Bug 237727 - SELinux Policy for all subsystems
Summary: SELinux Policy for all subsystems
Status: CLOSED ERRATA
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: Other   
Version: 1.0
Hardware: All
OS: Linux
high
medium
Target Milestone: 1.0
Assignee: Ade Lee
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Keywords:
Duplicates: 442472
Depends On:
Blocks: 443788
 
Reported: 2007-04-24 23:38 UTC by Bob Lord
Modified: 2015-01-04 23:26 UTC (History)
CC List: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-22 23:24:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
remove shell from pkiuser account (4.08 KB, patch)
2007-05-30 22:35 UTC, Kevin J. McCarthy
init script fixes (12.43 KB, patch)
2007-05-30 22:36 UTC, Kevin J. McCarthy
changes to init scripts, pkicreate, pkiremove (17.17 KB, patch)
2008-11-18 04:50 UTC, Ade Lee
spec file for pkicreate etc. (894 bytes, patch)
2008-11-18 06:20 UTC, Ade Lee
changes to init scripts, pkicreate, pkiremove 2 (17.17 KB, patch)
2008-11-18 20:33 UTC, Ade Lee
revised pkiremove, pkicreate , other patches (20.71 KB, patch)
2008-11-19 19:49 UTC, Ade Lee
pkiremove, pkicommon, pkicreate - so not to run on rhel4 (15.13 KB, patch)
2008-11-24 22:11 UTC, Ade Lee
mod to pki-setup on redhat side for rhel 5 (1.18 KB, patch)
2008-11-24 22:24 UTC, Ade Lee

Description Thomas Kwan 2007-04-24 23:38:37 UTC
We need to create appropriate SELinux policies for CS8.0, which will run on RHEL5.

Comment 1 Kevin J. McCarthy 2007-05-30 22:35:14 UTC
Created attachment 155753 [details]
remove shell from pkiuser account

SELinux policy doesn't like a system account to have a shell.

Comment 2 Kevin J. McCarthy 2007-05-30 22:36:49 UTC
Created attachment 155754 [details]
init script fixes

Change su to specify shell.
Fix context on pid files after creating.

Comment 3 Thomas Kwan 2007-05-30 23:23:29 UTC
attachment 155753 [details] +nkwan
attachment 155754 [details] +nkwan

Comment 4 Red Hat Bugzilla 2007-10-27 15:42:22 UTC
User nkwan@redhat.com's account has been closed

Comment 5 Red Hat Bugzilla 2007-10-27 16:37:34 UTC
User kmccarth@redhat.com's account has been closed

Comment 6 Ade Lee 2008-09-03 14:38:36 UTC
*** Bug 442472 has been marked as a duplicate of this bug. ***

Comment 7 Ade Lee 2008-11-18 04:50:37 UTC
Created attachment 323844 [details]
changes to init scripts, pkicreate, pkiremove

So - here's the idea. The default selinux policy will be delivered as part of the selinux-policy rpm that delivers standard selinux policies for RHEL daemons like httpd etc. I will upload a SRPM with this policy with pointers to the relevant files. The policy automatically applies to instances configured to install in the standard locations using standard ports. When these instances are installed, the policy will apply to them automatically.
 
This is the patch that does the following:
1. makes the init scripts do the right thing to avoid a messy selinux rule
2. adds code to pkicreate and pkiremove to make sure that policy is applied to instances not configured to be in the default location and using the default ports.
3. includes changes to modify the default ports to match the policy.

cfu, mharmsen, please review

Comment 8 Ade Lee 2008-11-18 04:58:50 UTC
The selinux policy can be obtained (on FC8) at :
http://koji.fedoraproject.org/koji/buildinfo?buildID=69691

You'll want to install http://koji.fedoraproject.org/packages/selinux-policy/3.0.8/127.fc8/noarch/selinux-policy-3.0.8-127.fc8.noarch.rpm
http://koji.fedoraproject.org/packages/selinux-policy/3.0.8/127.fc8/noarch/selinux-policy-targeted-3.0.8-127.fc8.noarch.rpm

The source rpm is at :
http://koji.fedoraproject.org/packages/selinux-policy/3.0.8/127.fc8/src/selinux-policy-3.0.8-127.fc8.src.rpm

When looking for the pki policy, look at the files:
/usr/src/redhat/BUILD/serefpolicy-2.4.6/policy/modules/services/pki.if
/usr/src/redhat/BUILD/serefpolicy-2.4.6/policy/modules/services/pki.fc
/usr/src/redhat/BUILD/serefpolicy-2.4.6/policy/modules/services/pki.te

cfu, mharmsen, please review.

Comment 9 Ade Lee 2008-11-18 06:20:02 UTC
Created attachment 323850 [details]
spec file for pkicreate etc.

Comment 10 Matthew Harmsen 2008-11-18 20:24:19 UTC
attachment (id=323844) - +mharmsen
- apply the changes that you made to "base/ca/shared/etc/init.d/httpd" to "base/kra/shared/etc/init.d/httpd", "base/ocsp/shared/etc/init.d/httpd", and "base/tks/shared/etc/init.d/httpd"
- I believe that this was asked earlier, but are "/usr/sbin/semanage" and "/sbin/restorecon" always part of any RHEL4 and/or RHEL5 system?
- Check to be sure that you can invoke "./pkicreate" and "./pkiremove" on a Solaris 9 machine to ensure that the Perl on Solaris does not automatically fail because it cannot resolve something in your Perl code; although you have correctly checked for the platform prior to invocation, Perl has a nasty tendency to die on stuff that it can't load into memory.

attachment (id=323850) - +mharmsen
- fix the changelog message to either Tue Nov 11, or Thu Nov 13
- add "Bugzilla" or "bugzilla" in front of the bug # to denote which bug system was being used

Comment 11 Matthew Harmsen 2008-11-18 20:24:57 UTC
cfu still needs to review the SELinux Policy

Comment 12 Ade Lee 2008-11-18 20:33:54 UTC
Created attachment 323959 [details]
changes to init scripts, pkicreate, pkiremove 2

trying again...

Comment 13 Ade Lee 2008-11-19 19:49:18 UTC
Created attachment 324086 [details]
revised pkiremove, pkicreate , other patches

1. This includes changes for the httpd files mentioned by mharmsen above
2. Added policycoreutils to pki-setup requires to make sure that semanage, restorecon are present on system.

mharmsen, please confirm.

Comment 14 Ade Lee 2008-11-24 22:11:49 UTC
Created attachment 324542 [details]
pkiremove, pkicommon, pkicreate - so not to run on rhel4

revised pkiremove, pkicreate, pkicommon to ensure that selinux policies do not run on rhel 4

mharmsen, please review

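Added example, not taken from any attachment on this bug: the labelling steps a pkicreate-style script has to carry out for an instance that is not in the default location or not on the default ports (the case comment 7 describes), plus the platform guard from comment 14 so nothing runs on RHEL 4. The type names pki_ca_var_lib_t and pki_ca_port_t, the instance path and the port are assumptions for illustration; the commands are printed rather than executed so they can be reviewed or logged before being applied.

```shell
#!/bin/sh
# Added example (not from the bug's patches). Type names and paths are
# assumptions; check the pki.te/pki.fc shipped with your selinux-policy rpm.

# Only act where the pki policy can exist: skip RHEL 4 (comment 14) and any
# box where SELinux is disabled or the policy tools are missing.
selinux_policy_wanted() {
    grep -q 'release 4' /etc/redhat-release 2>/dev/null && return 1
    command -v selinuxenabled >/dev/null 2>&1 || return 1
    selinuxenabled
}

# Print the commands that register an instance living in $1 and listening on
# TCP port $2 with the policy.  Without these, a non-default instance runs
# unconfined (or is denied by the policy), which is what the default-path
# rules in the selinux-policy rpm only cover for the standard layout.
pki_label_commands() {
    inst_dir=${1%/}   # drop a trailing slash so the regex below is exact
    port=$2
    # file context: everything under the instance directory gets the policy's
    # var_lib type, so the confined daemon may read and write it
    printf 'semanage fcontext -a -t pki_ca_var_lib_t "%s(/.*)?"\n' "$inst_dir"
    # port label: the confined daemon may only bind ports carrying this type
    printf 'semanage port -a -t pki_ca_port_t -p tcp %s\n' "$port"
    # relabel files created before the rule existed (same idea as the init
    # script fixing the context of freshly created pid files)
    printf 'restorecon -R %s\n' "$inst_dir"
}

# pkiremove counterpart: drop the rules again so no stale labels linger.
pki_unlabel_commands() {
    inst_dir=${1%/}
    port=$2
    printf 'semanage port -d -t pki_ca_port_t -p tcp %s\n' "$port"
    printf 'semanage fcontext -d "%s(/.*)?"\n' "$inst_dir"
}

# Driver: apply only on a supported platform; otherwise do nothing, quietly.
apply_pki_labels() {
    selinux_policy_wanted || return 0
    pki_label_commands "$1" "$2" | sh
}
```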
Comment 15 Ade Lee 2008-11-24 22:24:28 UTC
Created attachment 324544 [details]
mod to pki-setup on redhat side for rhel 5

required change for spec file for rhel 5

Comment 16 Matthew Harmsen 2008-11-25 18:01:53 UTC
attachment (id=324086)
attachment (id=324542)
attachment (id=324544)
+mharmsen

Comment 17 Jenny Galipeau 2009-06-11 17:43:04 UTC
Is there anything else to be verified for this bug other than the policy pki.pp exists and there are no selinux errors? Thanks

Comment 18 Ade Lee 2009-06-11 18:19:27 UTC
Nope - other than to ensure that all subsystems are installed and configured ok with no selinux errors.

Comment 19 Jenny Galipeau 2009-06-11 18:20:43 UTC
Thanks - Verified.
