From da73f97ee897782a4e8fc326cd428bcd7ba5fd31 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Thu, 4 Oct 2012 13:21:15 -0400 Subject: Changes to start pki_ra and pki_tps in correct context Added required selinux versions to spec file. Also added additional rule needed for F17 --- base/ra/setup/pkidaemon_registry | 3 +++ base/ra/setup/registry_instance | 3 +++ base/selinux/src/pki.fc | 3 ++- base/selinux/src/pki.if | 18 +++++++++++++++++- base/selinux/src/pki.te | 1 + base/setup/pkicommon.pm | 2 ++ base/setup/pkicreate | 12 +++++++----- base/setup/pkiremove | 4 ++++ base/setup/scripts/pki_apache_initscript | 25 ++++++++----------------- base/tps/setup/pkidaemon_registry | 3 +++ base/tps/setup/registry_instance | 3 +++ specs/pki-core.spec | 10 +++++++++- 12 files changed, 62 insertions(+), 25 deletions(-) diff --git a/base/ra/setup/pkidaemon_registry b/base/ra/setup/pkidaemon_registry index 2e81158ef..9aa1eeaee 100644 --- a/base/ra/setup/pkidaemon_registry +++ b/base/ra/setup/pkidaemon_registry @@ -15,6 +15,9 @@ export PKI_GROUP PKI_INSTANCE_ID=[PKI_INSTANCE_ID] export PKI_INSTANCE_ID +PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH] +export PKI_INSTANCE_PATH + PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT] export PKI_INSTANCE_INITSCRIPT diff --git a/base/ra/setup/registry_instance b/base/ra/setup/registry_instance index 5be7a4de0..8fb0d6233 100644 --- a/base/ra/setup/registry_instance +++ b/base/ra/setup/registry_instance @@ -12,6 +12,9 @@ export PKI_GROUP PKI_INSTANCE_ID=[PKI_INSTANCE_ID] export PKI_INSTANCE_ID +PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH] +export PKI_INSTANCE_PATH + PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT] export PKI_INSTANCE_INITSCRIPT diff --git a/base/selinux/src/pki.fc b/base/selinux/src/pki.fc index 119e23562..8258b67c5 100644 --- a/base/selinux/src/pki.fc +++ b/base/selinux/src/pki.fc @@ -6,18 +6,19 @@ /var/log/pki gen_context(system_u:object_r:pki_log_t,s0) /usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0) -/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) /etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) /var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0) /var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0) /var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0) /etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) +/var/lib/pki-ra/pki-ra gen_context(system_u:object_r:pki_ra_exec_t,s0) /etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) /var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0) /var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0) /var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0) /etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) +/var/lib/pki-tps/pki-tps gen_context(system_u:object_r:pki_tps_exec_t,s0) # default labeling for nCipher /opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0) diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if index 37d5ec08b..e2392634e 100644 --- a/base/selinux/src/pki.if +++ b/base/selinux/src/pki.if @@ -51,7 +51,7 @@ template(`pki_apache_template',` # allow $1_t lib_t:file execute_no_trans; - allow $1_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill}; + allow $1_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown}; allow $1_t self:process { setsched signal getsched signull execstack execmem sigkill}; allow $1_t self:sem all_sem_perms; allow $1_t self:tcp_socket create_stream_socket_perms; @@ -87,10 +87,21 @@ template(`pki_apache_template',` manage_files_pattern($1_t, $1_log_t, $1_log_t) logging_log_filetrans($1_t, $1_log_t, { file