Bug 237727 - SELinux Policy for all subsystems
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: Other
Version: 1.0
Hardware/OS: All Linux
Priority: high
Severity: medium
Target Milestone: 1.0
Assigned To: Ade Lee
QA Contact: Chandrasekar Kannan
Duplicates: 442472
Blocks: 443788
Reported: 2007-04-24 19:38 EDT by Bob Lord
Modified: 2015-01-04 18:26 EST
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:24:37 EDT

Attachments
remove shell from pkiuser account (4.08 KB, patch), 2007-05-30 18:35 EDT, Kevin J. McCarthy
init script fixes (12.43 KB, patch), 2007-05-30 18:36 EDT, Kevin J. McCarthy
changes to init scripts, pkicreate, pkiremove (17.17 KB, patch), 2008-11-17 23:50 EST, Ade Lee
spec file for pkicreate etc. (894 bytes, patch), 2008-11-18 01:20 EST, Ade Lee
changes to init scripts, pkicreate, pkiremove 2 (17.17 KB, patch), 2008-11-18 15:33 EST, Ade Lee
revised pkiremove, pkicreate, other patches (20.71 KB, patch), 2008-11-19 14:49 EST, Ade Lee
pkiremove, pkicommon, pkicreate - so not to run on rhel4 (15.13 KB, patch), 2008-11-24 17:11 EST, Ade Lee
mod to pki-setup on redhat side for rhel 5 (1.18 KB, patch), 2008-11-24 17:24 EST, Ade Lee

Description Thomas Kwan 2007-04-24 19:38:37 EDT
We need to create appropriate SELinux policies for CS8.0, which will run on RHEL5.
Comment 1 Kevin J. McCarthy 2007-05-30 18:35:14 EDT
Created attachment 155753
remove shell from pkiuser account

SELinux policy doesn't like a system account to have a shell.
Comment 2 Kevin J. McCarthy 2007-05-30 18:36:49 EDT
Created attachment 155754
init script fixes

change su to specify shell.
Fix context on pid files after creating.
Comment 3 Thomas Kwan 2007-05-30 19:23:29 EDT
attachment 155753 +nkwan
attachment 155754 +nkwan
Comment 4 Red Hat Bugzilla 2007-10-27 11:42:22 EDT
User nkwan@redhat.com's account has been closed
Comment 5 Red Hat Bugzilla 2007-10-27 12:37:34 EDT
User kmccarth@redhat.com's account has been closed
Comment 6 Ade Lee 2008-09-03 10:38:36 EDT
*** Bug 442472 has been marked as a duplicate of this bug. ***
Comment 7 Ade Lee 2008-11-17 23:50:37 EST
Created attachment 323844
changes to init scripts, pkicreate, pkiremove

So, here's the idea. The default SELinux policy will be delivered as part of the selinux-policy rpm that delivers standard SELinux policies for RHEL daemons like httpd etc. I will upload an SRPM with this policy with pointers to the relevant files. The policy automatically applies to instances configured to install in the standard locations using standard ports. When these instances are installed, the policy will apply to them automatically.
 
This is the patch that does the following:
1. makes the init scripts do the right thing to avoid a messy selinux rule
2. adds code to pkicreate and pkiremove to make sure that policy is applied to instances not configured to be in the default location and using the default ports.
3. includes changes to modify the default ports to match the policy.

cfu, mharmsen, please review.
Comment 8 Ade Lee 2008-11-17 23:58:50 EST
The selinux policy can be obtained (on FC8) at :
http://koji.fedoraproject.org/koji/buildinfo?buildID=69691

You'll want to install http://koji.fedoraproject.org/packages/selinux-policy/3.0.8/127.fc8/noarch/selinux-policy-3.0.8-127.fc8.noarch.rpm
http://koji.fedoraproject.org/packages/selinux-policy/3.0.8/127.fc8/noarch/selinux-policy-targeted-3.0.8-127.fc8.noarch.rpm

The source rpm is at :
http://koji.fedoraproject.org/packages/selinux-policy/3.0.8/127.fc8/src/selinux-policy-3.0.8-127.fc8.src.rpm

When looking for the pki policy, look at the files:
/usr/src/redhat/BUILD/serefpolicy-2.4.6/policy/modules/services/pki.if
/usr/src/redhat/BUILD/serefpolicy-2.4.6/policy/modules/services/pki.fc
/usr/src/redhat/BUILD/serefpolicy-2.4.6/policy/modules/services/pki.te

cfu, mharmsen, please review.
Comment 9 Ade Lee 2008-11-18 01:20:02 EST
Created attachment 323850
spec file for pkicreate etc.
Comment 10 Matthew Harmsen 2008-11-18 15:24:19 EST
attachment (id=323844) - +mharmsen
- apply the changes that you made to "base/ca/shared/etc/init.d/httpd" to "base/kra/shared/etc/init.d/httpd", "base/ocsp/shared/etc/init.d/httpd", and "base/tks/shared/etc/init.d/httpd"
- I believe that this was asked earlier, but are "/usr/sbin/semanage" and "/sbin/restorecon" always part of any RHEL4 and/or RHEL5 system?
- Check to be sure that you can invoke "./pkicreate" and "./pkiremove" on a Solaris 9 machine to ensure that the Perl on Solaris does not automatically fail because it cannot resolve something in your Perl code; although you have correctly checked for the platform prior to invocation, Perl has a nasty tendency to die on stuff that it can't load into memory.

attachment (id=323850) - +mharmsen
- fix the changelog message to either Tue Nov 11, or Thu Nov 13
- add "Bugzilla" or "bugzilla" in front of the bug # to denote which bug system was being used
Comment 11 Matthew Harmsen 2008-11-18 15:24:57 EST
cfu still needs to review the SELinux Policy
Comment 12 Ade Lee 2008-11-18 15:33:54 EST
Created attachment 323959
changes to init scripts, pkicreate, pkiremove 2

trying again ..
Comment 13 Ade Lee 2008-11-19 14:49:18 EST
Created attachment 324086
revised pkiremove, pkicreate , other patches

1. This includes changes for the httpd files mentioned by mharmsen above
2. Added policycoreutils to pki-setup requires to make sure that semanage, restorecon are present on system.

mharmsen, please confirm.
Comment 14 Ade Lee 2008-11-24 17:11:49 EST
Created attachment 324542
pkiremove, pkicommon, pkicreate - so not to run on rhel4

revised pkiremove, pkicreate, pkicommon to ensure that selinux policies do not run on rhel 4

mharmsen, please review
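The labelling step that comment 7 describes for pkicreate/pkiremove, together with the policycoreutils and RHEL 4 checks from comments 13 and 14, as an added shell example. This is not the patch attached to this bug and not Dogtag code. The type names pki_<subsystem>_var_lib_t, pki_<subsystem>_var_run_t and pki_<subsystem>_port_t are assumptions about what pki.te defines (read the real ones out of pki.te and pki.fc in the selinux-policy SRPM), and the instance paths and ports in the usage line are made up.

```shell
#!/bin/sh
# Added example, not the pkicreate/pkiremove patch attached to this bug.
# Emits (and optionally runs) the semanage/restorecon steps for a pki
# instance installed outside the default directory or on non-default
# ports, and skips them where the patches skip them (RHEL 4, SELinux off).

# True when the release file names RHEL 4, whose selinux-policy carries no
# pki module. $1 overrides the release file so the check can be exercised
# on any host.
pki_is_rhel4() {
    rel="${1:-/etc/redhat-release}"
    [ -r "$rel" ] && grep -qE 'release 4([^0-9]|$)' "$rel"
}

# Print the labelling commands for one instance without running them.
#   $1 = add | del     (pkicreate adds the rules, pkiremove deletes them)
#   $2 = subsystem     (ca, kra, ocsp or tks)
#   $3 = instance root (e.g. /var/lib/pki-ca2)
#   $4 = pid file      (e.g. /var/run/pki-ca2.pid)
#   $5.. = TCP ports the instance listens on
# The pki_*_t type names below are ASSUMED; check pki.te for the real ones.
pki_selinux_plan() {
    op="$1"
    case "$op" in
        add) flag=-a ;;
        del) flag=-d ;;
        *) echo "usage: pki_selinux_plan add|del subsystem root pidfile port..." >&2
           return 2 ;;
    esac
    sub="$2"; root="$3"; pid="$4"; shift 4
    echo "semanage fcontext $flag -t pki_${sub}_var_lib_t \"${root}(/.*)?\""
    echo "semanage fcontext $flag -t pki_${sub}_var_run_t \"${pid}\""
    for port in "$@"; do
        echo "semanage port $flag -t pki_${sub}_port_t -p tcp ${port}"
    done
    # Relabel only when adding; pkiremove deletes the tree, so there is
    # nothing left to relabel after the rules are dropped.
    [ "$op" = add ] && echo "restorecon -R -v \"${root}\""
    return 0
}

# Run the plan, but only where the attached patches run it: not on RHEL 4,
# not with SELinux disabled, and only when semanage and restorecon exist,
# which is why pki-setup grew a dependency on policycoreutils.
pki_selinux_apply() {
    if pki_is_rhel4; then
        echo "RHEL 4: no pki SELinux module, skipping" >&2
        return 0
    fi
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo "SELinux disabled, skipping" >&2
        return 0
    fi
    for tool in semanage restorecon; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "$tool missing: install policycoreutils" >&2; return 1; }
    done
    pki_selinux_plan "$@" | sh -ex
}

# Run directly, this only prints the plan for a made-up second CA instance;
# pki_selinux_apply with the same arguments would execute it as root.
pki_selinux_plan add ca /var/lib/pki-ca2 /var/run/pki-ca2.pid 9180 9443
```

The fcontext rule is a regular expression, so the instance root gets the `(/.*)?` suffix to cover the whole tree, while the pid file is matched literally; instances in the default location need none of this because pki.fc already labels them.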
Comment 15 Ade Lee 2008-11-24 17:24:28 EST
Created attachment 324544
mod to pki-setup on redhat side for rhel 5

required change for spec file for rhel 5
Comment 16 Matthew Harmsen 2008-11-25 13:01:53 EST
attachment (id=324086)
attachment (id=324542)
attachment (id=324544)
+mharmsen
Comment 17 Jenny Galipeau 2009-06-11 13:43:04 EDT
Is there anything else to be verified for this bug other than that the policy pki.pp exists and there are no SELinux errors? Thanks
Comment 18 Ade Lee 2009-06-11 14:19:27 EDT
Nope - other than to ensure that all subsystems are installed and configured ok with no selinux errors.
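The verification the two comments above agree on (the pki module is loaded, and a full install of all subsystems produces no SELinux errors), as an added check that is not part of this bug or of Dogtag. The audit records it scans are constructed for the demonstration, not captured from a real host; on a real host feed it `semodule -l` and /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example: post-install SELinux check for a pki deployment. Not part
# of the bug's patches. Reads `semodule -l` output and audit.log records.

# True when a module named pki is listed. Reads `semodule -l` on stdin so
# the check can run without root:  semodule -l | pki_module_loaded
pki_module_loaded() {
    grep -qE '^pki([[:space:]]|$)'
}

# Print AVC denials whose source or target context carries a pki_* type.
# $1 = audit log path; with no argument the log is read from stdin.
pki_avc_denials() {
    grep 'type=AVC' -- "${1:--}" \
        | grep 'denied' \
        | grep -E '(scontext|tcontext)=[^ ]*:pki_'
}

# One line per (source type, target type, object class, permission) with a
# count, which is the shape you want before deciding whether a denial is a
# labelling mistake (fix with semanage/restorecon) or a policy gap.
# Only the first permission inside { } is reported.
pki_avc_summary() {
    pki_avc_denials "${1:--}" | awk '
    {
        perm = ""; s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
            if ($i ~ /^tclass=/)   { sub("tclass=", "", $i); c = $i }
        }
        print s, t, c, perm
    }' | sort | uniq -c
}

# CONSTRUCTED sample audit records for the demonstration (not real captures):
# a pid-file write denied because the file kept var_run_t, a bind to an
# unlabelled port, a granted access (ignored), and an unrelated httpd denial.
pki_sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1244740000.101:41): avc:  denied  { write } for  pid=2011 comm="java" name="pki-ca.pid" dev=dm-0 ino=5121 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1244740000.102:42): avc:  denied  { name_bind } for  pid=2011 comm="java" src=9543 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1244740000.103:43): avc:  granted  { read } for  pid=2011 comm="java" scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:pki_ca_var_lib_t:s0 tclass=file
type=AVC msg=audit(1244740000.104:44): avc:  denied  { read } for  pid=3300 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Demonstration run over the constructed records.
pki_sample_audit | pki_avc_summary
```

A clean result is an empty summary after exercising every subsystem (install, configure, restart, and a request through each port); the two constructed denials above are exactly the kinds the init-script and pkicreate changes in this bug exist to prevent, a pid file created with the wrong context and a non-default port left unlabelled.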
Comment 19 Jenny Galipeau 2009-06-11 14:20:43 EDT
Thanks - Verified.