Add cimprovagt wrapper for the possibility of confining providers in SELinux, update README.RedHat.Security accordingly, add provider-specific wrapper example
This commit is contained in: parent 59552ff23b, commit 791a514f57
@ -64,6 +64,18 @@
may modify the repository, and only the pegasus_exec_conf_t context may modify the pegasus
configuration files which are of pegasus_conf_t file context.
It is also possible to have separate SELinux policy for each provider. Create wrapper
in '/usr/libexec/pegasus' with its own specific SELinux label for each confined provider.
The wrapper file name has to be in specific format '$MODULE-cimprovagt' (where $MODULE is
value of PG_ProviderModule.ModuleGroupName as set during registration of the provider).
Original Pegasus's cimprovagt binary was moved to '/usr/libexec/pegasus/cimprovagt',
'/usr/sbin/cimprovagt' is simple shell script now, which passes all arguments to provider specific
wrapper if it exists or directly to original cimprovagt in other cases.
See example wrapper for Operating System Provider from sblim-cmpi-base package (which instruments
Linux_OperatingSystem class):
cmpiOSBase_OperatingSystemProvider-cimprovagt.example
ExecShield
~~~~~~~~~~
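Review bot: the new README paragraphs tell the admin to create a wrapper "with its own specific SELinux label" but never say that the label alone confines nothing: a policy module has to define the provider domain and the type transition from the cimserver domain on execution of that wrapper, and the file context has to be applied (chcon, or a fcontext rule plus restorecon) after the file is copied into /usr/libexec/pegasus. The text also states the name must be '$MODULE-cimprovagt' with $MODULE taken from PG_ProviderModule.ModuleGroupName, but does not say which cimprovagt argument the /usr/sbin/cimprovagt script keys on or what happens for a module registered without a group name; stating that an unmatched name falls back to the unconfined /usr/libexec/pegasus/cimprovagt (as the next paragraph implies) makes the contract checkable. Since the example is shipped under %doc, the README should add that it must be copied into /usr/libexec/pegasus, made executable and relabelled before it takes effect.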
cimprovagt-wrapper.sh (new file, 15 lines)
@ -0,0 +1,15 @@
#!/bin/bash
# simple wrapper for Pegasus's cimprovagt
# which allows providers to have separate
# SELinux policy
# see README.RedHat.Security for more info
provcimprovagt=/usr/libexec/pegasus/"$5"-cimprovagt
if [[ -x "$provcimprovagt" ]]
then
"$provcimprovagt" "$@"
else
/usr/libexec/pegasus/cimprovagt "$@"
fi
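Review bot: neither branch uses `exec`, so the real agent runs as a child of bash (`"$provcimprovagt" "$@"` and `/usr/libexec/pegasus/cimprovagt "$@"`); the pid cimserver forked is a bash process that stays resident for the agent's whole lifetime, and a signal sent to that pid lands on bash rather than on the agent. Prefix both invocations with `exec` so the shell is replaced and the pid and exit status cimserver sees belong to cimprovagt itself. Separately, `$5` is used with no comment on which cimprovagt argument it is (README.RedHat.Security says the name comes from PG_ProviderModule.ModuleGroupName) and with no validation: a value containing '/' or '..' makes `provcimprovagt` resolve outside /usr/libexec/pegasus. Document the argument and reject such names before the `-x` test, e.g. `case "$5" in ''|*/*) exec /usr/libexec/pegasus/cimprovagt "$@";; esac`.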
cmpiOSBase_OperatingSystemProvider-cimprovagt.example (new executable file, 3 lines)
@ -0,0 +1,3 @@
#!/bin/bash
/usr/libexec/pegasus/cimprovagt "$@"
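Review bot: nothing in this example says what does the confining, so a reader copying it will assume the script body matters; add a comment stating that the confinement comes from the SELinux file context assigned to this wrapper and the policy domain it transitions into, and that it has to be installed as /usr/libexec/pegasus/cmpiOSBase_OperatingSystemProvider-cimprovagt to match a module group of that name. The single command should also be `exec /usr/libexec/pegasus/cimprovagt "$@"` so the agent replaces the shell instead of running under it.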
@ -8,7 +8,7 @@
Name: tog-pegasus
Version: %{major_ver}.0
Release: 8%{?dist}
Release: 9%{?dist}
Epoch: 2
Summary: OpenPegasus WBEM Services for Linux
@ -28,6 +28,10 @@ Source4: tog-pegasus.tmpfiles
Source5: tog-pegasus.service
# 6: This file controls access to the Pegasus services by users with the PAM pam_access module
Source6: access.conf
# 7: Simple wrapper for Pegasus's cimprovagt - because of confining providers in SELinux
Source7: cimprovagt-wrapper.sh
# 8: Example wrapper confining Operating System Provider from sblim-cmpi-base package
Source8: cmpiOSBase_OperatingSystemProvider-cimprovagt.example
# 1: http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5011
# Removing insecure -rpath
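Review bot: the Source7 comment does not say where the wrapper ends up; further down the spec installs it as %{_sbindir}/cimprovagt in place of the binary that moves to %{_libexecdir}/pegasus, and "because of confining providers in SELinux" will not tell the next maintainer that /usr/sbin/cimprovagt is no longer the real agent. Suggest: `# 7: Shell wrapper installed as /usr/sbin/cimprovagt; dispatches to a per-provider wrapper in /usr/libexec/pegasus for SELinux confinement`.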
@ -206,6 +210,7 @@ cp -fp %SOURCE1 doc
cp -fp %SOURCE2 rpm
cp -fp %SOURCE3 doc
cp -fp %SOURCE6 rpm
cp -fp %SOURCE8 doc
export PEGASUS_ROOT=%PEGASUS_RPM_ROOT
export PEGASUS_HOME=%PEGASUS_RPM_HOME
@ -269,6 +274,9 @@ rm -rf $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{major_ver}
pushd $RPM_BUILD_ROOT/usr/%{_lib}
ln -s libcmpiCppImpl.so.1 libcmpiCppImpl.so
popd
mkdir -p $RPM_BUILD_ROOT/%{_libexecdir}/pegasus
mv $RPM_BUILD_ROOT/%{_sbindir}/cimprovagt $RPM_BUILD_ROOT/%{_libexecdir}/pegasus
install -p -m 0755 %{SOURCE7} $RPM_BUILD_ROOT/%{_sbindir}/cimprovagt
%check
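Review bot: the `mv` of $RPM_BUILD_ROOT/%{_sbindir}/cimprovagt into %{_libexecdir}/pegasus changes the path of the real provider agent, but nothing in this change (no Requires on a selinux-policy version, no %post relabel, no note in README.RedHat.Security) ensures the moved binary and the bash script now installed at %{_sbindir}/cimprovagt carry the file contexts the policy expects. If the policy keys the agent domain transition on /usr/sbin/cimprovagt, that rule now applies to a shell script while the binary in %{_libexecdir}/pegasus gets whatever the default libexec rule gives it. Confirm the matching file-context rules exist in selinux-policy and record the required version in the spec or the README.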
@ -317,10 +325,11 @@ make prestarttests
%defattr(0755, root, pegasus, 0755)
/usr/sbin/*
/usr/bin/*
%{_libexecdir}/pegasus/
%defattr(0644, root, pegasus, 0755)
/usr/share/man/man8/*
/usr/share/man/man1/*
%doc doc/license.txt doc/Admin_Guide_Release.pdf doc/PegasusSSLGuidelines.htm doc/SecurityGuidelinesForDevelopers.html doc/README.RedHat.Security src/Clients/repupgrade/doc/repupgrade.html doc/README.RedHat.SSL
%doc doc/license.txt doc/Admin_Guide_Release.pdf doc/PegasusSSLGuidelines.htm doc/SecurityGuidelinesForDevelopers.html doc/README.RedHat.Security src/Clients/repupgrade/doc/repupgrade.html doc/README.RedHat.SSL doc/cmpiOSBase_OperatingSystemProvider-cimprovagt.example
%files devel
%defattr(0644,root,pegasus,0755)
@ -459,7 +468,12 @@ fi
%changelog
* Thu Dec 06 2012 Vitezslav Crhonek <vcrhonek@redhat.com> - .0-8
* Tue Dec 18 2012 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.12.0-9
- Add cimprovagt wrapper for possibility of confining providers in SELinux,
update README.RedHat.Security accordingly, add provider specific wrapper
example
* Thu Dec 06 2012 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.12.0-8
- Fix tracing of CMPI messages with CMPI_DEV_DEBUG severity
Resolves: #883395