From da73f97ee897782a4e8fc326cd428bcd7ba5fd31 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Thu, 4 Oct 2012 13:21:15 -0400
Subject: Changes to start pki_ra and pki_tps in correct context

Added required selinux versions to spec file.
Also added additional rule needed for F17
---
 base/setup/pkicommon.pm                  |  2 ++
 base/setup/pkicreate                     | 12 +++++++-----
 base/setup/pkiremove                     |  4 ++++
 base/setup/scripts/pki_apache_initscript | 25 ++++++++----------------
 4 files changed, 21 insertions(+), 22 deletions(-)

(limited to 'base/setup')

diff --git a/base/setup/pkicommon.pm b/base/setup/pkicommon.pm
index 4b68ffa7e..16f553e00 100755
--- a/base/setup/pkicommon.pm
+++ b/base/setup/pkicommon.pm
@@ -3505,6 +3505,8 @@ sub check_selinux_port
     if (defined $selinux_ports{$seport}) {
         if ($selinux_ports{$seport} eq $setype) {
             return $SELINUX_PORT_DEFINED;
+        } elsif ($selinux_ports{$seport} eq "unreserved_port_t") {
+            return $SELINUX_PORT_UNDEFINED;
         } else {
             return $SELINUX_PORT_WRONGLY_DEFINED;
         }
diff --git a/base/setup/pkicreate b/base/setup/pkicreate
index e3ee5a0ab..b83fd870c 100755
--- a/base/setup/pkicreate
+++ b/base/setup/pkicreate
@@ -2421,6 +2421,7 @@ sub process_pki_templates
     $slot_hash{$PKI_SUBSYSTEM_DIR_SLOT} = "";
     $slot_hash{$PKI_SUBSYSTEM_TYPE_SLOT} = $subsystem_type;
     $slot_hash{$PKI_INSTANCE_ID_SLOT} = $pki_instance_name;
+    $slot_hash{$PKI_INSTANCE_PATH_SLOT} = $pki_instance_path;
     $slot_hash{$PKI_INSTANCE_ROOT_SLOT} = $pki_instance_root;
     $slot_hash{$PKI_INSTANCE_INITSCRIPT} = $pki_instance_initscript_path;
     $slot_hash{$PKI_REGISTRY_FILE_SLOT} = $pki_registry_instance_file_path;
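Review bot: The new `elsif` in check_selinux_port gives no reason why a port listed as `unreserved_port_t` is reported as `$SELINUX_PORT_UNDEFINED` rather than `$SELINUX_PORT_WRONGLY_DEFINED`, and the commit message only says an extra rule was needed for F17. A why-comment belongs on that branch, e.g. `# F17+ policy lists ports from the unreserved_port_t range in "semanage port -l"; treat them as free so the caller labels them with $setype`. Whether UNDEFINED is the right answer depends on the caller, which is outside this hunk: if it reacts with `semanage port -a`, a port that semanage already lists may need `-m` instead, so that path is worth confirming on an F17 box. check_selinux_port itself starts before the hunk.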
@@ -2489,7 +2490,6 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
     $slot_hash{$INSTALL_TIME} = localtime;
     $slot_hash{$PKI_CERT_DB_PASSWORD_SLOT} = $db_password;
     $slot_hash{$PKI_CFG_PATH_NAME_SLOT} = $pki_cfg_instance_file_path;
-    $slot_hash{$PKI_INSTANCE_PATH_SLOT} = $pki_instance_path;
     $slot_hash{$PKI_MACHINE_NAME_SLOT} = $host;
     $slot_hash{$PKI_RANDOM_NUMBER_SLOT} = $random;
     $slot_hash{$PKI_SERVER_XML_CONF} = $server_xml_instance_file_path;
@@ -3168,6 +3168,12 @@ sub process_pki_selinux_setup
             add_selinux_file_context($setype . "_var_lib_t",
                                      "\"${pki_instance_root}/${pki_instance_name}(/.*)?\"",
                                      "a", \$semanage_cmds);
+
+            if (!$java_component) {
+                add_selinux_file_context($setype . "_exec_t",
+                                         "\"${pki_instance_root}/${pki_instance_name}/${pki_instance_name}\"",
+                                         "a", \$semanage_cmds);
+            }
         }
 
         push(@restorecon_cmds, "$restorecon -F -R $pki_instance_root/$pki_instance_name");
@@ -3213,10 +3219,6 @@ sub process_pki_selinux_setup
             push(@restorecon_cmds, "$restorecon -F -R $conf_path");
         }
 
-        if (! $java_component) {
-            push(@restorecon_cmds, "$restorecon -F -R /usr/sbin/httpd.worker");
-        }
-
         # add ports
         parse_selinux_ports();
         if ($secure_port != -1) {
diff --git a/base/setup/pkiremove b/base/setup/pkiremove
index dd9fbc7f9..ca81cb09e 100755
--- a/base/setup/pkiremove
+++ b/base/setup/pkiremove
@@ -355,6 +355,10 @@ sub get_selinux_fcontexts
         if (($pki_instance_name ne $default_instance_name) ||
             ($pki_instance_root ne $default_instance_root)) {
             remove_fcontext($setype . "_var_lib_t", "\"$pki_instance_root/$pki_instance_name(/.*)?\"", "a", $cmd_ref);
+            if (! $java_component) {
+                remove_fcontext($setype . "_exec_t",
+                    "\"${pki_instance_root}/{$pki_instance_name}/${pki_instance_name}\"", "a", $cmd_ref);
+            }
         }
 
         # remove context for /var/run/$pki_instance_name.pid
diff --git a/base/setup/scripts/pki_apache_initscript b/base/setup/scripts/pki_apache_initscript
index c50c812a4..1e411207f 100755
--- a/base/setup/scripts/pki_apache_initscript
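Review bot: The new `_exec_t` file-context spec in process_pki_selinux_setup is the instance entrypoint path interpolated verbatim into a semanage pattern, with no comment saying what that file is or why it needs the exec type; a reader has to open the initscript to learn that the domain transition now depends on this label instead of `runcon`. I would put above the `if`: `# non-Java subsystems exec httpd via the instance-named entrypoint; label it ${setype}_exec_t so SELinux transitions into ${setype}_t on exec (the initscript no longer uses runcon)`. Two things to confirm, since add_selinux_file_context is not visible here: semanage treats the spec as a regex, so an instance name containing metacharacters should go through `quotemeta` (the existing `_var_lib_t` spec has the same exposure), and mode `"a"` presumably fails if the context is already present from an earlier, partially removed instance. The enclosing `if` and the function itself begin before this hunk.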
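Review bot: The `_exec_t` spec added in get_selinux_fcontexts can never match the context pkicreate registers: `/{$pki_instance_name}/` has the `$` inside the braces, so Perl interpolates the variable and keeps the literal braces, giving `.../{NAME}/NAME` instead of `.../NAME/NAME` (compare the `${pki_instance_name}` form in the pkicreate hunk). The generated removal command therefore targets a spec that was never added, and the exec context stays on the system after pkiremove, which is exactly the stale label the old `restorecon` on `/usr/sbin/httpd.worker` was meant to avoid. The fix is `"\"${pki_instance_root}/${pki_instance_name}/${pki_instance_name}\"", "a", $cmd_ref);`. The enclosing `if` and the function start before this hunk.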
+++ b/base/setup/scripts/pki_apache_initscript
@@ -64,25 +64,16 @@ start()
 
     # restore context for ncipher hsm
     [ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
-
-    /usr/sbin/selinuxenabled
-    rv=$?
-    if [ ${rv} = 0 ] ; then
-        if [ ${ARCHITECTURE} = "i386" ] ; then
-            LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -r system_r -- ${httpd} ${PKI_OPTIONS}
-            rv=$?
-            # overwrite output from "daemon"
-            echo -n $"Starting ${prog}: "
-        elif [ ${ARCHITECTURE} = "x86_64" ] ; then
-            # NOTE: "daemon" is incompatible with "httpd" on 64-bit architectures
-            LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -r system_r -- ${httpd} ${PKI_OPTIONS}
-            rv=$?
-        fi
+
+    if [ ${ARCHITECTURE} = "x86_64" ] ; then
+        # NOTE: "daemon" is incompatible with "httpd" on 64-bit architectures
+        LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS}
+        rv=$?
     else
-        LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS}
+        LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS}
         rv=$?
-        # overwrite output from "daemon"
-        echo -n $"Starting ${prog}: "
+        # overwrite output from "daemon"
+        echo -n $"Starting ${prog}: "
     fi
 
     if [ ${rv} = 0 ] ; then
-- 
cgit
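Review bot: With `selinuxenabled` and `runcon -t ${PKI_SELINUX_TYPE} -r system_r` gone, start() no longer states or verifies the domain httpd is supposed to run in; the transition now rests entirely on the `_exec_t` label pkicreate puts on the instance entrypoint, and if that label is missing (older policy, restorecon never run, instance copied by hand) httpd would presumably start in whatever domain the init script itself has, without any error. At minimum the new `if` deserves a comment: `# SELinux: no runcon here — ${httpd} is the instance-named entrypoint labeled ${PKI_SELINUX_TYPE}_exec_t by pkicreate, so the kernel transitions into the confined domain on exec`. If `PKI_SELINUX_TYPE` is still set in this script, a warning after start when `/usr/sbin/selinuxenabled` succeeds and `ps -eZ` does not show that type would restore the guarantee the old code gave. `${ARCHITECTURE}` is still expanded unquoted in the test, a pre-existing issue worth fixing while the line is rewritten: `if [ "${ARCHITECTURE}" = "x86_64" ] ; then`. start() begins before this hunk and the assignment of `${httpd}` is not visible here.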