Bug 499242 - selinux policy updates needed to ensure that CS works with lunasa hsm
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: SELinux
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Ade Lee
QA Contact: Chandrasekar Kannan
Blocks: 443788
Reported: 2009-05-05 14:27 EDT by Ade Lee
Modified: 2015-01-04 18:38 EST (History)

Doc Type: Bug Fix
Last Closed: 2009-07-22 19:34:55 EDT

Description Ade Lee 2009-05-05 14:27:17 EDT
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Ade Lee 2009-05-05 14:30:18 EDT
Initial rules to be tested:

[builder@oliver selinux]$ svn diff ../../base/selinux
Index: ../../base/selinux/src/pki.if
===================================================================
--- ../../base/selinux/src/pki.if       (revision 423)
+++ ../../base/selinux/src/pki.if       (working copy)
@@ -172,6 +172,10 @@
         can_exec($1_t, pki_common_t)
         init_stream_connect_script($1_t)
 
+        # needed for lunasa hsm
+        allow $1_t devlog_t:sock_file write;
+        allow $1_t self:unix_dgram_socket { write create connect };
+        allow $1_t syslogd_t:unix_dgram_socket sendto;
 
 ')
 
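Review bot: the four rules added to the generic template, `+ allow $1_t devlog_t:sock_file write;` through `+ allow $1_t syslogd_t:unix_dgram_socket sendto;`, are the standard permissions for writing to /dev/log (devlog_t) and delivering datagrams to syslogd, i.e. syslog access for every domain instantiated from this template, not access to the HSM itself. The reference policy already wraps exactly this set in the `logging_send_syslog_msg($1_t)` interface; calling it instead of open-coding the allow rules keeps the policy maintainable and follows any later changes to the syslog types. The comment `# needed for lunasa hsm` should also say what in the HSM client needs it (presumably its logging), so the next reader can tell whether the rule is still required.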
@@ -484,7 +488,7 @@
         allow pki_tps_t lib_t:file execute_no_trans;
 
         allow pki_tps_t self:capability { setuid sys_nice setgid dac_override };
-        allow pki_tps_t self:process { setsched signal getsched  signull};
+        allow pki_tps_t self:process { setsched signal getsched  signull execstack};
         allow pki_tps_t self:sem all_sem_perms;
         allow pki_tps_t self:tcp_socket create_stream_socket_perms;
 
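Review bot: adding `execstack` to `allow pki_tps_t self:process { ... }` lets the TPS process make its stack executable, which removes a memory-corruption mitigation for the whole domain; before granting it, the hunk should record which library (the HSM client, judging by the bug title) forces it, and whether that library can be built or marked without the executable-stack requirement so the permission can be dropped later. Style: `getsched  signull execstack}` has a doubled space and no space before the closing brace; refpolicy convention is single spaces inside the braces.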
@@ -648,7 +652,7 @@
         allow pki_ra_t lib_t:file execute_no_trans;
 
         allow pki_ra_t self:capability { setuid sys_nice setgid dac_override };
-        allow pki_ra_t self:process { setsched getsched signal signull};
+        allow pki_ra_t self:process { setsched getsched signal signull execstack};
         allow pki_ra_t self:sem all_sem_perms;
         allow pki_ra_t self:tcp_socket create_stream_socket_perms;
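Review bot: same concern as for the TPS hunk: `execstack` for `pki_ra_t` weakens stack protection for the RA domain and the hunk gives no reason for it. Since the TPS and RA blocks receive identical process-rule changes, consider moving the shared rules into one interface so the two domains cannot drift apart. Also `signull execstack}` lacks the space before the brace.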
Comment 2 Ade Lee 2009-05-25 15:05:36 EDT
Check in initial rules:

[builder@dhcp231-124 selinux]$ svn ci -m "Bugzilla Bug 499242 -  selinux policy updates needed to ensure that CS works with lunasa hsm" pki-selinux.spec ../../base/selinux/
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        dogtag/selinux/pki-selinux.spec
Transmitting file data ...
Committed revision 489.
Comment 3 Ade Lee 2009-05-25 16:38:18 EDT
More changes needed for tps/ra

Index: ../../base/selinux/src/pki.if
===================================================================
--- ../../base/selinux/src/pki.if       (revision 489)
+++ ../../base/selinux/src/pki.if       (working copy)
@@ -70,7 +70,7 @@
        #
 
        # Execstack/execmem caused by java app.
-       allow $1_t self:process { execstack execmem getsched setsched };
+       allow $1_t self:process { execstack execmem getsched setsched signal};
 
        ## internal communication is often done using fifo and unix sockets.
        allow $1_t self:fifo_file rw_file_perms;
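Review bot: the comment `# Execstack/execmem caused by java app.` now sits above a rule that also grants `signal`, which has nothing to do with executable memory; either extend the comment to say why `signal` on self is needed or add it as a separate rule under its own comment. Also `setsched signal};` is missing the space before the closing brace used elsewhere in the file.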
@@ -488,7 +488,7 @@
         allow pki_tps_t lib_t:file execute_no_trans;
 
         allow pki_tps_t self:capability { setuid sys_nice setgid dac_override };
-        allow pki_tps_t self:process { setsched signal getsched  signull execstack};
+        allow pki_tps_t self:process { setsched signal getsched  signull execstack execmem};
         allow pki_tps_t self:sem all_sem_perms;
         allow pki_tps_t self:tcp_socket create_stream_socket_perms;
 
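Review bot: `execmem` is broader than the `execstack` already granted to `pki_tps_t` in the same rule: it permits mappings that are both writable and executable anywhere in the address space, so the domain loses W^X entirely. The hunk should document which component needs it and, if it is the HSM client library, say so, so the rule can be revisited when that library changes. The doubled space before `signull` is still present.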
@@ -561,6 +561,11 @@
         can_exec(pki_tps_t, pki_common_t)
         init_stream_connect_script(pki_tps_t)
 
+        #allow tps to talk to lunasa hsm
+        allow pki_tps_t devlog_t:sock_file write;
+        allow pki_tps_t self:unix_dgram_socket { write create connect };
+        allow pki_tps_t syslogd_t:unix_dgram_socket sendto;
+
 ')
 
 template(`pki_ra_template',`
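Review bot: the block under `#allow tps to talk to lunasa hsm` duplicates the syslog rules added to the shared template in revision 489 (`devlog_t:sock_file write`, `self:unix_dgram_socket { write create connect }`, `syslogd_t:unix_dgram_socket sendto`), which suggests `pki_tps_template` does not instantiate the common template and needs them separately. The comment is misleading because these rules grant writes to /dev/log and datagrams to syslogd, not access to the HSM; state that the HSM client logs via syslog, and prefer `logging_send_syslog_msg(pki_tps_t)` over the open-coded rules.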
@@ -652,7 +657,7 @@
         allow pki_ra_t lib_t:file execute_no_trans;
 
         allow pki_ra_t self:capability { setuid sys_nice setgid dac_override };
-        allow pki_ra_t self:process { setsched getsched signal signull execstack};
+        allow pki_ra_t self:process { setsched getsched signal signull execstack execmem};
         allow pki_ra_t self:sem all_sem_perms;
         allow pki_ra_t self:tcp_socket create_stream_socket_perms;
 
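Review bot: this is the RA copy of the TPS `execmem` change and carries the same concern: writable-and-executable mappings for `pki_ra_t` with no comment explaining the need. With TPS and RA now receiving identical process-permission edits in consecutive revisions, factoring these rules into one shared interface would make the next change a one-line edit.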
@@ -723,7 +728,6 @@
         can_exec(pki_ra_t, pki_common_t)
         init_stream_connect_script(pki_ra_t)
 
-
 ')
Comment 4 Ade Lee 2009-05-25 16:40:13 EDT
[builder@dhcp231-124 selinux]$ svn ci -m "Bugzilla Bug 499242 -  selinux policy updates needed to ensure that CS works with lunasa hsm - more changes" ../../base/selinux/
Sending        base/selinux/src/pki.if
Transmitting file data .
Committed revision 490.