From 5fd74e0e0c9407306e99ef4fd2e776cb911ee94a Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Tue, 10 Jul 2012 11:50:59 -0400
Subject: Selinux policy for new configuration. Added tomcat_t for java processes. Added aliases for old types to allow compatibility of existng subsystems. Added install scripts for pkispawn and pkidestroy
---
 base/deploy/src/scriptlets/initialization.py | 5 ++
 base/deploy/src/scriptlets/pkiconfig.py | 12 +++
 base/deploy/src/scriptlets/pkihelper.py | 52 +++++++++++++
 base/deploy/src/scriptlets/pkimessages.py | 2 +
 base/deploy/src/scriptlets/selinux_setup.py | 107 +++++++++++++++++++++++++++
 5 files changed, 178 insertions(+)
 create mode 100644 base/deploy/src/scriptlets/selinux_setup.py
(limited to 'base/deploy/src/scriptlets')
diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py
index cc516532e..368cf2595 100644
--- a/base/deploy/src/scriptlets/initialization.py
+++ b/base/deploy/src/scriptlets/initialization.py
@@ -50,6 +50,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 util.configuration_file.verify_sensitive_data()
 # verify existence of MUTUALLY EXCLUSIVE configuration file data
 util.configuration_file.verify_mutually_exclusive_data()
+ # verify selinux context of selected ports
+ util.configuration_file.populate_non_default_ports()
+ util.configuration_file.verify_selinux_ports()
 return self.rv
 
 def respawn(self):
@@ -80,6 +83,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 # establish 'uid' and 'gid'
 util.identity.set_uid(master['pki_user'])
 util.identity.set_gid(master['pki_group'])
+ # get ports to remove selinux context
+ util.configuration_file.populate_non_default_ports()
 # ALWAYS Stop this Apache/Tomcat PKI Process
 util.systemd.stop()
 return self.rv
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index fc8ddac90..e300c1ea7 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
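Review bot: The comment `# verify selinux context of selected ports` added at @@ -50 sits above `populate_non_default_ports()`, which only collects the non-default ports into the shared list; the actual check is the `verify_selinux_ports()` call on the next line, so `# collect the non-default ports, then verify their current SELinux labels` would describe the pair. The second call site at @@ -80 runs populate without verify, so the destroy path acts on whatever ports the current configuration names rather than on what spawn actually labelled; if that is intended, a comment saying so would help the next reader. Both calls run unconditionally, and neither this hunk nor the helper appears to consult whether SELinux is enabled before reading the policy store, so on a host without the policy a custom port carrying some other label aborts deployment through the helper's `sys.exit(1)` — worth confirming against pkihelper. Both enclosing methods start and end outside the hunk.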
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -79,6 +79,11 @@ PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE = "pkideployment.cfg"
 PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE =\
 "/usr/share/pki/deployment/config/pkislots.cfg"
 
+# default ports (for defined selinux policy)
+PKI_DEPLOYMENT_DEFAULT_HTTP_PORT = 8080
+PKI_DEPLOYMENT_DEFAULT_HTTPS_PORT = 8443
+PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT = 8005
+PKI_DEPLOYMENT_DEFAULT_AJP_PORT = 8009
 
 # PKI Deployment Jython 2.2 Constants
 PKI_JYTHON_CRITICAL_LOG_LEVEL = 1
@@ -174,3 +179,10 @@ pki_subsystem_dict = None
 pki_master_dict = None
 pki_slots_dict = None
 pki_master_jython_dict = None
+
+# PKI Selinux Constants and parameters
+PKI_INSTANCE_SELINUX_CONTEXT = "pki_tomcat_var_lib_t"
+PKI_LOG_SELINUX_CONTEXT = "pki_tomcat_log_t"
+PKI_CFG_SELINUX_CONTEXT = "pki_tomcat_etc_rw_t"
+PKI_PORT_SELINUX_CONTEXT = "pki_tomcat_port_t"
+pki_selinux_config_ports = []
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index 7de6502a2..1ceb65898 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -35,6 +35,7 @@ from grp import getgrnam
 from pwd import getpwnam
 from pwd import getpwuid
 import zipfile
+import seobject
 
 
 # PKI Deployment Imports
@@ -42,6 +43,7 @@ import pkiconfig as config
 from pkiconfig import pki_master_dict as master
 from pkiconfig import pki_sensitive_dict as sensitive
 from pkiconfig import pki_slots_dict as slots
+from pkiconfig import pki_selinux_config_ports as ports
 import pkimanifest as manifest
 import pkimessages as log
 
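Review bot: `pki_selinux_config_ports = []` at the end of the second pkiconfig hunk is a module-level mutable list that other modules bind by name (`from pkiconfig import pki_selinux_config_ports as ports` in the pkihelper hunk below and again in selinux_setup.py), so it only works while it is mutated in place; rebinding it the way the neighbouring `pki_*_dict = None` placeholders presumably are later would silently orphan those references. Suggest a comment above it: `# ports that need a pki_tomcat_port_t label; mutated in place by pkihelper.configuration_file — never rebind, other modules import this object by name`. The four `PKI_DEPLOYMENT_DEFAULT_*_PORT` constants are ints, and the comment `# default ports (for defined selinux policy)` could state that they are the ports the shipped policy already labels, which is why they are excluded from relabelling.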
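Review bot: `import seobject` at @@ -35 of pkihelper.py makes the SELinux policy-store bindings a hard import-time dependency of the helper module, so every scriptlet that imports pkihelper now fails on a host where that module is not installed, even when SELinux is not in use and no port check is needed. Consider importing it inside `verify_selinux_ports`, where it is used, or guarding the import and skipping the port check when the module is absent, and recording the new runtime requirement wherever the deployment tool's dependencies are declared (outside this diff). The import block continues outside the hunk.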
@@ -403,6 +405,56 @@ class configuration_file:
 extra=config.PKI_INDENTATION_LEVEL_2)
 sys.exit(1)
 
+ def populate_non_default_ports(self):
+ if master['pki_http_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_HTTP_PORT:
+ ports.append(master['pki_http_port'])
+ if master['pki_https_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_HTTPS_PORT:
+ ports.append(master['pki_https_port'])
+ if master['pki_tomcat_server_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT:
+ ports.append(master['pki_tomcat_server_port'])
+ if master['pki_ajp_port'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_AJP_PORT:
+ ports.append(master['pki_ajp_port'])
+ return
+
+ def verify_selinux_ports(self):
+ # Determine which ports still need to be labelled, and if any are
+ # incorrectly labelled
+ if len(ports) == 0:
+ return
+
+ portrecs = seobject.portRecords().get_all()
+ portlist = ports[:]
+ for port in portlist:
+ context = ""
+ for i in portrecs:
+ if portrecs[i][0] == "unreserved_port_t" or \
+ portrecs[i][0] == "reserved_port_t" or \
+ i[2] != "tcp":
+ continue
+ if i[0] <= int(port) and int(port) <= i[1]:
+ context = portrecs[i][0]
+ break
+ if context == "":
+ # port has no current context
+ # leave it in list of ports to set
+ continue
+ elif context == config.PKI_PORT_SELINUX_CONTEXT:
+ # port is already set correctly
+ # remove from list of ports to set
+ ports.remove(port)
+ else:
+ config.pki_log.error(
+ log.PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT,
+ port, context,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ return
+
+
 # PKI Deployment XML File Class
 #class xml_file:
 
diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py
index d1326edb3..e4da468c1 100644
--- a/base/deploy/src/scriptlets/pkimessages.py
+++ b/base/deploy/src/scriptlets/pkimessages.py
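Review bot: `populate_non_default_ports` compares `master['pki_http_port']` and the other three values with `!=` against the integer defaults, while `verify_selinux_ports` has to cast the same values with `int(port)`; if the master values are strings (as that cast suggests they may be) the comparison is always true and the default ports land in the list too, so `if int(master['pki_http_port']) != config.PKI_DEPLOYMENT_DEFAULT_HTTP_PORT:` (and likewise for the other three) would make the two methods agree. The method also appends without clearing, so a second call in the same process duplicates entries, and a duplicated port then reaches `seobject.portRecords().add` twice in the selinux scriptlet, which the policy store is likely to reject; `del ports[:]` at the top would make it idempotent. In `verify_selinux_ports`, a port already carrying an unrelated label is rightly treated as fatal rather than overwritten — that keeps the tool from taking over a port type belonging to another confined service — and a one-line comment such as `# refuse to relabel a port another policy module owns` would preserve that intent for the next maintainer. The bare `return` statements closing both methods are redundant, and neither method has a docstring; the `configuration_file` class begins outside the hunk.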
@@ -163,6 +163,8 @@ PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ."
 PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ."
 PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s"
 PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s"
+PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = "port %s has invalid selinux "\
+ "context %s"
 PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\
 "jython %s %s '"
 PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory"
diff --git a/base/deploy/src/scriptlets/selinux_setup.py b/base/deploy/src/scriptlets/selinux_setup.py
new file mode 100644
index 000000000..38cc17f0a
--- /dev/null
+++ b/base/deploy/src/scriptlets/selinux_setup.py
@@ -0,0 +1,107 @@
+#!/usr/bin/python -t
+# Authors:
+# Ade Lee
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+from pkiconfig import pki_selinux_config_ports as ports
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+import seobject
+import selinux
+
+# PKI Deployment Selinux Setup Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+ suffix = "(/.*)?"
+
+ def restore_context(self):
+ selinux.restorecon(master['pki_instance_path'], True)
+ selinux.restorecon(master['pki_instance_log_path'], True)
+ selinux.restorecon(master['pki_instance_configuration_path'], True)
+
+ def spawn(self):
+ config.pki_log.info(log.SUBSYSTEM_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+
+ # check first if any transactions are required
+ if len(ports) == 0 and master['pki_instance_name'] == \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ self.restore_context()
+ return self.rv
+
+ trans = seobject.semanageRecords("targeted")
+ trans.start()
+ if master['pki_instance_name'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ fcon1 = seobject.fcontextRecords()
+ fcon1.add(master['pki_instance_path'] + self.suffix,
+ config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "")
+
+ fcon2 = seobject.fcontextRecords()
+ fcon2.add(master['pki_instance_log_path'] + self.suffix,
+ config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "")
+
+ fcon3 = seobject.fcontextRecords()
+ fcon3.add(master['pki_instance_configuration_path'] + self.suffix,
+ config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "")
+ for port in ports:
+ port1 = seobject.portRecords()
+ port1.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT)
+ trans.finish()
+
+ self.restore_context()
+ return self.rv
+
+ def respawn(self):
+ config.pki_log.info(log.SUBSYSTEM_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ self.restore_context()
+ return self.rv
+
+ def destroy(self):
+ config.pki_log.info(log.SUBSYSTEM_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+
+ # check first if any transactions are required
+ if len(ports) == 0 and master['pki_instance_name'] == \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ return self.rv
+
+ trans = seobject.semanageRecords("targeted")
+ trans.start()
+ if master['pki_instance_name'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ fcon1 = seobject.fcontextRecords()
+ fcon1.delete(master['pki_instance_path'] + self.suffix , "")
+
+ fcon2 = seobject.fcontextRecords()
+ fcon2.delete(master['pki_instance_log_path'] + self.suffix, "")
+
+ fcon3 = seobject.fcontextRecords()
+ fcon3.delete(master['pki_instance_configuration_path'] + \
+ self.suffix, "")
+ for port in ports:
+ port1 = seobject.portRecords()
+ port1.delete(port, "tcp")
+ trans.finish()
+ return self.rv
-- cgit
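Review bot: In `spawn` and `destroy` the policy-store transaction opened by `trans.start()` has no error handling: if any `fcontextRecords.add`/`delete` or `portRecords.add`/`delete` raises (seobject reports a pre-existing or missing record by raising), `trans.finish()` is never reached, nothing is logged through `config.pki_log`, and the scriptlet's `rv` is never set, so the caller sees a bare traceback instead of a deployment error. Wrapping the record operations so the failure is logged and re-raised, as sketched below for `spawn`, is also a natural place to fold the three near-identical `fcontextRecords()` blocks into one loop over `(path, context)` pairs; `destroy` needs the same treatment, and the message literal belongs in pkimessages with the others. Separately, `destroy` deletes a port record for every entry in `ports`, but on the spawn side `verify_selinux_ports` (pkihelper) drops ports that were already labelled `pki_tomcat_port_t` and never adds them, so `destroy` can try to remove a record this tool did not create; recording what spawn actually added (pkihelper imports a manifest module that may be the right place) would let destroy undo only its own changes. The policy store name `"targeted"` is hard-coded in both methods; if other stores must be supported it should come from configuration rather than a literal.
```python
        trans = seobject.semanageRecords("targeted")
        trans.start()
        try:
            if master['pki_instance_name'] != \
               config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
                # one file-context record per path the policy expects
                for path, context in (
                        (master['pki_instance_path'],
                         config.PKI_INSTANCE_SELINUX_CONTEXT),
                        (master['pki_instance_log_path'],
                         config.PKI_LOG_SELINUX_CONTEXT),
                        (master['pki_instance_configuration_path'],
                         config.PKI_CFG_SELINUX_CONTEXT)):
                    seobject.fcontextRecords().add(path + self.suffix,
                                                   context, "", "s0", "")
            for port in ports:
                seobject.portRecords().add(port, "tcp", "s0",
                                           config.PKI_PORT_SELINUX_CONTEXT)
            trans.finish()
        except Exception as e:
            # surface the policy-store failure in the deployment log
            # before propagating it to the caller
            config.pki_log.error("selinux setup failed: %s", e,
                                 extra=config.PKI_INDENTATION_LEVEL_2)
            raise
        # … unchanged: self.restore_context(); return self.rv …
```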