diff options
Diffstat (limited to 'base/selinux')
-rw-r--r-- | base/selinux/CMakeLists.txt | 11 | ||||
-rw-r--r-- | base/selinux/LICENSE | 291 | ||||
-rw-r--r-- | base/selinux/src/CMakeLists.txt | 28 | ||||
-rw-r--r-- | base/selinux/src/Makefile | 18 | ||||
-rw-r--r-- | base/selinux/src/pki.fc | 91 | ||||
-rw-r--r-- | base/selinux/src/pki.if | 745 | ||||
-rwxr-xr-x | base/selinux/src/pki.sh | 41 | ||||
-rw-r--r-- | base/selinux/src/pki.te | 332 |
8 files changed, 1557 insertions, 0 deletions
diff --git a/base/selinux/CMakeLists.txt b/base/selinux/CMakeLists.txt new file mode 100644 index 000000000..a9ef0707f --- /dev/null +++ b/base/selinux/CMakeLists.txt @@ -0,0 +1,11 @@ +project(selinux) + +add_subdirectory(src) + +# install empty directories +install( + DIRECTORY + DESTINATION + ${SHARE_INSTALL_PREFIX}/selinux/modules +) + diff --git a/base/selinux/LICENSE b/base/selinux/LICENSE new file mode 100644 index 000000000..e281f4362 --- /dev/null +++ b/base/selinux/LICENSE @@ -0,0 +1,291 @@ +This Program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published +by the Free Software Foundation; version 2 of the License. + +This Program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +for more details. + +You should have received a copy of the GNU General Public License +along with this Program; if not, write to the Free Software +Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. diff --git a/base/selinux/src/CMakeLists.txt b/base/selinux/src/CMakeLists.txt new file mode 100644 index 000000000..146ab1348 --- /dev/null +++ b/base/selinux/src/CMakeLists.txt @@ -0,0 +1,28 @@ +set(POLICY_MAKEFILE /usr/share/selinux/devel/Makefile) + +set(policy_SRCS + pki.fc + pki.if + pki.te +) + +if (LINUX) + if (EXISTS ${POLICY_MAKEFILE}) + foreach(_POLICY ${policy_SRCS}) + macro_copy_file(${CMAKE_CURRENT_SOURCE_DIR}/${_POLICY} ${CMAKE_CURRENT_BINARY_DIR}/${_POLICY}) + endforeach(_POLICY ${policy_SRCS}) + + # FIXME This should be done by cmake + add_custom_target(selinux ALL + COMMAND ${CMAKE_BUILD_TOOL} -f ${POLICY_MAKEFILE} + WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR} + ) + + install( + FILES + ${CMAKE_CURRENT_BINARY_DIR}/pki.pp + DESTINATION + ${SHARE_INSTALL_PREFIX}/selinux/modules + ) + endif (EXISTS ${POLICY_MAKEFILE}) +endif (LINUX) diff --git a/base/selinux/src/Makefile b/base/selinux/src/Makefile new file mode 100644 index 000000000..201a448a9 --- /dev/null +++ b/base/selinux/src/Makefile @@ -0,0 +1,18 @@ +POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile +POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted + +all: + if [ ! -e $(POLICY_MAKEFILE) ]; then echo "You need to install the SELinux development tools (selinux-policy-devel)" && exit 1; fi + $(MAKE) -f $(POLICY_MAKEFILE) || exit 1; + +clean: + rm -rf tmp + rm pki.pp + +install: all + install -d $(POLICY_DIR) + install -m 644 pki.pp $(POLICY_DIR) + +load: + /usr/sbin/semodule -i pki.pp + diff --git a/base/selinux/src/pki.fc b/base/selinux/src/pki.fc new file mode 100644 index 000000000..3a22d86a4 --- /dev/null +++ b/base/selinux/src/pki.fc @@ -0,0 +1,91 @@ + +/usr/bin/dtomcat5-pki-ca -- gen_context(system_u:object_r:pki_ca_exec_t,s0) + +/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0) +/etc/pki-ca/tomcat5.conf -- gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0) + +/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_var_lib_t,s0) + +/var/run/pki-ca.pid gen_context(system_u:object_r:pki_ca_var_run_t,s0) + +/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_log_t,s0) + +/usr/bin/dtomcat5-pki-kra -- gen_context(system_u:object_r:pki_kra_exec_t,s0) + +/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0) +/etc/pki-kra/tomcat5.conf -- gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0) + +/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_var_lib_t,s0) + +/var/run/pki-kra.pid gen_context(system_u:object_r:pki_kra_var_run_t,s0) + +/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_log_t,s0) + +/usr/bin/dtomcat5-pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_exec_t,s0) + +/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0) +/etc/pki-ocsp/tomcat5.conf -- gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0) + +/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_lib_t,s0) + +/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_ocsp_var_run_t,s0) + +/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_log_t,s0) + +/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) +/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) +/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0) +/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0) + + +/usr/bin/dtomcat5-pki-tks -- gen_context(system_u:object_r:pki_tks_exec_t,s0) + +/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0) +/etc/pki-tks/tomcat5.conf -- gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0) + +/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_var_lib_t,s0) + +/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tks_var_run_t,s0) + +/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_log_t,s0) + +/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) +/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0) +/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0) + +# default labeling for nCipher +/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0) +/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0) +/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0) +/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0) + +# labeling for new CA under pki-cad + +/var/run/pki/ca(/.*)? gen_context(system_u:object_r:pki_ca_var_run_t,s0) +/etc/sysconfig/pki/ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0) + +# labeling for new KRA under pki-krad + +/var/run/pki/kra(/.*)? gen_context(system_u:object_r:pki_kra_var_run_t,s0) +/etc/sysconfig/pki/kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0) + +# labeling for new OCSP under pki-ocspd + +/var/run/pki/ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_var_run_t,s0) +/etc/sysconfig/pki/ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0) + +# labeling for new TKS under pki-tksd + +/var/run/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_var_run_t,s0) +/etc/sysconfig/pki/tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0) + +# labeling for new RA under pki-rad + +/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0) +/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) + +# labeling for new TPS under pki-tpsd + +/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0) +/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) + diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if new file mode 100644 index 000000000..0709176ea --- /dev/null +++ b/base/selinux/src/pki.if @@ -0,0 +1,745 @@ + +## <summary>policy for pki</summary> + +######################################## +## <summary> +## Create a set of derived types for apache +## web content. +## </summary> +## <param name="prefix"> +## <summary> +## The prefix to be used for deriving type names. +## </summary> +## </param> +# +template(`pki_ca_template',` + gen_require(` + attribute pki_ca_process; + attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run; + attribute pki_ca_executable, pki_ca_script, pki_ca_var_log; + type pki_ca_tomcat_exec_t; + type $1_port_t; + type rpm_var_lib_t; + type rpm_exec_t; + type setfiles_t; + ') + ######################################## + # + # Declarations + # + + type $1_t, pki_ca_process; + type $1_exec_t, pki_ca_executable; + domain_type($1_t) + init_daemon_domain($1_t, $1_exec_t) + + type $1_script_t; + domain_type($1_script_t) + gen_require(` + type java_exec_t; + type initrc_t; + ') + domtrans_pattern($1_script_t, java_exec_t, $1_t) + + role system_r types $1_script_t; + allow $1_t java_exec_t:file entrypoint; + allow initrc_t $1_script_t:process transition; + + type $1_etc_rw_t, pki_ca_config; + files_type($1_etc_rw_t) + + type $1_var_run_t, pki_ca_var_run; + files_pid_file($1_var_run_t) + + type $1_var_lib_t, pki_ca_var_lib; + files_type($1_var_lib_t) + + type $1_log_t, pki_ca_var_log; + logging_log_file($1_log_t) + + ######################################## + # + # $1 local policy + # + + # Execstack/execmem caused by java app. + allow $1_t self:process { execstack execmem getsched setsched signal}; + allow initrc_t self:process execstack; + + ## internal communication is often done using fifo and unix sockets. + allow $1_t self:fifo_file rw_file_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; + allow $1_t self:tcp_socket create_stream_socket_perms; + allow $1_t self:process signull; + + allow $1_t $1_port_t:tcp_socket {name_bind name_connect}; + + # use rpm to look at velocity version in dtomcat-foo + allow $1_t rpm_exec_t:file