Add SELinux subpackage for nCipher nfast HSM support
A number of files that need to be managed by certmonger are labelled unconfined_u:object_r:pki_common_t:s0. Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Showing
5 changed files
with
80 additions
and
0 deletions.
@@ -36,6 +36,7 @@ SUBDIRS = \ | |
po \ | ||
pypi \ | ||
selinux \ | ||
selinux/nfast \ | ||
$(PYTHON_SUBDIRS) \ | ||
$(SERVER_SUBDIRS) \ | ||
$(NULL) | ||
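--- /dev/null
+++ b/selinux/nfast/MAKEFILE-NAME-NOT-SHOWN
@@ -0,0 +1,33 @@
+SELINUXTYPE = targeted
+NULL =
+
+if BUILD_SELINUX_POLICY
+MODULE = ipa-nfast.pp.bz2
+MODULE_IF = ipa-nfast.if
+else
+MODULE =
+MODULE_IF =
+endif
+
+dist_noinst_DATA = \
+ipa-nfast.te \
+$(NULL)
+
+# selinuxincludedir = $(datarootdir)/selinux/devel/include/contrib
+# nodist_selinuxinclude_DATA = \
+# $(MODULE_IF) \
+# $(NULL)
+
+selinuxpolicydir = $(datarootdir)/selinux/packages/$(SELINUXTYPE)
+nodist_selinuxpolicy_DATA = \
+$(MODULE) \
+$(NULL)
+
+%.pp.bz2: %.pp
+	bzip2 -f -9 $^
+
+%.pp: %.te
+	make -f $(selinux_makefile) $@
+
+clean-local:
+	rm -f *~ *.tc *.pp *.pp.bz2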
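Review bot: The `%.pp: %.te` recipe invokes literal `make` instead of `$(MAKE)`, so the jobserver, `-j` and `-n` are not propagated to the sub-make that builds the policy module; `$(MAKE) -f $(selinux_makefile) $@`. `$(selinux_makefile)` is not defined anywhere in this file — presumably it is substituted by configure alongside BUILD_SELINUX_POLICY — and a one-line comment saying where it comes from would spare the next reader a search. The commented-out selinuxincludedir block is dead text; either drop it or replace it with a comment explaining why the interface file is not installed. `bzip2 -f -9 $^` relies on bzip2 naming its output `$@` and deleting the `.pp`; `$<` is the conventional reference for a single prerequisite and a comment noting the implicit output would make the rule's contract explicit.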
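--- /dev/null
+++ b/selinux/nfast/ipa-nfast.te
@@ -0,0 +1,23 @@
+policy_module(ipa-nfast, 1.0.0)
+
+#
+# A transition can't be used here because it would apply to all
+# certmonger processes and it really just needs access to
+# /opt/nfast/kmdata/local/world to read the private key material.
+#
+
+require {
+type certmonger_t;
+type pki_common_t;
+type initrc_t;
+class file { create rename unlink write execute getattr open read map };
+class dir { getattr open read search add_name remove_name write };
+class sock_file write;
+class unix_stream_socket connectto;
+}
+
+allow certmonger_t initrc_t:unix_stream_socket connectto;
+allow certmonger_t pki_common_t:dir { getattr open read search add_name remove_name write };
+allow certmonger_t pki_common_t:file { create rename unlink write execute getattr open read };
+allow certmonger_t pki_common_t:file map;
+allow certmonger_t pki_common_t:sock_file write;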
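Review bot: The third `allow` grants certmonger_t `create`/`write`/`rename` together with `execute` (plus `map` on the next line) on every pki_common_t file, while the header comment only justifies read access to /opt/nfast/kmdata/local/world, so the execute and map permissions have no stated reason; if an nfast helper needs them, a comment naming that need lets a later reviewer tell them apart from an audit2allow artefact, and if not, dropping `execute` removes a write-then-execute path inside the domain. Because the rules are keyed on type rather than path they cover all pki_common_t files, not just the nfast world file — worth saying so in the header comment, or narrowing with a dedicated type if the labelling mentioned in the description can be changed. The `connectto` on initrc_t sockets also deserves a line saying which socket certmonger talks to, since initrc_t is a broad domain. The separate `map` line is presumably split out for compatibility with policies that lack that permission; a comment would confirm it.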