rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   c706d03efc58df50f9ef5966ea33f81044000f2f
  2.   SOURCES
  3.   0019-SELinux-add-dedicated-policy-for-ipa-pki-retrieve-key-ipatests-enhance-TestSubCAkeyReplication_rhbz#1870202.patch
Blob History Raw
5144c6 
From 52929cbadf0252fcac1019b74663a2808061ea1b Mon Sep 17 00:00:00 2001
5144c6 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
5144c6 
Date: Thu, 17 Sep 2020 11:30:45 +0200
5144c6 
Subject: [PATCH] ipatests: enhance TestSubCAkeyReplication
5144c6 
MIME-Version: 1.0
5144c6 
Content-Type: text/plain; charset=UTF-8
5144c6 
Content-Transfer-Encoding: 8bit
5144c6
5144c6 
enhance the test suite so that it covers:
5144c6 
- deleting subCAs (disabling them first)
5144c6 
- checking what happens when creating a dozen+ subCAs at a time
5144c6 
- adding a subCA that already exists and expect failure
5144c6
5144c6 
Related: https://pagure.io/freeipa/issue/8488
5144c6 
Signed-off-by: François Cami <fcami@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
---
5144c6 
 .../test_replica_promotion.py                 | 52 +++++++++++++++++--
5144c6 
 1 file changed, 47 insertions(+), 5 deletions(-)
5144c6
5144c6 
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
5144c6 
index 82117054f..f0b72e1f8 100644
5144c6 
--- a/ipatests/test_integration/test_replica_promotion.py
5144c6 
+++ b/ipatests/test_integration/test_replica_promotion.py
5144c6 
@@ -474,17 +474,35 @@ class TestSubCAkeyReplication(IntegrationTest):
5144c6 
         SERVER_CERT_NICK: 'u,u,u',
5144c6 
     }
5144c6
5144c6 
-    def add_subca(self, host, name, subject):
5144c6 
+    def add_subca(self, host, name, subject, raiseonerr=True):
5144c6 
         result = host.run_command([
5144c6 
             'ipa', 'ca-add', name,
5144c6 
             '--subject', subject,
5144c6 
-            '--desc', self.SUBCA_DESC,
5144c6 
+            '--desc', self.SUBCA_DESC],
5144c6 
+            raiseonerr=raiseonerr
5144c6 
+        )
5144c6 
+        if raiseonerr:
5144c6 
+            assert "ipa: ERROR:" not in result.stderr_text
5144c6 
+            auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
5144c6 
+            return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
5144c6 
+        else:
5144c6 
+            assert "ipa: ERROR:" in result.stderr_text
5144c6 
+            assert result.returncode != 0
5144c6 
+            return result
5144c6 
+
5144c6 
+    def del_subca(self, host, name):
5144c6 
+        host.run_command([
5144c6 
+            'ipa', 'ca-disable', name
5144c6 
         ])
5144c6 
-        auth_id = "".join(re.findall(AUTH_ID_RE, result.stdout_text))
5144c6 
-        return '{} {}'.format(IPA_CA_NICKNAME, auth_id)
5144c6 
+        result = host.run_command([
5144c6 
+            'ipa', 'ca-del', name
5144c6 
+        ])
5144c6 
+        assert "Deleted CA \"{}\"".format(name) in result.stdout_text
5144c6
5144c6 
     def check_subca(self, host, name, cert_nick):
5144c6 
-        host.run_command(['ipa', 'ca-show', name])
5144c6 
+        result = host.run_command(['ipa', 'ca-show', name])
5144c6 
+        # ipa ca-show returns 0 even if the cert cannot be found locally.
