summaryrefslogtreecommitdiffstats
path: root/base/selinux
diff options
context:
space:
mode:
Diffstat (limited to 'base/selinux')
-rw-r--r--base/selinux/src/pki.fc9
-rw-r--r--base/selinux/src/pki.if17
-rw-r--r--base/selinux/src/pki.te14
3 files changed, 39 insertions, 1 deletions
diff --git a/base/selinux/src/pki.fc b/base/selinux/src/pki.fc
index 8258b67c5..20d2c79a5 100644
--- a/base/selinux/src/pki.fc
+++ b/base/selinux/src/pki.fc
@@ -5,6 +5,7 @@
/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
+/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
@@ -31,12 +32,20 @@
/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
/var/run/pki-ca.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-ca/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
/var/run/pki-kra.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-kra/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-ocsp/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-tks/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index e2392634e..8399c4e9b 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
@@ -1,5 +1,22 @@
## <summary>policy for pki</summary>
+########################################
+## <summary>
+## Allow read and write pki cert files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_rw_tomcat_cert',`
+ gen_require(`
+ type pki_tomcat_cert_t;
+ ')
+
+ rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
########################################
## <summary>
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index 7fa76adb9..c8900bc7f 100644
--- a/base/selinux/src/pki.te
+++ b/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,10.0.10)
+policy_module(pki,10.0.11)
type pki_log_t;
files_type(pki_log_t)
@@ -12,6 +12,9 @@ files_type(pki_common_dev_t)
type pki_tomcat_etc_rw_t;
files_type(pki_tomcat_etc_rw_t)
+type pki_tomcat_cert_t;
+files_type(pki_tomcat_cert_t)
+
tomcat_domain_template(pki_tomcat)
permissive pki_tomcat_t;
@@ -23,6 +26,7 @@ require {
type systemd_unit_file_t;
type setfiles_t;
type load_policy_t;
+ type certmonger_t;
}
allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
@@ -40,6 +44,9 @@ allow pki_tomcat_t self:key { write read };
manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+
manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
@@ -77,6 +84,8 @@ logging_send_syslog_msg(pki_tomcat_t)
miscfiles_read_hwdata(pki_tomcat_t)
files_manage_generic_tmp_files(pki_tomcat_t)
+userdom_manage_user_tmp_dirs(pki_tomcat_t)
+userdom_manage_user_tmp_files(pki_tomcat_t)
# forward proxy
# need to define ports to fix this
@@ -108,6 +117,9 @@ allow load_policy_t pki_log_t:file write;
dirsrv_manage_var_lib(pki_tomcat_t)
allow setfiles_t pki_log_t:file write;
+# allow certmonger to read certdb files
+pki_rw_tomcat_cert(certmonger_t)
+
##########################
# TPS policy
##########################