author | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-01-12 22:47:34 +0000 |
committer | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-01-12 22:47:34 +0000 |
commit | 7d1532ecb8310c037f54d96364dfdcd54e8e7cc0 (patch) | |
tree | 86bd1761488d7df8ea417cf15f7fb60634e82db2 /pki/base/selinux | |
parent | 39a606a94630a9dfa18b94dd0a19e97ddad451da (diff) | |
Bugzilla Bug #475895 - Disallow creation of an initial login shell
Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . .
Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . .
Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@908 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/selinux')
-rw-r--r-- | pki/base/selinux/src/pki.fc | 18 | ||||
-rw-r--r-- | pki/base/selinux/src/pki.if | 9 | ||||
-rw-r--r-- | pki/base/selinux/src/pki.te | 2 |
3 files changed, 24 insertions, 5 deletions
diff --git a/pki/base/selinux/src/pki.fc b/pki/base/selinux/src/pki.fc
index 56129164b..21ff9c2e7 100644
--- a/pki/base/selinux/src/pki.fc
+++ b/pki/base/selinux/src/pki.fc
@@ -74,3 +74,21 @@
 /var/run/pki/ca(/.*)? gen_context(system_u:object_r:pki_ca_var_run_t,s0)
 /etc/init.d/pki-cad gen_context(system_u:object_r:pki_ca_script_exec_t,s0)
 /etc/sysconfig/pki/ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0)
+
+# labeling for new KRA under pki-krad
+
+/var/run/pki/kra(/.*)? gen_context(system_u:object_r:pki_kra_var_run_t,s0)
+/etc/init.d/pki-krad gen_context(system_u:object_r:pki_kra_script_exec_t,s0)
+/etc/sysconfig/pki/kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0)
+
+# labeling for new OCSP under pki-ocspd
+
+/var/run/pki/ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_run_t,s0)
+/etc/init.d/pki-ocspd gen_context(system_u:object_r:pki_ocsp_script_exec_t,s0)
+/etc/sysconfig/pki/ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0)
+
+# labeling for new TKS under pki-tksd
+
+/var/run/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_var_run_t,s0)
+/etc/init.d/pki-tksd gen_context(system_u:object_r:pki_tks_script_exec_t,s0)
+/etc/sysconfig/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0)
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index a9d8c7f16..1364b15ce 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -38,6 +38,7 @@ template(`pki_ca_template',`
 type pki_ca_tomcat_exec_t;
 type $1_port_t;
 type rpm_var_lib_t;
+ type setfiles_t;
 ')
 ########################################
 #
@@ -71,6 +72,7 @@ template(`pki_ca_template',`
 # Execstack/execmem caused by java app.
 allow $1_t self:process { execstack execmem getsched setsched signal};
+ allow initrc_t self:process execstack;
 ## internal communication is often done using fifo and unix sockets.
 allow $1_t self:fifo_file rw_file_perms;
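Review bot: `allow initrc_t self:process execstack;` in the pki.if hunk at @@ -71,6 +72,7 @@ grants an executable stack to the generic init-script domain instead of to the PKI domain `$1_t`, so it loosens initrc_t system-wide, and because it sits inside pki_ca_template it is presumably re-emitted for every instantiation (CA, KRA, OCSP, TKS) where a single rule in pki.te would do. The comment above it, `# Execstack/execmem caused by java app.`, explains the `$1_t` rule, not this one; add a comment stating which program running under initrc_t needs execstack and why it cannot be confined to `$1_t`, and prefer expressing the access through the init module's interfaces rather than a raw allow on a foreign domain. Note also that the gen_require block in the @@ -38,6 +38,7 @@ hunk gains only `type setfiles_t;`; unless initrc_t is already required further up, the template is unlikely to build. The template body continues outside both hunks.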
@@ -106,6 +108,9 @@ template(`pki_ca_template',`
 manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
 files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+ # start/ stop using pki-cad, pki-krad, pki-ocspd, or pki-tksd
+ allow setfiles_t $1_etc_rw_t:file read;
+
 manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
 manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
 files_pid_filetrans($1_t,$1_var_run_t, { file dir })
@@ -410,7 +415,6 @@ template(`pki_tps_template',`
 attribute pki_tps_process;
 attribute pki_tps_config, pki_tps_var_lib;
 attribute pki_tps_executable, pki_tps_script, pki_tps_var_log;
- type setfiles_t;
 ')
 ########################################
 #
@@ -452,9 +456,6 @@ template(`pki_tps_template',`
 manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
 files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
- # start/ stop using pki-cad
- allow setfiles_t $1_etc_rw_t:file read;
-
 manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
 manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
 read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index 79442a7ea..84da2e54a 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.15)
+policy_module(pki,1.0.16)
 attribute pki_ca_config;
 attribute pki_ca_executable;
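Review bot: The @@ -452,9 +456,6 @@ hunk removes `allow setfiles_t $1_etc_rw_t:file read;` (and its `type setfiles_t;` requirement in @@ -410,7 +415,6 @@) from pki_tps_template, while the @@ -106,6 +108,9 @@ hunk adds that rule only to pki_ca_template, so after this commit setfiles_t no longer has read access to pki_tps_etc_rw_t. If the pki-tpsd start/stop path still relabels its /etc/sysconfig tree, that is a regression that will surface as an AVC denial; if TPS intentionally stays outside the registry model, say so where the rule is dropped, e.g. `# TPS does not use the registry model; setfiles_t read access moved to pki_ca_template`. The new comment `# start/ stop using pki-cad, pki-krad, pki-ocspd, or pki-tksd` names the scripts that trigger the access but not what setfiles_t reads from a writable config directory; a one-line note on which file is relabeled would make the rule auditable. Both templates continue outside these hunks.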