exec_file_perms; + + corenet_all_recvfrom_unlabeled($1_t) + corenet_tcp_sendrecv_all_if($1_t) + corenet_tcp_sendrecv_all_nodes($1_t) + corenet_tcp_sendrecv_all_ports($1_t) + + corenet_tcp_bind_all_nodes($1_t) + corenet_tcp_bind_ocsp_port($1_t) + corenet_tcp_connect_ocsp_port($1_t) + corenet_tcp_connect_generic_port($1_t) + + # for file signing + corenet_tcp_connect_http_port($1_t) + + # This is for /etc/$1/tomcat.conf: + can_exec($1_t, $1_tomcat_exec_t) + allow $1_t $1_tomcat_exec_t:file {getattr read}; + + #installation requires this for access to /var/lib/tomcat5/common/lib/jdtcore.jar + rpm_read_db($1_t) + + # Init script handling + domain_use_interactive_fds($1_t) + + files_read_etc_files($1_t) + + manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) + manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) + files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) + + # start/stop using pki-cad, pki-krad, pki-ocspd, or pki-tksd + allow setfiles_t $1_etc_rw_t:file read; + + manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t,$1_var_run_t, { file dir }) + + manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) + manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) + read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) + files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } ) + allow $1_t rpm_var_lib_t:lnk_file { read getattr }; + + manage_dirs_pattern($1_t, $1_log_t, $1_log_t) + manage_files_pattern($1_t, $1_log_t, $1_log_t) + logging_log_filetrans($1_t, $1_log_t, { file dir } ) + + corecmd_exec_bin($1_t) + corecmd_read_bin_symlinks($1_t) + corecmd_exec_shell($1_t) + corecmd_search_bin($1_t) + + dev_list_sysfs($1_t) + dev_read_sysfs($1_t) + dev_read_rand($1_t) + dev_read_urand($1_t) + + # Java is looking in /tmp for some reason...: + files_manage_generic_tmp_dirs($1_t) + files_manage_generic_tmp_files($1_t) + files_read_usr_files($1_t) + files_read_usr_symlinks($1_t) + # These are used to read tomcat class files in /var/lib/tomcat + files_read_var_lib_files($1_t) + files_read_var_lib_symlinks($1_t) + + #needed in tps key archival in kra + files_list_var($1_t) + + kernel_read_network_state($1_t) + kernel_read_system_state($1_t) + kernel_search_network_state($1_t) + # audit2allow + kernel_signull_unlabeled($1_t) + + auth_use_nsswitch($1_t) + + init_dontaudit_write_utmp($1_t) + + libs_use_ld_so($1_t) + libs_use_shared_libs($1_t) + + miscfiles_read_localization($1_t) + + logging_send_syslog_msg($1_t) + + ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_ttys($1_t) + term_dontaudit_use_generic_ptys($1_t) + ') + + # allow java subsystems to talk to the ncipher hsm + allow $1_t pki_common_dev_t:sock_file write; + allow $1_t pki_common_dev_t:dir search; + allow $1_t pki_common_t:dir create_dir_perms; + manage_files_pattern($1_t, pki_common_t, pki_common_t) + can_exec($1_t, pki_common_t) + init_stream_connect_script($1_t) + + #allow java subsystems to talk to lunasa hsm + + #allow sending mail + corenet_tcp_connect_smtp_port($1_t) + + # allow rpm -q in init scripts + rpm_exec($1_t) + + # allow writing to the kernel keyring + allow $1_t self:key { write read }; + + #reverse proxy + corenet_tcp_connect_dogtag_port($1_t) + + #connect to ldap + corenet_tcp_connect_ldap_port($1_t) + + # tomcat connects to ephemeral ports on shutdown + corenet_tcp_connect_all_unreserved_ports($1_t) + + optional_policy(` + #This is broken in selinux-policy we need java_exec defined, Will add to policy + gen_require(` + type java_exec_t; + ') + can_exec($1_t, java_exec_t) + ') + + optional_policy(` + unconfined_domain($1_script_t) + ') +') + +######################################## +## <summary> +## All of the rules required to administrate +## an pki_ca environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the syslog domain. +## </summary> +## </param> +## <param name="terminal"> +## <summary> +## The type of the user terminal. +## </summary> +## </param> +## <rolecap/> +# +interface(`pki_ca_admin',` + gen_require(` + type pki_ca_tomcat_exec_t; + attribute pki_ca_process; + attribute pki_ca_config; + attribute pki_ca_executable; + attribute pki_ca_var_lib; + attribute pki_ca_var_log; + attribute pki_ca_var_run; + attribute pki_ca_pidfiles; + attribute pki_ca_script; + ') + + allow $1 pki_ca_process:process { ptrace signal_perms }; + ps_process_pattern($1, pki_ca_t) + + # Allow pki_ca_t to restart the service + pki_ca_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 pki_ca_script system_r; + allow $2 