Add cimprovagt wrapper for possibility of confining providers in SELinux, update README.RedHat.Security accordingly, add provider specific wrapper example

This commit is contained in:
Vitezslav Crhonek 2012-12-18 13:43:09 +01:00
parent 59552ff23b
commit 791a514f57
4 changed files with 47 additions and 3 deletions

@ -64,6 +64,18 @@
may modify the repository, and only the pegasus_exec_conf_t context may modify the pegasus
configuration files which are of pegasus_conf_t file context.
It is also possible to have separate SELinux policy for each provider. Create wrapper
in '/usr/libexec/pegasus' with its own specific SELinux label for each confined provider.
The wrapper file name has to be in specific format '$MODULE-cimprovagt' (where $MODULE is
value of PG_ProviderModule.ModuleGroupName as set during registration of the provider).
Original Pegasus's cimprovagt binary was moved to '/usr/libexec/pegasus/cimprovagt',
'/usr/sbin/cimprovagt' is simple shell script now, which passes all arguments to provider specific
wrapper if it exists or directly to original cimprovagt in other cases.
See example wrapper for Operating System Provider from sblim-cmpi-base package (which instruments
Linux_OperatingSystem class):
cmpiOSBase_OperatingSystemProvider-cimprovagt.example
ExecShield
~~~~~~~~~~
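Review bot: the README paragraph should state the fallback behaviour explicitly, because the confinement guarantee depends on it: the new `/usr/sbin/cimprovagt` looks for `/usr/libexec/pegasus/$MODULE-cimprovagt` and, when that file is absent or not executable, silently runs the original binary, so a provider that an administrator intended to confine runs in the default provider-agent context with no warning. Suggest adding a sentence along the lines of "If no wrapper exists for a module, the request falls back to /usr/libexec/pegasus/cimprovagt and the provider runs in the default context", and saying that the `.example` file is installed under the package's documentation directory and has to be copied to `/usr/libexec/pegasus` and given its own file context before it has any effect. Minor: a blank line before the `ExecShield` heading would keep the section layout consistent with the rest of the file.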

cimprovagt-wrapper.sh (new file, 15 lines)

@ -0,0 +1,15 @@
#!/bin/bash
# simple wrapper for Pegasus's cimprovagt
# which allows providers to have separate
# SELinux policy
# see README.RedHat.Security for more info
provcimprovagt=/usr/libexec/pegasus/"$5"-cimprovagt
if [[ -x "$provcimprovagt" ]]
then
"$provcimprovagt" "$@"
else
/usr/libexec/pegasus/cimprovagt "$@"
fi
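Review bot: the wrapper builds the path from `"$5"` without checking that it is a bare module name; a value containing `/` would make `provcimprovagt` resolve outside `/usr/libexec/pegasus`, and `[[ -x "$provcimprovagt" ]]` would then run whatever is there. Add a guard before the test, for example `case "$5" in */*|.|..|'') exec /usr/libexec/pegasus/cimprovagt "$@";; esac`, and document in a comment that the fifth argument is assumed to carry the `PG_ProviderModule.ModuleGroupName` value the README refers to, since nothing in the script says so. Also prefer `exec "$provcimprovagt" "$@"` and `exec /usr/libexec/pegasus/cimprovagt "$@"` so the shell is replaced rather than remaining as an extra parent between cimserver and the agent; that keeps signal delivery and exit status identical to the original binary.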

@ -0,0 +1,3 @@
#!/bin/bash
/usr/libexec/pegasus/cimprovagt "$@"
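Review bot: the example wrapper carries no comment saying what it is for, where it has to be installed, or that its whole effect comes from the SELinux label on the installed file, so someone copying it out of the doc directory gets a script that is indistinguishable from a plain pass-through. Suggest a header comment naming the target path `/usr/libexec/pegasus/cmpiOSBase_OperatingSystemProvider-cimprovagt`, the class it covers (`Linux_OperatingSystem` from sblim-cmpi-base, as the README says), and the need to apply the provider-specific file context after installing; and use `exec /usr/libexec/pegasus/cimprovagt "$@"` for the same reason as in the generic wrapper.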

@ -8,7 +8,7 @@
Name: tog-pegasus
Version: %{major_ver}.0
Release: 8%{?dist}
Release: 9%{?dist}
Epoch: 2
Summary: OpenPegasus WBEM Services for Linux
@ -28,6 +28,10 @@ Source4: tog-pegasus.tmpfiles
Source5: tog-pegasus.service
# 6: This file controls access to the Pegasus services by users with the PAM pam_access module
Source6: access.conf
# 7: Simple wrapper for Pegasus's cimprovagt - because of confining providers in SELinux
Source7: cimprovagt-wrapper.sh
# 8: Example wrapper confining Operating System Provider from sblim-cmpi-base package
Source8: cmpiOSBase_OperatingSystemProvider-cimprovagt.example
# 1: http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5011
# Removing insecure -rpath
@ -206,6 +210,7 @@ cp -fp %SOURCE1 doc
cp -fp %SOURCE2 rpm
cp -fp %SOURCE3 doc
cp -fp %SOURCE6 rpm
cp -fp %SOURCE8 doc
export PEGASUS_ROOT=%PEGASUS_RPM_ROOT
export PEGASUS_HOME=%PEGASUS_RPM_HOME
@ -269,6 +274,9 @@ rm -rf $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{major_ver}
pushd $RPM_BUILD_ROOT/usr/%{_lib}
ln -s libcmpiCppImpl.so.1 libcmpiCppImpl.so
popd
mkdir -p $RPM_BUILD_ROOT/%{_libexecdir}/pegasus
mv $RPM_BUILD_ROOT/%{_sbindir}/cimprovagt $RPM_BUILD_ROOT/%{_libexecdir}/pegasus
install -p -m 0755 %{SOURCE7} $RPM_BUILD_ROOT/%{_sbindir}/cimprovagt
%check
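Review bot: moving the real binary from `%{_sbindir}/cimprovagt` to `%{_libexecdir}/pegasus/cimprovagt` changes the path that SELinux file-context rules match on; unless the policy already labels the libexec location, the original agent gets a generic label and runs in a different domain than before, while the shell script now sitting at `/usr/sbin/cimprovagt` inherits whatever context that path carried. Confirm the file contexts for both paths against the policy that ships alongside this release before the update goes out, and record the dependency in the changelog. Minor: `%{SOURCE7}` uses the braced form while the neighbouring `cp -fp %SOURCE8 doc` lines use `%SOURCEn`; pick one style.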
@ -317,10 +325,11 @@ make prestarttests
%defattr(0755, root, pegasus, 0755)
/usr/sbin/*
/usr/bin/*
%{_libexecdir}/pegasus/
%defattr(0644, root, pegasus, 0755)
/usr/share/man/man8/*
/usr/share/man/man1/*
%doc doc/license.txt doc/Admin_Guide_Release.pdf doc/PegasusSSLGuidelines.htm doc/SecurityGuidelinesForDevelopers.html doc/README.RedHat.Security src/Clients/repupgrade/doc/repupgrade.html doc/README.RedHat.SSL
%doc doc/license.txt doc/Admin_Guide_Release.pdf doc/PegasusSSLGuidelines.htm doc/SecurityGuidelinesForDevelopers.html doc/README.RedHat.Security src/Clients/repupgrade/doc/repupgrade.html doc/README.RedHat.SSL doc/cmpiOSBase_OperatingSystemProvider-cimprovagt.example
%files devel
%defattr(0644,root,pegasus,0755)
@ -459,7 +468,12 @@ fi
%changelog
* Thu Dec 06 2012 Vitezslav Crhonek <vcrhonek@redhat.com> - .0-8
* Tue Dec 18 2012 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.12.0-9
- Add cimprovagt wrapper for possibility of confining providers in SELinux,
update README.RedHat.Security accordingly, add provider specific wrapper
example
* Thu Dec 06 2012 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.12.0-8
- Fix tracing of CMPI messages with CMPI_DEV_DEBUG severity
Resolves: #883395