Red Hat Bugzilla – Attachment 294221 Details for
Bug 429999
SELinux policies for all server components
[patch]
patch submitted by Dan Walsh
ipa-selinux.diff.dan (text/plain), 14.28 KB, created by
Rob Crittenden
on 2008-02-07 15:59:55 UTC
Description:
patch submitted by Dan Walsh
Filename:
MIME Type:
Creator:
Rob Crittenden
Created:
2008-02-07 15:59:55 UTC
Size:
14.28 KB
patch
obsolete
># HG changeset patch ># User "Karl MacMillan <kmacmill@redhat.com>" ># Date 1200599152 18000 ># Node ID 7713ece9969f3457e79b3913ef9763dccaa7411c ># Parent 3443b4ae123479a1738253714e6b15a899d96ba9 >[mq]: selinux > >diff -r 3443b4ae1234 -r 7713ece9969f Makefile >--- a/Makefile Fri Jan 11 11:57:36 2008 +0000 >+++ b/Makefile Thu Jan 17 14:45:52 2008 -0500 >@@ -1,4 +1,4 @@ SUBDIRS=ipa-server ipa-admintools ipa-py >-SUBDIRS=ipa-server ipa-admintools ipa-python ipa-client ipa-radius-server ipa-radius-admintools >+SUBDIRS=ipa-server ipa-admintools ipa-python ipa-client ipa-radius-server ipa-radius-admintools ipa-server-selinux > > PRJ_PREFIX=ipa > >@@ -49,6 +49,14 @@ RADIUS_ADMINTOOLS_TARBALL_PREFIX=$(PRJ_P > RADIUS_ADMINTOOLS_TARBALL_PREFIX=$(PRJ_PREFIX)-radius-admintools-$(RADIUS_ADMINTOOLS_VERSION) > RADIUS_ADMINTOOLS_TARBALL=$(RADIUS_ADMINTOOLS_TARBALL_PREFIX).tgz > >+SERV_SELINUX_MAJOR=0 >+SERV_SELINUX_MINOR=6 >+SERV_SELINUX_RELEASE=0 >+SERV_SELINUX_VERSION=$(SERV_SELINUX_MAJOR).$(SERV_SELINUX_MINOR).$(SERV_SELINUX_RELEASE) >+SERV_SELINUX_TARBALL_PREFIX=$(PRJ_PREFIX)-server-selinux-$(SERV_SELINUX_VERSION) >+SERV_SELINUX_TARBALL=$(SERV_SELINUX_TARBALL_PREFIX).tgz >+ >+ > LIBDIR ?= /usr/lib > > all: bootstrap-autogen >@@ -96,6 +104,9 @@ version-update: > > sed s/VERSION/$(RADIUS_ADMINTOOLS_VERSION)/ ipa-radius-admintools/ipa-radius-admintools.spec.in \ > > ipa-radius-admintools/ipa-radius-admintools.spec >+ >+ sed s/VERSION/$(SERV_SELINUX_VERSION)/ ipa-server-selinux/ipa-server-selinux.spec.in \ >+ > ipa-server-selinux/ipa-server-selinux.spec > > > archive: 
>@@ -152,6 +163,12 @@ tarballs: > cd dist; tar cfz sources/$(RADIUS_ADMINTOOLS_TARBALL) $(RADIUS_ADMINTOOLS_TARBALL_PREFIX) > rm -fr dist/$(RADIUS_ADMINTOOLS_TARBALL_PREFIX) > >+ # ipa-server-selinux >+ mv dist/ipa/ipa-server-selinux dist/$(SERV_SELINUX_TARBALL_PREFIX) >+ rm -f dist/sources/$(SERV_SELINUX_TARBALL) >+ cd dist; tar cfz sources/$(SERV_SELINUX_TARBALL) $(SERV_SELINUX_TARBALL_PREFIX) >+ rm -fr dist/$(SERV_SELINUX_TARBALL_PREFIX) >+ > > rpmroot: > mkdir -p $(RPMBUILD)/BUILD >@@ -200,8 +217,13 @@ rpm-ipa-radius-admintools: > cp rpmbuild/RPMS/noarch/$(PRJ_PREFIX)-radius-admintools-$(RADIUS_ADMINTOOLS_VERSION)-*.rpm dist/rpms/ > cp rpmbuild/SRPMS/$(PRJ_PREFIX)-radius-admintools-$(RADIUS_ADMINTOOLS_VERSION)-*.src.rpm dist/srpms/ > >- >-rpms: rpmroot rpmdistdir rpm-ipa-server rpm-ipa-admin rpm-ipa-python rpm-ipa-client rpm-ipa-radius-server rpm-ipa-radius-admintools >+rpm-ipa-server-selinux: >+ cp dist/sources/$(SERV_SELINUX_TARBALL) $(RPMBUILD)/SOURCES/. >+ rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-server-selinux/ipa-server-selinux.spec >+ cp rpmbuild/RPMS/*/$(PRJ_PREFIX)-server-selinux-$(SERV_SELINUX_VERSION)-*.rpm dist/rpms/ >+ cp rpmbuild/SRPMS/$(PRJ_PREFIX)-server-selinux-$(SERV_SELINUX_VERSION)-*.src.rpm dist/srpms/ >+ >+rpms: rpmroot rpmdistdir rpm-ipa-server rpm-ipa-admin rpm-ipa-python rpm-ipa-client rpm-ipa-radius-server rpm-ipa-radius-admintools rpm-ipa-server-selinux > > repodata: > -createrepo -p dist >diff -r 3443b4ae1234 -r 7713ece9969f ipa-server-selinux/Makefile >--- /dev/null Thu Jan 01 00:00:00 1970 +0000 >+++ b/ipa-server-selinux/Makefile Thu Jan 17 14:45:52 2008 -0500 
>@@ -0,0 +1,21 @@ >+SUBDIRS = ipa-webgui ipa-kpasswd >+POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile >+POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted >+ >+all: >+ @for subdir in $(SUBDIRS); do \ >+ (cd $$subdir && $(MAKE) -f $(POLICY_MAKEFILE) $@) || exit 1; \ >+ done >+ >+clean: >+ @for subdir in $(SUBDIRS); do \ >+ (cd $$subdir && $(MAKE) -f $(POLICY_MAKEFILE) $@) || exit 1; \ >+ done >+ >+install: all >+ install -m 644 ipa-webgui/ipa-webgui.pp $(POLICY_DIR) >+ install -m 644 ipa-kpasswd/ipa-kpasswd.pp $(POLICY_DIR) >+ >+load: >+ /usr/sbin/semodule -i ipa-webgui/ipa-webgui.pp ipa-kpasswd/ipa-kpasswd.pp >+ >diff -r 3443b4ae1234 -r 7713ece9969f ipa-server-selinux/ipa-kpasswd/ipa-kpasswd.fc >--- /dev/null Thu Jan 01 00:00:00 1970 +0000 >+++ b/ipa-server-selinux/ipa-kpasswd/ipa-kpasswd.fc Thu Jan 17 14:45:52 2008 -0500 >@@ -0,0 +1,1 @@ >+/usr/sbin/ipa_kpasswd -- gen_context(system_u:object_r:ipa_kpasswd_exec_t,s0) >diff -r 3443b4ae1234 -r 7713ece9969f ipa-server-selinux/ipa-kpasswd/ipa-kpasswd.te >--- /dev/null Thu Jan 01 00:00:00 1970 +0000 >+++ b/ipa-server-selinux/ipa-kpasswd/ipa-kpasswd.te Thu Jan 17 14:45:52 2008 -0500 
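Review bot: The `install` target in ipa-server-selinux/Makefile copies each `.pp` module into `$(POLICY_DIR)` without creating that directory first, so a standalone `make install` into an empty DESTDIR would, as far as I can tell, create a regular file named `targeted` rather than populate a directory. The spec file masks this with its own `install -d`, but the Makefile should not rely on it; add `install -d $(POLICY_DIR)` as the first recipe line of `install`. The `load` target also runs `semodule -i` on the build-tree modules without depending on `all`, so `load: all` would avoid loading stale or missing modules.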
>@@ -0,0 +1,46 @@ >+policy_module(ipa-kpasswd, 1.0) >+ >+######################################## >+# >+# Declarations >+# >+ >+type ipa_kpasswd_t; >+type ipa_kpasswd_exec_t; >+init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t) >+ >+######################################## >+# >+# IPA kpasswd local policy >+# >+ >+allow ipa_kpasswd_t self:tcp_socket create_stream_socket_perms; >+allow ipa_kpasswd_t self:udp_socket create_socket_perms; >+ >+files_read_etc_files(ipa_kpasswd_t) >+files_search_usr(ipa_kpasswd_t) >+ >+auth_use_nsswitch(ipa_kpasswd_t) >+ >+libs_use_ld_so(ipa_kpasswd_t) >+libs_use_shared_libs(ipa_kpasswd_t) >+ >+logging_send_syslog_msg(ipa_kpasswd_t) >+ >+miscfiles_read_localization(ipa_kpasswd_t) >+ >+kerberos_use(ipa_kpasswd_t) >+ >+corenet_tcp_sendrecv_all_if(ipa_kpasswd_t) >+corenet_udp_sendrecv_all_if(ipa_kpasswd_t) >+corenet_raw_sendrecv_all_if(ipa_kpasswd_t) >+corenet_tcp_sendrecv_all_nodes(ipa_kpasswd_t) >+corenet_udp_sendrecv_all_nodes(ipa_kpasswd_t) >+corenet_raw_sendrecv_all_nodes(ipa_kpasswd_t) >+corenet_tcp_sendrecv_all_ports(ipa_kpasswd_t) >+corenet_udp_sendrecv_all_ports(ipa_kpasswd_t) >+corenet_all_recvfrom_unlabeled(ipa_kpasswd_t) >+corenet_tcp_bind_all_nodes(ipa_kpasswd_t) >+corenet_udp_bind_all_nodes(ipa_kpasswd_t) >+corenet_tcp_bind_kerberos_admin_port(ipa_kpasswd_t) >+corenet_udp_bind_kerberos_admin_port(ipa_kpasswd_t) >diff -r 3443b4ae1234 -r 7713ece9969f ipa-server-selinux/ipa-server-selinux.spec >--- /dev/null Thu Jan 01 00:00:00 1970 +0000 >+++ b/ipa-server-selinux/ipa-server-selinux.spec Thu Jan 17 14:45:52 2008 -0500 
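Review bot: The network rules in ipa-kpasswd.te are wider than the sockets the domain may create. Only `self:tcp_socket` and `self:udp_socket` are allowed, yet `corenet_raw_sendrecv_all_if` and `corenet_raw_sendrecv_all_nodes` are granted, and send/receive is opened on all ports although the only bind is to the kerberos admin port. For least privilege I would drop the two raw lines and justify the all-ports rules in a comment such as `# TODO: narrow corenet_*_sendrecv_all_ports to the ports this daemon actually uses`. The same corenet block is repeated in ipa-webgui.te and deserves the same trimming.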
>@@ -0,0 +1,74 @@ >+Name: ipa-server-selinux >+Version: 0.6.0 >+Release: 1%{?dist} >+Summary: Ipa authentication server selinux policies >+ >+Group: System Environment/Base >+License: GPL >+URL: http://www.freeipa.org >+Source0: %{name}-%{version}.tgz >+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) >+ >+BuildRequires: selinux-policy-devel m4 make policycoreutils >= %{POLICYCOREUTILSVER} >+Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >= 2.0.14-3 >+ >+%description >+SELinux policy for ipa-server >+ >+%prep >+%setup >+ >+%build >+make >+ >+%clean >+%{__rm} -fR %{buildroot} >+ >+%install >+%{__rm} -fR %{buildroot} >+install -d %{buildroot}/%{_usr}/share/selinux/targeted/ >+make DESTDIR=%{buildroot} install >+ >+%files >+%{_usr}/share/selinux/targeted/ipa-webgui.pp >+%{_usr}/share/selinux/targeted/ipa-kpasswd.pp >+ >+%define saveFileContext() \ >+if [ -s /etc/selinux/config ]; then \ >+ . %{_sysconfdir}/selinux/config; \ >+ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ >+ if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \ >+ cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \ >+ fi \ >+fi; >+ >+%define relabel() \ >+. %{_sysconfdir}/selinux/config; \ >+FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ >+selinuxenabled; \ >+if [ $? 
== 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \ >+ fixfiles -C ${FILE_CONTEXT}.%{name} restore; \ >+ rm -f ${FILE_CONTEXT}.%name; \ >+fi; >+ >+%pre >+%saveFileContext targeted >+ >+%post >+semodule -s targeted -i /usr/share/selinux/targeted/ipa-webgui.pp /usr/share/selinux/targeted/ipa-kpasswd.pp >+%relabel targeted >+ >+%preun >+if [ $1 = 0 ]; then >+%saveFileContext targeted >+fi >+ >+%postun >+if [ $1 = 0 ]; then >+semodule -s targeted -r ipa-webgui ipa-kpasswd >+%relabel targeted >+fi >+ >+%changelog >+* Thu Jan 17 2008 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1 >+- Initial version >diff -r 3443b4ae1234 -r 7713ece9969f ipa-server-selinux/ipa-server-selinux.spec.in >--- /dev/null Thu Jan 01 00:00:00 1970 +0000 >+++ b/ipa-server-selinux/ipa-server-selinux.spec.in Thu Jan 17 14:45:52 2008 -0500 
>@@ -0,0 +1,74 @@ >+Name: ipa-server-selinux >+Version: VERSION >+Release: 1%{?dist} >+Summary: Ipa authentication server selinux policies >+ >+Group: System Environment/Base >+License: GPL >+URL: http://www.freeipa.org >+Source0: %{name}-%{version}.tgz >+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) >+ >+BuildRequires: selinux-policy-devel m4 make policycoreutils >= %{POLICYCOREUTILSVER} >+Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >+ >+%description >+SELinux policy for ipa-server >+ >+%prep >+%setup >+ >+%build >+make >+ >+%clean >+%{__rm} -fR %{buildroot} >+ >+%install >+%{__rm} -fR %{buildroot} >+install -d %{buildroot}/%{_usr}/share/selinux/targeted/ >+make DESTDIR=%{buildroot} install >+ >+%files >+%{_usr}/share/selinux/targeted/ipa-webgui.pp >+%{_usr}/share/selinux/targeted/ipa-kpasswd.pp >+ >+%define saveFileContext() \ >+if [ -s /etc/selinux/config ]; then \ >+ . %{_sysconfdir}/selinux/config; \ >+ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ >+ if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \ >+ cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \ >+ fi \ >+fi; >+ >+%define relabel() \ >+. %{_sysconfdir}/selinux/config; \ >+FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ >+selinuxenabled; \ >+if [ $? 
== 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \ >+ fixfiles -C ${FILE_CONTEXT}.%{name} restore; \ >+ rm -f ${FILE_CONTEXT}.%name; \ >+fi; >+ >+%pre >+%saveFileContext targeted >+ >+%post >+semodule -s targeted -i /usr/share/selinux/targeted/ipa-webgui.pp /usr/share/selinux/targeted/ipa-kpasswd.pp >+%relabel targeted >+ >+%preun >+if [ $1 = 0 ]; then >+%saveFileContext targeted >+fi >+ >+%postun >+if [ $1 = 0 ]; then >+semodule -s targeted -r ipa-webgui ipa-kpasswd >+%relabel targeted >+fi >+ >+%changelog >+* Thu Jan 17 2008 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1 >+- Initial version >diff -r 3443b4ae1234 -r 7713ece9969f ipa-server-selinux/ipa-webgui/ipa-webgui.fc >--- /dev/null Thu Jan 01 00:00:00 1970 +0000 >+++ b/ipa-server-selinux/ipa-webgui/ipa-webgui.fc Thu Jan 17 14:45:52 2008 -0500 >@@ -0,0 +1,10 @@ >+# >+# /usr >+# >+/usr/sbin/ipa-webgui -- gen_context(system_u:object_r:ipa_webgui_exec_t,s0) >+ >+ >+# >+# /var >+# >+/var/log/ipa_error\.log -- gen_context(system_u:object_r:ipa_webgui_log_t,s0) >diff -r 3443b4ae1234 -r 7713ece9969f ipa-server-selinux/ipa-webgui/ipa-webgui.te >--- /dev/null Thu Jan 01 00:00:00 1970 +0000 >+++ b/ipa-server-selinux/ipa-webgui/ipa-webgui.te Thu Jan 17 14:45:52 2008 -0500 
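Review bot: `%{POLICYCOREUTILSVER}` is used in both `BuildRequires` and `Requires(pre)` but is never defined in this 74-line spec template, so the version bound is presumably left unexpanded and the dependency is either rejected or meaningless. Add a `%define POLICYCOREUTILSVER <minimum-version>` near the top (placeholder; the real minimum is not on the page). The template also carries a bare `libsemanage` while the checked-in ipa-server-selinux.spec has `libsemanage >= 2.0.14-3`; since `version-update` regenerates the spec from this file, that bound would be lost on the next regeneration. In `%relabel`, `. %{_sysconfdir}/selinux/config` runs without the `-s` guard that `%saveFileContext` has, and the `semodule` call in `%post` is not checked, so a failed module load on a host without a usable SELinux config would go unnoticed or break the scriptlet.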
>@@ -0,0 +1,75 @@ >+policy_module(ipa-webgui, 1.0) >+ >+######################################## >+# >+# Declarations >+# >+ >+type ipa_webgui_t; >+type ipa_webgui_exec_t; >+init_daemon_domain(ipa_webgui_t, ipa_webgui_exec_t) >+ >+type ipa_webgui_log_t; >+logging_log_file(ipa_webgui_log_t) >+ >+######################################## >+# >+# IPA webgui local policy >+# >+ >+allow ipa_webgui_t self:tcp_socket create_stream_socket_perms; >+allow ipa_webgui_t self:udp_socket create_socket_perms; >+allow ipa_webgui_t self:process setfscreate; >+ >+# This is how the kerberos credential cache is passed to >+# the ipa-webgui process. Unfortunately, the kerberos >+# libraries seem to insist that it be open rw. To top it >+# all off there is no interface for this either. >+require { >+ type httpd_tmp_t; >+} >+allow ipa_webgui_t httpd_tmp_t:file read_file_perms; >+dontaudit ipa_webgui_t httpd_tmp_t:file write; >+ >+apache_search_sys_content(ipa_webgui_t) >+apache_read_config(ipa_webgui_t) >+ >+corecmd_list_bin(ipa_webgui_t) >+ >+miscfiles_read_localization(ipa_webgui_t) >+ >+files_list_usr(ipa_webgui_t) >+files_read_etc_files(ipa_webgui_t) >+files_read_usr_files(ipa_webgui_t) >+files_read_usr_symlinks(ipa_webgui_t) >+files_search_etc(ipa_webgui_t) >+files_search_tmp(ipa_webgui_t) >+ >+kerberos_read_config(ipa_webgui_t) >+ >+kernel_read_system_state(ipa_webgui_t) >+ >+auth_use_nsswitch(ipa_webgui_t) >+ >+libs_use_ld_so(ipa_webgui_t) >+libs_use_shared_libs(ipa_webgui_t) >+ >+logging_search_logs(ipa_webgui_t) >+logging_log_filetrans(ipa_webgui_t,ipa_webgui_log_t,file) >+allow ipa_webgui_t ipa_webgui_log_t:file rw_file_perms; >+ >+corenet_tcp_sendrecv_all_if(ipa_webgui_t) >+corenet_udp_sendrecv_all_if(ipa_webgui_t) >+corenet_raw_sendrecv_all_if(ipa_webgui_t) >+corenet_tcp_sendrecv_all_nodes(ipa_webgui_t) >+corenet_udp_sendrecv_all_nodes(ipa_webgui_t) >+corenet_raw_sendrecv_all_nodes(ipa_webgui_t) >+corenet_tcp_sendrecv_all_ports(ipa_webgui_t) 
>+corenet_udp_sendrecv_all_ports(ipa_webgui_t) >+corenet_all_recvfrom_unlabeled(ipa_webgui_t) >+corenet_tcp_bind_all_nodes(ipa_webgui_t) >+corenet_udp_bind_all_nodes(ipa_webgui_t) >+corenet_tcp_bind_http_cache_port(ipa_webgui_t) >+corenet_tcp_connect_http_cache_port(ipa_webgui_t) >+corenet_tcp_connect_ldap_port(ipa_webgui_t) >+ >diff -r 3443b4ae1234 -r 7713ece9969f ipa-server/ipa-server.spec >--- a/ipa-server/ipa-server.spec Fri Jan 11 11:57:36 2008 +0000 >+++ b/ipa-server/ipa-server.spec Thu Jan 17 14:45:52 2008 -0500 >@@ -1,6 +1,6 @@ Name: ipa-server > Name: ipa-server > Version: 0.6.0 >-Release: 1%{?dist} >+Release: 2%{?dist} > Summary: Ipa authentication server > > Group: System Environment/Base >@@ -39,6 +39,7 @@ Requires: acl > Requires: acl > Requires: pyasn1 > Requires: libcap >+Requires: ipa-server-selinux > > %define httpd_conf /etc/httpd/conf.d > %define plugin_dir %{_libdir}/dirsrv/plugins >@@ -111,6 +112,9 @@ fi > %dir %{_localstatedir}/cache/ipa/sysrestore > > %changelog >+* Thu Jan 17 2008 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-2 >+- Add requirement on ipa-server-selinux >+ > * Fri Dec 21 2007 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1 > - Version bump for release > >diff -r 3443b4ae1234 -r 7713ece9969f ipa-server/ipa-server.spec.in >--- a/ipa-server/ipa-server.spec.in Fri Jan 11 11:57:36 2008 +0000 >+++ b/ipa-server/ipa-server.spec.in Thu Jan 17 14:45:52 2008 -0500 >@@ -1,6 +1,6 @@ Name: ipa-server > Name: ipa-server > Version: VERSION >-Release: 1%{?dist} >+Release: 2%{?dist} > Summary: Ipa authentication server > > Group: System Environment/Base >@@ -39,6 +39,7 @@ Requires: acl > Requires: acl > Requires: pyasn1 > Requires: libcap >+Requires: ipa-server-selinux > > %define httpd_conf /etc/httpd/conf.d > %define plugin_dir %{_libdir}/dirsrv/plugins 
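Review bot: `allow ipa_webgui_t httpd_tmp_t:file read_file_perms;` gives the web GUI read access to every file labelled `httpd_tmp_t`, not only the Kerberos credential cache the comment describes. The following `dontaudit ipa_webgui_t httpd_tmp_t:file write;` also keeps the denied writes out of the audit log, which removes a signal a defender would want if this domain is ever compromised. Until the cache can get a type of its own, record the scope next to the rule, e.g. `# FIXME: grants read on all httpd_tmp_t files; move the ccache to a dedicated type and drop the dontaudit`. Separately, `logging_log_filetrans` sets up the type transition but the domain only receives `rw_file_perms` on `ipa_webgui_log_t`, which presumably lacks `create`, so the log file may have to pre-exist; if the daemon only appends, create plus append would be a tighter grant than read/write.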
>@@ -111,6 +112,9 @@ fi > %dir %{_localstatedir}/cache/ipa/sysrestore > > %changelog >+* Thu Jan 17 2008 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-2 >+- Add requirement on ipa-server-selinux >+ > * Fri Dec 21 2007 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1 > - Version bump for release >
Attachments on
bug 429999
:
294221
|
294372
|
295432