path: root/base/selinux/src/pki.if
Diffstat (limited to 'base/selinux/src/pki.if')
-rw-r--r--base/selinux/src/pki.if289
1 files changed, 0 insertions, 289 deletions
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index 4272bd0c5..5264271eb 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
@@ -3,295 +3,6 @@
########################################
## <summary>
-## Create a set of derived types for apache
-## web content.
-## </summary>
-## <param name="prefix">
-## <summary>
-## The prefix to be used for deriving type names.
-## </summary>
-## </param>
-#
-template(`pki_tomcat_template',`
- gen_require(`
- attribute pki_tomcat_process;
- attribute pki_tomcat_config, pki_tomcat_var_lib, pki_tomcat_var_run;
- attribute pki_tomcat_executable, pki_tomcat_script, pki_tomcat_var_log;
- type pki_tomcat_tomcat_exec_t;
- type tomcat_exec_t;
- type rpm_var_lib_t;
- type rpm_exec_t;
- type setfiles_t;
- type load_policy_t;
- type mxi_port_t;
- type http_cache_port_t;
- type http_port_t;
- type dns_port_t;
- ')
- ########################################
- #
- # Declarations
- #
-
- type $1_t, pki_tomcat_process;
- type $1_exec_t, pki_tomcat_executable;
- domain_type($1_t)
- init_daemon_domain($1_t, $1_exec_t)
-
- type $1_script_t;
- domain_type($1_script_t)
- gen_require(`
- type java_exec_t;
- type initrc_t;
- ')
- domtrans_pattern($1_script_t, java_exec_t, $1_t)
-
- role system_r types $1_script_t;
- allow $1_t java_exec_t:file entrypoint;
- allow initrc_t $1_script_t:process transition;
-
- type $1_etc_rw_t, pki_tomcat_config;
- files_type($1_etc_rw_t)
-
- type $1_var_run_t, pki_tomcat_var_run;
- files_pid_file($1_var_run_t)
-
- type $1_var_lib_t, pki_tomcat_var_lib;
- files_type($1_var_lib_t)
-
- type $1_log_t, pki_tomcat_var_log;
- logging_log_file($1_log_t)
-
- ########################################
- #
- # $1 local policy
- #
-
- # Execstack/execmem caused by java app.
- allow $1_t self:process { execstack execmem getsched setsched signal};
- allow initrc_t self:process execstack;
-
- ## internal communication is often done using fifo and unix sockets.
- allow $1_t self:fifo_file rw_file_perms;
- allow $1_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:process signull;
-
- ## ports (these will be in the tomcat domain)
- allow $1_t mxi_port_t : tcp_socket { name_bind name_connect };
- allow $1_t http_cache_port_t : tcp_socket name_bind;
- allow $1_t http_port_t : tcp_socket { name_bind name_connect };
- allow $1_t dns_port_t : tcp_socket { recv_msg send_msg name_connect };
-
- # use rpm to look at velocity version in dtomcat-foo
- allow $1_t rpm_exec_t:file exec_file_perms;
-
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_tcp_sendrecv_all_if($1_t)
- corenet_tcp_sendrecv_all_nodes($1_t)
- corenet_tcp_sendrecv_all_ports($1_t)
-
- corenet_tcp_bind_all_nodes($1_t)
- corenet_tcp_bind_ocsp_port($1_t)
- corenet_tcp_connect_ocsp_port($1_t)
- corenet_tcp_connect_generic_port($1_t)
-
- # for file signing
- corenet_tcp_connect_http_port($1_t)
-
- # This is for /etc/$1/tomcat.conf:
- can_exec($1_t, $1_tomcat_exec_t)
- allow $1_t $1_tomcat_exec_t:file {getattr read};
-
- #installation requires this for access to /var/lib/tomcat5/common/lib/jdtcore.jar
- rpm_read_db($1_t)
-
- # Init script handling
- domain_use_interactive_fds($1_t)
-
- files_read_etc_files($1_t)
-
- manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
- manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
- files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
-
- # start/stop using pki-cad, pki-krad, pki-ocspd, or pki-tksd
- allow setfiles_t $1_etc_rw_t:file read;
-
- manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
- manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- files_pid_filetrans($1_t,$1_var_run_t, { file dir })
-
- manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
- manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
- read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
- files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
- allow $1_t rpm_var_lib_t:lnk_file { read getattr };
-
- manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
- manage_files_pattern($1_t, $1_log_t, $1_log_t)
- logging_log_filetrans($1_t, $1_log_t, { file dir } )
-
- corecmd_exec_bin($1_t)
- corecmd_read_bin_symlinks($1_t)
- corecmd_exec_shell($1_t)
- corecmd_search_bin($1_t)
-
- dev_list_sysfs($1_t)
- dev_read_sysfs($1_t)
- dev_read_rand($1_t)
- dev_read_urand($1_t)
-
- # Java is looking in /tmp for some reason...:
- files_manage_generic_tmp_dirs($1_t)
- files_manage_generic_tmp_files($1_t)
- files_read_usr_files($1_t)
- files_read_usr_symlinks($1_t)
- # These are used to read tomcat class files in /var/lib/tomcat
- files_read_var_lib_files($1_t)
- files_read_var_lib_symlinks($1_t)
-
- #needed in tps key archival in kra
- files_list_var($1_t)
-
- kernel_read_network_state($1_t)
- kernel_read_system_state($1_t)
- kernel_search_network_state($1_t)
- kernel_signull_unlabeled($1_t)
-
- auth_use_nsswitch($1_t)
-
- init_dontaudit_write_utmp($1_t)
-
- libs_use_ld_so($1_t)
- libs_use_shared_libs($1_t)
-
- miscfiles_read_localization($1_t)
- miscfiles_read_hwdata($1_t)
- miscfiles_manage_generic_cert_dirs($1_t)
- miscfiles_manage_generic_cert_files($1_t)
-
- logging_send_syslog_msg($1_t)
-
- ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys($1_t)
- term_dontaudit_use_generic_ptys($1_t)
- ')
-
- # allow java subsystems to talk to the ncipher hsm
- allow $1_t pki_common_dev_t:sock_file write;
- allow $1_t pki_common_dev_t:dir search;
- allow $1_t pki_common_t:dir create_dir_perms;
- manage_files_pattern($1_t, pki_common_t, pki_common_t)
- can_exec($1_t, pki_common_t)
- init_stream_connect_script($1_t)
-
- #allow java subsystems to talk to lunasa hsm
-
- #allow sending mail
- corenet_tcp_connect_smtp_port($1_t)
-
- # allow rpm -q in init scripts
- rpm_exec($1_t)
-
- # allow writing to the kernel keyring
- allow $1_t self:key { write read };
-
- #reverse proxy
- corenet_tcp_connect_dogtag_port($1_t)
-
- #connect to ldap
- corenet_tcp_connect_ldap_port($1_t)
-
- # tomcat connects to ephemeral ports on shutdown
- corenet_tcp_connect_all_unreserved_ports($1_t)
-
- # new tomcat perms for dogtag 10
- allow $1_t pki_tomcat_var_run_t:lnk_file read;
- can_exec($1_t, tomcat_exec_t)
- consoletype_exec($1_t)
- fs_getattr_xattr_fs($1_t)
- fs_read_hugetlbfs_files($1_t)
- hostname_exec($1_t)
- allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };
- allow $1_t self:netlink_audit_socket { nlmsg_relay create write read};
- kernel_read_kernel_sysctls($1_t)
- selinux_get_enforce_mode($1_t)
- dirsrv_manage_var_lib($1_t)
- tomcat_search_cache($1_t)
-
- # write to /var/log/pki for spawn and destroy
- allow $1_t pki_log_t:dir {getattr search};
- allow load_policy_t pki_log_t:file write;
- allow setfiles_t pki_log_t:file write;
-
- optional_policy(`
- #This is broken in selinux-policy we need java_exec defined, Will add to policy
- gen_require(`
- type java_exec_t;
- ')
- can_exec($1_t, java_exec_t)
- ')
-
- optional_policy(`
- unconfined_domain($1_script_t)
- ')
-')
-
-########################################
-## <summary>
-## All of the rules required to administrate
-## an pki_tomcat environment
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to be allowed to manage the syslog domain.
-## </summary>
-## </param>
-## <param name="terminal">
-## <summary>
-## The type of the user terminal.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`pki_tomcat_admin',`
- gen_require(`
- type pki_tomcat_tomcat_exec_t;
- attribute pki_tomcat_process;
- attribute pki_tomcat_config;
- attribute pki_tomcat_executable;
- attribute pki_tomcat_var_lib;
- attribute pki_tomcat_var_log;
- attribute pki_tomcat_var_run;
- attribute pki_tomcat_pidfiles;
- attribute pki_tomcat_script;
- ')
-
- allow $1 pki_tomcat_process:process { ptrace signal_perms };
- ps_process_pattern($1, pki_tomcat_t)
-
- # Allow pki_tomcat_t to restart the service
- pki_tomcat_script_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 pki_tomcat_script system_r;
- allow $2 system_r;
-
- manage_all_pattern($1, pki_tomcat_config)
- manage_all_pattern($1, pki_tomcat_var_run)
- manage_all_pattern($1, pki_tomcat_var_lib)
- manage_all_pattern($1, pki_tomcat_var_log)
- manage_all_pattern($1, pki_tomcat_config)
- manage_all_pattern($1, pki_tomcat_tomcat_exec_t)
-')
-
-########################################
-## <summary>
## Execute pki_ra server in the pki_ra domain.
## </summary>
## <param name="domain">