Red Hat Bugzilla – Bug 237727
SELinux Policy for all subsystems
Last modified: 2015-01-04 18:26:31 EST
We need to create appropriate SELinux policies for CS 8.0, which will run on RHEL 5.
Created attachment 155753 [details]
remove shell from pkiuser account
SELinux policy doesn't like a system account to have a shell.
Created attachment 155754 [details]
init script fixes
change su to specify shell.
Fix context on pid files after creating.
attachment 155753 [details] +nkwan
attachment 155754 [details] +nkwan
*** Bug 442472 has been marked as a duplicate of this bug. ***
Created attachment 323844 [details]
changes to init scripts, pkicreate, pkiremove
So, here's the idea. The default SELinux policy will be delivered as part of the selinux-policy RPM that delivers the standard SELinux policies for RHEL daemons like httpd etc. I will upload an SRPM with this policy with pointers to the relevant files. The policy automatically applies to instances configured to install in the standard locations using the standard ports. When these instances are installed, the policy will apply to them automatically.
This is the patch that does the following:
1. makes the init scripts do the right thing to avoid a messy selinux rule
2. adds code to pkicreate and pkiremove to make sure that policy is applied to instances not configured to be in the default location and using the default ports.
3. includes changes to modify the default ports to match the policy.
cfu, mharmsen, please review.
The SELinux policy can be obtained (on FC8) at:
You'll want to install http://koji.fedoraproject.org/packages/selinux-policy/3.0.8/127.fc8/noarch/selinux-policy-3.0.8-127.fc8.noarch.rpm
The source RPM is at:
When looking for the pki policy, look at the files:
cfu, mharmsen, please review.
Created attachment 323850 [details]
spec file for pkicreate etc.
attachment (id=323844) - +mharmsen
- apply the changes that you made to "base/ca/shared/etc/init.d/httpd" to "base/kra/shared/etc/init.d/httpd", "base/ocsp/shared/etc/init.d/httpd", and "base/tks/shared/etc/init.d/httpd"
- I believe that this was asked earlier, but are "/usr/sbin/semanage" and "/sbin/restorecon" always part of any RHEL4 and/or RHEL5 system?
- Check to be sure that you can invoke "./pkicreate" and "./pkiremove" on a Solaris 9 machine to ensure that the Perl on Solaris does not automatically fail because it cannot resolve something in your Perl code; although you have correctly checked for the platform prior to invocation, Perl has a nasty tendency to die on stuff that it can't load into memory.
attachment (id=323850) - +mharmsen
- fix the changelog message to either Tue Nov 11, or Thu Nov 13
- add "Bugzilla" or "bugzilla" in front of the bug # to denote which bug system was being used
cfu still needs to review the SELinux Policy
Created attachment 323959 [details]
changes to init scripts, pkicreate, pkiremove 2
Trying again...
Created attachment 324086 [details]
revised pkiremove, pkicreate, other patches
1. This includes changes for the httpd files mentioned by mharmsen above
2. Added policycoreutils to the pki-setup requires to make sure that semanage and restorecon are present on the system.
mharmsen, please confirm.
Created attachment 324542 [details]
pkiremove, pkicommon, pkicreate - so as not to run on RHEL 4
revised pkiremove, pkicreate, pkicommon to ensure that the SELinux policies do not run on RHEL 4
mharmsen, please review
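As an added illustration (not the attached patch or the project's own pkicreate/pkicommon code) of the two points above: the labelling that an installer has to apply when an instance lives outside the default location or uses a non-default port, and the guard that keeps it from running on RHEL 4. The type names pki_ca_var_lib_t and pki_ca_port_t and the /opt/pki-ca2 path are assumptions; the commands are printed rather than executed so the script runs offline.

```shell
#!/bin/sh
# Added example: dry-run generator for the semanage/restorecon calls that a
# pkicreate/pkiremove-style installer needs for a non-default instance.
# Type names below are ASSUMED (refpolicy-style naming); check the pki.pp
# module on the target host with "seinfo -t" before using them.
PKI_LIB_TYPE="pki_ca_var_lib_t"   # assumed file context type for the instance dir
PKI_PORT_TYPE="pki_ca_port_t"     # assumed port type for the CA listener

# Return 0 only on RHEL 5 or newer; the policy must not be applied on RHEL 4.
# $1 is the contents of /etc/redhat-release (passed in so this is testable).
pki_selinux_supported() {
    major=$(printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p')
    [ -n "$major" ] && [ "$major" -ge 5 ]
}

# Print the commands for one instance. Usage: pki_selinux_cmds add|remove DIR PORT
# "add" labels the directory tree and the port; "remove" undoes both mappings.
pki_selinux_cmds() {
    action=$1; dir=$2; port=$3
    case "$action" in
        add)
            printf '%s\n' "/usr/sbin/semanage fcontext -a -t $PKI_LIB_TYPE \"$dir(/.*)?\""
            printf '%s\n' "/sbin/restorecon -R $dir"
            printf '%s\n' "/usr/sbin/semanage port -a -t $PKI_PORT_TYPE -p tcp $port"
            ;;
        remove)
            printf '%s\n' "/usr/sbin/semanage port -d -t $PKI_PORT_TYPE -p tcp $port"
            printf '%s\n' "/usr/sbin/semanage fcontext -d \"$dir(/.*)?\""
            ;;
        *) return 2 ;;
    esac
}

# Stand-alone run: label an assumed non-default instance only on RHEL >= 5.
release=$(cat /etc/redhat-release 2>/dev/null)
if pki_selinux_supported "$release"; then
    pki_selinux_cmds add /opt/pki-ca2 9443
else
    echo "SELinux labelling skipped: not RHEL 5 or newer" >&2
fi
```

Piping the output of pki_selinux_cmds into sh applies it on a real host; restorecon must run after the fcontext rule exists or the files keep their old labels.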
Created attachment 324544 [details]
mod to pki-setup on redhat side for rhel 5
required change for spec file for rhel 5
Is there anything else to be verified for this bug other than that the policy pki.pp exists and there are no SELinux errors? Thanks
Nope - other than to ensure that all subsystems are installed and configured OK with no SELinux errors.
Thanks - Verified.