5144c6 
+        assert "ipa: ERROR:" not in result.stderr_text
5144c6 
         tasks.run_certutil(
5144c6 
             host, ['-L', '-n', cert_nick], paths.PKI_TOMCAT_ALIAS_DIR
5144c6 
         )
5144c6 
@@ -627,6 +645,30 @@ class TestSubCAkeyReplication(IntegrationTest):
5144c6 
         ssl = replica.run_command(ssl_cmd)
5144c6 
         assert 'Issuer: CN = {}'.format(self.SUBCA_MASTER) in ssl.stdout_text
5144c6
5144c6 
+    def test_del_subca_master_on_replica(self):
5144c6 
+        self.del_subca(self.replicas[0], self.SUBCA_MASTER)
5144c6 
+
5144c6 
+    def test_del_subca_replica(self):
5144c6 
+        self.del_subca(self.replicas[0], self.SUBCA_REPLICA)
5144c6 
+
5144c6 
+    def test_scale_add_subca(self):
5144c6 
+        master = self.master
5144c6 
+        replica = self.replicas[0]
5144c6 
+
5144c6 
+        subcas = {}
5144c6 
+        for i in range(0, 16):
5144c6 
+            name = "_".join((self.SUBCA_MASTER, str(i)))
5144c6 
+            cn = "_".join((self.SUBCA_MASTER_CN, str(i)))
5144c6 
+            subcas[name] = self.add_subca(master, name, cn)
5144c6 
+            self.add_subca(master, name, cn, raiseonerr=False)
5144c6 
+
5144c6 
+        # give replication some time
5144c6 
+        time.sleep(15)
5144c6 
+
5144c6 
+        for name in subcas:
5144c6 
+            self.check_subca(replica, name, subcas[name])
5144c6 
+            self.del_subca(replica, name)
5144c6 
+
5144c6
5144c6 
 class TestReplicaInstallCustodia(IntegrationTest):
5144c6 
     """
5144c6 
--
5144c6 
2.26.2
5144c6
5144c6 
From 5a5962426d8174212f0b7efef1a9e53aaecb5901 Mon Sep 17 00:00:00 2001
5144c6 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
5144c6 
Date: Fri, 18 Sep 2020 11:55:37 +0200
5144c6 
Subject: [PATCH] SELinux: Add dedicated policy for ipa-pki-retrieve-key
5144c6 
MIME-Version: 1.0
5144c6 
Content-Type: text/plain; charset=UTF-8
5144c6 
Content-Transfer-Encoding: 8bit
5144c6
5144c6 
Add proper labeling, transition and policy for ipa-pki-retrieve-key.
5144c6 
Make sure tomcat_t can execute ipa-pki-retrieve-key.
5144c6
5144c6 
Fixes: https://pagure.io/freeipa/issue/8488
5144c6 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
5144c6 
Signed-off-by: François Cami <fcami@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
---
5144c6 
 selinux/ipa.fc |  1 +
5144c6 
 selinux/ipa.te | 28 ++++++++++++++++++++++++++++
5144c6 
 2 files changed, 29 insertions(+)
5144c6
5144c6 
diff --git a/selinux/ipa.fc b/selinux/ipa.fc
5144c6 
index a98cc4665..1176f383c 100644
5144c6 
--- a/selinux/ipa.fc
5144c6 
+++ b/selinux/ipa.fc
5144c6 
@@ -30,5 +30,6 @@
5144c6 
 /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat		--	gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
5144c6 
 /usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped	--	gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
5144c6 
 /usr/libexec/ipa/custodia/ipa-custodia-ra-agent		--	gen_context(system_u:object_r:ipa_custodia_ra_agent_exec_t,s0)
5144c6 
+/usr/libexec/ipa/ipa-pki-retrieve-key				--	gen_context(system_u:object_r:ipa_pki_retrieve_key_exec_t,s0)
5144c6
5144c6 
 /var/log/ipa-custodia.audit.log(/.*)?				--	gen_context(system_u:object_r:ipa_custodia_log_t,s0)
5144c6 
