Diffstat (limited to 'base/selinux/src/pki.te')
-rw-r--r--base/selinux/src/pki.te221
1 files changed, 0 insertions, 221 deletions
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
deleted file mode 100644
index aefcd03c8..000000000
--- a/base/selinux/src/pki.te
+++ /dev/null
@@ -1,221 +0,0 @@
-policy_module(pki,10.0.13)
-
-type pki_log_t;
-files_type(pki_log_t)
-
-type pki_common_t;
-files_type(pki_common_t)
-
-type pki_common_dev_t;
-files_type(pki_common_dev_t)
-
-type pki_tomcat_etc_rw_t;
-files_type(pki_tomcat_etc_rw_t)
-
-type pki_tomcat_cert_t;
-files_type(pki_tomcat_cert_t)
-
-tomcat_domain_template(pki_tomcat)
-
-permissive pki_tomcat_t;
-
-type pki_tomcat_lock_t;
-files_lock_file(pki_tomcat_lock_t)
-
-require {
- type systemd_unit_file_t;
- type setfiles_t;
- type load_policy_t;
- type certmonger_t;
-}
-
-allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
-allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
-
-allow pki_tomcat_t self:key write;
-allow pki_tomcat_t self:process { signal setsched signull execmem };
-allow pki_tomcat_t self:tcp_socket { accept listen };
-allow pki_tomcat_t self:unix_dgram_socket { create connect };
-allow pki_tomcat_t self:process signal;
-
-# allow writing to the kernel keyring
-allow pki_tomcat_t self:key { write read };
-
-manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
-manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
-
-manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
-manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
-
-manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
-manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
-manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
-files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })
-
-# allow java subsystems to talk to the ncipher hsm
-allow pki_tomcat_t pki_common_dev_t:sock_file write;
-allow pki_tomcat_t pki_common_dev_t:dir search;
-allow pki_tomcat_t pki_common_t:dir create_dir_perms;
-manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
-can_exec(pki_tomcat_t, pki_common_t)
-init_stream_connect_script(pki_tomcat_t)
-
-# init script checks and fixes links if needed
-allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { read getattr setattr };
-allow pki_tomcat_t pki_tomcat_var_run_t:lnk_file { create getattr setattr };
-
-allow pki_tomcat_t systemd_unit_file_t:lnk_file { read getattr setattr };
-allow pki_tomcat_t systemd_unit_file_t:dir getattr;
-allow pki_tomcat_t systemd_unit_file_t:file getattr;
-
-allow pki_tomcat_t pki_log_t:dir getattr;
-allow pki_tomcat_t pki_log_t:dir search;
-
-kernel_read_kernel_sysctls(pki_tomcat_t)
-
-corenet_tcp_connect_http_cache_port(pki_tomcat_t)
-corenet_tcp_connect_ldap_port(pki_tomcat_t)
-corenet_tcp_connect_smtp_port(pki_tomcat_t)
-
-selinux_get_enforce_mode(pki_tomcat_t)
-
-logging_send_audit_msgs(pki_tomcat_t)
-logging_send_syslog_msg(pki_tomcat_t)
-
-miscfiles_read_hwdata(pki_tomcat_t)
-miscfiles_read_localization(pki_tomcat_t)
-files_manage_generic_tmp_files(pki_tomcat_t)
-userdom_manage_user_tmp_dirs(pki_tomcat_t)
-userdom_manage_user_tmp_files(pki_tomcat_t)
-
-# forward proxy
-# need to define ports to fix this
-#corenet_tcp_connect_pki_tomcat_port(httpd_t)
-
-# for crl publishing
-allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
-
-# for ECC
-auth_getattr_shadow(pki_tomcat_t)
-optional_policy(`
- consoletype_exec(pki_tomcat_t)
-')
-
-optional_policy(`
- hostname_exec(pki_tomcat_t)
-')
-
-# old type aliases for migration
-typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
-typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
-typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
-typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
-typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
-# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
-
-# install/ uninstall instance
-allow load_policy_t pki_log_t:file write;
-dirsrv_manage_var_lib(pki_tomcat_t)
-allow setfiles_t pki_log_t:file write;
-
-# allow certmonger to read certdb files
-pki_rw_tomcat_cert(certmonger_t)
-pki_search_tomcat_etc_rw(certmonger_t)
-
-# needed for dogtag 9 style instances
-type pki_tomcat_script_t;
-domain_type(pki_tomcat_script_t)
-gen_require(`
- type java_exec_t;
- type initrc_t;
-')
-domtrans_pattern(pki_tomcat_script_t, java_exec_t, pki_tomcat_t)
-
-role system_r types pki_tomcat_script_t;
-allow pki_tomcat_t java_exec_t:file entrypoint;
-allow initrc_t pki_tomcat_script_t:process transition;
-
-optional_policy(`
- unconfined_domain(pki_tomcat_script_t)
-')
-
-##########################
-# TPS policy
-##########################
-
-attribute pki_tps_config;
-attribute pki_tps_executable;
-attribute pki_tps_var_lib;
-attribute pki_tps_var_log;
-attribute pki_tps_var_run;
-attribute pki_tps_pidfiles;
-attribute pki_tps_script;
-attribute pki_tps_process;
-
-type pki_tps_tomcat_exec_t;
-files_type(pki_tps_tomcat_exec_t)
-
-pki_apache_template(pki_tps)
-
-# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
-allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
-
-corenet_tcp_bind_pki_tps_port(pki_tps_t)
-
-# customer may run an ldap server on 389
-corenet_tcp_connect_ldap_port(pki_tps_t)
-
-# connect to other subsystems
-corenet_tcp_connect_pki_ca_port(pki_tps_t)
-corenet_tcp_connect_pki_kra_port(pki_tps_t)
-corenet_tcp_connect_pki_tks_port(pki_tps_t)
-
-files_exec_usr_files(pki_tps_t)
-files_read_usr_symlinks(pki_tps_t)
-files_read_usr_files(pki_tps_t)
-
-# why do I need to add this?
-allow httpd_t httpd_config_t:file execute;
-files_exec_usr_files(httpd_t)
-
-##########################
-# RA policy
-#########################
-
-attribute pki_ra_config;
-attribute pki_ra_executable;
-attribute pki_ra_var_lib;
-attribute pki_ra_var_log;
-attribute pki_ra_var_run;
-attribute pki_ra_pidfiles;
-attribute pki_ra_script;
-attribute pki_ra_process;
-
-type pki_ra_tomcat_exec_t;
-files_type(pki_ra_tomcat_exec_t)
-
-pki_apache_template(pki_ra)
-
-#RA specific? talking to mysql?
-allow pki_ra_t self:udp_socket { write read create connect };
-allow pki_ra_t self:unix_dgram_socket { write create connect };
-
-corenet_tcp_bind_pki_ra_port(pki_ra_t)
-
-# talk to other subsystems
-corenet_tcp_connect_pki_ca_port(pki_ra_t)
-
-files_exec_usr_files(pki_ra_t)
-fs_getattr_xattr_fs(pki_ra_t)
-
-corenet_tcp_connect_smtp_port(pki_ra_t)
-files_search_spool(pki_ra_t)
-
-#
-# Should be changed to mta_send_mail
-#
-mta_manage_spool(pki_ra_t)
-mta_manage_queue(pki_ra_t)
-mta_read_config(pki_ra_t)
-mta_sendmail_exec(pki_ra_t)
-