[pki-core/f16] Resolves Ticket #310 - Dogtag 9: Rebuild official PKI packages as necessary . . .
awnuk
awnuk at fedoraproject.org
Wed Sep 5 23:22:54 UTC 2012
commit 5e1acc41b07d7c528caa2f90f64e6314a3d9b60a
Author: Andrew Wnuk <awnuk at redhat.com>
Date: Wed Sep 5 16:20:37 2012 -0700
Resolves Ticket #310 - Dogtag 9: Rebuild official PKI packages as necessary . . .
.gitignore | 1 +
pki-core-selinux-Dogtag-9-f17-1.patch | 36 ---------------------
pki-core-selinux-Dogtag-9-f17-2.patch | 55 +++++++++++++++++++++++++++++++++
pki-core.spec | 11 +++++-
sources | 2 +-
5 files changed, 66 insertions(+), 39 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index b82a102..d39a4d0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,3 +13,4 @@
/pki-core-9.0.18.tar.gz
/pki-core-9.0.19.tar.gz
/pki-core-9.0.20.tar.gz
+/pki-core-9.0.22.tar.gz
diff --git a/pki-core-selinux-Dogtag-9-f17-2.patch b/pki-core-selinux-Dogtag-9-f17-2.patch
new file mode 100644
index 0000000..d8ecc5b
--- /dev/null
+++ b/pki-core-selinux-Dogtag-9-f17-2.patch
@@ -0,0 +1,55 @@
+diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
+index 0709176..7c20ef0 100644
+--- a/pki/base/selinux/src/pki.if
++++ b/pki/base/selinux/src/pki.if
+@@ -38,12 +38,18 @@ template(`pki_ca_template',`
+ gen_require(`
+ type java_exec_t;
+ type initrc_t;
++ type tomcat_exec_t;
++ type tomcat_cache_t;
+ ')
+ domtrans_pattern($1_script_t, java_exec_t, $1_t)
+
+ role system_r types $1_script_t;
+ allow $1_t java_exec_t:file entrypoint;
+ allow initrc_t $1_script_t:process transition;
++ can_exec($1_t, tomcat_exec_t)
++ miscfiles_read_hwdata($1_t)
++ allow pki_ca_t tomcat_cache_t:dir {getattr search};
++ #tomcat_search_cache($1_t)
+
+ type $1_etc_rw_t, pki_ca_config;
+ files_type($1_etc_rw_t)
+@@ -206,6 +212,21 @@ template(`pki_ca_template',`
+ optional_policy(`
+ unconfined_domain($1_script_t)
+ ')
++
++ # tomcat6 init scripts do runuser and touch lockfile
++ allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };
++ allow $1_t self:netlink_audit_socket { nlmsg_relay create read write };
++ consoletype_exec($1_t)
++ fs_read_hugetlbfs_files($1_t)
++ hostname_exec($1_t)
++ kernel_read_kernel_sysctls($1_t)
++ fs_getattr_xattr_fs($1_t)
++
++ # java (mislabeled as lib_t?) calls build_classpath
++ libs_exec_lib_files($1_t)
++
++ selinux_get_enforce_mode($1_t)
++
+ ')
+
+ ########################################
+diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
+index 089859c..99ec98e 100644
+--- a/pki/base/selinux/src/pki.te
++++ b/pki/base/selinux/src/pki.te
+@@ -1,4 +1,4 @@
+-policy_module(pki,9.0.2)
++policy_module(pki,9.0.5)
+
+ attribute pki_ca_config;
+ attribute pki_ca_executable;
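Review bot: `allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };` in the second pki.if hunk gives the service domain DAC bypass and uid/gid switching for as long as it runs, while the comment above it says the need comes only from the tomcat6 init script doing runuser and touching a lockfile. Because `can_exec($1_t, tomcat_exec_t)` keeps that script in `$1_t`, the domain entered through `java_exec_t`, these startup-only privileges appear to stay with the Java process as well; a separate domain transition for `tomcat_exec_t`, or at least dropping `dac_override` by fixing the lockfile's ownership, would keep the CA domain narrower. In the first pki.if hunk, `allow pki_ca_t tomcat_cache_t:dir {getattr search};` hard-codes `pki_ca_t` inside a template whose other rules use `$1_t`, so any other instantiation of the template would not receive it; `allow $1_t tomcat_cache_t:dir { getattr search };` would match the commented-out `tomcat_search_cache($1_t)` beneath it. Both template bodies start and end outside the lines shown, so rules elsewhere in `pki_ca_template` may already cover part of this.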
diff --git a/pki-core.spec b/pki-core.spec
index b761011..be0f587 100644
--- a/pki-core.spec
+++ b/pki-core.spec
@@ -1,5 +1,5 @@
Name: pki-core
-Version: 9.0.20
+Version: 9.0.22
Release: 1%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
@@ -49,7 +49,7 @@ BuildRequires: tomcatjss >= 2.0.0
Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz
Patch0: %{name}-selinux-Dogtag-9-f16.patch
-Patch1: %{name}-selinux-Dogtag-9-f17-1.patch
+Patch1: %{name}-selinux-Dogtag-9-f17-2.patch
%if 0%{?rhel}
ExcludeArch: ppc ppc64 s390 s390x
@@ -749,6 +749,13 @@ fi
%changelog
+* Wed Aug 22 2012 Ade Lee <alee at redhat.com> 9.0.22-1
+- Reverted selinux changes that broke f16 selinux policy.
+- Reapplied those changes as a modified patch to f17 build.
+
+* Fri Jul 20 2012 Ade Lee <alee at redhat.com> 9.0.21-1
+- Bugzilla Bug #841996 - latest selinux policy fix breaks dogtag
+
* Mon May 7 2012 Andrew Wnuk <awnuk at redhat.com> 9.0.20-1
- New official build
diff --git a/sources b/sources
index 7fbf8e3..0e02697 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-d2949c00af2b57de0d67601224cb6745 pki-core-9.0.20.tar.gz
+1d5e5b361653f22c0fb4eb9e88c25e98 pki-core-9.0.22.tar.gz