diff --git a/selinux/ipa.te b/selinux/ipa.te
5144c6 
index 3fa4ba980..26daed293 100644
5144c6 
--- a/selinux/ipa.te
5144c6 
+++ b/selinux/ipa.te
5144c6 
@@ -75,6 +75,9 @@ files_tmp_file(ipa_custodia_tmp_t)
5144c6 
 type pki_tomcat_cert_t;
5144c6 
 type node_t;
5144c6
5144c6 
+type ipa_pki_retrieve_key_exec_t;
5144c6 
+init_script_file(ipa_pki_retrieve_key_exec_t)
5144c6 
+
5144c6 
 ########################################
5144c6 
 #
5144c6 
 # ipa_otpd local policy
5144c6 
@@ -412,3 +415,28 @@ optional_policy(`
5144c6 
 optional_policy(`
5144c6 
        systemd_private_tmp(ipa_custodia_tmp_t)
5144c6 
 ')
5144c6 
+
5144c6 
+optional_policy(`
5144c6 
+    gen_require(`
5144c6 
+        type tomcat_t;
5144c6 
+    ')
5144c6 
+    can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
5144c6 
+    pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
5144c6 
+')
5144c6 
+
5144c6 
+optional_policy(`
5144c6 
+    gen_require(`
5144c6 
+        type devlog_t;
5144c6 
+    ')
5144c6 
+
5144c6 
+    dontaudit ipa_custodia_t devlog_t:lnk_file read_lnk_file_perms;
5144c6 
+')
5144c6 
+
5144c6 
+optional_policy(`
5144c6 
+    java_exec(ipa_custodia_pki_tomcat_exec_t)
5144c6 
+    # allow Java to read system status and RNG
5144c6 
+    dev_read_urand(ipa_custodia_t)
5144c6 
+    dev_read_rand(ipa_custodia_t)
5144c6 
+    kernel_read_network_state(ipa_custodia_t)
5144c6 
+    dev_read_sysfs(ipa_custodia_t)
5144c6 
+')
5144c6 
--
5144c6 
2.26.2
5144c6
5144c6 
From c126610ea6605a1ff36cecf2e2f5b2cb97130831 Mon Sep 17 00:00:00 2001
5144c6 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
5144c6 
Date: Fri, 18 Sep 2020 17:45:39 +0200
5144c6 
Subject: [PATCH] SELinux Policy: let custodia_t map custodia_tmp_t
5144c6 
MIME-Version: 1.0
5144c6 
Content-Type: text/plain; charset=UTF-8
5144c6 
Content-Transfer-Encoding: 8bit
5144c6
5144c6 
This is used by the JVM perf counters.
5144c6
5144c6 
Related: https://pagure.io/freeipa/issue/8488
5144c6 
Signed-off-by: François Cami <fcami@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
---
5144c6 
 selinux/ipa.te | 1 +
5144c6 
 1 file changed, 1 insertion(+)
5144c6
5144c6 
diff --git a/selinux/ipa.te b/selinux/ipa.te
5144c6 
index 26daed293..0a9ccaf83 100644
5144c6 
--- a/selinux/ipa.te
5144c6 
+++ b/selinux/ipa.te
5144c6 
@@ -347,6 +347,7 @@ logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
5144c6
5144c6 
 manage_dirs_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
5144c6 
 manage_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
5144c6 
+mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
5144c6 
 files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
5144c6
5144c6 
 kernel_dgram_send(ipa_custodia_t)
5144c6 
--
5144c6 
2.26.2
5144c6
5144c6 
From 310dbd6eec337f0747d73fa87363083a742fc5dc Mon Sep 17 00:00:00 2001
5144c6 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
5144c6 
Date: Mon, 21 Sep 2020 11:32:52 +0200
5144c6 
Subject: [PATCH] SELinux Policy: ipa_pki_retrieve_key_exec_t =>
5144c6 
 ipa_pki_retrieve_key_t
5144c6 
MIME-Version: 1.0
5144c6 
Content-Type: text/plain; charset=UTF-8
5144c6 
Content-Transfer-Encoding: 8bit
5144c6
5144c6 
Grant pki_manage_tomcat_etc_rw to ipa_pki_retrieve_key_t instead of
5144c6 
ipa_pki_retrieve_key_exec_t.
