author | Martin Kosek <mkosek@redhat.com> | 2012-11-02 12:58:40 +0100 |
committer | Rob Crittenden <rcritten@redhat.com> | 2012-11-30 11:12:51 -0500 |
commit | c8d522bc98fb11be92529259e7a2072796012910 (patch) | |
tree | 635dc79adff066f3165ee0a427aada18dc0a6b4d | |
parent | 0833f594c15d05b6ead7e7ca15aabe34fa09a766 (diff) | |
Update SELinux policy for dogtag10
Incorporate SELinux policy changes introduced in Dogtag 10 in IPA
SELinux policy:
- dogtag10 now runs with pki_tomcat_t context instead of pki_ca_t
- certmonger-related rules are now integrated in the system policy and
can be removed from the IPA policy
Also remove redundant SELinux rules for connection of httpd_t, krb5kdc_t
or named_t to DS socket. The socket has different target type anyway
(dirsrv_var_run_t) and the policy allowing this is already in
system.
https://fedorahosted.org/freeipa/ticket/3234
-rw-r--r-- | selinux/ipa_dogtag/ipa_dogtag.te | 32 | ||||
-rw-r--r-- | selinux/ipa_httpd/ipa_httpd.te | 18 |
2 files changed, 13 insertions, 37 deletions
diff --git a/selinux/ipa_dogtag/ipa_dogtag.te b/selinux/ipa_dogtag/ipa_dogtag.te
index 1404e17ca..713ea560b 100644
--- a/selinux/ipa_dogtag/ipa_dogtag.te
+++ b/selinux/ipa_dogtag/ipa_dogtag.te
@@ -1,11 +1,8 @@
-module ipa_dogtag 1.5;
+module ipa_dogtag 2.0;
 
 require {
-	type httpd_t;
 	type cert_t;
-	type pki_ca_t;
-	type pki_ca_var_lib_t;
-	type certmonger_t;
+	type pki_tomcat_t;
 	class dir write;
 	class dir add_name;
 	class dir remove_name;
@@ -23,23 +20,16 @@ require {
 }
 
 # Let dogtag write to cert_t directories
-allow pki_ca_t cert_t:dir write;
-allow pki_ca_t cert_t:dir add_name;
-allow pki_ca_t cert_t:dir remove_name;
+allow pki_tomcat_t cert_t:dir write;
+allow pki_tomcat_t cert_t:dir add_name;
+allow pki_tomcat_t cert_t:dir remove_name;
 
 # Let dogtag write cert_t files
-allow pki_ca_t cert_t:file create;
-allow pki_ca_t cert_t:file write;
-allow pki_ca_t cert_t:file rename;
+allow pki_tomcat_t cert_t:file create;
+allow pki_tomcat_t cert_t:file write;
+allow pki_tomcat_t cert_t:file rename;
 
 # Let dogtag manage cert_t symbolic links
-allow pki_ca_t cert_t:lnk_file create;
-allow pki_ca_t cert_t:lnk_file rename;
-allow pki_ca_t cert_t:lnk_file unlink;
-
-# Let apache read the CRLs
-allow httpd_t pki_ca_var_lib_t:dir { search getattr };
-
-# Let certmonger manage the dogtag certificate database for renewals
-allow certmonger_t pki_ca_var_lib_t:dir { search getattr} ;
-allow certmonger_t pki_ca_var_lib_t:file { read write getattr open };
+allow pki_tomcat_t cert_t:lnk_file create;
+allow pki_tomcat_t cert_t:lnk_file rename;
+allow pki_tomcat_t cert_t:lnk_file unlink;
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
index 65b161fe5..f0cc6daa6 100644
--- a/selinux/ipa_httpd/ipa_httpd.te
+++ b/selinux/ipa_httpd/ipa_httpd.te
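Review bot: The removed `# Let apache read the CRLs` rule (`allow httpd_t pki_ca_var_lib_t:dir { search getattr };`) gets no pki_tomcat_t counterpart on the new side, and unlike the certmonger and ldapi rules the commit message does not say the system policy now covers it. If httpd still has to reach CRLs under dogtag's var/lib directory on Dogtag 10, this hunk needs either an equivalent rule against the Dogtag 10 library-directory type or a comment recording that the base policy already grants it, so the drop is not later mistaken for an oversight. A short header comment near the module line, e.g. `# Dogtag 10 (pki-tomcatd) runs as pki_tomcat_t; pki_ca_t rules were removed in module 2.0`, would also explain the type change to the next maintainer.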
@@ -1,25 +1,11 @@
-module ipa_httpd 1.2;
+module ipa_httpd 2.0;
 
 require {
 	type httpd_t;
-	type named_t;
-	type initrc_t;
-	type var_run_t;
-	type krb5kdc_t;
 	type cert_t;
-	class sock_file write;
-	class unix_stream_socket connectto;
 	class file write;
 }
 
-# Let Apache, bind and the KDC talk to DS over ldapi
-allow httpd_t var_run_t:sock_file write;
-allow httpd_t initrc_t:unix_stream_socket connectto;
-allow krb5kdc_t var_run_t:sock_file write;
-allow krb5kdc_t initrc_t:unix_stream_socket connectto;
-allow named_t var_run_t:sock_file write;
-allow named_t initrc_t:unix_stream_socket connectto;
-
 # Let Apache access the NSS certificate database so it can issue certs
-# See ipa_httpd.fe for the list of files that are granted write access
+# See ipa_httpd.fc for the list of files that are granted write access
 allow httpd_t cert_t:file write;
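Review bot: The new side keeps no record that the ldapi socket rules for httpd_t, krb5kdc_t and named_t were dropped on purpose because the base policy already lets those domains reach the DS socket (the commit message notes its target type is dirsrv_var_run_t, not var_run_t), so a future AVC triage of DS connectivity may re-add them to this module. Suggest a comment after the require block such as `# ldapi access to DS (dirsrv_var_run_t) is granted by the system policy; do not re-add socket rules here`. The remaining `allow httpd_t cert_t:file write;` applies to every file labelled cert_t, with ipa_httpd.fc only deciding which paths carry that label, so the corrected `.fc` reference is worth keeping accurate since that list is the effective write scope.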