system_r; + + manage_all_pattern($1, pki_ca_config) + manage_all_pattern($1, pki_ca_var_run) + manage_all_pattern($1, pki_ca_var_lib) + manage_all_pattern($1, pki_ca_var_log) + manage_all_pattern($1, pki_ca_config) + manage_all_pattern($1, pki_ca_tomcat_exec_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an pki_kra environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the syslog domain. +## </summary> +## </param> +## <param name="terminal"> +## <summary> +## The type of the user terminal. +## </summary> +## </param> +## <rolecap/> +# +interface(`pki_kra_admin',` + gen_require(` + type pki_kra_tomcat_exec_t; + attribute pki_kra_process; + attribute pki_kra_config; + attribute pki_kra_executable; + attribute pki_kra_var_lib; + attribute pki_kra_var_log; + attribute pki_kra_var_run; + attribute pki_kra_pidfiles; + attribute pki_kra_script; + ') + + allow $1 pki_kra_process:process { ptrace signal_perms }; + ps_process_pattern($1, pki_kra_t) + + # Allow pki_kra_t to restart the service + pki_kra_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 pki_kra_script system_r; + allow $2 system_r; + + manage_all_pattern($1, pki_kra_config) + manage_all_pattern($1, pki_kra_var_run) + manage_all_pattern($1, pki_kra_var_lib) + manage_all_pattern($1, pki_kra_var_log) + manage_all_pattern($1, pki_kra_config) + manage_all_pattern($1, pki_kra_tomcat_exec_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an pki_ocsp environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the syslog domain. +## </summary> +## </param> +## <param name="terminal"> +## <summary> +## The type of the user terminal. +## </summary> +## </param> +## <rolecap/> +# +interface(`pki_ocsp_admin',` + gen_require(` + type pki_ocsp_tomcat_exec_t; + attribute pki_ocsp_process; + attribute pki_ocsp_config; + attribute pki_ocsp_executable; + attribute pki_ocsp_var_lib; + attribute pki_ocsp_var_log; + attribute pki_ocsp_var_run; + attribute pki_ocsp_pidfiles; + attribute pki_ocsp_script; + ') + + allow $1 pki_ocsp_process:process { ptrace signal_perms }; + ps_process_pattern($1, pki_ocsp_t) + + # Allow pki_ocsp_t to restart the service + pki_ocsp_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 pki_ocsp_script system_r; + allow $2 system_r; + + manage_all_pattern($1, pki_ocsp_config) + manage_all_pattern($1, pki_ocsp_var_run) + manage_all_pattern($1, pki_ocsp_var_lib) + manage_all_pattern($1, pki_ocsp_var_log) + manage_all_pattern($1, pki_ocsp_config) + manage_all_pattern($1, pki_ocsp_tomcat_exec_t) +') + +######################################## +## <summary> +## Execute pki_ra server in the pki_ra domain. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`pki_ra_script_domtrans',` + gen_require(` + attribute pki_ra_script; + ') + + init_script_domtrans_spec($1,pki_ra_script) +') + +######################################## +## <summary> +## Create a set of derived types for apache +## web content. +## </summary> +## <param name="prefix"> +## <summary> +## The prefix to be used for deriving type names. +## </summary> +## </param> +# +template(`pki_tps_template',` + gen_require(` + attribute pki_tps_process; + attribute pki_tps_config, pki_tps_var_lib, pki_tps_var_run; + attribute pki_tps_executable, pki_tps_script, pki_tps_var_log; + ') + ######################################## + # + # Declarations + # + + type $1_t, pki_tps_process; + type $1_exec_t, pki_tps_executable; + domain_type($1_t) + init_daemon_domain($1_t, $1_exec_t) + + type $1_script_exec_t, pki_tps_script; + init_script_file($1_script_exec_t) + + type $1_etc_rw_t, pki_tps_config; + files_type($1_etc_rw_t) + + type $1_var_run_t, pki_tps_var_run; + files_pid_file($1_var_run_t) + + type $1_var_lib_t, pki_tps_var_lib; + files_type($1_var_lib_t) + + type $1_log_t, pki_tps_var_log; + logging_log_file($1_log_t) + + ######################################## + # + # $1 local policy + # + + ## internal communication is often done using fifo and unix sockets. + allow $1_t self:fifo_file rw_file_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; + + # Init script handling + domain_use_interactive_fds($1_t) + + files_read_etc_files($1_t) + allow pki_tps_t pki_tps_etc_rw_t:lnk_file read; + + manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) + manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) + files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) + + manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t,$1_var_run_t, { file