authormharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-01-12 22:47:34 +0000
committermharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2010-01-12 22:47:34 +0000
commit7d1532ecb8310c037f54d96364dfdcd54e8e7cc0 (patch)
tree86bd1761488d7df8ea417cf15f7fb60634e82db2 /pki/base/selinux
parent39a606a94630a9dfa18b94dd0a19e97ddad451da (diff)
Bugzilla Bug #475895 - Disallow creation of an initial login shell
Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . . Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . . Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . . Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . . git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@908 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/selinux')
-rw-r--r--pki/base/selinux/src/pki.fc18
-rw-r--r--pki/base/selinux/src/pki.if9
-rw-r--r--pki/base/selinux/src/pki.te2
3 files changed, 24 insertions, 5 deletions
diff --git a/pki/base/selinux/src/pki.fc b/pki/base/selinux/src/pki.fc
index 56129164b..21ff9c2e7 100644
--- a/pki/base/selinux/src/pki.fc
+++ b/pki/base/selinux/src/pki.fc
@@ -74,3 +74,21 @@
/var/run/pki/ca(/.*)? gen_context(system_u:object_r:pki_ca_var_run_t,s0)
/etc/init.d/pki-cad gen_context(system_u:object_r:pki_ca_script_exec_t,s0)
/etc/sysconfig/pki/ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0)
+
+# labeling for new KRA under pki-krad
+
+/var/run/pki/kra(/.*)? gen_context(system_u:object_r:pki_kra_var_run_t,s0)
+/etc/init.d/pki-krad gen_context(system_u:object_r:pki_kra_script_exec_t,s0)
+/etc/sysconfig/pki/kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0)
+
+# labeling for new OCSP under pki-ocspd
+
+/var/run/pki/ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_run_t,s0)
+/etc/init.d/pki-ocspd gen_context(system_u:object_r:pki_ocsp_script_exec_t,s0)
+/etc/sysconfig/pki/ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0)
+
+# labeling for new TKS under pki-tksd
+
+/var/run/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_var_run_t,s0)
+/etc/init.d/pki-tksd gen_context(system_u:object_r:pki_tks_script_exec_t,s0)
+/etc/sysconfig/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0)
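Review bot: The new file-context entries reference twelve types (`pki_kra_var_run_t`, `pki_kra_script_exec_t`, `pki_kra_etc_rw_t`, and the ocsp/tks equivalents) that are not declared anywhere in this commit — the pki.te hunk only bumps the module version — so they must already exist from an earlier change; if any is missing the module build fails at `semodule` load rather than at compile time of the .fc file. Worth confirming in pki.te before merging. The three comment headers could also state that each block mirrors the CA entries above it, e.g. `# labeling for new KRA under pki-krad (parallels the pki-cad entries above)`, so a future subsystem is added the same way.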
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index a9d8c7f16..1364b15ce 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -38,6 +38,7 @@ template(`pki_ca_template',`
type pki_ca_tomcat_exec_t;
type $1_port_t;
type rpm_var_lib_t;
+ type setfiles_t;
')
########################################
#
@@ -71,6 +72,7 @@ template(`pki_ca_template',`
# Execstack/execmem caused by java app.
allow $1_t self:process { execstack execmem getsched setsched signal};
+ allow initrc_t self:process execstack;
## internal communication is often done using fifo and unix sockets.
allow $1_t self:fifo_file rw_file_perms;
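Review bot: The added `allow initrc_t self:process execstack;` is not scoped to the template's `$1_t` and grants executable-stack permission to every init script running in initrc_t system-wide, not just the pki-*d scripts, yet it sits under a comment that explains execstack only for the Java daemon domain. If the trigger was an AVC denial from the init script launching the JVM (or another execstack-needing binary) before the transition into $1_t, that suggests part of daemon startup runs unconfined in initrc_t, and the narrower fix is a domain transition on that exec rather than widening initrc_t. If the rule must stay, document it, e.g. `# NOTE: not per-subsystem - widens initrc_t for all init scripts; needed because <what> runs under initrc_t during pki-*d start/stop`, and confirm `type initrc_t;` is in this template's gen_require block (it is not among the types visible in the previous hunk). The rule is also re-emitted once per subsystem that instantiates this template; a duplicate allow is harmless, but a single copy in pki.te would read more honestly.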
@@ -106,6 +108,9 @@ template(`pki_ca_template',`
manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+ # start/ stop using pki-cad, pki-krad, pki-ocspd, or pki-tksd
+ allow setfiles_t $1_etc_rw_t:file read;
+
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t,$1_var_run_t, { file dir })
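Review bot: The comment above the new `allow setfiles_t $1_etc_rw_t:file read;` names which init scripts are involved but not why setfiles_t needs to read the subsystem's sysconfig files, which is what a maintainer needs when deciding whether the rule can later be dropped or narrowed. Suggest stating the operation, e.g. `# pki-cad/krad/ocspd/tksd start/stop run restorecon (setfiles_t) over $1_etc_rw_t; read only, no write` — adjusted to whatever the init scripts actually invoke. Note also that this same commit removes the identical rule from pki_tps_template further down in the file, so pki-tpsd loses that access; if its init script performs the same relabel step, the TPS instance will now hit the denial this rule was originally added for.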
@@ -410,7 +415,6 @@ template(`pki_tps_template',`
attribute pki_tps_process;
attribute pki_tps_config, pki_tps_var_lib;
attribute pki_tps_executable, pki_tps_script, pki_tps_var_log;
- type setfiles_t;
')
########################################
#
@@ -452,9 +456,6 @@ template(`pki_tps_template',`
manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
- # start/ stop using pki-cad
- allow setfiles_t $1_etc_rw_t:file read;
-
manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index 79442a7ea..84da2e54a 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.15)
+policy_module(pki,1.0.16)
attribute pki_ca_config;
attribute pki_ca_executable;