5144c6 
As suggested by Ondrej Mosnáček.
5144c6
5144c6 
Fixes: https://pagure.io/freeipa/issue/8488
5144c6 
Signed-off-by: François Cami <fcami@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
---
5144c6 
 selinux/ipa.te | 4 +++-
5144c6 
 1 file changed, 3 insertions(+), 1 deletion(-)
5144c6
5144c6 
diff --git a/selinux/ipa.te b/selinux/ipa.te
5144c6 
index 0a9ccaf83..92a3b2359 100644
5144c6 
--- a/selinux/ipa.te
5144c6 
+++ b/selinux/ipa.te
5144c6 
@@ -78,6 +78,8 @@ type node_t;
5144c6 
 type ipa_pki_retrieve_key_exec_t;
5144c6 
 init_script_file(ipa_pki_retrieve_key_exec_t)
5144c6
5144c6 
+type ipa_pki_retrieve_key_t;
5144c6 
+
5144c6 
 ########################################
5144c6 
 #
5144c6 
 # ipa_otpd local policy
5144c6 
@@ -422,7 +424,7 @@ optional_policy(`
5144c6 
         type tomcat_t;
5144c6 
     ')
5144c6 
     can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
5144c6 
-    pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_exec_t)
5144c6 
+    pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_t)
5144c6 
 ')
5144c6
5144c6 
 optional_policy(`
5144c6 
--
5144c6 
2.26.2
5144c6
5144c6 
From 0518c63768b50973f3d3129547f5b4b95335f4a8 Mon Sep 17 00:00:00 2001
5144c6 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
5144c6 
Date: Mon, 21 Sep 2020 11:37:12 +0200
5144c6 
Subject: [PATCH] SELinux Policy: ipa_custodia_pki_tomcat_exec_t =>
5144c6 
 ipa_custodia_pki_tomcat_t
5144c6 
MIME-Version: 1.0
5144c6 
Content-Type: text/plain; charset=UTF-8
5144c6 
Content-Transfer-Encoding: 8bit
5144c6
5144c6 
ipa_custodia_pki_tomcat_exec_t was granted java_exec by mistake ; replace by
5144c6 
ipa_custodia_pki_tomcat_t.
5144c6 
As suggested by Ondrej Mosnáček.
5144c6
5144c6 
Fixes: https://pagure.io/freeipa/issue/8488
5144c6 
Signed-off-by: François Cami <fcami@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
---
5144c6 
 selinux/ipa.te | 4 +++-
5144c6 
 1 file changed, 3 insertions(+), 1 deletion(-)
5144c6
5144c6 
diff --git a/selinux/ipa.te b/selinux/ipa.te
5144c6 
index 92a3b2359..b2c618a53 100644
5144c6 
--- a/selinux/ipa.te
5144c6 
+++ b/selinux/ipa.te
5144c6 
@@ -63,6 +63,8 @@ init_script_file(ipa_custodia_dmldap_exec_t)
5144c6 
 type ipa_custodia_pki_tomcat_exec_t;
5144c6 
 init_script_file(ipa_custodia_pki_tomcat_exec_t)
5144c6
5144c6 
+type ipa_custodia_pki_tomcat_t;
5144c6 
+
5144c6 
 type ipa_custodia_ra_agent_exec_t;
5144c6 
 init_script_file(ipa_custodia_ra_agent_exec_t)
5144c6
5144c6 
@@ -436,7 +438,7 @@ optional_policy(`
5144c6 
 ')
5144c6
5144c6 
 optional_policy(`
5144c6 
-    java_exec(ipa_custodia_pki_tomcat_exec_t)
5144c6 
+    java_exec(ipa_custodia_pki_tomcat_t)
5144c6 
     # allow Java to read system status and RNG
5144c6 
     dev_read_urand(ipa_custodia_t)
5144c6 
     dev_read_rand(ipa_custodia_t)
5144c6 
--
5144c6 
2.26.2
5144c6
5144c6 
