Bug 547471 - Apply PKI SELinux changes to PKI registry model
Summary: Apply PKI SELinux changes to PKI registry model
Keywords:
Status: CLOSED EOL
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: SELinux
Version: 1.3
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: freeipa20
 
Reported: 2009-12-14 18:39 UTC by Matthew Harmsen
Modified: 2020-03-27 18:36 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-27 18:36:10 UTC
Embargoed:


Attachments
patch to fix (1.89 KB, patch), 2009-12-17 20:35 UTC, Ade Lee
CS/IPA TIP changes for "base" (64 bytes, text/plain), 2010-01-12 01:49 UTC, Matthew Harmsen
CS/IPA TIP changes for "dogtag" (64 bytes, text/plain), 2010-01-12 01:54 UTC, Matthew Harmsen
CS/IPA TIP changes for "dogtag" (64 bytes, text/plain), 2010-01-12 22:22 UTC, Matthew Harmsen
CS/IPA TIP RA/TPS registry changes for "base" (64 bytes, text/plain), 2010-01-21 05:50 UTC, Matthew Harmsen
CS/IPA TIP RA/TPS registry changes for "dogtag" (64 bytes, text/plain), 2010-01-21 05:51 UTC, Matthew Harmsen
CS/IPA TIPS RA/TPS registry changes for "base" (52 bytes, text/plain), 2010-01-21 22:35 UTC, Matthew Harmsen
CS/IPA TIPS RA/TPS registry changes for "dogtag" (52 bytes, text/plain), 2010-01-21 22:36 UTC, Matthew Harmsen

Description Matthew Harmsen 2009-12-14 18:39:40 UTC
Make the registry changes associated with Bugzilla Bug #529070 - rpm packaging problems (cannot reinstall correctly) SELinux compliant.

Comment 1 Ade Lee 2009-12-17 20:35:53 UTC
Created attachment 379086 [details]
patch to fix

Easier than I originally thought ..

mharmsen, please review.

Comment 2 Matthew Harmsen 2009-12-17 23:31:05 UTC
I had questions regarding the following:

* /var/lock/pki/ca(/.*)?   --- this is an instance specific lockfile associated 
                               with each instance's pidfile
* /var/lock/subsys/pki-cad --- this is a subsystem specific lockfile associated 
                               with pki-cad (present when at least one instance
                               is running)
* /var/lib/<pki_ca_instance_name>/<pki_ca_instance_name> --- this is the legacy
                                                             "script" (which used
                                                             to be a symlink)

But after testing things out (running SELinux enabled and in enforcing mode and performing a "tail -f /var/log/audit/audit"), and speaking with nkinder of 389 (he informed me that there should not be a need for special labeling of our instance-specific lock files), I discovered that everything was working great!

# ls -lZ /var/lock/pki/ca/pki-ca.pid 
-rw-------. pkiuser pkiuser unconfined_u:object_r:var_lock_t:s0 /var/lock/pki/ca/pki-ca.pid

# ls -lZ /var/lock/subsys/pki-cad 
-rw-------. root root unconfined_u:object_r:var_lock_t:s0 /var/lock/subsys/pki-cad

# ls -lZ /var/lib/pki-ca/pki-ca
-rwxrwx---. root root system_u:object_r:pki_ca_var_lib_t:s0 /var/lib/pki-ca/pki-ca


attachment (id=379086) +mharmsen

Comment 3 Ade Lee 2009-12-18 01:50:48 UTC
[builder@dhcp231-70 base]$ svn ci -m "Bugzilla BZ 547571: Apply PKI SELinux changes to PKI registry model" 
Sending        base/ca/shared/conf/schema.ldif
Sending        base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
Sending        base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
Sending        base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
Sending        base/kra/shared/conf/schema.ldif
Sending        base/ocsp/shared/conf/schema.ldif
Sending        base/selinux/src/pki.fc
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        base/tks/shared/conf/schema.ldif
Transmitting file data ...........
Committed revision 894.

Accidentally committed changes for 547527 as well.  No problem.

Comment 4 Matthew Harmsen 2009-12-18 04:15:40 UTC
This feature has been fully documented at:

   * http://pki.fedoraproject.org/wiki/PKI_Registry

Comment 5 Matthew Harmsen 2010-01-12 01:49:09 UTC
Created attachment 383142 [details]
CS/IPA TIP changes for "base"

These base 'diffs' apply to the following CS/IPA bugs:
* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into
pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . .
* Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . .
* Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .

Comment 6 Matthew Harmsen 2010-01-12 01:54:12 UTC
Created attachment 383147 [details]
CS/IPA TIP changes for "dogtag"

These dogtag 'diffs' apply to the following CS/IPA bugs:
* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into
pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . .
* Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . .
* Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .

Comment 7 Ade Lee 2010-01-12 21:21:11 UTC
https://bugzilla.redhat.com/attachment.cgi?id=383136 alee+

https://bugzilla.redhat.com/attachment.cgi?id=383138 alee+ 

https://bugzilla.redhat.com/attachment.cgi?id=383139 alee+

https://bugzilla.redhat.com/attachment.cgi?id=383137  

The device "||:" in the scriptlets is used incorrectly.  According to
https://fedoraproject.org/wiki/Packaging:ScriptletSnippets:

Except in some really exceptional cases (if any), we want all scriptlets to
exit with the zero exit status. Because rpm in its default configuration does
not at the moment execute shell scriptlets with the -e argument to the shell,
excluding explicit exit calls (frowned upon with a non-zero argument!), the
exit status of the last command in a scriptlet determines its exit status. Most
commands in the snippets in this document have a "|| :" appended to them, which
is a generic trick to force the zero exit status for those commands whether
they worked or not. Usually the most important bit is to apply this to the last
command executed in a scriptlet, or to add a separate command such as plain ":"
or "exit 0" as the last one in a scriptlet.

In the patch provided, the "||:" is appended to some commands in the
scriptlets where it is not the last command.  Also, some scriptlets do not
include "||:" on the last command.
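
The rule quoted above can be checked directly. The following is an added example, not code from the bug report or the pki packages: it feeds constructed scriptlet bodies to a fresh /bin/sh (no -e, as rpm does) and reports the exit status rpm would see; the failing command is a stand-in for any install-time tool that might fail.

```shell
#!/bin/sh
# Added example, not from the bug report or the pki project: reproduces the
# rpm scriptlet rule quoted above. rpm runs scriptlets through the shell
# without -e, so the status of the *last* command is the scriptlet's status.

# Feed a scriptlet body to a fresh /bin/sh (no -e, as rpm does) and print the
# exit status rpm would see for it.
scriptlet_status() {
    if printf '%s\n' "$1" | /bin/sh; then
        echo 0
    else
        echo $?
    fi
}

# Constructed stand-in for a command that can fail at install time (e.g. a
# relabeling tool missing on the host). Any failing command behaves the same.
failing_cmd='false'

# Wrong: "|| :" guards an intermediate command while the last command is
# unguarded, so that command's failure becomes the scriptlet's failure.
scriptlet_wrong="
$failing_cmd || :
$failing_cmd
"

# Right: the last command carries "|| :". Note that the unguarded failure on
# the first line neither aborts the script (no -e) nor affects the result.
scriptlet_right="
$failing_cmd
$failing_cmd || :
"

# Also right: end the scriptlet with a plain ":" (or "exit 0").
scriptlet_trailing_colon="
$failing_cmd
:
"

wrong_status() { scriptlet_status "$scriptlet_wrong"; }
right_status() { scriptlet_status "$scriptlet_right"; }
colon_status() { scriptlet_status "$scriptlet_trailing_colon"; }

echo "|| : on intermediate command only -> $(wrong_status)"   # 1
echo "|| : on last command              -> $(right_status)"   # 0
echo "trailing ':' as last command      -> $(colon_status)"   # 0
```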

Comment 8 Matthew Harmsen 2010-01-12 22:22:34 UTC
Created attachment 383357 [details]
CS/IPA TIP changes for "dogtag"

These dogtag 'diffs' apply to the following CS/IPA bugs:
* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into
pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . .
* Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . .
* Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .
* Corrected "|| :" scriptlet logic

Comment 9 Ade Lee 2010-01-12 22:28:11 UTC
https://bugzilla.redhat.com/attachment.cgi?id=383356 alee+

Comment 10 Matthew Harmsen 2010-01-12 22:51:15 UTC
CS/IPA TIP:

# cd pki/base

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       selinux/src/pki.if
M       selinux/src/pki.fc
M       selinux/src/pki.te
M       setup/pkicreate
M       setup/pkicommon
D       tks/setup/postinstall
D       tks/shared/etc/init.d/httpd
A       tks/shared/etc/init.d/pki-tksd
M       tks/build.xml
D       ocsp/setup/postinstall
D       ocsp/shared/etc/init.d/httpd
A       ocsp/shared/etc/init.d/pki-ocspd
M       ocsp/build.xml
D       kra/setup/postinstall
A       kra/shared/etc/init.d/pki-krad
D       kra/shared/etc/init.d/httpd
M       kra/build.xml

# svn commit
Sending        base/kra/build.xml
Deleting       base/kra/setup/postinstall
Deleting       base/kra/shared/etc/init.d/httpd
Adding         base/kra/shared/etc/init.d/pki-krad
Sending        base/ocsp/build.xml
Deleting       base/ocsp/setup/postinstall
Deleting       base/ocsp/shared/etc/init.d/httpd
Adding         base/ocsp/shared/etc/init.d/pki-ocspd
Sending        base/selinux/src/pki.fc
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        base/setup/pkicommon
Sending        base/setup/pkicreate
Sending        base/tks/build.xml
Deleting       base/tks/setup/postinstall
Deleting       base/tks/shared/etc/init.d/httpd
Adding         base/tks/shared/etc/init.d/pki-tksd
Transmitting file data ...........
Committed revision 908.


# cd pki/dogtag

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       ca/pki-ca.spec
M       selinux/pki-selinux.spec
M       setup/pki-setup.spec
M       tks/pki-tks.spec
M       ocsp/pki-ocsp.spec
M       kra/pki-kra.spec

# svn commit
Sending        dogtag/ca/pki-ca.spec
Sending        dogtag/kra/pki-kra.spec
Sending        dogtag/ocsp/pki-ocsp.spec
Sending        dogtag/selinux/pki-selinux.spec
Sending        dogtag/setup/pki-setup.spec
Sending        dogtag/tks/pki-tks.spec
Transmitting file data ......
Committed revision 909.

Comment 11 Matthew Harmsen 2010-01-21 05:50:03 UTC
Created attachment 385852 [details]
CS/IPA TIP RA/TPS registry changes for "base"

These base 'diffs' apply to the following bugs:
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553076 - Apply "registry" logic to pki-ra . . .
* Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . .

Comment 12 Matthew Harmsen 2010-01-21 05:51:20 UTC
Created attachment 385853 [details]
CS/IPA TIP RA/TPS registry changes for "dogtag"

These dogtag 'diffs' apply to the following bugs:
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553076 - Apply "registry" logic to pki-ra . . .
* Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . .

Comment 13 Matthew Harmsen 2010-01-21 22:35:23 UTC
Created attachment 386036 [details]
CS/IPA TIPS RA/TPS registry changes for "base"

Per code review:

pki.if:
* removed the following lines from 'pki_tps_template':
  class dir search;
  class file read;
  class file open;
* removed the following lines from 'pki_ra_template':
  class dir search;
  class file read;
  class file open;

pkicommon:
* in 'create_user' changed:
  system( "$command" );
* to:
  my $report = "";
  ...
  $report = `$command`;
  if( $report ne "" ) {
      emit( "$report", "error" );
  }
* in 'create_group' changed:
      system( "$command" );
  to:
      my $report = "";
      ...
      $report = `$command`;
      if( $report ne "" ) {
          emit( "$report", "error" );
      }

pki-rad:
* removed the following lines from 'reload_instance()':
     # overwrite output from "killproc"
     echo -n $"Stopping ${prog}:                                        "
* from 'reload()' changed:
     echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
  to:
     echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):"

pki-tpsd:
* removed the following lines from 'reload_instance()':
     # overwrite output from "killproc"
     echo -n $"Stopping ${prog}:                                        "
* from 'reload()' changed:
     echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
  to:
     echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):"

Comment 14 Matthew Harmsen 2010-01-21 22:36:12 UTC
Created attachment 386037 [details]
CS/IPA TIPS RA/TPS registry changes for "dogtag"

Per code review:

pki-setup.spec:
* Made certain that ALL four bugs were referenced in the changelog.

pki-selinux.spec:
* Made certain that ALL four bugs were referenced in the changelog.

pki-ra.spec:
* Made certain that ALL four bugs were referenced in the changelog.

pki-tps.spec:
* Made certain that ALL four bugs were referenced in the changelog.
* Changed 'strip' to '%{__strip}'

Comment 16 Matthew Harmsen 2010-01-21 23:27:15 UTC
# cd pki/base

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       selinux/src/pki.if
M       selinux/src/pki.fc
M       selinux/src/pki.te
M       setup/pkicreate
M       setup/pkicommon
D       ra/setup/postinstall
M       ra/apache/conf/httpd.conf
D       ra/etc/init.d/httpd
A       ra/etc/init.d/pki-rad
M       ra/build.xml
M       tps/configure
M       tps/Makefile.in
M       tps/build.xml
M       tps/configure.ac
M       tps/setup_package
M       tps/apache/conf/httpd.conf
D       tps/setup/postinstall
M       tps/Makefile.am
D       tps/etc/init.d/httpd
A       tps/etc/init.d/pki-tpsd

# svn commit
Sending        base/ra/apache/conf/httpd.conf
Sending        base/ra/build.xml
Deleting       base/ra/etc/init.d/httpd
Adding         base/ra/etc/init.d/pki-rad
Deleting       base/ra/setup/postinstall
Sending        base/selinux/src/pki.fc
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        base/setup/pkicommon
Sending        base/setup/pkicreate
Sending        base/tps/Makefile.am
Sending        base/tps/Makefile.in
Sending        base/tps/apache/conf/httpd.conf
Sending        base/tps/build.xml
Sending        base/tps/configure
Sending        base/tps/configure.ac
Deleting       base/tps/etc/init.d/httpd
Adding         base/tps/etc/init.d/pki-tpsd
Deleting       base/tps/setup/postinstall
Sending        base/tps/setup_package
Transmitting file data ................
Committed revision 933.


# cd pki/dogtag

# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M       selinux/pki-selinux.spec
M       selinux/build_dogtag
M       setup/build_dogtag
M       setup/pki-setup.spec
M       ra/pki-ra.spec
M       tps/pki-tps.spec

# svn commit
Sending        dogtag/ra/pki-ra.spec
Sending        dogtag/selinux/build_dogtag
Sending        dogtag/selinux/pki-selinux.spec
Sending        dogtag/setup/build_dogtag
Sending        dogtag/setup/pki-setup.spec
Sending        dogtag/tps/pki-tps.spec
Transmitting file data ......
Committed revision 934.

Comment 18 Fedora Update System 2010-02-02 19:48:52 UTC
pki-setup-1.3.3-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/pki-setup-1.3.3-2.fc12

Comment 19 Fedora Update System 2010-02-23 05:26:33 UTC
pki-setup-1.3.3-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

