diff options
Diffstat (limited to 'base/selinux/src/pki.te')
-rw-r--r-- | base/selinux/src/pki.te | 332 |
1 files changed, 332 insertions, 0 deletions
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te new file mode 100644 index 000000000..7f6e65738 --- /dev/null +++ b/base/selinux/src/pki.te @@ -0,0 +1,332 @@ +policy_module(pki,10.0.2) + +attribute pki_ca_config; +attribute pki_ca_executable; +attribute pki_ca_var_lib; +attribute pki_ca_var_log; +attribute pki_ca_var_run; +attribute pki_ca_pidfiles; +attribute pki_ca_script; +attribute pki_ca_process; + +type pki_common_t; +files_type(pki_common_t) + +type pki_common_dev_t; +files_type(pki_common_dev_t) + +type pki_ca_tomcat_exec_t; +files_type(pki_ca_tomcat_exec_t) + +pki_ca_template(pki_ca) +corenet_tcp_connect_pki_kra_port(pki_ca_t) +corenet_tcp_connect_pki_ocsp_port(pki_ca_t) + +# forward proxy +corenet_tcp_connect_pki_ca_port(httpd_t) + +# for crl publishing +allow pki_ca_t pki_ca_var_lib_t:lnk_file { rename create unlink }; + +# for ECC +auth_getattr_shadow(pki_ca_t) + +attribute pki_kra_config; +attribute pki_kra_executable; +attribute pki_kra_var_lib; +attribute pki_kra_var_log; +attribute pki_kra_var_run; +attribute pki_kra_pidfiles; +attribute pki_kra_script; +attribute pki_kra_process; + +type pki_kra_tomcat_exec_t; +files_type(pki_kra_tomcat_exec_t) + +pki_ca_template(pki_kra) +corenet_tcp_connect_pki_ca_port(pki_kra_t) + +# forward proxy +corenet_tcp_connect_pki_kra_port(httpd_t) + +attribute pki_ocsp_config; +attribute pki_ocsp_executable; +attribute pki_ocsp_var_lib; +attribute pki_ocsp_var_log; +attribute pki_ocsp_var_run; +attribute pki_ocsp_pidfiles; +attribute pki_ocsp_script; +attribute pki_ocsp_process; + +type pki_ocsp_tomcat_exec_t; +files_type(pki_ocsp_tomcat_exec_t) + +pki_ca_template(pki_ocsp) +corenet_tcp_connect_pki_ca_port(pki_ocsp_t) + +# forward proxy +corenet_tcp_connect_pki_ocsp_port(httpd_t) + +attribute pki_ra_config; +attribute pki_ra_executable; +attribute pki_ra_var_lib; +attribute pki_ra_var_log; +attribute pki_ra_var_run; +attribute pki_ra_pidfiles; +attribute pki_ra_script; +attribute pki_ra_process; + +type pki_ra_tomcat_exec_t; +files_type(pki_ra_tomcat_exec_t) + +pki_ra_template(pki_ra) + +attribute pki_tks_config; +attribute pki_tks_executable; +attribute pki_tks_var_lib; +attribute pki_tks_var_log; +attribute pki_tks_var_run; +attribute pki_tks_pidfiles; +attribute pki_tks_script; +attribute pki_tks_process; + +type pki_tks_tomcat_exec_t; +files_type(pki_tks_tomcat_exec_t) + +pki_ca_template(pki_tks) +corenet_tcp_connect_pki_ca_port(pki_tks_t) + +# forward proxy +corenet_tcp_connect_pki_tks_port(httpd_t) + +# needed for token enrollment, list /var/cache/tomcat5/temp +files_list_var(pki_tks_t) + +attribute pki_tps_config; +attribute pki_tps_executable; +attribute pki_tps_var_lib; +attribute pki_tps_var_log; +attribute pki_tps_var_run; +attribute pki_tps_pidfiles; +attribute pki_tps_script; +attribute pki_tps_process; + +type pki_tps_tomcat_exec_t; +files_type(pki_tps_tomcat_exec_t) + +pki_tps_template(pki_tps) + +#interprocess communication on process shutdown +allow pki_ca_t pki_kra_t:process signull; +allow pki_ca_t pki_ocsp_t:process signull; +allow pki_ca_t pki_tks_t:process signull; + +allow pki_kra_t