summaryrefslogtreecommitdiffstats
path: root/base/selinux/src
diff options
context:
space:
mode:
authorAde Lee <alee@redhat.com>2012-09-24 11:23:25 -0400
committerAde Lee <alee@redhat.com>2012-10-05 15:54:37 -0400
commitdbc6dec07098e5bf91eebfa64f0bac87065ab473 (patch)
tree6ba01d97ba4821b0529e6349dabc71104cc89c1d /base/selinux/src
parent3d5dc3b62146911425752a37cb84ec7b1251dc55 (diff)
downloadpki-dbc6dec07098e5bf91eebfa64f0bac87065ab473.tar.gz
pki-dbc6dec07098e5bf91eebfa64f0bac87065ab473.tar.xz
pki-dbc6dec07098e5bf91eebfa64f0bac87065ab473.zip
Use the tomcat selinux domain for the Java processes
Diffstat (limited to 'base/selinux/src')
-rw-r--r--base/selinux/src/pki.if289
-rw-r--r--base/selinux/src/pki.te129
2 files changed, 97 insertions, 321 deletions
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index 4272bd0c5..5264271eb 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
@@ -3,295 +3,6 @@
########################################
## <summary>
-## Create a set of derived types for apache
-## web content.
-## </summary>
-## <param name="prefix">
-## <summary>
-## The prefix to be used for deriving type names.
-## </summary>
-## </param>
-#
-template(`pki_tomcat_template',`
- gen_require(`
- attribute pki_tomcat_process;
- attribute pki_tomcat_config, pki_tomcat_var_lib, pki_tomcat_var_run;
- attribute pki_tomcat_executable, pki_tomcat_script, pki_tomcat_var_log;
- type pki_tomcat_tomcat_exec_t;
- type tomcat_exec_t;
- type rpm_var_lib_t;
- type rpm_exec_t;
- type setfiles_t;
- type load_policy_t;
- type mxi_port_t;
- type http_cache_port_t;
- type http_port_t;
- type dns_port_t;
- ')
- ########################################
- #
- # Declarations
- #
-
- type $1_t, pki_tomcat_process;
- type $1_exec_t, pki_tomcat_executable;
- domain_type($1_t)
- init_daemon_domain($1_t, $1_exec_t)
-
- type $1_script_t;
- domain_type($1_script_t)
- gen_require(`
- type java_exec_t;
- type initrc_t;
- ')
- domtrans_pattern($1_script_t, java_exec_t, $1_t)
-
- role system_r types $1_script_t;
- allow $1_t java_exec_t:file entrypoint;
- allow initrc_t $1_script_t:process transition;
-
- type $1_etc_rw_t, pki_tomcat_config;
- files_type($1_etc_rw_t)
-
- type $1_var_run_t, pki_tomcat_var_run;
- files_pid_file($1_var_run_t)
-
- type $1_var_lib_t, pki_tomcat_var_lib;
- files_type($1_var_lib_t)
-
- type $1_log_t, pki_tomcat_var_log;
- logging_log_file($1_log_t)
-
- ########################################
- #
- # $1 local policy
- #
-
- # Execstack/execmem caused by java app.
- allow $1_t self:process { execstack execmem getsched setsched signal};
- allow initrc_t self:process execstack;
-
- ## internal communication is often done using fifo and unix sockets.
