Removed unnecessary pki folder.

Previously the source code was located inside a pki folder.
This folder was created during svn migration and is no longer
needed. This folder has now been removed and the contents have
been moved up one level.

Ticket #131

8 files changed, 1557 insertions, 0 deletions

diff --git a/base/selinux/CMakeLists.txt b/base/selinux/CMakeLists.txt
new file mode 100644
index 000000000..a9ef0707f
--- /dev/null
+++ b/base/selinux/CMakeLists.txt
@@ -0,0 +1,11 @@
+project(selinux)
+
+add_subdirectory(src)
+
+# install empty directories
+install(
+    DIRECTORY
+    DESTINATION
+        ${SHARE_INSTALL_PREFIX}/selinux/modules
+)
+
diff --git a/base/selinux/LICENSE b/base/selinux/LICENSE
new file mode 100644
index 000000000..e281f4362
--- /dev/null
+++ b/base/selinux/LICENSE
@@ -0,0 +1,291 @@
+This Program is free software; you can redistribute it and/or modify 
+it under the terms of the GNU General Public License as published 
+by the Free Software Foundation; version 2 of the License.
+ 
+This Program is distributed in the hope that it will be useful, but 
+WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY 
+or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 
+for more details.
+ 
+You should have received a copy of the GNU General Public License 
+along with this Program; if not, write to the Free Software 
+Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+ 
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
diff --git a/base/selinux/src/CMakeLists.txt b/base/selinux/src/CMakeLists.txt
new file mode 100644
index 000000000..146ab1348
--- /dev/null
+++ b/base/selinux/src/CMakeLists.txt
@@ -0,0 +1,28 @@
+set(POLICY_MAKEFILE /usr/share/selinux/devel/Makefile)
+
+set(policy_SRCS
+    pki.fc
+    pki.if
+    pki.te
+)
+
+if (LINUX)
+    if (EXISTS ${POLICY_MAKEFILE})
+        foreach(_POLICY ${policy_SRCS})
+            macro_copy_file(${CMAKE_CURRENT_SOURCE_DIR}/${_POLICY} ${CMAKE_CURRENT_BINARY_DIR}/${_POLICY})
+        endforeach(_POLICY ${policy_SRCS})
+
+        # FIXME This should be done by cmake
+        add_custom_target(selinux ALL
+            COMMAND ${CMAKE_BUILD_TOOL} -f ${POLICY_MAKEFILE}
+            WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
+        )
+
+        install(
+            FILES
+                ${CMAKE_CURRENT_BINARY_DIR}/pki.pp
+            DESTINATION
+                ${SHARE_INSTALL_PREFIX}/selinux/modules
+        )
+    endif (EXISTS ${POLICY_MAKEFILE})
+endif (LINUX)
diff --git a/base/selinux/src/Makefile b/base/selinux/src/Makefile
new file mode 100644
index 000000000..201a448a9
--- /dev/null
+++ b/base/selinux/src/Makefile
@@ -0,0 +1,18 @@
+POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
+POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
+
+all:
+	if [ ! -e $(POLICY_MAKEFILE) ]; then echo "You need to install the SELinux development tools (selinux-policy-devel)" && exit 1; fi
+	$(MAKE) -f $(POLICY_MAKEFILE) || exit 1; 
+
+clean:
+	rm -rf tmp 
+	rm pki.pp
+
+install: all
+	install -d $(POLICY_DIR)
+	install -m 644 pki.pp $(POLICY_DIR)
+
+load:
+	/usr/sbin/semodule -i pki.pp
+
diff --git a/base/selinux/src/pki.fc b/base/selinux/src/pki.fc
new file mode 100644
index 000000000..3a22d86a4
--- /dev/null
+++ b/base/selinux/src/pki.fc
@@ -0,0 +1,91 @@
+
+/usr/bin/dtomcat5-pki-ca	--	gen_context(system_u:object_r:pki_ca_exec_t,s0)
+
+/etc/pki-ca(/.*)?			gen_context(system_u:object_r:pki_ca_etc_rw_t,s0)
+/etc/pki-ca/tomcat5.conf  	--      gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0)
+
+/var/lib/pki-ca(/.*)?		        gen_context(system_u:object_r:pki_ca_var_lib_t,s0)
+
+/var/run/pki-ca.pid			gen_context(system_u:object_r:pki_ca_var_run_t,s0)
+
+/var/log/pki-ca(/.*)?			gen_context(system_u:object_r:pki_ca_log_t,s0)
+
+/usr/bin/dtomcat5-pki-kra	--	gen_context(system_u:object_r:pki_kra_exec_t,s0)
+
+/etc/pki-kra(/.*)?			gen_context(system_u:object_r:pki_kra_etc_rw_t,s0)
+/etc/pki-kra/tomcat5.conf  	--      gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0)
+
+/var/lib/pki-kra(/.*)?		        gen_context(system_u:object_r:pki_kra_var_lib_t,s0)
+
+/var/run/pki-kra.pid			gen_context(system_u:object_r:pki_kra_var_run_t,s0)
+
+/var/log/pki-kra(/.*)?			gen_context(system_u:object_r:pki_kra_log_t,s0)
+
+/usr/bin/dtomcat5-pki-ocsp	--	gen_context(system_u:object_r:pki_ocsp_exec_t,s0)
+
+/etc/pki-ocsp(/.*)?			gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0)
+/etc/pki-ocsp/tomcat5.conf  	--      gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0)
+
