Update SELinux policy for dogtag10

Incorporate SELinux policy changes introduced in Dogtag 10 in IPA
SELinux policy:
- dogtag10 now runs with pki_tomcat_t context instead of pki_ca_t
- certmonger related rule are now integrated in system policy and
  can be removed from IPA policy

Also remove redundant SELinux rules for connection of httpd_t, krb5kdc_t
or named_t to DS socket. The socket has different target type anyway
(dirsrv_var_run_t) and the policy allowing this is already in
system.

https://fedorahosted.org/freeipa/ticket/3234
This commit is contained in:
Martin Kosek 2012-11-02 12:58:40 +01:00 committed by Rob Crittenden
parent 0833f594c1
commit c8d522bc98
2 changed files with 13 additions and 37 deletions

View File

@ -1,11 +1,8 @@
module ipa_dogtag 1.5;
module ipa_dogtag 2.0;
require {
type httpd_t;
type cert_t;
type pki_ca_t;
type pki_ca_var_lib_t;
type certmonger_t;
type pki_tomcat_t;
class dir write;
class dir add_name;
class dir remove_name;
@ -23,23 +20,16 @@ require {
}
# Let dogtag write to cert_t directories
allow pki_ca_t cert_t:dir write;
allow pki_ca_t cert_t:dir add_name;
allow pki_ca_t cert_t:dir remove_name;
allow pki_tomcat_t cert_t:dir write;
allow pki_tomcat_t cert_t:dir add_name;
allow pki_tomcat_t cert_t:dir remove_name;
# Let dogtag write cert_t files
allow pki_ca_t cert_t:file create;
allow pki_ca_t cert_t:file write;
allow pki_ca_t cert_t:file rename;
allow pki_tomcat_t cert_t:file create;
allow pki_tomcat_t cert_t:file write;
allow pki_tomcat_t cert_t:file rename;
# Let dogtag manage cert_t symbolic links
allow pki_ca_t cert_t:lnk_file create;
allow pki_ca_t cert_t:lnk_file rename;
allow pki_ca_t cert_t:lnk_file unlink;
# Let apache read the CRLs
allow httpd_t pki_ca_var_lib_t:dir { search getattr };
# Let certmonger manage the dogtag certificate database for renewals
allow certmonger_t pki_ca_var_lib_t:dir { search getattr} ;
allow certmonger_t pki_ca_var_lib_t:file { read write getattr open };
allow pki_tomcat_t cert_t:lnk_file create;
allow pki_tomcat_t cert_t:lnk_file rename;
allow pki_tomcat_t cert_t:lnk_file unlink;

View File

@ -1,25 +1,11 @@
module ipa_httpd 1.2;
module ipa_httpd 2.0;
require {
type httpd_t;
type named_t;
type initrc_t;
type var_run_t;
type krb5kdc_t;
type cert_t;
class sock_file write;
class unix_stream_socket connectto;
class file write;
}
# Let Apache, bind and the KDC talk to DS over ldapi
allow httpd_t var_run_t:sock_file write;
allow httpd_t initrc_t:unix_stream_socket connectto;
allow krb5kdc_t var_run_t:sock_file write;
allow krb5kdc_t initrc_t:unix_stream_socket connectto;
allow named_t var_run_t:sock_file write;
allow named_t initrc_t:unix_stream_socket connectto;
# Let Apache access the NSS certificate database so it can issue certs
# See ipa_httpd.fe for the list of files that are granted write access
# See ipa_httpd.fc for the list of files that are granted write access
allow httpd_t cert_t:file write;