dir }) + + manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) + manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) + read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) + files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } ) + + manage_dirs_pattern($1_t, $1_log_t, $1_log_t) + manage_files_pattern($1_t, $1_log_t, $1_log_t) + logging_log_filetrans($1_t, $1_log_t, { file dir } ) + + init_dontaudit_write_utmp($1_t) + + libs_use_ld_so($1_t) + libs_use_shared_libs($1_t) + + miscfiles_read_localization($1_t) + + ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_ttys($1_t) + term_dontaudit_use_generic_ptys($1_t) + ') + + gen_require(` + type httpd_t; + type httpd_exec_t; + type httpd_suexec_exec_t; + ') + + #============= httpd_t ============== + allow httpd_t $1_var_run_t:dir search; + allow httpd_t $1_var_run_t:file read_file_perms; + +') + +template(`pki_ra_template',` + gen_require(` + attribute pki_ra_process; + attribute pki_ra_config, pki_ra_var_lib, pki_ra_var_run; + attribute pki_ra_executable, pki_ra_script, pki_ra_var_log; + ') + ######################################## + # + # Declarations + # + + type $1_t, pki_ra_process; + type $1_exec_t, pki_ra_executable; + domain_type($1_t) + init_daemon_domain($1_t, $1_exec_t) + + type $1_script_exec_t, pki_ra_script; + init_script_file($1_script_exec_t) + + type $1_etc_rw_t, pki_ra_config; + files_type($1_etc_rw_t) + + type $1_var_run_t, pki_ra_var_run; + files_pid_file($1_var_run_t) + + type $1_var_lib_t, pki_ra_var_lib; + files_type($1_var_lib_t) + + type $1_log_t, pki_ra_var_log; + logging_log_file($1_log_t) + + ######################################## + # + # $1 local policy + # + + ## internal communication is often done using fifo and unix sockets. + allow $1_t self:fifo_file rw_file_perms; + allow $1_t self:unix_stream_socket create_stream_socket_perms; + + # Init script handling + domain_use_interactive_fds($1_t) + + files_read_etc_files($1_t) + + manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) + manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) + files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) + + manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) + files_pid_filetrans($1_t,$1_var_run_t, { file dir }) + + manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) + manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) + read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) + files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } ) + + manage_dirs_pattern($1_t, $1_log_t, $1_log_t) + manage_files_pattern($1_t, $1_log_t, $1_log_t) + logging_log_filetrans($1_t, $1_log_t, { file dir } ) + + init_dontaudit_write_utmp($1_t) + + libs_use_ld_so($1_t) + libs_use_shared_libs($1_t) + + miscfiles_read_localization($1_t) + + ifdef(`targeted_policy',` + term_dontaudit_use_unallocated_ttys($1_t) + term_dontaudit_use_generic_ptys($1_t) + ') + + gen_require(` + type httpd_t; + type devlog_t; + type syslogd_t; + type httpd_exec_t; + type httpd_suexec_exec_t; + ') + + #============= httpd_t ============== + allow httpd_t $1_var_run_t:dir search; + allow httpd_t $1_var_run_t:file read_file_perms; +') + +######################################## +## <summary> +## All of the rules required to administrate +## an pki_ra environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +######################################## +## <summary> +## All of the rules required to administrate +## an pki_ra environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the syslog domain. +## </summary> +## </param> +## <param name="terminal"> +## <summary> +## The type of the user terminal. +## </summary> +## </param> +## <rolecap/> +# +interface(`pki_ra_admin',` + gen_require(` + attribute pki_ra_process; + attribute pki_ra_config; + attribute pki_ra_executable; + attribute pki_ra_var_lib; + attribute pki_ra_var_log; + attribute pki_ra_var_run; + attribute pki_ra_script; + ') + + allow $1 pki_ra_process:process { ptrace signal_perms }; + ps_process_pattern($1, pki_ra_t) + + # Allow pki_ra_t to restart the service + pki_ra_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 pki_ra_script system_r; + allow $2 system_r; + + manage_all_pattern($1, pki_ra_config) + manage_all_pattern($1, pki_ra_var_run) + manage_all_pattern($1, pki_ra_var_lib) + manage_all_pattern($1, pki_ra_var_log) + manage_all_pattern($1, pki_ra_config) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an