From cfec51819bd40f2795f0771a74714e0ce1135c26 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 25 Nov 2009 13:42:52 -0500 Subject: Add SELinux policy for CRL file publishing. This policy should really be provided by dogtag. We don't want to grant read/write access to everything dogtag can handle so we change the context to cert_t instead. But we have to let dogtag read/write that too hence this policy. To top it off we can't load this policy unless dogtag is also loaded so we insert it in the IPA installer --- selinux/Makefile | 3 ++- selinux/ipa_dogtag/ipa_dogtag.fc | 1 + selinux/ipa_dogtag/ipa_dogtag.te | 29 +++++++++++++++++++++++++++++ 3 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 selinux/ipa_dogtag/ipa_dogtag.fc create mode 100644 selinux/ipa_dogtag/ipa_dogtag.te (limited to 'selinux') diff --git a/selinux/Makefile b/selinux/Makefile index 6780a8b48..62b7bf7ed 100644 --- a/selinux/Makefile +++ b/selinux/Makefile @@ -1,4 +1,4 @@ -SUBDIRS = ipa_kpasswd ipa_httpd +SUBDIRS = ipa_kpasswd ipa_httpd ipa_dogtag POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted @@ -23,6 +23,7 @@ install: all install -d $(POLICY_DIR) install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR) install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR) + install -m 644 ipa_dogtag/ipa_dogtag.pp $(POLICY_DIR) load: /usr/sbin/semodule -i ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp diff --git a/selinux/ipa_dogtag/ipa_dogtag.fc b/selinux/ipa_dogtag/ipa_dogtag.fc new file mode 100644 index 000000000..58a4b3e82 --- /dev/null +++ b/selinux/ipa_dogtag/ipa_dogtag.fc @@ -0,0 +1 @@ +/var/lib/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0) diff --git a/selinux/ipa_dogtag/ipa_dogtag.te b/selinux/ipa_dogtag/ipa_dogtag.te new file mode 100644 index 000000000..b3fce00da --- /dev/null +++ b/selinux/ipa_dogtag/ipa_dogtag.te @@ -0,0 +1,29 @@ +module ipa_dogtag 1.2; + +require { + type httpd_t; + type cert_t; + type pki_ca_t; + class dir write; + class dir add_name; + class dir remove_name; + class file create; + class file write; + class file rename; + class lnk_file create; + class lnk_file rename; +} + +# Let dogtag write to cert_t directories +allow pki_ca_t cert_t:dir write; +allow pki_ca_t cert_t:dir add_name; +allow pki_ca_t cert_t:dir remove_name; + +# Let dogtag write cert_t files +allow pki_ca_t cert_t:file create; +allow pki_ca_t cert_t:file write; +allow pki_ca_t cert_t:file rename; + +# Let dogtag manage cert_t symbolic links +allow pki_ca_t cert_t:lnk_file create; +allow pki_ca_t cert_t:lnk_file rename; -- cgit