From da73f97ee897782a4e8fc326cd428bcd7ba5fd31 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Thu, 4 Oct 2012 13:21:15 -0400
Subject: Changes to start pki_ra and pki_tps in correct context

Added required selinux versions to spec file. Also added additional rule needed for F17
---
 base/selinux/src/pki.fc | 3 ++-
 base/selinux/src/pki.if | 18 +++++++++++++++++-
 base/selinux/src/pki.te | 1 +
 3 files changed, 20 insertions(+), 2 deletions(-)

(limited to 'base/selinux')

diff --git a/base/selinux/src/pki.fc b/base/selinux/src/pki.fc
index 119e23562..8258b67c5 100644
--- a/base/selinux/src/pki.fc
+++ b/base/selinux/src/pki.fc
@@ -6,18 +6,19 @@
 /var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
 /usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
-/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0)
 /etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
 /var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
 /var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
 /var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
 /etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+/var/lib/pki-ra/pki-ra gen_context(system_u:object_r:pki_ra_exec_t,s0)
 /etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
 /var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
 /var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
 /var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
 /etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+/var/lib/pki-tps/pki-tps gen_context(system_u:object_r:pki_tps_exec_t,s0)
 # default labeling for nCipher
 /opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0)
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index 37d5ec08b..e2392634e 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
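Review bot: The two new entries `/var/lib/pki-ra/pki-ra` and `/var/lib/pki-tps/pki-tps` drop the `--` file-type specifier that the removed `/usr/sbin/httpd.worker --` line carried, so the pki_*_exec_t label now applies to whatever object sits at that path rather than only to a regular file; `/var/lib/pki-ra/pki-ra -- gen_context(system_u:object_r:pki_ra_exec_t,s0)` and the matching tps line keep the entrypoint labeling as tight as before. As literal paths they should still win over the `/var/lib/pki-ra(/.*)?` and `/var/lib/pki-tps(/.*)?` regex entries at relabel time, but the entrypoints now live inside a tree the service domains presumably manage as their var_lib type, so it is worth confirming in pki.if that $1_t gets no write access to $1_exec_t. A short comment above each new line naming the script it labels would also help, since the commit message does not say what replaced httpd.worker.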
@@ -51,7 +51,7 @@ template(`pki_apache_template',`
 # allow $1_t lib_t:file execute_no_trans;
- allow $1_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill};
+ allow $1_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};
 allow $1_t self:process { setsched signal getsched signull execstack execmem sigkill};
 allow $1_t self:sem all_sem_perms;
 allow $1_t self:tcp_socket create_stream_socket_perms;
@@ -87,10 +87,21 @@ template(`pki_apache_template',`
 manage_files_pattern($1_t, $1_log_t, $1_log_t)
 logging_log_filetrans($1_t, $1_log_t, { file dir } )
+ # lock files
+ files_create_lock_dirs($1_t)
+ files_manage_generic_locks($1_t)
+ files_delete_generic_locks($1_t)
+ files_rw_lock_dirs($1_t)
+
+ seutil_exec_setfiles($1_t)
+
 init_dontaudit_write_utmp($1_t)
 libs_use_ld_so($1_t)
 libs_use_shared_libs($1_t)
+ libs_exec_ld_so($1_t)
+
+ fs_search_cgroup_dirs($1_t)
 miscfiles_read_localization($1_t)
@@ -148,6 +159,11 @@ template(`pki_apache_template',`
 sysnet_read_config($1_t)
 dev_read_urand($1_t)
+ dev_read_rand($1_t)
+
+ # shutdown script uses ps
+ domain_dontaudit_read_all_domains_state($1_t)
+ ps_process_pattern($1_t, $1_t)
 ifdef(`targeted_policy',`
 term_dontaudit_use_unallocated_ttys($1_t)
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index df34aa03e..7fa76adb9 100644
--- a/base/selinux/src/pki.te
+++ b/base/selinux/src/pki.te
@@ -76,6 +76,7 @@ logging_send_audit_msgs(pki_tomcat_t)
 logging_send_syslog_msg(pki_tomcat_t)
 miscfiles_read_hwdata(pki_tomcat_t)
+files_manage_generic_tmp_files(pki_tomcat_t)
 # forward proxy
 # need to define ports to fix this
-- 
cgit
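Review bot: `chown` joins the self:capability set on the changed `allow $1_t self:capability { ... kill chown};` line with nothing saying which start or shutdown step needs it; CAP_CHOWN lets the domain reassign ownership on every file type it can already write, which is a wider grant than the one-word change suggests. A why-comment on the line would let the next reviewer check it is still needed, e.g. `# chown: needed by <step that changes file ownership — TODO confirm>`. If only the start/stop script changes ownership, granting it to that script's domain rather than the whole apache template would be the narrower choice. The template body continues outside the hunk in both directions.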
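Review bot: The added lock-file block grants the template domain full management of the generic var_lock_t type (`files_manage_generic_locks`, `files_delete_generic_locks`, `files_rw_lock_dirs`), which covers every other service's lock files as well as the RA/TPS one; the reference-policy least-privilege shape is a private `$1_lock_t` declared in the template and created through `files_lock_filetrans($1_t, $1_lock_t, file)` so only this service's lock carries that label. `files_delete_generic_locks($1_t)` also looks redundant next to `files_manage_generic_locks($1_t)`, since in the reference policy the latter already expands to a manage_files_pattern that includes unlink (worth confirming against the files.if this build uses). `seutil_exec_setfiles($1_t)` and `libs_exec_ld_so($1_t)` each deserve a one-line comment naming the script step that runs setfiles or ld.so directly, because executing ld.so from the service domain relaxes the exec-label control the rest of the template depends on. The template body continues outside the hunk.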
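Review bot: `files_manage_generic_tmp_files(pki_tomcat_t)` gives the Tomcat domain read, write, create and delete on every tmp_t file under /tmp, i.e. other services' temporary files as well as its own, and any temp file it creates keeps the shared generic label. The reference-policy pattern is a private tmp type with a file transition so the domain's own files are labelled automatically and the generic grant is not needed; if pki.te already declares such a type outside this hunk, the new line can be replaced by that transition, and if a specific pre-existing generic file really must be written, a comment naming it would help the next reviewer. The surrounding rule list continues outside the hunk.
```selinux
# … unchanged: pki_tomcat_t rules above …
# private tmp type instead of the generic tmp_t grant (omit the type lines if pki.te already declares one)
type pki_tomcat_tmp_t;
files_tmp_file(pki_tomcat_tmp_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_tmp_t, pki_tomcat_tmp_t)
files_tmp_filetrans(pki_tomcat_t, pki_tomcat_tmp_t, { file dir })
# … unchanged: forward proxy comments and remaining rules …
```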