authorAde Lee <alee@redhat.com>2012-02-22 22:48:52 -0500
committerAde Lee <alee@redhat.com>2012-02-22 22:48:52 -0500
commit5a04c625bfa441442265ce7ad234b08bed6be0f5 (patch)
tree528ebf05c0609ce8b8312a6070e80ead6a00c270 /pki
parent9256c05feae016453ed2ce65672d92b8a72d6783 (diff)
SELinux changes to allow dogtag to start on f17.
Addresses java_exec_t issue in BZ 795966
Diffstat (limited to 'pki')
-rw-r--r--pki/base/selinux/src/pki.if240
-rw-r--r--pki/base/selinux/src/pki.te196
2 files changed, 219 insertions, 217 deletions
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index 317fb22b8..47e34e861 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -22,7 +22,6 @@ template(`pki_ca_template',`
type rpm_var_lib_t;
type rpm_exec_t;
type setfiles_t;
- type httpd_t;
')
########################################
#
@@ -41,7 +40,7 @@ template(`pki_ca_template',`
type initrc_t;
')
domtrans_pattern($1_script_t, java_exec_t, $1_t)
- unconfined_domain($1_script_t)
+
role system_r types $1_script_t;
allow $1_t java_exec_t:file entrypoint;
allow initrc_t $1_script_t:process transition;
@@ -161,17 +160,13 @@ template(`pki_ca_template',`
miscfiles_read_localization($1_t)
+ logging_send_syslog_msg($1_t)
+
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys($1_t)
term_dontaudit_use_generic_ptys($1_t)
')
- #This is broken in selinux-policy we need java_exec defined, Will add to policy
- gen_require(`
- type java_exec_t;
- ')
- can_exec($1_t, java_exec_t)
-
# allow java subsystems to talk to the ncipher hsm
allow $1_t pki_common_dev_t:sock_file write;
allow $1_t pki_common_dev_t:dir search;
@@ -181,25 +176,33 @@ template(`pki_ca_template',`
init_stream_connect_script($1_t)
#allow java subsystems to talk to lunasa hsm
- allow $1_t devlog_t:sock_file write;
- allow $1_t self:unix_dgram_socket { write create connect };
- allow $1_t syslogd_t:unix_dgram_socket sendto;
- #allow sending mail
- corenet_tcp_connect_smtp_port($1_t)
+ #allow sending mail
+ corenet_tcp_connect_smtp_port($1_t)
- # allow rpm -q in init scripts
- rpm_exec($1_t)
+ # allow rpm -q in init scripts
+ rpm_exec($1_t)
- # allow writing to the kernel keyring
- allow $1_t self:key { write read };
+ # allow writing to the kernel keyring
+ allow $1_t self:key { write read };
- #reverse proxy
- corenet_tcp_connect_dogtag_port($1_t)
+ #reverse proxy
+ corenet_tcp_connect_dogtag_port($1_t)
- #connect to ldap
- corenet_tcp_connect_ldap_port($1_t)
+ #connect to ldap
+ corenet_tcp_connect_ldap_port($1_t)
+ optional_policy(`
+ #This is broken in selinux-policy we need java_exec defined, Will add to policy
+ gen_require(`
+ type java_exec_t;
+ ')
+ can_exec($1_t, java_exec_t)
+ ')
+
+ optional_policy(`
+ unconfined_domain($1_script_t)
+ ')
')
########################################
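Review bot: `unconfined_domain($1_script_t)` is kept, only moved under `optional_policy`, so whenever the unconfined module is loaded each subsystem's init-script domain still runs with no SELinux restrictions; the wrapper merely avoids a build failure when that module is absent, and neither the hunk nor the commit message says why the script needs to be unconfined. Confinement of the Java process then rests entirely on the `domtrans_pattern($1_script_t, java_exec_t, $1_t)` transition earlier in the template, outside this hunk. I would at least document the debt instead of wrapping it silently, e.g. `# TODO: init script runs unconfined; replace with the specific rpm/setfiles/tty rules it needs`, and replace the stale `#This is broken in selinux-policy we need java_exec defined, Will add to policy` with the actual condition the `optional_policy` guards, presumably `# java_exec_t is not defined by every selinux-policy release (BZ 795966); skip the rule when absent`. The template continues past the end of this hunk.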
@@ -472,106 +475,6 @@ template(`pki_tps_template',`
allow httpd_t $1_var_run_t:dir search;
allow httpd_t $1_var_run_t:file read_file_perms;
- # start up httpd in pki_tps_t mode
- allow pki_tps_t httpd_config_t:file { read getattr execute };
- allow pki_tps_t httpd_exec_t:file entrypoint;
- allow pki_tps_t httpd_modules_t:lnk_file read;
- allow pki_tps_t httpd_suexec_exec_t:file { getattr read execute };
-
- # apache permissions
- apache_exec_modules(pki_tps_t)
- apache_list_modules(pki_tps_t)
- apache_read_config(pki_tps_t)
-
- allow pki_tps_t lib_t:file execute_no_trans;
-
- #fowner needed for chmod
- allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill};
- allow pki_tps_t self:process { setsched signal getsched signull execstack execmem sigkill};
- allow pki_tps_t self:sem all_sem_perms;
- allow pki_tps_t self:tcp_socket create_stream_socket_perms;
-
- # used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
- allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
-
- #netlink needed?
- allow pki_tps_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
-
- corecmd_exec_bin(pki_tps_t)
- corecmd_exec_shell(pki_tps_t)
- corecmd_read_bin_symlinks(pki_tps_t)
- corecmd_search_bin(pki_tps_t)
-
- corenet_sendrecv_unlabeled_packets(pki_tps_t)
- corenet_tcp_bind_all_nodes(pki_tps_t)
- corenet_tcp_bind_pki_tps_port(pki_tps_t)
- corenet_tcp_connect_generic_port(pki_tps_t)
-
- # customer may run an ldap server on 389
- corenet_tcp_connect_ldap_port(pki_tps_t)
-
- # connect to other subsystems
- corenet_tcp_connect_pki_ca_port(pki_tps_t)
- corenet_tcp_connect_pki_kra_port(pki_tps_t)
- corenet_tcp_connect_pki_tks_port(pki_tps_t)
-
- corenet_tcp_sendrecv_all_if(pki_tps_t)
- corenet_tcp_sendrecv_all_nodes(pki_tps_t)
- corenet_tcp_sendrecv_all_ports(pki_tps_t)
- corenet_all_recvfrom_unlabeled(pki_tps_t)
-
- dev_read_urand(pki_tps_t)
- files_exec_usr_files(pki_tps_t)
- files_read_usr_symlinks(pki_tps_t)
- files_read_usr_files(pki_tps_t)
-
- #installation and debug uses /tmp
- files_manage_generic_tmp_dirs(pki_tps_t)
- files_manage_generic_tmp_files(pki_tps_t)
-
- kernel_read_kernel_sysctls(pki_tps_t)
- kernel_read_system_state(pki_tps_t)
-
- # need to resolve addresses?
- auth_use_nsswitch(pki_tps_t)
-
- sysnet_read_config(pki_tps_t)
-
- allow httpd_t pki_tps_etc_rw_t:dir search;
- allow httpd_t pki_tps_etc_rw_t:file rw_file_perms;
- allow httpd_t pki_tps_log_t:dir rw_dir_perms;
- allow httpd_t pki_tps_log_t:file manage_file_perms;
- allow httpd_t pki_tps_t:process { signal signull };
- allow httpd_t pki_tps_var_lib_t:dir { getattr search };
- allow httpd_t pki_tps_var_lib_t:lnk_file read;
- allow httpd_t pki_tps_var_lib_t:file read_file_perms;
-
- # why do I need to add this?
- allow httpd_t httpd_config_t:file execute;
- files_exec_usr_files(httpd_t)
-
- # talk to the hsm
- allow pki_tps_t pki_common_dev_t:sock_file write;
- allow pki_tps_t pki_common_dev_t:dir search;
- allow pki_tps_t pki_common_t:dir create_dir_perms;
- manage_files_pattern(pki_tps_t, pki_common_t, pki_common_t)
- can_exec(pki_tps_t, pki_common_t)
- init_stream_connect_script(pki_tps_t)
-
- #allow tps to talk to lunasa hsm
- allow pki_tps_t devlog_t:sock_file write;
- allow pki_tps_t self:unix_dgram_socket { write create connect };
- allow pki_tps_t syslogd_t:unix_dgram_socket sendto;
-
- # allow rpm -q in init scripts
- rpm_exec(pki_tps_t)
-
- # allow writing to the kernel keyring
- allow pki_tps_t self:key { write read };
-
- # new for f14
- apache_exec(pki_tps_t)
-
')
template(`pki_ra_template',`
@@ -659,101 +562,6 @@ template(`pki_ra_template',`
#============= httpd_t ==============
allow httpd_t $1_var_run_t:dir search;
allow httpd_t $1_var_run_t:file read_file_perms;
-
- # start up httpd in pki_ra_t mode
- allow pki_ra_t httpd_config_t:file { read getattr execute };
- allow pki_ra_t httpd_exec_t:file entrypoint;
- allow pki_ra_t httpd_modules_t:lnk_file read;
- allow pki_ra_t httpd_suexec_exec_t:file { getattr read execute };
-
- #apache permissions
- apache_read_config(pki_ra_t)
- apache_exec_modules(pki_ra_t)
- apache_list_modules(pki_ra_t)
-
- allow pki_ra_t lib_t:file execute_no_trans;
-
- allow pki_ra_t self:capability { setuid sys_nice setgid dac_override fowner fsetid};
- allow pki_ra_t self:process { setsched getsched signal signull execstack execmem};
- allow pki_ra_t self:sem all_sem_perms;
- allow pki_ra_t self:tcp_socket create_stream_socket_perms;
-
- #RA specific? talking to mysql?
- allow pki_ra_t self:udp_socket { write read create connect };
- allow pki_ra_t self:unix_dgram_socket { write create connect };
-
- # netlink needed?
- allow pki_ra_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
-
- corecmd_exec_bin(pki_ra_t)
- corecmd_exec_shell(pki_ra_t)
- corecmd_read_bin_symlinks(pki_ra_t)
- corecmd_search_bin(pki_ra_t)
-
- corenet_sendrecv_unlabeled_packets(pki_ra_t)
- corenet_tcp_bind_all_nodes(pki_ra_t)
- corenet_tcp_bind_pki_ra_port(pki_ra_t)
-
- corenet_tcp_sendrecv_all_if(pki_ra_t)
- corenet_tcp_sendrecv_all_nodes(pki_ra_t)
- corenet_tcp_sendrecv_all_ports(pki_ra_t)
- corenet_all_recvfrom_unlabeled(pki_ra_t)
- corenet_tcp_connect_generic_port(pki_ra_t)
-
- # talk to other subsystems
- corenet_tcp_connect_pki_ca_port(pki_ra_t)
-
- dev_read_urand(pki_ra_t)
- files_exec_usr_files(pki_ra_t)
- fs_getattr_xattr_fs(pki_ra_t)
-
- # ra writes files to /tmp
- files_manage_generic_tmp_files(pki_ra_t)
-
- kernel_read_kernel_sysctls(pki_ra_t)
- kernel_read_system_state(pki_ra_t)
-
- #send mail, sendmail writes to devlog, syslog
- allow pki_ra_t mqueue_spool_t:file { write getattr read lock create unlink };
- allow pki_ra_t devlog_t:sock_file write;
- allow pki_ra_t syslogd_t:unix_dgram_socket sendto;
- corenet_tcp_connect_smtp_port(pki_ra_t)
- files_search_spool(pki_ra_t)
- mta_manage_queue(pki_ra_t)
- mta_read_config(pki_ra_t)
- mta_sendmail_exec(pki_ra_t)
-
- #resolve names?
- auth_use_nsswitch(pki_ra_t)
-
- sysnet_read_config(pki_ra_t)
-
- allow httpd_t pki_ra_etc_rw_t:dir search;
- allow httpd_t pki_ra_etc_rw_t:file rw_file_perms;
- allow httpd_t pki_ra_log_t:dir rw_dir_perms;
- allow httpd_t pki_ra_log_t:file manage_file_perms;
- allow httpd_t pki_ra_t:process { signal signull };
- allow httpd_t pki_ra_var_lib_t:dir { getattr search };
- allow httpd_t pki_ra_var_lib_t:lnk_file read;
- allow httpd_t pki_ra_var_lib_t:file read_file_perms;
-
- # talk to the hsm
- allow pki_ra_t pki_common_dev_t:sock_file write;
- allow pki_ra_t pki_common_dev_t:dir search;
- allow pki_ra_t pki_common_t:dir create_dir_perms;
- manage_files_pattern(pki_ra_t, pki_common_t, pki_common_t)
- can_exec(pki_ra_t, pki_common_t)
- init_stream_connect_script(pki_ra_t)
-
- # allow rpm -q in init scripts
- rpm_exec(pki_ra_t)
-
- # allow writing to the kernel keyring
- allow pki_ra_t self:key { write read };
-
- # new for f14
- apache_exec(pki_ra_t)
-
')
########################################
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index 3d9a04832..f506553ee 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.26)
+policy_module(pki,10.0.1)
attribute pki_ca_config;
attribute pki_ca_executable;
@@ -136,3 +136,197 @@ allow pki_tks_t pki_ocsp_t:process signull;
#allow httpd_t pki_tks_tomcat_exec_t:process signull;
#allow httpd_t pki_tks_var_lib_t:process signull;
+# start up httpd in pki_tps_t mode
+can_exec(pki_tps_t, httpd_config_t)
+allow pki_tps_t httpd_exec_t:file entrypoint;
+allow pki_tps_t httpd_modules_t:lnk_file read;
+can_exec(pki_tps_t, httpd_suexec_exec_t)
+
+# apache permissions
+apache_exec_modules(pki_tps_t)
+apache_list_modules(pki_tps_t)
+apache_read_config(pki_tps_t)
+
+allow pki_tps_t lib_t:file execute_no_trans;
+
+#fowner needed for chmod
+allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill};
+allow pki_tps_t self:process { setsched signal getsched signull execstack execmem sigkill};
+allow pki_tps_t self:sem all_sem_perms;
+allow pki_tps_t self:tcp_socket create_stream_socket_perms;
+
+# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
+allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
+
+ #netlink needed?
+allow pki_tps_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+
+corecmd_exec_bin(pki_tps_t)
+corecmd_exec_shell(pki_tps_t)
+corecmd_read_bin_symlinks(pki_tps_t)
+corecmd_search_bin(pki_tps_t)
+
+corenet_sendrecv_unlabeled_packets(pki_tps_t)
+corenet_tcp_bind_all_nodes(pki_tps_t)
+corenet_tcp_bind_pki_tps_port(pki_tps_t)
+corenet_tcp_connect_generic_port(pki_tps_t)
+
+# customer may run an ldap server on 389
+corenet_tcp_connect_ldap_port(pki_tps_t)
+
+# connect to other subsystems
+corenet_tcp_connect_pki_ca_port(pki_tps_t)
+corenet_tcp_connect_pki_kra_port(pki_tps_t)
+corenet_tcp_connect_pki_tks_port(pki_tps_t)
+
+corenet_tcp_sendrecv_all_if(pki_tps_t)
+corenet_tcp_sendrecv_all_nodes(pki_tps_t)
+corenet_tcp_sendrecv_all_ports(pki_tps_t)
+corenet_all_recvfrom_unlabeled(pki_tps_t)
+
+dev_read_urand(pki_tps_t)
+files_exec_usr_files(pki_tps_t)
+files_read_usr_symlinks(pki_tps_t)
+files_read_usr_files(pki_tps_t)
+
+#installation and debug uses /tmp
+files_manage_generic_tmp_dirs(pki_tps_t)
+files_manage_generic_tmp_files(pki_tps_t)
+
+kernel_read_kernel_sysctls(pki_tps_t)
+kernel_read_system_state(pki_tps_t)
+
+# need to resolve addresses?
+auth_use_nsswitch(pki_tps_t)
+
+sysnet_read_config(pki_tps_t)
+
+allow httpd_t pki_tps_etc_rw_t:dir search;
+allow httpd_t pki_tps_etc_rw_t:file rw_file_perms;
+allow httpd_t pki_tps_log_t:dir rw_dir_perms;
+allow httpd_t pki_tps_log_t:file manage_file_perms;
+allow httpd_t pki_tps_t:process { signal signull };
+allow httpd_t pki_tps_var_lib_t:dir { getattr search };
+allow httpd_t pki_tps_var_lib_t:lnk_file read;
+allow httpd_t pki_tps_var_lib_t:file read_file_perms;
+
+# why do I need to add this?
+allow httpd_t httpd_config_t:file execute;
+files_exec_usr_files(httpd_t)
+
+# talk to the hsm
+allow pki_tps_t pki_common_dev_t:sock_file write;
+allow pki_tps_t pki_common_dev_t:dir search;
+allow pki_tps_t pki_common_t:dir create_dir_perms;
+manage_files_pattern(pki_tps_t, pki_common_t, pki_common_t)
+can_exec(pki_tps_t, pki_common_t)
+init_stream_connect_script(pki_tps_t)
+
+#allow tps to talk to lunasa hsm
+logging_send_syslog_msg(pki_tps_t)
+
+# allow rpm -q in init scripts
+rpm_exec(pki_tps_t)
+
+# allow writing to the kernel keyring
+allow pki_tps_t self:key { write read };
+
+# new for f14
+apache_exec(pki_tps_t)
+
+ # start up httpd in pki_ra_t mode
+allow pki_ra_t httpd_config_t:file { read getattr execute };
+allow pki_ra_t httpd_exec_t:file entrypoint;
+allow pki_ra_t httpd_modules_t:lnk_file read;
+allow pki_ra_t httpd_suexec_exec_t:file { getattr read execute };
+
+#apache permissions
+apache_read_config(pki_ra_t)
+apache_exec_modules(pki_ra_t)
+apache_list_modules(pki_ra_t)
+
+allow pki_ra_t lib_t:file execute_no_trans;
+
+allow pki_ra_t self:capability { setuid sys_nice setgid dac_override fowner fsetid};
+allow pki_ra_t self:process { setsched getsched signal signull execstack execmem};
+allow pki_ra_t self:sem all_sem_perms;
+allow pki_ra_t self:tcp_socket create_stream_socket_perms;
+
+#RA specific? talking to mysql?
+allow pki_ra_t self:udp_socket { write read create connect };
+allow pki_ra_t self:unix_dgram_socket { write create connect };
+
+# netlink needed?
+allow pki_ra_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+
+corecmd_exec_bin(pki_ra_t)
+corecmd_exec_shell(pki_ra_t)
+corecmd_read_bin_symlinks(pki_ra_t)
+corecmd_search_bin(pki_ra_t)
+
+corenet_sendrecv_unlabeled_packets(pki_ra_t)
+corenet_tcp_bind_all_nodes(pki_ra_t)
+corenet_tcp_bind_pki_ra_port(pki_ra_t)
+
+corenet_tcp_sendrecv_all_if(pki_ra_t)
+corenet_tcp_sendrecv_all_nodes(pki_ra_t)
+corenet_tcp_sendrecv_all_ports(pki_ra_t)
+corenet_all_recvfrom_unlabeled(pki_ra_t)
+corenet_tcp_connect_generic_port(pki_ra_t)
+
+# talk to other subsystems
+corenet_tcp_connect_pki_ca_port(pki_ra_t)
+
+dev_read_urand(pki_ra_t)
+files_exec_usr_files(pki_ra_t)
+fs_getattr_xattr_fs(pki_ra_t)
+
+# ra writes files to /tmp
+files_manage_generic_tmp_files(pki_ra_t)
+
+kernel_read_kernel_sysctls(pki_ra_t)
+kernel_read_system_state(pki_ra_t)
+
+logging_send_syslog_msg(pki_ra_t)
+
+corenet_tcp_connect_smtp_port(pki_ra_t)
+files_search_spool(pki_ra_t)
+
+#
+# Should be changed to mta_send_mail
+#
+mta_manage_spool(pki_ra_t)
+mta_manage_queue(pki_ra_t)
+mta_read_config(pki_ra_t)
+mta_sendmail_exec(pki_ra_t)
+
+#resolve names?
+auth_use_nsswitch(pki_ra_t)
+
+sysnet_read_config(pki_ra_t)
+
+allow httpd_t pki_ra_etc_rw_t:dir search;
+allow httpd_t pki_ra_etc_rw_t:file rw_file_perms;
+allow httpd_t pki_ra_log_t:dir rw_dir_perms;
+allow httpd_t pki_ra_log_t:file manage_file_perms;
+allow httpd_t pki_ra_t:process { signal signull };
+allow httpd_t pki_ra_var_lib_t:dir { getattr search };
+allow httpd_t pki_ra_var_lib_t:lnk_file read;
+allow httpd_t pki_ra_var_lib_t:file read_file_perms;
+
+# talk to the hsm
+allow pki_ra_t pki_common_dev_t:sock_file write;
+allow pki_ra_t pki_common_dev_t:dir search;
+allow pki_ra_t pki_common_t:dir create_dir_perms;
+manage_files_pattern(pki_ra_t, pki_common_t, pki_common_t)
+can_exec(pki_ra_t, pki_common_t)
+init_stream_connect_script(pki_ra_t)
+
+# allow rpm -q in init scripts
+rpm_exec(pki_ra_t)
+
+# allow writing to the kernel keyring
+allow pki_ra_t self:key { write read };
+
+# new for f14
+apache_exec(pki_ra_t)
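Review bot: `files_exec_usr_files(httpd_t)` and `allow httpd_t httpd_config_t:file execute;` (under `# why do I need to add this?`) are rules on the system-wide `httpd_t` domain, so they loosen every Apache instance on the host rather than only the TPS/RA one, and the comment itself records that the reason is unknown. Execute permission on `httpd_config_t` (also `can_exec(pki_tps_t, httpd_config_t)` here, versus the RA's narrower `{ read getattr execute }` on the same type) usually means a script is mislabeled as a config file, which is fixed in file contexts rather than by widening policy; the denial can be located with `ausearch -m AVC -c httpd` and the file relabeled, or, if the rule is genuinely required, the comment should name the file and why, e.g. `# httpd_t executes <path> at startup; the file is labeled httpd_config_t`. The `#allow tps to talk to lunasa hsm` comment now sits above `logging_send_syslog_msg(pki_tps_t)` and should say it covers the HSM client library's syslog traffic, if that is what it is for. The broad `corenet_tcp_sendrecv_all_ports`, `corenet_all_recvfrom_unlabeled` and `execstack execmem` grants for both domains are only moved here from the pki.if templates, but they deserve the same one-line justification since nothing in the file says which component needs them.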