+/var/lib/pki-ocsp(/.*)?		        gen_context(system_u:object_r:pki_ocsp_var_lib_t,s0)
+
+/var/run/pki-ocsp.pid			gen_context(system_u:object_r:pki_ocsp_var_run_t,s0)
+
+/var/log/pki-ocsp(/.*)?			gen_context(system_u:object_r:pki_ocsp_log_t,s0)
+
+/usr/sbin/httpd.worker  --      gen_context(system_u:object_r:pki_ra_exec_t,s0)
+/etc/pki-ra(/.*)?               gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+/var/lib/pki-ra(/.*)?           gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
+/var/log/pki-ra(/.*)?           gen_context(system_u:object_r:pki_ra_log_t,s0)
+
+
+/usr/bin/dtomcat5-pki-tks	--	gen_context(system_u:object_r:pki_tks_exec_t,s0)
+
+/etc/pki-tks(/.*)?			gen_context(system_u:object_r:pki_tks_etc_rw_t,s0)
+/etc/pki-tks/tomcat5.conf  	--      gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0)
+
+/var/lib/pki-tks(/.*)?		gen_context(system_u:object_r:pki_tks_var_lib_t,s0)
+
+/var/run/pki-tks.pid			gen_context(system_u:object_r:pki_tks_var_run_t,s0)
+
+/var/log/pki-tks(/.*)?			gen_context(system_u:object_r:pki_tks_log_t,s0)
+
+/etc/pki-tps(/.*)?              gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+/var/lib/pki-tps(/.*)?          gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
+/var/log/pki-tps(/.*)?          gen_context(system_u:object_r:pki_tps_log_t,s0)
+
+# default labeling for nCipher
+/opt/nfast/scripts/init.d/(.*)  gen_context(system_u:object_r:initrc_exec_t, s0)
+/opt/nfast/sbin/init.d-ncipher  gen_context(system_u:object_r:initrc_exec_t, s0)
+/opt/nfast(/.*)?                gen_context(system_u:object_r:pki_common_t, s0)
+/dev/nfast(/.*)?                gen_context(system_u:object_r:pki_common_dev_t, s0)
+
+# labeling for new CA under pki-cad
+
+/var/run/pki/ca(/.*)? 	        gen_context(system_u:object_r:pki_ca_var_run_t,s0)
+/etc/sysconfig/pki/ca(/.*)?	gen_context(system_u:object_r:pki_ca_etc_rw_t,s0)
+
+# labeling for new KRA under pki-krad
+
+/var/run/pki/kra(/.*)? 	        gen_context(system_u:object_r:pki_kra_var_run_t,s0)
+/etc/sysconfig/pki/kra(/.*)?	gen_context(system_u:object_r:pki_kra_etc_rw_t,s0)
+
+# labeling for new OCSP under pki-ocspd
+
+/var/run/pki/ocsp(/.*)?         gen_context(system_u:object_r:pki_ocsp_var_run_t,s0)
+/etc/sysconfig/pki/ocsp(/.*)?	gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0)
+
+# labeling for new TKS under pki-tksd
+
+/var/run/pki/tks(/.*)? 	        gen_context(system_u:object_r:pki_tks_var_run_t,s0)
+/etc/sysconfig/pki/tks(/.*)?	gen_context(system_u:object_r:pki_tks_etc_rw_t,s0)
+
+# labeling for new RA under pki-rad
+
+/var/run/pki/ra(/.*)? 	        gen_context(system_u:object_r:pki_ra_var_run_t,s0)
+/etc/sysconfig/pki/ra(/.*)?	    gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+
+# labeling for new TPS under pki-tpsd
+
+/var/run/pki/tps(/.*)? 	        gen_context(system_u:object_r:pki_tps_var_run_t,s0)
+/etc/sysconfig/pki/tps(/.*)?	gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
new file mode 100644
index 000000000..0709176ea
--- /dev/null
+++ b/base/selinux/src/pki.if
@@ -0,0 +1,745 @@
+
+## <summary>policy for pki</summary>
+
+########################################
+## <summary>
+##	Create a set of derived types for apache
+##	web content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`pki_ca_template',`
+	gen_require(`
+		attribute pki_ca_process;
+		attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run;
+		attribute pki_ca_executable, pki_ca_script, pki_ca_var_log;
+		type pki_ca_tomcat_exec_t;
+		type $1_port_t;
+                type rpm_var_lib_t;
+                type rpm_exec_t;
+		type setfiles_t;
+	')
+	########################################
+	#
+	# Declarations
+	#
+
+        type $1_t, pki_ca_process;
+        type $1_exec_t, pki_ca_executable;
+        domain_type($1_t)
+        init_daemon_domain($1_t, $1_exec_t)
+
+        type $1_script_t;
+        domain_type($1_script_t)
+        gen_require(`
+                type java_exec_t;
+                type initrc_t;
+        ')
+        domtrans_pattern($1_script_t, java_exec_t, $1_t)
+
+        role system_r types $1_script_t;
+        allow $1_t java_exec_t:file entrypoint;
+        allow initrc_t $1_script_t:process transition;
+
+	type $1_etc_rw_t, pki_ca_config;
+	files_type($1_etc_rw_t)
+
+	type $1_var_run_t, pki_ca_var_run;
+	files_pid_file($1_var_run_t)
+
+	type $1_var_lib_t, pki_ca_var_lib;
+	files_type($1_var_lib_t)
+
+	type $1_log_t, pki_ca_var_log;
+	logging_log_file($1_log_t)
+
+	########################################
+	#
+	# $1 local policy
+	#
+
+	# Execstack/execmem caused by java app.
