IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

SELinux: Add dedicated policy for ipa-pki-retrieve-key

Browse Source 
Add proper labeling, transition and policy for ipa-pki-retrieve-key.
Make sure tomcat_t can execute ipa-pki-retrieve-key.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
This commit is contained in:
François Cami
2020-09-18 11:55:37 +02:00
parent dfeea1644a
commit 7823da0630
2 changed files with 29 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
selinux/ipa.fc
View File

@@ -30,5 +30,6 @@
/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
/usr/libexec/ipa/custodia/ipa-custodia-ra-agent -- gen_context(system_u:object_r:ipa_custodia_ra_agent_exec_t,s0)
/usr/libexec/ipa/ipa-pki-retrieve-key -- gen_context(system_u:object_r:ipa_pki_retrieve_key_exec_t,s0)
/var/log/ipa-custodia.audit.log(/.*)? -- gen_context(system_u:object_r:ipa_custodia_log_t,s0)

28
selinux/ipa.te
View File

@@ -75,6 +75,9 @@ files_tmp_file(ipa_custodia_tmp_t)
type pki_tomcat_cert_t;
type node_t;
type ipa_pki_retrieve_key_exec_t;
init_script_file(ipa_pki_retrieve_key_exec_t)
########################################
#
# ipa_otpd local policy
@@ -412,3 +415,28 @@ optional_policy(`
optional_policy(`
systemd_private_tmp(ipa_custodia_tmp_t)
')
optional_policy(`
gen_require(`
type tomcat_t;
')
can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
')
optional_policy(`
gen_require(`
type devlog_t;
')
dontaudit ipa_custodia_t devlog_t:lnk_file read_lnk_file_perms;
')
optional_policy(`
java_exec(ipa_custodia_pki_tomcat_exec_t)
# allow Java to read system status and RNG
dev_read_urand(ipa_custodia_t)
dev_read_rand(ipa_custodia_t)
kernel_read_network_state(ipa_custodia_t)
dev_read_sysfs(ipa_custodia_t)
')