From 5fd74e0e0c9407306e99ef4fd2e776cb911ee94a Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Tue, 10 Jul 2012 11:50:59 -0400 Subject: Selinux policy for new configuration. Added tomcat_t for java processes. Added aliases for old types to allow compatibility of existng subsystems. Added install scripts for pkispawn and pkidestroy --- base/selinux/src/pki.if | 243 +++++++++++------------------------------------- 1 file changed, 54 insertions(+), 189 deletions(-) (limited to 'base/selinux/src/pki.if') diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if index 0709176ea..b8c521a79 100644 --- a/base/selinux/src/pki.if +++ b/base/selinux/src/pki.if @@ -12,24 +12,26 @@ ## ## # -template(`pki_ca_template',` +template(`pki_tomcat_template',` gen_require(` - attribute pki_ca_process; - attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run; - attribute pki_ca_executable, pki_ca_script, pki_ca_var_log; - type pki_ca_tomcat_exec_t; + attribute pki_tomcat_process; + attribute pki_tomcat_config, pki_tomcat_var_lib, pki_tomcat_var_run; + attribute pki_tomcat_executable, pki_tomcat_script, pki_tomcat_var_log; + type pki_tomcat_tomcat_exec_t; + type tomcat_exec_t; type $1_port_t; type rpm_var_lib_t; type rpm_exec_t; type setfiles_t; + type load_policy_t; ') ######################################## # # Declarations # - type $1_t, pki_ca_process; - type $1_exec_t, pki_ca_executable; + type $1_t, pki_tomcat_process; + type $1_exec_t, pki_tomcat_executable; domain_type($1_t) init_daemon_domain($1_t, $1_exec_t) 
@@ -45,16 +47,16 @@ template(`pki_ca_template',` allow $1_t java_exec_t:file entrypoint; allow initrc_t $1_script_t:process transition; - type $1_etc_rw_t, pki_ca_config; + type $1_etc_rw_t, pki_tomcat_config; files_type($1_etc_rw_t) - type $1_var_run_t, pki_ca_var_run; + type $1_var_run_t, pki_tomcat_var_run; files_pid_file($1_var_run_t) - type $1_var_lib_t, pki_ca_var_lib; + type $1_var_lib_t, pki_tomcat_var_lib; files_type($1_var_lib_t) - type $1_log_t, pki_ca_var_log; + type $1_log_t, pki_tomcat_var_log; logging_log_file($1_log_t) ######################################## @@ -195,6 +197,25 @@ template(`pki_ca_template',` # tomcat connects to ephemeral ports on shutdown corenet_tcp_connect_all_unreserved_ports($1_t) + # new tomcat perms for dogtag 10 + allow $1_t pki_tomcat_var_run_t:lnk_file read; + can_exec($1_t, tomcat_exec_t) + consoletype_exec($1_t) + fs_getattr_xattr_fs($1_t) + fs_read_hugetlbfs_files($1_t) + hostname_exec($1_t) + miscfiles_read_hwdata($1_t) + allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override }; + allow $1_t self:netlink_audit_socket { nlmsg_relay create write read}; + kernel_read_kernel_sysctls($1_t) + selinux_get_enforce_mode($1_t) + dirsrv_manage_var_lib($1_t) + + # write to /var/log/pki for spawn and destroy + allow $1_t pki_log_t:dir {getattr search}; + allow load_policy_t pki_log_t:file write; + allow setfiles_t pki_log_t:file write; + optional_policy(` #This is broken in selinux-policy we need java_exec defined, Will add to policy gen_require(` 
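Review bot: The new `allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };` in the "new tomcat perms for dogtag 10" block gives the Tomcat domain `dac_override` and `fowner`, so file-mode and ownership checks no longer restrict the Java process and only the type-enforcement rules still confine it. If these capabilities are needed only while the service starts (an assumption; the hunk gives no reason), they would sit better on the start-up script domain, or should at least be justified one by one in a comment. The rules `allow load_policy_t pki_log_t:file write;` and `allow setfiles_t pki_log_t:file write;` give system domains `write` on the PKI log type; unless the file is opened for truncation, `append` is enough for log output, e.g. `allow setfiles_t pki_log_t:file append;`. `pki_log_t` is also missing from the template's gen_require in the first hunk, and `dirsrv_manage_var_lib($1_t)` is called outside `optional_policy`, which presumably makes the module depend on the dirsrv policy being installed. The template body starts and ends outside this hunk.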
@@ -211,59 +232,7 @@ template(`pki_ca_template',` ######################################## ## ## All of the rules required to administrate -## an pki_ca environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -## -## The type of the user terminal. -## -## -## -# -interface(`pki_ca_admin',` - gen_require(` - type pki_ca_tomcat_exec_t; - attribute pki_ca_process; - attribute pki_ca_config; - attribute pki_ca_executable; - attribute pki_ca_var_lib; - attribute pki_ca_var_log; - attribute pki_ca_var_run; - attribute pki_ca_pidfiles; - attribute pki_ca_script; - ') - - allow $1 pki_ca_process:process { ptrace signal_perms }; - ps_process_pattern($1, pki_ca_t) - - # Allow pki_ca_t to restart the service - pki_ca_script_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 pki_ca_script system_r; - allow $2 system_r; - - manage_all_pattern($1, pki_ca_config) - manage_all_pattern($1, pki_ca_var_run) - manage_all_pattern($1, pki_ca_var_lib) - manage_all_pattern($1, pki_ca_var_log) - manage_all_pattern($1, pki_ca_config) - manage_all_pattern($1, pki_ca_tomcat_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an pki_kra environment +## an pki_tomcat environment ## ## ## 
@@ -282,86 +251,34 @@ interface(`pki_ca_admin',` ## ## # -interface(`pki_kra_admin',` +interface(`pki_tomcat_admin',` gen_require(` - type pki_kra_tomcat_exec_t; - attribute pki_kra_process; - attribute pki_kra_config; - attribute pki_kra_executable; - attribute pki_kra_var_lib; - attribute pki_kra_var_log; - attribute pki_kra_var_run; - attribute pki_kra_pidfiles; - attribute pki_kra_script; + type pki_tomcat_tomcat_exec_t; + attribute pki_tomcat_process; + attribute pki_tomcat_config; + attribute pki_tomcat_executable; + attribute pki_tomcat_var_lib; + attribute pki_tomcat_var_log; + attribute pki_tomcat_var_run; + attribute pki_tomcat_pidfiles; + attribute pki_tomcat_script; ') - allow $1 pki_kra_process:process { ptrace signal_perms }; - ps_process_pattern($1, pki_kra_t) + allow $1 pki_tomcat_process:process { ptrace signal_perms }; + ps_process_pattern($1, pki_tomcat_t) - # Allow pki_kra_t to restart the service - pki_kra_script_domtrans($1) + # Allow pki_tomcat_t to restart the service + pki_tomcat_script_domtrans($1) domain_system_change_exemption($1) - role_transition $2 pki_kra_script system_r; + role_transition $2 pki_tomcat_script system_r; allow $2 system_r; - manage_all_pattern($1, pki_kra_config) - manage_all_pattern($1, pki_kra_var_run) - manage_all_pattern($1, pki_kra_var_lib) - manage_all_pattern($1, pki_kra_var_log) - manage_all_pattern($1, pki_kra_config) - manage_all_pattern($1, pki_kra_tomcat_exec_t) -') - -######################################## -## -## All of the rules required to administrate -## an pki_ocsp environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -## -## The type of the user terminal. 
-## -## -## -# -interface(`pki_ocsp_admin',` - gen_require(` - type pki_ocsp_tomcat_exec_t; - attribute pki_ocsp_process; - attribute pki_ocsp_config; - attribute pki_ocsp_executable; - attribute pki_ocsp_var_lib; - attribute pki_ocsp_var_log; - attribute pki_ocsp_var_run; - attribute pki_ocsp_pidfiles; - attribute pki_ocsp_script; - ') - - allow $1 pki_ocsp_process:process { ptrace signal_perms }; - ps_process_pattern($1, pki_ocsp_t) - - # Allow pki_ocsp_t to restart the service - pki_ocsp_script_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 pki_ocsp_script system_r; - allow $2 system_r; - - manage_all_pattern($1, pki_ocsp_config) - manage_all_pattern($1, pki_ocsp_var_run) - manage_all_pattern($1, pki_ocsp_var_lib) - manage_all_pattern($1, pki_ocsp_var_log) - manage_all_pattern($1, pki_ocsp_config) - manage_all_pattern($1, pki_ocsp_tomcat_exec_t) + manage_all_pattern($1, pki_tomcat_config) + manage_all_pattern($1, pki_tomcat_var_run) + manage_all_pattern($1, pki_tomcat_var_lib) + manage_all_pattern($1, pki_tomcat_var_log) + manage_all_pattern($1, pki_tomcat_config) + manage_all_pattern($1, pki_tomcat_tomcat_exec_t) ') ######################################## 
@@ -624,58 +541,6 @@ interface(`pki_ra_admin',` manage_all_pattern($1, pki_ra_config) ') -######################################## -## -## All of the rules required to administrate -## an pki_tks environment -## -## -## -## Domain allowed access. -## -## -## -## -## The role to be allowed to manage the syslog domain. -## -## -## -## -## The type of the user terminal. -## -## -## -# -interface(`pki_tks_admin',` - gen_require(` - type pki_tks_tomcat_exec_t; - attribute pki_tks_process; - attribute pki_tks_config; - attribute pki_tks_executable; - attribute pki_tks_var_lib; - attribute pki_tks_var_log; - attribute pki_tks_var_run; - attribute pki_tks_pidfiles; - attribute pki_tks_script; - ') - - allow $1 pki_tks_process:process { ptrace signal_perms }; - ps_process_pattern($1, pki_tks_t) - - # Allow pki_tks_t to restart the service - pki_tks_script_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 pki_tks_script system_r; - allow $2 system_r; - - manage_all_pattern($1, pki_tks_config) - manage_all_pattern($1, pki_tks_var_run) - manage_all_pattern($1, pki_tks_var_lib) - manage_all_pattern($1, pki_tks_var_log) - manage_all_pattern($1, pki_tks_config) - manage_all_pattern($1, pki_tks_tomcat_exec_t) -') - ######################################## ## ## Execute pki_tps server in the pki_tps domain. -- cgit