+	allow $1_t self:process { execstack execmem getsched setsched signal};
+	allow initrc_t self:process execstack;
+
+	## internal communication is often done using fifo and unix sockets.
+	allow $1_t self:fifo_file rw_file_perms;
+	allow $1_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_t self:tcp_socket create_stream_socket_perms;
+	allow $1_t self:process signull;
+
+	allow $1_t $1_port_t:tcp_socket {name_bind name_connect};
+
+        # use rpm to look at velocity version in dtomcat-foo
+        allow $1_t rpm_exec_t:file exec_file_perms;
+
+	corenet_all_recvfrom_unlabeled($1_t)
+	corenet_tcp_sendrecv_all_if($1_t)
+	corenet_tcp_sendrecv_all_nodes($1_t)
+	corenet_tcp_sendrecv_all_ports($1_t)
+
+	corenet_tcp_bind_all_nodes($1_t)
+	corenet_tcp_bind_ocsp_port($1_t)
+	corenet_tcp_connect_ocsp_port($1_t)
+        corenet_tcp_connect_generic_port($1_t)
+
+        # for file signing
+        corenet_tcp_connect_http_port($1_t)
+
+	# This is for /etc/$1/tomcat.conf:
+	can_exec($1_t, $1_tomcat_exec_t)
+        allow $1_t $1_tomcat_exec_t:file {getattr read};
+
+        #installation requires this for access to /var/lib/tomcat5/common/lib/jdtcore.jar 
+        rpm_read_db($1_t)
+
+	# Init script handling
+	domain_use_interactive_fds($1_t)
+
+	files_read_etc_files($1_t)
+
+	manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+	manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+	files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+
+	# start/stop using pki-cad, pki-krad, pki-ocspd, or pki-tksd
+	allow setfiles_t $1_etc_rw_t:file read;
+
+	manage_dirs_pattern($1_t, $1_var_run_t,  $1_var_run_t)
+	manage_files_pattern($1_t, $1_var_run_t,  $1_var_run_t)
+	files_pid_filetrans($1_t,$1_var_run_t, { file dir })
+
+	manage_dirs_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
+	manage_files_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
+	read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+	files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
+        allow $1_t rpm_var_lib_t:lnk_file { read getattr };
+
+	manage_dirs_pattern($1_t, $1_log_t,  $1_log_t)
+	manage_files_pattern($1_t, $1_log_t,  $1_log_t)
+	logging_log_filetrans($1_t, $1_log_t, { file dir } )
+
+	corecmd_exec_bin($1_t)
+	corecmd_read_bin_symlinks($1_t)
+	corecmd_exec_shell($1_t)
+        corecmd_search_bin($1_t)
+
+	dev_list_sysfs($1_t)
+        dev_read_sysfs($1_t)
+	dev_read_rand($1_t)
+	dev_read_urand($1_t)
+
+	# Java is looking in /tmp for some reason...:
+	files_manage_generic_tmp_dirs($1_t)
+	files_manage_generic_tmp_files($1_t)
+	files_read_usr_files($1_t)
+	files_read_usr_symlinks($1_t)
+	# These are used to read tomcat class files in /var/lib/tomcat
+	files_read_var_lib_files($1_t)
+	files_read_var_lib_symlinks($1_t)
+        
+        #needed in tps key archival in kra
+        files_list_var($1_t)
+
+	kernel_read_network_state($1_t)
+	kernel_read_system_state($1_t)
+	kernel_search_network_state($1_t)
+	# audit2allow
+        kernel_signull_unlabeled($1_t)
+
+	auth_use_nsswitch($1_t)
+
+	init_dontaudit_write_utmp($1_t)
+
+	libs_use_ld_so($1_t)
+	libs_use_shared_libs($1_t)
+
+	miscfiles_read_localization($1_t)
+
+	logging_send_syslog_msg($1_t)
+
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_unallocated_ttys($1_t)
+		term_dontaudit_use_generic_ptys($1_t)
+	')
+
+        # allow java subsystems to talk to the ncipher hsm
+        allow $1_t pki_common_dev_t:sock_file write;
+        allow $1_t pki_common_dev_t:dir search;
+        allow $1_t pki_common_t:dir create_dir_perms;
+        manage_files_pattern($1_t, pki_common_t, pki_common_t)
+        can_exec($1_t, pki_common_t)
+        init_stream_connect_script($1_t)
+
+        #allow java subsystems to talk to lunasa hsm
+
+        #allow sending mail
+        corenet_tcp_connect_smtp_port($1_t)
+
+        # allow rpm -q in init scripts
+        rpm_exec($1_t)
+        
+        # allow writing to the kernel keyring
+        allow $1_t self:key { write read };
+
+        #reverse proxy
+        corenet_tcp_connect_dogtag_port($1_t)
+
+        #connect to ldap
+        corenet_tcp_connect_ldap_port($1_t)
+
+        # tomcat connects to ephemeral ports on shutdown
+        corenet_tcp_connect_all_unreserved_ports($1_t)
+
+        optional_policy(`
+            #This is broken in selinux-policy we need java_exec defined, Will add to policy
+            gen_require(`
