authorNathan Kinder <nkinder@redhat.com>2009-09-09 09:59:07 -0700
committerNathan Kinder <nkinder@redhat.com>2009-09-09 09:59:07 -0700
commit39869a77cbeb1967acfa1354092c81d05dd79be7 (patch)
treedc4cc882f80cd3d5bb7344af4d0703d0665316f3 /ldap/admin
parent01b9f5e3b023ef19608bb017560adcca13271e1f (diff)
downloadds-39869a77cbeb1967acfa1354092c81d05dd79be7.tar.gz
ds-39869a77cbeb1967acfa1354092c81d05dd79be7.tar.xz
ds-39869a77cbeb1967acfa1354092c81d05dd79be7.zip
Add selinux policy for ns-slapd
This adds a "dirsrv" selinux policy module to confine the ns-slapd daemon. The setup and migration perl modules were changed to take care of any relabeling of installed files if selinux support was compiled in. The build system now takes a "--with-selinux" option that will compile the dirsrv policy module and enable any selinux specific setup code. To use the dirsrv policy module, the module will need to be loaded using the semodule utility. It is also necessary to relabel the installed files using restorecon after performing a make install. All of this is taken care of in the spec file when an RPM package is used.
Diffstat (limited to 'ldap/admin')
-rw-r--r--ldap/admin/src/scripts/DSCreate.pm.in62
-rw-r--r--ldap/admin/src/scripts/DSMigration.pm.in3
-rw-r--r--ldap/admin/src/scripts/Util.pm.in49
-rw-r--r--ldap/admin/src/scripts/setup-ds.res.in1
4 files changed, 111 insertions, 4 deletions
diff --git a/ldap/admin/src/scripts/DSCreate.pm.in b/ldap/admin/src/scripts/DSCreate.pm.in
index d33f13af..15302b9c 100644
--- a/ldap/admin/src/scripts/DSCreate.pm.in
+++ b/ldap/admin/src/scripts/DSCreate.pm.in
@@ -888,6 +888,41 @@ sub setDefaults {
return ();
}
+sub updateSelinuxPolicy {
+ my $inf = shift;
+
+ # if selinux is not available, do nothing
+ if ("@with_selinux@") {
+ # run restorecon on all directories we created
+ for (qw(inst_dir config_dir schema_dir log_dir lock_dir run_dir tmp_dir
+ cert_dir db_dir ldif_dir bak_dir)) {
+ my $dir = $inf->{slapd}->{$_};
+ system("restorecon -R $dir");
+ }
+
+ # label the selected port as ldap_port_t
+ if ($inf->{slapd}->{ServerPort} != 0) {
+ my $need_label = 1;
+
+ # check if the port is already labeled properly
+ my $portline = `semanage port -l | grep ldap_port_t | grep tcp`;
+ chomp($portline);
+ $portline =~ s/ldap_port_t\s+tcp\s+//g;
+ my @labeledports = split(/,\s+/, $portline);
+ foreach my $labeledport (@labeledports) {
+ if ($inf->{slapd}->{ServerPort} == $labeledport) {
+ $need_label = 0;
+ last;
+ }
+ }
+
+ if ($need_label == 1) {
+ system("semanage port -a -t ldap_port_t -p tcp $inf->{slapd}->{ServerPort}");
+ }
+ }
+ }
+}
+
sub createDSInstance {
my $inf = shift;
my @errs;
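Review bot: Both shell invocations in updateSelinuxPolicy interpolate configuration values into a single shell string — `system("restorecon -R $dir")` in the directory loop and `system("semanage port -a -t ldap_port_t -p tcp $inf->{slapd}->{ServerPort}")` — so a directory path containing whitespace or shell metacharacters is split or reinterpreted by the shell; the list form avoids the shell entirely: `system('restorecon', '-R', $dir);` and `system('semanage', 'port', '-a', '-t', 'ldap_port_t', '-p', 'tcp', $inf->{slapd}->{ServerPort});`. The return values of both system() calls and of the `semanage port -l` backtick pipeline are never checked, so a relabeling failure is silent and createDSInstance (next hunk) proceeds to startServer; consider returning a list of errors in the same `@errs` convention the neighbouring subs use and having the callers push them. The same interpolation pattern appears in the removeDSInstance hunk below, where the port values come from the instance's config entry. `"@with_selinux@"` is a build-time substitution, so a one-line comment such as `# @with_selinux@ is replaced by configure; empty when built without --with-selinux` would make the truth test readable.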
@@ -924,6 +959,8 @@ sub createDSInstance {
return @errs;
}
+ updateSelinuxPolicy($inf);
+
if (@errs = startServer($inf)) {
return @errs;
}
@@ -1048,6 +1085,31 @@ sub removeDSInstance {
# Finally, config dir
push @errs, remove_tree($entry, "nsslapd-schemadir", $instname, 1, "\.db\$");
+ # remove the selinux label from the ports if needed
+ if ("@with_selinux@") {
+ foreach my $port (@{$entry->{"nsslapd-port"}})
+ {
+ my $semanage_err = `semanage port -d -t ldap_port_t -p tcp $port 2>&1`;
+ if ($? != 0) {
+ if ($semanage_err !~ /defined in policy, cannot be deleted/) {
+ push @errs, [ 'error_removing_port_label', $port, $semanage_err];
+ debug(1, "Warning: Port $port not removed from selinux policy correctly. Error: $semanage_err\n");
+ }
+ }
+ }
+
+ foreach my $secureport (@{$entry->{"nsslapd-secureport"}})
+ {
+ my $semanage_err = `semanage port -d -t ldap_port_t -p tcp $secureport 2>&1`;
+ if ($? != 0) {
+ if ($semanage_err !~ /defined in policy, cannot be deleted/) {
+ push @errs, [ 'error_removing_port_label', $secureport, $semanage_err];
+ debug(1, "Warning: Port $secureport not removed from selinux policy correctly. Error: $semanage_err\n");
+ }
+ }
+ }
+ }
+
# if we got here, report success
if (@errs) {
debug(1, "Could not successfully remove $instname\n");
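Review bot: The two foreach loops over `nsslapd-port` and `nsslapd-secureport` are byte-identical apart from the variable name, and any future fix (for example handling a missing semanage binary) would have to be applied twice; iterate both attribute lists in one loop: `foreach my $port (@{$entry->{"nsslapd-port"}}, @{$entry->{"nsslapd-secureport"}})`. Since backticks have no list form, the port value read from the config entry should be checked before it is interpolated into the command, e.g. `next unless $port =~ /\A\d+\z/;`, with a non-numeric value reported via the same `error_removing_port_label` entry. removeDSInstance starts and ends outside this hunk, and the `@{...}` dereferences assume both attributes are array references — worth confirming against how `$entry` is built.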
diff --git a/ldap/admin/src/scripts/DSMigration.pm.in b/ldap/admin/src/scripts/DSMigration.pm.in
index 69e12882..c661d2c1 100644
--- a/ldap/admin/src/scripts/DSMigration.pm.in
+++ b/ldap/admin/src/scripts/DSMigration.pm.in
@@ -1141,6 +1141,9 @@ sub migrateDS {
return 0;
}
+ # ensure any selinux relabeling gets done if needed
+ DSCreate::updateSelinuxPolicy($inf);
+
# finally, start the server
if ($mig->{start_servers}) {
$inf->{slapd}->{start_server} = 1;
diff --git a/ldap/admin/src/scripts/Util.pm.in b/ldap/admin/src/scripts/Util.pm.in
index e90f3c10..6d54648f 100644
--- a/ldap/admin/src/scripts/Util.pm.in
+++ b/ldap/admin/src/scripts/Util.pm.in
@@ -917,11 +917,52 @@ sub remove_tree
sub remove_pidfile
{
my ($type, $instdir, $instname) = @_;
+ my $serv_id;
+ my $run_dir;
+ my $product_name;
+ my $pidfile;
+
+ # Get the serv_id from the start-slapd script.
+ unless(open(INFILE,"$instdir/start-slapd")) {
+ print("Cannot open start-slapd file for reading "); return 0;
+ }
+ while(<INFILE>) {
+ if (/start-dirsrv /g) {
+ my @servline=split(/start-dirsrv /, );
+ @servline=split(/\s+/, $servline[1]);
+ $serv_id=$servline[0];
+ }
+ }
+ close(INFILE);
+
+ # Get the run_dir and product_name from the instance initconfig script.
+ unless(open(INFILE,"@initconfigdir@/@package_name@-$serv_id")) {
+ print("Couldn't open @initconfigdir@/@package_name@-$serv_id "); return 0;
+ }
+ while(<INFILE>) {
+ if (/RUN_DIR=/g) {
+ my @rundir_line=split(/RUN_DIR=+/, );
+ @rundir_line=split(/;/, $rundir_line[1]);
+ $run_dir = $rundir_line[0];
+ chop($run_dir);
+ } elsif (/PRODUCT_NAME=/g) {
+ my @product_line=split(/PRODUCT_NAME=+/, );
+ @product_line=split(/;/, $product_line[1]);
+ $product_name = $product_line[0];
+ chop($product_name);
+ }
+ }
+ close(INFILE);
+
+ # Construct the pidfile name as follows:
+ # PIDFILE=$RUN_DIR/$PRODUCT_NAME-$SERV_ID.pid
+ # STARTPIDFILE=$RUN_DIR/$PRODUCT_NAME-$SERV_ID.startpid
+ if ($type eq "PIDFILE") {
+ $pidfile = $run_dir . "/" . $product_name . "-" . $serv_id . ".pid";
+ } elsif ($type eq "STARTPIDFILE") {
+ $pidfile = $run_dir . "/" . $product_name . "-" . $serv_id . ".startpid";
+ }
- my $pattern = "^" . $type . ".*=";
- my $pidline = `grep $pattern $instdir/start-slapd`;
- chomp($pidline);
- my ($key, $pidfile) = split(/=/, $pidline);
if ( -e $pidfile && $pidfile =~ /$instname/ )
{
unlink($pidfile);
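Review bot: Both new opens in remove_pidfile use the two-argument form with a bareword handle (`open(INFILE,"$instdir/start-slapd")` and `open(INFILE,"@initconfigdir@/@package_name@-$serv_id")`), so the mode is taken from the path string itself; a three-argument open with a lexical handle fixes the mode to read-only and avoids the global INFILE being reused between the two loops. Nothing guards the case where no `start-dirsrv` line or no RUN_DIR/PRODUCT_NAME line matches: `$serv_id` stays undef and the second path degenerates to `@initconfigdir@/@package_name@-`, and a `$type` other than PIDFILE/STARTPIDFILE leaves `$pidfile` undef before the `-e $pidfile` test, so an early `return 0 unless defined ...` after each stage is needed. The `/g` modifier on the three match expressions has no effect in this scalar-context `if` and can be dropped; the `chop` after the `;` split presumably strips a quote or newline from the value — a comment saying which would help. remove_pidfile continues past the end of this hunk.
```perl
    # Get the serv_id from the start-slapd script.
    open(my $startfh, '<', "$instdir/start-slapd") or do {
        print("Cannot open start-slapd file for reading "); return 0;
    };
    while (<$startfh>) {
        # … unchanged: serv_id extraction from the start-dirsrv line …
    }
    close($startfh);
    return 0 unless defined $serv_id;

    # Get the run_dir and product_name from the instance initconfig script.
    open(my $initfh, '<', "@initconfigdir@/@package_name@-$serv_id") or do {
        print("Couldn't open @initconfigdir@/@package_name@-$serv_id "); return 0;
    };
    while (<$initfh>) {
        # … unchanged: RUN_DIR / PRODUCT_NAME extraction …
    }
    close($initfh);
    return 0 unless defined $run_dir && defined $product_name;

    # … unchanged: pidfile name construction …
    return 0 unless defined $pidfile;
```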
diff --git a/ldap/admin/src/scripts/setup-ds.res.in b/ldap/admin/src/scripts/setup-ds.res.in
index 6502951c..53269631 100644
--- a/ldap/admin/src/scripts/setup-ds.res.in
+++ b/ldap/admin/src/scripts/setup-ds.res.in
@@ -135,3 +135,4 @@ error_creating_templdif = Could not create temporary LDIF file. Error: %s\n
error_no_such_instance = Error: could not find directory server configuration directory '%s'. Error: %s\n
error_finding_config_entry = Error: could not find the config entry '%s' in '%s'. Error: %s\n
error_removing_path = Error: could not remove path '%s'. Error: %s\n
+error_removing_port_label = Error: could not remove selinux label from port '%s'. Error: %s\n