Add SELinux subpackage for nCipher nfast HSM support

A number of files that need to be managed by certmonger
have unconfined_u:object_r:pki_common_t:s0.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

Makefile.am

@@ -36,6 +36,7 @@ SUBDIRS = \
         po \
         pypi \
         selinux \
+        selinux/nfast \
         $(PYTHON_SUBDIRS) \
         $(SERVER_SUBDIRS) \
         $(NULL)

configure.ac

@@ -688,6 +688,7 @@ AC_CONFIG_FILES([
     po/Makefile.in
     po/Makefile.hack
     selinux/Makefile
+    selinux/nfast/Makefile
     util/Makefile
 ])
 

freeipa.spec.in

@@ -996,6 +996,16 @@ Requires(post):      selinux-policy-%{selinuxtype}
 
 %description selinux
 Custom SELinux policy module for FreeIPA
+
+%package selinux-nfast
+Summary:             FreeIPA SELinux policy for nCipher nfast HSMs
+BuildArch:           noarch
+Requires:            selinux-policy-%{selinuxtype}
+Requires(post):      selinux-policy-%{selinuxtype}
+%{?selinux_requires}
+
+%description selinux-nfast
+Custom SELinux policy module for nCipher nfast HSMs
 # with selinux
 %endif
 
@@ -1312,12 +1322,20 @@ fi
 semodule -d ipa_custodia &> /dev/null || true;
 %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
 
+%post selinux-nfast
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}-nfast.pp.bz2
+
 %postun selinux
 if [ $1 -eq 0 ]; then
     %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
     semodule -e ipa_custodia &> /dev/null || true;
 fi
 
+%postun selinux-nfast
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}-nfast
+fi
+
 %posttrans selinux
 %selinux_relabel_post -s %{selinuxtype}
 # with_selinux
@@ -1774,6 +1792,10 @@ fi
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
 %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+
+%files selinux-nfast
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}-nfast.pp.*
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}-nfast
 # with selinux
 %endif
 

selinux/nfast/Makefile.am

@@ -0,0 +1,33 @@
+SELINUXTYPE = targeted
+NULL =
+
+if BUILD_SELINUX_POLICY
+MODULE = ipa-nfast.pp.bz2
+MODULE_IF = ipa-nfast.if
+else
+MODULE =
+MODULE_IF =
+endif
+
+dist_noinst_DATA =	\
+	ipa-nfast.te	\
+	$(NULL)
+
+# selinuxincludedir = $(datarootdir)/selinux/devel/include/contrib
+# nodist_selinuxinclude_DATA = \
+#	$(MODULE_IF)			\
+#	$(NULL)
+
+selinuxpolicydir = $(datarootdir)/selinux/packages/$(SELINUXTYPE)
+nodist_selinuxpolicy_DATA =	\
+	$(MODULE)				\
+	$(NULL)
+
+%.pp.bz2: %.pp
+	bzip2 -f -9 $^
+
+%.pp: %.te
+	make -f $(selinux_makefile) $@
+
+clean-local:
+	rm -f *~  *.tc *.pp *.pp.bz2

selinux/nfast/ipa-nfast.te

@@ -0,0 +1,23 @@
+policy_module(ipa-nfast, 1.0.0)
+
+#
+# A transition can't be used here because it would apply to all
+# certmonger processes and it really just needs access to
+# /opt/nfast/kmdata/local/world to read the private key material.
+#
+
+require {
+    type certmonger_t;
+    type pki_common_t;
+    type initrc_t;
+    class file { create rename unlink write execute getattr open read map };
+    class dir { getattr open read search add_name remove_name write };
+    class sock_file write;
+    class unix_stream_socket connectto;
+}
+
+allow certmonger_t initrc_t:unix_stream_socket connectto;
+allow certmonger_t pki_common_t:dir { getattr open read search add_name remove_name write };
+allow certmonger_t pki_common_t:file { create rename unlink write execute getattr open read };
+allow certmonger_t pki_common_t:file map;
+allow certmonger_t pki_common_t:sock_file write;