From 5fd74e0e0c9407306e99ef4fd2e776cb911ee94a Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Tue, 10 Jul 2012 11:50:59 -0400 Subject: Selinux policy for new configuration. Added tomcat_t for java processes. Added aliases for old types to allow compatibility of existng subsystems. Added install scripts for pkispawn and pkidestroy --- base/deploy/CMakeLists.txt | 11 ++ base/deploy/scripts/operations | 2 +- base/deploy/src/scriptlets/initialization.py | 5 + base/deploy/src/scriptlets/pkiconfig.py | 12 ++ base/deploy/src/scriptlets/pkihelper.py | 52 ++++++ base/deploy/src/scriptlets/pkimessages.py | 2 + base/deploy/src/scriptlets/selinux_setup.py | 107 ++++++++++++ base/selinux/src/pki.fc | 125 ++++---------- base/selinux/src/pki.if | 243 ++++++--------------------- base/selinux/src/pki.te | 119 +++---------- specs/pki-core.spec | 2 +- 11 files changed, 310 insertions(+), 370 deletions(-) create mode 100644 base/deploy/src/scriptlets/selinux_setup.py diff --git a/base/deploy/CMakeLists.txt b/base/deploy/CMakeLists.txt index c7c4bd19b..666a7704d 100644 --- a/base/deploy/CMakeLists.txt +++ b/base/deploy/CMakeLists.txt @@ -83,6 +83,7 @@ install( src/scriptlets/pkiparser.py src/scriptlets/pkiscriptlet.py src/scriptlets/security_databases.py + src/scriptlets/selinux_setup.py src/scriptlets/slot_substitution.py src/scriptlets/subsystem_layout.py src/scriptlets/war_explosion.py @@ -141,6 +142,11 @@ foreach(TOMCAT_SUBSYSTEM ${TOMCAT_SUBSYSTEMS}) \"${PYTHON_SITE_PACKAGES}/pki/deployment/subsystem_layout.py\" \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/030_subsystem_layout\")" ) + install(CODE "execute_process(COMMAND + ${CMAKE_COMMAND} -E create_symlink + \"${PYTHON_SITE_PACKAGES}/pki/deployment/selinux_setup.py\" + \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/035_selinux_setup\")" + ) install(CODE "execute_process(COMMAND ${CMAKE_COMMAND} -E create_symlink \"${PYTHON_SITE_PACKAGES}/pki/deployment/war_explosion.py\" 
@@ -209,6 +215,11 @@ foreach(TOMCAT_SUBSYSTEM ${TOMCAT_SUBSYSTEMS})
 \"${PYTHON_SITE_PACKAGES}/pki/deployment/instance_layout.py\"
 \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/980_instance_layout\")"
 )
+ install(CODE "execute_process(COMMAND
+ ${CMAKE_COMMAND} -E create_symlink
+ \"${PYTHON_SITE_PACKAGES}/pki/deployment/selinux_setup.py\"
+ \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/985_selinux_setup\")"
+ )
 install(CODE "execute_process(COMMAND
 ${CMAKE_COMMAND} -E create_symlink
 \"${PYTHON_SITE_PACKAGES}/pki/deployment/infrastructure_layout.py\"
diff --git a/base/deploy/scripts/operations b/base/deploy/scripts/operations
index ea7527f31..a2f88b30d 100644
--- a/base/deploy/scripts/operations
+++ b/base/deploy/scripts/operations
@@ -790,7 +790,7 @@ start_instance()
 # with programmatic replacement of either
 # 'pki_tomcat_script_t' or 'pki_apache_script_t', AND
 # (2) MUST currently be run with SELinux in 'Permissive' mode!
- /usr/bin/runcon -t pki_ca_script_t \
+ /usr/bin/runcon -t pki_tomcat_script_t \
 $PKI_INSTANCE_INITSCRIPT start
 rv=$?
 else
diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py
index cc516532e..368cf2595 100644
--- a/base/deploy/src/scriptlets/initialization.py
+++ b/base/deploy/src/scriptlets/initialization.py
@@ -50,6 +50,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 util.configuration_file.verify_sensitive_data()
 # verify existence of MUTUALLY EXCLUSIVE configuration file data
 util.configuration_file.verify_mutually_exclusive_data()
+ # verify selinux context of selected ports
+ util.configuration_file.populate_non_default_ports()
+ util.configuration_file.verify_selinux_ports()
 return self.rv
 def respawn(self):
@@ -80,6 +83,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 # establish 'uid' and 'gid'
 util.identity.set_uid(master['pki_user'])
 util.identity.set_gid(master['pki_group'])
+ # get ports to remove selinux context
+ util.configuration_file.populate_non_default_ports()
 # ALWAYS Stop this Apache/Tomcat PKI Process
 util.systemd.stop()
 return self.rv
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index fc8ddac90..e300c1ea7 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -79,6 +79,11 @@ PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE = "pkideployment.cfg"
 PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE =\
 "/usr/share/pki/deployment/config/pkislots.cfg"
+# default ports (for defined selinux policy)
+PKI_DEPLOYMENT_DEFAULT_HTTP_PORT = 8080
+PKI_DEPLOYMENT_DEFAULT_HTTPS_PORT = 8443
+PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT = 8005
+PKI_DEPLOYMENT_DEFAULT_AJP_PORT = 8009
 # PKI Deployment Jython 2.2 Constants
 PKI_JYTHON_CRITICAL_LOG_LEVEL = 1
@@ -174,3 +179,10 @@ pki_subsystem_dict = None
 pki_master_dict = None
 pki_slots_dict = None
 pki_master_jython_dict = None
+
+# PKI Selinux Constants and parameters
+PKI_INSTANCE_SELINUX_CONTEXT = "pki_tomcat_var_lib_t"
+PKI_LOG_SELINUX_CONTEXT = "pki_tomcat_log_t"
+PKI_CFG_SELINUX_CONTEXT = "pki_tomcat_etc_rw_t"
+PKI_PORT_SELINUX_CONTEXT = "pki_tomcat_port_t"
+pki_selinux_config_ports = []
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index 7de6502a2..1ceb65898 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -35,6 +35,7 @@ from grp import getgrnam
 from pwd import getpwnam
 from pwd import getpwuid
 import zipfile
+import seobject
 # PKI Deployment Imports
@@ -42,6 +43,7 @@ import pkiconfig as config
 from pkiconfig import pki_master_dict as master
 from pkiconfig import pki_sensitive_dict as sensitive
 from pkiconfig import pki_slots_dict as slots
+from pkiconfig import pki_selinux_config_ports as ports
 import pkimanifest as manifest
 import pkimessages as log
@@ -403,6 +405,56 @@ class configuration_file:
 extra=config.PKI_INDENTATION_LEVEL_2)
 sys.exit(1)
+ def populate_non_default_ports(self):
+ if master['pki_http_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_HTTP_PORT:
+ ports.append(master['pki_http_port'])
+ if master['pki_https_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_HTTPS_PORT:
+ ports.append(master['pki_https_port'])
+ if master['pki_tomcat_server_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT:
+ ports.append(master['pki_tomcat_server_port'])
+ if master['pki_ajp_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_AJP_PORT:
+ ports.append(master['pki_ajp_port'])
+ return
+
+ def verify_selinux_ports(self):
+ # Determine which ports still need to be labelled, and if any are
+ # incorrectly labelled
+ if len(ports) == 0:
+ return
+
+ portrecs = seobject.portRecords().get_all()
+ portlist = ports[:]
+ for port in portlist:
+ context = ""
+ for i in portrecs:
+ if portrecs[i][0] == "unreserved_port_t" or \
+ portrecs[i][0] == "reserved_port_t" or \
+ i[2] != "tcp":
+ continue
+ if i[0] <= int(port) and int(port) <= i[1]:
+ context = portrecs[i][0]
+ break
+ if context == "":
+ # port has no current context
+ # leave it in list of ports to set
+ continue
+ elif context == config.PKI_PORT_SELINUX_CONTEXT:
+ # port is already set correctly
+ # remove from list of ports to set
+ ports.remove(port)
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT,
+ port, context,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ return
+
+
 # PKI Deployment XML File Class
 #class xml_file:
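Review bot: `populate_non_default_ports` compares `master['pki_http_port']` and the three other values against the integer constants `PKI_DEPLOYMENT_DEFAULT_*_PORT` with `!=`, yet `verify_selinux_ports` has to call `int(port)` on the very same values, which suggests they arrive from the configuration as strings; if so, `"8080" != 8080` is always true, every default port is queued for relabelling on every run, and `verify_selinux_ports` then likely finds whatever label the base policy already gives those ports and exits with PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT. Normalising once per check, `if int(master['pki_http_port']) != config.PKI_DEPLOYMENT_DEFAULT_HTTP_PORT:` (and likewise for the https, tomcat-server and ajp lines), removes the ambiguity. A smaller point: both functions work on the module-level `ports` list imported from pkiconfig, so a second call within one process (initialization.py calls `populate_non_default_ports` from both spawn and destroy) would append duplicates; a comment such as `# ports is module-level state shared with selinux_setup.py; populate it once per deployment run` above the def would make that contract explicit. The `configuration_file` class starts outside the hunk.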
diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
index d1326edb3..e4da468c1 100644
--- a/base/deploy/src/scriptlets/pkimessages.py
+++ b/base/deploy/src/scriptlets/pkimessages.py
@@ -163,6 +163,8 @@ PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ."
 PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ."
 PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s"
 PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s"
+PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = "port %s has invalid selinux "\
+ "context %s"
 PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\
 "jython %s %s '"
 PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory"
diff --git a/base/deploy/src/scriptlets/selinux_setup.py b/base/deploy/src/scriptlets/selinux_setup.py
new file mode 100644
index 000000000..38cc17f0a
--- /dev/null
+++ b/base/deploy/src/scriptlets/selinux_setup.py
@@ -0,0 +1,107 @@
+#!/usr/bin/python -t
+# Authors:
+# Ade Lee
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+from pkiconfig import pki_selinux_config_ports as ports
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+import seobject
+import selinux
+
+# PKI Deployment Selinux Setup Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+ suffix = "(/.*)?"
+
+ def restore_context(self):
+ selinux.restorecon(master['pki_instance_path'], True)
+ selinux.restorecon(master['pki_instance_log_path'], True)
+ selinux.restorecon(master['pki_instance_configuration_path'], True)
+
+ def spawn(self):
+ config.pki_log.info(log.SUBSYSTEM_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+
+ # check first if any transactions are required
+ if len(ports) == 0 and master['pki_instance_name'] == \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ self.restore_context()
+ return self.rv
+
+ trans = seobject.semanageRecords("targeted")
+ trans.start()
+ if master['pki_instance_name'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ fcon1 = seobject.fcontextRecords()
+ fcon1.add(master['pki_instance_path'] + self.suffix,
+ config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "")
+
+ fcon2 = seobject.fcontextRecords()
+ fcon2.add(master['pki_instance_log_path'] + self.suffix,
+ config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "")
+
+ fcon3 = seobject.fcontextRecords()
+ fcon3.add(master['pki_instance_configuration_path'] + self.suffix,
+ config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "")
+ for port in ports:
+ port1 = seobject.portRecords()
+ port1.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT)
+ trans.finish()
+
+ self.restore_context()
+ return self.rv
+
+ def respawn(self):
+ config.pki_log.info(log.SUBSYSTEM_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ self.restore_context()
+ return self.rv
+
+ def destroy(self):
+ config.pki_log.info(log.SUBSYSTEM_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+
+ # check first if any transactions are required
+ if len(ports) == 0 and master['pki_instance_name'] == \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ return self.rv
+
+ trans = seobject.semanageRecords("targeted")
+ trans.start()
+ if master['pki_instance_name'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ fcon1 = seobject.fcontextRecords()
+ fcon1.delete(master['pki_instance_path'] + self.suffix , "")
+
+ fcon2 = seobject.fcontextRecords()
+ fcon2.delete(master['pki_instance_log_path'] + self.suffix, "")
+
+ fcon3 = seobject.fcontextRecords()
+ fcon3.delete(master['pki_instance_configuration_path'] + \
+ self.suffix, "")
+ for port in ports:
+ port1 = seobject.portRecords()
+ port1.delete(port, "tcp")
+ trans.finish()
+ return self.rv
diff --git a/base/selinux/src/pki.fc b/base/selinux/src/pki.fc
index 3a22d86a4..fbc086fe0 100644
--- a/base/selinux/src/pki.fc
+++ b/base/selinux/src/pki.fc
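Review bot: The semanage transaction opened by `trans.start()` in `spawn` is unprotected: if any `fcontextRecords.add` or `portRecords.add` raises (seobject reports an already-defined record as `ValueError`), the exception escapes with the transaction still open and nothing logged, and the `delete` calls in `destroy` have the same problem, where a record that is already gone — for instance a re-run of pkidestroy after a partial failure — makes the whole destroy step fail. Catching the error around the add/delete block, logging it through `config.pki_log.error` and returning a non-zero `self.rv` leaves the policy store untouched and tells the operator why; the sketch below shows `spawn`, and `destroy` needs the same shape. Two smaller points: the store name `"targeted"` and the MLS range `"s0"` are hard-coded, which deserves a comment such as `# assumes the targeted policy store; an MLS system needs a real range here` next to `semanageRecords("targeted")`, and `restore_context` runs a recursive `restorecon` over the instance, log and configuration trees without checking `selinux.is_selinux_enabled()` first.
```python
        trans = seobject.semanageRecords("targeted")
        trans.start()
        try:
            # … unchanged: fcontext add calls for a non-default instance name …
            # … unchanged: port add loop …
            trans.finish()
        except ValueError as exc:
            # nothing has been committed; report why and fail the scriptlet
            config.pki_log.error(str(exc),
                                 extra=config.PKI_INDENTATION_LEVEL_2)
            self.rv = 1
            return self.rv

        self.restore_context()
        return self.rv
```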
@@ -1,91 +1,40 @@ - -/usr/bin/dtomcat5-pki-ca -- gen_context(system_u:object_r:pki_ca_exec_t,s0) - -/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0) -/etc/pki-ca/tomcat5.conf -- gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0) - -/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_var_lib_t,s0) - -/var/run/pki-ca.pid gen_context(system_u:object_r:pki_ca_var_run_t,s0) - -/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_log_t,s0) - -/usr/bin/dtomcat5-pki-kra -- gen_context(system_u:object_r:pki_kra_exec_t,s0) - -/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0) -/etc/pki-kra/tomcat5.conf -- gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0) - -/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_var_lib_t,s0) - -/var/run/pki-kra.pid gen_context(system_u:object_r:pki_kra_var_run_t,s0) - -/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_log_t,s0) - -/usr/bin/dtomcat5-pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_exec_t,s0) - -/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0) -/etc/pki-ocsp/tomcat5.conf -- gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0) - -/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_lib_t,s0) - -/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_ocsp_var_run_t,s0) - -/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_log_t,s0) - -/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) -/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) -/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0) -/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0) - - -/usr/bin/dtomcat5-pki-tks -- gen_context(system_u:object_r:pki_tks_exec_t,s0) - -/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0) -/etc/pki-tks/tomcat5.conf -- gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0) - -/var/lib/pki-tks(/.*)? 
gen_context(system_u:object_r:pki_tks_var_lib_t,s0) - -/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tks_var_run_t,s0) - -/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_log_t,s0) - -/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) -/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0) -/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0) +/etc/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) +/var/lib/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) +/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) +/var/log/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) +/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) +/var/log/pki gen_context(system_u:object_r:pki_log_t,s0) + +/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) +/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) +/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0) +/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0) +/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0) +/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) + +/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) +/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0) +/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0) +/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0) +/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) # default labeling for nCipher -/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0) -/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0) -/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0) -/dev/nfast(/.*)? 
gen_context(system_u:object_r:pki_common_dev_t, s0) - -# labeling for new CA under pki-cad - -/var/run/pki/ca(/.*)? gen_context(system_u:object_r:pki_ca_var_run_t,s0) -/etc/sysconfig/pki/ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0) - -# labeling for new KRA under pki-krad - -/var/run/pki/kra(/.*)? gen_context(system_u:object_r:pki_kra_var_run_t,s0) -/etc/sysconfig/pki/kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0) - -# labeling for new OCSP under pki-ocspd - -/var/run/pki/ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_run_t,s0) -/etc/sysconfig/pki/ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0) - -# labeling for new TKS under pki-tksd - -/var/run/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_var_run_t,s0) -/etc/sysconfig/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0) - -# labeling for new RA under pki-rad - -/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0) -/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) - -# labeling for new TPS under pki-tpsd - -/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0) -/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) +/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0) +/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0) +/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0) +/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0) + +# old paths (for migration) +/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) +/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) +/var/run/pki-ca.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) +/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) +/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) +/var/lib/pki-kra(/.*)? 
gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) +/var/run/pki-kra.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) +/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) +/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) +/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) +/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) +/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if index 0709176ea..b8c521a79 100644 --- a/base/selinux/src/pki.if +++ b/base/selinux/src/pki.if @@ -12,24 +12,26 @@ ## ## # -template(`pki_ca_template',` +template(`pki_tomcat_template',` gen_require(` - attribute pki_ca_process; - attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run; - attribute pki_ca_executable, pki_ca_script, pki_ca_var_log; - type pki_ca_tomcat_exec_t; + attribute pki_tomcat_process; + attribute pki_tomcat_config, pki_tomcat_var_lib, pki_tomcat_var_run; + attribute pki_tomcat_executable, pki_tomcat_script, pki_tomcat_var_log; + type pki_tomcat_tomcat_exec_t; + type tomcat_exec_t; type $1_port_t; type rpm_var_lib_t; type rpm_exec_t; type setfiles_t; + type load_policy_t; ') ######################################## # # Declarations # - type $1_t, pki_ca_process; - type $1_exec_t, pki_ca_executable; + type $1_t, pki_tomcat_process; + type $1_exec_t, pki_tomcat_executable; domain_type($1_t) init_daemon_domain($1_t, $1_exec_t) 
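Review bot: The `# old paths (for migration)` block relabels the legacy CA, KRA and OCSP trees (`/etc/pki-ca(/.*)?`, `/var/lib/pki-kra(/.*)?`, ...) to the `pki_tomcat_*` types, but the legacy TKS entries removed at the top of the hunk (`/etc/pki-tks(/.*)?`, `/var/lib/pki-tks(/.*)?`, `/var/run/pki-tks.pid`, `/var/log/pki-tks(/.*)?`, plus `/var/run/pki/tks` and `/etc/sysconfig/pki/tks`) get no replacement, even though the typealias hunk in pki.te still lists `pki_tks_t`, `pki_tks_etc_rw_t` and friends as aliases of the tomcat types; after a relabel an existing TKS instance would presumably fall back to the generic `/etc`, `/var/lib` and `/var/log` labels that `pki_tomcat_t` cannot use. Either add the TKS lines alongside the CA/KRA/OCSP ones or say in the comment that TKS migration is intentionally unsupported. It would also help to annotate `/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)`: it deliberately carries no `(/.*)?`, so only the directory itself becomes `pki_log_t` and the per-instance `pki_tomcat_log_t` entries below it still win, e.g. `# directory only: instance logs beneath it keep their own types`.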
@@ -45,16 +47,16 @@ template(`pki_ca_template',` allow $1_t java_exec_t:file entrypoint; allow initrc_t $1_script_t:process transition; - type $1_etc_rw_t, pki_ca_config; + type $1_etc_rw_t, pki_tomcat_config; files_type($1_etc_rw_t) - type $1_var_run_t, pki_ca_var_run; + type $1_var_run_t, pki_tomcat_var_run; files_pid_file($1_var_run_t) - type $1_var_lib_t, pki_ca_var_lib; + type $1_var_lib_t, pki_tomcat_var_lib; files_type($1_var_lib_t) - type $1_log_t, pki_ca_var_log; + type $1_log_t, pki_tomcat_var_log; logging_log_file($1_log_t) ######################################## @@ -195,6 +197,25 @@ template(`pki_ca_template',` # tomcat connects to ephemeral ports on shutdown corenet_tcp_connect_all_unreserved_ports($1_t) + # new tomcat perms for dogtag 10 + allow $1_t pki_tomcat_var_run_t:lnk_file read; + can_exec($1_t, tomcat_exec_t) + consoletype_exec($1_t) + fs_getattr_xattr_fs($1_t) + fs_read_hugetlbfs_files($1_t) + hostname_exec($1_t) + miscfiles_read_hwdata($1_t) + allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override }; + allow $1_t self:netlink_audit_socket { nlmsg_relay create write read}; + kernel_read_kernel_sysctls($1_t) + selinux_get_enforce_mode($1_t) + dirsrv_manage_var_lib($1_t) + + # write to /var/log/pki for spawn and destroy + allow $1_t pki_log_t:dir {getattr search}; + allow load_policy_t pki_log_t:file write; + allow setfiles_t pki_log_t:file write; + optional_policy(` #This is broken in selinux-policy we need java_exec defined, Will add to policy gen_require(` 
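Review bot: The `# new tomcat perms for dogtag 10` block grants `$1_t` `self:capability { setuid chown setgid fowner audit_write dac_override }` and `dirsrv_manage_var_lib($1_t)` without saying which operation needs each one; `dac_override` lets the Tomcat domain bypass file-mode checks on every object its type rules reach and frequently masks an ownership mistake in the install layout, and manage rights over the directory server's /var/lib tree are broader than a PKI web application should normally need. A why-comment per rule, e.g. `# setuid/setgid: needed when tomcat changes to pki_user at startup (verify against the recorded denials)`, and a check whether `dirsrv_manage_var_lib` can be narrowed to the files actually touched would make the grant reviewable. The `allow load_policy_t pki_log_t:file write;` and `allow setfiles_t pki_log_t:file write;` rules do not depend on `$1`, so they read better as module-level rules in pki.te than inside the per-instance template. The template body continues outside the hunk.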
@@ -211,59 +232,7 @@ template(`pki_ca_template',` ######################################## ## ## All of the rules required to administrate -## an pki_ca environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -## -## The type of the user terminal. -## -## -## -# -interface(`pki_ca_admin',` - gen_require(` - type pki_ca_tomcat_exec_t; - attribute pki_ca_process; - attribute pki_ca_config; - attribute pki_ca_executable; - attribute pki_ca_var_lib; - attribute pki_ca_var_log; - attribute pki_ca_var_run; - attribute pki_ca_pidfiles; - attribute pki_ca_script; - ') - - allow $1 pki_ca_process:process { ptrace signal_perms }; - ps_process_pattern($1, pki_ca_t) - - # Allow pki_ca_t to restart the service - pki_ca_script_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 pki_ca_script system_r; - allow $2 system_r; - - manage_all_pattern($1, pki_ca_config) - manage_all_pattern($1, pki_ca_var_run) - manage_all_pattern($1, pki_ca_var_lib) - manage_all_pattern($1, pki_ca_var_log) - manage_all_pattern($1, pki_ca_config) - manage_all_pattern($1, pki_ca_tomcat_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an pki_kra environment +## an pki_tomcat environment ## ## ## 
@@ -282,86 +251,34 @@ interface(`pki_ca_admin',` ## ## # -interface(`pki_kra_admin',` +interface(`pki_tomcat_admin',` gen_require(` - type pki_kra_tomcat_exec_t; - attribute pki_kra_process; - attribute pki_kra_config; - attribute pki_kra_executable; - attribute pki_kra_var_lib; - attribute pki_kra_var_log; - attribute pki_kra_var_run; - attribute pki_kra_pidfiles; - attribute pki_kra_script; + type pki_tomcat_tomcat_exec_t; + attribute pki_tomcat_process; + attribute pki_tomcat_config; + attribute pki_tomcat_executable; + attribute pki_tomcat_var_lib; + attribute pki_tomcat_var_log; + attribute pki_tomcat_var_run; + attribute pki_tomcat_pidfiles; + attribute pki_tomcat_script; ') - allow $1 pki_kra_process:process { ptrace signal_perms }; - ps_process_pattern($1, pki_kra_t) + allow $1 pki_tomcat_process:process { ptrace signal_perms }; + ps_process_pattern($1, pki_tomcat_t) - # Allow pki_kra_t to restart the service - pki_kra_script_domtrans($1) + # Allow pki_tomcat_t to restart the service + pki_tomcat_script_domtrans($1) domain_system_change_exemption($1) - role_transition $2 pki_kra_script system_r; + role_transition $2 pki_tomcat_script system_r; allow $2 system_r; - manage_all_pattern($1, pki_kra_config) - manage_all_pattern($1, pki_kra_var_run) - manage_all_pattern($1, pki_kra_var_lib) - manage_all_pattern($1, pki_kra_var_log) - manage_all_pattern($1, pki_kra_config) - manage_all_pattern($1, pki_kra_tomcat_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an pki_ocsp environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -## -## The type of the user terminal. 
-## -## -## -# -interface(`pki_ocsp_admin',` - gen_require(` - type pki_ocsp_tomcat_exec_t; - attribute pki_ocsp_process; - attribute pki_ocsp_config; - attribute pki_ocsp_executable; - attribute pki_ocsp_var_lib; - attribute pki_ocsp_var_log; - attribute pki_ocsp_var_run; - attribute pki_ocsp_pidfiles; - attribute pki_ocsp_script; - ') - - allow $1 pki_ocsp_process:process { ptrace signal_perms }; - ps_process_pattern($1, pki_ocsp_t) - - # Allow pki_ocsp_t to restart the service - pki_ocsp_script_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 pki_ocsp_script system_r; - allow $2 system_r; - - manage_all_pattern($1, pki_ocsp_config) - manage_all_pattern($1, pki_ocsp_var_run) - manage_all_pattern($1, pki_ocsp_var_lib) - manage_all_pattern($1, pki_ocsp_var_log) - manage_all_pattern($1, pki_ocsp_config) - manage_all_pattern($1, pki_ocsp_tomcat_exec_t) + manage_all_pattern($1, pki_tomcat_config) + manage_all_pattern($1, pki_tomcat_var_run) + manage_all_pattern($1, pki_tomcat_var_lib) + manage_all_pattern($1, pki_tomcat_var_log) + manage_all_pattern($1, pki_tomcat_config) + manage_all_pattern($1, pki_tomcat_tomcat_exec_t) ') ######################################## 
@@ -624,58 +541,6 @@ interface(`pki_ra_admin',` manage_all_pattern($1, pki_ra_config) ') -######################################## -## -## All of the rules required to administrate -## an pki_tks environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -## -## The type of the user terminal. -## -## -## -# -interface(`pki_tks_admin',` - gen_require(` - type pki_tks_tomcat_exec_t; - attribute pki_tks_process; - attribute pki_tks_config; - attribute pki_tks_executable; - attribute pki_tks_var_lib; - attribute pki_tks_var_log; - attribute pki_tks_var_run; - attribute pki_tks_pidfiles; - attribute pki_tks_script; - ') - - allow $1 pki_tks_process:process { ptrace signal_perms }; - ps_process_pattern($1, pki_tks_t) - - # Allow pki_tks_t to restart the service - pki_tks_script_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 pki_tks_script system_r; - allow $2 system_r; - - manage_all_pattern($1, pki_tks_config) - manage_all_pattern($1, pki_tks_var_run) - manage_all_pattern($1, pki_tks_var_lib) - manage_all_pattern($1, pki_tks_var_log) - manage_all_pattern($1, pki_tks_config) - manage_all_pattern($1, pki_tks_tomcat_exec_t) -') - ######################################## ## ## Execute pki_tps server in the pki_tps domain. diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te index 7f6e65738..a91385ff2 100644 --- a/base/selinux/src/pki.te +++ b/base/selinux/src/pki.te 
@@ -1,13 +1,16 @@
-policy_module(pki,10.0.2)
+policy_module(pki,10.0.5)
-attribute pki_ca_config;
-attribute pki_ca_executable;
-attribute pki_ca_var_lib;
-attribute pki_ca_var_log;
-attribute pki_ca_var_run;
-attribute pki_ca_pidfiles;
-attribute pki_ca_script;
-attribute pki_ca_process;
+attribute pki_tomcat_config;
+attribute pki_tomcat_executable;
+attribute pki_tomcat_var_lib;
+attribute pki_tomcat_var_log;
+attribute pki_tomcat_var_run;
+attribute pki_tomcat_pidfiles;
+attribute pki_tomcat_script;
+attribute pki_tomcat_process;
+
+type pki_log_t;
+files_type(pki_log_t)
 type pki_common_t;
 files_type(pki_common_t)
@@ -15,57 +18,29 @@ files_type(pki_common_t) type pki_common_dev_t; files_type(pki_common_dev_t) -type pki_ca_tomcat_exec_t; -files_type(pki_ca_tomcat_exec_t) +type pki_tomcat_tomcat_exec_t; +files_type(pki_tomcat_tomcat_exec_t) -pki_ca_template(pki_ca) -corenet_tcp_connect_pki_kra_port(pki_ca_t) -corenet_tcp_connect_pki_ocsp_port(pki_ca_t) +type pki_tomcat_port_t; +corenet_port(pki_tomcat_port_t) +pki_tomcat_template(pki_tomcat) # forward proxy -corenet_tcp_connect_pki_ca_port(httpd_t) +# need to define ports to fix this +#corenet_tcp_connect_pki_tomcat_port(httpd_t) # for crl publishing -allow pki_ca_t pki_ca_var_lib_t:lnk_file { rename create unlink }; +allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink }; # for ECC -auth_getattr_shadow(pki_ca_t) - -attribute pki_kra_config; -attribute pki_kra_executable; -attribute pki_kra_var_lib; -attribute pki_kra_var_log; -attribute pki_kra_var_run; -attribute pki_kra_pidfiles; -attribute pki_kra_script; -attribute pki_kra_process; - -type pki_kra_tomcat_exec_t; -files_type(pki_kra_tomcat_exec_t) - -pki_ca_template(pki_kra) -corenet_tcp_connect_pki_ca_port(pki_kra_t) - -# forward proxy -corenet_tcp_connect_pki_kra_port(httpd_t) - -attribute pki_ocsp_config; -attribute pki_ocsp_executable; -attribute pki_ocsp_var_lib; -attribute pki_ocsp_var_log; -attribute pki_ocsp_var_run; -attribute pki_ocsp_pidfiles; -attribute pki_ocsp_script; -attribute pki_ocsp_process; - -type pki_ocsp_tomcat_exec_t; -files_type(pki_ocsp_tomcat_exec_t) +auth_getattr_shadow(pki_tomcat_t) -pki_ca_template(pki_ocsp) -corenet_tcp_connect_pki_ca_port(pki_ocsp_t) - -# forward proxy -corenet_tcp_connect_pki_ocsp_port(httpd_t) +# old type aliases for migration +typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t }; +typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t }; +typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t 
pki_tks_var_lib_t }; +typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t }; +typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t }; attribute pki_ra_config; attribute pki_ra_executable; @@ -81,26 +56,8 @@ files_type(pki_ra_tomcat_exec_t) pki_ra_template(pki_ra) -attribute pki_tks_config; -attribute pki_tks_executable; -attribute pki_tks_var_lib; -attribute pki_tks_var_log; -attribute pki_tks_var_run; -attribute pki_tks_pidfiles; -attribute pki_tks_script; -attribute pki_tks_process; - -type pki_tks_tomcat_exec_t; -files_type(pki_tks_tomcat_exec_t) - -pki_ca_template(pki_tks) -corenet_tcp_connect_pki_ca_port(pki_tks_t) - -# forward proxy -corenet_tcp_connect_pki_tks_port(httpd_t) - # needed for token enrollment, list /var/cache/tomcat5/temp -files_list_var(pki_tks_t) +files_list_var(pki_tomcat_t) attribute pki_tps_config; attribute pki_tps_executable; @@ -116,26 +73,6 @@ files_type(pki_tps_tomcat_exec_t) pki_tps_template(pki_tps) -#interprocess communication on process shutdown -allow pki_ca_t pki_kra_t:process signull; -allow pki_ca_t pki_ocsp_t:process signull; -allow pki_ca_t pki_tks_t:process signull; - -allow pki_kra_t pki_ca_t:process signull; -allow pki_kra_t pki_ocsp_t:process signull; -allow pki_kra_t pki_tks_t:process signull; - -allow pki_ocsp_t pki_ca_t:process signull; -allow pki_ocsp_t pki_kra_t:process signull; -allow pki_ocsp_t pki_tks_t:process signull; - -allow pki_tks_t pki_ca_t:process signull; -allow pki_tks_t pki_kra_t:process signull; -allow pki_tks_t pki_ocsp_t:process signull; - -#allow httpd_t pki_tks_tomcat_exec_t:process signull; -#allow httpd_t pki_tks_var_lib_t:process signull; - # start up httpd in pki_tps_t mode can_exec(pki_tps_t, httpd_config_t) allow pki_tps_t httpd_exec_t:file entrypoint; diff --git a/specs/pki-core.spec b/specs/pki-core.spec index 2af431121..1ef05ccb0 100644 --- a/specs/pki-core.spec +++ b/specs/pki-core.spec 
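Review bot: `type pki_tomcat_port_t; corenet_port(pki_tomcat_port_t)` declares the port type, but nothing in the module binds it to a port number and the forward-proxy rule beneath it is left commented out as `#corenet_tcp_connect_pki_tomcat_port(httpd_t)` with `# need to define ports to fix this`, so after this commit `httpd_t` has no rule allowing it to connect to the Tomcat ports that selinux_setup.py labels at runtime. If the Apache forward proxy is meant to keep working, an interface of the removed `corenet_tcp_connect_pki_ca_port` shape built on `pki_tomcat_port_t` (in its simplest form `allow httpd_t pki_tomcat_port_t:tcp_socket name_connect;`) is needed; otherwise the comment should state plainly that the proxy path is known to be denied until the port interface exists. The removed per-subsystem `signull` rules and cross-port connects are consistent with the single `pki_tomcat_t` domain, but a one-line comment above `pki_tomcat_template(pki_tomcat)` saying that CA, KRA, OCSP and TKS now share one domain would spare the next reader the diff archaeology.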
@@ -719,7 +719,7 @@ This package is a part of the PKI Core used by the Certificate System.
 %setup -q -n %{name}-%{version}%{?prerel}
 %if 0%{?fedora} >= 17
-%patch1 -p2 -b .f17
+# %patch1 -p2 -b .f17
 %else
 %if 0%{?fedora} >= 16
 %patch0 -p2 -b .f16
-- cgit
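Review bot: rpmbuild expands macros inside `#` comment lines as well, so `# %patch1 -p2 -b .f17` is not guaranteed to be inert — the `%patch1` expansion can still run or fail on a missing source. The conventional way to disable it is to escape the percent sign, `# %%patch1 -p2 -b .f17`, or to delete the line together with the corresponding `Patch1:` declaration so the patch is not carried in the source package for nothing.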