| author | Endi S. Dewata <edewata@redhat.com> | 2016-07-22 17:31:20 +0200 |
|---|---|---|
| committer | Endi S. Dewata <edewata@redhat.com> | 2016-07-26 21:18:20 +0200 |
| commit | 9e77b42d88da07e91a42966bc2d1ea9237e62f47 (patch) | |
| tree | c3b92f8ebb1eac3b74972f2c12758c97a48959bf /base | |
| parent | 3f4c9e4e7946f3f330b71cfe36a00ae933de2575 (diff) | |
Removed hard-coded paths in pki.policy.
The operations script has been modified to generate pki.policy
dynamically from links in the <instance>/common/lib directory.
This allows the pki.policy to match the actual paths in different
platforms.
https://fedorahosted.org/pki/ticket/2403
Diffstat (limited to 'base')
| -rw-r--r-- | base/server/scripts/operations | 16 | ||||
| -rw-r--r-- | base/server/share/conf/pki.policy | 132 |
2 files changed, 17 insertions, 131 deletions
diff --git a/base/server/scripts/operations b/base/server/scripts/operations
index 14443c4a5..599167008 100644
--- a/base/server/scripts/operations
+++ b/base/server/scripts/operations
@@ -1352,10 +1352,24 @@ start_instance()
 return $rv
 fi

+ # Copy pki.policy template
+ /bin/cp /usr/share/pki/server/conf/pki.policy /var/lib/pki/$PKI_INSTANCE_NAME/conf
+
+ # Add permissions for all JAR files in /var/lib/pki/$PKI_INSTANCE_NAME/common/lib
+ for path in /var/lib/pki/$PKI_INSTANCE_NAME/common/lib/*; do
+
+ cat >> /var/lib/pki/$PKI_INSTANCE_NAME/conf/pki.policy << EOF
+
+grant codeBase "file:$(realpath $path)" {
+ permission java.security.AllPermission;
+};
+EOF
+ done
+
 # Generate catalina.policy dynamically.
 cat /usr/share/pki/server/conf/catalina.policy \
 /usr/share/tomcat/conf/catalina.policy \
- /usr/share/pki/server/conf/pki.policy \
+ /var/lib/pki/$PKI_INSTANCE_NAME/conf/pki.policy \
 /var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy > \
 /var/lib/pki/$PKI_INSTANCE_NAME/conf/catalina.policy

diff --git a/base/server/share/conf/pki.policy b/base/server/share/conf/pki.policy
index e281e0191..7d8cfec45 100644
--- a/base/server/share/conf/pki.policy
+++ b/base/server/share/conf/pki.policy
@@ -4,10 +4,10 @@
 // --- END COPYRIGHT BLOCK ---

 // ============================================================================
-// pki.policy - Default Security Policy Permissions for PKI on Tomcat 7
+// pki.policy - Default Security Policy Permissions for PKI on Tomcat
 //
 // This file contains a default set of security policies for PKI running inside
-// Tomcat 7.
+// Tomcat.
 // ============================================================================

 grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
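Review bot: The loop added to start_instance() in base/server/scripts/operations turns every entry of /var/lib/pki/$PKI_INSTANCE_NAME/common/lib into a `java.security.AllPermission` grant on each start, so write access to that directory or to its link targets now decides which code runs unrestricted, where the previous list was fixed in the packaged /usr/share/pki/server/conf/pki.policy. The ownership and mode of common/lib are not visible in this hunk; if the instance account can write there, the script should check that before generating the policy, or at least say so in a comment. `$path` and `$(realpath $path)` are unquoted and the result goes into the quoted codeBase string unvalidated, so a name containing whitespace, an unmatched glob or a failed realpath still appends a grant. With GNU realpath, `target=$(realpath -e -- "$path") || continue` followed by `grant codeBase "file:$target" {` would skip those entries, and the comment says "JAR files" while the glob is `*` rather than `*.jar`. The body of start_instance() starts and ends outside the hunk, so whether the `/bin/cp` result is checked later cannot be seen here.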
@@ -22,42 +22,6 @@ grant codeBase "file:${catalina.base}/lib/-" {
 permission java.security.AllPermission;
 };

-grant codeBase "file:/usr/lib/java/jss4.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/lib/java/symkey.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/lib64/java/jss4.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/lib64/java/symkey.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/commons-codec.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/apache-commons-collections.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/apache-commons-io.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/apache-commons-lang.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/apache-commons-logging.jar" {
- permission java.security.AllPermission;
-};
-
 grant codeBase "file:/usr/share/java/ecj.jar" {
 permission java.security.AllPermission;
 };
@@ -70,18 +34,6 @@ grant codeBase "file:/usr/share/java/glassfish-jsp.jar" {
 permission java.security.AllPermission;
 };

-grant codeBase "file:/usr/share/java/httpcomponents/httpclient.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/httpcomponents/httpcore.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/javassist.jar" {
- permission java.security.AllPermission;
-};
-
 grant codeBase "file:/usr/share/java/jaxb-api.jar" {
 permission java.security.AllPermission;
 };
@@ -98,66 +50,10 @@ grant codeBase "file:/usr/share/java/jboss-web.jar" {
 permission java.security.AllPermission;
 };

-grant codeBase "file:/usr/share/java/jackson/jackson-core-asl.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/jackson/jackson-jaxrs.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/jackson/jackson-mapper-asl.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/jackson/jackson-mrbean.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/jackson/jackson-smile.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/jackson/jackson-xc.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/ldapjdk.jar" {
- permission java.security.AllPermission;
-};
-
 grant codeBase "file:/usr/share/java/log4j.jar" {
 permission java.security.AllPermission;
 };

-grant codeBase "file:${RESTEASY_LIB}/jaxrs-api.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:${RESTEASY_LIB}/resteasy-atom-provider.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:${RESTEASY_LIB}/resteasy-client.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:${RESTEASY_LIB}/resteasy-jaxb-provider.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:${RESTEASY_LIB}/resteasy-jaxrs.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:${RESTEASY_LIB}/resteasy-jackson-provider.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/scannotation.jar" {
- permission java.security.AllPermission;
-};
-
 grant codeBase "file:/usr/share/java/servlet.jar" {
 permission java.security.AllPermission;
 };
@@ -166,10 +62,6 @@ grant codeBase "file:/usr/share/java/tomcat/-" {
 permission java.security.AllPermission;
 };

-grant codeBase "file:/usr/share/java/tomcatjss.jar" {
- permission java.security.AllPermission;
-};
-
 grant codeBase "file:/usr/share/java/tomcat-el-api.jar" {
 permission java.security.AllPermission;
 };
@@ -178,22 +70,6 @@ grant codeBase "file:/usr/share/java/tomcat-servlet-api.jar" {
 permission java.security.AllPermission;
 };

-grant codeBase "file:/usr/share/java/velocity.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/xerces-j2.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/xml-commons-apis.jar" {
- permission java.security.AllPermission;
-};
-
-grant codeBase "file:/usr/share/java/xml-commons-resolver.jar" {
- permission java.security.AllPermission;
-};
-
 grant codeBase "file:/usr/share/java/pki/-" {
 permission java.security.AllPermission;
 };
@@ -221,7 +97,3 @@ grant codeBase "file:${catalina.base}/webapps/tks/-" {
 grant codeBase "file:${catalina.base}/webapps/ROOT/-" {
 permission java.security.AllPermission;
 };
-
-grant codeBase "file:/usr/lib/java/nuxwdog.jar" {
- permission java.security.AllPermission;
-};
|
