module ipa_dogtag 2.0;

require {
	type cert_t;
	type pki_tomcat_t;
	class dir write;
	class dir add_name;
	class dir remove_name;
	class dir search;
	class dir getattr;
	class file read;
	class file getattr;
	class file open;
	class file create;
	class file write;
	class file rename;
	class lnk_file create;
	class lnk_file rename;
	class lnk_file unlink;
}

# Let dogtag write to cert_t directories
allow pki_tomcat_t cert_t:dir write;
allow pki_tomcat_t cert_t:dir add_name;
allow pki_tomcat_t cert_t:dir remove_name;

# Let dogtag write cert_t files
allow pki_tomcat_t cert_t:file create;
allow pki_tomcat_t cert_t:file write;
allow pki_tomcat_t cert_t:file rename;

# Let dogtag manage cert_t symbolic links
allow pki_tomcat_t cert_t:lnk_file create;
allow pki_tomcat_t cert_t:lnk_file rename;
allow pki_tomcat_t cert_t:lnk_file unlink;