[tog-pegasus] Add cimprovagt wrapper for possibility of confining providers in SELinux, update README.RedHat.Secur

vcrhonek vcrhonek at fedoraproject.org
Tue Dec 18 12:43:19 UTC 2012


commit 791a514f5724ec8bde62b5d2dce90c96aa466b56
Author: Vitezslav Crhonek <vcrhonek at redhat.com>
Date:   Tue Dec 18 13:43:09 2012 +0100

    Add cimprovagt wrapper for possibility of confining providers in SELinux, update README.RedHat.Security accordingly, add provider specific wrapper example

 README.RedHat.Security                             |   12 ++++++++++++
 cimprovagt-wrapper.sh                              |   15 +++++++++++++++
 ...Base_OperatingSystemProvider-cimprovagt.example |    3 +++
 tog-pegasus.spec                                   |   20 +++++++++++++++++---
 4 files changed, 47 insertions(+), 3 deletions(-)
---
diff --git a/README.RedHat.Security b/README.RedHat.Security
index cf5a60e..9bc19c0 100644
--- a/README.RedHat.Security
+++ b/README.RedHat.Security
@@ -64,6 +64,18 @@
    may modify the repository, and only the pegasus_exec_conf_t context may modify the pegasus 
    configuration files which are of pegasus_conf_t file context.
 
+   It is also possible to have separate SELinux policy for each provider. Create wrapper
+   in '/usr/libexec/pegasus' with its own specific SELinux label for each confined provider.
+   The wrapper file name has to be in specific format '$MODULE-cimprovagt' (where $MODULE is
+   value of PG_ProviderModule.ModuleGroupName as set during registration of the provider).
+
+   Original Pegasus's cimprovagt binary was moved to '/usr/libexec/pegasus/cimprovagt',
+   '/usr/sbin/cimprovagt' is simple shell script now, which passes all arguments to provider specific
+   wrapper if it exists or directly to original cimprovagt in other cases.
+
+   See example wrapper for Operating System Provider from sblim-cmpi-base package (which instruments
+   Linux_OperatingSystem class):
+   cmpiOSBase_OperatingSystemProvider-cimprovagt.example
 
  ExecShield
  ~~~~~~~~~~
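Review bot: the new README text names the wrapper '$MODULE-cimprovagt' but never says where $MODULE comes from; since cimprovagt-wrapper.sh takes it from the fifth argument cimserver passes to cimprovagt, state that here so packagers know the dispatch key, and add a sentence on how the "own specific SELinux label" is meant to be applied (a file context for the wrapper plus a policy module defining the domain transition on it), because the label alone isolates nothing unless the policy transitions on it. Grammar: "Create wrapper" reads better as "Create a wrapper", and "Original Pegasus's cimprovagt binary was moved" as "The original Pegasus cimprovagt binary has been moved".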
diff --git a/cimprovagt-wrapper.sh b/cimprovagt-wrapper.sh
new file mode 100644
index 0000000..f6648f0
--- /dev/null
+++ b/cimprovagt-wrapper.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+   
+# simple wrapper for Pegasus's cimprovagt
+# which allows providers to have separate
+# SELinux policy
+# see README.RedHat.Security for more info
+    
+provcimprovagt=/usr/libexec/pegasus/"$5"-cimprovagt
+     
+if [[ -x "$provcimprovagt" ]]
+then
+  "$provcimprovagt" "$@"
+else
+  /usr/libexec/pegasus/cimprovagt "$@"
+fi
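Review bot: provcimprovagt is built from "$5" without validation, so a ModuleGroupName containing '/' or '..' makes the computed path resolve outside /usr/libexec/pegasus; guard the value (for example `case "$5" in ""|*/*|.|..) provcimprovagt=;; esac`, or test that "${5//[^A-Za-z0-9_.-]/}" equals "$5") and fall through to the stock cimprovagt when it fails. The test should also be `[[ -f "$provcimprovagt" && -x "$provcimprovagt" ]]`, since `-x` alone is true for a searchable directory. Prefer `exec "$provcimprovagt" "$@"` and `exec /usr/libexec/pegasus/cimprovagt "$@"` so the shell does not linger as an extra parent between cimserver and the agent and signals and the exit status reach the real cimprovagt directly. The blank lines in the file carry trailing whitespace.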
diff --git a/cmpiOSBase_OperatingSystemProvider-cimprovagt.example b/cmpiOSBase_OperatingSystemProvider-cimprovagt.example
new file mode 100755
index 0000000..68a2000
--- /dev/null
+++ b/cmpiOSBase_OperatingSystemProvider-cimprovagt.example
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+/usr/libexec/pegasus/cimprovagt "$@"
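Review bot: the example is a verbatim passthrough with no indication of how it is meant to be used; add a comment header stating that it is installed as /usr/libexec/pegasus/cmpiOSBase_OperatingSystemProvider-cimprovagt with its own SELinux file context, and use `exec /usr/libexec/pegasus/cimprovagt "$@"` for the same reason as in the generic wrapper, so that copies made from this example start out correct.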
diff --git a/tog-pegasus.spec b/tog-pegasus.spec
index 17d8527..d9a93a7 100644
--- a/tog-pegasus.spec
+++ b/tog-pegasus.spec
@@ -8,7 +8,7 @@
 
 Name:           tog-pegasus
 Version:        %{major_ver}.0
-Release:        8%{?dist}
+Release:        9%{?dist}
 Epoch:          2
 Summary:        OpenPegasus WBEM Services for Linux
 
@@ -28,6 +28,10 @@ Source4:        tog-pegasus.tmpfiles
 Source5:        tog-pegasus.service
 #  6: This file controls access to the Pegasus services by users with the PAM pam_access module
 Source6:        access.conf
+#  7: Simple wrapper for Pegasus's cimprovagt - because of confining providers in SELinux
+Source7:        cimprovagt-wrapper.sh
+#  8: Example wrapper confining Operating System Provider from sblim-cmpi-base package
+Source8:        cmpiOSBase_OperatingSystemProvider-cimprovagt.example
 
 #  1: http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5011
 #     Removing insecure -rpath
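Review bot: the Source7 comment "because of confining providers in SELinux" reads as if confinement were the reason the wrapper exists rather than its purpose; "to allow confining providers in SELinux" is clearer. The Source8 comment could also say that the example ships as documentation only (it is copied to doc and listed under %doc), so a reader of the spec does not expect the Operating System Provider to be confined by default.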
@@ -206,6 +210,7 @@ cp -fp %SOURCE1 doc
 cp -fp %SOURCE2 rpm
 cp -fp %SOURCE3 doc
 cp -fp %SOURCE6 rpm
+cp -fp %SOURCE8 doc
 
 export PEGASUS_ROOT=%PEGASUS_RPM_ROOT
 export PEGASUS_HOME=%PEGASUS_RPM_HOME
@@ -269,6 +274,9 @@ rm -rf $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{major_ver}
 pushd $RPM_BUILD_ROOT/usr/%{_lib}
 ln -s libcmpiCppImpl.so.1 libcmpiCppImpl.so
 popd
+mkdir -p $RPM_BUILD_ROOT/%{_libexecdir}/pegasus
+mv $RPM_BUILD_ROOT/%{_sbindir}/cimprovagt $RPM_BUILD_ROOT/%{_libexecdir}/pegasus
+install -p -m 0755 %{SOURCE7} $RPM_BUILD_ROOT/%{_sbindir}/cimprovagt
 
 
 %check
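Review bot: moving the real cimprovagt from %{_sbindir} to %{_libexecdir}/pegasus changes the path that SELinux file-context rules match, so verify that any selinux-policy entry for /usr/sbin/cimprovagt is updated for the new location; otherwise the moved binary is labelled by the generic libexec rule while the shell wrapper installed at /usr/sbin/cimprovagt inherits whatever context that path had, which can break the existing transition. Style: `$RPM_BUILD_ROOT/%{_libexecdir}/pegasus` yields a double slash because %{_libexecdir} already starts with one; `$RPM_BUILD_ROOT%{_libexecdir}/pegasus` matches the convention used elsewhere in the spec.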
@@ -317,10 +325,11 @@ make prestarttests
 %defattr(0755, root, pegasus, 0755)
 /usr/sbin/*
 /usr/bin/*
+%{_libexecdir}/pegasus/
 %defattr(0644, root, pegasus, 0755)
 /usr/share/man/man8/*
 /usr/share/man/man1/*
-%doc doc/license.txt doc/Admin_Guide_Release.pdf doc/PegasusSSLGuidelines.htm doc/SecurityGuidelinesForDevelopers.html doc/README.RedHat.Security src/Clients/repupgrade/doc/repupgrade.html doc/README.RedHat.SSL
+%doc doc/license.txt doc/Admin_Guide_Release.pdf doc/PegasusSSLGuidelines.htm doc/SecurityGuidelinesForDevelopers.html doc/README.RedHat.Security src/Clients/repupgrade/doc/repupgrade.html doc/README.RedHat.SSL doc/cmpiOSBase_OperatingSystemProvider-cimprovagt.example
 
 %files devel
 %defattr(0644,root,pegasus,0755)
@@ -459,7 +468,12 @@ fi
 
 
 %changelog
-* Thu Dec 06 2012 Vitezslav Crhonek <vcrhonek at redhat.com> - .0-8
+* Tue Dec 18 2012 Vitezslav Crhonek <vcrhonek at redhat.com> - 2:2.12.0-9
+- Add cimprovagt wrapper for possibility of confining providers in SELinux,
+  update README.RedHat.Security accordingly, add provider specific wrapper
+  example
+
+* Thu Dec 06 2012 Vitezslav Crhonek <vcrhonek at redhat.com> - 2:2.12.0-8
 - Fix tracing of CMPI messages with CMPI_DEV_DEBUG severity
   Resolves: #883395
 