+                type java_exec_t;
+            ')
+            can_exec($1_t, java_exec_t)
+        ')
+
+        optional_policy(`
+            unconfined_domain($1_script_t)
+        ')
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an pki_ca environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_ca_admin',`
+	gen_require(`
+		type pki_ca_tomcat_exec_t;
+		attribute pki_ca_process;
+		attribute pki_ca_config;
+		attribute pki_ca_executable;
+		attribute pki_ca_var_lib;
+		attribute pki_ca_var_log;
+		attribute pki_ca_var_run;
+		attribute pki_ca_pidfiles;
+		attribute pki_ca_script;
+	')
+
+	allow $1 pki_ca_process:process { ptrace signal_perms };
+	ps_process_pattern($1, pki_ca_t)
+
+	# Allow pki_ca_t to restart the service
+	pki_ca_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 pki_ca_script system_r;
+	allow $2 system_r;
+
+	manage_all_pattern($1, pki_ca_config)
+	manage_all_pattern($1, pki_ca_var_run)
+	manage_all_pattern($1, pki_ca_var_lib)
+	manage_all_pattern($1, pki_ca_var_log)
+	manage_all_pattern($1, pki_ca_config)
+	manage_all_pattern($1, pki_ca_tomcat_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an pki_kra environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_kra_admin',`
+	gen_require(`
+		type pki_kra_tomcat_exec_t;
+		attribute pki_kra_process;
+		attribute pki_kra_config;
+		attribute pki_kra_executable;
+		attribute pki_kra_var_lib;
+		attribute pki_kra_var_log;
+		attribute pki_kra_var_run;
+		attribute pki_kra_pidfiles;
+		attribute pki_kra_script;
+	')
+
+	allow $1 pki_kra_process:process { ptrace signal_perms };
+	ps_process_pattern($1, pki_kra_t)
+
+	# Allow pki_kra_t to restart the service
+	pki_kra_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 pki_kra_script system_r;
+	allow $2 system_r;
+
+	manage_all_pattern($1, pki_kra_config)
+	manage_all_pattern($1, pki_kra_var_run)
+	manage_all_pattern($1, pki_kra_var_lib)
+	manage_all_pattern($1, pki_kra_var_log)
+	manage_all_pattern($1, pki_kra_config)
+	manage_all_pattern($1, pki_kra_tomcat_exec_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an pki_ocsp environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_ocsp_admin',`
+	gen_require(`
+		type pki_ocsp_tomcat_exec_t;
+		attribute pki_ocsp_process;
+		attribute pki_ocsp_config;
+		attribute pki_ocsp_executable;
+		attribute pki_ocsp_var_lib;
+		attribute pki_ocsp_var_log;
+		attribute pki_ocsp_var_run;
+		attribute pki_ocsp_pidfiles;
+		attribute pki_ocsp_script;
+	')
+
+	allow $1 pki_ocsp_process:process { ptrace signal_perms };
+	ps_process_pattern($1, pki_ocsp_t)
+
+	# Allow pki_ocsp_t to restart the service
+	pki_ocsp_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 pki_ocsp_script system_r;
+	allow $2 system_r;
+
+	manage_all_pattern($1, pki_ocsp_config)
+	manage_all_pattern($1, pki_ocsp_var_run)
+	manage_all_pattern($1, pki_ocsp_var_lib)
+	manage_all_pattern($1, pki_ocsp_var_log)
+	manage_all_pattern($1, pki_ocsp_config)
+	manage_all_pattern($1, pki_ocsp_tomcat_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute pki_ra server in the pki_ra domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`pki_ra_script_domtrans',`
+	gen_require(`
+		attribute pki_ra_script;
+	')
+
+	init_script_domtrans_spec($1,pki_ra_script)
+')
+
+########################################
+## <summary>
+##	Create a set of derived types for apache
+##	web content.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix to be used for deriving type names.
+##	</summary>
+## </param>
+#
+template(`pki_tps_template',`
+	gen_require(`
+		attribute pki_tps_process;
+		attribute pki_tps_config, pki_tps_var_lib, pki_tps_var_run;
+		attribute pki_tps_executable, pki_tps_script, pki_tps_var_log;
+	')
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_t, pki_tps_process;
+	type $1_exec_t, pki_tps_executable;
+	domain_type($1_t)
+	init_daemon_domain($1_t, $1_exec_t)
+
+	type $1_script_exec_t, pki_tps_script;
+	init_script_file($1_script_exec_t)
+
+	type $1_etc_rw_t, pki_tps_config;
+	files_type($1_etc_rw_t)
+
+	type $1_var_run_t, pki_tps_var_run;
+	files_pid_file($1_var_run_t)
+
+	type $1_var_lib_t, pki_tps_var_lib;
+	files_type($1_var_lib_t)
+
+	type $1_log_t, pki_tps_var_log;
+	logging_log_file($1_log_t)
+
+	########################################
+	#
+	# $1 local policy
+	#
+
+	## internal communication is often done using fifo and unix sockets.
