policy_module(pki,6.2.2)

attribute pki_ca_config;
attribute pki_ca_executable;
attribute pki_ca_var_lib;
attribute pki_ca_var_log;
attribute pki_ca_var_run;
attribute pki_ca_pidfiles;
attribute pki_ca_script;
attribute pki_ca_process;

type pki_common_t;
files_type(pki_common_t)

type pki_common_dev_t;
files_type(pki_common_dev_t)

type pki_ca_tomcat_exec_t;
files_type(pki_ca_tomcat_exec_t)

pki_ca_template(pki_ca)
corenet_tcp_connect_pki_kra_port(pki_ca_t)
corenet_tcp_connect_pki_ocsp_port(pki_ca_t)

# forward proxy
corenet_tcp_connect_pki_ca_port(httpd_t)

# for crl publishing
allow pki_ca_t pki_ca_var_lib_t:lnk_file { rename create unlink };

# for ECC
auth_getattr_shadow(pki_ca_t)

attribute pki_kra_config;
attribute pki_kra_executable;
attribute pki_kra_var_lib;
attribute pki_kra_var_log;
attribute pki_kra_var_run;
attribute pki_kra_pidfiles;
attribute pki_kra_script;
attribute pki_kra_process;

type pki_kra_tomcat_exec_t;
files_type(pki_kra_tomcat_exec_t)

pki_ca_template(pki_kra)
corenet_tcp_connect_pki_ca_port(pki_kra_t)

# forward proxy
corenet_tcp_connect_pki_kra_port(httpd_t)

attribute pki_ocsp_config;
attribute pki_ocsp_executable;
attribute pki_ocsp_var_lib;
attribute pki_ocsp_var_log;
attribute pki_ocsp_var_run;
attribute pki_ocsp_pidfiles;
attribute pki_ocsp_script;
attribute pki_ocsp_process;

type pki_ocsp_tomcat_exec_t;
files_type(pki_ocsp_tomcat_exec_t)

pki_ca_template(pki_ocsp)
corenet_tcp_connect_pki_ca_port(pki_ocsp_t)

# forward proxy
corenet_tcp_connect_pki_ocsp_port(httpd_t)

attribute pki_ra_config;
attribute pki_ra_executable;
attribute pki_ra_var_lib;
attribute pki_ra_var_log;
attribute pki_ra_var_run;
attribute pki_ra_pidfiles;
attribute pki_ra_script;
attribute pki_ra_process;

type pki_ra_tomcat_exec_t;
files_type(pki_ra_tomcat_exec_t)

pki_ra_template(pki_ra)

attribute pki_tks_config;
attribute pki_tks_executable;
attribute pki_tks_var_lib;
attribute pki_tks_var_log;
attribute pki_tks_var_run;
attribute pki_tks_pidfiles;
attribute pki_tks_script;
attribute pki_tks_process;

type pki_tks_tomcat_exec_t;
files_type(pki_tks_tomcat_exec_t)

pki_ca_template(pki_tks)
corenet_tcp_connect_pki_ca_port(pki_tks_t)

# forward proxy
corenet_tcp_connect_pki_tks_port(httpd_t)

# needed for token enrollment, list /var/cache/tomcat5/temp
files_list_var(pki_tks_t)

attribute pki_tps_config;
attribute pki_tps_executable;
attribute pki_tps_var_lib;
attribute pki_tps_var_log;
attribute pki_tps_var_run;
attribute pki_tps_pidfiles;
attribute pki_tps_script;
attribute pki_tps_process;

type pki_tps_tomcat_exec_t;
files_type(pki_tps_tomcat_exec_t)

pki_tps_template(pki_tps)

#interprocess communication on process shutdown
allow pki_ca_t pki_kra_t:process signull;
allow pki_ca_t pki_ocsp_t:process signull;
allow pki_ca_t pki_tks_t:process signull;

allow pki_kra_t pki_ca_t:process signull;
allow pki_kra_t pki_ocsp_t:process signull;
allow pki_kra_t pki_tks_t:process signull;

allow pki_ocsp_t pki_ca_t:process signull;
allow pki_ocsp_t pki_kra_t:process signull;
allow pki_ocsp_t pki_tks_t:process signull;

allow pki_tks_t pki_ca_t:process signull;
allow pki_tks_t pki_kra_t:process signull;
allow pki_tks_t pki_ocsp_t:process signull;

#allow httpd_t pki_tks_tomcat_exec_t:process signull;
#allow httpd_t pki_tks_var_lib_t:process signull;