author | Rob Crittenden <rcritten@redhat.com> | 2009-11-25 13:42:52 -0500 |
committer | Jason Gerard DeRose <jderose@redhat.com> | 2009-11-26 00:16:30 -0700 |
commit | cfec51819bd40f2795f0771a74714e0ce1135c26 (patch) | |
tree | 3daa879cb56da29bcdbc0574e279685874c16696 /selinux | |
parent | 986c4e23e7f640911cbe72129dc3f675438f35d4 (diff) | |
Add SELinux policy for CRL file publishing.
This policy should really be provided by dogtag. We don't want
to grant read/write access to everything dogtag can handle so we
change the context to cert_t instead. But we have to let dogtag
read/write that too hence this policy.
To top it off, we can't load this policy unless dogtag is also loaded,
so we insert it in the IPA installer.
Diffstat (limited to 'selinux')
-rw-r--r-- | selinux/Makefile | 3 | ||||
-rw-r--r-- | selinux/ipa_dogtag/ipa_dogtag.fc | 1 | ||||
-rw-r--r-- | selinux/ipa_dogtag/ipa_dogtag.te | 29 |
3 files changed, 32 insertions, 1 deletions
diff --git a/selinux/Makefile b/selinux/Makefile
index 6780a8b48..62b7bf7ed 100644
--- a/selinux/Makefile
+++ b/selinux/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = ipa_kpasswd ipa_httpd
+SUBDIRS = ipa_kpasswd ipa_httpd ipa_dogtag
 POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
 POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
@@ -23,6 +23,7 @@ install: all
 install -d $(POLICY_DIR)
 install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
 install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
+ install -m 644 ipa_dogtag/ipa_dogtag.pp $(POLICY_DIR)
 load:
 /usr/sbin/semodule -i ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
diff --git a/selinux/ipa_dogtag/ipa_dogtag.fc b/selinux/ipa_dogtag/ipa_dogtag.fc
new file mode 100644
index 000000000..58a4b3e82
--- /dev/null
+++ b/selinux/ipa_dogtag/ipa_dogtag.fc
@@ -0,0 +1 @@
+/var/lib/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0)
diff --git a/selinux/ipa_dogtag/ipa_dogtag.te b/selinux/ipa_dogtag/ipa_dogtag.te
new file mode 100644
index 000000000..b3fce00da
--- /dev/null
+++ b/selinux/ipa_dogtag/ipa_dogtag.te
@@ -0,0 +1,29 @@
+module ipa_dogtag 1.2;
+
+require {
+ type httpd_t;
+ type cert_t;
+ type pki_ca_t;
+ class dir write;
+ class dir add_name;
+ class dir remove_name;
+ class file create;
+ class file write;
+ class file rename;
+ class lnk_file create;
+ class lnk_file rename;
+}
+
+# Let dogtag write to cert_t directories
+allow pki_ca_t cert_t:dir write;
+allow pki_ca_t cert_t:dir add_name;
+allow pki_ca_t cert_t:dir remove_name;
+
+# Let dogtag write cert_t files
+allow pki_ca_t cert_t:file create;
+allow pki_ca_t cert_t:file write;
+allow pki_ca_t cert_t:file rename;
+
+# Let dogtag manage cert_t symbolic links
+allow pki_ca_t cert_t:lnk_file create;
+allow pki_ca_t cert_t:lnk_file rename;
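Review bot: The `load` target shown in the second hunk's context still runs `/usr/sbin/semodule -i ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp`, so `make load` copies nothing new into the kernel even though `SUBDIRS` and `install` now include ipa_dogtag. If that is deliberate because the commit message says the IPA installer loads ipa_dogtag.pp itself (it needs dogtag's policy to be present first), a comment on the target would spare the next reader the puzzle, e.g. `# ipa_dogtag.pp is loaded by the IPA installer once the dogtag policy is present`. Otherwise append `ipa_dogtag/ipa_dogtag.pp` to the semodule line so the three targets agree.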
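Review bot: The new file-context entry is consulted by restorecon/setfiles, not at runtime, so an existing /var/lib/pki-ca/publish tree keeps whatever label pki gave it until it is relabelled, and until then none of the rules in ipa_dogtag.te match. Whether the installer runs restorecon on that path after `semodule -i` is not visible in this commit, so it is worth confirming. A one-line comment in the .fc file recording that the directory must be relabelled (or created) after the module is loaded would document the dependency.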
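Review bot: The allow rules grant pki_ca_t create/write/rename on every cert_t file and symlink, not only under /var/lib/pki-ca/publish, since cert_t is the shared label for system certificate stores such as /etc/pki; that is wider than the commit message's stated goal of not handing dogtag more than the publish tree. A dedicated type declared by this module for the publish directory, readable by the same consumers that read cert_t, would keep the write grant scoped. Separately, `type httpd_t;` is required but appears in no rule, and `dir remove_name` is allowed while neither `file unlink` nor `lnk_file unlink` is, so if publishing replaces an existing CRL by renaming over it or deleting it the removal of the old target would still be denied — worth checking the audit log after a CRL update. Stylistically the eight allow lines collapse to `allow pki_ca_t cert_t:dir { write add_name remove_name };`, `allow pki_ca_t cert_t:file { create write rename };` and `allow pki_ca_t cert_t:lnk_file { create rename };`.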