+	allow $1_t self:fifo_file rw_file_perms;
+	allow $1_t self:unix_stream_socket create_stream_socket_perms;
+
+	# Init script handling
+	domain_use_interactive_fds($1_t)
+
+	files_read_etc_files($1_t)
+        allow pki_tps_t pki_tps_etc_rw_t:lnk_file read;
+
+	manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+	manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+	files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+
+	manage_dirs_pattern($1_t, $1_var_run_t,  $1_var_run_t)
+	manage_files_pattern($1_t, $1_var_run_t,  $1_var_run_t)
+	files_pid_filetrans($1_t,$1_var_run_t, { file dir })
+
+	manage_dirs_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
+	manage_files_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
+	read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+	files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
+
+	manage_dirs_pattern($1_t, $1_log_t,  $1_log_t)
+	manage_files_pattern($1_t, $1_log_t,  $1_log_t)
+	logging_log_filetrans($1_t, $1_log_t, { file dir } )
+
+	init_dontaudit_write_utmp($1_t)
+
+	libs_use_ld_so($1_t)
+	libs_use_shared_libs($1_t)
+
+	miscfiles_read_localization($1_t)
+
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_unallocated_ttys($1_t)
+		term_dontaudit_use_generic_ptys($1_t)
+	')
+
+	gen_require(`
+		type httpd_t;
+                type httpd_exec_t;
+                type httpd_suexec_exec_t;
+	')
+
+	#============= httpd_t ==============
+	allow httpd_t $1_var_run_t:dir search;
+	allow httpd_t $1_var_run_t:file read_file_perms;
+
+')
+
+template(`pki_ra_template',`
+	gen_require(`
+		attribute pki_ra_process;
+		attribute pki_ra_config, pki_ra_var_lib, pki_ra_var_run;
+		attribute pki_ra_executable, pki_ra_script, pki_ra_var_log;
+	')
+	########################################
+	#
+	# Declarations
+	#
+
+	type $1_t, pki_ra_process;
+	type $1_exec_t, pki_ra_executable;
+	domain_type($1_t)
+	init_daemon_domain($1_t, $1_exec_t)
+
+	type $1_script_exec_t, pki_ra_script;
+	init_script_file($1_script_exec_t)
+
+	type $1_etc_rw_t, pki_ra_config;
+	files_type($1_etc_rw_t)
+
+	type $1_var_run_t, pki_ra_var_run;
+	files_pid_file($1_var_run_t)
+
+	type $1_var_lib_t, pki_ra_var_lib;
+	files_type($1_var_lib_t)
+
+	type $1_log_t, pki_ra_var_log;
+	logging_log_file($1_log_t)
+
+	########################################
+	#
+	# $1 local policy
+	#
+
+	## internal communication is often done using fifo and unix sockets.
+	allow $1_t self:fifo_file rw_file_perms;
+	allow $1_t self:unix_stream_socket create_stream_socket_perms;
+
+	# Init script handling
+	domain_use_interactive_fds($1_t)
+
+	files_read_etc_files($1_t)
+
+	manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+	manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+	files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+
+	manage_dirs_pattern($1_t, $1_var_run_t,  $1_var_run_t)
+	manage_files_pattern($1_t, $1_var_run_t,  $1_var_run_t)
+	files_pid_filetrans($1_t,$1_var_run_t, { file dir })
+
+	manage_dirs_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
+	manage_files_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
+	read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+	files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
+
+	manage_dirs_pattern($1_t, $1_log_t,  $1_log_t)
+	manage_files_pattern($1_t, $1_log_t,  $1_log_t)
+	logging_log_filetrans($1_t, $1_log_t, { file dir } )
+
+	init_dontaudit_write_utmp($1_t)
+
+	libs_use_ld_so($1_t)
+	libs_use_shared_libs($1_t)
+
+	miscfiles_read_localization($1_t)
+
+	ifdef(`targeted_policy',`
+		term_dontaudit_use_unallocated_ttys($1_t)
+		term_dontaudit_use_generic_ptys($1_t)
+	')
+
+	gen_require(`
+		type httpd_t;
+                type devlog_t;
+                type syslogd_t;
+                type httpd_exec_t;
+                type httpd_suexec_exec_t;
+	')
+
+	#============= httpd_t ==============
+	allow httpd_t $1_var_run_t:dir search;
+	allow httpd_t $1_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an pki_ra environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an pki_ra environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_ra_admin',`
+	gen_require(`
+		attribute pki_ra_process;
+		attribute pki_ra_config;
+		attribute pki_ra_executable;
+		attribute pki_ra_var_lib;
+		attribute pki_ra_var_log;
+		attribute pki_ra_var_run;
+		attribute pki_ra_script;
+	')
+
+	allow $1 pki_ra_process:process { ptrace signal_perms };
+	ps_process_pattern($1, pki_ra_t)
+
+	# Allow pki_ra_t to restart the service
+	pki_ra_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 pki_ra_script system_r;
