From cff349cd4d2175eb920f9cab4998b4c3bfd0550a Mon Sep 17 00:00:00 2001 
From: Ade Lee 
Date: Tue, 31 Jul 2012 00:45:47 -0400 
Subject: selinux policy changes to use standard ports 
Selinux policy has been changed to use standard tomcat ports. Corresponding changes have been made in the pki-deploy scripts. Minor change in config script for password check. 
---
 .../csadmin/SystemConfigurationResourceService.java | 2 +-
 base/deploy/src/scriptlets/pkiconfig.py | 2 +-
 base/deploy/src/scriptlets/pkihelper.py | 8 ++++----
 base/selinux/src/pki.if | 16 ++++++++++++----
 base/selinux/src/pki.te | 6 ++----
 5 files changed, 20 insertions(+), 14 deletions(-) 
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java 
index 7c0c14969..9747eb12c 100644 
--- a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java 
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java 
@@ -873,7 +873,7 @@ public class SystemConfigurationResourceService extends CMSResourceService imple
 throw new CMSException(Response.Status.BAD_REQUEST, "Invalid key backup file name");
 } 
- if ((data.getBackupPassword() == null) || (data.getBackupPassword().length()<=8)) { 
+ if ((data.getBackupPassword() == null) || (data.getBackupPassword().length()<8)) {
 throw new CMSException(Response.Status.BAD_REQUEST, "key backup password must be at least 8 characters");
 }
 } else { 
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py 
index 47ed16fc6..115e4327d 100644 
--- a/base/deploy/src/scriptlets/pkiconfig.py 
+++ b/base/deploy/src/scriptlets/pkiconfig.py 
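Review bot: The minimum length `8` is now written twice, in the changed condition and in the message on the line below it, so a later change to one of them silently desynchronises the other; hoist it into a named constant, e.g. `private static final int MIN_BACKUP_PASSWORD_LENGTH = 8;`, and use it both in `data.getBackupPassword().length() < MIN_BACKUP_PASSWORD_LENGTH` and when building the message. Note also that `String.length()` counts UTF-16 code units, so a password made of supplementary characters satisfies the check with fewer actual characters than the message promises; if that matters, `codePointCount(0, length())` is the stricter measure. The enclosing method starts and ends outside the hunk.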
@@ -192,5 +192,5 @@ pki_master_jython_dict = None
 PKI_INSTANCE_SELINUX_CONTEXT = "pki_tomcat_var_lib_t"
 PKI_LOG_SELINUX_CONTEXT = "pki_tomcat_log_t"
 PKI_CFG_SELINUX_CONTEXT = "pki_tomcat_etc_rw_t" 
-PKI_PORT_SELINUX_CONTEXT = "pki_tomcat_port_t" 
+PKI_PORT_SELINUX_CONTEXT = "http_port_t"
 pki_selinux_config_ports = [] 
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py 
index c172301af..61ac20273 100644 
--- a/base/deploy/src/scriptlets/pkihelper.py 
+++ b/base/deploy/src/scriptlets/pkihelper.py 
@@ -636,16 +636,16 @@ class configuration_file:
 def populate_non_default_ports(self):
 if master['pki_http_port'] != \ 
- config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT: 
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT):
 ports.append(master['pki_http_port'])
 if master['pki_https_port'] != \ 
- config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT: 
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT):
 ports.append(master['pki_https_port'])
 if master['pki_tomcat_server_port'] != \ 
- config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT: 
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT):
 ports.append(master['pki_tomcat_server_port'])
 if master['pki_ajp_port'] != \ 
- config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT: 
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT):
 ports.append(master['pki_ajp_port'])
 return 
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if 
index b8c521a79..8f62136d5 100644 
--- a/base/selinux/src/pki.if 
+++ b/base/selinux/src/pki.if 
@@ -19,11 +19,14 @@ template(`pki_tomcat_template',`
 attribute pki_tomcat_executable, pki_tomcat_script, pki_tomcat_var_log;
 type pki_tomcat_tomcat_exec_t;
 type tomcat_exec_t; 
- type $1_port_t;
 type rpm_var_lib_t;
 type rpm_exec_t;
 type setfiles_t;
 type load_policy_t; 
+ type mxi_port_t; 
+ type http_cache_port_t; 
+ type http_port_t; 
+ type dns_port_t;
 ')
 ########################################
 # 
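Review bot: `PKI_PORT_SELINUX_CONTEXT = "http_port_t"` labels every port collected for SELinux with a type that other policy modules are already allowed to bind, so a non-default port chosen at deployment becomes reachable by any domain granted `http_port_t`, whereas the previous dedicated `pki_tomcat_port_t` confined it to the PKI domain; the constant deserves a comment recording that trade-off, e.g. `# Non-default ports are labeled http_port_t, a shared corenet type, now that the policy no longer defines a PKI-specific port type`. The policy in pki.if now grants access to several distinct port types (`mxi_port_t`, `http_cache_port_t`, `http_port_t`), so it is worth confirming that labelling all of the HTTP, HTTPS, server and AJP ports with the single `http_port_t` is intended. Existing instances whose ports were labeled with the removed type will presumably need relabeling on upgrade, which the commit message does not mention.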
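Review bot: The four `if`/`append` pairs in `populate_non_default_ports` are one comparison repeated for different keys, and this fix had to be applied four times over; a table-driven loop keeps the `str()` coercion in a single place. The comparison is also purely textual, so a value such as `'08080'` or one carrying surrounding whitespace would be treated as non-default — if the `master` values can come from user-edited configuration, comparing `int(master[key])` against the integer default is more robust, though it would raise on a non-numeric value. `configuration_file` starts before the hunk, and `master`, `ports` and `config` are defined outside it.
```python
    def populate_non_default_ports(self):
        # (master key, default) pairs; master values are compared as strings,
        # hence the str() on the default
        port_defaults = (
            ('pki_http_port', config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT),
            ('pki_https_port', config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT),
            ('pki_tomcat_server_port',
             config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT),
            ('pki_ajp_port', config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT),
        )
        for key, default in port_defaults:
            if master[key] != str(default):
                ports.append(master[key])
        return
```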
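Review bot: Requiring the raw corenet port types (`mxi_port_t`, `http_cache_port_t`, `http_port_t`, `dns_port_t`) in the template's `gen_require` and then writing `allow` rules against them directly, as the `@@ -74,7 +77,11 @@` hunk does, bypasses the corenetwork interfaces the reference policy provides for exactly this (`corenet_tcp_bind_http_port($1_t)`, `corenet_tcp_connect_http_port($1_t)`, `corenet_tcp_bind_http_cache_port($1_t)`, `corenet_tcp_connect_dns_port($1_t)` and their counterparts for the remaining types), which keep the module building if the port type definitions change upstream and make the intent readable. In that same hunk `http_cache_port_t` gets only `name_bind` while `http_port_t` and `mxi_port_t` also get `name_connect`; a comment should record which Tomcat port each type stands for and why the server must connect to, not only bind, those ports, since each `name_connect` also widens what a compromised server process may reach. The `## ports` comment is a good start but does not say which port each type covers.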
@@ -74,7 +77,11 @@ template(`pki_tomcat_template',`
 allow $1_t self:tcp_socket create_stream_socket_perms;
 allow $1_t self:process signull; 
- allow $1_t $1_port_t:tcp_socket {name_bind name_connect}; 
+ ## ports (these will be in the tomcat domain) 
+ allow $1_t mxi_port_t : tcp_socket { name_bind name_connect }; 
+ allow $1_t http_cache_port_t : tcp_socket name_bind; 
+ allow $1_t http_port_t : tcp_socket { name_bind name_connect }; 
+ allow $1_t dns_port_t : tcp_socket { recv_msg send_msg name_connect };
 # use rpm to look at velocity version in dtomcat-foo
 allow $1_t rpm_exec_t:file exec_file_perms; 
@@ -150,7 +157,6 @@ template(`pki_tomcat_template',`
 kernel_read_network_state($1_t)
 kernel_read_system_state($1_t)
 kernel_search_network_state($1_t) 
- # audit2allow
 kernel_signull_unlabeled($1_t)
 auth_use_nsswitch($1_t) 
@@ -161,6 +167,9 @@ template(`pki_tomcat_template',`
 libs_use_shared_libs($1_t)
 miscfiles_read_localization($1_t) 
+ miscfiles_read_hwdata($1_t) 
+ miscfiles_manage_cert_dirs($1_t) 
+ miscfiles_manage_generic_cert_files($1_t)
 logging_send_syslog_msg($1_t) 
@@ -204,7 +213,6 @@ template(`pki_tomcat_template',`
 fs_getattr_xattr_fs($1_t)
 fs_read_hugetlbfs_files($1_t)
 hostname_exec($1_t) 
- miscfiles_read_hwdata($1_t)
 allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };
 allow $1_t self:netlink_audit_socket { nlmsg_relay create write read};
 kernel_read_kernel_sysctls($1_t) 
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te 
index a91385ff2..cce797d7e 100644 
--- a/base/selinux/src/pki.te 
+++ b/base/selinux/src/pki.te 
@@ -1,4 +1,4 @@ 
-policy_module(pki,10.0.5) 
+policy_module(pki,10.0.6)
 attribute pki_tomcat_config;
 attribute pki_tomcat_executable; 
@@ -21,8 +21,6 @@ files_type(pki_common_dev_t)
 type pki_tomcat_tomcat_exec_t;
 files_type(pki_tomcat_tomcat_exec_t) 
-type pki_tomcat_port_t; 
-corenet_port(pki_tomcat_port_t)
 pki_tomcat_template(pki_tomcat)
 # forward proxy 
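Review bot: In the `@@ -161,6 +167,9 @@` hunk, `miscfiles_manage_cert_dirs($1_t)` and `miscfiles_manage_generic_cert_files($1_t)` give the Tomcat domain create, write and delete access over the system-wide certificate directories and files, not merely read; for a domain hosting PKI subsystems that is a meaningful widening, since a compromised server process could then alter the host's trust store. If the server only needs to read the trust anchors, `miscfiles_read_generic_certs($1_t)` is the least-privilege choice; if it genuinely must write there, say during configuration, a comment recording what is written and why should accompany the two lines. `miscfiles_read_hwdata($1_t)` is only moved here from the `@@ -204,7 +213,6 @@` hunk, with no change in effect.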
@@ -41,7 +39,7 @@ typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_
 typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
 typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
 typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t }; 
- 
+# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
 attribute pki_ra_config;
 attribute pki_ra_executable;
 attribute pki_ra_var_lib; 
-- cgit
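Review bot: The added `# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };` is commented-out policy put in place of the blank line it replaces; an alias on a type this module does not declare may not even be permitted here, and a line that is neither active nor explained will puzzle the next reader. Either drop it, or replace it with a comment that records the decision, e.g. `# The per-subsystem pki_*_port_t aliases were dropped together with pki_tomcat_port_t; ports are now labeled with the standard http_port_t`. If the old alias names are still referenced by existing `semanage port` customizations, that comment is the place to say how they are migrated.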