policy_module(pki,10.0.2) attribute pki_ca_config; attribute pki_ca_executable; attribute pki_ca_var_lib; attribute pki_ca_var_log; attribute pki_ca_var_run; attribute pki_ca_pidfiles; attribute pki_ca_script; attribute pki_ca_process; type pki_common_t; files_type(pki_common_t) type pki_common_dev_t; files_type(pki_common_dev_t) type pki_ca_tomcat_exec_t; files_type(pki_ca_tomcat_exec_t) pki_ca_template(pki_ca) corenet_tcp_connect_pki_kra_port(pki_ca_t) corenet_tcp_connect_pki_ocsp_port(pki_ca_t) # forward proxy corenet_tcp_connect_pki_ca_port(httpd_t) # for crl publishing allow pki_ca_t pki_ca_var_lib_t:lnk_file { rename create unlink }; # for ECC auth_getattr_shadow(pki_ca_t) attribute pki_kra_config; attribute pki_kra_executable; attribute pki_kra_var_lib; attribute pki_kra_var_log; attribute pki_kra_var_run; attribute pki_kra_pidfiles; attribute pki_kra_script; attribute pki_kra_process; type pki_kra_tomcat_exec_t; files_type(pki_kra_tomcat_exec_t) pki_ca_template(pki_kra) corenet_tcp_connect_pki_ca_port(pki_kra_t) # forward proxy corenet_tcp_connect_pki_kra_port(httpd_t) attribute pki_ocsp_config; attribute pki_ocsp_executable; attribute pki_ocsp_var_lib; attribute pki_ocsp_var_log; attribute pki_ocsp_var_run; attribute pki_ocsp_pidfiles; attribute pki_ocsp_script; attribute pki_ocsp_process; type pki_ocsp_tomcat_exec_t; files_type(pki_ocsp_tomcat_exec_t) pki_ca_template(pki_ocsp) corenet_tcp_connect_pki_ca_port(pki_ocsp_t) # forward proxy corenet_tcp_connect_pki_ocsp_port(httpd_t) attribute pki_ra_config; attribute pki_ra_executable; attribute pki_ra_var_lib; attribute pki_ra_var_log; attribute pki_ra_var_run; attribute pki_ra_pidfiles; attribute pki_ra_script; attribute pki_ra_process; type pki_ra_tomcat_exec_t; files_type(pki_ra_tomcat_exec_t) pki_ra_template(pki_ra) attribute pki_tks_config; attribute pki_tks_executable; attribute pki_tks_var_lib; attribute pki_tks_var_log; attribute pki_tks_var_run; attribute pki_tks_pidfiles; attribute pki_tks_script; attribute pki_tks_process; type pki_tks_tomcat_exec_t; files_type(pki_tks_tomcat_exec_t) pki_ca_template(pki_tks) corenet_tcp_connect_pki_ca_port(pki_tks_t) # forward proxy corenet_tcp_connect_pki_tks_port(httpd_t) # needed for token enrollment, list /var/cache/tomcat5/temp files_list_var(pki_tks_t) attribute pki_tps_config; attribute pki_tps_executable; attribute pki_tps_var_lib; attribute pki_tps_var_log; attribute pki_tps_var_run; attribute pki_tps_pidfiles; attribute pki_tps_script; attribute pki_tps_process; type pki_tps_tomcat_exec_t; files_type(pki_tps_tomcat_exec_t) pki_tps_template(pki_tps) #interprocess communication on process shutdown allow pki_ca_t pki_kra_t:process signull; allow pki_ca_t pki_ocsp_t:process signull; allow pki_ca_t pki_tks_t:process signull; allow pki_kra_t pki_ca_t:process signull; allow pki_kra_t pki_ocsp_t:process signull; allow pki_kra_t pki_tks_t:process signull; allow pki_ocsp_t pki_ca_t:process signull; allow pki_ocsp_t pki_kra_t:process signull; allow pki_ocsp_t