authoralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-05-25 19:02:39 +0000
committeralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-05-25 19:02:39 +0000
commit69eecbdaf98cb072c4dfb53ecf6f1fafd57fba9c (patch)
tree4d53f95a8fd7d417f2f397ccc174e94fd9969012 /pki
parent969b412d685a8e668da345df7cf57ba6b559c29a (diff)
Bugzilla Bug 499242 - selinux policy updates needed to ensure that CS works with lunasa hsm
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@489 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki')
-rw-r--r--pki/base/selinux/src/pki.if10
-rw-r--r--pki/base/selinux/src/pki.te2
-rw-r--r--pki/dogtag/selinux/pki-selinux.spec4
3 files changed, 11 insertions, 5 deletions
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index 1f7987e70..d41daa2cc 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -164,7 +164,7 @@ template(`pki_ca_template',`
')
can_exec($1_t, java_exec_t)
- # allow java subsystems to talk to the hsm
+ # allow java subsystems to talk to the ncipher hsm
allow $1_t pki_common_dev_t:sock_file write;
allow $1_t pki_common_dev_t:dir search;
allow $1_t pki_common_t:dir create_dir_perms;
@@ -172,6 +172,10 @@ template(`pki_ca_template',`
can_exec($1_t, pki_common_t)
init_stream_connect_script($1_t)
+ #allow java subsystems to talk to lunasa hsm
+ allow $1_t devlog_t:sock_file write;
+ allow $1_t self:unix_dgram_socket { write create connect };
+ allow $1_t syslogd_t:unix_dgram_socket sendto;
')
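Review bot: The comment above the three added rules says they let the java subsystem talk to the lunasa hsm, but what the rules actually grant is syslog access (write on the devlog_t socket, a self unix_dgram_socket, and sendto on syslogd_t's socket), so the comment should name the real mechanism, e.g. `# lunasa hsm client library logs via syslog; let the java subsystem send to the syslog socket`. These are the permissions the refpolicy interface `logging_send_syslog_msg($1_t)` already encapsulates; calling it instead of open-coding devlog_t and syslogd_t keeps the template working if the logging module changes the socket's type and avoids having to declare those two types in a gen_require block, unless they are already required earlier in pki_ca_template, whose start lies outside this hunk. It is also worth checking whether the same grant is needed by the other java subsystem templates in this file, since the hunk only changes the CA template.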
@@ -484,7 +488,7 @@ template(`pki_tps_template',`
allow pki_tps_t lib_t:file execute_no_trans;
allow pki_tps_t self:capability { setuid sys_nice setgid dac_override };
- allow pki_tps_t self:process { setsched signal getsched signull};
+ allow pki_tps_t self:process { setsched signal getsched signull execstack};
allow pki_tps_t self:sem all_sem_perms;
allow pki_tps_t self:tcp_socket create_stream_socket_perms;
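Review bot: Adding `execstack` to pki_tps_t's self:process permissions (and to pki_ra_t's in the hunk at -648) lets the whole daemon make its stack executable, which disables NX protection for the entire process rather than only for the HSM library, and nothing in the hunk records why it is needed. Add a comment on the changed line such as `# execstack: presumably required by the lunasa pkcs11 client library, which appears to be flagged with an executable stack - confirm with the AVC denial`, and keep the grant tied to that justification. The lower-risk fix is to clear the executable-stack flag on the offending library (`execstack -c <library>`) so this permission can be dropped again; also check the audit log for an accompanying execmem denial, which commonly appears alongside execstack and would otherwise be masked by this change. Both pki_tps_template and pki_ra_template start and end outside their hunks.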
@@ -648,7 +652,7 @@ template(`pki_ra_template',`
allow pki_ra_t lib_t:file execute_no_trans;
allow pki_ra_t self:capability { setuid sys_nice setgid dac_override };
- allow pki_ra_t self:process { setsched getsched signal signull};
+ allow pki_ra_t self:process { setsched getsched signal signull execstack};
allow pki_ra_t self:sem all_sem_perms;
allow pki_ra_t self:tcp_socket create_stream_socket_perms;
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index c4314e47d..169dc0ef1 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.6)
+policy_module(pki,1.0.7)
attribute pki_ca_config;
attribute pki_ca_executable;
diff --git a/pki/dogtag/selinux/pki-selinux.spec b/pki/dogtag/selinux/pki-selinux.spec
index 6a4d07b6b..543148509 100644
--- a/pki/dogtag/selinux/pki-selinux.spec
+++ b/pki/dogtag/selinux/pki-selinux.spec
@@ -33,7 +33,7 @@
## Package Header Definitions
%define base_name %{base_prefix}-%{base_component}
%define base_version 1.1.0
-%define base_release 4
+%define base_release 5
%define base_group System Environment/Shells
%define base_vendor Red Hat, Inc.
%define base_license GPLv2 with exceptions
@@ -249,6 +249,8 @@ fi
###############################################################################
%changelog
+* Mon May 25 2009 Ade Lee <alee@redhat.com> 1.1.0-5
+- Bugzilla Bug 499242 - selinux policy updates needed to ensure that CS works with lunasa hsm
* Fri May 1 2009 Ade Lee <alee@redhat.com> 1.1.0-4
- Bugzilla Bug 495157 - SELinux prevents CA from using nethsm pkcs11 module
* Fri Apr 24 2009 Ade Lee <alee@redhat.com> 1.1.0-3