Bug 506378 - additional selinux rule for tps
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: SELinux
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Ade Lee
QA Contact: Chandrasekar Kannan
Blocks: 443788
Reported: 2009-06-16 20:03 EDT by Chandrasekar Kannan
Modified: 2015-01-05 20:19 EST
Doc Type: Bug Fix
Last Closed: 2009-07-22 19:36:35 EDT
Attachments: None
Description Chandrasekar Kannan 2009-06-16 20:03:19 EDT
Not sure how I ended up with this, but my audit.log comes up with this allow policy:

[root@beta ~]# cat /var/log/audit/audit.log | audit2allow


#============= pki_tps_t ==============
allow pki_tps_t self:capability kill;
allow pki_tps_t self:process sigkill;
Comment 1 Ade Lee 2009-06-17 11:08:35 EDT
Index: dogtag/selinux/pki-selinux.spec
===================================================================
--- dogtag/selinux/pki-selinux.spec     (revision 619)
+++ dogtag/selinux/pki-selinux.spec     (working copy)
@@ -33,7 +33,7 @@
 ## Package Header Definitions
 %define base_name         %{base_prefix}-%{base_component}
 %define base_version      1.1.0
-%define base_release      8
+%define base_release      9
 %define base_group        System Environment/Shells
 %define base_vendor       Red Hat, Inc.
 %define base_license      GPLv2 with exceptions
@@ -249,6 +249,8 @@
 ###############################################################################
 
 %changelog
+* Wed Jun 17 2009 Ade Lee <alee@redhat.com> 1.1.0-9
+- Bugzilla Bug 506387 and 506133 - ECC and messages for tps
 * Mon Jun 15 2009 Ade Lee <alee@redhat.com> 1.1.0-8
 - Bugzilla Bug 504765 - more selinux messages when restarting RA
 * Tue Jun 9 2009 Ade Lee <alee@redhat.com> 1.1.0-7
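Review bot: the bug number in the new %changelog line does not match this report: it cites 506387 while this tracker entry is Bug 506378, which looks like a transposition (the same number is reused in the svn commit message in comment 2). Confirm which bug is meant and correct the line, e.g. "- Bugzilla Bug 506378 and 506133 - ECC and messages for tps", so the errata cross-reference resolves to the right bug.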
Index: base/selinux/src/pki.if
===================================================================
--- base/selinux/src/pki.if     (revision 619)
+++ base/selinux/src/pki.if     (working copy)
@@ -492,8 +492,8 @@
         allow pki_tps_t lib_t:file execute_no_trans;
 
         #fowner needed for chmod
-        allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner fsetid};
-        allow pki_tps_t self:process { setsched signal getsched  signull execstack execmem};
+        allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill};
+        allow pki_tps_t self:process { setsched signal getsched  signull execstack execmem sigkill};
         allow pki_tps_t self:sem all_sem_perms;
         allow pki_tps_t self:tcp_socket create_stream_socket_perms;
 
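Review bot: the new `kill` capability and `sigkill` process permission are appended to lines whose only comment (`#fowner needed for chmod`) explains a different permission; add a comment naming which TPS operation sends SIGKILL, since the audit2allow output in the description only shows that the denial occurred, not why. The two additions also differ in scope: `self:process sigkill` only lets pki_tps_t processes SIGKILL other pki_tps_t processes, whereas `self:capability kill` is the CAP_KILL override for signalling processes owned by other UIDs, so confirm the capability is really needed rather than taking audit2allow's suggestion verbatim.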
Index: base/selinux/src/pki.te
===================================================================
--- base/selinux/src/pki.te     (revision 619)
+++ base/selinux/src/pki.te     (working copy)
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.10)
+policy_module(pki,1.0.11)
 
 attribute pki_ca_config;
 attribute pki_ca_executable;
@@ -25,6 +25,9 @@
 # for crl publishing
 allow pki_ca_t pki_ca_var_lib_t:lnk_file { rename create unlink };
 
+# for ECC
+auth_getattr_shadow(pki_ca_t)
+
 attribute pki_kra_config;
 attribute pki_kra_executable;
 attribute pki_kra_var_lib;
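Review bot: `auth_getattr_shadow(pki_ca_t)` is a CA-domain change in a commit whose changelog and message say "messages for tps", and the `# for ECC` comment does not say why ECC support needs stat() on /etc/shadow; expand the comment to name the component and call that triggers it, and confirm that getattr alone silences the denial so that the broader `auth_read_shadow` interface is not reached for later.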
Comment 2 Ade Lee 2009-06-17 11:09:58 EDT
[builder@dhcp231-124 pki]$ svn ci -m "Bugzilla Bug 506387 and 506133 - ECC and messages for tps" 
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        dogtag/selinux/pki-selinux.spec
Transmitting file data ...
Committed revision 620.
Comment 3 Kashyap Chamarthy 2009-06-22 10:20:48 EDT
Verified. I installed/configured pki-tps on a new build and verified the audit log. Haven't seen it here.

Chandra: you may have encountered these when configuring nethsm/luna?

Do you want to confirm or shall I close it as "Verified"?
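A small script for the audit-log verification that comment 3 does by hand, using the denial pattern behind the audit2allow output in the description. This is added example code, not part of the bug report or of the pki-selinux package, and the audit.log records it parses are constructed samples, not lines from the reporter's system.

```shell
#!/bin/sh
# Constructed sample audit.log excerpt (not from the bug report): the two
# pki_tps_t denials of the kind the description shows, one pki_ca_t denial
# matching the pki.te hunk, and one non-AVC record that must be ignored.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1245196800.123:45): avc:  denied  { kill } for  pid=1234 comm="httpd" capability=5 scontext=system_u:system_r:pki_tps_t:s0 tcontext=system_u:system_r:pki_tps_t:s0 tclass=capability
type=AVC msg=audit(1245196800.456:46): avc:  denied  { sigkill } for  pid=1234 comm="httpd" scontext=system_u:system_r:pki_tps_t:s0 tcontext=system_u:system_r:pki_tps_t:s0 tclass=process
type=AVC msg=audit(1245196801.000:47): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/etc/shadow" dev=dm-0 ino=131 scontext=system_u:system_r:pki_ca_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1245196801.000:47): arch=c000003e syscall=4 success=no exit=-13'

# Emit one "source_type tclass perms" line per AVC denial in the log text
# given as $1. The source type is the third colon-separated field of
# scontext, which is what audit2allow turns into the rule's subject.
avc_denials() {
  printf '%s\n' "$1" | awk '
    /^type=AVC / && /avc: +denied/ {
      perms = $0
      sub(/.*denied +[{] /, "", perms)
      sub(/ [}].*/, "", perms)
      src = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, p, ":"); src = p[3] }
        if ($i ~ /^tclass=/) { cls = substr($i, 8) }
      }
      print src, cls, perms
    }'
}

# Number of AVC denials raised by source type $2 in log text $1. Zero after
# the policy update is the check comment 3 performs by hand.
count_domain_denials() {
  avc_denials "$1" | awk -v d="$2" '$1 == d { n++ } END { print n + 0 }'
}

# Distinct "tclass perms" pairs for source type $2: the permissions that
# audit2allow would fold into "allow <type> self:<tclass> { <perms> };".
domain_rule_summary() {
  avc_denials "$1" | awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print }' | sort -u
}

# Run against the constructed sample when executed directly.
count_domain_denials "$SAMPLE_AUDIT_LOG" pki_tps_t
domain_rule_summary "$SAMPLE_AUDIT_LOG" pki_tps_t
```

On a real host, replace the sample with `$(cat /var/log/audit/audit.log)` and a count of zero for pki_tps_t after installing the updated module confirms the fix the way comment 3 describes.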
