author | Rob Crittenden <rcritten@redhat.com> | 2009-08-24 13:42:48 -0400 |
committer | Rob Crittenden <rcritten@redhat.com> | 2009-08-26 09:51:19 -0400 |
commit | 08fc563212faeca9aa4dc9339acedcac3751ca5d (patch) | |
tree | 324c0c5ed15a24b0a8a2fd8ecaf153e561c51530 | |
parent | 7a7041045e127e0537bd5eb1592bf58c846bb64d (diff) | |
Generate CRLs and make them available from the IPA web server
-rw-r--r-- | install/conf/ipa.conf | 10 | ||||
-rw-r--r-- | ipa.spec.in | 8 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 46 | ||||
-rw-r--r-- | selinux/Makefile | 5 | ||||
-rw-r--r-- | selinux/ipa_httpd/ipa_httpd.te | 16 |
5 files changed, 81 insertions, 4 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 9656fdf3..5ca13d37 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -41,6 +41,9 @@ Alias /ipa/errors "/usr/share/ipa/html"
 # For the MIT Windows config files
 Alias /ipa/config "/usr/share/ipa/html"
 
+# For CRL publishing
+Alias /ipa/crl "/var/lib/pki-ca/publish"
+
 <Location "/ipa/xml">
   AuthType Kerberos
   AuthName "Kerberos Login"
@@ -72,6 +75,13 @@ Alias /ipa/config "/usr/share/ipa/html"
   Allow from all
 </Directory>
 
+<Directory "/var/lib/pki-ca/publish">
+  AllowOverride None
+  Options Indexes FollowSymLinks
+  Satisfy Any
+  Allow from all
+</Directory>
+
 # Protect our CGIs
 <Directory /var/www/cgi-bin>
   AuthType Kerberos
diff --git a/ipa.spec.in b/ipa.spec.in
index 32f3d999..cd38b05a 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -287,7 +287,7 @@ if [ -s /etc/selinux/config ]; then
 fi
 
 %post server-selinux
-semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp
+semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp
 . %{_sysconfdir}/selinux/config
 FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
 selinuxenabled
@@ -309,7 +309,7 @@ fi
 
 %postun server-selinux
 if [ $1 = 0 ]; then
-semodule -s targeted -r ipa_webgui ipa_kpasswd
+semodule -s targeted -r ipa_webgui ipa_kpasswd ipa_httpd
 . %{_sysconfdir}/selinux/config
 FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
 selinuxenabled
@@ -376,6 +376,7 @@ fi
 %files server-selinux
 %{_usr}/share/selinux/targeted/ipa_webgui.pp
 %{_usr}/share/selinux/targeted/ipa_kpasswd.pp
+%{_usr}/share/selinux/targeted/ipa_httpd.pp
 
 %files client
 %doc LICENSE README
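Review bot: The new `<Directory "/var/lib/pki-ca/publish">` block in the second hunk sets `Options Indexes FollowSymLinks`, and FollowSymLinks makes Apache follow any symlink placed in that directory, not only the latest-CRL link the CA is configured to create. If the CA writes both the link and its target as the same user (the directory is chowned to the CA user in cainstance.py, so that looks likely but should be confirmed), `Options Indexes SymLinksIfOwnerMatch` serves the same link while refusing to follow a link whose owner differs from its target. A comment stating why listing is enabled, e.g. `# CRLs are public: Indexes lets clients find the current CRL file, the symlink is the CA's latest-CRL link`, would also tell the next reader this exposure is intentional. The same literal path is hard-coded in cainstance.py; a comment pointing at that file would keep the two in sync.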
@@ -432,6 +433,9 @@ fi
 %endif
 
 %changelog
+* Mon Aug 24 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-7
+- Added httpd SELinux policy so CRLs can be read
+
 * Thu May 21 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-6
 - Move ipalib to ipa-python subpackage
 - Bump minimum version of slapi-nis to 0.15
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5ade4716..054ceaf2 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -409,6 +409,7 @@ class CAInstance(service.Service):
         self.step("adding RA agent as a trusted user", self.__configure_ra)
         self.step("fixing RA database permissions", self.fix_ra_perms)
         self.step("setting up signing cert profile", self.__setup_sign_profile)
+        self.step("set up CRL publishing", self.__enable_crl_publish)
         self.step("configuring certificate server to start on boot", self.__enable)
         self.step("restarting certificate server", self.__restart_instance)
 
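Review bot: The added step label `set up CRL publishing` breaks the gerund form every neighbouring step uses ("adding", "fixing", "setting up", "configuring", "restarting"), so the installer's progress output reads inconsistently at this one line. `self.step("setting up CRL publishing", self.__enable_crl_publish)` matches the others. The enclosing method starts outside the hunk.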
@@ -827,6 +828,51 @@ class CAInstance(service.Service):
         # Tell the profile to automatically issue certs for RAs
         installutils.set_directive('/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
 
+    def __enable_crl_publish(self):
+        """
+        Enable file-based CRL publishing and disable LDAP publishing.
+
+        http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html
+        """
+        caconfig = "/var/lib/pki-ca/conf/CS.cfg"
+
+        publishdir='/var/lib/pki-ca/publish'
+        os.mkdir(publishdir)
+        os.chmod(publishdir, 0755)
+        pent = pwd.getpwnam(self.pki_user)
+        os.chown(publishdir, pent.pw_uid, pent.pw_gid )
+
+
+        # Enable file publishing, disable LDAP
+        installutils.set_directive(caconfig, 'ca.publish.enable', 'true', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.ldappublish.enable', 'false', quotes=False, separator='=')
+
+        # Create the file publisher, der only, not b64
+        installutils.set_directive(caconfig, 'ca.publish.publisher.impl.FileBasedPublisher.class','com.netscape.cms.publish.publishers.FileBasedPublisher', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt', 'bin', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', publishdir, quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink', 'true', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName', 'FileBasedPublisher', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp', 'LocalTime', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs', 'false', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel', '9', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64', 'false', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der', 'true', quotes=False, separator='=')
+
+        # The publishing rule
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.enable', 'true', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.mapper', 'NoMap', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.pluginName', 'Rule', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.predicate=', '', quotes=False, separator='')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.publisher', 'FileBaseCRLPublisher', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.type', 'crl', quotes=False, separator='=')
+
+        # Now disable LDAP publishing
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapCaCertRule.enable', 'false', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapCrlRule.enable', 'false', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapUserCertRule.enable', 'false', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=')
+
     def uninstall(self):
         try:
             ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib",
diff --git a/selinux/Makefile b/selinux/Makefile
index a662d2fd..9c2ed091 100644
--- a/selinux/Makefile
+++ b/selinux/Makefile
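Review bot: `os.mkdir(publishdir)` near the top of `__enable_crl_publish` raises OSError (EEXIST) when `/var/lib/pki-ca/publish` already exists, so re-running the installer after a partial failure aborts the whole CA configuration at this step instead of re-applying the mode and ownership; `if not os.path.isdir(publishdir): os.mkdir(publishdir)` keeps the chmod/chown that follow idempotent. The `ca.publish.rule.instance.FileCrlRule.predicate=` call carries the `=` inside the key and passes `separator=''` to produce an empty-valued directive, which reads like a typo without a comment such as `# key includes '=' so the directive is written with an empty value`. The 0755 mode plus chown to `self.pki_user` makes the directory world-readable, which is fine for public CRLs, but it also means anything else the CA writes there becomes reachable through the /ipa/crl alias; the docstring should say that only CRLs are expected in this directory. `zipLevel` has no effect while `zipCRLs` is `false`, which the "der only" comment could mention.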
@@ -1,4 +1,4 @@
-SUBDIRS = ipa_webgui ipa_kpasswd
+SUBDIRS = ipa_webgui ipa_kpasswd ipa_httpd
 POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
 POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
 
@@ -23,6 +23,7 @@ install: all
 	install -d $(POLICY_DIR)
 	install -m 644 ipa_webgui/ipa_webgui.pp $(POLICY_DIR)
 	install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
+	install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
 
 load:
-	/usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp
+	/usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
new file mode 100644
index 00000000..a13ebc12
--- /dev/null
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -0,0 +1,16 @@
+module ipa_httpd 1.0;
+
+require {
+	type pki_ca_var_lib_t;
+	type httpd_t;
+	class lnk_file { read getattr };
+	class dir { read search open getattr };
+	class file { getattr read open execute };
+}
+
+# Let Apache read the directories within the certificate authority
+# so it can read the published CRLs.
+allow httpd_t pki_ca_var_lib_t:dir { read search open getattr };
+allow httpd_t pki_ca_var_lib_t:file { read getattr open };
+allow httpd_t pki_ca_var_lib_t:lnk_file { read getattr };
+
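Review bot: The three `allow httpd_t pki_ca_var_lib_t` rules in ipa_httpd.te grant Apache read access to everything labelled `pki_ca_var_lib_t`, not just the `publish` subdirectory the comment above them describes; if that type also covers the CA's configuration and key database elsewhere under /var/lib/pki-ca (worth verifying against the target policy's file contexts), a compromised httpd worker can read far more than CRLs. A narrower module would give `/var/lib/pki-ca/publish` its own type through a file context entry and allow `httpd_t` on that type alone, leaving the rest of the CA tree unreadable to Apache. The `require` block also declares `execute` on `class file` although no rule grants it; `class file { getattr read open };` keeps the declared permissions equal to the granted ones.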