dir } ) + # lock files + files_create_lock_dirs($1_t) + files_manage_generic_locks($1_t) + files_delete_generic_locks($1_t) + files_rw_lock_dirs($1_t) + + seutil_exec_setfiles($1_t) + init_dontaudit_write_utmp($1_t) libs_use_ld_so($1_t) libs_use_shared_libs($1_t) + libs_exec_ld_so($1_t) + + fs_search_cgroup_dirs($1_t) miscfiles_read_localization($1_t) @@ -148,6 +159,11 @@ template(`pki_apache_template',` sysnet_read_config($1_t) dev_read_urand($1_t) + dev_read_rand($1_t) + + # shutdown script uses ps + domain_dontaudit_read_all_domains_state($1_t) + ps_process_pattern($1_t, $1_t) ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys($1_t) diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te index df34aa03e..7fa76adb9 100644 --- a/base/selinux/src/pki.te +++ b/base/selinux/src/pki.te @@ -76,6 +76,7 @@ logging_send_audit_msgs(pki_tomcat_t) logging_send_syslog_msg(pki_tomcat_t) miscfiles_read_hwdata(pki_tomcat_t) +files_manage_generic_tmp_files(pki_tomcat_t) # forward proxy # need to define ports to fix this diff --git a/base/setup/pkicommon.pm b/base/setup/pkicommon.pm index 4b68ffa7e..16f553e00 100755 --- a/base/setup/pkicommon.pm +++ b/base/setup/pkicommon.pm @@ -3505,6 +3505,8 @@ sub check_selinux_port if (defined $selinux_ports{$seport}) { if ($selinux_ports{$seport} eq $setype) { return $SELINUX_PORT_DEFINED; + } elsif ($selinux_ports{$seport} eq "unreserved_port_t") { + return $SELINUX_PORT_UNDEFINED; } else { return $SELINUX_PORT_WRONGLY_DEFINED; } diff --git a/base/setup/pkicreate b/base/setup/pkicreate index e3ee5a0ab..b83fd870c 100755 --- a/base/setup/pkicreate +++ b/base/setup/pkicreate @@ -2421,6 +2421,7 @@ sub process_pki_templates $slot_hash{$PKI_SUBSYSTEM_DIR_SLOT} = ""; $slot_hash{$PKI_SUBSYSTEM_TYPE_SLOT} = $subsystem_type; $slot_hash{$PKI_INSTANCE_ID_SLOT} = $pki_instance_name; + $slot_hash{$PKI_INSTANCE_PATH_SLOT} = $pki_instance_path; $slot_hash{$PKI_INSTANCE_ROOT_SLOT} = $pki_instance_root; $slot_hash{$PKI_INSTANCE_INITSCRIPT} = $pki_instance_initscript_path; $slot_hash{$PKI_REGISTRY_FILE_SLOT} = $pki_registry_instance_file_path; @@ -2489,7 +2490,6 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so $slot_hash{$INSTALL_TIME} = localtime; $slot_hash{$PKI_CERT_DB_PASSWORD_SLOT} = $db_password; $slot_hash{$PKI_CFG_PATH_NAME_SLOT} = $pki_cfg_instance_file_path; - $slot_hash{$PKI_INSTANCE_PATH_SLOT} = $pki_instance_path; $slot_hash{$PKI_MACHINE_NAME_SLOT} = $host; $slot_hash{$PKI_RANDOM_NUMBER_SLOT} = $random; $slot_hash{$PKI_SERVER_XML_CONF} = $server_xml_instance_file_path; @@ -3168,6 +3168,12 @@ sub process_pki_selinux_setup add_selinux_file_context($setype . "_var_lib_t", "\"${pki_instance_root}/${pki_instance_name}(/.*)?\"", "a", \$semanage_cmds); + + if (!$java_component) { + add_selinux_file_context($setype . "_exec_t", + "\"${pki_instance_root}/${pki_instance_name}/${pki_instance_name}\"", + "a", \$semanage_cmds); + } } push(@restorecon_cmds, "$restorecon -F -R $pki_instance_root/$pki_instance_name"); @@ -3213,10 +3219,6 @@ sub process_pki_selinux_setup push(@restorecon_cmds, "$restorecon -F -R $conf_path"); } - if (! $java_component) { - push(@restorecon_cmds, "$restorecon -F -R /usr/sbin/httpd.worker"); - } - # add ports parse_selinux_ports(); if ($secure_port != -1) { diff --git a/base/setup/pkiremove b/base/setup/pkiremove index dd9fbc7f9..ca81cb09e 100755 --- a/base/setup/pkiremove +++ b/base/setup/pkiremove @@ -355,6 +355,10 @@ sub get_selinux_fcontexts if (($pki_instance_name ne $default_instance_name) || ($pki_instance_root ne $default_instance_root)) { remove_fcontext($setype . "_var_lib_t", "\"$pki_instance_root/$pki_instance_name(/.