module ipa_dogtag 1.4;

require {
	type httpd_t;
	type cert_t;
	type pki_ca_t;
	type pki_ca_var_lib_t;
	class dir write;
	class dir add_name;
	class dir remove_name;
	class dir search;
	class dir getattr;
	class file create;
	class file write;
	class file rename;
	class lnk_file create;
	class lnk_file rename;
	class lnk_file unlink;
}

# Let dogtag write to cert_t directories
allow pki_ca_t cert_t:dir write;
allow pki_ca_t cert_t:dir add_name;
allow pki_ca_t cert_t:dir remove_name;

# Let dogtag write cert_t files
allow pki_ca_t cert_t:file create;
allow pki_ca_t cert_t:file write;
allow pki_ca_t cert_t:file rename;

# Let dogtag manage cert_t symbolic links
allow pki_ca_t cert_t:lnk_file create;
allow pki_ca_t cert_t:lnk_file rename;
allow pki_ca_t cert_t:lnk_file unlink;

# Let apache read the CRLs
allow httpd_t pki_ca_var_lib_t:dir { search getattr };