rpms/tog-pegasus
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Add cimprovagt wrapper for possibility of confining providers in SELinux, update README.RedHat.Security accordingly, add provider specific wrapper example

Browse Source
This commit is contained in:
Vitezslav Crhonek 2012-12-18 13:43:09 +01:00
parent 59552ff23b
commit 791a514f57
4 changed files with 47 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
README.RedHat.Security
View File

@ -64,6 +64,18 @@
may modify the repository, and only the pegasus_exec_conf_t context may modify the pegasus may modify the repository, and only the pegasus_exec_conf_t context may modify the pegasus
configuration files which are of pegasus_conf_t file context. configuration files which are of pegasus_conf_t file context.
It is also possible to have separate SELinux policy for each provider. Create wrapper
in '/usr/libexec/pegasus' with its own specific SELinux label for each confined provider.
The wrapper file name has to be in specific format '$MODULE-cimprovagt' (where $MODULE is
value of PG_ProviderModule.ModuleGroupName as set during registration of the provider).
Original Pegasus's cimprovagt binary was moved to '/usr/libexec/pegasus/cimprovagt',
'/usr/sbin/cimprovagt' is simple shell script now, which passes all arguments to provider specific
wrapper if it exists or directly to original cimprovagt in other cases.
See example wrapper for Operating System Provider from sblim-cmpi-base package (which instruments
Linux_OperatingSystem class):
cmpiOSBase_OperatingSystemProvider-cimprovagt.example
ExecShield ExecShield
~~~~~~~~~~ ~~~~~~~~~~

15
cimprovagt-wrapper.sh Normal file
View File

@ -0,0 +1,15 @@
#!/bin/bash
# simple wrapper for Pegasus's cimprovagt
# which allows providers to have separate
# SELinux policy
# see README.RedHat.Security for more info
provcimprovagt=/usr/libexec/pegasus/"$5"-cimprovagt
if [[ -x "$provcimprovagt" ]]
then
"$provcimprovagt" "$@"
else
/usr/libexec/pegasus/cimprovagt "$@"
fi

3
cmpiOSBase_OperatingSystemProvider-cimprovagt.example Executable file
View File

@ -0,0 +1,3 @@
#!/bin/bash
/usr/libexec/pegasus/cimprovagt "$@"

20
tog-pegasus.spec
View File

@ -8,7 +8,7 @@
Name: tog-pegasus Name: tog-pegasus
Version: %{major_ver}.0 Version: %{major_ver}.0
Release: 8%{?dist} Release: 9%{?dist}
Epoch: 2 Epoch: 2
Summary: OpenPegasus WBEM Services for Linux Summary: OpenPegasus WBEM Services for Linux
@ -28,6 +28,10 @@ Source4: tog-pegasus.tmpfiles
Source5: tog-pegasus.service Source5: tog-pegasus.service
# 6: This file controls access to the Pegasus services by users with the PAM pam_access module # 6: This file controls access to the Pegasus services by users with the PAM pam_access module
Source6: access.conf Source6: access.conf
# 7: Simple wrapper for Pegasus's cimprovagt - because of confining providers in SELinux
Source7: cimprovagt-wrapper.sh
# 8: Example wrapper confining Operating System Provider from sblim-cmpi-base package
Source8: cmpiOSBase_OperatingSystemProvider-cimprovagt.example
# 1: http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5011 # 1: http://cvs.rdg.opengroup.org/bugzilla/show_bug.cgi?id=5011
# Removing insecure -rpath # Removing insecure -rpath
@ -206,6 +210,7 @@ cp -fp %SOURCE1 doc
cp -fp %SOURCE2 rpm cp -fp %SOURCE2 rpm
cp -fp %SOURCE3 doc cp -fp %SOURCE3 doc
cp -fp %SOURCE6 rpm cp -fp %SOURCE6 rpm
cp -fp %SOURCE8 doc
export PEGASUS_ROOT=%PEGASUS_RPM_ROOT export PEGASUS_ROOT=%PEGASUS_RPM_ROOT
export PEGASUS_HOME=%PEGASUS_RPM_HOME export PEGASUS_HOME=%PEGASUS_RPM_HOME
@ -269,6 +274,9 @@ rm -rf $RPM_BUILD_ROOT/usr/share/doc/%{name}-%{major_ver}
pushd $RPM_BUILD_ROOT/usr/%{_lib} pushd $RPM_BUILD_ROOT/usr/%{_lib}
ln -s libcmpiCppImpl.so.1 libcmpiCppImpl.so ln -s libcmpiCppImpl.so.1 libcmpiCppImpl.so
popd popd
mkdir -p $RPM_BUILD_ROOT/%{_libexecdir}/pegasus
mv $RPM_BUILD_ROOT/%{_sbindir}/cimprovagt $RPM_BUILD_ROOT/%{_libexecdir}/pegasus
install -p -m 0755 %{SOURCE7} $RPM_BUILD_ROOT/%{_sbindir}/cimprovagt
%check %check
@ -317,10 +325,11 @@ make prestarttests
%defattr(0755, root, pegasus, 0755) %defattr(0755, root, pegasus, 0755)
/usr/sbin/* /usr/sbin/*
/usr/bin/* /usr/bin/*
%{_libexecdir}/pegasus/
%defattr(0644, root, pegasus, 0755) %defattr(0644, root, pegasus, 0755)
/usr/share/man/man8/* /usr/share/man/man8/*
/usr/share/man/man1/* /usr/share/man/man1/*
%doc doc/license.txt doc/Admin_Guide_Release.pdf doc/PegasusSSLGuidelines.htm doc/SecurityGuidelinesForDevelopers.html doc/README.RedHat.Security src/Clients/repupgrade/doc/repupgrade.html doc/README.RedHat.SSL %doc doc/license.txt doc/Admin_Guide_Release.pdf doc/PegasusSSLGuidelines.htm doc/SecurityGuidelinesForDevelopers.html doc/README.RedHat.Security src/Clients/repupgrade/doc/repupgrade.html doc/README.RedHat.SSL doc/cmpiOSBase_OperatingSystemProvider-cimprovagt.example
%files devel %files devel
%defattr(0644,root,pegasus,0755) %defattr(0644,root,pegasus,0755)
@ -459,7 +468,12 @@ fi
%changelog %changelog
* Thu Dec 06 2012 Vitezslav Crhonek <vcrhonek@redhat.com> - .0-8 * Tue Dec 18 2012 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.12.0-9
- Add cimprovagt wrapper for possibility of confining providers in SELinux,
update README.RedHat.Security accordingly, add provider specific wrapper
example
* Thu Dec 06 2012 Vitezslav Crhonek <vcrhonek@redhat.com> - 2:2.12.0-8
- Fix tracing of CMPI messages with CMPI_DEV_DEBUG severity - Fix tracing of CMPI messages with CMPI_DEV_DEBUG severity
Resolves: #883395 Resolves: #883395