pki_tks environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the syslog domain. +## </summary> +## </param> +## <param name="terminal"> +## <summary> +## The type of the user terminal. +## </summary> +## </param> +## <rolecap/> +# +interface(`pki_tks_admin',` + gen_require(` + type pki_tks_tomcat_exec_t; + attribute pki_tks_process; + attribute pki_tks_config; + attribute pki_tks_executable; + attribute pki_tks_var_lib; + attribute pki_tks_var_log; + attribute pki_tks_var_run; + attribute pki_tks_pidfiles; + attribute pki_tks_script; + ') + + allow $1 pki_tks_process:process { ptrace signal_perms }; + ps_process_pattern($1, pki_tks_t) + + # Allow pki_tks_t to restart the service + pki_tks_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 pki_tks_script system_r; + allow $2 system_r; + + manage_all_pattern($1, pki_tks_config) + manage_all_pattern($1, pki_tks_var_run) + manage_all_pattern($1, pki_tks_var_lib) + manage_all_pattern($1, pki_tks_var_log) + manage_all_pattern($1, pki_tks_config) + manage_all_pattern($1, pki_tks_tomcat_exec_t) +') + +######################################## +## <summary> +## Execute pki_tps server in the pki_tps domain. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`pki_tps_script_domtrans',` + gen_require(` + attribute pki_tps_script; + ') + + init_script_domtrans_spec($1,pki_tps_script) +') + + +######################################## +## <summary> +## All of the rules required to administrate +## an pki_tps environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the syslog domain. +## </summary> +## </param> +## <param name="terminal"> +## <summary> +## The type of the user terminal. +## </summary> +## </param> +## <rolecap/> +# +interface(`pki_tps_admin',` + gen_require(` + attribute pki_tps_process; + attribute pki_tps_config; + attribute pki_tps_executable; + attribute pki_tps_var_lib; + attribute pki_tps_var_log; + attribute pki_tps_var_run; + attribute pki_tps_script; + ') + + allow $1 pki_tps_process:process { ptrace signal_perms }; + ps_process_pattern($1, pki_tps_t) + + # Allow pki_tps_t to restart the service + pki_tps_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 pki_tps_script system_r; + allow $2 system_r; + + manage_all_pattern($1, pki_tps_config) + manage_all_pattern($1, pki_tps_var_run) + manage_all_pattern($1, pki_tps_var_lib) + manage_all_pattern($1, pki_tps_var_log) + manage_all_pattern($1, pki_tps_config) +') diff --git a/base/selinux/src/pki.sh b/base/selinux/src/pki.sh new file mode 100755 index 000000000..bf95ba98c --- /dev/null +++ b/base/selinux/src/pki.sh @@ -0,0 +1,41 @@ +#!/bin/sh + +USAGE="$0 [ --update ]" + +if [ ! -f /usr/share/selinux/devel/Makefile ]; then +echo 'selinux-policy-devel not installed, package required for building policy' +echo '# yum install selinux-policy-devel' +exit 1 +fi + +if [ $# -eq 1 ]; then + if [ "$1" = "--update" ] ; then + time=`ls -l --time-style="+%x %X" pki_ca.te | awk '{ printf "%s %s", $6, $7 }'` + rules=`ausearch --start $time -m avc --raw -se pki_ca` + if [ x"$rules" != "x" ] ; then + echo "Found avc's to update policy with" + echo -e "$rules" | audit2allow -R + echo "Do you want these changes added to policy [y/n]?" + read ANS + if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then + echo "Updating policy" + echo -e "$rules" | audit2allow -R >> pki_ca.te + # Fall though and rebuild policy + else + exit 0 + fi + else + echo "No new avcs found" + exit 0 + fi + else + echo -e $USAGE + exit 1 + fi +elif [ $# -ge 2 ] ; then + echo -e $USAGE + exit 1 +fi + +echo "Building and Loading Policy" +make -f /usr/share/selinux/devel/Makefile diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te new file mode 100644 index 000000000..7f6e65738 --- /dev/null +++ b/base/selinux/src/pki.te @@ -0,0 +1,332 @@ +policy_module(pki,10.0.2) + +attribute pki_ca_config; +attribute pki_ca_executable; +attribute pki_ca_var_lib; +attribute pki_ca_var_log; +attribute pki_ca_var_run; +attribute pki_ca_pidfiles; +attribute pki_ca_script; +attribute pki_ca_process; + +type pki_common_t; +files_type(pki_common_t) + +type pki_common_dev_t; +files_type(pki_common_dev_t) + +type pki_ca_tomcat_exec_t; +files_type(pki_ca_tomcat_exec_t) + +pki_ca_template(pki_ca) +corenet_tcp_connect_pki_kra_port(pki_ca_t) +corenet_tcp_connect_pki_ocsp_port(pki_ca_t) + +# forward proxy +corenet_tcp_connect_pki_ca_port(httpd_t) + +# for crl publishing +allow