From 25cf7af0d41bbd34621f37c95802675b42baeae9 Mon Sep 17 00:00:00 2001
5144c6 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
5144c6 
Date: Tue, 22 Sep 2020 11:36:13 +0200
5144c6 
Subject: [PATCH] SELinux Policy: flag ipa_pki_retrieve_key_exec_t as
5144c6 
 domain_type
5144c6 
MIME-Version: 1.0
5144c6 
Content-Type: text/plain; charset=UTF-8
5144c6 
Content-Transfer-Encoding: 8bit
5144c6
5144c6 
Fixes: https://pagure.io/freeipa/issue/8488
5144c6 
Signed-off-by: François Cami <fcami@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
---
5144c6 
 selinux/ipa.te | 1 +
5144c6 
 1 file changed, 1 insertion(+)
5144c6
5144c6 
diff --git a/selinux/ipa.te b/selinux/ipa.te
5144c6 
index b2c618a53..42b010133 100644
5144c6 
--- a/selinux/ipa.te
5144c6 
+++ b/selinux/ipa.te
5144c6 
@@ -78,6 +78,7 @@ type pki_tomcat_cert_t;
5144c6 
 type node_t;
5144c6
5144c6 
 type ipa_pki_retrieve_key_exec_t;
5144c6 
+domain_type(ipa_pki_retrieve_key_exec_t)
5144c6 
 init_script_file(ipa_pki_retrieve_key_exec_t)
5144c6
5144c6 
 type ipa_pki_retrieve_key_t;
5144c6 
--
5144c6 
2.26.2
5144c6
5144c6 
From 7ad04841245668e3126cb1718ef7ec1b744526e8 Mon Sep 17 00:00:00 2001
5144c6 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
5144c6 
Date: Tue, 22 Sep 2020 13:12:05 +0200
5144c6 
Subject: [PATCH] SELinux Policy: make interfaces for kernel modules
5144c6 
 non-optional
5144c6 
MIME-Version: 1.0
5144c6 
Content-Type: text/plain; charset=UTF-8
5144c6 
Content-Transfer-Encoding: 8bit
5144c6
5144c6 
Interfaces for kernel modules do not need to be in an optional module.
5144c6 
Also make sure ipa_custodia_t can log.
5144c6 
Suggested by Lukas Vrabec.
5144c6
5144c6 
Fixes: https://pagure.io/freeipa/issue/8488
5144c6 
Signed-off-by: François Cami <fcami@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
---
5144c6 
 selinux/ipa.te | 16 +++++++++-------
5144c6 
 1 file changed, 9 insertions(+), 7 deletions(-)
5144c6
5144c6 
diff --git a/selinux/ipa.te b/selinux/ipa.te
5144c6 
index 42b010133..f984a0f94 100644
5144c6 
--- a/selinux/ipa.te
5144c6 
+++ b/selinux/ipa.te
5144c6 
@@ -78,10 +78,9 @@ type pki_tomcat_cert_t;
5144c6 
 type node_t;
5144c6
5144c6 
 type ipa_pki_retrieve_key_exec_t;
5144c6 
-domain_type(ipa_pki_retrieve_key_exec_t)
5144c6 
-init_script_file(ipa_pki_retrieve_key_exec_t)
5144c6 
-
5144c6 
 type ipa_pki_retrieve_key_t;
5144c6 
+domain_type(ipa_pki_retrieve_key_t)
5144c6 
+init_script_file(ipa_pki_retrieve_key_exec_t)
5144c6
5144c6 
 ########################################
5144c6 
 #
5144c6 
@@ -356,6 +355,7 @@ mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
5144c6 
 files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
5144c6
5144c6 
 kernel_dgram_send(ipa_custodia_t)
5144c6 
+kernel_read_network_state(ipa_custodia_t)
5144c6
5144c6 
 auth_read_passwd(ipa_custodia_t)
5144c6
5144c6 
@@ -366,6 +366,10 @@ can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t)