*)?\"", "a", $cmd_ref); + if (! $java_component) { + remove_fcontext($setype . "_exec_t", + "\"${pki_instance_root}/{$pki_instance_name}/${pki_instance_name}\"", "a", $cmd_ref); + } } # remove context for /var/run/$pki_instance_name.pid diff --git a/base/setup/scripts/pki_apache_initscript b/base/setup/scripts/pki_apache_initscript index c50c812a4..1e411207f 100755 --- a/base/setup/scripts/pki_apache_initscript +++ b/base/setup/scripts/pki_apache_initscript @@ -64,25 +64,16 @@ start() # restore context for ncipher hsm [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast - - /usr/sbin/selinuxenabled - rv=$? - if [ ${rv} = 0 ] ; then - if [ ${ARCHITECTURE} = "i386" ] ; then - LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -r system_r -- ${httpd} ${PKI_OPTIONS} - rv=$? - # overwrite output from "daemon" - echo -n $"Starting ${prog}: " - elif [ ${ARCHITECTURE} = "x86_64" ] ; then - # NOTE: "daemon" is incompatible with "httpd" on 64-bit architectures - LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -r system_r -- ${httpd} ${PKI_OPTIONS} - rv=$? - fi + + if [ ${ARCHITECTURE} = "x86_64" ] ; then + # NOTE: "daemon" is incompatible with "httpd" on 64-bit architectures + LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS} + rv=$? else - LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS} + LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS} rv=$? - # overwrite output from "daemon" - echo -n $"Starting ${prog}: " + # overwrite output from "daemon" + echo -n $"Starting ${prog}: " fi if [ ${rv} = 0 ] ; then diff --git a/base/tps/setup/pkidaemon_registry b/base/tps/setup/pkidaemon_registry index b74c84317..cac9b3c48 100644 --- a/base/tps/setup/pkidaemon_registry +++ b/base/tps/setup/pkidaemon_registry @@ -15,6 +15,9 @@ export PKI_GROUP PKI_INSTANCE_ID=[PKI_INSTANCE_ID] export PKI_INSTANCE_ID +PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH] +export PKI_INSTANCE_PATH + PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT] export PKI_INSTANCE_INITSCRIPT diff --git a/base/tps/setup/registry_instance b/base/tps/setup/registry_instance index cb907eb61..3c0f5eb4e 100644 --- a/base/tps/setup/registry_instance +++ b/base/tps/setup/registry_instance @@ -12,6 +12,9 @@ export PKI_GROUP PKI_INSTANCE_ID=[PKI_INSTANCE_ID] export PKI_INSTANCE_ID +PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH] +export PKI_INSTANCE_PATH + PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT] export PKI_INSTANCE_INITSCRIPT diff --git a/specs/pki-core.spec b/specs/pki-core.spec index a3c8833ca..9452f1b02 100644 --- a/specs/pki-core.spec +++ b/specs/pki-core.spec @@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} Name: pki-core Version: 10.0.0 -Release: %{?relprefix}37%{?prerel}%{?dist} +Release: %{?relprefix}38%{?prerel}%{?dist} Summary: Certificate System - PKI Core Components URL: http://pki.fedoraproject.org/ License: GPLv2 @@ -357,6 +357,11 @@ BuildArch: noarch Requires: policycoreutils Requires: selinux-policy-targeted +%if 0%{?fedora} >= 18 +Requires: selinux-policy >= 3.11.1.23 +%else +Requires: selinux-policy >= 3.10.0-151 +%endif %description -n pki-selinux Selinux policies for the PKI components. @@ -1312,6 +1317,9 @@ fi %changelog +* Fri Oct 5 2012 Ade Lee 10.0.0-0.38.a2 +- Added required selinux versions for new policy. + * Tue Oct 2 2012 Endi S. Dewata 10.0.0-0.37.a2 - Added Provides to packages replacing obsolete packages. -- cgit