Diffstat (limited to 'base/deploy/src')
-rw-r--r--base/deploy/src/scriptlets/initialization.py5
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py12
-rw-r--r--base/deploy/src/scriptlets/pkihelper.py52
-rw-r--r--base/deploy/src/scriptlets/pkimessages.py2
-rw-r--r--base/deploy/src/scriptlets/selinux_setup.py107
5 files changed, 178 insertions, 0 deletions
diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py
index cc516532e..368cf2595 100644
--- a/base/deploy/src/scriptlets/initialization.py
+++ b/base/deploy/src/scriptlets/initialization.py
@@ -50,6 +50,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.configuration_file.verify_sensitive_data()
# verify existence of MUTUALLY EXCLUSIVE configuration file data
util.configuration_file.verify_mutually_exclusive_data()
+ # verify selinux context of selected ports
+ util.configuration_file.populate_non_default_ports()
+ util.configuration_file.verify_selinux_ports()
return self.rv
def respawn(self):
@@ -80,6 +83,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# establish 'uid' and 'gid'
util.identity.set_uid(master['pki_user'])
util.identity.set_gid(master['pki_group'])
+ # get ports to remove selinux context
+ util.configuration_file.populate_non_default_ports()
# ALWAYS Stop this Apache/Tomcat PKI Process
util.systemd.stop()
return self.rv
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index fc8ddac90..e300c1ea7 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -79,6 +79,11 @@ PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE = "pkideployment.cfg"
PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE =\
"/usr/share/pki/deployment/config/pkislots.cfg"
+# default ports (for defined selinux policy)
+PKI_DEPLOYMENT_DEFAULT_HTTP_PORT = 8080
+PKI_DEPLOYMENT_DEFAULT_HTTPS_PORT = 8443
+PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT = 8005
+PKI_DEPLOYMENT_DEFAULT_AJP_PORT = 8009
# PKI Deployment Jython 2.2 Constants
PKI_JYTHON_CRITICAL_LOG_LEVEL = 1
@@ -174,3 +179,10 @@ pki_subsystem_dict = None
pki_master_dict = None
pki_slots_dict = None
pki_master_jython_dict = None
+
+# PKI Selinux Constants and parameters
+PKI_INSTANCE_SELINUX_CONTEXT = "pki_tomcat_var_lib_t"
+PKI_LOG_SELINUX_CONTEXT = "pki_tomcat_log_t"
+PKI_CFG_SELINUX_CONTEXT = "pki_tomcat_etc_rw_t"
+PKI_PORT_SELINUX_CONTEXT = "pki_tomcat_port_t"
+pki_selinux_config_ports = []
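Review bot: `pki_selinux_config_ports = []` is imported under an alias elsewhere in this commit (`from pkiconfig import pki_selinux_config_ports as ports` in pkihelper.py and selinux_setup.py), so the sharing only works as long as every user mutates the list in place and nobody rebinds the module attribute. That constraint is not stated next to the definition. A one-line comment would protect the next maintainer: `# shared mutable list: importers alias it, so only append()/remove() in place — never rebind it`.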
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index 7de6502a2..1ceb65898 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -35,6 +35,7 @@ from grp import getgrnam
from pwd import getpwnam
from pwd import getpwuid
import zipfile
+import seobject
# PKI Deployment Imports
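Review bot: `import seobject` is added unconditionally at module level in pkihelper.py, which is imported by every scriptlet, so the whole deployment helper presumably fails to import on a host where the SELinux python bindings are absent or SELinux is not in use — the port verification itself already short-circuits on an empty port list, so a failing import is a harder failure than the feature needs. Consider importing it lazily inside `verify_selinux_ports()`, or guarding the import and reporting a clear error there rather than at import time. The same consideration applies to the `seobject`/`selinux` imports in the new selinux_setup.py.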
@@ -42,6 +43,7 @@ import pkiconfig as config
from pkiconfig import pki_master_dict as master
from pkiconfig import pki_sensitive_dict as sensitive
from pkiconfig import pki_slots_dict as slots
+from pkiconfig import pki_selinux_config_ports as ports
import pkimanifest as manifest
import pkimessages as log
@@ -403,6 +405,56 @@ class configuration_file:
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
+ def populate_non_default_ports(self):
+ if master['pki_http_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_HTTP_PORT:
+ ports.append(master['pki_http_port'])
+ if master['pki_https_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_HTTPS_PORT:
+ ports.append(master['pki_https_port'])
+ if master['pki_tomcat_server_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT:
+ ports.append(master['pki_tomcat_server_port'])
+ if master['pki_ajp_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_AJP_PORT:
+ ports.append(master['pki_ajp_port'])
+ return
+
+ def verify_selinux_ports(self):
+ # Determine which ports still need to be labelled, and if any are
+ # incorrectly labelled
+ if len(ports) == 0:
+ return
+
+ portrecs = seobject.portRecords().get_all()
+ portlist = ports[:]
+ for port in portlist:
+ context = ""
+ for i in portrecs:
+ if portrecs[i][0] == "unreserved_port_t" or \
+ portrecs[i][0] == "reserved_port_t" or \
+ i[2] != "tcp":
+ continue
+ if i[0] <= int(port) and int(port) <= i[1]:
+ context = portrecs[i][0]
+ break
+ if context == "":
+ # port has no current context
+ # leave it in list of ports to set
+ continue
+ elif context == config.PKI_PORT_SELINUX_CONTEXT:
+ # port is already set correctly
+ # remove from list of ports to set
+ ports.remove(port)
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT,
+ port, context,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ return
+
+
# PKI Deployment XML File Class
#class xml_file:
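Review bot: The four comparisons in `populate_non_default_ports()` test `master['pki_*_port'] != <int constant>`, but `verify_selinux_ports()` below calls `int(port)` on the very same values, which suggests they are strings read from the deployment config; if so, a string never equals an int, every port is treated as non-default, and the default ports end up in the list too. The method also appends to the module-level `ports` list without checking for duplicates, so a second call in the same process (it is invoked from both the spawn and the destroy paths in initialization.py) would accumulate repeated entries. Comparing through `int()` and skipping values already present fixes both; `verify_selinux_ports()` could likewise hoist `int(port)` out of the inner loop. The enclosing `configuration_file` class starts outside the hunk.
```python
    def populate_non_default_ports(self):
        # master[] values come from the deployment config and are compared
        # as ints here (verify_selinux_ports() already calls int(port) on them);
        # the target list is module-level and shared, so do not add duplicates
        candidates = (
            ('pki_http_port', config.PKI_DEPLOYMENT_DEFAULT_HTTP_PORT),
            ('pki_https_port', config.PKI_DEPLOYMENT_DEFAULT_HTTPS_PORT),
            ('pki_tomcat_server_port',
             config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT),
            ('pki_ajp_port', config.PKI_DEPLOYMENT_DEFAULT_AJP_PORT),
        )
        for key, default in candidates:
            port = master[key]
            if int(port) != default and port not in ports:
                ports.append(port)
        return

    # … unchanged: verify_selinux_ports …
```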
diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
index d1326edb3..e4da468c1 100644
--- a/base/deploy/src/scriptlets/pkimessages.py
+++ b/base/deploy/src/scriptlets/pkimessages.py
@@ -163,6 +163,8 @@ PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ."
PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ."
PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s"
PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s"
+PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = "port %s has invalid selinux "\
+ "context %s"
PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\
"jython %s %s <master_dictionary>'"
PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory"
diff --git a/base/deploy/src/scriptlets/selinux_setup.py b/base/deploy/src/scriptlets/selinux_setup.py
new file mode 100644
index 000000000..38cc17f0a
--- /dev/null
+++ b/base/deploy/src/scriptlets/selinux_setup.py
@@ -0,0 +1,107 @@
+#!/usr/bin/python -t
+# Authors:
+# Ade Lee <alee@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+from pkiconfig import pki_selinux_config_ports as ports
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+import seobject
+import selinux
+
+# PKI Deployment Selinux Setup Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+ suffix = "(/.*)?"
+
+ def restore_context(self):
+ selinux.restorecon(master['pki_instance_path'], True)
+ selinux.restorecon(master['pki_instance_log_path'], True)
+ selinux.restorecon(master['pki_instance_configuration_path'], True)
+
+ def spawn(self):
+ config.pki_log.info(log.SUBSYSTEM_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+
+ # check first if any transactions are required
+ if len(ports) == 0 and master['pki_instance_name'] == \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ self.restore_context()
+ return self.rv
+
+ trans = seobject.semanageRecords("targeted")
+ trans.start()
+ if master['pki_instance_name'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ fcon1 = seobject.fcontextRecords()
+ fcon1.add(master['pki_instance_path'] + self.suffix,
+ config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "")
+
+ fcon2 = seobject.fcontextRecords()
+ fcon2.add(master['pki_instance_log_path'] + self.suffix,
+ config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "")
+
+ fcon3 = seobject.fcontextRecords()
+ fcon3.add(master['pki_instance_configuration_path'] + self.suffix,
+ config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "")
+ for port in ports:
+ port1 = seobject.portRecords()
+ port1.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT)
+ trans.finish()
+
+ self.restore_context()
+ return self.rv
+
+ def respawn(self):
+ config.pki_log.info(log.SUBSYSTEM_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ self.restore_context()
+ return self.rv
+
+ def destroy(self):
+ config.pki_log.info(log.SUBSYSTEM_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+
+ # check first if any transactions are required
+ if len(ports) == 0 and master['pki_instance_name'] == \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ return self.rv
+
+ trans = seobject.semanageRecords("targeted")
+ trans.start()
+ if master['pki_instance_name'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ fcon1 = seobject.fcontextRecords()
+ fcon1.delete(master['pki_instance_path'] + self.suffix , "")
+
+ fcon2 = seobject.fcontextRecords()
+ fcon2.delete(master['pki_instance_log_path'] + self.suffix, "")
+
+ fcon3 = seobject.fcontextRecords()
+ fcon3.delete(master['pki_instance_configuration_path'] + \
+ self.suffix, "")
+ for port in ports:
+ port1 = seobject.portRecords()
+ port1.delete(port, "tcp")
+ trans.finish()
+ return self.rv
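Review bot: In both `spawn()` and `destroy()` the semanage transaction opened by `trans.start()` is only closed by the `trans.finish()` at the end of the straight-line sequence of `add()`/`delete()` calls; if any of them raises (for example a file-context or port record that already exists), the exception propagates with the transaction still open, nothing is logged through `config.pki_log` the way the rest of the scriptlet reports problems, and `self.rv` never reflects the failure. Wrap the record operations in `try`/`except`, log the failure at `PKI_INDENTATION_LEVEL_2` and re-raise (or set a non-zero `rv`), and only call `trans.finish()` on the success path so a partial set of labels is never committed. Separately, `destroy()` deletes the `tcp` port label for every entry in `ports` after only `populate_non_default_ports()` has run (initialization.py calls no verification on that path), so if two instances on the same host share a non-default port, destroying one appears to strip `pki_tomcat_port_t` from a port the other still needs — worth confirming and, if so, checking the port's current label before deleting it. The three separate `fcontextRecords()` instances per method could also be a single `fcon = seobject.fcontextRecords()` reused for all three paths.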