Add SELinux subpackage for Thales Luna HSM support

This is simple, a port needs to be available to certmonger
to communicate during renewals of CA subsystem certificats.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

Makefile.am

@@ -37,6 +37,7 @@ SUBDIRS = \
         pypi \
         selinux \
         selinux/nfast \
+        selinux/luna \
         $(PYTHON_SUBDIRS) \
         $(SERVER_SUBDIRS) \
         $(NULL)

configure.ac

@@ -689,6 +689,7 @@ AC_CONFIG_FILES([
     po/Makefile.hack
     selinux/Makefile
     selinux/nfast/Makefile
+    selinux/luna/Makefile
     util/Makefile
 ])
 

freeipa.spec.in

@@ -1006,6 +1006,16 @@ Requires(post):      selinux-policy-%{selinuxtype}
 
 %description selinux-nfast
 Custom SELinux policy module for nCipher nfast HSMs
+
+%package selinux-luna
+Summary:             FreeIPA SELinux policy for Thales Luna HSMs
+BuildArch:           noarch
+Requires:            selinux-policy-%{selinuxtype}
+Requires(post):      selinux-policy-%{selinuxtype}
+%{?selinux_requires}
+
+%description selinux-luna
+Custom SELinux policy module for Thales Luna HSMs
 # with selinux
 %endif
 
@@ -1325,6 +1335,9 @@ semodule -d ipa_custodia &> /dev/null || true;
 %post selinux-nfast
 %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}-nfast.pp.bz2
 
+%post selinux-luna
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}-luna.pp.bz2
+
 %postun selinux
 if [ $1 -eq 0 ]; then
     %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
@@ -1336,6 +1349,10 @@ if [ $1 -eq 0 ]; then
     %selinux_modules_uninstall -s %{selinuxtype} %{modulename}-nfast
 fi
 
+%postun selinux-luna
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}-luna
+
 %posttrans selinux
 %selinux_relabel_post -s %{selinuxtype}
 # with_selinux
@@ -1796,6 +1813,10 @@ fi
 %files selinux-nfast
 %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}-nfast.pp.*
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}-nfast
+
+%files selinux-luna
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}-luna.pp.*
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}-luna
 # with selinux
 %endif
 

selinux/luna/Makefile.am

@@ -0,0 +1,33 @@
+SELINUXTYPE = targeted
+NULL =
+
+if BUILD_SELINUX_POLICY
+MODULE = ipa-luna.pp.bz2
+MODULE_IF = ipa-luna.if
+else
+MODULE =
+MODULE_IF =
+endif
+
+dist_noinst_DATA =	\
+	ipa-luna.te	\
+	$(NULL)
+
+# selinuxincludedir = $(datarootdir)/selinux/devel/include/contrib
+# nodist_selinuxinclude_DATA = \
+#	$(MODULE_IF)			\
+#	$(NULL)
+
+selinuxpolicydir = $(datarootdir)/selinux/packages/$(SELINUXTYPE)
+nodist_selinuxpolicy_DATA =	\
+	$(MODULE)				\
+	$(NULL)
+
+%.pp.bz2: %.pp
+	bzip2 -f -9 $^
+
+%.pp: %.te
+	make -f $(selinux_makefile) $@
+
+clean-local:
+	rm -f *~  *.tc *.pp *.pp.bz2

selinux/luna/ipa-luna.te

@@ -0,0 +1,9 @@
+policy_module(ipa-luna, 1.0.0)
+
+require {
+    type certmonger_t;
+    type ibm_dt_2_port_t;
+    class tcp_socket name_connect;
+}
+
+allow certmonger_t ibm_dt_2_port_t:tcp_socket name_connect;