pki_ca_t pki_ca_var_lib_t:lnk_file { rename create unlink }; + +# for ECC +auth_getattr_shadow(pki_ca_t) + +attribute pki_kra_config; +attribute pki_kra_executable; +attribute pki_kra_var_lib; +attribute pki_kra_var_log; +attribute pki_kra_var_run; +attribute pki_kra_pidfiles; +attribute pki_kra_script; +attribute pki_kra_process; + +type pki_kra_tomcat_exec_t; +files_type(pki_kra_tomcat_exec_t) + +pki_ca_template(pki_kra) +corenet_tcp_connect_pki_ca_port(pki_kra_t) + +# forward proxy +corenet_tcp_connect_pki_kra_port(httpd_t) + +attribute pki_ocsp_config; +attribute pki_ocsp_executable; +attribute pki_ocsp_var_lib; +attribute pki_ocsp_var_log; +attribute pki_ocsp_var_run; +attribute pki_ocsp_pidfiles; +attribute pki_ocsp_script; +attribute pki_ocsp_process; + +type pki_ocsp_tomcat_exec_t; +files_type(pki_ocsp_tomcat_exec_t) + +pki_ca_template(pki_ocsp) +corenet_tcp_connect_pki_ca_port(pki_ocsp_t) + +# forward proxy +corenet_tcp_connect_pki_ocsp_port(httpd_t) + +attribute pki_ra_config; +attribute pki_ra_executable; +attribute pki_ra_var_lib; +attribute pki_ra_var_log; +attribute pki_ra_var_run; +attribute pki_ra_pidfiles; +attribute pki_ra_script; +attribute pki_ra_process; + +type pki_ra_tomcat_exec_t; +files_type(pki_ra_tomcat_exec_t) + +pki_ra_template(pki_ra) + +attribute pki_tks_config; +attribute pki_tks_executable; +attribute pki_tks_var_lib; +attribute pki_tks_var_log; +attribute pki_tks_var_run; +attribute pki_tks_pidfiles; +attribute pki_tks_script; +attribute pki_tks_process; + +type pki_tks_tomcat_exec_t; +files_type(pki_tks_tomcat_exec_t) + +pki_ca_template(pki_tks) +corenet_tcp_connect_pki_ca_port(pki_tks_t) + +# forward proxy +corenet_tcp_connect_pki_tks_port(httpd_t) + +# needed for token enrollment, list /var/cache/tomcat5/temp +files_list_var(pki_tks_t) + +attribute pki_tps_config; +attribute pki_tps_executable; +attribute pki_tps_var_lib; +attribute pki_tps_var_log; +attribute pki_tps_var_run; +attribute pki_tps_pidfiles; +attribute pki_tps_script; +attribute pki_tps_process; + +type pki_tps_tomcat_exec_t; +files_type(pki_tps_tomcat_exec_t) + +pki_tps_template(pki_tps) + +#interprocess communication on process shutdown +allow pki_ca_t pki_kra_t:process signull; +allow pki_ca_t pki_ocsp_t:process signull; +allow pki_ca_t pki_tks_t:process signull; + +allow pki_kra_t pki_ca_t:process signull; +allow pki_kra_t pki_ocsp_t:process signull; +allow pki_kra_t pki_tks_t:process signull; + +allow pki_ocsp_t pki_ca_t:process signull; +allow pki_ocsp_t pki_kra_t:process signull; +allow pki_ocsp_t pki_tks_t:process signull; + +allow pki_tks_t pki_ca_t:process signull; +allow pki_tks_t pki_kra_t:process signull; +allow pki_tks_t pki_ocsp_t:process signull; + +#allow httpd_t pki_tks_tomcat_exec_t:process signull; +#allow httpd_t pki_tks_var_lib_t:process signull; + +# start up httpd in pki_tps_t mode +can_exec(pki_tps_t, httpd_config_t) +allow pki_tps_t httpd_exec_t:file entrypoint; +allow pki_tps_t httpd_modules_t:lnk_file read; +can_exec(pki_tps_t, httpd_suexec_exec_t) + +# apache permissions +apache_exec_modules(pki_tps_t) +apache_list_modules(pki_tps_t) +apache_read_config(pki_tps_t) + +allow pki_tps_t lib_t:file execute_no_trans; + +#fowner needed for chmod +allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill}; +allow pki_tps_t self:process { setsched signal getsched signull execstack execmem sigkill}; +allow pki_tps_t self:sem all_sem_perms; +allow pki_tps_t self:tcp_socket create_stream_socket_perms; + +# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment +allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans}; + + #netlink needed? +allow pki_tps_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; + +corecmd_exec_bin(pki_tps_t) +corecmd_exec_shell(pki_tps_t) +corecmd_read_bin_symlinks(pki_tps_t) +corecmd_search_bin(pki_tps_t) + +corenet_sendrecv_unlabeled_packets(pki_tps_t) +corenet_tcp_bind_all_nodes(pki_tps_t) +corenet_tcp_bind_pki_tps_port(pki_tps_t) +corenet_tcp_connect_generic_port(pki_tps_t) + +# customer may run an ldap server on 389 +corenet_tcp_connect_ldap_port(pki_tps_t) + +# connect to other subsystems +corenet_tcp_connect_pki_ca_port(pki_tps_t) +corenet_tcp_connect_pki_kra_port(pki_tps_t) +corenet_tcp_connect_pki_tks_port(pki_tps_t) + +corenet_tcp_sendrecv_all_if(pki_tps_t) +corenet_tcp_sendrecv_all_nodes(pki_tps_t) +corenet_tcp_sendrecv_all_ports(pki_tps_t) +corenet_all_recvfrom_unlabeled(pki_tps_t) + +dev_read_urand(pki_tps_t) +files_exec_usr_files(pki_tps_t) +files_read_usr_symlinks(pki_tps_t) +files_read_usr_files(pki_tps_t) + +#installation