Move the dogtag SELinux rules loading into the spec file

I couldn't put the dogtag rules into the spec file until we required
dogtag as a component. If it wasn't pre-loaded them the rules loading
would fail because types would be missing.

ipa.spec.in

@@ -330,7 +330,7 @@ if [ -s /etc/selinux/config ]; then
 fi
 
 %post server-selinux
-semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp
+semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
 . %{_sysconfdir}/selinux/config
 FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
 selinuxenabled
@@ -352,7 +352,7 @@ fi
 
 %postun server-selinux
 if [ $1 = 0 ]; then
-semodule -s targeted -r ipa_kpasswd ipa_httpd
+semodule -s targeted -r ipa_kpasswd ipa_httpd ipa_dogtag
 . %{_sysconfdir}/selinux/config
 FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
 selinuxenabled
@@ -497,6 +497,9 @@ fi
 %endif
 
 %changelog
+* Mon May 17 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-21
+- Load ipa_dogtag.pp in post install
+
 * Mon Apr 26 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-20
 - Set minimum level of sssd to 1.1.1 to pull in required hbac fixes.
 

ipaserver/install/cainstance.py

@@ -469,7 +469,6 @@ class CAInstance(service.Service):
                 self.step("adding RA agent as a trusted user", self.__configure_ra)
             self.step("fixing RA database permissions", self.fix_ra_perms)
             self.step("setting up signing cert profile", self.__setup_sign_profile)
-            self.step("install SELinux policy", self.__setup_selinux)
             self.step("set up CRL publishing", self.__enable_crl_publish)
             self.step("configuring certificate server to start on boot", self.__enable)
             self.step("restarting certificate server", self.__restart_instance)
@@ -1006,24 +1005,6 @@ class CAInstance(service.Service):
 
         ipautil.run(["/sbin/restorecon", publishdir])
 
-    def __setup_selinux(self):
-        """
-        This policy should probably be defined by dogtag but it grants
-        dogtag the ability to read/write cert_t files for CRL publishing.
-        """
-
-        # Start by checking to see if policy is already installed.
-        (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/semodule", "-l"])
-
-        # Ok, so stdout is a huge string of the output. Look through that
-        # for our policy
-        policy = stdout.find('ipa_dogtag')
-        if policy >= 0:
-            # Already loaded
-            return
-
-        ipautil.run(["/usr/sbin/semodule", "-i", "/usr/share/selinux/targeted/ipa_dogtag.pp"])
-
     def set_subject_in_config(self, suffix):
         # dogtag ships with an IPA-specific profile that forces a subject
         # format. We need to update that template with our base subject
@@ -1046,11 +1027,6 @@ class CAInstance(service.Service):
         except ipautil.CalledProcessError, e:
             logging.critical("failed to uninstall CA instance %s" % e)
 
-        try:
-            ipautil.run(["/usr/sbin/semodule", "-r", "ipa_dogtag"])
-        except ipautil.CalledProcessError, e:
-            pass
-
         pki_user = self.restore_state("user")
         user_exists = self.restore_state("user_exists")
         if not pki_user is None and not user_exists is None and not user_exists:

selinux/ipa_dogtag/ipa_dogtag.te

@@ -1,4 +1,4 @@
-module ipa_dogtag 1.3;
+module ipa_dogtag 1.4;
 
 require {
 	type httpd_t;
@@ -15,6 +15,7 @@ require {
 	class file rename;
 	class lnk_file create;
 	class lnk_file rename;
+	class lnk_file unlink;
 }
 
 # Let dogtag write to cert_t directories
@@ -30,6 +31,7 @@ allow pki_ca_t cert_t:file rename;
 # Let dogtag manage cert_t symbolic links
 allow pki_ca_t cert_t:lnk_file create;
 allow pki_ca_t cert_t:lnk_file rename;
+allow pki_ca_t cert_t:lnk_file unlink;
 
 # Let apache read the CRLs
 allow httpd_t pki_ca_var_lib_t:dir { search getattr };