summaryrefslogtreecommitdiffstats
path: root/base/selinux/src/pki.if
diff options
context:
space:
mode:
Diffstat (limited to 'base/selinux/src/pki.if')
-rw-r--r--base/selinux/src/pki.if243
1 files changed, 54 insertions, 189 deletions
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index 0709176ea..b8c521a79 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
@@ -12,24 +12,26 @@
## </summary>
## </param>
#
-template(`pki_ca_template',`
+template(`pki_tomcat_template',`
gen_require(`
- attribute pki_ca_process;
- attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run;
- attribute pki_ca_executable, pki_ca_script, pki_ca_var_log;
- type pki_ca_tomcat_exec_t;
+ attribute pki_tomcat_process;
+ attribute pki_tomcat_config, pki_tomcat_var_lib, pki_tomcat_var_run;
+ attribute pki_tomcat_executable, pki_tomcat_script, pki_tomcat_var_log;
+ type pki_tomcat_tomcat_exec_t;
+ type tomcat_exec_t;
type $1_port_t;
type rpm_var_lib_t;
type rpm_exec_t;
type setfiles_t;
+ type load_policy_t;
')
########################################
#
# Declarations
#
- type $1_t, pki_ca_process;
- type $1_exec_t, pki_ca_executable;
+ type $1_t, pki_tomcat_process;
+ type $1_exec_t, pki_tomcat_executable;
domain_type($1_t)
init_daemon_domain($1_t, $1_exec_t)
@@ -45,16 +47,16 @@ template(`pki_ca_template',`
allow $1_t java_exec_t:file entrypoint;
allow initrc_t $1_script_t:process transition;
- type $1_etc_rw_t, pki_ca_config;
+ type $1_etc_rw_t, pki_tomcat_config;
files_type($1_etc_rw_t)
- type $1_var_run_t, pki_ca_var_run;
+ type $1_var_run_t, pki_tomcat_var_run;
files_pid_file($1_var_run_t)
- type $1_var_lib_t, pki_ca_var_lib;
+ type $1_var_lib_t, pki_tomcat_var_lib;
files_type($1_var_lib_t)
- type $1_log_t, pki_ca_var_log;
+ type $1_log_t, pki_tomcat_var_log;
logging_log_file($1_log_t)
########################################
@@ -195,6 +197,25 @@ template(`pki_ca_template',`
# tomcat connects to ephemeral ports on shutdown
corenet_tcp_connect_all_unreserved_ports($1_t)
+ # new tomcat perms for dogtag 10
+ allow $1_t pki_tomcat_var_run_t:lnk_file read;
+ can_exec($1_t, tomcat_exec_t)
+ consoletype_exec($1_t)
+ fs_getattr_xattr_fs($1_t)
+ fs_read_hugetlbfs_files($1_t)
+ hostname_exec($1_t)
+ miscfiles_read_hwdata($1_t)
+ allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };
+ allow $1_t self:netlink_audit_socket { nlmsg_relay create write read};
+ kernel_read_kernel_sysctls($1_t)
+ selinux_get_enforce_mode($1_t)
+ dirsrv_manage_var_lib($1_t)
+
+ # write to /var/log/pki for spawn and destroy
+ allow $1_t pki_log_t:dir {getattr search};
+ allow load_policy_t pki_log_t:file write;
+ allow setfiles_t pki_log_t:file write;
+
optional_policy(`
#This is broken in selinux-policy we need java_exec defined, Will add to policy
gen_require(`
@@ -211,59 +232,7 @@ template(`pki_ca_template',`
########################################
## <summary>
## All of the rules required to administrate
-## an pki_ca environment
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to be allowed to manage the syslog domain.
-## </summary>
-## </param>
-## <param name="terminal">
-## <summary>
-## The type of the user terminal.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`pki_ca_admin',`
- gen_require(`
- type pki_ca_tomcat_exec_t;
- attribute pki_ca_process;
- attribute pki_ca_config;
- attribute pki_ca_executable;
- attribute pki_ca_var_lib;
- attribute pki_ca_var_log;
- attribute pki_ca_var_run;
- attribute pki_ca_pidfiles;
- attribute pki_ca_script;
- ')
-
- allow $1 pki_ca_process:process { ptrace signal_perms };
- ps_process_pattern($1, pki_ca_t)
-
- # Allow pki_ca_t to restart the service
- pki_ca_script_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 pki_ca_script system_r;
- allow $2 system_r;
-
- manage_all_pattern($1, pki_ca_config)
- manage_all_pattern($1, pki_ca_var_run)
- manage_all_pattern($1, pki_ca_var_lib)
- manage_all_pattern($1, pki_ca_var_log)
- manage_all_pattern($1, pki_ca_config)
- manage_all_pattern($1, pki_ca_tomcat_exec_t)
-')
-
-########################################
-## <summary>
-## All of the rules required to administrate
-## an pki_kra environment
+## an pki_tomcat environment
## </summary>
## <param name="domain">
## <summary>
@@ -282,86 +251,34 @@ interface(`pki_ca_admin',`
## </param>
## <rolecap/>
#
-interface(`pki_kra_admin',`
+interface(`pki_tomcat_admin',`
gen_require(`
- type pki_kra_tomcat_exec_t;
- attribute pki_kra_process;
- attribute pki_kra_config;
- attribute pki_kra_executable;
- attribute pki_kra_var_lib;
- attribute pki_kra_var_log;
- attribute pki_kra_var_run;
- attribute pki_kra_pidfiles;
- attribute pki_kra_script;
+ type pki_tomcat_tomcat_exec_t;
+ attribute pki_tomcat_process;
+ attribute pki_tomcat_config;
+ attribute pki_tomcat_executable;
+ attribute pki_tomcat_var_lib;
+ attribute pki_tomcat_var_log;
+ attribute pki_tomcat_var_run;
+ attribute pki_tomcat_pidfiles;
+ attribute pki_tomcat_script;
')
- allow $1 pki_kra_process:process { ptrace signal_perms };
- ps_process_pattern($1, pki_kra_t)
+ allow $1 pki_tomcat_process:process { ptrace signal_perms };
+ ps_process_pattern($1, pki_tomcat_t)
- # Allow pki_kra_t to restart the service
- pki_kra_script_domtrans($1)
+ # Allow pki_tomcat_t to restart the service
+ pki_tomcat_script_domtrans($1)
domain_system_change_exemption($1)
- role_transition $2 pki_kra_script system_r;
+ role_transition $2 pki_tomcat_script system_r;
allow $2 system_r;
- manage_all_pattern($1, pki_kra_config)
- manage_all_pattern($1, pki_kra_var_run)
- manage_all_pattern($1, pki_kra_var_lib)
- manage_all_pattern($1, pki_kra_var_log)
- manage_all_pattern($1, pki_kra_config)
- manage_all_pattern($1, pki_kra_tomcat_exec_t)
-')
-
-########################################
-## <summary>
-## All of the rules required to administrate
-## an pki_ocsp environment
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to be allowed to manage the syslog domain.
-## </summary>
-## </param>
-## <param name="terminal">
-## <summary>
-## The type of the user terminal.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`pki_ocsp_admin',`
- gen_require(`
- type pki_ocsp_tomcat_exec_t;
- attribute pki_ocsp_process;
- attribute pki_ocsp_config;
- attribute pki_ocsp_executable;
- attribute pki_ocsp_var_lib;
- attribute pki_ocsp_var_log;
- attribute pki_ocsp_var_run;
- attribute pki_ocsp_pidfiles;
- attribute pki_ocsp_script;
- ')
-
- allow $1 pki_ocsp_process:process { ptrace signal_perms };
- ps_process_pattern($1, pki_ocsp_t)
-
- # Allow pki_ocsp_t to restart the service
- pki_ocsp_script_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 pki_ocsp_script system_r;
- allow $2 system_r;
-
- manage_all_pattern($1, pki_ocsp_config)
- manage_all_pattern($1, pki_ocsp_var_run)
- manage_all_pattern($1, pki_ocsp_var_lib)
- manage_all_pattern($1, pki_ocsp_var_log)
- manage_all_pattern($1, pki_ocsp_config)
- manage_all_pattern($1, pki_ocsp_tomcat_exec_t)
+ manage_all_pattern($1, pki_tomcat_config)
+ manage_all_pattern($1, pki_tomcat_var_run)
+ manage_all_pattern($1, pki_tomcat_var_lib)
+ manage_all_pattern($1, pki_tomcat_var_log)
+ manage_all_pattern($1, pki_tomcat_config)
+ manage_all_pattern($1, pki_tomcat_tomcat_exec_t)
')
########################################
@@ -626,58 +543,6 @@ interface(`pki_ra_admin',`
########################################
## <summary>
-## All of the rules required to administrate
-## an pki_tks environment
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to be allowed to manage the syslog domain.
-## </summary>
-## </param>
-## <param name="terminal">
-## <summary>
-## The type of the user terminal.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`pki_tks_admin',`
- gen_require(`
- type pki_tks_tomcat_exec_t;
- attribute pki_tks_process;
- attribute pki_tks_config;
- attribute pki_tks_executable;
- attribute pki_tks_var_lib;
- attribute pki_tks_var_log;
- attribute pki_tks_var_run;
- attribute pki_tks_pidfiles;
- attribute pki_tks_script;
- ')
-
- allow $1 pki_tks_process:process { ptrace signal_perms };
- ps_process_pattern($1, pki_tks_t)
-
- # Allow pki_tks_t to restart the service
- pki_tks_script_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 pki_tks_script system_r;
- allow $2 system_r;
-
- manage_all_pattern($1, pki_tks_config)
- manage_all_pattern($1, pki_tks_var_run)
- manage_all_pattern($1, pki_tks_var_lib)
- manage_all_pattern($1, pki_tks_var_log)
- manage_all_pattern($1, pki_tks_config)
- manage_all_pattern($1, pki_tks_tomcat_exec_t)
-')
-
-########################################
-## <summary>
## Execute pki_tps server in the pki_tps domain.
## </summary>
## <param name="domain">
generated by cgit (git 2.34.1) at 2024-04-16 19:02:42 +0000