authoralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-01-19 19:37:31 +0000
committeralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-01-19 19:37:31 +0000
commita7a4de840df56e7024d986e8f7b7214ce4e45ce0 (patch)
treedf8ff1aec16ee211731265f690689cb31ccc7ecf /pki
parent65b57218a1e64e521b0cd17b21fb66da19977200 (diff)
initial selinux checkin
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@170 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki')
-rw-r--r--pki/base/selinux/src/pki.fc66
-rw-r--r--pki/base/selinux/src/pki.if643
-rwxr-xr-xpki/base/selinux/src/pki.sh41
-rw-r--r--pki/base/selinux/src/pki.te91
-rw-r--r--pki/dogtag/selinux/pki-selinux.spec223
5 files changed, 1064 insertions, 0 deletions
diff --git a/pki/base/selinux/src/pki.fc b/pki/base/selinux/src/pki.fc
new file mode 100644
index 000000000..6a8a2abfe
--- /dev/null
+++ b/pki/base/selinux/src/pki.fc
@@ -0,0 +1,66 @@
+
+/usr/bin/dtomcat5-pki-ca -- gen_context(system_u:object_r:pki_ca_exec_t,s0)
+
+/etc/init.d/pki-ca -- gen_context(system_u:object_r:pki_ca_script_exec_t,s0)
+
+/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0)
+/etc/pki-ca/tomcat5.conf -- gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0)
+
+/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_var_lib_t,s0)
+
+/var/run/pki-ca.pid gen_context(system_u:object_r:pki_ca_var_run_t,s0)
+
+/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_log_t,s0)
+
+/usr/bin/dtomcat5-pki-kra -- gen_context(system_u:object_r:pki_kra_exec_t,s0)
+
+/etc/init.d/pki-kra -- gen_context(system_u:object_r:pki_kra_script_exec_t,s0)
+
+/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0)
+/etc/pki-kra/tomcat5.conf -- gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0)
+
+/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_var_lib_t,s0)
+
+/var/run/pki-kra.pid gen_context(system_u:object_r:pki_kra_var_run_t,s0)
+
+/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_log_t,s0)
+
+/usr/bin/dtomcat5-pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_exec_t,s0)
+
+/etc/init.d/pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_script_exec_t,s0)
+
+/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0)
+/etc/pki-ocsp/tomcat5.conf -- gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0)
+
+/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_lib_t,s0)
+
+/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_ocsp_var_run_t,s0)
+
+/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_log_t,s0)
+
+/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0)
+/etc/init.d/pki-ra -- gen_context(system_u:object_r:pki_ra_script_exec_t,s0)
+/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
+/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
+
+
+/usr/bin/dtomcat5-pki-tks -- gen_context(system_u:object_r:pki_tks_exec_t,s0)
+
+/etc/init.d/pki-tks -- gen_context(system_u:object_r:pki_tks_script_exec_t,s0)
+
+/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0)
+/etc/pki-tks/tomcat5.conf -- gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0)
+
+/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_var_lib_t,s0)
+
+/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tks_var_run_t,s0)
+
+/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_log_t,s0)
+
+/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0)
+/etc/init.d/pki-tps -- gen_context(system_u:object_r:pki_tps_script_exec_t,s0)
+/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
+/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
+
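Review bot: The TPS block at the end of the hunk labels `/usr/sbin/httpd.worker` as `pki_ra_exec_t` again, repeating the RA entry above it verbatim, so the file carries two specs for the same path and no spec for `pki_tps_exec_t` at all; the type that `pki_ra_template(pki_tps)` creates is therefore never assigned to anything on disk and the `init_daemon_domain` transition into `pki_tps_t` has nothing to fire on. Relabelling the system-wide `httpd.worker` binary is also broader than the RA alone: every worker-MPM Apache instance on the host would transition into `pki_ra_t` instead of `httpd_t`, which takes those instances out of the apache policy and widens what the RA domain covers. If the RA and TPS really share one httpd binary, one path must still map to one type, so either a shared label or a per-instance wrapper executable is needed; in any case the second `httpd.worker` line should not repeat `pki_ra_exec_t`.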
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
new file mode 100644
index 000000000..5c2e90d91
--- /dev/null
+++ b/pki/base/selinux/src/pki.if
@@ -0,0 +1,643 @@
+
+## <summary>policy for pki</summary>
+
+########################################
+## <summary>
+## Execute pki_ca server in the pki_ca domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`pki_ca_script_domtrans',`
+ gen_require(`
+ attribute pki_ca_script;
+ ')
+
+ init_script_domtrans_spec($1,pki_ca_script)
+')
+
+########################################
+## <summary>
+## Create a set of derived types for apache
+## web content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`pki_ca_template',`
+ gen_require(`
+ attribute pki_ca_process;
+ attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run;
+ attribute pki_ca_executable, pki_ca_script, pki_ca_var_log;
+ type pki_ca_tomcat_exec_t;
+ type $1_port_t;
+ ')
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t, pki_ca_process;
+ type $1_exec_t, pki_ca_executable;
+ domain_type($1_t)
+ init_daemon_domain($1_t, $1_exec_t)
+
+ type $1_script_exec_t, pki_ca_script;
+ init_script_file($1_script_exec_t)
+
+ type $1_etc_rw_t, pki_ca_config;
+ files_type($1_etc_rw_t)
+
+ type $1_var_run_t, pki_ca_var_run;
+ files_pid_file($1_var_run_t)
+
+ type $1_var_lib_t, pki_ca_var_lib;
+ files_type($1_var_lib_t)
+
+ type $1_log_t, pki_ca_var_log;
+ logging_log_file($1_log_t)
+
+ ########################################
+ #
+ # $1 local policy
+ #
+
+ # Execstack/execmem caused by java app.
+ allow $1_t self:process { execstack execmem getsched setsched };
+
+ ## internal communication is often done using fifo and unix sockets.
+ allow $1_t self:fifo_file rw_file_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:process signull;
+
+ allow $1_t $1_port_t:tcp_socket {name_bind name_connect};
+
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_tcp_sendrecv_all_if($1_t)
+ corenet_tcp_sendrecv_all_nodes($1_t)
+ corenet_tcp_sendrecv_all_ports($1_t)
+
+ corenet_tcp_bind_all_nodes($1_t)
+ corenet_tcp_bind_ocsp_port($1_t)
+ corenet_tcp_connect_ocsp_port($1_t)
+
+ # This is for /etc/$1/tomcat.conf:
+ can_exec($1_t, pki_ca_tomcat_exec_t)
+
+ # Init script handling
+ domain_use_interactive_fds($1_t)
+
+ files_read_etc_files($1_t)
+
+ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+
+ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+ files_pid_filetrans($1_t,$1_var_run_t, { file dir })
+
+ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
+
+ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
+ manage_files_pattern($1_t, $1_log_t, $1_log_t)
+ logging_log_filetrans($1_t, $1_log_t, { file dir } )
+
+ corecmd_exec_bin($1_t)
+ corecmd_read_bin_symlinks($1_t)
+ corecmd_exec_shell($1_t)
+
+ dev_list_sysfs($1_t)
+ dev_read_rand($1_t)
+ dev_read_urand($1_t)
+
+ # Java is looking in /tmp for some reason...:
+ files_manage_generic_tmp_dirs($1_t)
+ files_manage_generic_tmp_files($1_t)
+ files_read_usr_files($1_t)
+ files_read_usr_symlinks($1_t)
+ # These are used to read tomcat class files in /var/lib/tomcat
+ files_read_var_lib_files($1_t)
+ files_read_var_lib_symlinks($1_t)
+
+ kernel_read_network_state($1_t)
+ kernel_read_system_state($1_t)
+ kernel_search_network_state($1_t)
+ # audit2allow
+ kernel_signull_unlabeled($1_t)
+
+ auth_use_nsswitch($1_t)
+
+ init_dontaudit_write_utmp($1_t)
+
+ libs_use_ld_so($1_t)
+ libs_use_shared_libs($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys($1_t)
+ term_dontaudit_use_generic_ptys($1_t)
+ ')
+
+#This is broken in selinux-policy we need java_exec defined, Will add to policy
+ gen_require(`
+ type java_exec_t;
+ ')
+ can_exec($1_t, java_exec_t)
+
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pki_ca environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_ca_admin',`
+ gen_require(`
+ type pki_ca_tomcat_exec_t;
+ attribute pki_ca_process;
+ attribute pki_ca_config;
+ attribute pki_ca_executable;
+ attribute pki_ca_var_lib;
+ attribute pki_ca_var_log;
+ attribute pki_ca_var_run;
+ attribute pki_ca_pidfiles;
+ attribute pki_ca_script;
+ ')
+
+ allow $1 pki_ca_process:process { ptrace signal_perms };
+ ps_process_pattern($1, pki_ca_t)
+
+ # Allow pki_ca_t to restart the service
+ pki_ca_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 pki_ca_script system_r;
+ allow $2 system_r;
+
+ manage_all_pattern($1, pki_ca_config)
+ manage_all_pattern($1, pki_ca_var_run)
+ manage_all_pattern($1, pki_ca_var_lib)
+ manage_all_pattern($1, pki_ca_var_log)
+ manage_all_pattern($1, pki_ca_config)
+ manage_all_pattern($1, pki_ca_tomcat_exec_t)
+')
+
+########################################
+## <summary>
+## Execute pki_kra server in the pki_kra domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`pki_kra_script_domtrans',`
+ gen_require(`
+ attribute pki_kra_script;
+ ')
+
+ init_script_domtrans_spec($1,pki_kra_script)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pki_kra environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_kra_admin',`
+ gen_require(`
+ type pki_kra_tomcat_exec_t;
+ attribute pki_kra_process;
+ attribute pki_kra_config;
+ attribute pki_kra_executable;
+ attribute pki_kra_var_lib;
+ attribute pki_kra_var_log;
+ attribute pki_kra_var_run;
+ attribute pki_kra_pidfiles;
+ attribute pki_kra_script;
+ ')
+
+ allow $1 pki_kra_process:process { ptrace signal_perms };
+ ps_process_pattern($1, pki_kra_t)
+
+ # Allow pki_kra_t to restart the service
+ pki_kra_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 pki_kra_script system_r;
+ allow $2 system_r;
+
+ manage_all_pattern($1, pki_kra_config)
+ manage_all_pattern($1, pki_kra_var_run)
+ manage_all_pattern($1, pki_kra_var_lib)
+ manage_all_pattern($1, pki_kra_var_log)
+ manage_all_pattern($1, pki_kra_config)
+ manage_all_pattern($1, pki_kra_tomcat_exec_t)
+')
+
+########################################
+## <summary>
+## Execute pki_ocsp server in the pki_ocsp domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`pki_ocsp_script_domtrans',`
+ gen_require(`
+ attribute pki_ocsp_script;
+ ')
+
+ init_script_domtrans_spec($1,pki_ocsp_script)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pki_ocsp environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_ocsp_admin',`
+ gen_require(`
+ type pki_ocsp_tomcat_exec_t;
+ attribute pki_ocsp_process;
+ attribute pki_ocsp_config;
+ attribute pki_ocsp_executable;
+ attribute pki_ocsp_var_lib;
+ attribute pki_ocsp_var_log;
+ attribute pki_ocsp_var_run;
+ attribute pki_ocsp_pidfiles;
+ attribute pki_ocsp_script;
+ ')
+
+ allow $1 pki_ocsp_process:process { ptrace signal_perms };
+ ps_process_pattern($1, pki_ocsp_t)
+
+ # Allow pki_ocsp_t to restart the service
+ pki_ocsp_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 pki_ocsp_script system_r;
+ allow $2 system_r;
+
+ manage_all_pattern($1, pki_ocsp_config)
+ manage_all_pattern($1, pki_ocsp_var_run)
+ manage_all_pattern($1, pki_ocsp_var_lib)
+ manage_all_pattern($1, pki_ocsp_var_log)
+ manage_all_pattern($1, pki_ocsp_config)
+ manage_all_pattern($1, pki_ocsp_tomcat_exec_t)
+')
+
+########################################
+## <summary>
+## Execute pki_ra server in the pki_ra domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`pki_ra_script_domtrans',`
+ gen_require(`
+ attribute pki_ra_script;
+ ')
+
+ init_script_domtrans_spec($1,pki_ra_script)
+')
+
+########################################
+## <summary>
+## Create a set of derived types for apache
+## web content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`pki_ra_template',`
+ gen_require(`
+ attribute pki_ra_process;
+ attribute pki_ra_config, pki_ra_var_lib;
+ attribute pki_ra_executable, pki_ra_script, pki_ra_var_log;
+ ')
+ ########################################
+ #
+ # Declarations
+ #
+
+ type $1_t, pki_ra_process;
+ type $1_exec_t, pki_ra_executable;
+ domain_type($1_t)
+ init_daemon_domain($1_t, $1_exec_t)
+
+ type $1_script_exec_t, pki_ra_script;
+ init_script_file($1_script_exec_t)
+
+ type $1_etc_rw_t, pki_ra_config;
+ files_type($1_etc_rw_t)
+
+ type $1_var_lib_t, pki_ra_var_lib;
+ files_type($1_var_lib_t)
+
+ type $1_log_t, pki_ra_var_log;
+ logging_log_file($1_log_t)
+
+ ########################################
+ #
+ # $1 local policy
+ #
+
+ ## internal communication is often done using fifo and unix sockets.
+ allow $1_t self:fifo_file rw_file_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+
+ # Init script handling
+ domain_use_interactive_fds($1_t)
+
+ files_read_etc_files($1_t)
+
+ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
+ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
+
+ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
+ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
+
+ manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
+ manage_files_pattern($1_t, $1_log_t, $1_log_t)
+ logging_log_filetrans($1_t, $1_log_t, { file dir } )
+
+ init_dontaudit_write_utmp($1_t)
+
+ libs_use_ld_so($1_t)
+ libs_use_shared_libs($1_t)
+
+ miscfiles_read_localization($1_t)
+
+ ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys($1_t)
+ term_dontaudit_use_generic_ptys($1_t)
+ ')
+
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow httpd_t pki_ra_etc_rw_t:file { read getattr };
+ allow httpd_t pki_ra_log_t:file read;
+ allow httpd_t pki_ra_var_lib_t:lnk_file read;
+
+
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pki_ra environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_ra_admin',`
+ gen_require(`
+ attribute pki_ra_process;
+ attribute pki_ra_config;
+ attribute pki_ra_executable;
+ attribute pki_ra_var_lib;
+ attribute pki_ra_var_log;
+ attribute pki_ra_script;
+ ')
+
+ allow $1 pki_ra_process:process { ptrace signal_perms };
+ ps_process_pattern($1, pki_ra_t)
+
+ # Allow pki_ra_t to restart the service
+ pki_ra_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 pki_ra_script system_r;
+ allow $2 system_r;
+
+ manage_all_pattern($1, pki_ra_config)
+ manage_all_pattern($1, pki_ra_var_lib)
+ manage_all_pattern($1, pki_ra_var_log)
+ manage_all_pattern($1, pki_ra_config)
+')
+
+########################################
+## <summary>
+## Execute pki_tks server in the pki_tks domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`pki_tks_script_domtrans',`
+ gen_require(`
+ attribute pki_tks_script;
+ ')
+
+ init_script_domtrans_spec($1,pki_tks_script)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pki_tks environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_tks_admin',`
+ gen_require(`
+ type pki_tks_tomcat_exec_t;
+ attribute pki_tks_process;
+ attribute pki_tks_config;
+ attribute pki_tks_executable;
+ attribute pki_tks_var_lib;
+ attribute pki_tks_var_log;
+ attribute pki_tks_var_run;
+ attribute pki_tks_pidfiles;
+ attribute pki_tks_script;
+ ')
+
+ allow $1 pki_tks_process:process { ptrace signal_perms };
+ ps_process_pattern($1, pki_tks_t)
+
+ # Allow pki_tks_t to restart the service
+ pki_tks_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 pki_tks_script system_r;
+ allow $2 system_r;
+
+ manage_all_pattern($1, pki_tks_config)
+ manage_all_pattern($1, pki_tks_var_run)
+ manage_all_pattern($1, pki_tks_var_lib)
+ manage_all_pattern($1, pki_tks_var_log)
+ manage_all_pattern($1, pki_tks_config)
+ manage_all_pattern($1, pki_tks_tomcat_exec_t)
+')
+
+########################################
+## <summary>
+## Execute pki_tps server in the pki_tps domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`pki_tps_script_domtrans',`
+ gen_require(`
+ attribute pki_tps_script;
+ ')
+
+ init_script_domtrans_spec($1,pki_tps_script)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an pki_tps environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the syslog domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the user terminal.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`pki_tps_admin',`
+ gen_require(`
+ attribute pki_tps_process;
+ attribute pki_tps_config;
+ attribute pki_tps_executable;
+ attribute pki_tps_var_lib;
+ attribute pki_tps_var_log;
+ attribute pki_tps_script;
+ ')
+
+ allow $1 pki_tps_process:process { ptrace signal_perms };
+ ps_process_pattern($1, pki_tps_t)
+
+ # Allow pki_tps_t to restart the service
+ pki_tps_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 pki_tps_script system_r;
+ allow $2 system_r;
+
+ manage_all_pattern($1, pki_tps_config)
+ manage_all_pattern($1, pki_tps_var_lib)
+ manage_all_pattern($1, pki_tps_var_log)
+ manage_all_pattern($1, pki_tps_config)
+')
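Review bot: `pki_ra_template` hard-codes the RA type names in its httpd_t rules near the end of the template (`allow httpd_t pki_ra_etc_rw_t:file { read getattr };` and the two lines after it) instead of using the `$1_` prefix, so the second instantiation, `pki_ra_template(pki_tps)`, grants httpd_t nothing on the pki_tps types and simply re-grants the RA ones; they should read `allow httpd_t $1_etc_rw_t:file { read getattr };`, `allow httpd_t $1_log_t:file read;` and `allow httpd_t $1_var_lib_t:lnk_file read;`. Separately, `pki_ca_template` requires `type $1_port_t` and binds to it, but pki.te in this commit declares no `pki_ca_port_t`, `pki_kra_port_t`, `pki_ocsp_port_t` or `pki_tks_port_t`, so the module will only link if the base policy already provides those port types; that dependency is worth confirming and stating in a comment at the `gen_require`. Each `*_admin` interface also lists `manage_all_pattern($1, pki_*_config)` twice and gives the admin domain `manage_all_pattern` over `pki_*_tomcat_exec_t`, a type that `can_exec` makes executable in the daemon domain; the duplicate line can go, and write access to an executable config is more than restarting the service needs.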
diff --git a/pki/base/selinux/src/pki.sh b/pki/base/selinux/src/pki.sh
new file mode 100755
index 000000000..bf95ba98c
--- /dev/null
+++ b/pki/base/selinux/src/pki.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+USAGE="$0 [ --update ]"
+
+if [ ! -f /usr/share/selinux/devel/Makefile ]; then
+echo 'selinux-policy-devel not installed, package required for building policy'
+echo '# yum install selinux-policy-devel'
+exit 1
+fi
+
+if [ $# -eq 1 ]; then
+ if [ "$1" = "--update" ] ; then
+ time=`ls -l --time-style="+%x %X" pki_ca.te | awk '{ printf "%s %s", $6, $7 }'`
+ rules=`ausearch --start $time -m avc --raw -se pki_ca`
+ if [ x"$rules" != "x" ] ; then
+ echo "Found avc's to update policy with"
+ echo -e "$rules" | audit2allow -R
+ echo "Do you want these changes added to policy [y/n]?"
+ read ANS
+ if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
+ echo "Updating policy"
+ echo -e "$rules" | audit2allow -R >> pki_ca.te
+ # Fall though and rebuild policy
+ else
+ exit 0
+ fi
+ else
+ echo "No new avcs found"
+ exit 0
+ fi
+ else
+ echo -e $USAGE
+ exit 1
+ fi
+elif [ $# -ge 2 ] ; then
+ echo -e $USAGE
+ exit 1
+fi
+
+echo "Building and Loading Policy"
+make -f /usr/share/selinux/devel/Makefile
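Review bot: The `--update` path reads and appends to `pki_ca.te` (the `ls -l` line and the `>> pki_ca.te` line) but the policy source this commit adds is `pki.te`, so `ls` fails, `$time` ends up empty, and any rules the user accepts are appended to a file the Makefile never builds; both references should point at `pki.te`, e.g. `ls -l --time-style="+%x %X" pki.te` and `>> pki.te`. The `ausearch ... -se pki_ca` filter also only collects denials whose source context is `pki_ca`, so AVCs from the KRA, OCSP, RA, TKS and TPS domains this same module defines are never offered for review; a note at that line, or one `ausearch` per domain, would make the scope explicit. `echo -e` under `#!/bin/sh` is not portable (dash prints the `-e`), and `printf '%s\n' "$USAGE"` avoids both that and the unquoted expansion of `$USAGE`.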
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
new file mode 100644
index 000000000..3219cbed1
--- /dev/null
+++ b/pki/base/selinux/src/pki.te
@@ -0,0 +1,91 @@
+policy_module(pki,1.0.0)
+
+attribute pki_ca_config;
+attribute pki_ca_executable;
+attribute pki_ca_var_lib;
+attribute pki_ca_var_log;
+attribute pki_ca_var_run;
+attribute pki_ca_pidfiles;
+attribute pki_ca_script;
+attribute pki_ca_process;
+
+type pki_ca_tomcat_exec_t;
+files_type(pki_ca_tomcat_exec_t)
+
+pki_ca_template(pki_ca)
+
+attribute pki_kra_config;
+attribute pki_kra_executable;
+attribute pki_kra_var_lib;
+attribute pki_kra_var_log;
+attribute pki_kra_var_run;
+attribute pki_kra_pidfiles;
+attribute pki_kra_script;
+attribute pki_kra_process;
+
+type pki_kra_tomcat_exec_t;
+files_type(pki_kra_tomcat_exec_t)
+
+pki_ca_template(pki_kra)
+
+
+attribute pki_ocsp_config;
+attribute pki_ocsp_executable;
+attribute pki_ocsp_var_lib;
+attribute pki_ocsp_var_log;
+attribute pki_ocsp_var_run;
+attribute pki_ocsp_pidfiles;
+attribute pki_ocsp_script;
+attribute pki_ocsp_process;
+
+type pki_ocsp_tomcat_exec_t;
+files_type(pki_ocsp_tomcat_exec_t)
+
+pki_ca_template(pki_ocsp)
+
+
+attribute pki_ra_config;
+attribute pki_ra_executable;
+attribute pki_ra_var_lib;
+attribute pki_ra_var_log;
+attribute pki_ra_var_run;
+attribute pki_ra_pidfiles;
+attribute pki_ra_script;
+attribute pki_ra_process;
+
+type pki_ra_tomcat_exec_t;
+files_type(pki_ra_tomcat_exec_t)
+
+pki_ra_template(pki_ra)
+
+
+attribute pki_tks_config;
+attribute pki_tks_executable;
+attribute pki_tks_var_lib;
+attribute pki_tks_var_log;
+attribute pki_tks_var_run;
+attribute pki_tks_pidfiles;
+attribute pki_tks_script;
+attribute pki_tks_process;
+
+type pki_tks_tomcat_exec_t;
+files_type(pki_tks_tomcat_exec_t)
+
+pki_ca_template(pki_tks)
+
+
+attribute pki_tps_config;
+attribute pki_tps_executable;
+attribute pki_tps_var_lib;
+attribute pki_tps_var_log;
+attribute pki_tps_var_run;
+attribute pki_tps_pidfiles;
+attribute pki_tps_script;
+attribute pki_tps_process;
+
+type pki_tps_tomcat_exec_t;
+files_type(pki_tps_tomcat_exec_t)
+
+pki_ra_template(pki_tps)
+
+
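Review bot: The two `pki_ra_template` instantiations (`pki_ra_template(pki_ra)` and `pki_ra_template(pki_tps)`) are preceded by `pki_ra_var_run`, `pki_ra_pidfiles`, `pki_tps_var_run`, `pki_tps_pidfiles` and the `pki_ra_tomcat_exec_t`/`pki_tps_tomcat_exec_t` types, none of which the RA template in pki.if references, so those attributes stay empty and the two tomcat types are never assigned to a file. The `*_pidfiles` attribute is in fact declared for every service and required by every `*_admin` interface, yet no `type` line anywhere in the hunk adds a member to it; either drop the unused declarations or have the templates consume them, and a short comment per block naming which template each attribute feeds would make the mismatch visible. Since `pki_kra`, `pki_ocsp` and `pki_tks` are built with `pki_ca_template`, they also inherit the CA's `execstack execmem` and OCSP-port rules, which is worth a comment here if it is intentional.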
diff --git a/pki/dogtag/selinux/pki-selinux.spec b/pki/dogtag/selinux/pki-selinux.spec
new file mode 100644
index 000000000..da6019c3b
--- /dev/null
+++ b/pki/dogtag/selinux/pki-selinux.spec
@@ -0,0 +1,223 @@
+# BEGIN COPYRIGHT BLOCK
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# (C) 2007 Red Hat, Inc.
+# All rights reserved.
+# END COPYRIGHT BLOCK
+
+###############################################################################
+### D E F I N I T I O N S ###
+###############################################################################
+
+## Entity Definitions
+%define base_entity Dogtag
+%define base_prefix pki
+
+## Product Definitions
+%define base_system Certificate System
+%define base_product PKI Selinux Policies
+%define base_component selinux
+%define base_pki %{base_entity} %{base_system}
+
+## Package Header Definitions
+%define base_name %{base_prefix}-%{base_component}
+%define base_version 1.0.0
+%define base_release 1
+%define base_group System Environment/Shells
+%define base_vendor Red Hat, Inc.
+%define base_license GPLv2 with exceptions
+%define base_packager %{base_vendor} <http://bugzilla.redhat.com/bugzilla>
+%define base_summary %{base_pki} - %{base_product}
+%define base_url http://pki.fedoraproject.org/wiki/PKI_Documentation
+
+## Helper Definitions
+%define pki_ca %{base_entity} Certificate Authority
+%define pki_drm %{base_entity} Data Recovery Manager
+%define pki_ds Fedora Directory Server
+%define pki_ocsp %{base_entity} Online Certificate Status Protocol Manager
+%define pki_ra %{base_entity} Registration Authority
+%define pki_tks %{base_entity} Token Key Service
+%define pki_tps %{base_entity} Token Processing System
+
+## Don't build the debug packages
+%define debug_package %{nil}
+
+
+##===================##
+## Linux Definitions ##
+##===================##
+%ifos Linux
+## A distribution model is required on certain Linux operating systems!
+##
+## check for a pre-defined distribution model
+%define undefined_distro %(test "%{dist}" = "" && echo 1 || echo 0)
+%if %{undefined_distro}
+%define is_fedora %(test -e /etc/fedora-release && echo 1 || echo 0)
+%if %{is_fedora}
+## define a default distribution model on Fedora Linux
+%define dist_prefix .fc
+%define dist_version %(echo `rpm -qf --qf='%{VERSION}' /etc/fedora-release` | tr -d [A-Za-z])
+%define dist %{dist_prefix}%{dist_version}
+%else
+%define is_redhat %(test -e /etc/redhat-release && echo 1 || echo 0)
+%if %{is_redhat}
+## define a default distribution model on Red Hat Linux
+%define dist_prefix .el
+%define dist_version %(echo `rpm -qf --qf='%{VERSION}' /etc/redhat-release` | tr -d [A-Za-z])
+%define dist %{dist_prefix}%{dist_version}
+%endif
+%endif
+%endif
+%endif
+
+
+
+###############################################################################
+### P A C K A G E H E A D E R ###
+###############################################################################
+
+Name: %{base_name}
+Version: %{base_version}
+Release: %{base_release}%{?dist}
+Summary: %{base_summary}
+Vendor: %{base_vendor}
+URL: %{base_url}
+License: %{base_license}
+Packager: %{base_packager}
+Group: %{base_group}
+
+
+## Without AutoReqProv: no, rpmbuild finds all sorts of crazy
+## dependencies that we don't care about, and refuses to install
+AutoReqProv: no
+
+BuildArch: noarch
+BuildRoot: %{_builddir}/%{base_name}-root
+
+
+## NOTE: This spec file may require a specific JDK, "gcc", and/or "gcc-c++"
+## packages as well as the "rpm" and "rpm-build" packages.
+##
+## Technically, "ant" should not need to be in "BuildRequires" since
+## it is the Java equivalent of "make" (and/or "Autotools").
+##
+BuildRequires: ant >= 1.6.2
+
+## Without Requires something, rpmbuild will abort!
+Requires: %{base_prefix}-native-tools >= 1.0.0, perl >= 5.8.0, perl-libwww-perl >= 5.8.0, policycoreutils
+
+
+## This package is non-relocatable!
+#Prefix:
+
+Source0: %{base_name}-%{base_version}.tar.gz
+
+## This package currently contains no patches!
+#Patch0:
+
+
+%description
+Public Key Infrastructure (PKI) setup scripts used to create and remove
+instances from %{base_entity} PKI deployments.
+
+
+
+###############################################################################
+### P R E P A R A T I O N & S E T U P ###
+###############################################################################
+
+## On Linux systems, prep and setup expect there to be a Source file
+## in the /usr/src/redhat/SOURCES directory - it will be unpacked
+## in the _builddir (not BuildRoot)
+%prep
+
+
+%setup -q
+
+
+## This package currently contains no patches!
+#%patch0
+# patches
+
+
+
+###############################################################################
+### B U I L D P R O C E S S ###
+###############################################################################
+
+%build
+ant -Dspecfile=%{base_name}.spec
+
+
+
+###############################################################################
+### I N S T A L L A T I O N P R O C E S S ###
+###############################################################################
+
+%install
+cd dist/binary
+unzip %{name}-%{version}.zip -d ${RPM_BUILD_ROOT}
+
+
+
+###############################################################################
+### C L E A N U P P R O C E S S ###
+###############################################################################
+
+%clean
+rm -rf ${RPM_BUILD_ROOT}
+
+
+
+###############################################################################
+### P R E & P O S T I N S T A L L / U N I N S T A L L S C R I P T S ###
+###############################################################################
+
+## This package currently contains no pre-installation process!
+#%pre
+
+
+## This package currently contains no post-installation process!
+#%post
+
+
+## This package currently contains no pre-uninstallation process!
+#%preun
+
+
+## This package currently contains no post-uninstallation process!
+#%postun
+
+
+
+###############################################################################
+### I N V E N T O R Y O F F I L E S A N D D I R E C T O R I E S ###
+###############################################################################
+
+%files
+%attr(00755,root,root) %{_bindir}/*
+%attr(-,root,root) %{_datadir}/doc/%{base_name}-%{base_version}/*
+%attr(-,root,root) %{_datadir}/%{base_prefix}/scripts/*
+
+
+
+###############################################################################
+### C H A N G E L O G ###
+###############################################################################
+
+%changelog
+* Mon Jan 16 2009 Ade Lee <alee@redhat.com> 1.0.0-1
+- Initial release
+
+
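Review bot: The package installs no SELinux policy module and never loads one: `%files` lists only `%{_bindir}/*`, the doc directory and `%{_datadir}/%{base_prefix}/scripts/*`, with no `.pp` module and none of the `pki.fc`/`pki.if`/`pki.te` sources, and `%post`/`%postun` are left commented out, so installing the RPM changes neither the loaded policy nor the labels of the paths listed in pki.fc. For the policy to take effect the build needs to produce the module and the scriptlets need to install it on `%post` (`semodule -i`) and relabel the affected paths, and remove it on `%postun` (`semodule -r`); the `Requires: policycoreutils` line suggests that was the intent. The `%description` still reads "setup scripts used to create and remove instances", which looks copied from another package and should describe the SELinux policy this one ships.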