pki_ca_t:process signull; +allow pki_kra_t pki_ocsp_t:process signull; +allow pki_kra_t pki_tks_t:process signull; + +allow pki_ocsp_t pki_ca_t:process signull; +allow pki_ocsp_t pki_kra_t:process signull; +allow pki_ocsp_t pki_tks_t:process signull; + +allow pki_tks_t pki_ca_t:process signull; +allow pki_tks_t pki_kra_t:process signull; +allow pki_tks_t pki_ocsp_t:process signull; + +#allow httpd_t pki_tks_tomcat_exec_t:process signull; +#allow httpd_t pki_tks_var_lib_t:process signull; + +# start up httpd in pki_tps_t mode +can_exec(pki_tps_t, httpd_config_t) +allow pki_tps_t httpd_exec_t:file entrypoint; +allow pki_tps_t httpd_modules_t:lnk_file read; +can_exec(pki_tps_t, httpd_suexec_exec_t) + +# apache permissions +apache_exec_modules(pki_tps_t) +apache_list_modules(pki_tps_t) +apache_read_config(pki_tps_t) + +allow pki_tps_t lib_t:file execute_no_trans; + +#fowner needed for chmod +allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill}; +allow pki_tps_t self:process { setsched signal getsched signull execstack execmem sigkill}; +allow pki_tps_t self:sem all_sem_perms; +allow pki_tps_t self:tcp_socket create_stream_socket_perms; + +# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment +allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans}; + + #netlink needed? +allow pki_tps_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; + +corecmd_exec_bin(pki_tps_t) +corecmd_exec_shell(pki_tps_t) +corecmd_read_bin_symlinks(pki_tps_t) +corecmd_search_bin(pki_tps_t) + +corenet_sendrecv_unlabeled_packets(pki_tps_t) +corenet_tcp_bind_all_nodes(pki_tps_t) +corenet_tcp_bind_pki_tps_port(pki_tps_t) +corenet_tcp_connect_generic_port(pki_tps_t) + +# customer may run an ldap server on 389 +corenet_tcp_connect_ldap_port(pki_tps_t) + +# connect to other subsystems +corenet_tcp_connect_pki_ca_port(pki_tps_t) +corenet_tcp_connect_pki_kra_port(pki_tps_t) +corenet_tcp_connect_pki_tks_port(pki_tps_t) + +corenet_tcp_sendrecv_all_if(pki_tps_t) +corenet_tcp_sendrecv_all_nodes(pki_tps_t) +corenet_tcp_sendrecv_all_ports(pki_tps_t) +corenet_all_recvfrom_unlabeled(pki_tps_t) + +dev_read_urand(pki_tps_t) +files_exec_usr_files(pki_tps_t) +files_read_usr_symlinks(pki_tps_t) +files_read_usr_files(pki_tps_t) + +#installation and debug uses /tmp +files_manage_generic_tmp_dirs(pki_tps_t) +files_manage_generic_tmp_files(pki_tps_t) + +kernel_read_kernel_sysctls(pki_tps_t) +kernel_read_system_state(pki_tps_t) + +# need to resolve addresses? +auth_use_nsswitch(pki_tps_t) + +sysnet_read_config(pki_tps_t) + +allow httpd_t pki_tps_etc_rw_t:dir search; +allow httpd_t pki_tps_etc_rw_t:file rw_file_perms; +allow httpd_t pki_tps_log_t:dir rw_dir_perms; +allow httpd_t pki_tps_log_t:file manage_file_perms; +allow httpd_t pki_tps_t:process { signal signull }; +allow httpd_t pki_tps_var_lib_t:dir { getattr search }; +allow httpd_t pki_tps_var_lib_t:lnk_file read; +allow httpd_t pki_tps_var_lib_t:file read_file_perms; + +# why do I need to add this? +allow httpd_t httpd_config_t:file execute; +files_exec_usr_files(httpd_t) + +# talk to the hsm +allow pki_tps_t pki_common_dev_t:sock_file write; +allow pki_tps_t pki_common_dev_t:dir search; +allow pki_tps_t pki_common_t:dir