-rw-r--r--base/deploy/CMakeLists.txt11
-rw-r--r--base/deploy/scripts/operations2
-rw-r--r--base/deploy/src/scriptlets/initialization.py5
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py12
-rw-r--r--base/deploy/src/scriptlets/pkihelper.py52
-rw-r--r--base/deploy/src/scriptlets/pkimessages.py2
-rw-r--r--base/deploy/src/scriptlets/selinux_setup.py107
-rw-r--r--base/selinux/src/pki.fc125
-rw-r--r--base/selinux/src/pki.if243
-rw-r--r--base/selinux/src/pki.te119
-rw-r--r--specs/pki-core.spec2
11 files changed, 310 insertions, 370 deletions
diff --git a/base/deploy/CMakeLists.txt b/base/deploy/CMakeLists.txt
index c7c4bd19b..666a7704d 100644
--- a/base/deploy/CMakeLists.txt
+++ b/base/deploy/CMakeLists.txt
@@ -83,6 +83,7 @@ install(
src/scriptlets/pkiparser.py
src/scriptlets/pkiscriptlet.py
src/scriptlets/security_databases.py
+ src/scriptlets/selinux_setup.py
src/scriptlets/slot_substitution.py
src/scriptlets/subsystem_layout.py
src/scriptlets/war_explosion.py
@@ -143,6 +144,11 @@ foreach(TOMCAT_SUBSYSTEM ${TOMCAT_SUBSYSTEMS})
)
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
+ \"${PYTHON_SITE_PACKAGES}/pki/deployment/selinux_setup.py\"
+ \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/035_selinux_setup\")"
+ )
+ install(CODE "execute_process(COMMAND
+ ${CMAKE_COMMAND} -E create_symlink
\"${PYTHON_SITE_PACKAGES}/pki/deployment/war_explosion.py\"
\"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/040_war_explosion\")"
)
@@ -211,6 +217,11 @@ foreach(TOMCAT_SUBSYSTEM ${TOMCAT_SUBSYSTEMS})
)
install(CODE "execute_process(COMMAND
${CMAKE_COMMAND} -E create_symlink
+ \"${PYTHON_SITE_PACKAGES}/pki/deployment/selinux_setup.py\"
+ \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/985_selinux_setup\")"
+ )
+ install(CODE "execute_process(COMMAND
+ ${CMAKE_COMMAND} -E create_symlink
\"${PYTHON_SITE_PACKAGES}/pki/deployment/infrastructure_layout.py\"
\"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/990_infrastructure_layout\")"
)
diff --git a/base/deploy/scripts/operations b/base/deploy/scripts/operations
index ea7527f31..a2f88b30d 100644
--- a/base/deploy/scripts/operations
+++ b/base/deploy/scripts/operations
@@ -790,7 +790,7 @@ start_instance()
# with programmatic replacement of either
# 'pki_tomcat_script_t' or 'pki_apache_script_t', AND
# (2) MUST currently be run with SELinux in 'Permissive' mode!
- /usr/bin/runcon -t pki_ca_script_t \
+ /usr/bin/runcon -t pki_tomcat_script_t \
$PKI_INSTANCE_INITSCRIPT start
rv=$?
else
diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py
index cc516532e..368cf2595 100644
--- a/base/deploy/src/scriptlets/initialization.py
+++ b/base/deploy/src/scriptlets/initialization.py
@@ -50,6 +50,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.configuration_file.verify_sensitive_data()
# verify existence of MUTUALLY EXCLUSIVE configuration file data
util.configuration_file.verify_mutually_exclusive_data()
+ # verify selinux context of selected ports
+ util.configuration_file.populate_non_default_ports()
+ util.configuration_file.verify_selinux_ports()
return self.rv
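Review bot: The two added calls (`populate_non_default_ports()` and `verify_selinux_ports()`) run unconditionally, so spawn will query the semanage store through seobject even on hosts where SELinux is disabled or no policy store is installed; whether that raises or simply returns empty port records depends on the host and is not visible here. Gating both calls on `selinux.is_selinux_enabled()`, or stating in the comment that a policy store is a hard requirement of deployment, would make the behaviour deterministic. The enclosing `spawn` method starts outside the hunk.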
def respawn(self):
@@ -80,6 +83,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# establish 'uid' and 'gid'
util.identity.set_uid(master['pki_user'])
util.identity.set_gid(master['pki_group'])
+ # get ports to remove selinux context
+ util.configuration_file.populate_non_default_ports()
# ALWAYS Stop this Apache/Tomcat PKI Process
util.systemd.stop()
return self.rv
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index fc8ddac90..e300c1ea7 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -79,6 +79,11 @@ PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE = "pkideployment.cfg"
PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE =\
"/usr/share/pki/deployment/config/pkislots.cfg"
+# default ports (for defined selinux policy)
+PKI_DEPLOYMENT_DEFAULT_HTTP_PORT = 8080
+PKI_DEPLOYMENT_DEFAULT_HTTPS_PORT = 8443
+PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT = 8005
+PKI_DEPLOYMENT_DEFAULT_AJP_PORT = 8009
# PKI Deployment Jython 2.2 Constants
PKI_JYTHON_CRITICAL_LOG_LEVEL = 1
@@ -174,3 +179,10 @@ pki_subsystem_dict = None
pki_master_dict = None
pki_slots_dict = None
pki_master_jython_dict = None
+
+# PKI Selinux Constants and parameters
+PKI_INSTANCE_SELINUX_CONTEXT = "pki_tomcat_var_lib_t"
+PKI_LOG_SELINUX_CONTEXT = "pki_tomcat_log_t"
+PKI_CFG_SELINUX_CONTEXT = "pki_tomcat_etc_rw_t"
+PKI_PORT_SELINUX_CONTEXT = "pki_tomcat_port_t"
+pki_selinux_config_ports = []
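Review bot: `pki_selinux_config_ports = []` on the last line of the hunk is module-level mutable state that pkihelper.py and selinux_setup.py import under the alias `ports`; that alias stays in sync only because every user mutates the list in place, and a `ports = [...]` rebinding in any one module would silently desynchronise the others. A comment on the declaration would make the contract explicit, e.g. `# shared by reference across scriptlets: mutate in place (append/remove), never rebind`. The four context constants above it have to match the type names declared in base/selinux/src/pki.te; a one-line comment pointing there would help whoever renames them next.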
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index 7de6502a2..1ceb65898 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -35,6 +35,7 @@ from grp import getgrnam
from pwd import getpwnam
from pwd import getpwuid
import zipfile
+import seobject
# PKI Deployment Imports
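Review bot: `import seobject` on the added line is unconditional, and pkihelper.py is imported by every scriptlet, so deployment now fails at import time on a host without the policycoreutils Python bindings; no Requires for that package is visible in the spec hunk of this commit. Either add the packaging dependency or import seobject lazily inside `verify_selinux_ports`, where its absence can be reported as a deployment error instead of an ImportError traceback. The same consideration applies to `import seobject` and `import selinux` at the top of the new selinux_setup.py.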
@@ -42,6 +43,7 @@ import pkiconfig as config
from pkiconfig import pki_master_dict as master
from pkiconfig import pki_sensitive_dict as sensitive
from pkiconfig import pki_slots_dict as slots
+from pkiconfig import pki_selinux_config_ports as ports
import pkimanifest as manifest
import pkimessages as log
@@ -403,6 +405,56 @@ class configuration_file:
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
+ def populate_non_default_ports(self):
+ if master['pki_http_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_HTTP_PORT:
+ ports.append(master['pki_http_port'])
+ if master['pki_https_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_HTTPS_PORT:
+ ports.append(master['pki_https_port'])
+ if master['pki_tomcat_server_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT:
+ ports.append(master['pki_tomcat_server_port'])
+ if master['pki_ajp_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_AJP_PORT:
+ ports.append(master['pki_ajp_port'])
+ return
+
+ def verify_selinux_ports(self):
+ # Determine which ports still need to be labelled, and if any are
+ # incorrectly labelled
+ if len(ports) == 0:
+ return
+
+ portrecs = seobject.portRecords().get_all()
+ portlist = ports[:]
+ for port in portlist:
+ context = ""
+ for i in portrecs:
+ if portrecs[i][0] == "unreserved_port_t" or \
+ portrecs[i][0] == "reserved_port_t" or \
+ i[2] != "tcp":
+ continue
+ if i[0] <= int(port) and int(port) <= i[1]:
+ context = portrecs[i][0]
+ break
+ if context == "":
+ # port has no current context
+ # leave it in list of ports to set
+ continue
+ elif context == config.PKI_PORT_SELINUX_CONTEXT:
+ # port is already set correctly
+ # remove from list of ports to set
+ ports.remove(port)
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT,
+ port, context,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ return
+
+
# PKI Deployment XML File Class
#class xml_file:
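Review bot: `populate_non_default_ports` compares `master['pki_http_port']` (and its three siblings) to the integer constants with `!=`, but the same values are later passed through `int(port)` in `verify_selinux_ports` and handed to `seobject.portRecords().add`, which suggests they are strings read from the deployment config; a string `'8080'` never equals `8080`, so every default port would be treated as non-default, get a `pki_tomcat_port_t` record added at spawn and deleted at destroy. Normalise before comparing, e.g. `if int(master['pki_http_port']) != config.PKI_DEPLOYMENT_DEFAULT_HTTP_PORT:`, and likewise for the https, tomcat-server and ajp ports. The function also appends without de-duplicating, so two config keys set to the same port produce a duplicate `add` in selinux_setup; `if port not in ports:` before each append avoids that. In `verify_selinux_ports` the range test reads more naturally as `if i[0] <= int(port) <= i[1]:`. Both methods belong to `class configuration_file`, whose header lies outside the hunk.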
diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
index d1326edb3..e4da468c1 100644
--- a/base/deploy/src/scriptlets/pkimessages.py
+++ b/base/deploy/src/scriptlets/pkimessages.py
@@ -163,6 +163,8 @@ PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ."
PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ."
PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s"
PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s"
+PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = "port %s has invalid selinux "\
+ "context %s"
PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\
"jython %s %s <master_dictionary>'"
PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory"
diff --git a/base/deploy/src/scriptlets/selinux_setup.py b/base/deploy/src/scriptlets/selinux_setup.py
new file mode 100644
index 000000000..38cc17f0a
--- /dev/null
+++ b/base/deploy/src/scriptlets/selinux_setup.py
@@ -0,0 +1,107 @@
+#!/usr/bin/python -t
+# Authors:
+# Ade Lee <alee@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+from pkiconfig import pki_selinux_config_ports as ports
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+import seobject
+import selinux
+
+# PKI Deployment Selinux Setup Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+ suffix = "(/.*)?"
+
+ def restore_context(self):
+ selinux.restorecon(master['pki_instance_path'], True)
+ selinux.restorecon(master['pki_instance_log_path'], True)
+ selinux.restorecon(master['pki_instance_configuration_path'], True)
+
+ def spawn(self):
+ config.pki_log.info(log.SUBSYSTEM_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+
+ # check first if any transactions are required
+ if len(ports) == 0 and master['pki_instance_name'] == \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ self.restore_context()
+ return self.rv
+
+ trans = seobject.semanageRecords("targeted")
+ trans.start()
+ if master['pki_instance_name'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ fcon1 = seobject.fcontextRecords()
+ fcon1.add(master['pki_instance_path'] + self.suffix,
+ config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "")
+
+ fcon2 = seobject.fcontextRecords()
+ fcon2.add(master['pki_instance_log_path'] + self.suffix,
+ config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "")
+
+ fcon3 = seobject.fcontextRecords()
+ fcon3.add(master['pki_instance_configuration_path'] + self.suffix,
+ config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "")
+ for port in ports:
+ port1 = seobject.portRecords()
+ port1.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT)
+ trans.finish()
+
+ self.restore_context()
+ return self.rv
+
+ def respawn(self):
+ config.pki_log.info(log.SUBSYSTEM_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ self.restore_context()
+ return self.rv
+
+ def destroy(self):
+ config.pki_log.info(log.SUBSYSTEM_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+
+ # check first if any transactions are required
+ if len(ports) == 0 and master['pki_instance_name'] == \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ return self.rv
+
+ trans = seobject.semanageRecords("targeted")
+ trans.start()
+ if master['pki_instance_name'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ fcon1 = seobject.fcontextRecords()
+ fcon1.delete(master['pki_instance_path'] + self.suffix , "")
+
+ fcon2 = seobject.fcontextRecords()
+ fcon2.delete(master['pki_instance_log_path'] + self.suffix, "")
+
+ fcon3 = seobject.fcontextRecords()
+ fcon3.delete(master['pki_instance_configuration_path'] + \
+ self.suffix, "")
+ for port in ports:
+ port1 = seobject.portRecords()
+ port1.delete(port, "tcp")
+ trans.finish()
+ return self.rv
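Review bot: In both `spawn` and `destroy` the calls between `trans.start()` and `trans.finish()` have no error handling, and seobject raises ValueError when a file context is already defined or a port record does not exist, so a partially relabelled or half-removed instance leaves the scriptlet dying with a bare traceback and an unfinished semanage transaction; wrap that span in `try:`/`except ValueError as e:` that logs through `config.pki_log.error` and returns a non-zero `self.rv` (or re-raises) so pkispawn and pkidestroy report the cause. `destroy` also removes every entry in `ports` with `port1.delete(port, "tcp")` without checking which type the port currently carries — spawn is protected by `verify_selinux_ports`, destroy is not — so a port that has meanwhile been labelled for another service would be unlabelled; reuse the lookup from `verify_selinux_ports` and skip ports whose type is not `config.PKI_PORT_SELINUX_CONTEXT`. The policy store is hard-coded as `seobject.semanageRecords("targeted")`; deriving it from the running policy (`selinux.selinux_getpolicytype()`) keeps the scriptlet usable on other stores. Finally, `master['pki_instance_path'] + self.suffix` is handed to semanage as a regular expression, so an instance path containing regex metacharacters would need escaping before the `add`/`delete` calls.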
diff --git a/base/selinux/src/pki.fc b/base/selinux/src/pki.fc
index 3a22d86a4..fbc086fe0 100644
--- a/base/selinux/src/pki.fc
+++ b/base/selinux/src/pki.fc
@@ -1,91 +1,40 @@
-
-/usr/bin/dtomcat5-pki-ca -- gen_context(system_u:object_r:pki_ca_exec_t,s0)
-
-/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0)
-/etc/pki-ca/tomcat5.conf -- gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0)
-
-/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_var_lib_t,s0)
-
-/var/run/pki-ca.pid gen_context(system_u:object_r:pki_ca_var_run_t,s0)
-
-/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_log_t,s0)
-
-/usr/bin/dtomcat5-pki-kra -- gen_context(system_u:object_r:pki_kra_exec_t,s0)
-
-/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0)
-/etc/pki-kra/tomcat5.conf -- gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0)
-
-/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_var_lib_t,s0)
-
-/var/run/pki-kra.pid gen_context(system_u:object_r:pki_kra_var_run_t,s0)
-
-/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_log_t,s0)
-
-/usr/bin/dtomcat5-pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_exec_t,s0)
-
-/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0)
-/etc/pki-ocsp/tomcat5.conf -- gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0)
-
-/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_lib_t,s0)
-
-/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_ocsp_var_run_t,s0)
-
-/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_log_t,s0)
-
-/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0)
-/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
-/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
-/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
-
-
-/usr/bin/dtomcat5-pki-tks -- gen_context(system_u:object_r:pki_tks_exec_t,s0)
-
-/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0)
-/etc/pki-tks/tomcat5.conf -- gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0)
-
-/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_var_lib_t,s0)
-
-/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tks_var_run_t,s0)
-
-/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_log_t,s0)
-
-/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
-/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
-/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
+/etc/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
+
+/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0)
+/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
+/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
+/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
+/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+
+/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
+/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
+/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
+/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
# default labeling for nCipher
-/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0)
-/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0)
-/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0)
-/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0)
-
-# labeling for new CA under pki-cad
-
-/var/run/pki/ca(/.*)? gen_context(system_u:object_r:pki_ca_var_run_t,s0)
-/etc/sysconfig/pki/ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0)
-
-# labeling for new KRA under pki-krad
-
-/var/run/pki/kra(/.*)? gen_context(system_u:object_r:pki_kra_var_run_t,s0)
-/etc/sysconfig/pki/kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0)
-
-# labeling for new OCSP under pki-ocspd
-
-/var/run/pki/ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_run_t,s0)
-/etc/sysconfig/pki/ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0)
-
-# labeling for new TKS under pki-tksd
-
-/var/run/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_var_run_t,s0)
-/etc/sysconfig/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0)
-
-# labeling for new RA under pki-rad
-
-/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
-/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
-
-# labeling for new TPS under pki-tpsd
-
-/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
-/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0)
+/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0)
+/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0)
+/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0)
+
+# old paths (for migration)
+/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-ca.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-kra.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
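Review bot: The `# old paths (for migration)` block at the end of the hunk covers only the legacy pki-ca, pki-kra and pki-ocsp paths, while the removed `/etc/pki-tks`, `/var/lib/pki-tks`, `/var/run/pki-tks.pid` and `/var/log/pki-tks` entries get no replacement — yet pki.te in this same commit aliases `pki_tks_t`, `pki_tks_etc_rw_t`, `pki_tks_var_lib_t`, `pki_tks_var_run_t` and `pki_tks_log_t` onto the tomcat types, so a legacy TKS install relabelled with restorecon would fall back to whatever its parent directories default to and lose the access the aliases were meant to preserve. Adding the four pki-tks lines with the matching `pki_tomcat_*` contexts keeps the migration consistent. Separately, the new file labels nothing as `pki_tomcat_exec_t` or `pki_tomcat_tomcat_exec_t` (the old `/usr/bin/dtomcat5-*` and `tomcat5.conf` entries are dropped), so the template's `init_daemon_domain` transition has no entrypoint on disk; if that is deliberate while startup goes through `runcon` as the comment in scripts/operations says, a comment here saying so would stop the next reader from treating it as an omission.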
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index 0709176ea..b8c521a79 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
@@ -12,24 +12,26 @@
## </summary>
## </param>
#
-template(`pki_ca_template',`
+template(`pki_tomcat_template',`
gen_require(`
- attribute pki_ca_process;
- attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run;
- attribute pki_ca_executable, pki_ca_script, pki_ca_var_log;
- type pki_ca_tomcat_exec_t;
+ attribute pki_tomcat_process;
+ attribute pki_tomcat_config, pki_tomcat_var_lib, pki_tomcat_var_run;
+ attribute pki_tomcat_executable, pki_tomcat_script, pki_tomcat_var_log;
+ type pki_tomcat_tomcat_exec_t;
+ type tomcat_exec_t;
type $1_port_t;
type rpm_var_lib_t;
type rpm_exec_t;
type setfiles_t;
+ type load_policy_t;
')
########################################
#
# Declarations
#
- type $1_t, pki_ca_process;
- type $1_exec_t, pki_ca_executable;
+ type $1_t, pki_tomcat_process;
+ type $1_exec_t, pki_tomcat_executable;
domain_type($1_t)
init_daemon_domain($1_t, $1_exec_t)
@@ -45,16 +47,16 @@ template(`pki_ca_template',`
allow $1_t java_exec_t:file entrypoint;
allow initrc_t $1_script_t:process transition;
- type $1_etc_rw_t, pki_ca_config;
+ type $1_etc_rw_t, pki_tomcat_config;
files_type($1_etc_rw_t)
- type $1_var_run_t, pki_ca_var_run;
+ type $1_var_run_t, pki_tomcat_var_run;
files_pid_file($1_var_run_t)
- type $1_var_lib_t, pki_ca_var_lib;
+ type $1_var_lib_t, pki_tomcat_var_lib;
files_type($1_var_lib_t)
- type $1_log_t, pki_ca_var_log;
+ type $1_log_t, pki_tomcat_var_log;
logging_log_file($1_log_t)
########################################
@@ -195,6 +197,25 @@ template(`pki_ca_template',`
# tomcat connects to ephemeral ports on shutdown
corenet_tcp_connect_all_unreserved_ports($1_t)
+ # new tomcat perms for dogtag 10
+ allow $1_t pki_tomcat_var_run_t:lnk_file read;
+ can_exec($1_t, tomcat_exec_t)
+ consoletype_exec($1_t)
+ fs_getattr_xattr_fs($1_t)
+ fs_read_hugetlbfs_files($1_t)
+ hostname_exec($1_t)
+ miscfiles_read_hwdata($1_t)
+ allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };
+ allow $1_t self:netlink_audit_socket { nlmsg_relay create write read};
+ kernel_read_kernel_sysctls($1_t)
+ selinux_get_enforce_mode($1_t)
+ dirsrv_manage_var_lib($1_t)
+
+ # write to /var/log/pki for spawn and destroy
+ allow $1_t pki_log_t:dir {getattr search};
+ allow load_policy_t pki_log_t:file write;
+ allow setfiles_t pki_log_t:file write;
+
optional_policy(`
#This is broken in selinux-policy we need java_exec defined, Will add to policy
gen_require(`
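Review bot: The new `# new tomcat perms for dogtag 10` block grants `$1_t` the `dac_override` capability and `dirsrv_manage_var_lib($1_t)`, the two broadest lines in the template: `dac_override` bypasses every DAC permission check, and the dirsrv rule lets the PKI domain create and delete inside the directory server's data directories. Each should carry a comment naming the denial or operation it was added for, and `dac_override` in particular should be re-checked — if the process only needs to read files it does not own, `dac_read_search` is the narrower capability. The lines `allow load_policy_t pki_log_t:file write;` and `allow setfiles_t pki_log_t:file write;` do not mention `$1` at all, so they belong next to the `type pki_log_t` declaration in pki.te rather than inside a per-instance template where they are re-emitted for every instantiation; granting those system domains write access to a pki file type is unusual enough to deserve a why-comment. The enclosing template starts and ends outside this hunk.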
@@ -211,59 +232,7 @@ template(`pki_ca_template',`
########################################
## <summary>
## All of the rules required to administrate
-## an pki_ca environment
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to be allowed to manage the syslog domain.
-## </summary>
-## </param>
-## <param name="terminal">
-## <summary>
-## The type of the user terminal.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`pki_ca_admin',`
- gen_require(`
- type pki_ca_tomcat_exec_t;
- attribute pki_ca_process;
- attribute pki_ca_config;
- attribute pki_ca_executable;
- attribute pki_ca_var_lib;
- attribute pki_ca_var_log;
- attribute pki_ca_var_run;
- attribute pki_ca_pidfiles;
- attribute pki_ca_script;
- ')
-
- allow $1 pki_ca_process:process { ptrace signal_perms };
- ps_process_pattern($1, pki_ca_t)
-
- # Allow pki_ca_t to restart the service
- pki_ca_script_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 pki_ca_script system_r;
- allow $2 system_r;
-
- manage_all_pattern($1, pki_ca_config)
- manage_all_pattern($1, pki_ca_var_run)
- manage_all_pattern($1, pki_ca_var_lib)
- manage_all_pattern($1, pki_ca_var_log)
- manage_all_pattern($1, pki_ca_config)
- manage_all_pattern($1, pki_ca_tomcat_exec_t)
-')
-
-########################################
-## <summary>
-## All of the rules required to administrate
-## an pki_kra environment
+## an pki_tomcat environment
## </summary>
## <param name="domain">
## <summary>
@@ -282,86 +251,34 @@ interface(`pki_ca_admin',`
## </param>
## <rolecap/>
#
-interface(`pki_kra_admin',`
+interface(`pki_tomcat_admin',`
gen_require(`
- type pki_kra_tomcat_exec_t;
- attribute pki_kra_process;
- attribute pki_kra_config;
- attribute pki_kra_executable;
- attribute pki_kra_var_lib;
- attribute pki_kra_var_log;
- attribute pki_kra_var_run;
- attribute pki_kra_pidfiles;
- attribute pki_kra_script;
+ type pki_tomcat_tomcat_exec_t;
+ attribute pki_tomcat_process;
+ attribute pki_tomcat_config;
+ attribute pki_tomcat_executable;
+ attribute pki_tomcat_var_lib;
+ attribute pki_tomcat_var_log;
+ attribute pki_tomcat_var_run;
+ attribute pki_tomcat_pidfiles;
+ attribute pki_tomcat_script;
')
- allow $1 pki_kra_process:process { ptrace signal_perms };
- ps_process_pattern($1, pki_kra_t)
+ allow $1 pki_tomcat_process:process { ptrace signal_perms };
+ ps_process_pattern($1, pki_tomcat_t)
- # Allow pki_kra_t to restart the service
- pki_kra_script_domtrans($1)
+ # Allow pki_tomcat_t to restart the service
+ pki_tomcat_script_domtrans($1)
domain_system_change_exemption($1)
- role_transition $2 pki_kra_script system_r;
+ role_transition $2 pki_tomcat_script system_r;
allow $2 system_r;
- manage_all_pattern($1, pki_kra_config)
- manage_all_pattern($1, pki_kra_var_run)
- manage_all_pattern($1, pki_kra_var_lib)
- manage_all_pattern($1, pki_kra_var_log)
- manage_all_pattern($1, pki_kra_config)
- manage_all_pattern($1, pki_kra_tomcat_exec_t)
-')
-
-########################################
-## <summary>
-## All of the rules required to administrate
-## an pki_ocsp environment
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to be allowed to manage the syslog domain.
-## </summary>
-## </param>
-## <param name="terminal">
-## <summary>
-## The type of the user terminal.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`pki_ocsp_admin',`
- gen_require(`
- type pki_ocsp_tomcat_exec_t;
- attribute pki_ocsp_process;
- attribute pki_ocsp_config;
- attribute pki_ocsp_executable;
- attribute pki_ocsp_var_lib;
- attribute pki_ocsp_var_log;
- attribute pki_ocsp_var_run;
- attribute pki_ocsp_pidfiles;
- attribute pki_ocsp_script;
- ')
-
- allow $1 pki_ocsp_process:process { ptrace signal_perms };
- ps_process_pattern($1, pki_ocsp_t)
-
- # Allow pki_ocsp_t to restart the service
- pki_ocsp_script_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 pki_ocsp_script system_r;
- allow $2 system_r;
-
- manage_all_pattern($1, pki_ocsp_config)
- manage_all_pattern($1, pki_ocsp_var_run)
- manage_all_pattern($1, pki_ocsp_var_lib)
- manage_all_pattern($1, pki_ocsp_var_log)
- manage_all_pattern($1, pki_ocsp_config)
- manage_all_pattern($1, pki_ocsp_tomcat_exec_t)
+ manage_all_pattern($1, pki_tomcat_config)
+ manage_all_pattern($1, pki_tomcat_var_run)
+ manage_all_pattern($1, pki_tomcat_var_lib)
+ manage_all_pattern($1, pki_tomcat_var_log)
+ manage_all_pattern($1, pki_tomcat_config)
+ manage_all_pattern($1, pki_tomcat_tomcat_exec_t)
')
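Review bot: In the renamed `pki_tomcat_admin` interface, `manage_all_pattern($1, pki_tomcat_config)` appears twice (once right after `allow $2 system_r;` and again just before `pki_tomcat_tomcat_exec_t`); the duplicate was carried over from `pki_kra_admin` and is redundant, so drop the second occurrence. The `gen_require` block also lists `attribute pki_tomcat_pidfiles`, which the visible body never references; keep it only if something outside this hunk depends on the require.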
########################################
@@ -626,58 +543,6 @@ interface(`pki_ra_admin',`
########################################
## <summary>
-## All of the rules required to administrate
-## an pki_tks environment
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to be allowed to manage the syslog domain.
-## </summary>
-## </param>
-## <param name="terminal">
-## <summary>
-## The type of the user terminal.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`pki_tks_admin',`
- gen_require(`
- type pki_tks_tomcat_exec_t;
- attribute pki_tks_process;
- attribute pki_tks_config;
- attribute pki_tks_executable;
- attribute pki_tks_var_lib;
- attribute pki_tks_var_log;
- attribute pki_tks_var_run;
- attribute pki_tks_pidfiles;
- attribute pki_tks_script;
- ')
-
- allow $1 pki_tks_process:process { ptrace signal_perms };
- ps_process_pattern($1, pki_tks_t)
-
- # Allow pki_tks_t to restart the service
- pki_tks_script_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 pki_tks_script system_r;
- allow $2 system_r;
-
- manage_all_pattern($1, pki_tks_config)
- manage_all_pattern($1, pki_tks_var_run)
- manage_all_pattern($1, pki_tks_var_lib)
- manage_all_pattern($1, pki_tks_var_log)
- manage_all_pattern($1, pki_tks_config)
- manage_all_pattern($1, pki_tks_tomcat_exec_t)
-')
-
-########################################
-## <summary>
## Execute pki_tps server in the pki_tps domain.
## </summary>
## <param name="domain">
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index 7f6e65738..a91385ff2 100644
--- a/base/selinux/src/pki.te
+++ b/base/selinux/src/pki.te
@@ -1,13 +1,16 @@
-policy_module(pki,10.0.2)
+policy_module(pki,10.0.5)
-attribute pki_ca_config;
-attribute pki_ca_executable;
-attribute pki_ca_var_lib;
-attribute pki_ca_var_log;
-attribute pki_ca_var_run;
-attribute pki_ca_pidfiles;
-attribute pki_ca_script;
-attribute pki_ca_process;
+attribute pki_tomcat_config;
+attribute pki_tomcat_executable;
+attribute pki_tomcat_var_lib;
+attribute pki_tomcat_var_log;
+attribute pki_tomcat_var_run;
+attribute pki_tomcat_pidfiles;
+attribute pki_tomcat_script;
+attribute pki_tomcat_process;
+
+type pki_log_t;
+files_type(pki_log_t)
type pki_common_t;
files_type(pki_common_t)
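Review bot: `type pki_log_t;` followed by `files_type(pki_log_t)` declares the `/var/log/pki` type as a plain file type, whereas every other log type in this policy goes through `logging_log_file` (see `logging_log_file($1_log_t)` in the pki.if template), which also makes the type a member of the logfile attribute that logrotate, syslog and the admin interfaces rely on. Use `logging_log_file(pki_log_t)` for consistency. A comment such as `# /var/log/pki itself; per-instance logs use pki_tomcat_log_t` would explain why two log types now exist.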
@@ -15,57 +18,29 @@ files_type(pki_common_t)
type pki_common_dev_t;
files_type(pki_common_dev_t)
-type pki_ca_tomcat_exec_t;
-files_type(pki_ca_tomcat_exec_t)
+type pki_tomcat_tomcat_exec_t;
+files_type(pki_tomcat_tomcat_exec_t)
-pki_ca_template(pki_ca)
-corenet_tcp_connect_pki_kra_port(pki_ca_t)
-corenet_tcp_connect_pki_ocsp_port(pki_ca_t)
+type pki_tomcat_port_t;
+corenet_port(pki_tomcat_port_t)
+pki_tomcat_template(pki_tomcat)
# forward proxy
-corenet_tcp_connect_pki_ca_port(httpd_t)
+# need to define ports to fix this
+#corenet_tcp_connect_pki_tomcat_port(httpd_t)
# for crl publishing
-allow pki_ca_t pki_ca_var_lib_t:lnk_file { rename create unlink };
+allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
# for ECC
-auth_getattr_shadow(pki_ca_t)
-
-attribute pki_kra_config;
-attribute pki_kra_executable;
-attribute pki_kra_var_lib;
-attribute pki_kra_var_log;
-attribute pki_kra_var_run;
-attribute pki_kra_pidfiles;
-attribute pki_kra_script;
-attribute pki_kra_process;
-
-type pki_kra_tomcat_exec_t;
-files_type(pki_kra_tomcat_exec_t)
-
-pki_ca_template(pki_kra)
-corenet_tcp_connect_pki_ca_port(pki_kra_t)
-
-# forward proxy
-corenet_tcp_connect_pki_kra_port(httpd_t)
-
-attribute pki_ocsp_config;
-attribute pki_ocsp_executable;
-attribute pki_ocsp_var_lib;
-attribute pki_ocsp_var_log;
-attribute pki_ocsp_var_run;
-attribute pki_ocsp_pidfiles;
-attribute pki_ocsp_script;
-attribute pki_ocsp_process;
-
-type pki_ocsp_tomcat_exec_t;
-files_type(pki_ocsp_tomcat_exec_t)
+auth_getattr_shadow(pki_tomcat_t)
-pki_ca_template(pki_ocsp)
-corenet_tcp_connect_pki_ca_port(pki_ocsp_t)
-
-# forward proxy
-corenet_tcp_connect_pki_ocsp_port(httpd_t)
+# old type aliases for migration
+typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
+typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
+typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
+typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
+typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
attribute pki_ra_config;
attribute pki_ra_executable;
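Review bot: The forward-proxy rule for Apache is commented out (`#corenet_tcp_connect_pki_tomcat_port(httpd_t)` under `# need to define ports to fix this`), so with this policy `httpd_t` loses the `name_connect` permission it previously had via `corenet_tcp_connect_pki_ca_port(httpd_t)`, and a proxying Apache will be denied in enforcing mode. The port type is defined a few lines earlier (`type pki_tomcat_port_t;` / `corenet_port(pki_tomcat_port_t)`); since no `corenet_tcp_connect_pki_tomcat_port` interface exists for a locally declared type, the rule can be written directly as `allow httpd_t pki_tomcat_port_t:tcp_socket name_connect;` inside an `optional_policy` block that requires `type httpd_t;`. If the omission is intentional until the ports are moved into the base policy, the comment should say so and name the tracking item.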
@@ -81,26 +56,8 @@ files_type(pki_ra_tomcat_exec_t)
pki_ra_template(pki_ra)
-attribute pki_tks_config;
-attribute pki_tks_executable;
-attribute pki_tks_var_lib;
-attribute pki_tks_var_log;
-attribute pki_tks_var_run;
-attribute pki_tks_pidfiles;
-attribute pki_tks_script;
-attribute pki_tks_process;
-
-type pki_tks_tomcat_exec_t;
-files_type(pki_tks_tomcat_exec_t)
-
-pki_ca_template(pki_tks)
-corenet_tcp_connect_pki_ca_port(pki_tks_t)
-
-# forward proxy
-corenet_tcp_connect_pki_tks_port(httpd_t)
-
# needed for token enrollment, list /var/cache/tomcat5/temp
-files_list_var(pki_tks_t)
+files_list_var(pki_tomcat_t)
attribute pki_tps_config;
attribute pki_tps_executable;
@@ -116,26 +73,6 @@ files_type(pki_tps_tomcat_exec_t)
pki_tps_template(pki_tps)
-#interprocess communication on process shutdown
-allow pki_ca_t pki_kra_t:process signull;
-allow pki_ca_t pki_ocsp_t:process signull;
-allow pki_ca_t pki_tks_t:process signull;
-
-allow pki_kra_t pki_ca_t:process signull;
-allow pki_kra_t pki_ocsp_t:process signull;
-allow pki_kra_t pki_tks_t:process signull;
-
-allow pki_ocsp_t pki_ca_t:process signull;
-allow pki_ocsp_t pki_kra_t:process signull;
-allow pki_ocsp_t pki_tks_t:process signull;
-
-allow pki_tks_t pki_ca_t:process signull;
-allow pki_tks_t pki_kra_t:process signull;
-allow pki_tks_t pki_ocsp_t:process signull;
-
-#allow httpd_t pki_tks_tomcat_exec_t:process signull;
-#allow httpd_t pki_tks_var_lib_t:process signull;
-
# start up httpd in pki_tps_t mode
can_exec(pki_tps_t, httpd_config_t)
allow pki_tps_t httpd_exec_t:file entrypoint;
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 2af431121..1ef05ccb0 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -719,7 +719,7 @@ This package is a part of the PKI Core used by the Certificate System.
%setup -q -n %{name}-%{version}%{?prerel}
%if 0%{?fedora} >= 17
-%patch1 -p2 -b .f17
+# %patch1 -p2 -b .f17
%else
%if 0%{?fedora} >= 16
%patch0 -p2 -b .f16
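Review bot: Prefixing `%patch1 -p2 -b .f17` with `#` does not disable it: rpmbuild expands macros inside comments (and warns "Macro expanded in comment"), and `%patch` expands to a multi-line shell snippet of which only the first line stays commented, so the f17 patch can still be applied during `%prep`. Either delete the line or neutralise the macro with `# %%patch1 -p2 -b .f17`.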