diff options
Diffstat (limited to 'pki/base/selinux/src/pki.te')
| -rw-r--r-- | pki/base/selinux/src/pki.te | 138 |
1 files changed, 138 insertions, 0 deletions
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te new file mode 100644 index 000000000..4f35944db --- /dev/null +++ b/pki/base/selinux/src/pki.te @@ -0,0 +1,138 @@ +policy_module(pki,6.2.2) + +attribute pki_ca_config; +attribute pki_ca_executable; +attribute pki_ca_var_lib; +attribute pki_ca_var_log; +attribute pki_ca_var_run; +attribute pki_ca_pidfiles; +attribute pki_ca_script; +attribute pki_ca_process; + +type pki_common_t; +files_type(pki_common_t) + +type pki_common_dev_t; +files_type(pki_common_dev_t) + +type pki_ca_tomcat_exec_t; +files_type(pki_ca_tomcat_exec_t) + +pki_ca_template(pki_ca) +corenet_tcp_connect_pki_kra_port(pki_ca_t) +corenet_tcp_connect_pki_ocsp_port(pki_ca_t) + +# forward proxy +corenet_tcp_connect_pki_ca_port(httpd_t) + +# for crl publishing +allow pki_ca_t pki_ca_var_lib_t:lnk_file { rename create unlink }; + +# for ECC +auth_getattr_shadow(pki_ca_t) + +attribute pki_kra_config; +attribute pki_kra_executable; +attribute pki_kra_var_lib; +attribute pki_kra_var_log; +attribute pki_kra_var_run; +attribute pki_kra_pidfiles; +attribute pki_kra_script; +attribute pki_kra_process; + +type pki_kra_tomcat_exec_t; +files_type(pki_kra_tomcat_exec_t) + +pki_ca_template(pki_kra) +corenet_tcp_connect_pki_ca_port(pki_kra_t) + +# forward proxy +corenet_tcp_connect_pki_kra_port(httpd_t) + +attribute pki_ocsp_config; +attribute pki_ocsp_executable; +attribute pki_ocsp_var_lib; +attribute pki_ocsp_var_log; +attribute pki_ocsp_var_run; +attribute pki_ocsp_pidfiles; +attribute pki_ocsp_script; +attribute pki_ocsp_process; + +type pki_ocsp_tomcat_exec_t; +files_type(pki_ocsp_tomcat_exec_t) + +pki_ca_template(pki_ocsp) +corenet_tcp_connect_pki_ca_port(pki_ocsp_t) + +# forward proxy +corenet_tcp_connect_pki_ocsp_port(httpd_t) + +attribute pki_ra_config; +attribute pki_ra_executable; +attribute pki_ra_var_lib; +attribute pki_ra_var_log; +attribute pki_ra_var_run; +attribute pki_ra_pidfiles; +attribute pki_ra_script; +attribute pki_ra_process; + +type pki_ra_tomcat_exec_t; +files_type(pki_ra_tomcat_exec_t) + +pki_ra_template(pki_ra) + +attribute pki_tks_config; +attribute pki_tks_executable; +attribute pki_tks_var_lib; +attribute pki_tks_var_log; +attribute pki_tks_var_run; +attribute pki_tks_pidfiles; +attribute pki_tks_script; +attribute pki_tks_process; + +type pki_tks_tomcat_exec_t; +files_type(pki_tks_tomcat_exec_t) + +pki_ca_template(pki_tks) +corenet_tcp_connect_pki_ca_port(pki_tks_t) + +# forward proxy +corenet_tcp_connect_pki_tks_port(httpd_t) + +# needed for token enrollment, list /var/cache/tomcat5/temp +files_list_var(pki_tks_t) + +attribute pki_tps_config; +attribute pki_tps_executable; +attribute pki_tps_var_lib; +attribute pki_tps_var_log; +attribute pki_tps_var_run; +attribute pki_tps_pidfiles; +attribute pki_tps_script; +attribute pki_tps_process; + +type pki_tps_tomcat_exec_t; +files_type(pki_tps_tomcat_exec_t) + +pki_tps_template(pki_tps) + +#interprocess communication on process shutdown +allow pki_ca_t pki_kra_t:process signull; +allow pki_ca_t pki_ocsp_t:process signull; +allow pki_ca_t pki_tks_t:process signull; + +allow pki_kra_t pki_ca_t:process signull; +allow pki_kra_t pki_ocsp_t:process signull; +allow pki_kra_t pki_tks_t:process signull; + +allow pki_ocsp_t pki_ca_t:process signull; +allow pki_ocsp_t pki_kra_t:process signull; +allow pki_ocsp_t pki_tks_t:process signull; + +allow pki_tks_t pki_ca_t:process signull; +allow pki_tks_t pki_kra_t:process signull; +allow pki_tks_t pki_ocsp_t:process signull; + +#allow httpd_t pki_tks_tomcat_exec_t:process signull; +#allow httpd_t pki_tks_var_lib_t:process signull; + |