create_dir_perms; +manage_files_pattern(pki_tps_t, pki_common_t, pki_common_t) +can_exec(pki_tps_t, pki_common_t) +init_stream_connect_script(pki_tps_t) + +#allow tps to talk to lunasa hsm +logging_send_syslog_msg(pki_tps_t) + +# allow rpm -q in init scripts +rpm_exec(pki_tps_t) + +# allow writing to the kernel keyring +allow pki_tps_t self:key { write read }; + +# new for f14 +apache_exec(pki_tps_t) + + # start up httpd in pki_ra_t mode +allow pki_ra_t httpd_config_t:file { read getattr execute }; +allow pki_ra_t httpd_exec_t:file entrypoint; +allow pki_ra_t httpd_modules_t:lnk_file read; +allow pki_ra_t httpd_suexec_exec_t:file { getattr read execute }; + +#apache permissions +apache_read_config(pki_ra_t) +apache_exec_modules(pki_ra_t) +apache_list_modules(pki_ra_t) + +allow pki_ra_t lib_t:file execute_no_trans; + +allow pki_ra_t self:capability { setuid sys_nice setgid dac_override fowner fsetid}; +allow pki_ra_t self:process { setsched getsched signal signull execstack execmem}; +allow pki_ra_t self:sem all_sem_perms; +allow pki_ra_t self:tcp_socket create_stream_socket_perms; + +#RA specific? talking to mysql? +allow pki_ra_t self:udp_socket { write read create connect }; +allow pki_ra_t self:unix_dgram_socket { write create connect }; + +# netlink needed? +allow pki_ra_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; + +corecmd_exec_bin(pki_ra_t) +corecmd_exec_shell(pki_ra_t) +corecmd_read_bin_symlinks(pki_ra_t) +corecmd_search_bin(pki_ra_t) + +corenet_sendrecv_unlabeled_packets(pki_ra_t) +corenet_tcp_bind_all_nodes(pki_ra_t) +corenet_tcp_bind_pki_ra_port(pki_ra_t) + +corenet_tcp_sendrecv_all_if(pki_ra_t) +corenet_tcp_sendrecv_all_nodes(pki_ra_t) +corenet_tcp_sendrecv_all_ports(pki_ra_t) +corenet_all_recvfrom_unlabeled(pki_ra_t) +corenet_tcp_connect_generic_port(pki_ra_t) + +# talk to other subsystems +corenet_tcp_connect_pki_ca_port(pki_ra_t) + +dev_read_urand(pki_ra_t) +files_exec_usr_files(pki_ra_t) +fs_getattr_xattr_fs(pki_ra_t) + +# ra writes files to /tmp +files_manage_generic_tmp_files(pki_ra_t) + +kernel_read_kernel_sysctls(pki_ra_t) +kernel_read_system_state(pki_ra_t) + +logging_send_syslog_msg(pki_ra_t) + +corenet_tcp_connect_smtp_port(pki_ra_t) +files_search_spool(pki_ra_t) + +# +# Should be changed to mta_send_mail +# +mta_manage_spool(pki_ra_t) +mta_manage_queue(pki_ra_t) +mta_read_config(pki_ra_t) +mta_sendmail_exec(pki_ra_t) + +#resolve names? +auth_use_nsswitch(pki_ra_t) + +sysnet_read_config(pki_ra_t) + +allow httpd_t pki_ra_etc_rw_t:dir search; +allow httpd_t pki_ra_etc_rw_t:file rw_file_perms; +allow httpd_t pki_ra_log_t:dir rw_dir_perms; +allow httpd_t pki_ra_log_t:file manage_file_perms; +allow httpd_t pki_ra_t:process { signal signull }; +allow httpd_t pki_ra_var_lib_t:dir { getattr search }; +allow httpd_t pki_ra_var_lib_t:lnk_file read; +allow httpd_t pki_ra_var_lib_t:file read_file_perms; + +# talk to the hsm +allow pki_ra_t pki_common_dev_t:sock_file write; +allow pki_ra_t pki_common_dev_t:dir search; +allow pki_ra_t pki_common_t:dir create_dir_perms; +manage_files_pattern(pki_ra_t, pki_common_t, pki_common_t) +can_exec(pki_ra_t, pki_common_t) +init_stream_connect_script(pki_ra_t) + +# allow rpm -q in init scripts +rpm_exec(pki_ra_t) + +# allow writing to the kernel keyring +allow pki_ra_t self:key { write read }; + +# new for f14 +apache_exec(pki_ra_t) |