From 5a04c625bfa441442265ce7ad234b08bed6be0f5 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Wed, 22 Feb 2012 22:48:52 -0500 Subject: Selinux changes to allow dogtag to start on f17. Addresses java_exec_t issue in BZ 795966 --- pki/base/selinux/src/pki.if | 240 +++++--------------------------------------- pki/base/selinux/src/pki.te | 196 +++++++++++++++++++++++++++++++++++- 2 files changed, 219 insertions(+), 217 deletions(-) (limited to 'pki') diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if index 317fb22b8..47e34e861 100644 --- a/pki/base/selinux/src/pki.if +++ b/pki/base/selinux/src/pki.if @@ -22,7 +22,6 @@ template(`pki_ca_template',` type rpm_var_lib_t; type rpm_exec_t; type setfiles_t; - type httpd_t; ') ######################################## # @@ -41,7 +40,7 @@ template(`pki_ca_template',` type initrc_t; ') domtrans_pattern($1_script_t, java_exec_t, $1_t) - unconfined_domain($1_script_t) + role system_r types $1_script_t; allow $1_t java_exec_t:file entrypoint; allow initrc_t $1_script_t:process transition; @@ -161,17 +160,13 @@ template(`pki_ca_template',` miscfiles_read_localization($1_t) + logging_send_syslog_msg($1_t) + ifdef(`targeted_policy',` term_dontaudit_use_unallocated_ttys($1_t) term_dontaudit_use_generic_ptys($1_t) ') - #This is broken in selinux-policy we need java_exec defined, Will add to policy - gen_require(` - type java_exec_t; - ') - can_exec($1_t, java_exec_t) - # allow java subsystems to talk to the ncipher hsm allow $1_t pki_common_dev_t:sock_file write; allow $1_t pki_common_dev_t:dir search; 
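Review bot: Swapping `unconfined_domain($1_script_t)` for `role system_r types $1_script_t;` in hunk @@ -41,7 +40,7 @@ confines the init-script domain only where the unconfined module is absent, because hunk @@ -181,25 +176,33 @@ re-adds `unconfined_domain($1_script_t)` inside `optional_policy(...)`, and on targeted policy that module is normally loaded, so in practice `$1_script_t` appears to stay unconfined. If confinement is the goal, the optional block should go and the script's real needs should be granted explicitly; if this is a staged migration, a comment beside the optional block should say so. The new `role` statement also needs `role system_r;` in the template's `gen_require` unless it is already there — that block starts outside this hunk, so I cannot tell. The template body continues outside the hunk.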
@@ -181,25 +176,33 @@ template(`pki_ca_template',` init_stream_connect_script($1_t) #allow java subsystems to talk to lunasa hsm - allow $1_t devlog_t:sock_file write; - allow $1_t self:unix_dgram_socket { write create connect }; - allow $1_t syslogd_t:unix_dgram_socket sendto; - #allow sending mail - corenet_tcp_connect_smtp_port($1_t) + #allow sending mail + corenet_tcp_connect_smtp_port($1_t) - # allow rpm -q in init scripts - rpm_exec($1_t) + # allow rpm -q in init scripts + rpm_exec($1_t) - # allow writing to the kernel keyring - allow $1_t self:key { write read }; + # allow writing to the kernel keyring + allow $1_t self:key { write read }; - #reverse proxy - corenet_tcp_connect_dogtag_port($1_t) + #reverse proxy + corenet_tcp_connect_dogtag_port($1_t) - #connect to ldap - corenet_tcp_connect_ldap_port($1_t) + #connect to ldap + corenet_tcp_connect_ldap_port($1_t) + optional_policy(` + #This is broken in selinux-policy we need java_exec defined, Will add to policy + gen_require(` + type java_exec_t; + ') + can_exec($1_t, java_exec_t) + ') + + optional_policy(` + unconfined_domain($1_script_t) + ') ') ######################################## 
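Review bot: The new `optional_policy` block holding a `gen_require` for `java_exec_t` and `can_exec($1_t, java_exec_t)` does not let the template tolerate a missing `java_exec_t`, because `domtrans_pattern($1_script_t, java_exec_t, $1_t)` and `allow $1_t java_exec_t:file entrypoint;` in hunk @@ -41,7 +40,7 @@ still reference it unconditionally; either every `java_exec_t` rule moves into the optional block, or the block and the stale `#This is broken in selinux-policy ...` comment are dropped and `java_exec_t` is required once in the template's main `gen_require`. The context line `#allow java subsystems to talk to lunasa hsm` survives while the devlog/syslogd rules under it are deleted, so it now sits above `#allow sending mail` and describes nothing; delete it or move it next to the `logging_send_syslog_msg($1_t)` added in the previous hunk. The template body begins and ends outside this hunk.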
@@ -472,106 +475,6 @@ template(`pki_tps_template',` allow httpd_t $1_var_run_t:dir search; allow httpd_t $1_var_run_t:file read_file_perms; - # start up httpd in pki_tps_t mode - allow pki_tps_t httpd_config_t:file { read getattr execute }; - allow pki_tps_t httpd_exec_t:file entrypoint; - allow pki_tps_t httpd_modules_t:lnk_file read; - allow pki_tps_t httpd_suexec_exec_t:file { getattr read execute }; - - # apache permissions - apache_exec_modules(pki_tps_t) - apache_list_modules(pki_tps_t) - apache_read_config(pki_tps_t) - - allow pki_tps_t lib_t:file execute_no_trans; - - #fowner needed for chmod - allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill}; - allow pki_tps_t self:process { setsched signal getsched signull execstack execmem sigkill}; - allow pki_tps_t self:sem all_sem_perms; - allow pki_tps_t self:tcp_socket create_stream_socket_perms; - - # used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment - allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans}; - - #netlink needed? 
- allow pki_tps_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; - - corecmd_exec_bin(pki_tps_t) - corecmd_exec_shell(pki_tps_t) - corecmd_read_bin_symlinks(pki_tps_t) - corecmd_search_bin(pki_tps_t) - - corenet_sendrecv_unlabeled_packets(pki_tps_t) - corenet_tcp_bind_all_nodes(pki_tps_t) - corenet_tcp_bind_pki_tps_port(pki_tps_t) - corenet_tcp_connect_generic_port(pki_tps_t) - - # customer may run an ldap server on 389 - corenet_tcp_connect_ldap_port(pki_tps_t) - - # connect to other subsystems - corenet_tcp_connect_pki_ca_port(pki_tps_t) - corenet_tcp_connect_pki_kra_port(pki_tps_t) - corenet_tcp_connect_pki_tks_port(pki_tps_t) - - corenet_tcp_sendrecv_all_if(pki_tps_t) - corenet_tcp_sendrecv_all_nodes(pki_tps_t) - corenet_tcp_sendrecv_all_ports(pki_tps_t) - corenet_all_recvfrom_unlabeled(pki_tps_t) - - dev_read_urand(pki_tps_t) - files_exec_usr_files(pki_tps_t) - files_read_usr_symlinks(pki_tps_t) - files_read_usr_files(pki_tps_t) - - #installation and debug uses /tmp - files_manage_generic_tmp_dirs(pki_tps_t) - files_manage_generic_tmp_files(pki_tps_t) - - kernel_read_kernel_sysctls(pki_tps_t) - kernel_read_system_state(pki_tps_t) - - # need to resolve addresses? - auth_use_nsswitch(pki_tps_t) - - sysnet_read_config(pki_tps_t) - - allow httpd_t pki_tps_etc_rw_t:dir search; - allow httpd_t pki_tps_etc_rw_t:file rw_file_perms; - allow httpd_t pki_tps_log_t:dir rw_dir_perms; - allow httpd_t pki_tps_log_t:file manage_file_perms; - allow httpd_t pki_tps_t:process { signal signull }; - allow httpd_t pki_tps_var_lib_t:dir { getattr search }; - allow httpd_t pki_tps_var_lib_t:lnk_file read; - allow httpd_t pki_tps_var_lib_t:file read_file_perms; - - # why do I need to add this? 
- allow httpd_t httpd_config_t:file execute; - files_exec_usr_files(httpd_t) - - # talk to the hsm - allow pki_tps_t pki_common_dev_t:sock_file write; - allow pki_tps_t pki_common_dev_t:dir search; - allow pki_tps_t pki_common_t:dir create_dir_perms; - manage_files_pattern(pki_tps_t, pki_common_t, pki_common_t) - can_exec(pki_tps_t, pki_common_t) - init_stream_connect_script(pki_tps_t) - - #allow tps to talk to lunasa hsm - allow pki_tps_t devlog_t:sock_file write; - allow pki_tps_t self:unix_dgram_socket { write create connect }; - allow pki_tps_t syslogd_t:unix_dgram_socket sendto; - - # allow rpm -q in init scripts - rpm_exec(pki_tps_t) - - # allow writing to the kernel keyring - allow pki_tps_t self:key { write read }; - - # new for f14 - apache_exec(pki_tps_t) - ') template(`pki_ra_template',` 
@@ -659,101 +562,6 @@ template(`pki_ra_template',` #============= httpd_t ============== allow httpd_t $1_var_run_t:dir search; allow httpd_t $1_var_run_t:file read_file_perms; - - # start up httpd in pki_ra_t mode - allow pki_ra_t httpd_config_t:file { read getattr execute }; - allow pki_ra_t httpd_exec_t:file entrypoint; - allow pki_ra_t httpd_modules_t:lnk_file read; - allow pki_ra_t httpd_suexec_exec_t:file { getattr read execute }; - - #apache permissions - apache_read_config(pki_ra_t) - apache_exec_modules(pki_ra_t) - apache_list_modules(pki_ra_t) - - allow pki_ra_t lib_t:file execute_no_trans; - - allow pki_ra_t self:capability { setuid sys_nice setgid dac_override fowner fsetid}; - allow pki_ra_t self:process { setsched getsched signal signull execstack execmem}; - allow pki_ra_t self:sem all_sem_perms; - allow pki_ra_t self:tcp_socket create_stream_socket_perms; - - #RA specific? talking to mysql? - allow pki_ra_t self:udp_socket { write read create connect }; - allow pki_ra_t self:unix_dgram_socket { write create connect }; - - # netlink needed? 
- allow pki_ra_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; - - corecmd_exec_bin(pki_ra_t) - corecmd_exec_shell(pki_ra_t) - corecmd_read_bin_symlinks(pki_ra_t) - corecmd_search_bin(pki_ra_t) - - corenet_sendrecv_unlabeled_packets(pki_ra_t) - corenet_tcp_bind_all_nodes(pki_ra_t) - corenet_tcp_bind_pki_ra_port(pki_ra_t) - - corenet_tcp_sendrecv_all_if(pki_ra_t) - corenet_tcp_sendrecv_all_nodes(pki_ra_t) - corenet_tcp_sendrecv_all_ports(pki_ra_t) - corenet_all_recvfrom_unlabeled(pki_ra_t) - corenet_tcp_connect_generic_port(pki_ra_t) - - # talk to other subsystems - corenet_tcp_connect_pki_ca_port(pki_ra_t) - - dev_read_urand(pki_ra_t) - files_exec_usr_files(pki_ra_t) - fs_getattr_xattr_fs(pki_ra_t) - - # ra writes files to /tmp - files_manage_generic_tmp_files(pki_ra_t) - - kernel_read_kernel_sysctls(pki_ra_t) - kernel_read_system_state(pki_ra_t) - - #send mail, sendmail writes to devlog, syslog - allow pki_ra_t mqueue_spool_t:file { write getattr read lock create unlink }; - allow pki_ra_t devlog_t:sock_file write; - allow pki_ra_t syslogd_t:unix_dgram_socket sendto; - corenet_tcp_connect_smtp_port(pki_ra_t) - files_search_spool(pki_ra_t) - mta_manage_queue(pki_ra_t) - mta_read_config(pki_ra_t) - mta_sendmail_exec(pki_ra_t) - - #resolve names? 
- auth_use_nsswitch(pki_ra_t) - - sysnet_read_config(pki_ra_t) - - allow httpd_t pki_ra_etc_rw_t:dir search; - allow httpd_t pki_ra_etc_rw_t:file rw_file_perms; - allow httpd_t pki_ra_log_t:dir rw_dir_perms; - allow httpd_t pki_ra_log_t:file manage_file_perms; - allow httpd_t pki_ra_t:process { signal signull }; - allow httpd_t pki_ra_var_lib_t:dir { getattr search }; - allow httpd_t pki_ra_var_lib_t:lnk_file read; - allow httpd_t pki_ra_var_lib_t:file read_file_perms; - - # talk to the hsm - allow pki_ra_t pki_common_dev_t:sock_file write; - allow pki_ra_t pki_common_dev_t:dir search; - allow pki_ra_t pki_common_t:dir create_dir_perms; - manage_files_pattern(pki_ra_t, pki_common_t, pki_common_t) - can_exec(pki_ra_t, pki_common_t) - init_stream_connect_script(pki_ra_t) - - # allow rpm -q in init scripts - rpm_exec(pki_ra_t) - - # allow writing to the kernel keyring - allow pki_ra_t self:key { write read }; - - # new for f14 - apache_exec(pki_ra_t) - ') ######################################## diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te index 3d9a04832..f506553ee 100644 --- a/pki/base/selinux/src/pki.te +++ b/pki/base/selinux/src/pki.te @@ -1,4 +1,4 @@ -policy_module(pki,1.0.26) +policy_module(pki,10.0.1) attribute pki_ca_config; attribute pki_ca_executable; 
@@ -136,3 +136,197 @@ allow pki_tks_t pki_ocsp_t:process signull; #allow httpd_t pki_tks_tomcat_exec_t:process signull; #allow httpd_t pki_tks_var_lib_t:process signull; +# start up httpd in pki_tps_t mode +can_exec(pki_tps_t, httpd_config_t) +allow pki_tps_t httpd_exec_t:file entrypoint; +allow pki_tps_t httpd_modules_t:lnk_file read; +can_exec(pki_tps_t, httpd_suexec_exec_t) + +# apache permissions +apache_exec_modules(pki_tps_t) +apache_list_modules(pki_tps_t) +apache_read_config(pki_tps_t) + +allow pki_tps_t lib_t:file execute_no_trans; + +#fowner needed for chmod +allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill}; +allow pki_tps_t self:process { setsched signal getsched signull execstack execmem sigkill}; +allow pki_tps_t self:sem all_sem_perms; +allow pki_tps_t self:tcp_socket create_stream_socket_perms; + +# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment +allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans}; + + #netlink needed? 
+allow pki_tps_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+
+corecmd_exec_bin(pki_tps_t)
+corecmd_exec_shell(pki_tps_t)
+corecmd_read_bin_symlinks(pki_tps_t)
+corecmd_search_bin(pki_tps_t)
+
+corenet_sendrecv_unlabeled_packets(pki_tps_t)
+corenet_tcp_bind_all_nodes(pki_tps_t)
+corenet_tcp_bind_pki_tps_port(pki_tps_t)
+corenet_tcp_connect_generic_port(pki_tps_t)
+
+# customer may run an ldap server on 389
+corenet_tcp_connect_ldap_port(pki_tps_t)
+
+# connect to other subsystems
+corenet_tcp_connect_pki_ca_port(pki_tps_t)
+corenet_tcp_connect_pki_kra_port(pki_tps_t)
+corenet_tcp_connect_pki_tks_port(pki_tps_t)
+
+corenet_tcp_sendrecv_all_if(pki_tps_t)
+corenet_tcp_sendrecv_all_nodes(pki_tps_t)
+corenet_tcp_sendrecv_all_ports(pki_tps_t)
+corenet_all_recvfrom_unlabeled(pki_tps_t)
+
+dev_read_urand(pki_tps_t)
+files_exec_usr_files(pki_tps_t)
+files_read_usr_symlinks(pki_tps_t)
+files_read_usr_files(pki_tps_t)
+
+#installation and debug uses /tmp
+files_manage_generic_tmp_dirs(pki_tps_t)
+files_manage_generic_tmp_files(pki_tps_t)
+
+kernel_read_kernel_sysctls(pki_tps_t)
+kernel_read_system_state(pki_tps_t)
+
+# need to resolve addresses?
+auth_use_nsswitch(pki_tps_t)
+
+sysnet_read_config(pki_tps_t)
+
+allow httpd_t pki_tps_etc_rw_t:dir search;
+allow httpd_t pki_tps_etc_rw_t:file rw_file_perms;
+allow httpd_t pki_tps_log_t:dir rw_dir_perms;
+allow httpd_t pki_tps_log_t:file manage_file_perms;
+allow httpd_t pki_tps_t:process { signal signull };
+allow httpd_t pki_tps_var_lib_t:dir { getattr search };
+allow httpd_t pki_tps_var_lib_t:lnk_file read;
+allow httpd_t pki_tps_var_lib_t:file read_file_perms;
+
+# why do I need to add this?
+allow httpd_t httpd_config_t:file execute;
+files_exec_usr_files(httpd_t)
+
+# talk to the hsm
+allow pki_tps_t pki_common_dev_t:sock_file write;
+allow pki_tps_t pki_common_dev_t:dir search;
+allow pki_tps_t pki_common_t:dir create_dir_perms;
+manage_files_pattern(pki_tps_t, pki_common_t, pki_common_t)
+can_exec(pki_tps_t, pki_common_t)
+init_stream_connect_script(pki_tps_t)
+
+#allow tps to talk to lunasa hsm
+logging_send_syslog_msg(pki_tps_t)
+
+# allow rpm -q in init scripts
+rpm_exec(pki_tps_t)
+
+# allow writing to the kernel keyring
+allow pki_tps_t self:key { write read };
+
+# new for f14
+apache_exec(pki_tps_t)
+
+ # start up httpd in pki_ra_t mode
+allow pki_ra_t httpd_config_t:file { read getattr execute };
+allow pki_ra_t httpd_exec_t:file entrypoint;
+allow pki_ra_t httpd_modules_t:lnk_file read;
+allow pki_ra_t httpd_suexec_exec_t:file { getattr read execute };
+
+#apache permissions
+apache_read_config(pki_ra_t)
+apache_exec_modules(pki_ra_t)
+apache_list_modules(pki_ra_t)
+
+allow pki_ra_t lib_t:file execute_no_trans;
+
+allow pki_ra_t self:capability { setuid sys_nice setgid dac_override fowner fsetid};
+allow pki_ra_t self:process { setsched getsched signal signull execstack execmem};
+allow pki_ra_t self:sem all_sem_perms;
+allow pki_ra_t self:tcp_socket create_stream_socket_perms;
+
+#RA specific? talking to mysql?
+allow pki_ra_t self:udp_socket { write read create connect };
+allow pki_ra_t self:unix_dgram_socket { write create connect };
+
+# netlink needed?
+allow pki_ra_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+
+corecmd_exec_bin(pki_ra_t)
+corecmd_exec_shell(pki_ra_t)
+corecmd_read_bin_symlinks(pki_ra_t)
+corecmd_search_bin(pki_ra_t)
+
+corenet_sendrecv_unlabeled_packets(pki_ra_t)
+corenet_tcp_bind_all_nodes(pki_ra_t)
+corenet_tcp_bind_pki_ra_port(pki_ra_t)
+
+corenet_tcp_sendrecv_all_if(pki_ra_t)
+corenet_tcp_sendrecv_all_nodes(pki_ra_t)
+corenet_tcp_sendrecv_all_ports(pki_ra_t)
+corenet_all_recvfrom_unlabeled(pki_ra_t)
+corenet_tcp_connect_generic_port(pki_ra_t)
+
+# talk to other subsystems
+corenet_tcp_connect_pki_ca_port(pki_ra_t)
+
+dev_read_urand(pki_ra_t)
+files_exec_usr_files(pki_ra_t)
+fs_getattr_xattr_fs(pki_ra_t)
+
+# ra writes files to /tmp
+files_manage_generic_tmp_files(pki_ra_t)
+
+kernel_read_kernel_sysctls(pki_ra_t)
+kernel_read_system_state(pki_ra_t)
+
+logging_send_syslog_msg(pki_ra_t)
+
+corenet_tcp_connect_smtp_port(pki_ra_t)
+files_search_spool(pki_ra_t)
+
+#
+# Should be changed to mta_send_mail
+#
+mta_manage_spool(pki_ra_t)
+mta_manage_queue(pki_ra_t)
+mta_read_config(pki_ra_t)
+mta_sendmail_exec(pki_ra_t)
+
+#resolve names?
+auth_use_nsswitch(pki_ra_t)
+
+sysnet_read_config(pki_ra_t)
+
+allow httpd_t pki_ra_etc_rw_t:dir search;
+allow httpd_t pki_ra_etc_rw_t:file rw_file_perms;
+allow httpd_t pki_ra_log_t:dir rw_dir_perms;
+allow httpd_t pki_ra_log_t:file manage_file_perms;
+allow httpd_t pki_ra_t:process { signal signull };
+allow httpd_t pki_ra_var_lib_t:dir { getattr search };
+allow httpd_t pki_ra_var_lib_t:lnk_file read;
+allow httpd_t pki_ra_var_lib_t:file read_file_perms;
+
+# talk to the hsm
+allow pki_ra_t pki_common_dev_t:sock_file write;
+allow pki_ra_t pki_common_dev_t:dir search;
+allow pki_ra_t pki_common_t:dir create_dir_perms;
+manage_files_pattern(pki_ra_t, pki_common_t, pki_common_t)
+can_exec(pki_ra_t, pki_common_t)
+init_stream_connect_script(pki_ra_t)
+
+# allow rpm -q in init scripts
+rpm_exec(pki_ra_t)
+
+# allow writing to the kernel keyring
+allow pki_ra_t self:key { write read };
+
+# new for f14
+apache_exec(pki_ra_t)
-- cgit
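Review bot: `allow httpd_t httpd_config_t:file execute;` and `files_exec_usr_files(httpd_t)` (under `# why do I need to add this?`) extend the system-wide `httpd_t` domain rather than a pki domain, so every Apache process on the host appears to gain execute on its own config files and on /usr files — a widening the comment itself cannot justify. Record the AVC denial that motivated each rule in the comment, or drop the rules and re-test TPS/RA start-up; the same applies to the `#netlink needed?` and `# netlink needed?` rules for `pki_tps_t` and `pki_ra_t`. Style: the TPS block was converted to `can_exec(pki_tps_t, httpd_config_t)` and `can_exec(pki_tps_t, httpd_suexec_exec_t)`, but the RA block keeps the raw `allow pki_ra_t httpd_config_t:file { read getattr execute };` and `allow pki_ra_t httpd_suexec_exec_t:file { getattr read execute };` — use `can_exec` in both. The `# Should be changed to mta_send_mail` comment is a TODO with no reason attached; either make the change here or state what blocks it.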