+	allow $2 system_r;
+
+	manage_all_pattern($1, pki_ra_config)
+	manage_all_pattern($1, pki_ra_var_run)
+	manage_all_pattern($1, pki_ra_var_lib)
+	manage_all_pattern($1, pki_ra_var_log)
+	manage_all_pattern($1, pki_ra_config)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an pki_tks environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_tks_admin',`
+	gen_require(`
+		type pki_tks_tomcat_exec_t;
+		attribute pki_tks_process;
+		attribute pki_tks_config;
+		attribute pki_tks_executable;
+		attribute pki_tks_var_lib;
+		attribute pki_tks_var_log;
+		attribute pki_tks_var_run;
+		attribute pki_tks_pidfiles;
+		attribute pki_tks_script;
+	')
+
+	allow $1 pki_tks_process:process { ptrace signal_perms };
+	ps_process_pattern($1, pki_tks_t)
+
+	# Allow pki_tks_t to restart the service
+	pki_tks_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 pki_tks_script system_r;
+	allow $2 system_r;
+
+	manage_all_pattern($1, pki_tks_config)
+	manage_all_pattern($1, pki_tks_var_run)
+	manage_all_pattern($1, pki_tks_var_lib)
+	manage_all_pattern($1, pki_tks_var_log)
+	manage_all_pattern($1, pki_tks_config)
+	manage_all_pattern($1, pki_tks_tomcat_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute pki_tps server in the pki_tps domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`pki_tps_script_domtrans',`
+	gen_require(`
+		attribute pki_tps_script;
+	')
+
+	init_script_domtrans_spec($1,pki_tps_script)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an pki_tps environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the syslog domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_tps_admin',`
+	gen_require(`
+		attribute pki_tps_process;
+		attribute pki_tps_config;
+		attribute pki_tps_executable;
+		attribute pki_tps_var_lib;
+		attribute pki_tps_var_log;
+		attribute pki_tps_var_run;
+		attribute pki_tps_script;
+	')
+
+	allow $1 pki_tps_process:process { ptrace signal_perms };
+	ps_process_pattern($1, pki_tps_t)
+
+	# Allow pki_tps_t to restart the service
+	pki_tps_script_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 pki_tps_script system_r;
+	allow $2 system_r;
+
+	manage_all_pattern($1, pki_tps_config)
+	manage_all_pattern($1, pki_tps_var_run)
+	manage_all_pattern($1, pki_tps_var_lib)
+	manage_all_pattern($1, pki_tps_var_log)
+	manage_all_pattern($1, pki_tps_config)
+')
diff --git a/base/selinux/src/pki.sh b/base/selinux/src/pki.sh
new file mode 100755
index 000000000..bf95ba98c
--- /dev/null
+++ b/base/selinux/src/pki.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+USAGE="$0 [ --update ]"
+
+if [ ! -f /usr/share/selinux/devel/Makefile ]; then
+echo 'selinux-policy-devel not installed, package required for building policy'
+echo '# yum install selinux-policy-devel'
+exit 1
+fi
+
+if [ $# -eq 1 ]; then
+	if [ "$1" = "--update" ] ; then
+		time=`ls -l --time-style="+%x %X" pki_ca.te | awk '{ printf "%s %s", $6, $7 }'`
+		rules=`ausearch --start $time -m avc --raw -se pki_ca`
+		if [ x"$rules" != "x" ] ; then
+			echo "Found avc's to update policy with"
+			echo -e "$rules" | audit2allow -R
+			echo "Do you want these changes added to policy [y/n]?"
+			read ANS
+			if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
+				echo "Updating policy"
+				echo -e "$rules" | audit2allow -R >> pki_ca.te
+				# Fall though and rebuild policy
+			else
+				exit 0
+			fi
+		else
+			echo "No new avcs found"
+			exit 0
+		fi
+	else
+		echo -e $USAGE
+		exit 1
+	fi
+elif [ $# -ge 2 ] ; then
+	echo -e $USAGE
+	exit 1
+fi
+
+echo "Building and Loading Policy"
+make -f /usr/share/selinux/devel/Makefile
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
new file mode 100644
index 000000000..7f6e65738
--- /dev/null
+++ b/base/selinux/src/pki.te
@@ -0,0 +1,332 @@
+policy_module(pki,10.0.2)
+
+attribute pki_ca_config;
+attribute pki_ca_executable;
+attribute pki_ca_var_lib;
+attribute pki_ca_var_log;
+attribute pki_ca_var_run;
+attribute pki_ca_pidfiles;
+attribute pki_ca_script;
+attribute pki_ca_process;
+
+type pki_common_t;
+files_type(pki_common_t)
+
+type pki_common_dev_t;
+files_type(pki_common_dev_t)
+
+type pki_ca_tomcat_exec_t;
+files_type(pki_ca_tomcat_exec_t)
+
+pki_ca_template(pki_ca)
+corenet_tcp_connect_pki_kra_port(pki_ca_t)
+corenet_tcp_connect_pki_ocsp_port(pki_ca_t)
+
+# forward proxy
+corenet_tcp_connect_pki_ca_port(httpd_t)
+
+# for crl publishing
+allow pki_ca_t pki_ca_var_lib_t:lnk_file { rename create unlink };
+
+# for ECC
+auth_getattr_shadow(pki_ca_t)
+
+attribute pki_kra_config;
+attribute pki_kra_executable;
+attribute pki_kra_var_lib;
