From 0bce20a04e06bfdf5317735da0f347d57afc5aa4 Mon Sep 17 00:00:00 2001 From: Matthew Harmsen Date: Tue, 9 Sep 2014 17:31:46 -0700 Subject: Remove 'pki-selinux' code - PKI TRAC Ticket #1139 - Remove 'selinux' code from 'master' branch --- base/selinux/CMakeLists.txt | 11 -- base/selinux/LICENSE | 291 --------------------------------------- base/selinux/src/CMakeLists.txt | 28 ---- base/selinux/src/Makefile | 18 --- base/selinux/src/pki.fc | 51 ------- base/selinux/src/pki.if | 293 ---------------------------------------- base/selinux/src/ | 41 ------ base/selinux/src/pki.te | 221 ------------------------------ 8 files changed, 954 deletions(-) delete mode 100644 base/selinux/CMakeLists.txt delete mode 100644 base/selinux/LICENSE delete mode 100644 base/selinux/src/CMakeLists.txt delete mode 100644 base/selinux/src/Makefile delete mode 100644 base/selinux/src/pki.fc delete mode 100644 base/selinux/src/pki.if delete mode 100755 base/selinux/src/ delete mode 100644 base/selinux/src/pki.te (limited to 'base') then echo "You need to install the SELinux development tools (selinux-policy-devel)" && exit 1; fi - $(MAKE) -f $(POLICY_MAKEFILE) || exit 1; - -clean: - rm -rf tmp - rm pki.pp - -install: all - install -d $(POLICY_DIR) - install -m 644 pki.pp $(POLICY_DIR) - -load: - /usr/sbin/semodule -i pki.pp - diff --git a/base/selinux/src/pki.fc b/base/selinux/src/pki.fc deleted file mode 100644 index 20d2c79a5..000000000 --- a/base/selinux/src/pki.fc +++ /dev/null 
@@ -1,51 +0,0 @@
-/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
-/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
-/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
-/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
-/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
-/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
-/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
-/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
-
-/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
-/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
-/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
-/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
-/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
-/var/lib/pki-ra/pki-ra gen_context(system_u:object_r:pki_ra_exec_t,s0)
-
-/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
-/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
-/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
-/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
-/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
-/var/lib/pki-tps/pki-tps gen_context(system_u:object_r:pki_tps_exec_t,s0)
-
-# default labeling for nCipher
-/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0)
-/opt/nfast/sbin/init.d-ncipher gen_context(system_u:object_r:initrc_exec_t, s0)
-/opt/nfast(/.*)? gen_context(system_u:object_r:pki_common_t, s0)
-/dev/nfast(/.*)? gen_context(system_u:object_r:pki_common_dev_t, s0)
-
-# old paths (for migration)
-/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
-/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
-/var/run/ gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
-/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
-/var/lib/pki-ca/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
-/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
-/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
-/var/run/ gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
-/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
-/var/lib/pki-kra/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
-/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
-/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
-/var/run/ gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
-/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
-/var/lib/pki-ocsp/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
-/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
-/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
-/var/run/ gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
-/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
-/var/lib/pki-tks/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
-
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
deleted file mode 100644
index 423546d1f..000000000
--- a/base/selinux/src/pki.if
+++ /dev/null
@@ -1,293 +0,0 @@
-
-## policy for pki
-########################################
-##
-## Allow read and write pki cert files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`pki_rw_tomcat_cert',`
- gen_require(`
- type pki_tomcat_cert_t;
- ')
-
- rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
-')
-
-########################################
-##
-## Allow read and write pki cert files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`pki_search_tomcat_etc_rw',`
- gen_require(`
- type pki_tomcat_etc_rw_t;
- ')
-
- search_dirs_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
-')
-
-########################################
-##
-## Create a set of derived types for apache
-## web content.
-##
-##
-##
-## The prefix to be used for deriving type names.
