-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java2
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py2
-rw-r--r--base/deploy/src/scriptlets/pkihelper.py8
-rw-r--r--base/selinux/src/pki.if16
-rw-r--r--base/selinux/src/pki.te6
5 files changed, 20 insertions, 14 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java
index 7c0c14969..9747eb12c 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java
@@ -873,7 +873,7 @@ public class SystemConfigurationResourceService extends CMSResourceService imple
throw new CMSException(Response.Status.BAD_REQUEST, "Invalid key backup file name");
}
- if ((data.getBackupPassword() == null) || (data.getBackupPassword().length()<=8)) {
+ if ((data.getBackupPassword() == null) || (data.getBackupPassword().length()<8)) {
throw new CMSException(Response.Status.BAD_REQUEST, "key backup password must be at least 8 characters");
}
} else {
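Review bot: The minimum of 8 now appears twice in this hunk — in the comparison on the `+` line and in the message string on the line after it — which is exactly how the old `<=8` drifted away from "at least 8 characters"; a class-level `private static final int MIN_BACKUP_PASSWORD_LENGTH = 8;` used in both places keeps them in step, e.g. `if (data.getBackupPassword() == null || data.getBackupPassword().length() < MIN_BACKUP_PASSWORD_LENGTH)` with the message built as `"key backup password must be at least " + MIN_BACKUP_PASSWORD_LENGTH + " characters"`. While the line is being touched, spacing the operator (`length() < 8`) is the conventional Java form. The enclosing method starts and ends outside this hunk.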
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 47ed16fc6..115e4327d 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -192,5 +192,5 @@ pki_master_jython_dict = None
PKI_INSTANCE_SELINUX_CONTEXT = "pki_tomcat_var_lib_t"
PKI_LOG_SELINUX_CONTEXT = "pki_tomcat_log_t"
PKI_CFG_SELINUX_CONTEXT = "pki_tomcat_etc_rw_t"
-PKI_PORT_SELINUX_CONTEXT = "pki_tomcat_port_t"
+PKI_PORT_SELINUX_CONTEXT = "http_port_t"
pki_selinux_config_ports = []
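Review bot: The new value `http_port_t` on the `+` line is the stock SELinux port type shared by every HTTP service on the host, whereas the old `pki_tomcat_port_t` was private to this policy module (pki.te in this same commit drops its declaration); that is a deliberate widening of which domains may bind the non-default PKI ports, and the constant deserves a comment recording it so a later maintainer does not reintroduce a dedicated type without knowing why it was retired. Suggested comment above the assignment: `# Non-default PKI ports are labelled with the generic http_port_t; the module-private pki_tomcat_port_t was removed from pki.te (10.0.6).`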
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index c172301af..61ac20273 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -636,16 +636,16 @@ class configuration_file:
def populate_non_default_ports(self):
if master['pki_http_port'] != \
- config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT:
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT):
ports.append(master['pki_http_port'])
if master['pki_https_port'] != \
- config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT:
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT):
ports.append(master['pki_https_port'])
if master['pki_tomcat_server_port'] != \
- config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT:
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT):
ports.append(master['pki_tomcat_server_port'])
if master['pki_ajp_port'] != \
- config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT:
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT):
ports.append(master['pki_ajp_port'])
return
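Review bot: The four `+` lines each wrap a different default in `str()` to match the type of the corresponding `master[...]` value (presumably strings read from configuration — confirm), and the surrounding four-branch body is the same three lines repeated with only the key and the default changed; a table-driven loop puts the string normalisation in one place, so the next port added cannot forget the `str()` the way these four originally did. `master`, `ports` and `config` are not defined in the hunk and are presumably module-level names. The trailing bare `return` is redundant in a method that returns nothing.
```python
    def populate_non_default_ports(self):
        # master[...] holds the configured port as a string (presumably; the
        # original comparisons wrapped each numeric default in str()), so the
        # default is normalised the same way before comparing.
        port_defaults = (
            ('pki_http_port', config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT),
            ('pki_https_port', config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT),
            ('pki_tomcat_server_port', config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT),
            ('pki_ajp_port', config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT),
        )
        for key, default in port_defaults:
            if master[key] != str(default):
                ports.append(master[key])
```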
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index b8c521a79..8f62136d5 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
@@ -19,11 +19,14 @@ template(`pki_tomcat_template',`
attribute pki_tomcat_executable, pki_tomcat_script, pki_tomcat_var_log;
type pki_tomcat_tomcat_exec_t;
type tomcat_exec_t;
- type $1_port_t;
type rpm_var_lib_t;
type rpm_exec_t;
type setfiles_t;
type load_policy_t;
+ type mxi_port_t;
+ type http_cache_port_t;
+ type http_port_t;
+ type dns_port_t;
')
########################################
#
@@ -74,7 +77,11 @@ template(`pki_tomcat_template',`
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:process signull;
- allow $1_t $1_port_t:tcp_socket {name_bind name_connect};
+ ## ports (these will be in the tomcat domain)
+ allow $1_t mxi_port_t : tcp_socket { name_bind name_connect };
+ allow $1_t http_cache_port_t : tcp_socket name_bind;
+ allow $1_t http_port_t : tcp_socket { name_bind name_connect };
+ allow $1_t dns_port_t : tcp_socket { recv_msg send_msg name_connect };
# use rpm to look at velocity version in dtomcat-foo
allow $1_t rpm_exec_t:file exec_file_perms;
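Review bot: The four added `allow` rules reach for the stock corenet port types directly, which is what forces the `type mxi_port_t;` … `type dns_port_t;` requirements added in the first hunk of this file; the refpolicy convention is to call the corenet interfaces instead (`corenet_tcp_bind_http_port($1_t)`, `corenet_tcp_connect_http_port($1_t)`, `corenet_tcp_bind_http_cache_port($1_t)`, `corenet_tcp_connect_dns_port($1_t)` and the matching mxi ones), which carry their own requires and keep this module decoupled from the exact type names. Two rules also need a why-comment as written: `http_cache_port_t` gets only `name_bind` while the others also get `name_connect`, and `recv_msg send_msg` on `dns_port_t` are the legacy per-packet permissions that `name_connect` alone normally suffices for on current kernels — if they came out of an audit2allow run rather than an observed denial they can probably be dropped. The `## ports` comment should record that `name_connect` on `http_port_t` lets the domain open outbound connections to any HTTP-labelled port on any host, not only its own instance ports, which is wider than the removed `$1_port_t` rule.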
@@ -150,7 +157,6 @@ template(`pki_tomcat_template',`
kernel_read_network_state($1_t)
kernel_read_system_state($1_t)
kernel_search_network_state($1_t)
- # audit2allow
kernel_signull_unlabeled($1_t)
auth_use_nsswitch($1_t)
@@ -161,6 +167,9 @@ template(`pki_tomcat_template',`
libs_use_shared_libs($1_t)
miscfiles_read_localization($1_t)
+ miscfiles_read_hwdata($1_t)
+ miscfiles_manage_cert_dirs($1_t)
+ miscfiles_manage_generic_cert_files($1_t)
logging_send_syslog_msg($1_t)
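Review bot: `miscfiles_manage_cert_dirs($1_t)` and `miscfiles_manage_generic_cert_files($1_t)` on the two added lines grant the tomcat domain create/write/delete over the system-wide certificate store (cert_t, the generic /etc/pki tree), not merely over the instance's own NSS database, which is considerably broader than a CA/KRA instance normally needs and means a compromised web application in this domain could alter trust material that other services on the host read. If the instance only has to read those files, `miscfiles_read_generic_certs($1_t)` is the narrower interface; if writes really are required, a comment naming the files and the step that writes them (e.g. `# configuration writes <path under /etc/pki> — TODO name it`) should sit next to the rules so the grant can be revisited. `miscfiles_read_hwdata($1_t)` here is a move from the last hunk of this file, not a new grant.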
@@ -204,7 +213,6 @@ template(`pki_tomcat_template',`
fs_getattr_xattr_fs($1_t)
fs_read_hugetlbfs_files($1_t)
hostname_exec($1_t)
- miscfiles_read_hwdata($1_t)
allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };
allow $1_t self:netlink_audit_socket { nlmsg_relay create write read};
kernel_read_kernel_sysctls($1_t)
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index a91385ff2..cce797d7e 100644
--- a/base/selinux/src/pki.te
+++ b/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,10.0.5)
+policy_module(pki,10.0.6)
attribute pki_tomcat_config;
attribute pki_tomcat_executable;
@@ -21,8 +21,6 @@ files_type(pki_common_dev_t)
type pki_tomcat_tomcat_exec_t;
files_type(pki_tomcat_tomcat_exec_t)
-type pki_tomcat_port_t;
-corenet_port(pki_tomcat_port_t)
pki_tomcat_template(pki_tomcat)
# forward proxy
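Review bot: Removing `type pki_tomcat_port_t;` and `corenet_port(pki_tomcat_port_t)` retires a type that earlier releases used to label ports (pkiconfig.py's PKI_PORT_SELINUX_CONTEXT pointed at it until this commit), so on an upgraded host any existing `semanage port` entries carrying that type would presumably reference an undefined type once module 10.0.6 loads; an upgrade step should delete those port labels first, or the module should keep the old name alive as a compatibility alias of http_port_t. The commented-out `typealias http_port_t alias { … }` added in the last hunk of this file looks like an attempt at exactly that; if it was abandoned because a module cannot alias a type it only requires, that constraint is worth recording in a comment beside it instead of leaving the line dead.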
@@ -41,7 +39,7 @@ typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_
typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
-
+# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
attribute pki_ra_config;
attribute pki_ra_executable;
attribute pki_ra_var_lib;