[Pki-devel] AVCs for Dogtag 10.0.2 RA and TPS . . .

Matthew Harmsen mharmsen at redhat.com
Tue Apr 30 02:18:14 UTC 2013


Ade,

I successfully installed a CA, KRA, OCSP, and TKS using command-line 
pkispawn with a configuration file.

Thus far, I have provided a Karma point for TPS and for RA; currently 
having trouble with pki-console (due to my X Display not working, not 
the package itself).

Once you re-spin pki-core, I can perform a GUI install of these 
subsystems and provide a karma point for both pki-core and 
dogtag-pki-theme (once I confirm that console is working).

After this, in order to confirm that dogtag-pki is working, I will need 
to remove all of the packages from my system and configure it to point 
to the appropriate test repo to make certain that it will grab the 
correct versions of Dogtag.

Per your request, here are the TPS and RA AVCs showing up in the 
audit.log (I installed the TPS prior to the RA without cleaning the 
audit log):

    *TPS:*
    *# getenforce*
    Permissive

    *# cat /var/log/audit/audit.log | audit2allow -R*

    require {
         type httpd_suexec_exec_t;
         type pki_tps_t;
         class file { read getattr execute };
    }

    #============= pki_tps_t ==============
    allow pki_tps_t httpd_suexec_exec_t:file { read getattr execute };
    files_manage_generic_tmp_dirs(pki_tps_t)
    files_manage_generic_tmp_files(pki_tps_t)



    *RA:*
    *# getenforce*
    Permissive

    *# cat /var/log/audit/audit.log | audit2allow -R*

    require {
         type pki_tps_t;
         type pki_ra_t;
         type httpd_suexec_exec_t;
         class file { getattr read execute };
    }

    #============= pki_ra_t ==============
    allow pki_ra_t httpd_suexec_exec_t:file { read getattr execute };
    files_manage_generic_tmp_dirs(pki_ra_t)
    files_manage_generic_tmp_files(pki_ra_t)

    #============= pki_tps_t ==============
    allow pki_tps_t httpd_suexec_exec_t:file { read getattr execute };
    files_manage_generic_tmp_dirs(pki_tps_t)
    files_manage_generic_tmp_files(pki_tps_t)

-- Matt
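
The RA listing above repeats the pki_tps_t rules because the audit log still held the earlier TPS denials. As an added example (not part of the original message and not Dogtag's own tooling), this Python sketch groups raw AVC denial records by source domain so each subsystem's rules can be reviewed separately; the sample records are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the original audit.log): TPS denials
# logged first, RA denials later, with an unrelated SYSCALL record in between.
SAMPLE_LOG = """\
type=AVC msg=audit(1367288001.101:201): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/usr/sbin/suexec" dev="dm-0" ino=1001 scontext=system_u:system_r:pki_tps_t:s0 tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
type=AVC msg=audit(1367288001.102:202): avc:  denied  { read execute } for  pid=2101 comm="httpd" name="suexec" dev="dm-0" ino=1001 scontext=system_u:system_r:pki_tps_t:s0 tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1367288001.102:202): arch=c000003e syscall=59 success=yes exit=0 comm="httpd"
type=AVC msg=audit(1367289005.301:310): avc:  denied  { getattr } for  pid=3302 comm="httpd" path="/usr/sbin/suexec" dev="dm-0" ino=1001 scontext=system_u:system_r:pki_ra_t:s0 tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
type=AVC msg=audit(1367289005.302:311): avc:  denied  { execute read } for  pid=3302 comm="httpd" name="suexec" dev="dm-0" ino=1001 scontext=system_u:system_r:pki_ra_t:s0 tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
type=AVC msg=audit(1367289006.010:312): avc:  denied  { write add_name } for  pid=3302 comm="httpd" name="tmp" dev="dm-0" ino=2002 scontext=system_u:system_r:pki_ra_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def denials_by_domain(log_text):
    """Map source domain -> {(target type, class): set of denied permissions}."""
    grouped = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        match = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if match is None:
            continue  # skip SYSCALL and other non-AVC records
        key = (selinux_type(match["tcon"]), match["tclass"])
        grouped[selinux_type(match["scon"])][key].update(match["perms"].split())
    return grouped

def allow_rules(log_text, domain):
    """Render merged allow rules for one source domain only, for review."""
    rules = []
    for (ttype, tclass), perms in sorted(denials_by_domain(log_text).get(domain, {}).items()):
        rules.append("allow %s %s:%s { %s };" % (domain, ttype, tclass, " ".join(sorted(perms))))
    return rules

if __name__ == "__main__":
    for domain in sorted(denials_by_domain(SAMPLE_LOG)):
        print("#============= %s ==============" % domain)
        print("\n".join(allow_rules(SAMPLE_LOG, domain)))
```

Rules rendered this way are candidates for review against the subsystem's expected behaviour, not policy to load as-is.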