5144c6 
 corecmd_exec_bin(ipa_custodia_t)
5144c6 
 corecmd_mmap_bin_files(ipa_custodia_t)
5144c6
5144c6 
+dev_read_urand(ipa_custodia_t)
5144c6 
+dev_read_rand(ipa_custodia_t)
5144c6 
+dev_read_sysfs(ipa_custodia_t)
5144c6 
+
5144c6 
 domain_use_interactive_fds(ipa_custodia_t)
5144c6
5144c6 
 files_mmap_usr_files(ipa_custodia_t)
5144c6 
@@ -377,6 +381,8 @@ files_read_etc_files(ipa_custodia_t)
5144c6 
 libs_exec_ldconfig(ipa_custodia_t)
5144c6 
 libs_ldconfig_exec_entry_type(ipa_custodia_t)
5144c6
5144c6 
+logging_send_syslog_msg(ipa_custodia_t)
5144c6 
+
5144c6 
 miscfiles_read_generic_certs(ipa_custodia_t)
5144c6 
 miscfiles_read_localization(ipa_custodia_t)
5144c6
5144c6 
@@ -441,8 +447,4 @@ optional_policy(`
5144c6 
 optional_policy(`
5144c6 
     java_exec(ipa_custodia_pki_tomcat_t)
5144c6 
     # allow Java to read system status and RNG
5144c6 
-    dev_read_urand(ipa_custodia_t)
5144c6 
-    dev_read_rand(ipa_custodia_t)
5144c6 
-    kernel_read_network_state(ipa_custodia_t)
5144c6 
-    dev_read_sysfs(ipa_custodia_t)
5144c6 
 ')
5144c6 
--
5144c6 
2.26.2
5144c6
5144c6 
From 6a31605c1d249416ed7627755bca23a1cc45a581 Mon Sep 17 00:00:00 2001
5144c6 
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
5144c6 
Date: Tue, 22 Sep 2020 13:34:40 +0200
5144c6 
Subject: [PATCH] SELinux Policy: Allow tomcat_t to read kerberos keytabs
5144c6 
MIME-Version: 1.0
5144c6 
Content-Type: text/plain; charset=UTF-8
5144c6 
Content-Transfer-Encoding: 8bit
5144c6
5144c6 
This is required to fix:
5144c6 
avc: denied  { search } for  pid=1930 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0
5144c6
5144c6 
Macros suggested by: Ondrej Mosnacek
5144c6
5144c6 
Fixes: https://pagure.io/freeipa/issue/8488
5144c6 
Signed-off-by: François Cami <fcami@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
5144c6 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
5144c6 
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
5144c6 
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
5144c6 
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
5144c6 
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
5144c6 
---
5144c6 
 selinux/ipa.te | 8 ++++++++
5144c6 
 1 file changed, 8 insertions(+)
5144c6
5144c6 
diff --git a/selinux/ipa.te b/selinux/ipa.te
5144c6 
index f984a0f94..fa577191c 100644
5144c6 
--- a/selinux/ipa.te
5144c6 
+++ b/selinux/ipa.te
5144c6 
@@ -448,3 +448,11 @@ optional_policy(`
5144c6 
     java_exec(ipa_custodia_pki_tomcat_t)
5144c6 
     # allow Java to read system status and RNG
5144c6 
 ')
5144c6 
+
5144c6 
+optional_policy(`
5144c6 
+    gen_require(`
5144c6 
+        type tomcat_t;
5144c6 
+    ')
5144c6 
+    kerberos_read_config(tomcat_t)
5144c6 
+    kerberos_read_keytab(tomcat_t)
5144c6 
+')
5144c6 
--
5144c6 
2.26.2
5144c6

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation