policy_module(pki,10.0.13) type pki_log_t; files_type(pki_log_t) type pki_common_t; files_type(pki_common_t) type pki_common_dev_t; files_type(pki_common_dev_t) type pki_tomcat_etc_rw_t; files_type(pki_tomcat_etc_rw_t) type pki_tomcat_cert_t; files_type(pki_tomcat_cert_t) tomcat_domain_template(pki_tomcat) permissive pki_tomcat_t; type pki_tomcat_lock_t; files_lock_file(pki_tomcat_lock_t) require { type systemd_unit_file_t; type setfiles_t; type load_policy_t; type certmonger_t; } allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid}; allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create }; allow pki_tomcat_t self:key write; allow pki_tomcat_t self:process { signal setsched signull execmem }; allow pki_tomcat_t self:tcp_socket { accept listen }; allow pki_tomcat_t self:unix_dgram_socket { create connect }; allow pki_tomcat_t self:process signal; # allow writing to the kernel keyring allow pki_tomcat_t self:key { write read }; manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t) manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t) manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t) manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t) manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t) files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file }) # allow java subsystems to talk to the ncipher hsm allow pki_tomcat_t pki_common_dev_t:sock_file write; allow pki_tomcat_t pki_common_dev_t:dir search; allow pki_tomcat_t pki_common_t:dir create_dir_perms; manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t) can_exec(pki_tomcat_t, pki_common_t) init_stream_connect_script(pki_tomcat_t) # init script checks and fixes links if needed allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { read getattr setattr }; allow pki_tomcat_t pki_tomcat_var_run_t:lnk_file { create getattr setattr }; allow pki_tomcat_t systemd_unit_file_t:lnk_file { read getattr setattr }; allow pki_tomcat_t systemd_unit_file_t:dir getattr; allow pki_tomcat_t systemd_unit_file_t:file getattr; allow pki_tomcat_t pki_log_t:dir getattr; allow pki_tomcat_t pki_log_t:dir search; kernel_read_kernel_sysctls(pki_tomcat_t) corenet_tcp_connect_http_cache_port(pki_tomcat_t) corenet_tcp_connect_ldap_port(pki_tomcat_t) corenet_tcp_connect_smtp_port(pki_tomcat_t) selinux_get_enforce_mode(pki_tomcat_t) logging_send_audit_msgs(pki_tomcat_t) logging_send_syslog_msg(pki_tomcat_t) miscfiles_read_hwdata(pki_tomcat_t) miscfiles_read_localization(pki_tomcat_t) files_manage_generic_tmp_files(pki_tomcat_t) userdom_manage_user_tmp_dirs(pki_tomcat_t) userdom_manage_user_tmp_files(pki_tomcat_t) # forward proxy # need to define ports to fix this #corenet_tcp_connect_pki_tomcat_port(httpd_t) # for crl publishing allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink }; # for ECC auth_getattr_shadow(pki_tomcat_t) optional_policy(` consoletype_exec(pki_tomcat_t) ') optional_policy(` hostname_exec(pki_tomcat_t) ') # old type aliases for migration typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t }; typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t }; typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t }; typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t }; typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t }; # typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t }; # install/ uninstall instance allow load_policy_t pki_log_t:file write; dirsrv_manage_var_lib(pki_tomcat_t) allow setfiles_t pki_log_t:file write; # allow certmonger to read certdb files pki_rw_tomcat_cert(certmonger_t) pki_search_tomcat_etc_rw(certmonger_t) # needed for dogtag 9 style instances type pki_tomcat_script_t; domain_type(pki_tomcat_script_t) gen_require(` type java_exec_t; type initrc_t; ') domtrans_pattern(pki_tomcat_script_t, java_exec_t, pki_tomcat_t) role system_r types pki_tomcat_script_t; allow pki_tomcat_t java_exec_t:file entrypoint; allow initrc_t pki_tomcat_script_t:process transition; optional_policy(` unconfined_domain(pki_tomcat_script_t) ') ########################## # TPS policy ########################## attribute pki_tps_config; attribute pki_tps_executable; attribute pki_tps_var_lib; attribute pki_tps_var_log; attribute pki_tps_var_run; attribute pki_tps_pidfiles; attribute pki_tps_script; attribute pki_tps_process; type pki_tps_tomcat_exec_t; files_type(pki_tps_tomcat_exec_t) pki_apache_template(pki_tps) # used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans}; corenet_tcp_bind_pki_tps_port(pki_tps_t) # customer may run an ldap server on 389 corenet_tcp_connect_ldap_port(pki_tps_t) # connect to other subsystems corenet_tcp_connect_pki_ca_port(pki_tps_t) corenet_tcp_connect_pki_kra_port(pki_tps_t) corenet_tcp_connect_pki_tks_port(pki_tps_t) files_exec_usr_files(pki_tps_t) files_read_usr_symlinks(pki_tps_t) files_read_usr_files(pki_tps_t) # why do I need to add this? allow httpd_t httpd_config_t:file execute; files_exec_usr_files(httpd_t) ########################## # RA policy ######################### attribute pki_ra_config; attribute pki_ra_executable; attribute pki_ra_var_lib; attribute pki_ra_var_log; attribute pki_ra_var_run; attribute pki_ra_pidfiles; attribute pki_ra_script; attribute pki_ra_process; type pki_ra_tomcat_exec_t; files_type(pki_ra_tomcat_exec_t) pki_apache_template(pki_ra) #RA specific? talking to mysql? allow pki_ra_t self:udp_socket { write read create connect }; allow pki_ra_t self:unix_dgram_socket { write create connect }; corenet_tcp_bind_pki_ra_port(pki_ra_t) # talk to other subsystems corenet_tcp_connect_pki_ca_port(pki_ra_t) files_exec_usr_files(pki_ra_t) fs_getattr_xattr_fs(pki_ra_t) corenet_tcp_connect_smtp_port(pki_ra_t) files_search_spool(pki_ra_t) # # Should be changed to mta_send_mail # mta_manage_spool(pki_ra_t) mta_manage_queue(pki_ra_t) mta_read_config(pki_ra_t) mta_sendmail_exec(pki_ra_t)