Generate CRLs and make them available from the IPA web server

install/conf/ipa.conf

@@ -41,6 +41,9 @@ Alias /ipa/errors "/usr/share/ipa/html"
 # For the MIT Windows config files
 Alias /ipa/config "/usr/share/ipa/html"
 
+# For CRL publishing
+Alias /ipa/crl "/var/lib/pki-ca/publish"
+
 <Location "/ipa/xml">
   AuthType Kerberos
   AuthName "Kerberos Login"
@@ -72,6 +75,13 @@ Alias /ipa/config "/usr/share/ipa/html"
   Allow from all
 </Directory>
 
+<Directory "/var/lib/pki-ca/publish">
+  AllowOverride None
+  Options Indexes FollowSymLinks
+  Satisfy Any
+  Allow from all
+</Directory>
+
 # Protect our CGIs
 <Directory /var/www/cgi-bin>
   AuthType Kerberos

ipa.spec.in

@@ -287,7 +287,7 @@ if [ -s /etc/selinux/config ]; then
 fi
 
 %post server-selinux
-semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp
+semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp
 . %{_sysconfdir}/selinux/config
 FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
 selinuxenabled
@@ -309,7 +309,7 @@ fi
 
 %postun server-selinux
 if [ $1 = 0 ]; then
-semodule -s targeted -r ipa_webgui ipa_kpasswd
+semodule -s targeted -r ipa_webgui ipa_kpasswd ipa_httpd
 . %{_sysconfdir}/selinux/config
 FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
 selinuxenabled
@@ -376,6 +376,7 @@ fi
 %files server-selinux
 %{_usr}/share/selinux/targeted/ipa_webgui.pp
 %{_usr}/share/selinux/targeted/ipa_kpasswd.pp
+%{_usr}/share/selinux/targeted/ipa_httpd.pp
 
 %files client
 %doc LICENSE README
@@ -432,6 +433,9 @@ fi
 %endif
 
 %changelog
+* Mon Aug 24 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-7
+- Added httpd SELinux policy so CRLs can be read
+
 * Thu May 21 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-6
 - Move ipalib to ipa-python subpackage
 - Bump minimum version of slapi-nis to 0.15

ipaserver/install/cainstance.py

@@ -409,6 +409,7 @@ class CAInstance(service.Service):
             self.step("adding RA agent as a trusted user", self.__configure_ra)
         self.step("fixing RA database permissions", self.fix_ra_perms)
         self.step("setting up signing cert profile", self.__setup_sign_profile)
+        self.step("set up CRL publishing", self.__enable_crl_publish)
         self.step("configuring certificate server to start on boot", self.__enable)
         self.step("restarting certificate server", self.__restart_instance)
 
@@ -827,6 +828,51 @@ class CAInstance(service.Service):
         # Tell the profile to automatically issue certs for RAs
         installutils.set_directive('/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
 
+    def __enable_crl_publish(self):
+        """
+        Enable file-based CRL publishing and disable LDAP publishing.
+
+        http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html
+        """
+        caconfig = "/var/lib/pki-ca/conf/CS.cfg"
+
+        publishdir='/var/lib/pki-ca/publish'
+        os.mkdir(publishdir)
+        os.chmod(publishdir, 0755)
+        pent = pwd.getpwnam(self.pki_user)
+        os.chown(publishdir, pent.pw_uid, pent.pw_gid )
+
+
+        # Enable file publishing, disable LDAP
+        installutils.set_directive(caconfig, 'ca.publish.enable', 'true', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.ldappublish.enable', 'false', quotes=False, separator='=')
+
+        # Create the file publisher, der only, not b64
+        installutils.set_directive(caconfig, 'ca.publish.publisher.impl.FileBasedPublisher.class','com.netscape.cms.publish.publishers.FileBasedPublisher', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt', 'bin', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', publishdir, quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink', 'true', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName', 'FileBasedPublisher', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp', 'LocalTime', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs', 'false', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel', '9', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64', 'false', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der', 'true', quotes=False, separator='=')
+
+        # The publishing rule
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.enable', 'true', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.mapper', 'NoMap', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.pluginName', 'Rule', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.predicate=', '', quotes=False, separator='')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.publisher', 'FileBaseCRLPublisher', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.type', 'crl', quotes=False, separator='=')
+
+        # Now disable LDAP publishing
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapCaCertRule.enable', 'false', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapCrlRule.enable', 'false', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapUserCertRule.enable', 'false', quotes=False, separator='=')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=')
+
     def uninstall(self):
         try:
             ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib",

selinux/Makefile

@@ -1,4 +1,4 @@
-SUBDIRS = ipa_webgui ipa_kpasswd
+SUBDIRS = ipa_webgui ipa_kpasswd ipa_httpd
 POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
 POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
 
@@ -23,6 +23,7 @@ install: all
 	install -d $(POLICY_DIR)
 	install -m 644 ipa_webgui/ipa_webgui.pp $(POLICY_DIR)
 	install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
+	install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
 
 load:
-	/usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp
+	/usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp

selinux/ipa_httpd/ipa_httpd.te

@@ -0,0 +1,16 @@
+module ipa_httpd 1.0;
+
+require {
+        type pki_ca_var_lib_t;
+        type httpd_t;
+        class lnk_file { read getattr };
+        class dir { read search open getattr };
+        class file { getattr read open execute };
+}
+
+# Let Apache read the directories within the certificate authority
+# so it can read the published CRLs.
+allow httpd_t pki_ca_var_lib_t:dir { read search open getattr };
+allow httpd_t pki_ca_var_lib_t:file { read getattr open };
+allow httpd_t pki_ca_var_lib_t:lnk_file { read getattr };
+