From 438285470610dee4aa6a56523df22307840ede87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 7 Sep 2020 11:07:21 +0200
Subject: [PATCH] SELinux Policy: let custodia replicate keys
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Enhance the SELinux policy so that custodia can replicate sub-CA keys
and certificates:
allow ipa_custodia_t self:tcp_socket { bind create };
allow ipa_custodia_t node_t:tcp_socket node_bind;
allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
allow ipa_custodia_t pki_tomcat_cert_t:file create;
allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
allow ipa_custodia_t self:process execmem;
Found by: test_replica_promotion::TestSubCAkeyReplication
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
selinux/ipa.te | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
|
2ff659 |
index c4c3fa805..3fa4ba980 100644
|
|
|
2ff659 |
--- a/selinux/ipa.te
|
|
|
2ff659 |
+++ b/selinux/ipa.te
|
|
|
2ff659 |
@@ -72,6 +72,9 @@ logging_log_file(ipa_custodia_log_t)
|
|
|
2ff659 |
type ipa_custodia_tmp_t;
|
|
|
2ff659 |
files_tmp_file(ipa_custodia_tmp_t)
|
|
|
2ff659 |
|
|
|
2ff659 |
+type pki_tomcat_cert_t;
|
|
|
2ff659 |
+type node_t;
|
|
|
2ff659 |
+
|
|
|
2ff659 |
########################################
|
|
|
2ff659 |
#
|
|
|
2ff659 |
# ipa_otpd local policy
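Review bot: The added `type pki_tomcat_cert_t;` and `type node_t;` lines declare these as new types owned by the ipa module, yet both are defined elsewhere (node_t in the base policy's corenetwork, pki_tomcat_cert_t in the pki module), and this file is clearly built against the refpolicy headers given `files_tmp_file` and `logging_log_file` on the surrounding lines. The idiomatic way to reference foreign types from a .te file is a require block, `require { type pki_tomcat_cert_t; type node_t; }`, or better the interfaces that wrap them so the declaration disappears entirely (`corenet_tcp_bind_generic_node(ipa_custodia_t)` covers the node_t rule added later in this patch). Whether a duplicate bare declaration is accepted depends on how the policy toolchain links the modules; even where it is tolerated, placing it in the module's type-declaration section misleads a reader into thinking ipa owns these types. If the bare declarations are kept, add a comment above them such as `# Owned by other modules; referenced by the custodia rules below, not defined here`.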
|
|
|
2ff659 |
@@ -323,10 +326,18 @@ optional_policy(`
|
|
|
2ff659 |
allow ipa_custodia_t self:capability { setgid setuid };
|
|
|
2ff659 |
allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
|
|
|
2ff659 |
allow ipa_custodia_t self:netlink_route_socket { create_socket_perms nlmsg_read };
|
|
|
2ff659 |
+allow ipa_custodia_t self:process execmem;
|
|
|
2ff659 |
allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
2ff659 |
allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
|
|
|
2ff659 |
+allow ipa_custodia_t self:tcp_socket { bind create };
|
|
|
2ff659 |
allow ipa_custodia_t self:udp_socket create_socket_perms;
|
|
|
2ff659 |
|
|
|
2ff659 |
+allow ipa_custodia_t node_t:tcp_socket node_bind;
|
|
|
2ff659 |
+
|
|
|
2ff659 |
+allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
|
|
|
2ff659 |
+allow ipa_custodia_t pki_tomcat_cert_t:file create;
|
|
|
2ff659 |
+allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
|
|
|
2ff659 |
+
|
|
|
2ff659 |
manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
|
|
|
2ff659 |
manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
|
|
|
2ff659 |
logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
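Review bot: `allow ipa_custodia_t self:process execmem;` lets the Custodia daemon, the process that handles sub-CA private keys, map anonymous memory writable and executable, which removes the W^X barrier that would otherwise contain a memory-corruption bug in it or in the Python libraries it loads. The commit message lists the rule but not what triggers the denial; if it originates in a library (a ctypes/libffi closure or a JIT) the durable fix belongs there, and if the access is only probed, `dontaudit ipa_custodia_t self:process execmem;` silences the log without granting the permission. At minimum the rule should carry a comment naming the component that needs it, e.g. `# execmem: required by <component> during sub-CA key replication (issue 8488); re-evaluate on update`. Separately, `pki_tomcat_cert_t:file create` only works if the directory also allows `add_name`/`write`, which this hunk does not add, so either those are granted elsewhere in ipa.te (not visible here) or the create will still be denied. The raw rules on node_t and pki_tomcat_cert_t would be more idiomatic as refpolicy interfaces, e.g. `corenet_tcp_bind_generic_node(ipa_custodia_t)`, which also removes the need for the bare `type` declarations added in the first hunk.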
--
2.26.2