+attribute pki_kra_var_log;
+attribute pki_kra_var_run;
+attribute pki_kra_pidfiles;
+attribute pki_kra_script;
+attribute pki_kra_process;
+
+type pki_kra_tomcat_exec_t;
+files_type(pki_kra_tomcat_exec_t)
+
+pki_ca_template(pki_kra)
+corenet_tcp_connect_pki_ca_port(pki_kra_t)
+
+# forward proxy
+corenet_tcp_connect_pki_kra_port(httpd_t)
+
+attribute pki_ocsp_config;
+attribute pki_ocsp_executable;
+attribute pki_ocsp_var_lib;
+attribute pki_ocsp_var_log;
+attribute pki_ocsp_var_run;
+attribute pki_ocsp_pidfiles;
+attribute pki_ocsp_script;
+attribute pki_ocsp_process;
+
+type pki_ocsp_tomcat_exec_t;
+files_type(pki_ocsp_tomcat_exec_t)
+
+pki_ca_template(pki_ocsp)
+corenet_tcp_connect_pki_ca_port(pki_ocsp_t)
+
+# forward proxy
+corenet_tcp_connect_pki_ocsp_port(httpd_t)
+
+attribute pki_ra_config;
+attribute pki_ra_executable;
+attribute pki_ra_var_lib;
+attribute pki_ra_var_log;
+attribute pki_ra_var_run;
+attribute pki_ra_pidfiles;
+attribute pki_ra_script;
+attribute pki_ra_process;
+
+type pki_ra_tomcat_exec_t;
+files_type(pki_ra_tomcat_exec_t)
+
+pki_ra_template(pki_ra)
+
+attribute pki_tks_config;
+attribute pki_tks_executable;
+attribute pki_tks_var_lib;
+attribute pki_tks_var_log;
+attribute pki_tks_var_run;
+attribute pki_tks_pidfiles;
+attribute pki_tks_script;
+attribute pki_tks_process;
+
+type pki_tks_tomcat_exec_t;
+files_type(pki_tks_tomcat_exec_t)
+
+pki_ca_template(pki_tks)
+corenet_tcp_connect_pki_ca_port(pki_tks_t)
+
+# forward proxy
+corenet_tcp_connect_pki_tks_port(httpd_t)
+
+# needed for token enrollment, list /var/cache/tomcat5/temp
+files_list_var(pki_tks_t)
+
+attribute pki_tps_config;
+attribute pki_tps_executable;
+attribute pki_tps_var_lib;
+attribute pki_tps_var_log;
+attribute pki_tps_var_run;
+attribute pki_tps_pidfiles;
+attribute pki_tps_script;
+attribute pki_tps_process;
+
+type pki_tps_tomcat_exec_t;
+files_type(pki_tps_tomcat_exec_t)
+
+pki_tps_template(pki_tps)
+
+#interprocess communication on process shutdown
+allow pki_ca_t pki_kra_t:process signull;
+allow pki_ca_t pki_ocsp_t:process signull;
+allow pki_ca_t pki_tks_t:process signull;
+
+allow pki_kra_t pki_ca_t:process signull;
+allow pki_kra_t pki_ocsp_t:process signull;
+allow pki_kra_t pki_tks_t:process signull;
+
+allow pki_ocsp_t pki_ca_t:process signull;
+allow pki_ocsp_t pki_kra_t:process signull;
+allow pki_ocsp_t pki_tks_t:process signull;
+
+allow pki_tks_t pki_ca_t:process signull;
+allow pki_tks_t pki_kra_t:process signull;
+allow pki_tks_t pki_ocsp_t:process signull;
+
+#allow httpd_t pki_tks_tomcat_exec_t:process signull;
+#allow httpd_t pki_tks_var_lib_t:process signull;
+
+# start up httpd in pki_tps_t mode
+can_exec(pki_tps_t, httpd_config_t)
+allow pki_tps_t httpd_exec_t:file entrypoint;
+allow pki_tps_t httpd_modules_t:lnk_file read;
+can_exec(pki_tps_t, httpd_suexec_exec_t)
+
+# apache permissions
+apache_exec_modules(pki_tps_t)
+apache_list_modules(pki_tps_t)
+apache_read_config(pki_tps_t)
+
+allow pki_tps_t lib_t:file execute_no_trans;
+
+#fowner needed for chmod
+allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill};
+allow pki_tps_t self:process { setsched signal getsched  signull execstack execmem sigkill};
+allow pki_tps_t self:sem all_sem_perms;
+allow pki_tps_t self:tcp_socket create_stream_socket_perms;
+
+# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
+allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
+
+ #netlink needed?
+allow pki_tps_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+
+corecmd_exec_bin(pki_tps_t)
+corecmd_exec_shell(pki_tps_t)
+corecmd_read_bin_symlinks(pki_tps_t)
+corecmd_search_bin(pki_tps_t)
+
+corenet_sendrecv_unlabeled_packets(pki_tps_t)
+corenet_tcp_bind_all_nodes(pki_tps_t)
+corenet_tcp_bind_pki_tps_port(pki_tps_t)
+corenet_tcp_connect_generic_port(pki_tps_t)
+
+# customer may run an ldap server on 389
+corenet_tcp_connect_ldap_port(pki_tps_t)
+
+# connect to other subsystems
+corenet_tcp_connect_pki_ca_port(pki_tps_t)
+corenet_tcp_connect_pki_kra_port(pki_tps_t)
+corenet_tcp_connect_pki_tks_port(pki_tps_t)
+
+corenet_tcp_sendrecv_all_if(pki_tps_t)
+corenet_tcp_sendrecv_all_nodes(pki_tps_t)
+corenet_tcp_sendrecv_all_ports(pki_tps_t)
+corenet_all_recvfrom_unlabeled(pki_tps_t)
+
+dev_read_urand(pki_tps_t)
+files_exec_usr_files(pki_tps_t)
+files_read_usr_symlinks(pki_tps_t)
+files_read_usr_files(pki_tps_t)
+
+#installation and debug uses /tmp
+files_manage_generic_tmp_dirs(pki_tps_t)
+files_manage_generic_tmp_files(pki_tps_t)
+
+kernel_read_kernel_sysctls(pki_tps_t)
+kernel_read_system_state(pki_tps_t)
+
+# need to resolve addresses?