- allow $1_t self:fifo_file rw_file_perms;
- allow $1_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:process signull;
-
- ## ports (these will be in the tomcat domain)
- allow $1_t mxi_port_t : tcp_socket { name_bind name_connect };
- allow $1_t http_cache_port_t : tcp_socket name_bind;
- allow $1_t http_port_t : tcp_socket { name_bind name_connect };
- allow $1_t dns_port_t : tcp_socket { recv_msg send_msg name_connect };
-
- # use rpm to look at velocity version in dtomcat-foo
- allow $1_t rpm_exec_t:file exec_file_perms;
-
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_tcp_sendrecv_all_if($1_t)
- corenet_tcp_sendrecv_all_nodes($1_t)
- corenet_tcp_sendrecv_all_ports($1_t)
-
- corenet_tcp_bind_all_nodes($1_t)
- corenet_tcp_bind_ocsp_port($1_t)
- corenet_tcp_connect_ocsp_port($1_t)
- corenet_tcp_connect_generic_port($1_t)
-
- # for file signing
- corenet_tcp_connect_http_port($1_t)
-
- # This is for /etc/$1/tomcat.conf:
- can_exec($1_t, $1_tomcat_exec_t)
- allow $1_t $1_tomcat_exec_t:file {getattr read};
-
- #installation requires this for access to /var/lib/tomcat5/common/lib/jdtcore.jar
- rpm_read_db($1_t)
-
- # Init script handling
- domain_use_interactive_fds($1_t)
-
- files_read_etc_files($1_t)
-
- manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
- manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
- files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
-
- # start/stop using pki-cad, pki-krad, pki-ocspd, or pki-tksd
- allow setfiles_t $1_etc_rw_t:file read;
-
- manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
- manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- files_pid_filetrans($1_t,$1_var_run_t, { file dir })
-
- manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
- manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
- read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
- files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
- allow $1_t rpm_var_lib_t:lnk_file { read getattr };
-
- manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
- manage_files_pattern($1_t, $1_log_t, $1_log_t)
- logging_log_filetrans($1_t, $1_log_t, { file dir } )
-
- corecmd_exec_bin($1_t)
- corecmd_read_bin_symlinks($1_t)
- corecmd_exec_shell($1_t)
- corecmd_search_bin($1_t)
-
- dev_list_sysfs($1_t)
- dev_read_sysfs($1_t)
- dev_read_rand($1_t)
- dev_read_urand($1_t)
-
- # Java is looking in /tmp for some reason...:
- files_manage_generic_tmp_dirs($1_t)
- files_manage_generic_tmp_files($1_t)
- files_read_usr_files($1_t)
- files_read_usr_symlinks($1_t)
- # These are used to read tomcat class files in /var/lib/tomcat
- files_read_var_lib_files($1_t)
- files_read_var_lib_symlinks($1_t)
-
- #needed in tps key archival in kra
- files_list_var($1_t)
-
- kernel_read_network_state($1_t)
- kernel_read_system_state($1_t)
- kernel_search_network_state($1_t)
- kernel_signull_unlabeled($1_t)
-
- auth_use_nsswitch($1_t)
-
- init_dontaudit_write_utmp($1_t)
-
- libs_use_ld_so($1_t)
- libs_use_shared_libs($1_t)
-
- miscfiles_read_localization($1_t)
- miscfiles_read_hwdata($1_t)
- miscfiles_manage_generic_cert_dirs($1_t)
- miscfiles_manage_generic_cert_files($1_t)
-
- logging_send_syslog_msg($1_t)
-
- ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys($1_t)
- term_dontaudit_use_generic_ptys($1_t)
- ')
-
- # allow java subsystems to talk to the ncipher hsm
- allow $1_t pki_common_dev_t:sock_file write;
- allow $1_t pki_common_dev_t:dir search;
- allow $1_t pki_common_t:dir create_dir_perms;
- manage_files_pattern($1_t, pki_common_t, pki_common_t)
- can_exec($1_t, pki_common_t)
- init_stream_connect_script($1_t)
-
- #allow java subsystems to talk to lunasa hsm
-
- #allow sending mail
- corenet_tcp_connect_smtp_port($1_t)
-
- # allow rpm -q in init scripts
- rpm_exec($1_t)
-
- # allow writing to the kernel keyring
- allow $1_t self:key { write read };
-
- #reverse proxy
- corenet_tcp_connect_dogtag_port($1_t)
-
- #connect to ldap
- corenet_tcp_connect_ldap_port($1_t)
-
- # tomcat connects to ephemeral ports on shutdown
- corenet_tcp_connect_all_unreserved_ports($1_t)
-
- # new tomcat perms for dogtag 10
- allow $1_t pki_tomcat_var_run_t:lnk_file read;
- can_exec($1_t, tomcat_exec_t)
- consoletype_exec($1_t)
- fs_getattr_xattr_fs($1_t)
- fs_read_hugetlbfs_files($1_t)
- hostname_exec($1_t)
- allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };
- allow $1_t self:netlink_audit_socket { nlmsg_relay create write read};
- kernel_read_kernel_sysctls($1_t)
- selinux_get_enforce_mode($1_t)
- dirsrv_manage_var_lib($1_t)
- tomcat_search_cache($1_t)
-
- # write to /var/log/pki for spawn and destroy
- allow $1_t pki_log_t:dir {getattr search};
- allow load_policy_t pki_log_t:file write;
- allow setfiles_t pki_log_t:file write;
-
- optional_policy(`
- #This is broken in selinux-policy we need java_exec defined, Will add to policy
- gen_require(`
- type java_exec_t;
- ')
- can_exec($1_t, java_exec_t)
- ')
-
- optional_policy(`
- unconfined_domain($1_script_t)
- ')
-')
-
-########################################
-## <summary>
-## All of the rules required to administrate
-## an pki_tomcat environment
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to be allowed to manage the syslog domain.
