-rw-r--r-- | Makefile.am | 23 | ||||
-rw-r--r-- | Makefile.in | 74 | ||||
-rwxr-xr-x | configure | 125 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | ldap/admin/src/scripts/DSCreate.pm.in | 62 | ||||
-rw-r--r-- | ldap/admin/src/scripts/DSMigration.pm.in | 3 | ||||
-rw-r--r-- | ldap/admin/src/scripts/Util.pm.in | 49 | ||||
-rw-r--r-- | ldap/admin/src/scripts/setup-ds.res.in | 1 | ||||
-rw-r--r-- | m4/selinux.m4 | 34 | ||||
-rw-r--r-- | selinux/Makefile | 17 | ||||
-rw-r--r-- | selinux/dirsrv.fc.in | 22 | ||||
-rw-r--r-- | selinux/dirsrv.if | 23 | ||||
-rw-r--r-- | selinux/dirsrv.te | 127 |
13 files changed, 512 insertions, 50 deletions
diff --git a/Makefile.am b/Makefile.am index ac7ab276..665b1f4f 100644 --- a/Makefile.am +++ b/Makefile.am @@ -94,9 +94,23 @@ CLEANFILES = dberrstrs.h ns-slapd.properties \ ldap/ldif/template-orgunit.ldif ldap/ldif/template-pampta.ldif ldap/ldif/template-sasl.ldif \ ldap/ldif/template-state.ldif ldap/ldif/template-suffix-db.ldif +clean-local: + -rm -rf selinux-built + dberrstrs.h: Makefile perl $(srcdir)/ldap/servers/slapd/mkDBErrStrs.pl -i @db_incdir@ -o . +selinux-built: + cp -r $(srcdir)/selinux $@ + +selinux-built/dirsrv.fc: selinux-built + $(fixupcmd) selinux-built/dirsrv.fc.in > $@ + +selinux-built/dirsrv.pp: selinux-built/dirsrv.fc + cd selinux-built && $(MAKE) + + + #------------------------ # Install Paths #------------------------ @@ -113,6 +127,7 @@ instconfigdir = @instconfigdir@ perldir = $(libdir)@perldir@ infdir = $(datadir)@infdir@ mibdir = $(datadir)@mibdir@ +policydir = $(datadir)/selinux/targeted defaultuser=@defaultuser@ defaultgroup=@defaultgroup@ @@ -150,6 +165,10 @@ else enable_presence = off endif +if SELINUX +POLICY_MODULE = selinux-built/dirsrv.pp +endif + serverplugin_LTLIBRARIES = libacl-plugin.la libattr-unique-plugin.la \ libback-ldbm.la libchainingdb-plugin.la libcollation-plugin.la \ libcos-plugin.la libderef-plugin.la libdes-plugin.la libdistrib-plugin.la \ @@ -170,6 +189,8 @@ noinst_LIBRARIES = libavl.a libldaputil.a #------------------------ # Installed Files #------------------------ +policy_DATA = $(POLICY_MODULE) + config_DATA = $(srcdir)/lib/ldaputil/certmap.conf \ $(srcdir)/ldap/schema/slapd-collations.conf \ ldap/admin/src/template-initconfig @@ -1226,6 +1247,7 @@ fixupcmd = sed \ -e 's,@defaultuser\@,$(defaultuser),g' \ -e 's,@defaultgroup\@,$(defaultgroup),g' \ -e 's,@with_fhs_opt\@,@with_fhs_opt@,g' \ + -e 's,@with_selinux\@,@with_selinux@,g' \ -e 's,@perlexec\@,@perlexec@,g' \ -e 's,@initconfigdir\@,$(initconfigdir),g' else 
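Review bot: `selinux-built/dirsrv.fc: selinux-built` uses the copied directory as a normal prerequisite, so every file the sub-make writes into `selinux-built/` bumps the directory mtime and re-triggers the `.fc` → `.pp` chain on the next run, while `selinux-built/dirsrv.pp` lists only `dirsrv.fc`, so later edits to `selinux/dirsrv.te` or `selinux/dirsrv.if` in the source tree never rebuild the module (the `cp -r` copy is made once). Depend on the real sources, make the directory an order-only prerequisite, and refresh the copied `.te`/`.if` before the sub-make runs; the same three rules are mirrored in the generated Makefile.in and would need regenerating. Order-only prerequisites are a GNU make feature, which this tree appears to rely on already given `$(MAKE)` recursion, but it is worth a one-line comment above the rule.
```make
selinux-built/dirsrv.fc: $(srcdir)/selinux/dirsrv.fc.in | selinux-built
	$(fixupcmd) $< > $@

selinux-built/dirsrv.pp: selinux-built/dirsrv.fc $(srcdir)/selinux/dirsrv.te $(srcdir)/selinux/dirsrv.if
	cp $(srcdir)/selinux/dirsrv.te $(srcdir)/selinux/dirsrv.if selinux-built/
	cd selinux-built && $(MAKE)
```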
@@ -1277,6 +1299,7 @@ fixupcmd = sed \ -e 's,@defaultuser\@,$(defaultuser),g' \ -e 's,@defaultgroup\@,$(defaultgroup),g' \ -e 's,@with_fhs_opt\@,@with_fhs_opt@,g' \ + -e 's,@with_selinux\@,@with_selinux@,g' \ -e 's,@perlexec\@,@perlexec@,g' \ -e 's,@initconfigdir\@,$(initconfigdir),g' endif diff --git a/Makefile.in b/Makefile.in index dcea507d..a09bdd48 100644 --- a/Makefile.in +++ b/Makefile.in @@ -61,7 +61,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/fhs.m4 $(top_srcdir)/m4/nspr.m4 \ $(top_srcdir)/m4/sasl.m4 $(top_srcdir)/m4/svrcore.m4 \ $(top_srcdir)/m4/icu.m4 $(top_srcdir)/m4/netsnmp.m4 \ $(top_srcdir)/m4/kerberos.m4 $(top_srcdir)/m4/pcre.m4 \ - $(top_srcdir)/configure.ac + $(top_srcdir)/m4/selinux.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ @@ -101,8 +101,9 @@ am__installdirs = "$(DESTDIR)$(serverdir)" \ "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(configdir)" \ "$(DESTDIR)$(infdir)" "$(DESTDIR)$(initconfigdir)" \ "$(DESTDIR)$(mibdir)" "$(DESTDIR)$(propertydir)" \ - "$(DESTDIR)$(perldir)" "$(DESTDIR)$(propertydir)" \ - "$(DESTDIR)$(sampledatadir)" "$(DESTDIR)$(schemadir)" + "$(DESTDIR)$(perldir)" "$(DESTDIR)$(policydir)" \ + "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(sampledatadir)" \ + "$(DESTDIR)$(schemadir)" serverLTLIBRARIES_INSTALL = $(INSTALL) serverpluginLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(server_LTLIBRARIES) $(serverplugin_LTLIBRARIES) 
@@ -884,12 +885,13 @@ initconfigDATA_INSTALL = $(INSTALL_DATA) mibDATA_INSTALL = $(INSTALL_DATA) nodist_propertyDATA_INSTALL = $(INSTALL_DATA) perlDATA_INSTALL = $(INSTALL_DATA) +policyDATA_INSTALL = $(INSTALL_DATA) propertyDATA_INSTALL = $(INSTALL_DATA) sampledataDATA_INSTALL = $(INSTALL_DATA) schemaDATA_INSTALL = $(INSTALL_DATA) DATA = $(config_DATA) $(inf_DATA) $(initconfig_DATA) $(mib_DATA) \ - $(nodist_property_DATA) $(perl_DATA) $(property_DATA) \ - $(sampledata_DATA) $(schema_DATA) + $(nodist_property_DATA) $(perl_DATA) $(policy_DATA) \ + $(property_DATA) $(sampledata_DATA) $(schema_DATA) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -974,6 +976,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@ PKG_CONFIG = @PKG_CONFIG@ RANLIB = @RANLIB@ SED = @SED@ +SELINUX_FALSE = @SELINUX_FALSE@ +SELINUX_TRUE = @SELINUX_TRUE@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOLARIS_FALSE = @SOLARIS_FALSE@ @@ -1104,6 +1108,7 @@ sysconfdir = @sysconfdir@ target_alias = @target_alias@ vendor = @vendor@ with_fhs_opt = @with_fhs_opt@ +with_selinux = @with_selinux@ # look for included m4 files in the ./m4/ directory ACLOCAL_AMFLAGS = -I m4 @@ -1190,6 +1195,7 @@ CLEANFILES = dberrstrs.h ns-slapd.properties \ ldap/ldif/template-state.ldif ldap/ldif/template-suffix-db.ldif taskdir = $(datadir)@scripttemplatedir@ +policydir = $(datadir)/selinux/targeted server_LTLIBRARIES = libslapd.la libns-dshttpd.la # this is how to add optional plugins @@ -1203,6 +1209,7 @@ server_LTLIBRARIES = libslapd.la libns-dshttpd.la @enable_presence_TRUE@LIBPRESENCE_SCHEMA = $(srcdir)/ldap/schema/10presence.ldif @enable_presence_FALSE@enable_presence = off @enable_presence_TRUE@enable_presence = on +@SELINUX_TRUE@POLICY_MODULE = selinux-built/dirsrv.pp serverplugin_LTLIBRARIES = libacl-plugin.la libattr-unique-plugin.la \ libback-ldbm.la libchainingdb-plugin.la libcollation-plugin.la \ libcos-plugin.la libderef-plugin.la libdes-plugin.la libdistrib-plugin.la \ 
@@ -1220,6 +1227,7 @@ noinst_LIBRARIES = libavl.a libldaputil.a #------------------------ # Installed Files #------------------------ +policy_DATA = $(POLICY_MODULE) config_DATA = $(srcdir)/lib/ldaputil/certmap.conf \ $(srcdir)/ldap/schema/slapd-collations.conf \ ldap/admin/src/template-initconfig @@ -2183,6 +2191,7 @@ rsearch_bin_LDADD = $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK) $(LIBS @BUNDLE_FALSE@ -e 's,@defaultuser\@,$(defaultuser),g' \ @BUNDLE_FALSE@ -e 's,@defaultgroup\@,$(defaultgroup),g' \ @BUNDLE_FALSE@ -e 's,@with_fhs_opt\@,@with_fhs_opt@,g' \ +@BUNDLE_FALSE@ -e 's,@with_selinux\@,@with_selinux@,g' \ @BUNDLE_FALSE@ -e 's,@perlexec\@,@perlexec@,g' \ @BUNDLE_FALSE@ -e 's,@initconfigdir\@,$(initconfigdir),g' @@ -2244,6 +2253,7 @@ rsearch_bin_LDADD = $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK) $(LIBS @BUNDLE_TRUE@ -e 's,@defaultuser\@,$(defaultuser),g' \ @BUNDLE_TRUE@ -e 's,@defaultgroup\@,$(defaultgroup),g' \ @BUNDLE_TRUE@ -e 's,@with_fhs_opt\@,@with_fhs_opt@,g' \ +@BUNDLE_TRUE@ -e 's,@with_selinux\@,@with_selinux@,g' \ @BUNDLE_TRUE@ -e 's,@perlexec\@,@perlexec@,g' \ @BUNDLE_TRUE@ -e 's,@initconfigdir\@,$(initconfigdir),g' 
@@ -9339,6 +9349,23 @@ uninstall-perlDATA: echo " rm -f '$(DESTDIR)$(perldir)/$$f'"; \ rm -f "$(DESTDIR)$(perldir)/$$f"; \ done +install-policyDATA: $(policy_DATA) + @$(NORMAL_INSTALL) + test -z "$(policydir)" || $(mkdir_p) "$(DESTDIR)$(policydir)" + @list='$(policy_DATA)'; for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + f=$(am__strip_dir) \ + echo " $(policyDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(policydir)/$$f'"; \ + $(policyDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(policydir)/$$f"; \ + done + +uninstall-policyDATA: + @$(NORMAL_UNINSTALL) + @list='$(policy_DATA)'; for p in $$list; do \ + f=$(am__strip_dir) \ + echo " rm -f '$(DESTDIR)$(policydir)/$$f'"; \ + rm -f "$(DESTDIR)$(policydir)/$$f"; \ + done install-propertyDATA: $(property_DATA) @$(NORMAL_INSTALL) test -z "$(propertydir)" || $(mkdir_p) "$(DESTDIR)$(propertydir)" 
@@ -9572,7 +9599,7 @@ check: $(BUILT_SOURCES) all-am: Makefile $(LIBRARIES) $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS) \ $(MANS) $(DATA) config.h installdirs: - for dir in "$(DESTDIR)$(serverdir)" "$(DESTDIR)$(serverplugindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(initdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(taskdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(configdir)" "$(DESTDIR)$(infdir)" "$(DESTDIR)$(initconfigdir)" "$(DESTDIR)$(mibdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(perldir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(sampledatadir)" "$(DESTDIR)$(schemadir)"; do \ + for dir in "$(DESTDIR)$(serverdir)" "$(DESTDIR)$(serverplugindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(initdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(taskdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(configdir)" "$(DESTDIR)$(infdir)" "$(DESTDIR)$(initconfigdir)" "$(DESTDIR)$(mibdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(perldir)" "$(DESTDIR)$(policydir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(sampledatadir)" "$(DESTDIR)$(schemadir)"; do \ test -z "$$dir" || $(mkdir_p) "$$dir"; \ done install: $(BUILT_SOURCES) @@ -9684,7 +9711,7 @@ maintainer-clean-generic: -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES) clean: clean-am -clean-am: clean-binPROGRAMS clean-generic clean-libtool \ +clean-am: clean-binPROGRAMS clean-generic clean-libtool clean-local \ clean-noinstLIBRARIES clean-noinstPROGRAMS clean-sbinPROGRAMS \ clean-serverLTLIBRARIES clean-serverpluginLTLIBRARIES \ mostlyclean-am 
@@ -9709,9 +9736,9 @@ info-am: install-data-am: install-configDATA install-infDATA \ install-initSCRIPTS install-initconfigDATA install-man \ install-mibDATA install-nodist_propertyDATA install-perlDATA \ - install-propertyDATA install-sampledataDATA install-schemaDATA \ - install-serverLTLIBRARIES install-serverpluginLTLIBRARIES \ - install-taskSCRIPTS + install-policyDATA install-propertyDATA install-sampledataDATA \ + install-schemaDATA install-serverLTLIBRARIES \ + install-serverpluginLTLIBRARIES install-taskSCRIPTS install-exec-am: install-binPROGRAMS install-binSCRIPTS \ install-sbinPROGRAMS install-sbinSCRIPTS @@ -9746,7 +9773,7 @@ uninstall-am: uninstall-binPROGRAMS uninstall-binSCRIPTS \ uninstall-configDATA uninstall-infDATA uninstall-info-am \ uninstall-initSCRIPTS uninstall-initconfigDATA uninstall-man \ uninstall-mibDATA uninstall-nodist_propertyDATA \ - uninstall-perlDATA uninstall-propertyDATA \ + uninstall-perlDATA uninstall-policyDATA uninstall-propertyDATA \ uninstall-sampledataDATA uninstall-sbinPROGRAMS \ uninstall-sbinSCRIPTS uninstall-schemaDATA \ uninstall-serverLTLIBRARIES uninstall-serverpluginLTLIBRARIES \ @@ -9755,7 +9782,7 @@ uninstall-am: uninstall-binPROGRAMS uninstall-binSCRIPTS \ uninstall-man: uninstall-man1 uninstall-man8 .PHONY: CTAGS GTAGS all all-am am--refresh check check-am clean \ - clean-binPROGRAMS clean-generic clean-libtool \ + clean-binPROGRAMS clean-generic clean-libtool clean-local \ clean-noinstLIBRARIES clean-noinstPROGRAMS clean-sbinPROGRAMS \ clean-serverLTLIBRARIES clean-serverpluginLTLIBRARIES ctags \ dist dist-all dist-bzip2 dist-gzip dist-shar dist-tarZ \ 
@@ -9769,7 +9796,7 @@ uninstall-man: uninstall-man1 uninstall-man8 install-initSCRIPTS install-initconfigDATA install-man \ install-man1 install-man8 install-mibDATA \ install-nodist_propertyDATA install-perlDATA \ - install-propertyDATA install-sampledataDATA \ + install-policyDATA install-propertyDATA install-sampledataDATA \ install-sbinPROGRAMS install-sbinSCRIPTS install-schemaDATA \ install-serverLTLIBRARIES install-serverpluginLTLIBRARIES \ install-strip install-taskSCRIPTS installcheck installcheck-am \ @@ -9781,15 +9808,28 @@ uninstall-man: uninstall-man1 uninstall-man8 uninstall-initSCRIPTS uninstall-initconfigDATA uninstall-man \ uninstall-man1 uninstall-man8 uninstall-mibDATA \ uninstall-nodist_propertyDATA uninstall-perlDATA \ - uninstall-propertyDATA uninstall-sampledataDATA \ - uninstall-sbinPROGRAMS uninstall-sbinSCRIPTS \ - uninstall-schemaDATA uninstall-serverLTLIBRARIES \ - uninstall-serverpluginLTLIBRARIES uninstall-taskSCRIPTS + uninstall-policyDATA uninstall-propertyDATA \ + uninstall-sampledataDATA uninstall-sbinPROGRAMS \ + uninstall-sbinSCRIPTS uninstall-schemaDATA \ + uninstall-serverLTLIBRARIES uninstall-serverpluginLTLIBRARIES \ + uninstall-taskSCRIPTS +clean-local: + -rm -rf selinux-built + dberrstrs.h: Makefile perl $(srcdir)/ldap/servers/slapd/mkDBErrStrs.pl -i @db_incdir@ -o . +selinux-built: + cp -r $(srcdir)/selinux $@ + +selinux-built/dirsrv.fc: selinux-built + $(fixupcmd) selinux-built/dirsrv.fc.in > $@ + +selinux-built/dirsrv.pp: selinux-built/dirsrv.fc + cd selinux-built && $(MAKE) + #------------------------ # ns-slapd.properties #------------------------ 
@@ -465,7 +465,7 @@ ac_includes_default="\ #endif" ac_default_prefix=/opt/$PACKAGE_NAME -ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot AMTAR am__tar am__untar MAINTAINER_MODE_TRUE MAINTAINER_MODE_FALSE MAINT build build_cpu build_vendor build_os host host_cpu host_vendor host_os CXX CXXFLAGS LDFLAGS CPPFLAGS ac_ct_CXX EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CXXDEPMODE am__fastdepCXX_TRUE am__fastdepCXX_FALSE CC CFLAGS ac_ct_CC CCDEPMODE am__fastdepCC_TRUE am__fastdepCC_FALSE CCAS CCASFLAGS SED EGREP LN_S ECHO AR ac_ct_AR RANLIB ac_ct_RANLIB CPP CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL LIBOBJS debug_defs BUNDLE_TRUE BUNDLE_FALSE enable_pam_passthru_TRUE enable_pam_passthru_FALSE enable_dna_TRUE enable_dna_FALSE enable_ldapi_TRUE enable_ldapi_FALSE enable_autobind_TRUE enable_autobind_FALSE enable_auto_dn_suffix_TRUE enable_auto_dn_suffix_FALSE enable_bitwise_TRUE enable_bitwise_FALSE enable_presence_TRUE enable_presence_FALSE with_fhs_opt configdir sampledatadir propertydir schemadir serverdir serverplugindir scripttemplatedir perldir infdir mibdir defaultuser defaultgroup instconfigdir WINNT_TRUE WINNT_FALSE LIBSOCKET LIBNSL LIBDL LIBCSTD LIBCRUN initdir perlexec initconfigdir HPUX_TRUE HPUX_FALSE SOLARIS_TRUE SOLARIS_FALSE PKG_CONFIG ICU_CONFIG NETSNMP_CONFIG KRB5_CONFIG_BIN kerberos_inc kerberos_lib kerberos_libdir PACKAGE_BASE_VERSION OPENLDAP_TRUE OPENLDAP_FALSE nspr_inc nspr_lib nspr_libdir nss_inc nss_lib nss_libdir ldapsdk_inc 
ldapsdk_lib ldapsdk_libdir ldapsdk_bindir openldap_inc openldap_lib openldap_libdir openldap_bindir ol_libver db_inc db_incdir db_lib db_libdir db_bindir db_libver sasl_inc sasl_lib sasl_libdir sasl_path svrcore_inc svrcore_lib icu_lib icu_inc icu_bin netsnmp_inc netsnmp_lib netsnmp_libdir netsnmp_link pcre_inc pcre_lib pcre_libdir brand capbrand vendor LTLIBOBJS' +ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot AMTAR am__tar am__untar MAINTAINER_MODE_TRUE MAINTAINER_MODE_FALSE MAINT build build_cpu build_vendor build_os host host_cpu host_vendor host_os CXX CXXFLAGS LDFLAGS CPPFLAGS ac_ct_CXX EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CXXDEPMODE am__fastdepCXX_TRUE am__fastdepCXX_FALSE CC CFLAGS ac_ct_CC CCDEPMODE am__fastdepCC_TRUE am__fastdepCC_FALSE CCAS CCASFLAGS SED EGREP LN_S ECHO AR ac_ct_AR RANLIB ac_ct_RANLIB CPP CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL LIBOBJS debug_defs BUNDLE_TRUE BUNDLE_FALSE enable_pam_passthru_TRUE enable_pam_passthru_FALSE enable_dna_TRUE enable_dna_FALSE enable_ldapi_TRUE enable_ldapi_FALSE enable_autobind_TRUE enable_autobind_FALSE enable_auto_dn_suffix_TRUE enable_auto_dn_suffix_FALSE enable_bitwise_TRUE enable_bitwise_FALSE enable_presence_TRUE enable_presence_FALSE with_fhs_opt configdir sampledatadir propertydir schemadir serverdir serverplugindir scripttemplatedir perldir infdir mibdir defaultuser defaultgroup instconfigdir WINNT_TRUE WINNT_FALSE LIBSOCKET LIBNSL LIBDL LIBCSTD LIBCRUN initdir perlexec 
initconfigdir HPUX_TRUE HPUX_FALSE SOLARIS_TRUE SOLARIS_FALSE PKG_CONFIG ICU_CONFIG NETSNMP_CONFIG KRB5_CONFIG_BIN kerberos_inc kerberos_lib kerberos_libdir with_selinux PACKAGE_BASE_VERSION SELINUX_TRUE SELINUX_FALSE OPENLDAP_TRUE OPENLDAP_FALSE nspr_inc nspr_lib nspr_libdir nss_inc nss_lib nss_libdir ldapsdk_inc ldapsdk_lib ldapsdk_libdir ldapsdk_bindir openldap_inc openldap_lib openldap_libdir openldap_bindir ol_libver db_inc db_incdir db_lib db_libdir db_bindir db_libver sasl_inc sasl_lib sasl_libdir sasl_path svrcore_inc svrcore_lib icu_lib icu_inc icu_bin netsnmp_inc netsnmp_lib netsnmp_libdir netsnmp_link pcre_inc pcre_lib pcre_libdir brand capbrand vendor LTLIBOBJS' ac_subst_files='' # Initialize some variables set by options. @@ -1124,6 +1124,7 @@ Optional Packages: containing the kerberos libraries - implies use of kerberos --with-pcre=PATH Perl Compatible Regular Expression directory + --with-selinux Build SELinux policy Some influential environment variables: CXX C++ compiler command @@ -4358,7 +4359,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 4361 "configure"' > conftest.$ac_ext + echo '#line 4362 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -5493,7 +5494,7 @@ fi # Provide some information about the compiler. -echo "$as_me:5496:" \ +echo "$as_me:5497:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5 
@@ -6556,11 +6557,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:6559: $lt_compile\"" >&5) + (eval echo "\"\$as_me:6560: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:6563: \$? = $ac_status" >&5 + echo "$as_me:6564: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -6824,11 +6825,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:6827: $lt_compile\"" >&5) + (eval echo "\"\$as_me:6828: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:6831: \$? = $ac_status" >&5 + echo "$as_me:6832: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -6928,11 +6929,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:6931: $lt_compile\"" >&5) + (eval echo "\"\$as_me:6932: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:6935: \$? = $ac_status" >&5 + echo "$as_me:6936: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -8397,7 +8398,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 8400 "configure"' > conftest.$ac_ext + echo '#line 8401 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9294,7 +9295,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 9297 "configure" +#line 9298 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -9394,7 +9395,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<EOF -#line 9397 "configure" +#line 9398 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -11737,11 +11738,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:11740: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11741: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:11744: \$? = $ac_status" >&5 + echo "$as_me:11745: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -11841,11 +11842,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:11844: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11845: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:11848: \$? = $ac_status" >&5 + echo "$as_me:11849: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -12377,7 +12378,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 12380 "configure"' > conftest.$ac_ext + echo '#line 12381 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -13435,11 +13436,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13438: $lt_compile\"" >&5) + (eval echo "\"\$as_me:13439: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:13442: \$? = $ac_status" >&5 + echo "$as_me:13443: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -13539,11 +13540,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13542: $lt_compile\"" >&5) + (eval echo "\"\$as_me:13543: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:13546: \$? = $ac_status" >&5 + echo "$as_me:13547: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -14988,7 +14989,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 14991 "configure"' > conftest.$ac_ext + echo '#line 14992 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? 
@@ -15766,11 +15767,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15769: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15770: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:15773: \$? = $ac_status" >&5 + echo "$as_me:15774: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -16034,11 +16035,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16037: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16038: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:16041: \$? = $ac_status" >&5 + echo "$as_me:16042: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -16138,11 +16139,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16141: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16142: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:16145: \$? = $ac_status" >&5 + echo "$as_me:16146: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -17607,7 +17608,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 17610 "configure"' > conftest.$ac_ext + echo '#line 17611 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? 
@@ -27089,6 +27090,52 @@ echo "$as_me: error: pcre not found, specify with --with-pcre." >&2;} fi fi +# BEGIN COPYRIGHT BLOCK +# Copyright (C) 2009 Red Hat, Inc. +# All rights reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# END COPYRIGHT BLOCK + +{ echo "$as_me:$LINENO: checking for SELinux..." >&5 +echo "$as_me: checking for SELinux..." >&6;} + +# check for --with-selinux +echo "$as_me:$LINENO: checking for --with-selinux" >&5 +echo $ECHO_N "checking for --with-selinux... $ECHO_C" >&6 + +# Check whether --with-selinux or --without-selinux was given. +if test "${with_selinux+set}" = set; then + withval="$with_selinux" + + with_selinux=yes + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + + if test ! -f "/usr/share/selinux/devel/Makefile"; then + { { echo "$as_me:$LINENO: error: SELinux development tools (selinux-policy) not found" >&5 +echo "$as_me: error: SELinux development tools (selinux-policy) not found" >&2;} + { (exit 1); exit 1; }; } + fi + +else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi; + PACKAGE_BASE_VERSION=`echo $PACKAGE_VERSION | awk -F\. '{print $1"."$2}'` 
@@ -27102,6 +27149,16 @@ fi +if test "$with_selinux" = "yes"; then + SELINUX_TRUE= + SELINUX_FALSE='#' +else + SELINUX_TRUE='#' + SELINUX_FALSE= +fi + + + if test "$with_openldap" = "yes"; then OPENLDAP_TRUE= OPENLDAP_FALSE='#' @@ -27386,6 +27443,13 @@ echo "$as_me: error: conditional \"SOLARIS\" was never defined. Usually this means the macro was only invoked conditionally." >&2;} { (exit 1); exit 1; }; } fi +if test -z "${SELINUX_TRUE}" && test -z "${SELINUX_FALSE}"; then + { { echo "$as_me:$LINENO: error: conditional \"SELINUX\" was never defined. +Usually this means the macro was only invoked conditionally." >&5 +echo "$as_me: error: conditional \"SELINUX\" was never defined. +Usually this means the macro was only invoked conditionally." >&2;} + { (exit 1); exit 1; }; } +fi if test -z "${OPENLDAP_TRUE}" && test -z "${OPENLDAP_FALSE}"; then { { echo "$as_me:$LINENO: error: conditional \"OPENLDAP\" was never defined. Usually this means the macro was only invoked conditionally." >&5 @@ -28049,7 +28113,10 @@ s,@KRB5_CONFIG_BIN@,$KRB5_CONFIG_BIN,;t t s,@kerberos_inc@,$kerberos_inc,;t t s,@kerberos_lib@,$kerberos_lib,;t t s,@kerberos_libdir@,$kerberos_libdir,;t t +s,@with_selinux@,$with_selinux,;t t s,@PACKAGE_BASE_VERSION@,$PACKAGE_BASE_VERSION,;t t +s,@SELINUX_TRUE@,$SELINUX_TRUE,;t t +s,@SELINUX_FALSE@,$SELINUX_FALSE,;t t s,@OPENLDAP_TRUE@,$OPENLDAP_TRUE,;t t s,@OPENLDAP_FALSE@,$OPENLDAP_FALSE,;t t s,@nspr_inc@,$nspr_inc,;t t diff --git a/configure.ac b/configure.ac index fa540609..b8866435 100644 --- a/configure.ac +++ b/configure.ac @@ -439,6 +439,7 @@ m4_include(m4/icu.m4) m4_include(m4/netsnmp.m4) m4_include(m4/kerberos.m4) m4_include(m4/pcre.m4) +m4_include(m4/selinux.m4) PACKAGE_BASE_VERSION=`echo $PACKAGE_VERSION | awk -F\. '{print $1"."$2}'` AC_SUBST(PACKAGE_BASE_VERSION) 
@@ -450,6 +451,7 @@ else sasl_path="$sasl_libdir/sasl2" fi +AM_CONDITIONAL(SELINUX,test "$with_selinux" = "yes") AM_CONDITIONAL(OPENLDAP,test "$with_openldap" = "yes") # write out paths for binary components diff --git a/ldap/admin/src/scripts/DSCreate.pm.in b/ldap/admin/src/scripts/DSCreate.pm.in index d33f13af..15302b9c 100644 --- a/ldap/admin/src/scripts/DSCreate.pm.in +++ b/ldap/admin/src/scripts/DSCreate.pm.in @@ -888,6 +888,41 @@ sub setDefaults { return (); } +sub updateSelinuxPolicy { + my $inf = shift; + + # if selinux is not available, do nothing + if ("@with_selinux@") { + # run restorecon on all directories we created + for (qw(inst_dir config_dir schema_dir log_dir lock_dir run_dir tmp_dir + cert_dir db_dir ldif_dir bak_dir)) { + my $dir = $inf->{slapd}->{$_}; + system("restorecon -R $dir"); + } + + # label the selected port as ldap_port_t + if ($inf->{slapd}->{ServerPort} != 0) { + my $need_label = 1; + + # check if the port is already labeled properly + my $portline = `semanage port -l | grep ldap_port_t | grep tcp`; + chomp($portline); + $portline =~ s/ldap_port_t\s+tcp\s+//g; + my @labeledports = split(/,\s+/, $portline); + foreach my $labeledport (@labeledports) { + if ($inf->{slapd}->{ServerPort} == $labeledport) { + $need_label = 0; + last; + } + } + + if ($need_label == 1) { + system("semanage port -a -t ldap_port_t -p tcp $inf->{slapd}->{ServerPort}"); + } + } + } +} + sub createDSInstance { my $inf = shift; my @errs; @@ -924,6 +959,8 @@ sub createDSInstance { return @errs; } + updateSelinuxPolicy($inf); + if (@errs = startServer($inf)) { return @errs; } 
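Review bot: In `updateSelinuxPolicy` the `system("restorecon -R $dir")` and `semanage port -a ... $inf->{slapd}->{ServerPort}` calls interpolate values taken from the setup inf into a shell command string and ignore the return status, so a path containing whitespace or shell metacharacters is split or interpreted by the shell, an undefined directory key runs `restorecon -R` with no argument, and a missing `restorecon`/`semanage` binary (SELinux disabled at runtime, or the build-time `@with_selinux@` not matching the target host) fails silently. Use the list form of `system`, skip undefined directories, validate the port as digits before use, and report non-zero status through `debug` as the rest of the file does. The `semanage port -l` parse compares each entry numerically with `==`, which will not match when the listing shows a range such as `a-b` and may emit "isn't numeric" warnings; that case is also worth a comment. `createDSInstance` continues outside the hunk, and the return of `updateSelinuxPolicy($inf)` is not collected into `@errs`.
```perl
        for (qw(inst_dir config_dir schema_dir log_dir lock_dir run_dir tmp_dir
                cert_dir db_dir ldif_dir bak_dir)) {
            my $dir = $inf->{slapd}->{$_};
            next unless defined $dir && length $dir;
            # list form: no shell, the path is passed as one argument
            if (system("restorecon", "-R", $dir) != 0) {
                debug(1, "Warning: restorecon -R $dir failed: $?\n");
            }
        }
        # … unchanged: lookup of already-labeled ports via semanage port -l …
        if ($need_label == 1) {
            my $port = $inf->{slapd}->{ServerPort};
            if ($port =~ /^\d+$/ &&
                system("semanage", "port", "-a", "-t", "ldap_port_t", "-p", "tcp", $port) != 0) {
                debug(1, "Warning: could not label port $port as ldap_port_t: $?\n");
            }
        }
```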
@@ -1048,6 +1085,31 @@ sub removeDSInstance { # Finally, config dir push @errs, remove_tree($entry, "nsslapd-schemadir", $instname, 1, "\.db\$"); + # remove the selinux label from the ports if needed + if ("@with_selinux@") { + foreach my $port (@{$entry->{"nsslapd-port"}}) + { + my $semanage_err = `semanage port -d -t ldap_port_t -p tcp $port 2>&1`; + if ($? != 0) { + if ($semanage_err !~ /defined in policy, cannot be deleted/) { + push @errs, [ 'error_removing_port_label', $port, $semanage_err]; + debug(1, "Warning: Port $port not removed from selinux policy correctly. Error: $semanage_err\n"); + } + } + } + + foreach my $secureport (@{$entry->{"nsslapd-secureport"}}) + { + my $semanage_err = `semanage port -d -t ldap_port_t -p tcp $secureport 2>&1`; + if ($? != 0) { + if ($semanage_err !~ /defined in policy, cannot be deleted/) { + push @errs, [ 'error_removing_port_label', $secureport, $semanage_err]; + debug(1, "Warning: Port $secureport not removed from selinux policy correctly. Error: $semanage_err\n"); + } + } + } + } + # if we got here, report success if (@errs) { debug(1, "Could not successfully remove $instname\n"); diff --git a/ldap/admin/src/scripts/DSMigration.pm.in b/ldap/admin/src/scripts/DSMigration.pm.in index 69e12882..c661d2c1 100644 --- a/ldap/admin/src/scripts/DSMigration.pm.in +++ b/ldap/admin/src/scripts/DSMigration.pm.in @@ -1141,6 +1141,9 @@ sub migrateDS { return 0; } + # ensure any selinux relabeling gets done if needed + DSCreate::updateSelinuxPolicy($inf); + # finally, start the server if ($mig->{start_servers}) { $inf->{slapd}->{start_server} = 1; diff --git a/ldap/admin/src/scripts/Util.pm.in b/ldap/admin/src/scripts/Util.pm.in index e90f3c10..6d54648f 100644 --- a/ldap/admin/src/scripts/Util.pm.in +++ b/ldap/admin/src/scripts/Util.pm.in 
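Review bot: The two `semanage port -d` loops in `removeDSInstance` are identical apart from the attribute name and interpolate `$port` / `$secureport` from the instance's config entry straight into a backtick command, so a malformed value reaches the shell; iterate over both attributes in one loop and only pass values that are all digits. If another instance on the same host is configured for the same port on a different listen address, this also removes its label — presumably rare, but worth a comment or a check of the other instances' ports before deleting. `removeDSInstance` starts outside the hunk.
```perl
    # remove the selinux label from the ports if needed
    if ("@with_selinux@") {
        foreach my $port (@{$entry->{"nsslapd-port"}}, @{$entry->{"nsslapd-secureport"}}) {
            next unless defined $port && $port =~ /^\d+$/;
            my $semanage_err = `semanage port -d -t ldap_port_t -p tcp $port 2>&1`;
            if ($? != 0 && $semanage_err !~ /defined in policy, cannot be deleted/) {
                push @errs, [ 'error_removing_port_label', $port, $semanage_err];
                debug(1, "Warning: Port $port not removed from selinux policy correctly. Error: $semanage_err\n");
            }
        }
    }
```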
@@ -917,11 +917,52 @@ sub remove_tree sub remove_pidfile { my ($type, $instdir, $instname) = @_; + my $serv_id; + my $run_dir; + my $product_name; + my $pidfile; + + # Get the serv_id from the start-slapd script. + unless(open(INFILE,"$instdir/start-slapd")) { + print("Cannot open start-slapd file for reading "); return 0; + } + while(<INFILE>) { + if (/start-dirsrv /g) { + my @servline=split(/start-dirsrv /, ); + @servline=split(/\s+/, $servline[1]); + $serv_id=$servline[0]; + } + } + close(INFILE); + + # Get the run_dir and product_name from the instance initconfig script. + unless(open(INFILE,"@initconfigdir@/@package_name@-$serv_id")) { + print("Couldn't open @initconfigdir@/@package_name@-$serv_id "); return 0; + } + while(<INFILE>) { + if (/RUN_DIR=/g) { + my @rundir_line=split(/RUN_DIR=+/, ); + @rundir_line=split(/;/, $rundir_line[1]); + $run_dir = $rundir_line[0]; + chop($run_dir); + } elsif (/PRODUCT_NAME=/g) { + my @product_line=split(/PRODUCT_NAME=+/, ); + @product_line=split(/;/, $product_line[1]); + $product_name = $product_line[0]; + chop($product_name); + } + } + close(INFILE); + + # Construct the pidfile name as follows: + # PIDFILE=$RUN_DIR/$PRODUCT_NAME-$SERV_ID.pid + # STARTPIDFILE=$RUN_DIR/$PRODUCT_NAME-$SERV_ID.startpid + if ($type eq "PIDFILE") { + $pidfile = $run_dir . "/" . $product_name . "-" . $serv_id . ".pid"; + } elsif ($type eq "STARTPIDFILE") { + $pidfile = $run_dir . "/" . $product_name . "-" . $serv_id . ".startpid"; + } - my $pattern = "^" . $type . ".*="; - my $pidline = `grep $pattern $instdir/start-slapd`; - chomp($pidline); - my ($key, $pidfile) = split(/=/, $pidline); if ( -e $pidfile && $pidfile =~ /$instname/ ) { unlink($pidfile); diff --git a/ldap/admin/src/scripts/setup-ds.res.in b/ldap/admin/src/scripts/setup-ds.res.in index 6502951c..53269631 100644 --- a/ldap/admin/src/scripts/setup-ds.res.in +++ b/ldap/admin/src/scripts/setup-ds.res.in 
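Review bot: `chop($run_dir)` and `chop($product_name)` in remove_pidfile discard whatever the last character happens to be; this presumably strips a closing quote from the initconfig value, but if the value is unquoted it eats the last character of the path, so a pattern that removes optional surrounding quotes and whitespace, e.g. `($run_dir) = $rundir_line[0] =~ /^\s*"?([^"]*?)"?\s*$/;`, is safer than a blind chop. When `$type` is neither `PIDFILE` nor `STARTPIDFILE`, `$pidfile` stays undefined and reaches `-e $pidfile`; `return 0 unless defined $pidfile;` before that test closes the gap, and the same applies to `$serv_id`, which is interpolated into the second file name even if the start-slapd scan matched nothing. The bareword `INFILE` handle and two-argument `open` are reused for both files; a lexical handle with three-argument `open(my $fh, '<', ...)` avoids the global and treats the path purely as a path. The tail of remove_pidfile continues past the end of the hunk.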
@@ -135,3 +135,4 @@ error_creating_templdif = Could not create temporary LDIF file. Error: %s\n
 error_no_such_instance = Error: could not find directory server configuration directory '%s'. Error: %s\n
 error_finding_config_entry = Error: could not find the config entry '%s' in '%s'. Error: %s\n
 error_removing_path = Error: could not remove path '%s'. Error: %s\n
+error_removing_port_label = Error: could not remove selinux label from port '%s'. Error: %s\n
diff --git a/m4/selinux.m4 b/m4/selinux.m4
new file mode 100644
index 00000000..de97c94e
--- /dev/null
+++ b/m4/selinux.m4
@@ -0,0 +1,34 @@
+# BEGIN COPYRIGHT BLOCK
+# Copyright (C) 2009 Red Hat, Inc.
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# END COPYRIGHT BLOCK
+
+AC_CHECKING(for SELinux)
+
+# check for --with-selinux
+AC_MSG_CHECKING(for --with-selinux)
+AC_ARG_WITH(selinux, [ --with-selinux Build SELinux policy],
+[
+ with_selinux=yes
+ AC_MSG_RESULT(yes)
+ AC_SUBST(with_selinux)
+ if test ! -f "/usr/share/selinux/devel/Makefile"; then
+ AC_MSG_ERROR([SELinux development tools (selinux-policy) not found])
+ fi
+],
+AC_MSG_RESULT(no))
diff --git a/selinux/Makefile b/selinux/Makefile
new file mode 100644
index 00000000..bc8e6a73
--- /dev/null
+++ b/selinux/Makefile
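Review bot: The action-if-given block of `AC_ARG_WITH(selinux, ...)` sets `with_selinux=yes` unconditionally, so `--without-selinux` (or `--with-selinux=no`) also enables the policy build and then aborts if the devel Makefile is missing; testing `$withval` first, `if test "$withval" != "no"; then` ... `else AC_MSG_RESULT(no); fi`, gives the option its expected three-way behaviour. `AC_SUBST(with_selinux)` is only registered on that branch, so when the option is absent `@with_selinux@` is never substituted and can survive literally into generated files; moving the `AC_SUBST` after the `AC_ARG_WITH` call makes it expand to an empty string in that case, which is what the `if ("@with_selinux@")` tests in the Perl hunks of this commit rely on. The resource-file hunk on this line is a message addition and needs no change.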
@@ -0,0 +1,17 @@
+POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
+POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
+
+all:
+ if [ ! -e $(POLICY_MAKEFILE) ]; then echo "You need to install the SELinux policy development tools (selinux-policy)" && exit 1; fi
+
+ $(MAKE) -f $(POLICY_MAKEFILE) $@ || exit 1;
+
+clean:
+ $(MAKE) -f $(POLICY_MAKEFILE) $@ || exit 1;
+
+install: all
+ install -d $(POLICY_DIR)
+ install -m 644 dirsrv.pp $(POLICY_DIR)
+
+load:
+ /usr/sbin/semodule -i dirsrv.pp
diff --git a/selinux/dirsrv.fc.in b/selinux/dirsrv.fc.in
new file mode 100644
index 00000000..ae768b1b
--- /dev/null
+++ b/selinux/dirsrv.fc.in
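Review bot: `all`, `clean`, `install` and `load` are command targets that never produce a file of that name, so a stray file called `clean` or `load` in the directory would make them silently up to date; add `.PHONY: all clean install load`. The `|| exit 1;` suffix on the `$(MAKE) -f $(POLICY_MAKEFILE)` lines is redundant, since make already stops on a non-zero recipe command. `POLICY_DIR` hard-codes `/usr/share/selinux/targeted` under `$(DESTDIR)`, so if the surrounding build installs with a non-default prefix the location chosen here will diverge from it; deriving it from a `prefix` variable passed down by the caller would keep them aligned.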
@@ -0,0 +1,22 @@
+# dirsrv executable will have:
+# label: system_u:object_r:dirsrv_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+@sbindir@/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
+@sbindir@/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+@sbindir@/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+@serverdir@ gen_context(system_u:object_r:dirsrv_lib_t,s0)
+@serverdir@(/.*) gen_context(system_u:object_r:dirsrv_lib_t,s0)
+@localstatedir@/run/@package_name@ gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+@localstatedir@/run/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+@localstatedir@/log/@package_name@ gen_context(system_u:object_r:dirsrv_var_log_t,s0)
+@localstatedir@/log/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_var_log_t,s0)
+@localstatedir@/lock/@package_name@ gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
+@localstatedir@/lock/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
+@localstatedir@/lib/@package_name@ gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+@localstatedir@/lib/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+@sysconfdir@/@package_name@ gen_context(system_u:object_r:dirsrv_config_t,s0)
+@sysconfdir@/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_config_t,s0)
+@datadir@/@package_name@ gen_context(system_u:object_r:dirsrv_share_t,s0)
+@datadir@/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_share_t,s0)
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
new file mode 100644
index 00000000..d3851bad
--- /dev/null
+++ b/selinux/dirsrv.if
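Review bot: Each labelled directory is written as two entries, `PATH` and `PATH(/.*)`, with the same context; the usual file-context idiom `PATH(/.*)?` covers both in one line, which halves the file and removes the chance of the two copies drifting apart. The path column is a regular expression, so any `.` or other metacharacter in a substituted value such as `@package_name@` or `@serverdir@` matches more than the literal character; that is harmless for the names shown here, but worth a comment at the top of the file so later edits do not assume literal matching.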
@@ -0,0 +1,23 @@
+## <summary>policy for dirsrv</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirsrv_domtrans',`
+ gen_require(`
+ type dirsrv_t, dirsrv_exec_t;
+ ')
+
+ domain_auto_trans($1,dirsrv_exec_t,dirsrv_t)
+
+ allow dirsrv_t $1:fd use;
+ allow dirsrv_t $1:fifo_file rw_file_perms;
+ allow dirsrv_t $1:process sigchld;
+')
diff --git a/selinux/dirsrv.te b/selinux/dirsrv.te
new file mode 100644
index 00000000..ea103557
--- /dev/null
+++ b/selinux/dirsrv.te
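Review bot: The body of `dirsrv_domtrans` hand-writes the transition plus the three `allow` rules for fd, fifo_file and sigchld; reference policy bundles exactly that as `domtrans_pattern($1, dirsrv_exec_t, dirsrv_t)`, which replaces the four lines after `gen_require` and keeps the interface in step with the standard pattern. Nothing else in this commit appears to call `dirsrv_domtrans`, so a one-line comment stating the intended caller (init scripts, an admin domain) would make the interface's purpose clear to the next reader.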
@@ -0,0 +1,127 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# main daemon
+type dirsrv_t;
+type dirsrv_exec_t;
+domain_type(dirsrv_t)
+init_daemon_domain(dirsrv_t, dirsrv_exec_t)
+
+# dynamic libraries
+type dirsrv_lib_t;
+files_type(dirsrv_lib_t)
+
+# var/lib files
+type dirsrv_var_lib_t;
+files_type(dirsrv_var_lib_t)
+
+# log files
+type dirsrv_var_log_t;
+logging_log_file(dirsrv_var_log_t)
+
+# pid files
+type dirsrv_var_run_t;
+files_pid_file(dirsrv_var_run_t)
+
+# lock files
+type dirsrv_var_lock_t;
+files_lock_file(dirsrv_var_lock_t)
+
+# config files
+type dirsrv_config_t;
+files_type(dirsrv_config_t)
+
+# tmp files
+type dirsrv_tmp_t;
+files_tmp_file(dirsrv_tmp_t)
+
+# semaphores
+type dirsrv_tmpfs_t;
+files_tmpfs_file(dirsrv_tmpfs_t)
+
+# shared files
+type dirsrv_share_t;
+files_type(dirsrv_share_t);
+
+########################################
+#
+# dirsrv local policy
+#
+
+# Some common macros
+files_read_etc_files(dirsrv_t)
+corecmd_search_sbin(dirsrv_t)
+files_read_usr_symlinks(dirsrv_t)
+miscfiles_read_localization(dirsrv_t)
+dev_read_urand(dirsrv_t)
+libs_use_ld_so(dirsrv_t)
+libs_use_shared_libs(dirsrv_t)
+allow dirsrv_t self:fifo_file { read write };
+
+# process stuff
+allow dirsrv_t self:process { getsched setsched signal_perms};
+allow dirsrv_t self:capability { sys_nice setuid setgid chown dac_override };
+
+# semaphores
+allow dirsrv_t self:sem all_sem_perms;
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
+
+# dynamic libraries
+allow dirsrv_t dirsrv_lib_t:file exec_file_perms;
+allow dirsrv_t dirsrv_lib_t:lnk_file read_lnk_file_perms;
+allow dirsrv_t dirsrv_lib_t:dir search_dir_perms;
+
+# var/lib files for dirsrv
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
+
+# log files
+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+allow dirsrv_t dirsrv_var_log_t:dir { setattr };
+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
+
+# pid files
+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+files_pid_filetrans(dirsrv_t,dirsrv_var_run_t, { file sock_file })
+
+#lock files
+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+files_lock_filetrans(dirsrv_t,dirsrv_var_lock_t, { file })
+
+# config files
+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+
+# tmp files
+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
+
+# system state
+fs_getattr_all_fs(dirsrv_t)
+kernel_read_system_state(dirsrv_t)
+
+# Networking basics
+sysnet_dns_name_resolve(dirsrv_t)
+corenet_all_recvfrom_unlabeled(dirsrv_t)
+corenet_all_recvfrom_netlabel(dirsrv_t)
+corenet_tcp_sendrecv_generic_if(dirsrv_t)
+corenet_tcp_sendrecv_generic_node(dirsrv_t)
+corenet_tcp_sendrecv_all_ports(dirsrv_t)
+corenet_tcp_bind_all_nodes(dirsrv_t)
+corenet_tcp_bind_ldap_port(dirsrv_t)
+corenet_tcp_connect_all_ports(dirsrv_t)
+corenet_sendrecv_ldap_server_packets(dirsrv_t)
+corenet_sendrecv_all_client_packets(dirsrv_t)
+allow dirsrv_t self:tcp_socket { create_stream_socket_perms };
+
+# Init script handling
+init_use_fds(dirsrv_t)
+init_use_script_ptys(dirsrv_t)
+domain_use_interactive_fds(dirsrv_t) |
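Review bot: `corenet_tcp_connect_all_ports(dirsrv_t)` together with `corenet_tcp_sendrecv_all_ports` and `corenet_sendrecv_all_client_packets` lets the daemon open outbound TCP connections to any port, which is wider than a directory server needs for replication and chaining; if those only ever talk LDAP, `corenet_tcp_connect_ldap_port(dirsrv_t)` is the least-privilege form, and the broad rules deserve at least a comment naming the outbound protocol that requires them. `dirsrv_share_t` is declared and labelled on the datadir tree in the .fc file of this commit, but no rule in this module grants `dirsrv_t` any access to it, so reads under that path would be denied; `read_files_pattern(dirsrv_t, dirsrv_share_t, dirsrv_share_t)` with the matching dir search rule would fix that if the daemon reads from there. `files_type(dirsrv_share_t);` carries a trailing semicolon that none of the other macro calls have; it should be dropped for consistency, and some checkpolicy versions may reject the empty statement. The `dac_override` capability grants bypass of all discretionary permission checks; a comment on which operation needs it (or dropping it if the daemon only touches its own labelled files) would keep the capability set minimal.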