-##
-##
-#
-template(`pki_apache_template',`
- gen_require(`
- attribute $1_process;
- attribute $1_config, $1_var_lib, $1_var_run;
- attribute $1_executable, $1_script, $1_var_log;
- type pki_common_t, pki_common_dev_t;
- type httpd_config_t;
- ')
- ########################################
- #
- # Declarations
- #
-
- type $1_t, $1_process;
- type $1_exec_t, $1_executable;
- domain_type($1_t)
- init_daemon_domain($1_t, $1_exec_t)
-
- type $1_script_exec_t, $1_script;
- init_script_file($1_script_exec_t)
-
- type $1_etc_rw_t, $1_config;
- files_type($1_etc_rw_t)
-
- type $1_var_run_t, $1_var_run;
- files_pid_file($1_var_run_t)
-
- type $1_var_lib_t, $1_var_lib;
- files_type($1_var_lib_t)
-
- type $1_log_t, $1_var_log;
- logging_log_file($1_log_t)
-
- ########################################
- #
- # $1 local policy
- #
-
- allow $1_t lib_t:file execute_no_trans;
- allow $1_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};
- allow $1_t self:process { setsched signal getsched signull execstack execmem sigkill};
- allow $1_t self:sem all_sem_perms;
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
-
- # allow writing to the kernel keyring
- allow $1_t self:key { write read };
-
- ## internal communication is often done using fifo and unix sockets.
- allow $1_t self:fifo_file rw_file_perms;
- allow $1_t self:unix_stream_socket create_stream_socket_perms;
-
- # Init script handling
- domain_use_interactive_fds($1_t)
-
- files_read_etc_files($1_t)
- allow $1_t $1_etc_rw_t:lnk_file read;
-
- manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
- manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
- files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
-
- manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
- manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
- files_pid_filetrans($1_t,$1_var_run_t, { file dir })
-
- manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
- manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
- read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
- files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
-
- manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
- manage_files_pattern($1_t, $1_log_t, $1_log_t)
- logging_log_filetrans($1_t, $1_log_t, { file dir } )
-
- # lock files
- files_create_lock_dirs($1_t)
- files_manage_generic_locks($1_t)
- files_delete_generic_locks($1_t)
- files_rw_lock_dirs($1_t)
-
- seutil_exec_setfiles($1_t)
-
- init_dontaudit_write_utmp($1_t)
-
- libs_use_ld_so($1_t)
- libs_use_shared_libs($1_t)
- libs_exec_ld_so($1_t)
-
- fs_search_cgroup_dirs($1_t)
-
- miscfiles_read_localization($1_t)
-
- optional_policy(`
- # apache permissions
- apache_exec_modules($1_t)
- apache_list_modules($1_t)
- apache_read_config($1_t)
- apache_exec($1_t)
-
- # should be started using a script which will execute httpd
- # start up httpd in $1_t mode
- can_exec($1_t, httpd_config_t)
- allow $1_t httpd_exec_t:file entrypoint;
- allow $1_t httpd_modules_t:lnk_file read;
- can_exec($1_t, httpd_suexec_exec_t)
- ')
-
- corecmd_exec_bin($1_t)
- corecmd_exec_shell($1_t)
- corecmd_read_bin_symlinks($1_t)
- corecmd_search_bin($1_t)
-
- corenet_sendrecv_unlabeled_packets($1_t)
- corenet_tcp_bind_all_nodes($1_t)
- corenet_tcp_sendrecv_all_if($1_t)
- corenet_tcp_sendrecv_all_nodes($1_t)
- corenet_tcp_sendrecv_all_ports($1_t)
- corenet_all_recvfrom_unlabeled($1_t)
- corenet_tcp_connect_generic_port($1_t)
-
- # talk to the hsm
- allow $1_t pki_common_dev_t:sock_file write;
- allow $1_t pki_common_dev_t:dir search;
- allow $1_t pki_common_t:dir create_dir_perms;
- manage_files_pattern($1_t, pki_common_t, pki_common_t)
- can_exec($1_t, pki_common_t)
- init_stream_connect_script($1_t)
-
- #talk to lunasa hsm
- logging_send_syslog_msg($1_t)
-
- # allow rpm -q in init scripts
- rpm_exec($1_t)
-
- #installation and debug uses /tmp
- files_manage_generic_tmp_dirs($1_t)
- files_manage_generic_tmp_files($1_t)
-
- kernel_read_kernel_sysctls($1_t)
- kernel_read_system_state($1_t)
-
- # need to resolve addresses?
