From 4ae483600f77cea2449cb63d8298ad8763904068 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: May 27 2010 14:50:13 +0000 Subject: Move the dogtag SELinux rules loading into the spec file I couldn't put the dogtag rules into the spec file until we required dogtag as a component. If it wasn't pre-loaded them the rules loading would fail because types would be missing. --- diff --git a/ipa.spec.in b/ipa.spec.in index e76b358..3e677e4 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -330,7 +330,7 @@ if [ -s /etc/selinux/config ]; then fi %post server-selinux -semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp +semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp . %{_sysconfdir}/selinux/config FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts selinuxenabled @@ -352,7 +352,7 @@ fi %postun server-selinux if [ $1 = 0 ]; then -semodule -s targeted -r ipa_kpasswd ipa_httpd +semodule -s targeted -r ipa_kpasswd ipa_httpd ipa_dogtag . %{_sysconfdir}/selinux/config FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts selinuxenabled @@ -497,6 +497,9 @@ fi %endif %changelog +* Mon May 17 2010 Rob Crittenden - 1.99-21 +- Load ipa_dogtag.pp in post install + * Mon Apr 26 2010 Rob Crittenden - 1.99-20 - Set minimum level of sssd to 1.1.1 to pull in required hbac fixes. diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index e3c4fbd..11e896b 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
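Review bot: The %post scriptlet now loads ipa_dogtag.pp inside the same `semodule -s targeted -i ...` invocation as the other two modules, but nothing checks the exit status, so a failed load (the commit message itself says the load fails when the dogtag types are not present) is silent, and the installer-side check for a loaded ipa_dogtag module is removed from cainstance.py in this same commit. Because the module needs dogtag's types in the policy at scriptlet time, the server-selinux subpackage needs a scriptlet-time dependency on the dogtag package (`Requires(post):`), which this hunk does not show; worth confirming it exists elsewhere in the spec. Loading the dogtag module on its own line keeps a failure of that one module from also blocking ipa_kpasswd.pp and ipa_httpd.pp (semodule appears to stage the whole list as one transaction) and lets the failure be reported, e.g. `semodule -s targeted -i /usr/share/selinux/targeted/ipa_dogtag.pp || echo "ipa_dogtag SELinux module failed to load" >&2`. The same missing status check applies to the `semodule -s targeted -r ...` line in the %postun hunk, where one name that is not currently loaded can make the whole removal fail and leave all three modules installed.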
@@ -469,7 +469,6 @@ class CAInstance(service.Service): self.step("adding RA agent as a trusted user", self.__configure_ra) self.step("fixing RA database permissions", self.fix_ra_perms) self.step("setting up signing cert profile", self.__setup_sign_profile) - self.step("install SELinux policy", self.__setup_selinux) self.step("set up CRL publishing", self.__enable_crl_publish) self.step("configuring certificate server to start on boot", self.__enable) self.step("restarting certificate server", self.__restart_instance) @@ -1006,24 +1005,6 @@ class CAInstance(service.Service): ipautil.run(["/sbin/restorecon", publishdir]) - def __setup_selinux(self): - """ - This policy should probably be defined by dogtag but it grants - dogtag the ability to read/write cert_t files for CRL publishing. - """ - - # Start by checking to see if policy is already installed. - (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/semodule", "-l"]) - - # Ok, so stdout is a huge string of the output. Look through that - # for our policy - policy = stdout.find('ipa_dogtag') - if policy >= 0: - # Already loaded - return - - ipautil.run(["/usr/sbin/semodule", "-i", "/usr/share/selinux/targeted/ipa_dogtag.pp"]) - def set_subject_in_config(self, suffix): # dogtag ships with an IPA-specific profile that forces a subject # format. We need to update that template with our base subject @@ -1046,11 +1027,6 @@ class CAInstance(service.Service): except ipautil.CalledProcessError, e: logging.critical("failed to uninstall CA instance %s" % e) - try: - ipautil.run(["/usr/sbin/semodule", "-r", "ipa_dogtag"]) - except ipautil.CalledProcessError, e: - pass - pki_user = self.restore_state("user") user_exists = self.restore_state("user_exists") if not pki_user is None and not user_exists is None and not user_exists: diff --git a/selinux/ipa_dogtag/ipa_dogtag.te b/selinux/ipa_dogtag/ipa_dogtag.te index 937d9a2..3750e4d 100644 --- a/selinux/ipa_dogtag/ipa_dogtag.te +++ b/selinux/ipa_dogtag/ipa_dogtag.te 
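Review bot: Dropping the `install SELinux policy` step removes the only runtime check that the ipa_dogtag module is actually loaded before CRL publishing is enabled; with loading moved to the RPM %post scriptlet, a failed or skipped load is no longer detected by the installer, and `__enable_crl_publish` will configure publishing into the cert_t directory that this module exists to grant pki_ca_t access to. A cheap replacement is a check-only step that runs `semodule -l`, looks for `ipa_dogtag` as the removed code did, and logs a warning instead of installing the module, so an operator sees the problem at install time rather than through later denials. The CAInstance class and its step list continue outside this hunk.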
@@ -1,4 +1,4 @@ -module ipa_dogtag 1.3; +module ipa_dogtag 1.4; require { type httpd_t; @@ -15,6 +15,7 @@ require { class file rename; class lnk_file create; class lnk_file rename; + class lnk_file unlink; } # Let dogtag write to cert_t directories @@ -30,6 +31,7 @@ allow pki_ca_t cert_t:file rename; # Let dogtag manage cert_t symbolic links allow pki_ca_t cert_t:lnk_file create; allow pki_ca_t cert_t:lnk_file rename; +allow pki_ca_t cert_t:lnk_file unlink; # Let apache read the CRLs allow httpd_t pki_ca_var_lib_t:dir { search getattr };
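Review bot: The new `allow pki_ca_t cert_t:lnk_file unlink;` (with its `class lnk_file unlink;` declaration added to the require block in the previous hunk) lets the CA domain delete symlinks in every cert_t-labeled location, not only the CRL publishing directory; together with the existing create and rename rules, a compromised pki_ca_t process could remove or swap symlinks under cert_t paths unrelated to CRL publishing. Least privilege would be a dedicated file type for the publish directory (a file context entry for that path plus a small set of allow rules on that type) instead of widening pki_ca_t's access to cert_t as a whole. If the broad cert_t grant is intentional for now, the rule deserves a comment stating which publishing operation removes a cert_t symlink, since the existing comments only say the links are "managed".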