and debug uses /tmp +files_manage_generic_tmp_dirs(pki_tps_t) +files_manage_generic_tmp_files(pki_tps_t) + +kernel_read_kernel_sysctls(pki_tps_t) +kernel_read_system_state(pki_tps_t) + +# need to resolve addresses? +auth_use_nsswitch(pki_tps_t) + +sysnet_read_config(pki_tps_t) + +allow httpd_t pki_tps_etc_rw_t:dir search; +allow httpd_t pki_tps_etc_rw_t:file rw_file_perms; +allow httpd_t pki_tps_log_t:dir rw_dir_perms; +allow httpd_t pki_tps_log_t:file manage_file_perms; +allow httpd_t pki_tps_t:process { signal signull }; +allow httpd_t pki_tps_var_lib_t:dir { getattr search }; +allow httpd_t pki_tps_var_lib_t:lnk_file read; +allow httpd_t pki_tps_var_lib_t:file read_file_perms; + +# why do I need to add this? +allow httpd_t httpd_config_t:file execute; +files_exec_usr_files(httpd_t) + +# talk to the hsm +allow pki_tps_t pki_common_dev_t:sock_file write; +allow pki_tps_t pki_common_dev_t:dir search; +allow pki_tps_t pki_common_t:dir create_dir_perms; +manage_files_pattern(pki_tps_t, pki_common_t, pki_common_t) +can_exec(pki_tps_t, pki_common_t) +init_stream_connect_script(pki_tps_t) + +#allow tps to talk to lunasa hsm +logging_send_syslog_msg(pki_tps_t) + +# allow rpm -q in init scripts +rpm_exec(pki_tps_t) + +# allow writing to the kernel keyring +allow pki_tps_t self:key { write read }; + +# new for f14 +apache_exec(pki_tps_t) + + # start up httpd in pki_ra_t mode +allow pki_ra_t httpd_config_t:file { read getattr execute }; +allow pki_ra_t httpd_exec_t:file entrypoint; +allow pki_ra_t httpd_modules_t:lnk_file read; +allow pki_ra_t httpd_suexec_exec_t:file { getattr read execute }; + +#apache permissions +apache_read_config(pki_ra_t) +apache_exec_modules(pki_ra_t) +apache_list_modules(pki_ra_t) + +allow pki_ra_t lib_t:file execute_no_trans; + +allow pki_ra_t self:capability { setuid sys_nice setgid dac_override fowner fsetid}; +allow pki_ra_t self:process { setsched getsched signal signull execstack execmem}; +allow pki_ra_t self:sem all_sem_perms; +allow pki_ra_t self:tcp_socket create_stream_socket_perms; + +#RA specific? talking to mysql? +allow pki_ra_t self:udp_socket { write read create connect }; +allow pki_ra_t self:unix_dgram_socket { write create connect }; + +# netlink needed? +allow pki_ra_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; + +corecmd_exec_bin(pki_ra_t) +corecmd_exec_shell(pki_ra_t) +corecmd_read_bin_symlinks(pki_ra_t) +corecmd_search_bin(pki_ra_t) + +corenet_sendrecv_unlabeled_packets(pki_ra_t) +corenet_tcp_bind_all_nodes(pki_ra_t) +corenet_tcp_bind_pki_ra_port(pki_ra_t) + +corenet_tcp_sendrecv_all_if(pki_ra_t) +corenet_tcp_sendrecv_all_nodes(pki_ra_t) +corenet_tcp_sendrecv_all_ports(pki_ra_t) +corenet_all_recvfrom_unlabeled(pki_ra_t) +corenet_tcp_connect_generic_port(pki_ra_t) + +# talk to other subsystems +corenet_tcp_connect_pki_ca_port(pki_ra_t) + +dev_read_urand(pki_ra_t) +files_exec_usr_files(pki_ra_t) +fs_getattr_xattr_fs(pki_ra_t) + +# ra writes files to /tmp +files_manage_generic_tmp_files(pki_ra_t) + +kernel_read_kernel_sysctls(pki_ra_t) +kernel_read_system_state(pki_ra_t) + +logging_send_syslog_msg(pki_ra_t) + +corenet_tcp_connect_smtp_port(pki_ra_t) +files_search_spool(pki_ra_t) + +# +# Should be changed to mta_send_mail +# +mta_manage_spool(pki_ra_t) +mta_manage_queue(pki_ra_t) +mta_read_config(pki_ra_t) +mta_sendmail_exec(pki_ra_t) + +#resolve names? +auth_use_nsswitch(pki_ra_t) + +sysnet_read_config(pki_ra_t) + +allow httpd_t pki_ra_etc_rw_t:dir search; +allow httpd_t pki_ra_etc_rw_t:file rw_file_perms; +allow httpd_t pki_ra_log_t:dir rw_dir_perms; +allow httpd_t pki_ra_log_t:file manage_file_perms; +allow httpd_t pki_ra_t:process { signal signull }; +allow httpd_t pki_ra_var_lib_t:dir { getattr search }; +allow httpd_t pki_ra_var_lib_t:lnk_file read; +allow httpd_t pki_ra_var_lib_t:file read_file_perms; + +# talk to the hsm +allow pki_ra_t pki_common_dev_t:sock_file write; +allow pki_ra_t pki_common_dev_t:dir search; +allow pki_ra_t pki_common_t:dir create_dir_perms; +manage_files_pattern(pki_ra_t, pki_common_t, pki_common_t) +can_exec(pki_ra_t, pki_common_t) +init_stream_connect_script(pki_ra_t) + +# allow rpm -q in init scripts +rpm_exec(pki_ra_t) + +# allow writing to the kernel keyring +allow pki_ra_t self:key { write read }; + +# new for f14 +apache_exec(pki_ra_t) |