- auth_use_nsswitch($1_t)
-
- sysnet_read_config($1_t)
- dev_read_urand($1_t)
- dev_read_rand($1_t)
-
- # shutdown script uses ps
- domain_dontaudit_read_all_domains_state($1_t)
- ps_process_pattern($1_t, $1_t)
-
- ifdef(`targeted_policy',`
- term_dontaudit_use_unallocated_ttys($1_t)
- term_dontaudit_use_generic_ptys($1_t)
- ')
-
- gen_require(`
- type httpd_t;
- type httpd_exec_t;
- type httpd_suexec_exec_t;
- ')
-
- #============= httpd_t ==============
- allow httpd_t $1_var_run_t:dir search;
- allow httpd_t $1_var_run_t:file read_file_perms;
- allow httpd_t $1_etc_rw_t:dir search;
- allow httpd_t $1_etc_rw_t:file rw_file_perms;
- allow httpd_t $1_log_t:dir rw_dir_perms;
- allow httpd_t $1_log_t:file manage_file_perms;
- allow httpd_t $1_t:process { signal signull };
- allow httpd_t $1_var_lib_t:dir { getattr search };
- allow httpd_t $1_var_lib_t:lnk_file read;
- allow httpd_t $1_var_lib_t:file read_file_perms;
-')
-
-########################################
-##
-## Execute pki_apache server in the pki_apache domain.
-##
-##
-##
-## The type of the process performing this action.
-##
-##
-#
-interface(`pki_apache_script_domtrans',`
- gen_require(`
- attribute $1_script;
- ')
-
- init_script_domtrans_spec($1, $1_script)
-')
-
-
-########################################
-##
-## All of the rules required to administrate
-## an pki_apache environment
-##
-##
-##
-## Domain allowed access.
-##
-##
-##
-##
-## The role to be allowed to manage the syslog domain.
-##
-##
-##
-##
-## The type of the user terminal.
-##
-##
-##
-#
-interface(`pki_apache_admin',`
- gen_require(`
- attribute $1_process;
- attribute $1_config;
- attribute $1_executable;
- attribute $1_var_lib;
- attribute $1_var_log;
- attribute $1_var_run;
- attribute $1_script;
- ')
-
- allow $1 $1_process:process { ptrace signal_perms };
- ps_process_pattern($1, $1_t)
-
- # Allow pki_apache_t to restart the service
- $1_script_domtrans($1)
- domain_system_change_exemption($1)
- role_transition $2 $1_script system_r;
- allow $2 system_r;
-
- manage_all_pattern($1, $1_config)
- manage_all_pattern($1, $1_var_run)
- manage_all_pattern($1, $1_var_lib)
- manage_all_pattern($1, $1_var_log)
- manage_all_pattern($1, $1_config)
-')
diff --git a/base/selinux/src/ b/base/selinux/src/
deleted file mode 100755
index bf95ba98c..000000000
--- a/base/selinux/src/
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-
-USAGE="$0 [ --update ]"
-
-if [ ! -f /usr/share/selinux/devel/Makefile ]; then
-echo 'selinux-policy-devel not installed, package required for building policy'
-echo '# yum install selinux-policy-devel'
-exit 1
-fi
-
-if [ $# -eq 1 ]; then
- if [ "$1" = "--update" ] ; then
- time=`ls -l --time-style="+%x %X" pki_ca.te | awk '{ printf "%s %s", $6, $7 }'`
- rules=`ausearch --start $time -m avc --raw -se pki_ca`
- if [ x"$rules" != "x" ] ; then
- echo "Found avc's to update policy with"
- echo -e "$rules" | audit2allow -R
- echo "Do you want these changes added to policy [y/n]?"
- read ANS
- if [ "$ANS" = "y" -o "$ANS" = "Y" ] ; then
- echo "Updating policy"
- echo -e "$rules" | audit2allow -R >> pki_ca.te
- # Fall though and rebuild policy
- else
- exit 0
- fi
- else
- echo "No new avcs found"
- exit 0
- fi
- else
- echo -e $USAGE
- exit 1
- fi
-elif [ $# -ge 2 ] ; then
- echo -e $USAGE
- exit 1
-fi
-
-echo "Building and Loading Policy"
-make -f /usr/share/selinux/devel/Makefile
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
deleted file mode 100644
index aefcd03c8..000000000
--- a/base/selinux/src/pki.te
+++ /dev/null
@@ -1,221 +0,0 @@
-policy_module(pki,10.0.13)
-
-type pki_log_t;
-files_type(pki_log_t)
-
-type pki_common_t;
-files_type(pki_common_t)
-
-type pki_common_dev_t;
-files_type(pki_common_dev_t)
-
-type pki_tomcat_etc_rw_t;
-files_type(pki_tomcat_etc_rw_t)
-
-type pki_tomcat_cert_t;
-files_type(pki_tomcat_cert_t)
-
-tomcat_domain_template(pki_tomcat)
-
-permissive pki_tomcat_t;
-
-type pki_tomcat_lock_t;
-files_lock_file(pki_tomcat_lock_t)
-
-require {
- type systemd_unit_file_t;
- type setfiles_t;
- type load_policy_t;
- type certmonger_t;
-}
-
-allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
-allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
-
-allow pki_tomcat_t self:key write;
-allow pki_tomcat_t self:process { signal setsched signull execmem };
-allow pki_tomcat_t self:tcp_socket { accept listen };
-allow pki_tomcat_t self:unix_dgram_socket { create connect };
-allow pki_tomcat_t self:process signal;
-
-# allow writing to the kernel keyring
-allow pki_tomcat_t self:key { write read };
-
-manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
-manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
-
-manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
-manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
-
-manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
-manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
-manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
-files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })
-
-# allow java subsystems to talk to the ncipher hsm
-allow pki_tomcat_t pki_common_dev_t:sock_file write;
-allow pki_tomcat_t pki_common_dev_t:dir search;
-allow pki_tomcat_t pki_common_t:dir create_dir_perms;
-manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
-can_exec(pki_tomcat_t, pki_common_t)
-init_stream_connect_script(pki_tomcat_t)
-
-# init script checks and fixes links if needed
-allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { read getattr setattr };
-allow pki_tomcat_t pki_tomcat_var_run_t:lnk_file { create getattr setattr };
-
-allow pki_tomcat_t systemd_unit_file_t:lnk_file { read getattr setattr };
-allow pki_tomcat_t systemd_unit_file_t:dir getattr;
-allow pki_tomcat_t systemd_unit_file_t:file getattr;
-
-allow pki_tomcat_t pki_log_t:dir getattr;
-allow pki_tomcat_t pki_log_t:dir search;
-
-kernel_read_kernel_sysctls(pki_tomcat_t)
-
-corenet_tcp_connect_http_cache_port(pki_tomcat_t)
-corenet_tcp_connect_ldap_port(pki_tomcat_t)
-corenet_tcp_connect_smtp_port(pki_tomcat_t)
-
-selinux_get_enforce_mode(pki_tomcat_t)
-
-logging_send_audit_msgs(pki_tomcat_t)
-logging_send_syslog_msg(pki_tomcat_t)
-
-miscfiles_read_hwdata(pki_tomcat_t)
-miscfiles_read_localization(pki_tomcat_t)
-files_manage_generic_tmp_files(pki_tomcat_t)
-userdom_manage_user_tmp_dirs(pki_tomcat_t)
-userdom_manage_user_tmp_files(pki_tomcat_t)
-
-# forward proxy
-# need to define ports to fix this
-#corenet_tcp_connect_pki_tomcat_port(httpd_t)
-
-# for crl publishing
-allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
-
-# for ECC
-auth_getattr_shadow(pki_tomcat_t)
-optional_policy(`
- consoletype_exec(pki_tomcat_t)
-')
-
-optional_policy(`
- hostname_exec(pki_tomcat_t)
-')
-
-# old type aliases for migration
-typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
-typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
-typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
-typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
-typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
-# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
-
-# install/ uninstall instance
-allow load_policy_t pki_log_t:file write;
-dirsrv_manage_var_lib(pki_tomcat_t)
-allow setfiles_t pki_log_t:file write;
-
-# allow certmonger to read certdb files
-pki_rw_tomcat_cert(certmonger_t)
-pki_search_tomcat_etc_rw(certmonger_t)
-
-# needed for dogtag 9 style instances
-type pki_tomcat_script_t;
-domain_type(pki_tomcat_script_t)
-gen_require(`
- type java_exec_t;
- type initrc_t;
-')
-domtrans_pattern(pki_tomcat_script_t, java_exec_t, pki_tomcat_t)
-
-role system_r types pki_tomcat_script_t;
-allow pki_tomcat_t java_exec_t:file entrypoint;
-allow initrc_t pki_tomcat_script_t:process transition;
-
-optional_policy(`
- unconfined_domain(pki_tomcat_script_t)
-')
-
-##########################
-# TPS policy
-##########################
-
-attribute pki_tps_config;
-attribute pki_tps_executable;
-attribute pki_tps_var_lib;
-attribute pki_tps_var_log;
-attribute pki_tps_var_run;
-attribute pki_tps_pidfiles;
-attribute pki_tps_script;
-attribute pki_tps_process;
-
-type pki_tps_tomcat_exec_t;
-files_type(pki_tps_tomcat_exec_t)
-
-pki_apache_template(pki_tps)
-
-# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
-allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
-
-corenet_tcp_bind_pki_tps_port(pki_tps_t)
-
-# customer may run an ldap server on 389
-corenet_tcp_connect_ldap_port(pki_tps_t)
-
-# connect to other subsystems
-corenet_tcp_connect_pki_ca_port(pki_tps_t)
-corenet_tcp_connect_pki_kra_port(pki_tps_t)
-corenet_tcp_connect_pki_tks_port(pki_tps_t)
-
-files_exec_usr_files(pki_tps_t)
-files_read_usr_symlinks(pki_tps_t)
-files_read_usr_files(pki_tps_t)
-
-# why do I need to add this?
-allow httpd_t httpd_config_t:file execute;
-files_exec_usr_files(httpd_t)
-
-##########################
-# RA policy
-#########################
-
-attribute pki_ra_config;
-attribute pki_ra_executable;
-attribute pki_ra_var_lib;
-attribute pki_ra_var_log;
-attribute pki_ra_var_run;
-attribute pki_ra_pidfiles;
-attribute pki_ra_script;
-attribute pki_ra_process;
-
-type pki_ra_tomcat_exec_t;
-files_type(pki_ra_tomcat_exec_t)
-
-pki_apache_template(pki_ra)
-
-#RA specific? talking to mysql?
-allow pki_ra_t self:udp_socket { write read create connect };
-allow pki_ra_t self:unix_dgram_socket { write create connect };
-
-corenet_tcp_bind_pki_ra_port(pki_ra_t)
-
-# talk to other subsystems
-corenet_tcp_connect_pki_ca_port(pki_ra_t)
-
-files_exec_usr_files(pki_ra_t)
-fs_getattr_xattr_fs(pki_ra_t)
-
-corenet_tcp_connect_smtp_port(pki_ra_t)
-files_search_spool(pki_ra_t)
-
-#
-# Should be changed to mta_send_mail
-#
-mta_manage_spool(pki_ra_t)
-mta_manage_queue(pki_ra_t)
-mta_read_config(pki_ra_t)
-mta_sendmail_exec(pki_ra_t)
-
-- cgit