authoralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-12-18 01:49:16 +0000
committeralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-12-18 01:49:16 +0000
commit9870bcfe3fc135f3c6fa2c645f7947a6242ec435 (patch)
tree4d037fd4ac95f59f219f6d44c4f510d641b6ee61 /pki
parent234b2a99d0845feeaebcf1acb3fd2fba757835a6 (diff)
Bugzilla BZ 547471: Apply PKI SELinux changes to PKI registry model
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@894 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki')
-rw-r--r--pki/base/ca/shared/conf/schema.ldif2
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java5
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java8
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java34
-rw-r--r--pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java75
-rw-r--r--pki/base/kra/shared/conf/schema.ldif2
-rw-r--r--pki/base/ocsp/shared/conf/schema.ldif2
-rw-r--r--pki/base/selinux/src/pki.fc6
-rw-r--r--pki/base/selinux/src/pki.if4
-rw-r--r--pki/base/selinux/src/pki.te2
-rw-r--r--pki/base/tks/shared/conf/schema.ldif2
11 files changed, 125 insertions, 17 deletions
diff --git a/pki/base/ca/shared/conf/schema.ldif b/pki/base/ca/shared/conf/schema.ldif
index 269b3f576..4b9c1f65a 100644
--- a/pki/base/ca/shared/conf/schema.ldif
+++ b/pki/base/ca/shared/conf/schema.ldif
@@ -431,7 +431,7 @@ objectClasses: ( crlIssuingPointRecord-oid NAME 'crlIssuingPointRecord' DESC 'CM
dn: cn=schema
changetype: modify
add: objectClasses
-objectClasses: ( certificateRecord-oid NAME 'certificateRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subject $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN 'user defined' )
+objectClasses: ( certificateRecord-oid NAME 'certificateRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN 'user defined' )
dn: cn=schema
changetype: modify
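Review bot: Dropping `subject` from the certificateRecord MAY list on the new side of the objectClasses line turns any existing certificateRecord entry that still carries a `subject` value into a schema violation once DS schema checking is enforced, and the commit carries no migration step for such entries. If `subject` was never written by the server (it is presumably superseded by `subjectName`), a comment above the definition such as `# 'subject' dropped from MAY: CMS writes subjectName; entries with a stray subject value must be cleaned up before schema checking is enabled` would record that. The same edit is repeated in the kra, ocsp and tks schema files, so any migration note applies to all four copies.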
diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
index f929587b4..a4d583dc7 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
@@ -2217,6 +2217,11 @@ public class UsrGrpAdminServlet extends AdminServlet {
user.setPhone(phone);
}
+ String userState = super.getParameter(req, Constants.PR_USER_STATE);
+ if (userState != null) {
+ user.setState(userState);
+ }
+
try {
mMgr.modifyUser(user);
NameValuePairs params = new NameValuePairs();
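Review bot: The `userState` value read on the added lines is written into the user entry exactly as received, with no check against the states the subsystem understands, so an arbitrary string reaches the `userstate` attribute, and per the UGSubsystem change in this same commit an empty string deletes the attribute instead of being ignored. If clearing is not meant to be reachable from this admin request, `if (userState != null && !userState.equals("")) { user.setState(userState); }` keeps a blank form field from silently removing the attribute; if clearing is intended, the accepted values should still be validated and the intent noted in a comment. The enclosing method starts outside the hunk.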
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
index aa7ce76d6..2adeea469 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
@@ -257,7 +257,13 @@ public class DonePanel extends WizardPanelBase {
attrs = new LDAPAttributeSet();
attrs.add(new LDAPAttribute("objectclass", "top"));
attrs.add(new LDAPAttribute("objectclass", "pkiSecurityDomain"));
- attrs.add(new LDAPAttribute("name", secdomain));
+ if (secdomain.equals("")) {
+ // this should not happen - just in case
+ CMS.debug("DonePanel display(): Security domain is an empty string!");
+ throw new IOException("Security domain is an empty string!");
+ } else {
+ attrs.add(new LDAPAttribute("name", secdomain));
+ }
attrs.add(new LDAPAttribute("ou", "Security Domain"));
entry = new LDAPEntry(dn, attrs);
conn.add(entry);
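Review bot: `secdomain.equals("")` in the added guard throws a NullPointerException rather than the intended IOException when `secdomain` is null, which is the more likely shape of a missing value; the check should read `if (secdomain == null || secdomain.equals("")) {`. Since the guard exists only for a case that "should not happen", it could also sit before the LDAPAttributeSet is built rather than between two `attrs.add` calls, so no partial attribute set is constructed before bailing out. The enclosing display() method starts outside the hunk.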
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
index 4337c5c64..9f2838b8c 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
@@ -251,6 +251,40 @@ public class UpdateDomainXML extends CMSServlet {
String clone = httpReq.getParameter("clone");
String operation = httpReq.getParameter("operation");
+ // ensure required parameters are present
+ // especially important for DS schema checking
+ String missing = "";
+ if ((host == null) || host.equals("")) {
+ missing += " host ";
+ }
+ if ((name == null) || name.equals("")) {
+ missing += " name ";
+ }
+ if ((sport == null) || sport.equals("")) {
+ missing += " sport ";
+ }
+ if ((agentsport == null) || agentsport.equals("")) {
+ missing += " agentsport ";
+ }
+ if ((adminsport == null) || adminsport.equals("")) {
+ missing += " adminsport ";
+ }
+ if ((httpport == null) || httpport.equals("")) {
+ missing += " httpport ";
+ }
+ if ((domainmgr == null) || domainmgr.equals("")) {
+ missing += " domainmgr ";
+ }
+ if ((clone == null) || clone.equals("")) {
+ clone = "false";
+ }
+
+ if (! missing.equals("")) {
+ CMS.debug("UpdateDomainXML process: required parameters:" + missing + "not provided in request");
+ outputError(httpResp, "Error: required parameters: " + missing + "not provided in request");
+ return;
+ }
+
String basedn = null;
String secstore = null;
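Review bot: The added checks stop at null/empty, so the four port parameters (`sport`, `agentsport`, `adminsport`, `httpport`) and `host` are still accepted with any content, and that content is what ends up in the security domain entry other subsystems read back; a non-numeric port passes here and fails later, if at all. Parsing each port with `Integer.parseInt` inside the same block and appending the name to `missing` (or a separate `invalid` list) on NumberFormatException would reject bad input at the same place through the same `outputError` path. `clone` is normalised only for the empty case, so any other non-`true` string is passed through as-is; confirm whether downstream code compares it to `"true"` or expects a boolean. The enclosing process() method starts before and continues after the hunk.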
diff --git a/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java b/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
index b3c8b4475..65a5c52b4 100644
--- a/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
+++ b/pki/base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
@@ -568,7 +568,7 @@ public final class UGSubsystem implements IUGSubsystem {
LDAPAttribute userTypeAttr = entry.getAttribute("usertype");
- if (userTypeAttr == null)
+ if (userTypeAttr == null)
id.setUserType("");
else {
Enumeration en = userTypeAttr.getStringValues();
@@ -576,7 +576,7 @@ public final class UGSubsystem implements IUGSubsystem {
if (en != null && en.hasMoreElements()) {
String userType = (String) en.nextElement();
- if (userType != null)
+ if ((userType != null) && (! userType.equals("undefined")))
id.setUserType(userType);
else
id.setUserType("");
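Review bot: The literal `"undefined"` on the changed line is the sentinel that the user-add path in this same commit writes when the user type is empty, and the two sides stay in sync only by repeating the string; a `private static final String UNDEFINED_USER_TYPE = "undefined";` in UGSubsystem used in both places would make the round-trip explicit. A one-line comment here, `// "undefined" is the placeholder stored when no usertype was supplied; surface it as empty`, would tell the reader why a stored value is deliberately discarded. The enclosing method starts outside the hunk.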
@@ -668,11 +668,35 @@ public final class UGSubsystem implements IUGSubsystem {
attrs.add(new LDAPAttribute("sn", id.getFullName()));
attrs.add(new LDAPAttribute("cn", id.getFullName()));
attrs.add(new LDAPAttribute("mail", id.getEmail()));
- attrs.add(new LDAPAttribute("telephonenumber", id.getPhone()));
+
+ if (id.getPhone() != null) {
+ // DS syntax checking requires a value for PrintableString syntax
+ if (! id.getPhone().equals("")) {
+ attrs.add(new LDAPAttribute("telephonenumber", id.getPhone()));
+ }
+ }
+
attrs.add(new LDAPAttribute("userpassword",
id.getPassword()));
- attrs.add(new LDAPAttribute("usertype", id.getUserType()));
- attrs.add(new LDAPAttribute("userstate", id.getState()));
+
+ if (id.getUserType() != null) {
+ // DS syntax checking requires a value for Directory String syntax
+ // but usertype is a MUST attribute, so we need to add something here
+ // if it is undefined.
+
+ if (! id.getUserType().equals("")) {
+ attrs.add(new LDAPAttribute("usertype", id.getUserType()));
+ } else {
+ attrs.add(new LDAPAttribute("usertype", "undefined"));
+ }
+ }
+
+ if (id.getState() != null) {
+ // DS syntax checking requires a value for Directory String syntax
+ if (! id.getState().equals("")) {
+ attrs.add(new LDAPAttribute("userstate", id.getState()));
+ }
+ }
LDAPEntry entry = new LDAPEntry("uid=" + id.getUserID() +
"," + getUserBaseDN(), attrs);
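Review bot: The comment on the added usertype block says usertype is a MUST attribute, yet when `id.getUserType()` returns null the whole block is skipped and no `usertype` attribute is added at all, so the subsequent entry add would presumably fail with an object class violation for exactly the case the sentinel is meant to cover. Collapsing the null and empty cases into one statement, `String ut = id.getUserType(); attrs.add(new LDAPAttribute("usertype", (ut == null || ut.equals("")) ? "undefined" : ut));`, closes that gap. The `telephonenumber` and `userstate` branches are fine as written since those attributes are optional. The enclosing method, which builds the user entry, starts outside the hunk.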
@@ -995,6 +1019,7 @@ public final class UGSubsystem implements IUGSubsystem {
LDAPConnection ldapconn = null;
try {
+ ldapconn = getConn();
if ((st = user.getFullName()) != null) {
attrs.add(LDAPModification.REPLACE,
new LDAPAttribute("sn", st));
@@ -1011,13 +1036,42 @@ public final class UGSubsystem implements IUGSubsystem {
new LDAPAttribute("userpassword", st));
}
if ((st = user.getPhone()) != null) {
- attrs.add(LDAPModification.REPLACE,
- new LDAPAttribute("telephonenumber", st));
+ if (! st.equals("")) {
+ attrs.add(LDAPModification.REPLACE,
+ new LDAPAttribute("telephonenumber", st));
+ } else {
+ try {
+ LDAPModification singleChange = new LDAPModification(
+ LDAPModification.DELETE, new LDAPAttribute("telephonenumber"));
+ ldapconn.modify("uid=" + user.getUserID() +
+ "," + getUserBaseDN(), singleChange);
+ } catch (LDAPException e) {
+ if (e.getLDAPResultCode() != LDAPException.NO_SUCH_ATTRIBUTE) {
+ CMS.debug("modifyUser: Error in deleting telephonenumber");
+ throw e;
+ }
+ }
+ }
}
+
if ((st = user.getState()) != null) {
- attrs.add(LDAPModification.REPLACE,
- new LDAPAttribute("userstate", st));
- }
+ if (! st.equals("")) {
+ attrs.add(LDAPModification.REPLACE,
+ new LDAPAttribute("userstate", st));
+ } else {
+ try {
+ LDAPModification singleChange = new LDAPModification(
+ LDAPModification.DELETE, new LDAPAttribute("userstate"));
+ ldapconn.modify("uid=" + user.getUserID() +
+ "," + getUserBaseDN(), singleChange);
+ } catch (LDAPException e) {
+ if (e.getLDAPResultCode() != LDAPException.NO_SUCH_ATTRIBUTE) {
+ CMS.debug("modifyUser: Error in deleting userstate");
+ throw e;
+ }
+ }
+ }
+ }
/**
if ((certs = user.getCertificates()) != null) {
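Review bot: The added DELETE of `telephonenumber` and `userstate` is issued as a separate `ldapconn.modify` before the main modification set is applied, so one modifyUser call now becomes up to three LDAP operations; if the final modify fails after a delete succeeded, the entry is left partially updated, and the deletes run before the audit-log step that follows the final modify (visible at the end of the next hunk), so they are not recorded when that later path throws. Adding the DELETE to `attrs` instead would keep the change atomic, at the cost of knowing whether the attribute is present (the NO_SUCH_ATTRIBUTE tolerance is presumably why the separate call was chosen); if the separate calls stay, a comment stating that trade-off, `// deleted in a separate op so a missing attribute does not fail the whole modify`, would help. Both branches also duplicate the same delete-and-tolerate logic, which could be one private helper taking the attribute name. The enclosing modifyUser method starts before and continues after the hunk.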
@@ -1040,7 +1094,6 @@ public final class UGSubsystem implements IUGSubsystem {
}
}
**/
- ldapconn = getConn();
ldapconn.modify("uid=" + user.getUserID() +
"," + getUserBaseDN(), attrs);
// for audit log
diff --git a/pki/base/kra/shared/conf/schema.ldif b/pki/base/kra/shared/conf/schema.ldif
index 269b3f576..4b9c1f65a 100644
--- a/pki/base/kra/shared/conf/schema.ldif
+++ b/pki/base/kra/shared/conf/schema.ldif
@@ -431,7 +431,7 @@ objectClasses: ( crlIssuingPointRecord-oid NAME 'crlIssuingPointRecord' DESC 'CM
dn: cn=schema
changetype: modify
add: objectClasses
-objectClasses: ( certificateRecord-oid NAME 'certificateRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subject $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN 'user defined' )
+objectClasses: ( certificateRecord-oid NAME 'certificateRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN 'user defined' )
dn: cn=schema
changetype: modify
diff --git a/pki/base/ocsp/shared/conf/schema.ldif b/pki/base/ocsp/shared/conf/schema.ldif
index d61f83dd6..ded663f4b 100644
--- a/pki/base/ocsp/shared/conf/schema.ldif
+++ b/pki/base/ocsp/shared/conf/schema.ldif
@@ -431,7 +431,7 @@ objectClasses: ( crlIssuingPointRecord-oid NAME 'crlIssuingPointRecord' DESC 'CM
dn: cn=schema
changetype: modify
add: objectClasses
-objectClasses: ( certificateRecord-oid NAME 'certificateRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subject $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN 'user defined' )
+objectClasses: ( certificateRecord-oid NAME 'certificateRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN 'user defined' )
dn: cn=schema
changetype: modify
diff --git a/pki/base/selinux/src/pki.fc b/pki/base/selinux/src/pki.fc
index 83b9edeff..56129164b 100644
--- a/pki/base/selinux/src/pki.fc
+++ b/pki/base/selinux/src/pki.fc
@@ -68,3 +68,9 @@
/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0)
/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0)
/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0)
+
+# labeling for new CA under pki-cad
+
+/var/run/pki/ca(/.*)? gen_context(system_u:object_r:pki_ca_var_run_t,s0)
+/etc/init.d/pki-cad gen_context(system_u:object_r:pki_ca_script_exec_t,s0)
+/etc/sysconfig/pki/ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0)
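Review bot: The three new file contexts label only the CA instance (`/var/run/pki/ca`, `/etc/init.d/pki-cad`, `/etc/sysconfig/pki/ca`), while the commit title describes the registry model generally; the kra, ocsp, tks and tps counterparts are not labeled here, so their init scripts and sysconfig directories presumably stay in default contexts until a follow-up adds them. A comment stating that scope, `# only the CA is labeled for the registry model so far; other subsystems to follow`, would make the partial coverage read as deliberate rather than as an omission. The `pki_ca_*` types referenced must already be declared by the CA template in pki.te/pki.if, since the .te change in this commit only bumps the module version.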
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index 4f2469b1d..a9d8c7f16 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -410,6 +410,7 @@ template(`pki_tps_template',`
attribute pki_tps_process;
attribute pki_tps_config, pki_tps_var_lib;
attribute pki_tps_executable, pki_tps_script, pki_tps_var_log;
+ type setfiles_t;
')
########################################
#
@@ -451,6 +452,9 @@ template(`pki_tps_template',`
manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+ # start/ stop using pki-cad
+ allow setfiles_t $1_etc_rw_t:file read;
+
manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
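Review bot: `allow setfiles_t $1_etc_rw_t:file read;` on the added line grants only `read`, not the `getattr` and `open` permissions a file read also needs on policies with the open permission enabled, so the access it is meant to permit can still be denied; `read_files_pattern(setfiles_t, $1_etc_rw_t, $1_etc_rw_t)` is the refpolicy form. Reaching into the system domain `setfiles_t` from a module rule is also against convention — declaring `$1_etc_rw_t` with `files_type` (or `files_config_file`) would presumably let setfiles and restorecon reach it through their existing attribute-based rules without the added `type setfiles_t;` in the gen_require. The hunk header places both additions in pki_tps_template while the comment speaks of pki-cad; confirm the rule landed in the intended template. The enclosing template starts outside the hunk.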
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index 4acaa4624..79442a7ea 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.14)
+policy_module(pki,1.0.15)
attribute pki_ca_config;
attribute pki_ca_executable;
diff --git a/pki/base/tks/shared/conf/schema.ldif b/pki/base/tks/shared/conf/schema.ldif
index d61f83dd6..ded663f4b 100644
--- a/pki/base/tks/shared/conf/schema.ldif
+++ b/pki/base/tks/shared/conf/schema.ldif
@@ -431,7 +431,7 @@ objectClasses: ( crlIssuingPointRecord-oid NAME 'crlIssuingPointRecord' DESC 'CM
dn: cn=schema
changetype: modify
add: objectClasses
-objectClasses: ( certificateRecord-oid NAME 'certificateRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subject $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN 'user defined' )
+objectClasses: ( certificateRecord-oid NAME 'certificateRecord' DESC 'CMS defined class' SUP top STRUCTURAL MUST cn MAY ( serialno $ dateOfCreate $ dateOfModify $ certStatus $ autoRenew $ issueInfo $ metaInfo $ revInfo $ version $ duration $ notAfter $ notBefore $ algorithmId $ subjectName $ signingAlgorithmId $ userCertificate $ issuedBy $ revokedBy $ revokedOn $ extension $ publicKeyData $ issuerName ) X-ORIGIN 'user defined' )
dn: cn=schema
changetype: modify