[tog-pegasus] Add cimprovagt wrapper for possibility of confining providers in SELinux, update README.RedHat.Secur
vcrhonek
vcrhonek at fedoraproject.org
Tue Dec 18 12:43:19 UTC 2012
commit 791a514f5724ec8bde62b5d2dce90c96aa466b56
Author: Vitezslav Crhonek <vcrhonek at redhat.com>
Date: Tue Dec 18 13:43:09 2012 +0100
Add cimprovagt wrapper for possibility of confining providers in SELinux, update README.RedHat.Security accordingly, add provider specific wrapper example
README.RedHat.Security | 12 ++++++++++++
cimprovagt-wrapper.sh | 15 +++++++++++++++
...Base_OperatingSystemProvider-cimprovagt.example | 3 +++
tog-pegasus.spec | 20 +++++++++++++++++---
4 files changed, 47 insertions(+), 3 deletions(-)
---
diff --git a/README.RedHat.Security b/README.RedHat.Security
index cf5a60e..9bc19c0 100644
--- a/README.RedHat.Security
+++ b/README.RedHat.Security
@@ -64,6 +64,18 @@
may modify the repository, and only the pegasus_exec_conf_t context may modify the pegasus
configuration files which are of pegasus_conf_t file context.
+ It is also possible to have separate SELinux policy for each provider. Create wrapper
+ in '/usr/libexec/pegasus' with its own specific SELinux label for each confined provider.
+ The wrapper file name has to be in specific format '$MODULE-cimprovagt' (where $MODULE is
+ value of PG_ProviderModule.ModuleGroupName as set during registration of the provider).
+
+ Original Pegasus's cimprovagt binary was moved to '/usr/libexec/pegasus/cimprovagt',
+ '/usr/sbin/cimprovagt' is simple shell script now, which passes all arguments to provider specific
+ wrapper if it exists or directly to original cimprovagt in other cases.
+
+ See example wrapper for Operating System Provider from sblim-cmpi-base package (which instruments
+ Linux_OperatingSystem class):
+ cmpiOSBase_OperatingSystemProvider-cimprovagt.example
ExecShield
~~~~~~~~~~
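Review bot: the naming rule on the line "+ The wrapper file name has to be in specific format '$MODULE-cimprovagt'" should also say where the wrapper gets $MODULE from; the accompanying cimprovagt-wrapper.sh reads it from its fifth positional argument, and that coupling to cimprovagt's argument order belongs in the README so that anyone writing a provider-specific wrapper (or changing how cimserver invokes cimprovagt) knows what the lookup depends on. It is also worth stating that /usr/libexec/pegasus has to remain root-owned and not writable by the pegasus user, because any executable there whose name matches '$MODULE-cimprovagt' is run in place of cimprovagt. Minor wording: "separate SELinux policy" -> "a separate SELinux policy", "Create wrapper" -> "Create a wrapper", "is simple shell script now" -> "is now a simple shell script", "See example wrapper" -> "See the example wrapper".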
diff --git a/cimprovagt-wrapper.sh b/cimprovagt-wrapper.sh
new file mode 100644
index 0000000..f6648f0
--- /dev/null
+++ b/cimprovagt-wrapper.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# simple wrapper for Pegasus's cimprovagt
+# which allows providers to have separate
+# SELinux policy
+# see README.RedHat.Security for more info
+
+provcimprovagt=/usr/libexec/pegasus/"$5"-cimprovagt
+
+if [[ -x "$provcimprovagt" ]]
+then
+ "$provcimprovagt" "$@"
+else
+ /usr/libexec/pegasus/cimprovagt "$@"
+fi
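Review bot: "$5" is used as the provider module name on the line `+provcimprovagt=/usr/libexec/pegasus/"$5"-cimprovagt` with no comment and no validation. Suggest a comment naming the argument (the README calls it $MODULE, i.e. PG_ProviderModule.ModuleGroupName) and a guard that falls back to the stock cimprovagt when the value is empty or contains a slash, so the lookup can only ever resolve to a file directly inside /usr/libexec/pegasus, e.g. `case "$5" in ""|*/*) exec /usr/libexec/pegasus/cimprovagt "$@";; esac` before the test. Also prefer `exec "$provcimprovagt" "$@"` and `exec /usr/libexec/pegasus/cimprovagt "$@"` in the two branches: without exec a bash process stays between cimserver and the provider agent, so the PID cimserver tracks is the wrapper rather than the agent, and bash does not forward signals such as SIGTERM to a foreground child.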
diff --git a/cmpiOSBase_OperatingSystemProvider-cimprovagt.example b/cmpiOSBase_OperatingSystemProvider-cimprovagt.example
new file mode 100755
index 0000000..68a2000
--- /dev/null
+++ b/cmpiOSBase_OperatingSystemProvider-cimprovagt.example
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+/usr/libexec/pegasus/cimprovagt "$@"
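Review bot: the example does not say what makes it different from calling cimprovagt directly. According to README.RedHat.Security the confinement comes from the wrapper file carrying its own SELinux label (and the policy transitioning on it), but nothing here documents which file context the file must be installed with or that the provider's policy module is expected to supply it; a comment header stating that, and that the body is intentionally a plain pass-through, would make the example usable on its own. Use `exec /usr/libexec/pegasus/cimprovagt "$@"` so the agent replaces the wrapper process instead of running as its child.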
diff --git a/tog-pegasus.spec b/tog-pegasus.spec
index 17d8527..d9a93a7 100644
--- a/tog-pegasus.spec
+++ b/tog-pegasus.spec
@@ -8,7 +8,7 @@
Name: tog-pegasus
Version: %{major_ver}.0
-Release: 8%{?dist}
+Release: 9%{?dist}
Epoch: 2
Summary: OpenPegasus WBEM Services for Linux
@@ -28,6 +28,10 @@ Source4: tog-pegasus.tmpfiles
Source5: tog-pegasus.service
# 6: This file controls access to the Pegasus services by users with the PAM pam_access module
Source6: access.conf
+# 7: Simple wrapper for Pegasus's cimprovagt - because of confining providers in SELinux
+Source7: cimprovagt-wrapper.sh
+# 8: Example wrapper confining Operating System Provider from sblim-cmpi-base package
+Source8: cmpiOSBase_OperatingSystemProvider-cimprovagt.example
# 1: http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5011
# Removing insecure -rpath
@@ -206,6 +210,7 @@ cp -fp %SOURCE1 doc
cp -fp %SOURCE2 rpm
cp -fp %SOURCE3 doc
cp -fp %SOURCE6 rpm
+cp -fp %SOURCE8 doc
export PEGASUS_ROOT=%PEGASUS_RPM_ROOT
export PEGASUS_HOME=%PEGASUS_RPM_HOME
@@ -269,6 +274,9 @@ rm -rf $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{major_ver}
pushd $RPM_BUILD_ROOT/usr/%{_lib}
ln -s libcmpiCppImpl.so.1 libcmpiCppImpl.so
popd
+mkdir -p $RPM_BUILD_ROOT/%{_libexecdir}/pegasus
+mv $RPM_BUILD_ROOT/%{_sbindir}/cimprovagt $RPM_BUILD_ROOT/%{_libexecdir}/pegasus
+install -p -m 0755 %{SOURCE7} $RPM_BUILD_ROOT/%{_sbindir}/cimprovagt
%check
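Review bot: the `mv` of cimprovagt into $RPM_BUILD_ROOT/%{_libexecdir}/pegasus changes the path that SELinux file-context rules match, and the new wrapper now sits at %{_sbindir}/cimprovagt. Since the whole change exists to get per-provider labelling, confirm that the policy's file contexts cover both the relocated binary and the wrapper, otherwise the moved binary is labelled from the directory default rather than as a cimprovagt executable. Also note that cimprovagt-wrapper.sh hard-codes /usr/libexec/pegasus while this spec uses %{_libexecdir}; either substitute the macro into the script at install time (for example with sed) or document in the script that the path is fixed.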
@@ -317,10 +325,11 @@ make prestarttests
%defattr(0755, root, pegasus, 0755)
/usr/sbin/*
/usr/bin/*
+%{_libexecdir}/pegasus/
%defattr(0644, root, pegasus, 0755)
/usr/share/man/man8/*
/usr/share/man/man1/*
-%doc doc/license.txt doc/Admin_Guide_Release.pdf doc/PegasusSSLGuidelines.htm doc/SecurityGuidelinesForDevelopers.html doc/README.RedHat.Security src/Clients/repupgrade/doc/repupgrade.html doc/README.RedHat.SSL
+%doc doc/license.txt doc/Admin_Guide_Release.pdf doc/PegasusSSLGuidelines.htm doc/SecurityGuidelinesForDevelopers.html doc/README.RedHat.Security src/Clients/repupgrade/doc/repupgrade.html doc/README.RedHat.SSL doc/cmpiOSBase_OperatingSystemProvider-cimprovagt.example
%files devel
%defattr(0644,root,pegasus,0755)
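Review bot: the example wrapper is shipped as %doc on the line `+%doc ... doc/cmpiOSBase_OperatingSystemProvider-cimprovagt.example`, but it is checked in with mode 100755 and copied with `cp -fp`, so it lands executable under /usr/share/doc; documentation files should not carry the executable bit (drop it in the source or install it 0644). Separately, `+%{_libexecdir}/pegasus/` under `%defattr(0755, root, pegasus, 0755)` makes tog-pegasus own the whole directory, so provider packages that drop `$MODULE-cimprovagt` wrappers there as the README describes must list only their own files (or co-own the directory); a short comment in the spec would save the next packager the guess.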
@@ -459,7 +468,12 @@ fi
%changelog
-* Thu Dec 06 2012 Vitezslav Crhonek <vcrhonek at redhat.com> - .0-8
+* Tue Dec 18 2012 Vitezslav Crhonek <vcrhonek at redhat.com> - 2:2.12.0-9
+- Add cimprovagt wrapper for possibility of confining providers in SELinux,
+ update README.RedHat.Security accordingly, add provider specific wrapper
+ example
+
+* Thu Dec 06 2012 Vitezslav Crhonek <vcrhonek at redhat.com> - 2:2.12.0-8
- Fix tracing of CMPI messages with CMPI_DEV_DEBUG severity
Resolves: #883395