-## </summary>
-## </param>
-## <param name="terminal">
-## <summary>
-## The type of the user terminal.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`pki_tomcat_admin',`
- gen_require(`
- type pki_tomcat_tomcat_exec_t;
- attribute pki_tomcat_process;
- attribute pki_tomcat_config;
- attribute pki_tomcat_executable;
- attribute pki_tomcat_var_lib;
- attribute pki_tomcat_var_log;
- attribute pki_tomcat_var_run;
- attribute pki_tomcat_pidfiles;
- attribute pki_tomcat_script;
- ')
-
- allow $1 pki_tomcat_process:process { ptrace signal_perms };
- ps_process_pattern($1, pki_tomcat_t)
-
- # Allow pki_tomcat_t to restart the service
- pki_tomcat_script_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 pki_tomcat_script system_r;
- allow $2 system_r;
-
- manage_all_pattern($1, pki_tomcat_config)
- manage_all_pattern($1, pki_tomcat_var_run)
- manage_all_pattern($1, pki_tomcat_var_lib)
- manage_all_pattern($1, pki_tomcat_var_log)
- manage_all_pattern($1, pki_tomcat_config)
- manage_all_pattern($1, pki_tomcat_tomcat_exec_t)
-')
-
-########################################
-## <summary>
## Execute pki_ra server in the pki_ra domain.
## </summary>
## <param name="domain">
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index cce797d7e..a13344338 100644
--- a/base/selinux/src/pki.te
+++ b/base/selinux/src/pki.te
@@ -1,13 +1,4 @@
-policy_module(pki,10.0.6)
-
-attribute pki_tomcat_config;
-attribute pki_tomcat_executable;
-attribute pki_tomcat_var_lib;
-attribute pki_tomcat_var_log;
-attribute pki_tomcat_var_run;
-attribute pki_tomcat_pidfiles;
-attribute pki_tomcat_script;
-attribute pki_tomcat_process;
+policy_module(pki,10.0.10)
type pki_log_t;
files_type(pki_log_t)
@@ -18,10 +9,75 @@ files_type(pki_common_t)
type pki_common_dev_t;
files_type(pki_common_dev_t)
-type pki_tomcat_tomcat_exec_t;
-files_type(pki_tomcat_tomcat_exec_t)
+type pki_tomcat_etc_rw_t;
+files_type(pki_tomcat_etc_rw_t)
+
+tomcat_domain_template(pki_tomcat)
+
+permissive pki_tomcat_t;
+
+type pki_tomcat_lock_t;
+files_lock_file(pki_tomcat_lock_t)
+
+require {
+ type pki_tomcat_var_lib_t;
+ type pki_tomcat_t;
+ type pki_tomcat_var_run_t;
+ type pki_tomcat_log_t;
+ type systemd_unit_file_t;
+}
+
+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice};
+allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
+
+allow pki_tomcat_t self:key write;
+allow pki_tomcat_t self:process { signal setsched signull execmem };
+allow pki_tomcat_t self:tcp_socket { accept listen };
+allow pki_tomcat_t self:unix_dgram_socket { create connect };
+allow pki_tomcat_t self:process signal;
+
+# allow writing to the kernel keyring
+allow pki_tomcat_t self:key { write read };
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
+manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
+files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })
+
+# allow java subsystems to talk to the ncipher hsm
+allow pki_tomcat_t pki_common_dev_t:sock_file write;
+allow pki_tomcat_t pki_common_dev_t:dir search;
+allow pki_tomcat_t pki_common_t:dir create_dir_perms;
+manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
+can_exec(pki_tomcat_t, pki_common_t)
+init_stream_connect_script(pki_tomcat_t)
+