pki_tks_t:process signull; allow pki_tks_t pki_ca_t:process signull; allow pki_tks_t pki_kra_t:process signull; allow pki_tks_t pki_ocsp_t:process signull; #allow httpd_t pki_tks_tomcat_exec_t:process signull; #allow httpd_t pki_tks_var_lib_t:process signull; # start up httpd in pki_tps_t mode can_exec(pki_tps_t, httpd_config_t) allow pki_tps_t httpd_exec_t:file entrypoint; allow pki_tps_t httpd_modules_t:lnk_file read; can_exec(pki_tps_t, httpd_suexec_exec_t) # apache permissions apache_exec_modules(pki_tps_t) apache_list_modules(pki_tps_t) apache_read_config(pki_tps_t) allow pki_tps_t lib_t:file execute_no_trans; #fowner needed for chmod allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill}; allow pki_tps_t self:process { setsched signal getsched signull execstack execmem sigkill}; allow pki_tps_t self:sem all_sem_perms; allow pki_tps_t self:tcp_socket create_stream_socket_perms; # used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans}; #netlink needed? allow pki_tps_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; corecmd_exec_bin(pki_tps_t) corecmd_exec_shell(pki_tps_t) corecmd_read_bin_symlinks(pki_tps_t) corecmd_search_bin(pki_tps_t) corenet_sendrecv_unlabeled_packets(pki_tps_t) corenet_tcp_bind_all_nodes(pki_tps_t) corenet_tcp_bind_pki_tps_port(pki_tps_t) corenet_tcp_connect_generic_port(pki_tps_t) # customer may run an ldap server on 389 corenet_tcp_connect_ldap_port(pki_tps_t) # connect to other subsystems corenet_tcp_connect_pki_ca_port(pki_tps_t) corenet_tcp_connect_pki_kra_port(pki_tps_t) corenet_tcp_connect_pki_tks_port(pki_tps_t) corenet_tcp_sendrecv_all_if(pki_tps_t) corenet_tcp_sendrecv_all_nodes(pki_tps_t) corenet_tcp_sendrecv_all_ports(pki_tps_t) corenet_all_recvfrom_unlabeled(pki_tps_t) dev_read_urand(pki_tps_t) files_exec_usr_files(pki_tps_t) files_read_usr_symlinks(pki_tps_t) files_read_usr_files(pki_tps_t) #installation and debug uses /tmp files_manage_generic_tmp_dirs(pki_tps_t) files_manage_generic_tmp_files(pki_tps_t) kernel_read_kernel_sysctls(pki_tps_t) kernel_read_system_state(pki_tps_t) # need to resolve addresses? auth_use_nsswitch(pki_tps_t) sysnet_read_config(pki_tps_t) allow httpd_t pki_tps_etc_rw_t:dir search; allow httpd_t pki_tps_etc_rw_t:file rw_file_perms; allow httpd_t pki_tps_log_t:dir rw_dir_perms; allow httpd_t pki_tps_log_t:file manage_file_perms; allow httpd_t pki_tps_t:process { signal signull }; allow httpd_t pki_tps_var_lib_t:dir { getattr search }; allow httpd_t pki_tps_var_lib_t:lnk_file read; allow httpd_t pki_tps_var_lib_t:file read_file_perms; # why do I need to add this? allow httpd_t httpd_config_t:file execute; files_exec_usr_files(httpd_t) # talk to the hsm allow pki_tps_t pki_common_dev_t:sock_file write; allow pki_tps_t pki_common_dev_t:dir search; allow pki_tps_t pki_common_t:dir create_dir_perms; manage_files_pattern(pki_tps_t, pki_common_t, pki_common_t) can_exec(pki_tps_t, pki_common_t) init_stream_connect_script(pki_tps_t) #allow tps to talk to lunasa hsm