Initial rules to be tested: [builder@oliver selinux]$ svn diff ../../base/selinux Index: ../../base/selinux/src/pki.if =================================================================== --- ../../base/selinux/src/pki.if (revision 423) +++ ../../base/selinux/src/pki.if (working copy) @@ -172,6 +172,10 @@ can_exec($1_t, pki_common_t) init_stream_connect_script($1_t) + # needed for lunasa hsm + allow $1_t devlog_t:sock_file write; + allow $1_t self:unix_dgram_socket { write create connect }; + allow $1_t syslogd_t:unix_dgram_socket sendto; ') @@ -484,7 +488,7 @@ allow pki_tps_t lib_t:file execute_no_trans; allow pki_tps_t self:capability { setuid sys_nice setgid dac_override }; - allow pki_tps_t self:process { setsched signal getsched signull}; + allow pki_tps_t self:process { setsched signal getsched signull execstack}; allow pki_tps_t self:sem all_sem_perms; allow pki_tps_t self:tcp_socket create_stream_socket_perms; @@ -648,7 +652,7 @@ allow pki_ra_t lib_t:file execute_no_trans; allow pki_ra_t self:capability { setuid sys_nice setgid dac_override }; - allow pki_ra_t self:process { setsched getsched signal signull}; + allow pki_ra_t self:process { setsched getsched signal signull execstack}; allow pki_ra_t self:sem all_sem_perms; allow pki_ra_t self:tcp_socket create_stream_socket_perms;
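Review bot: the three raw allow rules in the first hunk (devlog_t:sock_file write, self:unix_dgram_socket { write create connect }, syslogd_t:unix_dgram_socket sendto) are exactly what the refpolicy interface logging_send_syslog_msg($1_t) grants; calling that interface instead of naming devlog_t and syslogd_t directly keeps pki.if from depending on the logging module's internal types. The comment "# needed for lunasa hsm" should state what actually needs the access, since the rules only let the domain write to syslog and nothing in the hunk touches the HSM itself. The second and third hunks add execstack to pki_tps_t and pki_ra_t self:process, which permits an executable stack for the whole domain; the commit should record which shared object raises the denial and whether clearing that object's executable-stack flag (execstack -c on the library) was considered, because that removes the need for the permission instead of granting it.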
Check in initial rules: [builder@dhcp231-124 selinux]$ svn ci -m "Bugzilla Bug 499242 - selinux policy updates needed to ensure that CS works with lunasa hsm" pki-selinux.spec ../../base/selinux/ Sending base/selinux/src/pki.if Sending base/selinux/src/pki.te Sending dogtag/selinux/pki-selinux.spec Transmitting file data ... Committed revision 489.
More changes needed for tps/ ra Index: ../../base/selinux/src/pki.if =================================================================== --- ../../base/selinux/src/pki.if (revision 489) +++ ../../base/selinux/src/pki.if (working copy) @@ -70,7 +70,7 @@ # # Execstack/execmem caused by java app. - allow $1_t self:process { execstack execmem getsched setsched }; + allow $1_t self:process { execstack execmem getsched setsched signal}; ## internal communication is often done using fifo and unix sockets. allow $1_t self:fifo_file rw_file_perms; @@ -488,7 +488,7 @@ allow pki_tps_t lib_t:file execute_no_trans; allow pki_tps_t self:capability { setuid sys_nice setgid dac_override }; - allow pki_tps_t self:process { setsched signal getsched signull execstack}; + allow pki_tps_t self:process { setsched signal getsched signull execstack execmem}; allow pki_tps_t self:sem all_sem_perms; allow pki_tps_t self:tcp_socket create_stream_socket_perms; @@ -561,6 +561,11 @@ can_exec(pki_tps_t, pki_common_t) init_stream_connect_script(pki_tps_t) + #allow tps to talk to lunasa hsm + allow pki_tps_t devlog_t:sock_file write; + allow pki_tps_t self:unix_dgram_socket { write create connect }; + allow pki_tps_t syslogd_t:unix_dgram_socket sendto; + ') template(`pki_ra_template',` @@ -652,7 +657,7 @@ allow pki_ra_t lib_t:file execute_no_trans; allow pki_ra_t self:capability { setuid sys_nice setgid dac_override }; - allow pki_ra_t self:process { setsched getsched signal signull execstack}; + allow pki_ra_t self:process { setsched getsched signal signull execstack execmem}; allow pki_ra_t self:sem all_sem_perms; allow pki_ra_t self:tcp_socket create_stream_socket_perms; @@ -723,7 +728,6 @@ can_exec(pki_ra_t, pki_common_t) init_stream_connect_script(pki_ra_t) - ')
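Review bot: the comment "#allow tps to talk to lunasa hsm" in the third hunk does not describe the rules beneath it, which grant access to devlog_t and syslogd_t, i.e. sending syslog messages; reword it (and the identical block added to the $1_t template in revision 489) and consider replacing both copies with a single logging_send_syslog_msg() call. The execmem additions for pki_tps_t and pki_ra_t, on top of the execstack granted in the previous revision, leave both domains able to map writable-and-executable memory, which undoes part of the hardening that confining them separately was meant to give; a policy comment should name the library or runtime that needs it, as the $1_t template already does for its "Execstack/execmem caused by java app" line, so the grant can be revisited. The last hunk only removes a blank line before the closing ') and could be left out of the change.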
[builder@dhcp231-124 selinux]$ svn ci -m "Bugzilla Bug 499242 - selinux policy updates needed to ensure that CS works with lunasa hsm - more changes" ../../base/selinux/ Sending base/selinux/src/pki.if Transmitting file data . Committed revision 490.