+# init script checks and fixes links if needed
+allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { read getattr setattr };
+allow pki_tomcat_t pki_tomcat_var_run_t:lnk_file { create getattr setattr };
+allow pki_tomcat_t self:capability sys_nice;
+allow pki_tomcat_t systemd_unit_file_t:lnk_file { read getattr setattr };
+allow pki_tomcat_t systemd_unit_file_t:dir getattr;
+allow pki_tomcat_t systemd_unit_file_t:file getattr;
-pki_tomcat_template(pki_tomcat)
+allow pki_tomcat_t pki_log_t:dir getattr;
+allow pki_tomcat_t pki_log_t:dir search;
+
+kernel_read_kernel_sysctls(pki_tomcat_t)
+
+corenet_tcp_connect_http_cache_port(pki_tomcat_t)
+corenet_tcp_connect_ldap_port(pki_tomcat_t)
+corenet_tcp_connect_smtp_port(pki_tomcat_t)
+
+selinux_get_enforce_mode(pki_tomcat_t)
+
+logging_send_audit_msgs(pki_tomcat_t)
+logging_send_syslog_msg(pki_tomcat_t)
+
+miscfiles_read_hwdata(pki_tomcat_t)
# forward proxy
# need to define ports to fix this
@@ -32,6 +88,13 @@ allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
# for ECC
auth_getattr_shadow(pki_tomcat_t)
+optional_policy(`
+ consoletype_exec(pki_tomcat_t)
+')
+
+optional_policy(`
+ hostname_exec(pki_tomcat_t)
+')
# old type aliases for migration
typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
@@ -40,22 +103,10 @@ typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_oc
typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
-attribute pki_ra_config;
-attribute pki_ra_executable;
-attribute pki_ra_var_lib;
-attribute pki_ra_var_log;
-attribute pki_ra_var_run;
-attribute pki_ra_pidfiles;
-attribute pki_ra_script;
-attribute pki_ra_process;
-
-type pki_ra_tomcat_exec_t;
-files_type(pki_ra_tomcat_exec_t)
-
-pki_ra_template(pki_ra)
-# needed for token enrollment, list /var/cache/tomcat5/temp
-files_list_var(pki_tomcat_t)
+##########################
+# TPS policy
+##########################
attribute pki_tps_config;
attribute pki_tps_executable;
@@ -81,6 +132,7 @@ can_exec(pki_tps_t, httpd_suexec_exec_t)
apache_exec_modules(pki_tps_t)
apache_list_modules(pki_tps_t)
apache_read_config(pki_tps_t)
+apache_exec(pki_tps_t)
allow pki_tps_t lib_t:file execute_no_trans;
@@ -166,9 +218,23 @@ rpm_exec(pki_tps_t)
# allow writing to the kernel keyring
allow pki_tps_t self:key { write read };
-# new for f14
-apache_exec(pki_tps_t)
+##########################
+# RA policy
+#########################
+
+attribute pki_ra_config;
+attribute pki_ra_executable;
+attribute pki_ra_var_lib;
+attribute pki_ra_var_log;
+attribute pki_ra_var_run;
+attribute pki_ra_pidfiles;
+attribute pki_ra_script;
+attribute pki_ra_process;
+type pki_ra_tomcat_exec_t;
+files_type(pki_ra_tomcat_exec_t)
+
+pki_ra_template(pki_ra)
# start up httpd in pki_ra_t mode
allow pki_ra_t httpd_config_t:file { read getattr execute };
allow pki_ra_t httpd_exec_t:file entrypoint;
@@ -179,6 +245,7 @@ allow pki_ra_t httpd_suexec_exec_t:file { getattr read execute };
apache_read_config(pki_ra_t)
apache_exec_modules(pki_ra_t)
apache_list_modules(pki_ra_t)
+apache_exec(pki_ra_t)
allow pki_ra_t lib_t:file execute_no_trans;
@@ -263,5 +330,3 @@ rpm_exec(pki_ra_t)
# allow writing to the kernel keyring
allow pki_ra_t self:key { write read };
-# new for f14
-apache_exec(pki_ra_t)