diff options
author | Ade Lee <alee@redhat.com> | 2012-10-04 13:21:15 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2012-10-05 16:00:47 -0400 |
commit | da73f97ee897782a4e8fc326cd428bcd7ba5fd31 (patch) | |
tree | c99981ee4d53fe320a76ac5d33b08e3fd4896ddd /base/setup | |
parent | 6e79c7cb922072614155c067e26fab446893bae7 (diff) | |
download | pki-da73f97ee897782a4e8fc326cd428bcd7ba5fd31.tar.gz pki-da73f97ee897782a4e8fc326cd428bcd7ba5fd31.tar.xz pki-da73f97ee897782a4e8fc326cd428bcd7ba5fd31.zip |
Changes to start pki_ra and pki_tps in correct context
Added required selinux versions to spec file. Also added
additional rule needed for F17
Diffstat (limited to 'base/setup')
-rwxr-xr-x | base/setup/pkicommon.pm | 2 | ||||
-rwxr-xr-x | base/setup/pkicreate | 12 | ||||
-rwxr-xr-x | base/setup/pkiremove | 4 | ||||
-rwxr-xr-x | base/setup/scripts/pki_apache_initscript | 25 |
4 files changed, 21 insertions, 22 deletions
diff --git a/base/setup/pkicommon.pm b/base/setup/pkicommon.pm index 4b68ffa7e..16f553e00 100755 --- a/base/setup/pkicommon.pm +++ b/base/setup/pkicommon.pm @@ -3505,6 +3505,8 @@ sub check_selinux_port if (defined $selinux_ports{$seport}) { if ($selinux_ports{$seport} eq $setype) { return $SELINUX_PORT_DEFINED; + } elsif ($selinux_ports{$seport} eq "unreserved_port_t") { + return $SELINUX_PORT_UNDEFINED; } else { return $SELINUX_PORT_WRONGLY_DEFINED; } diff --git a/base/setup/pkicreate b/base/setup/pkicreate index e3ee5a0ab..b83fd870c 100755 --- a/base/setup/pkicreate +++ b/base/setup/pkicreate @@ -2421,6 +2421,7 @@ sub process_pki_templates $slot_hash{$PKI_SUBSYSTEM_DIR_SLOT} = ""; $slot_hash{$PKI_SUBSYSTEM_TYPE_SLOT} = $subsystem_type; $slot_hash{$PKI_INSTANCE_ID_SLOT} = $pki_instance_name; + $slot_hash{$PKI_INSTANCE_PATH_SLOT} = $pki_instance_path; $slot_hash{$PKI_INSTANCE_ROOT_SLOT} = $pki_instance_root; $slot_hash{$PKI_INSTANCE_INITSCRIPT} = $pki_instance_initscript_path; $slot_hash{$PKI_REGISTRY_FILE_SLOT} = $pki_registry_instance_file_path; @@ -2489,7 +2490,6 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so $slot_hash{$INSTALL_TIME} = localtime; $slot_hash{$PKI_CERT_DB_PASSWORD_SLOT} = $db_password; $slot_hash{$PKI_CFG_PATH_NAME_SLOT} = $pki_cfg_instance_file_path; - $slot_hash{$PKI_INSTANCE_PATH_SLOT} = $pki_instance_path; $slot_hash{$PKI_MACHINE_NAME_SLOT} = $host; $slot_hash{$PKI_RANDOM_NUMBER_SLOT} = $random; $slot_hash{$PKI_SERVER_XML_CONF} = $server_xml_instance_file_path; @@ -3168,6 +3168,12 @@ sub process_pki_selinux_setup add_selinux_file_context($setype . "_var_lib_t", "\"${pki_instance_root}/${pki_instance_name}(/.*)?\"", "a", \$semanage_cmds); + + if (!$java_component) { + add_selinux_file_context($setype . "_exec_t", + "\"${pki_instance_root}/${pki_instance_name}/${pki_instance_name}\"", + "a", \$semanage_cmds); + } } push(@restorecon_cmds, "$restorecon -F -R $pki_instance_root/$pki_instance_name"); @@ -3213,10 +3219,6 @@ sub process_pki_selinux_setup push(@restorecon_cmds, "$restorecon -F -R $conf_path"); } - if (! $java_component) { - push(@restorecon_cmds, "$restorecon -F -R /usr/sbin/httpd.worker"); - } - # add ports parse_selinux_ports(); if ($secure_port != -1) { diff --git a/base/setup/pkiremove b/base/setup/pkiremove index dd9fbc7f9..ca81cb09e 100755 --- a/base/setup/pkiremove +++ b/base/setup/pkiremove @@ -355,6 +355,10 @@ sub get_selinux_fcontexts if (($pki_instance_name ne $default_instance_name) || ($pki_instance_root ne $default_instance_root)) { remove_fcontext($setype . "_var_lib_t", "\"$pki_instance_root/$pki_instance_name(/.*)?\"", "a", $cmd_ref); + if (! $java_component) { + remove_fcontext($setype . "_exec_t", + "\"${pki_instance_root}/{$pki_instance_name}/${pki_instance_name}\"", "a", $cmd_ref); + } } # remove context for /var/run/$pki_instance_name.pid diff --git a/base/setup/scripts/pki_apache_initscript b/base/setup/scripts/pki_apache_initscript index c50c812a4..1e411207f 100755 --- a/base/setup/scripts/pki_apache_initscript +++ b/base/setup/scripts/pki_apache_initscript @@ -64,25 +64,16 @@ start() # restore context for ncipher hsm [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast - - /usr/sbin/selinuxenabled - rv=$? - if [ ${rv} = 0 ] ; then - if [ ${ARCHITECTURE} = "i386" ] ; then - LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -r system_r -- ${httpd} ${PKI_OPTIONS} - rv=$? - # overwrite output from "daemon" - echo -n $"Starting ${prog}: " - elif [ ${ARCHITECTURE} = "x86_64" ] ; then - # NOTE: "daemon" is incompatible with "httpd" on 64-bit architectures - LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -r system_r -- ${httpd} ${PKI_OPTIONS} - rv=$? - fi + + if [ ${ARCHITECTURE} = "x86_64" ] ; then + # NOTE: "daemon" is incompatible with "httpd" on 64-bit architectures + LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} + rv=$? else - LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS} + LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS} rv=$? - # overwrite output from "daemon" - echo -n $"Starting ${prog}: " + # overwrite output from "daemon" + echo -n $"Starting ${prog}: " fi if [ ${rv} = 0 ] ; then |