From c494bd03f8f4f82a4c06457dfc301a606b89e2dc Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Wed, 10 Oct 2012 00:16:57 -0400 Subject: Added pki_tomcat_cert_t type and interface to access it Added permissions to certmonger to access the certdb. Also added some missing selinux permissions for pki_tomcat_t --- base/deploy/src/scriptlets/pkiconfig.py | 1 + base/deploy/src/scriptlets/selinux_setup.py | 11 +++++++++++ 2 files changed, 12 insertions(+) (limited to 'base/deploy/src') diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py index 115e4327d..bfc5b3249 100644 --- a/base/deploy/src/scriptlets/pkiconfig.py +++ b/base/deploy/src/scriptlets/pkiconfig.py @@ -192,5 +192,6 @@ pki_master_jython_dict = None PKI_INSTANCE_SELINUX_CONTEXT = "pki_tomcat_var_lib_t" PKI_LOG_SELINUX_CONTEXT = "pki_tomcat_log_t" PKI_CFG_SELINUX_CONTEXT = "pki_tomcat_etc_rw_t" +PKI_CERTDB_SELINUX_CONTEXT = "pki_tomcat_cert_t" PKI_PORT_SELINUX_CONTEXT = "http_port_t" pki_selinux_config_ports = [] diff --git a/base/deploy/src/scriptlets/selinux_setup.py b/base/deploy/src/scriptlets/selinux_setup.py index 58ec3ad4e..0292081be 100644 --- a/base/deploy/src/scriptlets/selinux_setup.py +++ b/base/deploy/src/scriptlets/selinux_setup.py @@ -80,6 +80,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): fcon.add(master['pki_instance_configuration_path'] + self.suffix, config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "") + config.pki_log.info("adding selinux fcontext \"%s\"", + master['pki_database_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_database_path'] + self.suffix, + config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "") + portRecords = seobject.portRecords() for port in ports: config.pki_log.info("adding selinux port %s", port, 
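Review bot: The added `fcon.add(master['pki_database_path'] + self.suffix, config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "")` only registers a file-context rule; nothing in this hunk relabels files that already exist under the database path, so the NSS certificate database may keep its previous label until a `restorecon` runs. If `pki_database_path` sits below the instance path that is presumably labelled `pki_tomcat_var_lib_t` earlier in the method (not visible here), the two patterns overlap, and it is worth confirming on a deployed instance with `matchpathcon` or `ls -Z` that the certdb rule wins. The call will also fail if the loaded policy does not yet define `pki_tomcat_cert_t`, so the package should require the policy build that introduces the type. I would add a comment above the block such as `# certdb holds private keys: label it pki_tomcat_cert_t; files are relabeled by the restorecon step below`, adjusted to wherever the relabel actually happens. The enclosing method starts and ends outside the hunk, so a later relabel step may already exist.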
@@ -136,6 +142,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): fcon.delete(master['pki_instance_configuration_path'] + \ self.suffix, "") + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_database_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_database_path'] + self.suffix , "") + portRecords = seobject.portRecords() for port in ports: config.pki_log.info("deleting selinux port %s", port, -- cgit
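Review bot: The added `fcon.delete(master['pki_database_path'] + self.suffix , "")` assumes the certdb file-context record exists, but an instance deployed before this change never had it added, and as far as I know `seobject` raises `ValueError` when asked to delete a file context that is not defined. Unless the surrounding code (outside this hunk) catches that, tearing down such an instance would stop at this call and leave the port records that follow it in place. I would guard this one call so that a missing record is logged and skipped rather than aborting the rest of the cleanup. There is also a stray space before the comma in `self.suffix , ""`.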