Diffstat (limited to 'base/selinux')
-rw-r--r-- | base/selinux/src/pki.fc | 9 | ||||
-rw-r--r-- | base/selinux/src/pki.if | 17 | ||||
-rw-r--r-- | base/selinux/src/pki.te | 14 |
3 files changed, 39 insertions, 1 deletions
diff --git a/base/selinux/src/pki.fc b/base/selinux/src/pki.fc
index 8258b67c5..20d2c79a5 100644
--- a/base/selinux/src/pki.fc
+++ b/base/selinux/src/pki.fc
@@ -5,6 +5,7 @@
 /etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
 /var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
 /usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
+/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
 /etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
 /var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
 
@@ -31,12 +32,20 @@
 /var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
 /var/run/pki-ca.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
 /var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-ca/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
 /etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
 /var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
 /var/run/pki-kra.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
 /var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-kra/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
 /etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
 /var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
 /var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
 /var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-ocsp/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-tks/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index e2392634e..8399c4e9b 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
@@ -1,5 +1,22 @@
 ## <summary>policy for pki</summary>
+########################################
+## <summary>
+##	Allow read and write pki cert files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pki_rw_tomcat_cert',`
+	gen_require(`
+		type pki_tomcat_cert_t;
+	')
+
+	rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
 ########################################
 ## <summary>
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index 7fa76adb9..c8900bc7f 100644
--- a/base/selinux/src/pki.te
+++ b/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,10.0.10)
+policy_module(pki,10.0.11)
 type pki_log_t;
 files_type(pki_log_t)
@@ -12,6 +12,9 @@ files_type(pki_common_dev_t)
 type pki_tomcat_etc_rw_t;
 files_type(pki_tomcat_etc_rw_t)
+type pki_tomcat_cert_t;
+files_type(pki_tomcat_cert_t)
+
 tomcat_domain_template(pki_tomcat)
 permissive pki_tomcat_t;
@@ -23,6 +26,7 @@ require {
 	type systemd_unit_file_t;
 	type setfiles_t;
 	type load_policy_t;
+	type certmonger_t;
 }
 allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
@@ -40,6 +44,9 @@ allow pki_tomcat_t self:key { write read };
 manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
 manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+
 manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
 manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
 manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
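Review bot: `pki_rw_tomcat_cert` only grants search on directories labelled pki_tomcat_cert_t, yet the alias directories pki.fc puts under that label sit inside parents with other labels — `/var/lib/pki-ca/alias` is beneath `/var/lib/pki-ca(/.*)?`, which is pki_tomcat_var_lib_t (the parent of `/etc/pki/pki-tomcat/alias` is labelled outside this diff) — so a caller that does not already hold search on those parents will be denied before it reaches the databases. Unless certmonger_t gets that from its own policy, the interface should carry it: add `type pki_tomcat_var_lib_t;` to the gen_require and `search_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)` ahead of the rw_files_pattern line. The summary should also say what the label covers, since an NSS alias directory presumably holds the key database next to the cert database and an "rw" interface on it therefore hands out write access to key material: `##	Read and write the NSS certificate/key database files in the PKI Tomcat alias directories (pki_tomcat_cert_t).`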
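Review bot: Adding `type certmonger_t;` to the unconditional `require { }` block turns a convenience rule into a hard dependency — the pki module will now refuse to load on any host where the certmonger policy module is not installed, which is a worse outcome than certmonger lacking access. The refpolicy idiom is to leave this block alone and declare the foreign type at the point of use inside an optional_policy block, so the rule is silently skipped when certmonger is absent; the call site `pki_rw_tomcat_cert(certmonger_t)` is in a later hunk of this file, and the require block here starts outside the hunk. The rewritten call site would look like this:
```selinux
optional_policy(`
	gen_require(`
		type certmonger_t;
	')

	# allow certmonger to read and update the certdb files
	pki_rw_tomcat_cert(certmonger_t)
')
```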
@@ -77,6 +84,8 @@ logging_send_syslog_msg(pki_tomcat_t)
 miscfiles_read_hwdata(pki_tomcat_t)
 files_manage_generic_tmp_files(pki_tomcat_t)
+userdom_manage_user_tmp_dirs(pki_tomcat_t)
+userdom_manage_user_tmp_files(pki_tomcat_t)
 # forward proxy
 # need to define ports to fix this
@@ -108,6 +117,9 @@ allow load_policy_t pki_log_t:file write;
 dirsrv_manage_var_lib(pki_tomcat_t)
 allow setfiles_t pki_log_t:file write;
+# allow certmonger to read certdb files
+pki_rw_tomcat_cert(certmonger_t)
+
 ##########################
 # TPS policy
 ##########################
|
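Review bot: `userdom_manage_user_tmp_dirs` and `userdom_manage_user_tmp_files` let the pki_tomcat_t service create, rewrite and delete anything carrying the user tmp label — other users' scratch files — which is far broader than a system daemon should hold, and next to the existing `files_manage_generic_tmp_files` it reads like an AVC-chasing workaround rather than a requirement. If the service only needs scratch space of its own, the usual fix is a private tmp type with a name transition so its files never land in a shared label (no pki_tomcat_tmp_t is visible in this diff; confirm none exists before adding one); if an interactive tool really does hand it user-labelled tmp files, the rule needs a comment naming the path that produced the denial. The domain is still `permissive` per the earlier hunk, so none of this is enforced yet, which is all the more reason to get the labels right before it is. The surrounding pki_tomcat_t rule section continues outside the hunk.
```selinux
# declarations section (outside this hunk)
type pki_tomcat_tmp_t;
files_tmp_file(pki_tomcat_tmp_t)

# … unchanged: other pki_tomcat_t rules …
manage_dirs_pattern(pki_tomcat_t, pki_tomcat_tmp_t, pki_tomcat_tmp_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_tmp_t, pki_tomcat_tmp_t)
files_tmp_filetrans(pki_tomcat_t, pki_tomcat_tmp_t, { dir file })
```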
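Review bot: The comment says certmonger only needs to *read* the certdb files, but `pki_rw_tomcat_cert` (added to pki.if in this same change) expands to rw_files_pattern, i.e. write as well as read on every file labelled pki_tomcat_cert_t, which per pki.fc is the whole of each alias directory. If read-only is what is meant, the least-privilege fix is a sibling `pki_read_tomcat_cert` built on `read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)` and calling that here; if certmonger must update the databases on renewal — which is what it is normally used for — then the comment is what is wrong: `# allow certmonger to read and update the NSS cert/key databases on renewal`. Either way note that rw_files_pattern grants neither create nor unlink, so if the NSS library rewrites a database by creating a new file, renewal will still be denied; that is worth checking with a real renewal under enforcing mode rather than inferring from the access vector.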