diff options
Diffstat (limited to 'base/selinux/src/pki.te')
-rw-r--r-- | base/selinux/src/pki.te | 221 |
1 files changed, 0 insertions, 221 deletions
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te deleted file mode 100644 index aefcd03c8..000000000 --- a/base/selinux/src/pki.te +++ /dev/null @@ -1,221 +0,0 @@ -policy_module(pki,10.0.13) - -type pki_log_t; -files_type(pki_log_t) - -type pki_common_t; -files_type(pki_common_t) - -type pki_common_dev_t; -files_type(pki_common_dev_t) - -type pki_tomcat_etc_rw_t; -files_type(pki_tomcat_etc_rw_t) - -type pki_tomcat_cert_t; -files_type(pki_tomcat_cert_t) - -tomcat_domain_template(pki_tomcat) - -permissive pki_tomcat_t; - -type pki_tomcat_lock_t; -files_lock_file(pki_tomcat_lock_t) - -require { - type systemd_unit_file_t; - type setfiles_t; - type load_policy_t; - type certmonger_t; -} - -allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid}; -allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create }; - -allow pki_tomcat_t self:key write; -allow pki_tomcat_t self:process { signal setsched signull execmem }; -allow pki_tomcat_t self:tcp_socket { accept listen }; -allow pki_tomcat_t self:unix_dgram_socket { create connect }; -allow pki_tomcat_t self:process signal; - -# allow writing to the kernel keyring -allow pki_tomcat_t self:key { write read }; - -manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) -manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) - -manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) -manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) - -manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t) -manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t) -manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t) -files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file }) - -# allow java subsystems to talk to the ncipher hsm -allow pki_tomcat_t pki_common_dev_t:sock_file write; -allow pki_tomcat_t pki_common_dev_t:dir search; -allow pki_tomcat_t pki_common_t:dir create_dir_perms; -manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t) -can_exec(pki_tomcat_t, pki_common_t) -init_stream_connect_script(pki_tomcat_t) - -# init script checks and fixes links if needed -allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { read getattr setattr }; -allow pki_tomcat_t pki_tomcat_var_run_t:lnk_file { create getattr setattr }; - -allow pki_tomcat_t systemd_unit_file_t:lnk_file { read getattr setattr }; -allow pki_tomcat_t systemd_unit_file_t:dir getattr; -allow pki_tomcat_t systemd_unit_file_t:file getattr; - -allow pki_tomcat_t pki_log_t:dir getattr; -allow pki_tomcat_t pki_log_t:dir search; - -kernel_read_kernel_sysctls(pki_tomcat_t) - -corenet_tcp_connect_http_cache_port(pki_tomcat_t) -corenet_tcp_connect_ldap_port(pki_tomcat_t) -corenet_tcp_connect_smtp_port(pki_tomcat_t) - -selinux_get_enforce_mode(pki_tomcat_t) - -logging_send_audit_msgs(pki_tomcat_t) -logging_send_syslog_msg(pki_tomcat_t) - -miscfiles_read_hwdata(pki_tomcat_t) -miscfiles_read_localization(pki_tomcat_t) -files_manage_generic_tmp_files(pki_tomcat_t) -userdom_manage_user_tmp_dirs(pki_tomcat_t) -userdom_manage_user_tmp_files(pki_tomcat_t) - -# forward proxy -# need to define ports to fix this -#corenet_tcp_connect_pki_tomcat_port(httpd_t) - -# for crl publishing -allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink }; - -# for ECC -auth_getattr_shadow(pki_tomcat_t) -optional_policy(` - consoletype_exec(pki_tomcat_t) -') - -optional_policy(` - hostname_exec(pki_tomcat_t) -') - -# old type aliases for migration -typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t }; -typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t }; -typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t }; -typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t }; -typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t }; -# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t }; - -# install/ uninstall instance -allow load_policy_t pki_log_t:file write; -dirsrv_manage_var_lib(pki_tomcat_t) -allow setfiles_t pki_log_t:file write; - -# allow certmonger to read certdb files -pki_rw_tomcat_cert(certmonger_t) -pki_search_tomcat_etc_rw(certmonger_t) - -# needed for dogtag 9 style instances -type pki_tomcat_script_t; -domain_type(pki_tomcat_script_t) -gen_require(` - type java_exec_t; - type initrc_t; -') -domtrans_pattern(pki_tomcat_script_t, java_exec_t, pki_tomcat_t) - -role system_r types pki_tomcat_script_t; -allow pki_tomcat_t java_exec_t:file entrypoint; -allow initrc_t pki_tomcat_script_t:process transition; - -optional_policy(` - unconfined_domain(pki_tomcat_script_t) -') - -########################## -# TPS policy -########################## - -attribute pki_tps_config; -attribute pki_tps_executable; -attribute pki_tps_var_lib; -attribute pki_tps_var_log; -attribute pki_tps_var_run; -attribute pki_tps_pidfiles; -attribute pki_tps_script; -attribute pki_tps_process; - -type pki_tps_tomcat_exec_t; -files_type(pki_tps_tomcat_exec_t) - -pki_apache_template(pki_tps) - -# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment -allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans}; - -corenet_tcp_bind_pki_tps_port(pki_tps_t) - -# customer may run an ldap server on 389 -corenet_tcp_connect_ldap_port(pki_tps_t) - -# connect to other subsystems -corenet_tcp_connect_pki_ca_port(pki_tps_t) -corenet_tcp_connect_pki_kra_port(pki_tps_t) -corenet_tcp_connect_pki_tks_port(pki_tps_t) - -files_exec_usr_files(pki_tps_t) -files_read_usr_symlinks(pki_tps_t) -files_read_usr_files(pki_tps_t) - -# why do I need to add this? -allow httpd_t httpd_config_t:file execute; -files_exec_usr_files(httpd_t) - -########################## -# RA policy -######################### - -attribute pki_ra_config; -attribute pki_ra_executable; -attribute pki_ra_var_lib; -attribute pki_ra_var_log; -attribute pki_ra_var_run; -attribute pki_ra_pidfiles; -attribute pki_ra_script; -attribute pki_ra_process; - -type pki_ra_tomcat_exec_t; -files_type(pki_ra_tomcat_exec_t) - -pki_apache_template(pki_ra) - -#RA specific? talking to mysql? -allow pki_ra_t self:udp_socket { write read create connect }; -allow pki_ra_t self:unix_dgram_socket { write create connect }; - -corenet_tcp_bind_pki_ra_port(pki_ra_t) - -# talk to other subsystems -corenet_tcp_connect_pki_ca_port(pki_ra_t) - -files_exec_usr_files(pki_ra_t) -fs_getattr_xattr_fs(pki_ra_t) - -corenet_tcp_connect_smtp_port(pki_ra_t) -files_search_spool(pki_ra_t) - -# -# Should be changed to mta_send_mail -# -mta_manage_spool(pki_ra_t) -mta_manage_queue(pki_ra_t) -mta_read_config(pki_ra_t) -mta_sendmail_exec(pki_ra_t) - |