sharing between dogtag and Apache

Dominick Grift domg472 at gmail.com
Mon Aug 24 19:19:17 UTC 2009


On Mon, Aug 24, 2009 at 02:23:08PM -0400, Rob Crittenden wrote:
> I'm running dogtag, a certificate server, which can publish CRLs. Right  
> now I'm writing them within the dogtag context which writes the files as  
> pki_ca_var_lib_t.
>
> I want to make these available from within Apache so I did:
>
> Alias /ipa/crl /var/lib/pki-ca/publish
>
> Trouble is Apache can't read the files. The simplest route is to simply  
> grant httpd read/search/getattr access to the directory and files. I've  
> got that working now.
>
> This grants Apache the rights to read anything in there though, not  
> really the best solution.
>
> Can I create a new label, say pki_ca_publish_t, and use that to share  
> between the two? How might I go about doing that?

I am not very experienced with this specific matter, but in theory the following may work:

So let's assume dogtag creates stuff in /var/lib/pki-ca/ with type pki_ca_var_lib_t.
If you can direct dogtag to create the specific files that you want Apache to have access to in, for example, /var/lib/pki-ca/mystuff,
then you could, in theory, create a new filetrans pattern.

You'd specify a context for /var/lib/pki-ca/mystuff:
/var/lib/pki-ca/mystuff(/.*)? gen_context(system_u:object_r:pki_ca_mystuff_var_lib_t, s0)
restorecon -R -v /var/lib/pki-ca/
(assuming the mystuff dir is already there; also check whether this actually works, it might conflict with the pki-ca dir specification)

You'd also need a custom filetrans rule:
# module header so this builds as a .te file with the devel Makefile (name is an example)
policy_module(pki_ca_mystuff, 1.0)

require { type domain_that_needs_to_create_the_stuff_t, pki_ca_var_lib_t; }

type pki_ca_mystuff_var_lib_t;
files_type(pki_ca_mystuff_var_lib_t)

# the creating domain may create, read, write and delete files of the new type
manage_files_pattern(domain_that_needs_to_create_the_stuff_t, pki_ca_mystuff_var_lib_t, pki_ca_mystuff_var_lib_t)
# files the domain creates inside a pki_ca_var_lib_t directory get the new type
filetrans_pattern(domain_that_needs_to_create_the_stuff_t, pki_ca_var_lib_t, pki_ca_mystuff_var_lib_t, file)

In theory dogtag (or domain_that_needs_to_create_the_stuff_t) will create files in /var/lib/pki-ca/mystuff with type pki_ca_mystuff_var_lib_t.

This would mean that you do not have to give Apache read access to pki_ca_var_lib_t files, but instead to pki_ca_mystuff_var_lib_t.

Whether this theory actually works in practice depends on whether you can direct dogtag (or whatever creates these things) to create the ones shared with Apache in another location, and on whether you can specify a different context for this location.

So in practice this may not be so easy to accomplish.

hth
>
> thanks
>
> rob



> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
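A complete module for the approach sketched in the reply above, as an added example that is not from the thread: a shell script that writes the .te and .fc files (including the read-only side for httpd_t, which the reply leaves out) and builds them with the refpolicy devel Makefile. It assumes dogtag runs as pki_ca_t and publishes into /var/lib/pki-ca/publish (the path from Rob's Alias line); the module name pki_ca_publish and the type name pki_ca_publish_t are the ones suggested in the question.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes dogtag runs as pki_ca_t
# (check with: ps -eZ | grep pki) and publishes to /var/lib/pki-ca/publish.
MODULE=pki_ca_publish
PUBLISH_DIR=/var/lib/pki-ca/publish

# Type enforcement source: a dedicated type for published CRLs. dogtag
# manages it; httpd gets read/search/getattr on it, not on pki_ca_var_lib_t.
gen_te() {
    cat <<'EOF'
policy_module(pki_ca_publish, 1.0)

require {
    type pki_ca_t, pki_ca_var_lib_t, httpd_t;
}

type pki_ca_publish_t;
files_type(pki_ca_publish_t)

# dogtag creates and rewrites the CRL files under the publish directory
manage_dirs_pattern(pki_ca_t, pki_ca_publish_t, pki_ca_publish_t)
manage_files_pattern(pki_ca_t, pki_ca_publish_t, pki_ca_publish_t)
# If dogtag itself creates the publish dir inside pki_ca_var_lib_t, label it.
# Caveat: this applies to every dir pki_ca_t creates there; if the publish
# dir already exists, drop this line and rely on the .fc label alone.
filetrans_pattern(pki_ca_t, pki_ca_var_lib_t, pki_ca_publish_t, dir)

# Apache: traverse /var/lib/pki-ca, then read-only access to published files
search_dirs_pattern(httpd_t, pki_ca_var_lib_t, pki_ca_var_lib_t)
list_dirs_pattern(httpd_t, pki_ca_publish_t, pki_ca_publish_t)
read_files_pattern(httpd_t, pki_ca_publish_t, pki_ca_publish_t)
EOF
}

# File contexts: label the publish tree so restorecon sets the new type.
gen_fc() {
    printf '%s(/.*)?\tgen_context(system_u:object_r:pki_ca_publish_t,s0)\n' "$PUBLISH_DIR"
}

# Build with the refpolicy devel Makefile, load the module, relabel (as root).
build_and_install() {
    gen_te > "$MODULE.te"
    gen_fc > "$MODULE.fc"
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$MODULE.pp"
    restorecon -R -v "$PUBLISH_DIR"
}

if [ "${1:-}" = "install" ]; then build_and_install; fi
```

Run as `sh pki_ca_publish.sh install` on the CA host; afterwards `ls -Z /var/lib/pki-ca/publish` should show pki_ca_publish_t and Apache's denials for that path should disappear from the audit log.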