Incorporate SELinux policy changes introduced in Dogtag 10 in IPA
SELinux policy:
- dogtag10 now runs with pki_tomcat_t context instead of pki_ca_t
- certmonger-related rules are now integrated in system policy and
  can be removed from IPA policy

Also remove redundant SELinux rules for the connection of httpd_t, krb5kdc_t
or named_t to the DS socket. The socket has a different target type anyway
(dirsrv_var_run_t) and the policy allowing this is already in the
system policy.

https://fedorahosted.org/freeipa/ticket/3234

---

I tested an installation of IPA on F18 with SELinux enforcing mode and so far
so good. Unit tests passed, CRL generation still works, certmonger was still
able to resubmit a cert.

To verify the SELinux rules allowing access of httpd/krb5kdc/named to the dirsrv
socket, you can run this SELinux search:

sesearch -A -s httpd_t -t dirsrv_var_run_t -c sock_file -p write

I saw a few (benign?) AVCs not caused by this patch; I filed Bugzillas for those:

krb5: https://bugzilla.redhat.com/show_bug.cgi?id=873564
pki-ca: https://bugzilla.redhat.com/show_bug.cgi?id=873585

Martin

From 371ac8af4979336ea8daf0d0b26fe7b05dd09ce9 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Fri, 2 Nov 2012 12:58:40 +0100
Subject: [PATCH] Update SELinux policy for dogtag10

Incorporate SELinux policy changes introduced in Dogtag 10 in IPA
SELinux policy:
- dogtag10 now runs with pki_tomcat_t context instead of pki_ca_t
- certmonger-related rules are now integrated in system policy and
  can be removed from IPA policy

Also remove redundant SELinux rules for the connection of httpd_t, krb5kdc_t
or named_t to the DS socket. The socket has a different target type anyway
(dirsrv_var_run_t) and the policy allowing this is already in the
system policy.

https://fedorahosted.org/freeipa/ticket/3234
---
 selinux/ipa_dogtag/ipa_dogtag.te | 32 +++++++++++---------------------
 selinux/ipa_httpd/ipa_httpd.te   | 18 ++----------------
 2 files changed, 13 insertions(+), 37 deletions(-)

diff --git a/selinux/ipa_dogtag/ipa_dogtag.te b/selinux/ipa_dogtag/ipa_dogtag.te
index 1404e17ca6d40f6678fe15a1a371a7d004df3dba..713ea560b825851b60ae14e1c58d6155858d5b21 100644
--- a/selinux/ipa_dogtag/ipa_dogtag.te
+++ b/selinux/ipa_dogtag/ipa_dogtag.te
@@ -1,11 +1,8 @@
-module ipa_dogtag 1.5;
+module ipa_dogtag 2.0;
 
 require {
-	type httpd_t;
 	type cert_t;
-	type pki_ca_t;
-	type pki_ca_var_lib_t;
-	type certmonger_t;
+	type pki_tomcat_t;
 	class dir write;
 	class dir add_name;
 	class dir remove_name;
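Review bot: the new `type pki_tomcat_t;` in the require block means this module will no longer load on a host whose base policy does not define that type, whereas ipa_dogtag 1.5 loaded against pki_ca_t; the package that installs the module should declare the minimum selinux-policy version that ships pki_tomcat_t, and the commit message should name that version so the 2.0 bump is understood as a hard dependency change and not only a rule rename.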
@@ -23,23 +20,16 @@ require {
 }
 
 # Let dogtag write to cert_t directories
-allow pki_ca_t cert_t:dir write;
-allow pki_ca_t cert_t:dir add_name;
-allow pki_ca_t cert_t:dir remove_name;
+allow pki_tomcat_t cert_t:dir write;
+allow pki_tomcat_t cert_t:dir add_name;
+allow pki_tomcat_t cert_t:dir remove_name;
 
 # Let dogtag write cert_t files
-allow pki_ca_t cert_t:file create;
-allow pki_ca_t cert_t:file write;
-allow pki_ca_t cert_t:file rename;
+allow pki_tomcat_t cert_t:file create;
+allow pki_tomcat_t cert_t:file write;
+allow pki_tomcat_t cert_t:file rename;
 
 # Let dogtag manage cert_t symbolic links
-allow pki_ca_t cert_t:lnk_file create;
-allow pki_ca_t cert_t:lnk_file rename;
-allow pki_ca_t cert_t:lnk_file unlink;
-
-# Let apache read the CRLs
-allow httpd_t pki_ca_var_lib_t:dir { search getattr };
-
-# Let certmonger manage the dogtag certificate database for renewals
-allow certmonger_t pki_ca_var_lib_t:dir { search getattr} ;
-allow certmonger_t pki_ca_var_lib_t:file { read write getattr open };
+allow pki_tomcat_t cert_t:lnk_file create;
+allow pki_tomcat_t cert_t:lnk_file rename;
+allow pki_tomcat_t cert_t:lnk_file unlink;
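Review bot: the removal of the "Let apache read the CRLs" rule (`allow httpd_t pki_ca_var_lib_t:dir { search getattr };`) is not explained by the commit message, which covers only the pki_ca_t to pki_tomcat_t rename and the certmonger rules moving to the system policy. If httpd_t no longer needs to search the CA's var/lib directory, or the system policy now grants the equivalent against the pki_tomcat types, state that in the commit message; the cover letter's observation that CRL generation still works is the evidence a later reader will look for, and it belongs in the commit rather than the mail.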
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
index 65b161fe58cbe64c476fc6abb17b68d741d5d321..f0cc6daa69463bee77d436bf71f4274cdd74c355 100644
--- a/selinux/ipa_httpd/ipa_httpd.te
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -1,25 +1,11 @@
-module ipa_httpd 1.2;
+module ipa_httpd 2.0;
 
 require {
         type httpd_t;
-        type named_t;
-        type initrc_t;
-        type var_run_t;
-        type krb5kdc_t;
         type cert_t;
-        class sock_file write;
-        class unix_stream_socket connectto;
         class file write;
 }
 
-# Let Apache, bind and the KDC talk to DS over ldapi
-allow httpd_t var_run_t:sock_file write;
-allow httpd_t initrc_t:unix_stream_socket connectto;
-allow krb5kdc_t var_run_t:sock_file write;
-allow krb5kdc_t initrc_t:unix_stream_socket connectto;
-allow named_t var_run_t:sock_file write;
-allow named_t initrc_t:unix_stream_socket connectto;
-
 # Let Apache access the NSS certificate database so it can issue certs
-# See ipa_httpd.fe for the list of files that are granted write access
+# See ipa_httpd.fc for the list of files that are granted write access
 allow httpd_t cert_t:file write;
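Review bot: besides being redundant, the six removed allow lines were written against the generic var_run_t and initrc_t types rather than the dirsrv-specific ones, so they granted httpd_t, krb5kdc_t and named_t write on every var_run_t sock_file and connectto on every initrc_t unix_stream_socket; the commit message should say that dropping them also narrows the policy, not only that the system policy already covers the ldapi case. The `.fe` to `.fc` comment fix is unrelated cleanup and is fine to carry in the same commit if it is mentioned.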
-- 
1.7.11.7
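The cover letter verifies with sesearch that the system policy, not the IPA module, now grants httpd_t, krb5kdc_t and named_t write access to the dirsrv socket. The script below is an added example, not part of the patch or of the FreeIPA project's code: it wraps that check so all three domains are queried at once and the result is a pass/fail exit status rather than output to read by eye. It accepts both the setools 3 ("allow a b : c { p } ;") and setools 4 ("allow a b:c p;") output shapes. The function names, the `--live` switch and the sample output are my own; the sample lines are constructed, not captured from a real system, and deliberately omit the named_t write rule so the gap shows up.

```shell
#!/bin/sh
# Added example (not from the original patch or mail): confirm that the
# system policy allows the IPA client domains to write to the dirsrv
# ldapi socket (dirsrv_var_run_t:sock_file), the check the cover letter
# performs with sesearch. Names and sample output are assumptions.

# has_rule OUTPUT SRC TGT CLASS PERM -> exit 0 if an allow rule with that
# source, target, class and permission appears in OUTPUT (sesearch format,
# setools 3 or 4 style).
has_rule() {
    printf '%s\n' "$1" | grep -E \
        "^[[:space:]]*allow[[:space:]]+$2[[:space:]]+$3[[:space:]]*:[[:space:]]*$4[[:space:]]+([{][^}]*[[:space:]]$5[[:space:]][^}]*[}]|$5)[[:space:]]*;" \
        >/dev/null
}

# missing_sources OUTPUT -> prints, one per line, the IPA domains from the
# removed ipa_httpd rules that lack the write rule; prints nothing when all
# three are covered by the policy described in OUTPUT.
missing_sources() {
    for src in httpd_t krb5kdc_t named_t; do
        has_rule "$1" "$src" dirsrv_var_run_t sock_file write || echo "$src"
    done
}

# check_live: query the loaded policy with sesearch (same options as the
# cover letter, without -s so every source domain is listed). Exit 0 only
# when no domain is missing; 2 when sesearch is not installed.
check_live() {
    command -v sesearch >/dev/null 2>&1 || { echo "sesearch not installed" >&2; return 2; }
    out=$(sesearch -A -t dirsrv_var_run_t -c sock_file -p write 2>/dev/null)
    missing=$(missing_sources "$out")
    if [ -n "$missing" ]; then
        printf 'no dirsrv socket write rule for: %s\n' "$missing"
        return 1
    fi
    echo "httpd_t, krb5kdc_t and named_t may write to dirsrv_var_run_t:sock_file"
}

# Constructed sample output (not captured from a real host): named_t only
# has getattr, so it must be reported as missing.
SAMPLE='   allow httpd_t dirsrv_var_run_t : sock_file { write } ;
allow krb5kdc_t dirsrv_var_run_t:sock_file { getattr write };
allow named_t dirsrv_var_run_t:sock_file getattr;'

if [ "${1:-}" = "--live" ]; then
    check_live
else
    # Offline demonstration against the constructed sample: prints "named_t".
    missing_sources "$SAMPLE"
fi
```

Run it with `--live` on a host after loading the new modules to repeat the cover letter's verification for all three domains; without arguments it only exercises the parser against the constructed sample.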

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel