## policy for pki
########################################
##
## Create a set of derived types for apache
## web content.
##
##
##
## The prefix to be used for deriving type names.
##
##
#
template(`pki_apache_template',`
gen_require(`
attribute $1_process;
attribute $1_config, $1_var_lib, $1_var_run;
attribute $1_executable, $1_script, $1_var_log;
type pki_common_t, pki_common_dev_t;
type httpd_config_t;
')
########################################
#
# Declarations
#
type $1_t, $1_process;
type $1_exec_t, $1_executable;
domain_type($1_t)
init_daemon_domain($1_t, $1_exec_t)
type $1_script_exec_t, $1_script;
init_script_file($1_script_exec_t)
type $1_etc_rw_t, $1_config;
files_type($1_etc_rw_t)
type $1_var_run_t, $1_var_run;
files_pid_file($1_var_run_t)
type $1_var_lib_t, $1_var_lib;
files_type($1_var_lib_t)
type $1_log_t, $1_var_log;
logging_log_file($1_log_t)
########################################
#
# $1 local policy
#
allow $1_t lib_t:file execute_no_trans;
allow $1_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};
allow $1_t self:process { setsched signal getsched signull execstack execmem sigkill};
allow $1_t self:sem all_sem_perms;
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
# allow writing to the kernel keyring
allow $1_t self:key { write read };
## internal communication is often done using fifo and unix sockets.
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
# Init script handling
domain_use_interactive_fds($1_t)
files_read_etc_files($1_t)
allow $1_t $1_etc_rw_t:lnk_file read;
manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t,$1_var_run_t, { file dir })
manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
manage_files_pattern($1_t, $1_log_t, $1_log_t)
logging_log_filetrans($1_t, $1_log_t, { file dir } )
# lock files
files_create_lock_dirs($1_t)
files_manage_generic_locks($1_t)
files_delete_generic_locks($1_t)
files_rw_lock_dirs($1_t)
seutil_exec_setfiles($1_t)
init_dontaudit_write_utmp($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
libs_exec_ld_so($1_t)
fs_search_cgroup_dirs($1_t)
miscfiles_read_localization($1_t)
optional_policy(`
# apache permissions
apache_exec_modules($1_t)
apache_list_modules($1_t)
apache_read_config($1_t)
apache_exec($1_t)
# should be started using a script which will execute httpd
# start up httpd in $1_t mode
can_exec($1_t, httpd_config_t)
allow $1_t httpd_exec_t:file entrypoint;
allow $1_t httpd_modules_t:lnk_file read;
can_exec($1_t, httpd_suexec_exec_t)
')
corecmd_exec_bin($1_t)
corecmd_exec_shell($1_t)
corecmd_read_bin_symlinks($1_t)
corecmd_search_bin($1_t)
corenet_sendrecv_unlabeled_packets($1_t)
corenet_tcp_bind_all_nodes($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_all_recvfrom_unlabeled($1_t)
corenet_tcp_connect_generic_port($1_t)
# talk to the hsm
allow $1_t pki_common_dev_t:sock_file write;
allow $1_t pki_common_dev_t:dir search;
allow $1_t pki_common_t:dir create_dir_perms;
manage_files_pattern($1_t, pki_common_t, pki_common_t)
can_exec($1_t, pki_common_t)
init_stream_connect_script($1_t)
#talk to lunasa hsm
logging_send_syslog_msg($1_t)
# allow rpm -q in init scripts
rpm_exec($1_t)
#installation and debug uses /tmp
files_manage_generic_tmp_dirs($1_t)
files_manage_generic_tmp_files($1_t)
kernel_read_kernel_sysctls($1_t)
kernel_read_system_state($1_t)
# need to resolve addresses?
auth_use_nsswitch($1_t)
sysnet_read_config($1_t)
dev_read_urand($1_t)
dev_read_rand($1_t)
# shutdown script uses ps
domain_dontaudit_read_all_domains_state($1_t)
ps_process_pattern($1_t, $1_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys($1_t)
term_dontaudit_use_generic_ptys($1_t)
')
gen_require(`
type httpd_t;
type httpd_exec_t;
type httpd_suexec_exec_t;
')
#============= httpd_t ==============
allow httpd_t $1_var_run_t:dir search;
allow httpd_t $1_var_run_t:file read_file_perms;
allow httpd_t $1_etc_rw_t:dir search;
allow httpd_t $1_etc_rw_t:file rw_file_perms;
allow httpd_t $1_log_t:dir rw_dir_perms;
allow httpd_t $1_log_t:file manage_file_perms;
allow httpd_t $1_t:process { signal signull };
allow httpd_t $1_var_lib_t:dir { getattr search };
allow httpd_t $1_var_lib_t:lnk_file read;
allow httpd_t $1_var_lib_t:file read_file_perms;
')
########################################
##
## Execute pki_apache server in the pki_apache domain.
##
##
##
## The type of the process performing this action.
##
##
#
interface(`pki_apache_script_domtrans',`
gen_require(`
attribute $1_script;
')
init_script_domtrans_spec($1, $1_script)
')
########################################
##
## All of the rules required to administrate
## an pki_apache environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the syslog domain.
##
##
##
##
## The type of the user terminal.
##
##
##
#
interface(`pki_apache_admin',`
gen_require(`
attribute $1_process;
attribute $1_config;
attribute $1_executable;
attribute $1_var_lib;
attribute $1_var_log;
attribute $1_var_run;
attribute $1_script;
')
allow $1 $1_process:process { ptrace signal_perms };
ps_process_pattern($1, $1_t)
# Allow pki_apache_t to restart the service
$1_script_domtrans($1)
domain_system_change_exemption($1)
role_transition $2 $1_script system_r;
allow $2 system_r;
manage_all_pattern($1, $1_config)
manage_all_pattern($1, $1_var_run)
manage_all_pattern($1, $1_var_lib)
manage_all_pattern($1, $1_var_log)
manage_all_pattern($1, $1_config)
')