+auth_use_nsswitch(pki_tps_t)
+
+sysnet_read_config(pki_tps_t)
+
+allow httpd_t pki_tps_etc_rw_t:dir search;
+allow httpd_t pki_tps_etc_rw_t:file rw_file_perms;
+allow httpd_t pki_tps_log_t:dir rw_dir_perms;
+allow httpd_t pki_tps_log_t:file manage_file_perms;
+allow httpd_t pki_tps_t:process { signal signull };
+allow httpd_t pki_tps_var_lib_t:dir { getattr search };
+allow httpd_t pki_tps_var_lib_t:lnk_file read;
+allow httpd_t pki_tps_var_lib_t:file read_file_perms;
+
+# why do I need to add this?
+allow httpd_t httpd_config_t:file execute;
+files_exec_usr_files(httpd_t)
+
+# talk to the hsm
+allow pki_tps_t pki_common_dev_t:sock_file write;
+allow pki_tps_t pki_common_dev_t:dir search;
+allow pki_tps_t pki_common_t:dir create_dir_perms;
+manage_files_pattern(pki_tps_t, pki_common_t, pki_common_t)
+can_exec(pki_tps_t, pki_common_t)
+init_stream_connect_script(pki_tps_t)
+
+#allow tps to talk to lunasa hsm
+logging_send_syslog_msg(pki_tps_t)
+
+# allow rpm -q in init scripts
+rpm_exec(pki_tps_t)
+
+# allow writing to the kernel keyring
+allow pki_tps_t self:key { write read };
+
+# new for f14
+apache_exec(pki_tps_t)
+
+ # start up httpd in pki_ra_t mode
+allow pki_ra_t httpd_config_t:file { read getattr execute };
+allow pki_ra_t httpd_exec_t:file entrypoint;
+allow pki_ra_t httpd_modules_t:lnk_file read;
+allow pki_ra_t httpd_suexec_exec_t:file { getattr read execute };
+
+#apache permissions
+apache_read_config(pki_ra_t)
+apache_exec_modules(pki_ra_t)
+apache_list_modules(pki_ra_t)
+
+allow pki_ra_t lib_t:file execute_no_trans;
+
+allow pki_ra_t self:capability { setuid sys_nice setgid dac_override fowner fsetid};
+allow pki_ra_t self:process { setsched getsched signal signull execstack execmem};
+allow pki_ra_t self:sem all_sem_perms;
+allow pki_ra_t self:tcp_socket create_stream_socket_perms;
+
+#RA specific? talking to mysql?
+allow pki_ra_t self:udp_socket { write read create connect };
+allow pki_ra_t self:unix_dgram_socket { write create connect };
+
+# netlink needed?
+allow pki_ra_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+
+corecmd_exec_bin(pki_ra_t)
+corecmd_exec_shell(pki_ra_t)
+corecmd_read_bin_symlinks(pki_ra_t)
+corecmd_search_bin(pki_ra_t)
+
+corenet_sendrecv_unlabeled_packets(pki_ra_t)
+corenet_tcp_bind_all_nodes(pki_ra_t)
+corenet_tcp_bind_pki_ra_port(pki_ra_t)
+
+corenet_tcp_sendrecv_all_if(pki_ra_t)
+corenet_tcp_sendrecv_all_nodes(pki_ra_t)
+corenet_tcp_sendrecv_all_ports(pki_ra_t)
+corenet_all_recvfrom_unlabeled(pki_ra_t)
+corenet_tcp_connect_generic_port(pki_ra_t)
+
+# talk to other subsystems
+corenet_tcp_connect_pki_ca_port(pki_ra_t)
+
+dev_read_urand(pki_ra_t)
+files_exec_usr_files(pki_ra_t)
+fs_getattr_xattr_fs(pki_ra_t)
+
+# ra writes files to /tmp
+files_manage_generic_tmp_files(pki_ra_t)
+
+kernel_read_kernel_sysctls(pki_ra_t)
+kernel_read_system_state(pki_ra_t)
+
+logging_send_syslog_msg(pki_ra_t)
+
+corenet_tcp_connect_smtp_port(pki_ra_t)
+files_search_spool(pki_ra_t)
+
+#
+# Should be changed to mta_send_mail
+#
+mta_manage_spool(pki_ra_t)
+mta_manage_queue(pki_ra_t)
+mta_read_config(pki_ra_t)
+mta_sendmail_exec(pki_ra_t)
+
+#resolve names?
+auth_use_nsswitch(pki_ra_t)
+
+sysnet_read_config(pki_ra_t)
+
+allow httpd_t pki_ra_etc_rw_t:dir search;
+allow httpd_t pki_ra_etc_rw_t:file rw_file_perms;
+allow httpd_t pki_ra_log_t:dir rw_dir_perms;
+allow httpd_t pki_ra_log_t:file manage_file_perms;
+allow httpd_t pki_ra_t:process { signal signull };
+allow httpd_t pki_ra_var_lib_t:dir { getattr search };
+allow httpd_t pki_ra_var_lib_t:lnk_file read;
+allow httpd_t pki_ra_var_lib_t:file read_file_perms;
+
+# talk to the hsm
+allow pki_ra_t pki_common_dev_t:sock_file write;
+allow pki_ra_t pki_common_dev_t:dir search;
+allow pki_ra_t pki_common_t:dir create_dir_perms;
+manage_files_pattern(pki_ra_t, pki_common_t, pki_common_t)
+can_exec(pki_ra_t, pki_common_t)
+init_stream_connect_script(pki_ra_t)
+
+# allow rpm -q in init scripts
+rpm_exec(pki_ra_t)
+
+# allow writing to the kernel keyring
+allow pki_ra_t self:key { write read };
+
+# new for f14
+apache_exec(pki_ra_t)