logging_send_syslog_msg(pki_tps_t) # allow rpm -q in init scripts rpm_exec(pki_tps_t) # allow writing to the kernel keyring allow pki_tps_t self:key { write read }; # new for f14 apache_exec(pki_tps_t) # start up httpd in pki_ra_t mode allow pki_ra_t httpd_config_t:file { read getattr execute }; allow pki_ra_t httpd_exec_t:file entrypoint; allow pki_ra_t httpd_modules_t:lnk_file read; allow pki_ra_t httpd_suexec_exec_t:file { getattr read execute }; #apache permissions apache_read_config(pki_ra_t) apache_exec_modules(pki_ra_t) apache_list_modules(pki_ra_t) allow pki_ra_t lib_t:file execute_no_trans; allow pki_ra_t self:capability { setuid sys_nice setgid dac_override fowner fsetid}; allow pki_ra_t self:process { setsched getsched signal signull execstack execmem}; allow pki_ra_t self:sem all_sem_perms; allow pki_ra_t self:tcp_socket create_stream_socket_perms; #RA specific? talking to mysql? allow pki_ra_t self:udp_socket { write read create connect }; allow pki_ra_t self:unix_dgram_socket { write create connect }; # netlink needed? allow pki_ra_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; corecmd_exec_bin(pki_ra_t) corecmd_exec_shell(pki_ra_t) corecmd_read_bin_symlinks(pki_ra_t) corecmd_search_bin(pki_ra_t) corenet_sendrecv_unlabeled_packets(pki_ra_t) corenet_tcp_bind_all_nodes(pki_ra_t) corenet_tcp_bind_pki_ra_port(pki_ra_t) corenet_tcp_sendrecv_all_if(pki_ra_t) corenet_tcp_sendrecv_all_nodes(pki_ra_t) corenet_tcp_sendrecv_all_ports(pki_ra_t) corenet_all_recvfrom_unlabeled(pki_ra_t) corenet_tcp_connect_generic_port(pki_ra_t) # talk to other subsystems corenet_tcp_connect_pki_ca_port(pki_ra_t) dev_read_urand(pki_ra_t) files_exec_usr_files(pki_ra_t) fs_getattr_xattr_fs(pki_ra_t) # ra writes files to /tmp files_manage_generic_tmp_files(pki_ra_t) kernel_read_kernel_sysctls(pki_ra_t) kernel_read_system_state(pki_ra_t) logging_send_syslog_msg(pki_ra_t) corenet_tcp_connect_smtp_port(pki_ra_t) files_search_spool(pki_ra_t) # # Should be changed to mta_send_mail # mta_manage_spool(pki_ra_t) mta_manage_queue(pki_ra_t) mta_read_config(pki_ra_t) mta_sendmail_exec(pki_ra_t) #resolve names? auth_use_nsswitch(pki_ra_t) sysnet_read_config(pki_ra_t) allow httpd_t pki_ra_etc_rw_t:dir search; allow httpd_t pki_ra_etc_rw_t:file rw_file_perms; allow httpd_t pki_ra_log_t:dir rw_dir_perms; allow httpd_t pki_ra_log_t:file manage_file_perms; allow httpd_t pki_ra_t:process { signal signull }; allow httpd_t pki_ra_var_lib_t:dir { getattr search }; allow httpd_t pki_ra_var_lib_t:lnk_file read; allow httpd_t pki_ra_var_lib_t:file read_file_perms; # talk to the hsm allow pki_ra_t pki_common_dev_t:sock_file write; allow pki_ra_t pki_common_dev_t:dir search; allow pki_ra_t pki_common_t:dir create_dir_perms; manage_files_pattern(pki_ra_t, pki_common_t, pki_common_t) can_exec(pki_ra_t, pki_common_t) init_stream_connect_script(pki_ra_t) # allow rpm -q in init scripts rpm_exec(pki_ra_t) # allow writing to the kernel keyring allow pki_ra_t self:key { write read }; # new for f14 apache_exec(pki_ra_t)