authorAde Lee <alee@redhat.com>2012-07-10 11:50:59 -0400
committerAde Lee <alee@redhat.com>2012-07-25 01:48:48 -0400
commit5fd74e0e0c9407306e99ef4fd2e776cb911ee94a (patch)
tree7b4c9b87431bfc59c558921df8cb02bbd31a03ba /base/selinux/src/pki.te
parent7168edccfcdb769ead6d5cbc02f7fab9772e1a82 (diff)
Selinux policy for new configuration.
Added tomcat_t for java processes. Added aliases for old types to allow compatibility of existing subsystems. Added install scripts for pkispawn and pkidestroy.
Diffstat (limited to 'base/selinux/src/pki.te')
-rw-r--r--base/selinux/src/pki.te119
1 files changed, 28 insertions, 91 deletions
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index 7f6e65738..a91385ff2 100644
--- a/base/selinux/src/pki.te
+++ b/base/selinux/src/pki.te
@@ -1,13 +1,16 @@
-policy_module(pki,10.0.2)
+policy_module(pki,10.0.5)
-attribute pki_ca_config;
-attribute pki_ca_executable;
-attribute pki_ca_var_lib;
-attribute pki_ca_var_log;
-attribute pki_ca_var_run;
-attribute pki_ca_pidfiles;
-attribute pki_ca_script;
-attribute pki_ca_process;
+attribute pki_tomcat_config;
+attribute pki_tomcat_executable;
+attribute pki_tomcat_var_lib;
+attribute pki_tomcat_var_log;
+attribute pki_tomcat_var_run;
+attribute pki_tomcat_pidfiles;
+attribute pki_tomcat_script;
+attribute pki_tomcat_process;
+
+type pki_log_t;
+files_type(pki_log_t)
type pki_common_t;
files_type(pki_common_t)
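Review bot: The new `pki_log_t` type at the top of the hunk is declared with no comment, and the module also carries a `pki_tomcat_log_t` (the alias target for the old per-subsystem log types further down this diff), so a reader cannot tell which files each type is meant to label or why two log types exist. A one-line comment above the declaration, e.g. `# pki_log_t: label for logs shared across subsystems; per-instance Tomcat logs use pki_tomcat_log_t from the template`, would settle that — the actual split should be checked against the file-context definitions, which are not in this hunk. The `pki_tomcat_template` that presumably declares `pki_tomcat_log_t` is outside this file.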
@@ -15,57 +18,29 @@ files_type(pki_common_t)
type pki_common_dev_t;
files_type(pki_common_dev_t)
-type pki_ca_tomcat_exec_t;
-files_type(pki_ca_tomcat_exec_t)
+type pki_tomcat_tomcat_exec_t;
+files_type(pki_tomcat_tomcat_exec_t)
-pki_ca_template(pki_ca)
-corenet_tcp_connect_pki_kra_port(pki_ca_t)
-corenet_tcp_connect_pki_ocsp_port(pki_ca_t)
+type pki_tomcat_port_t;
+corenet_port(pki_tomcat_port_t)
+pki_tomcat_template(pki_tomcat)
# forward proxy
-corenet_tcp_connect_pki_ca_port(httpd_t)
+# need to define ports to fix this
+#corenet_tcp_connect_pki_tomcat_port(httpd_t)
# for crl publishing
-allow pki_ca_t pki_ca_var_lib_t:lnk_file { rename create unlink };
+allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
# for ECC
-auth_getattr_shadow(pki_ca_t)
-
-attribute pki_kra_config;
-attribute pki_kra_executable;
-attribute pki_kra_var_lib;
-attribute pki_kra_var_log;
-attribute pki_kra_var_run;
-attribute pki_kra_pidfiles;
-attribute pki_kra_script;
-attribute pki_kra_process;
-
-type pki_kra_tomcat_exec_t;
-files_type(pki_kra_tomcat_exec_t)
-
-pki_ca_template(pki_kra)
-corenet_tcp_connect_pki_ca_port(pki_kra_t)
-
-# forward proxy
-corenet_tcp_connect_pki_kra_port(httpd_t)
-
-attribute pki_ocsp_config;
-attribute pki_ocsp_executable;
-attribute pki_ocsp_var_lib;
-attribute pki_ocsp_var_log;
-attribute pki_ocsp_var_run;
-attribute pki_ocsp_pidfiles;
-attribute pki_ocsp_script;
-attribute pki_ocsp_process;
-
-type pki_ocsp_tomcat_exec_t;
-files_type(pki_ocsp_tomcat_exec_t)
+auth_getattr_shadow(pki_tomcat_t)
-pki_ca_template(pki_ocsp)
-corenet_tcp_connect_pki_ca_port(pki_ocsp_t)
-
-# forward proxy
-corenet_tcp_connect_pki_ocsp_port(httpd_t)
+# old type aliases for migration
+typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
+typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
+typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
+typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
+typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
attribute pki_ra_config;
attribute pki_ra_executable;
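Review bot: The typealias block at the end of the hunk makes `pki_ca_t`, `pki_kra_t`, `pki_ocsp_t` and `pki_tks_t` the same domain as `pki_tomcat_t`, and merges their etc_rw, var_lib, var_run and log types with the `pki_tomcat_*` ones, so the policy no longer separates a CA instance's files from a KRA's key archive or an OCSP/TKS instance's data — any one subsystem can read and write the others' files, which the removed per-subsystem types prevented. If that is the accepted trade-off of running all subsystems in one Tomcat, say so in the policy, e.g. `# NOTE: all Tomcat-hosted subsystems (CA/KRA/OCSP/TKS) share one domain and one set of file types; there is no MAC boundary between instances` above the alias block, since the aliases will otherwise read as a pure migration aid. The same hunk widens `auth_getattr_shadow` from `pki_ca_t` to `pki_tomcat_t`, i.e. to every subsystem, while the `# for ECC` comment no longer explains why a non-CA instance needs it. The `# need to define ports to fix this` line leaves the httpd_t forward-proxy rule commented out, so unless some rule outside this file grants it, httpd_t connections to `pki_tomcat_port_t` are denied by this module; a dated TODO or a tracking bug reference on that line would keep it from being forgotten.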
@@ -81,26 +56,8 @@ files_type(pki_ra_tomcat_exec_t)
pki_ra_template(pki_ra)
-attribute pki_tks_config;
-attribute pki_tks_executable;
-attribute pki_tks_var_lib;
-attribute pki_tks_var_log;
-attribute pki_tks_var_run;
-attribute pki_tks_pidfiles;
-attribute pki_tks_script;
-attribute pki_tks_process;
-
-type pki_tks_tomcat_exec_t;
-files_type(pki_tks_tomcat_exec_t)
-
-pki_ca_template(pki_tks)
-corenet_tcp_connect_pki_ca_port(pki_tks_t)
-
-# forward proxy
-corenet_tcp_connect_pki_tks_port(httpd_t)
-
# needed for token enrollment, list /var/cache/tomcat5/temp
-files_list_var(pki_tks_t)
+files_list_var(pki_tomcat_t)
attribute pki_tps_config;
attribute pki_tps_executable;
@@ -116,26 +73,6 @@ files_type(pki_tps_tomcat_exec_t)
pki_tps_template(pki_tps)
-#interprocess communication on process shutdown
-allow pki_ca_t pki_kra_t:process signull;
-allow pki_ca_t pki_ocsp_t:process signull;
-allow pki_ca_t pki_tks_t:process signull;
-
-allow pki_kra_t pki_ca_t:process signull;
-allow pki_kra_t pki_ocsp_t:process signull;
-allow pki_kra_t pki_tks_t:process signull;
-
-allow pki_ocsp_t pki_ca_t:process signull;
-allow pki_ocsp_t pki_kra_t:process signull;
-allow pki_ocsp_t pki_tks_t:process signull;
-
-allow pki_tks_t pki_ca_t:process signull;
-allow pki_tks_t pki_kra_t:process signull;
-allow pki_tks_t pki_ocsp_t:process signull;
-
-#allow httpd_t pki_tks_tomcat_exec_t:process signull;
-#allow httpd_t pki_tks_var_lib_t:process signull;
-
# start up httpd in pki_tps_t mode
can_exec(pki_tps_t, httpd_config_t)
allow pki_tps_t httpd_exec_t:file entrypoint;