path: root/base/selinux/src/pki.te

policy_module(pki,10.0.6)

attribute pki_tomcat_config;
attribute pki_tomcat_executable;
attribute pki_tomcat_var_lib;
attribute pki_tomcat_var_log;
attribute pki_tomcat_var_run;
attribute pki_tomcat_pidfiles;
attribute pki_tomcat_script;
attribute pki_tomcat_process;

type pki_log_t;
files_type(pki_log_t)

type pki_common_t;
files_type(pki_common_t)

type pki_common_dev_t;
files_type(pki_common_dev_t)

type pki_tomcat_tomcat_exec_t;
files_type(pki_tomcat_tomcat_exec_t)

pki_tomcat_template(pki_tomcat)

# forward proxy
# need to define ports to fix this
#corenet_tcp_connect_pki_tomcat_port(httpd_t)

# for crl publishing
allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };

# for ECC
auth_getattr_shadow(pki_tomcat_t)

# old type aliases for migration
typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
attribute pki_ra_config;
attribute pki_ra_executable;
attribute pki_ra_var_lib;
attribute pki_ra_var_log;
attribute pki_ra_var_run;
attribute pki_ra_pidfiles;
attribute pki_ra_script;
attribute pki_ra_process;

type pki_ra_tomcat_exec_t;
files_type(pki_ra_tomcat_exec_t)

pki_ra_template(pki_ra)

# needed for token enrollment, list /var/cache/tomcat5/temp
files_list_var(pki_tomcat_t)

attribute pki_tps_config;
attribute pki_tps_executable;
attribute pki_tps_var_lib;
attribute pki_tps_var_log;
attribute pki_tps_var_run;
attribute pki_tps_pidfiles;
attribute pki_tps_script;
attribute pki_tps_process;

type pki_tps_tomcat_exec_t;
files_type(pki_tps_tomcat_exec_t)

pki_tps_template(pki_tps)

# start up httpd in pki_tps_t mode
can_exec(pki_tps_t, httpd_config_t)
allow pki_tps_t httpd_exec_t:file entrypoint;
allow pki_tps_t httpd_modules_t:lnk_file read;
can_exec(pki_tps_t, httpd_suexec_exec_t)

# apache permissions
apache_exec_modules(pki_tps_t)
apache_list_modules(pki_tps_t)
apache_read_config(pki_tps_t)

allow pki_tps_t lib_t:file execute_no_trans;

#fowner needed for chmod
allow pki_tps_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill};
allow pki_tps_t self:process { setsched signal getsched  signull execstack execmem sigkill};
allow pki_tps_t self:sem all_sem_perms;
allow pki_tps_t self:tcp_socket create_stream_socket_perms;

# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};

 #netlink needed?
allow pki_tps_t self:netlink_route_socket { write getattr read bind create nlmsg_read };

corecmd_exec_bin(pki_tps_t)
corecmd_exec_shell(pki_tps_t)
corecmd_read_bin_symlinks(pki_tps_t)
corecmd_search_bin(pki_tps_t)

corenet_sendrecv_unlabeled_packets(pki_tps_t)
corenet_tcp_bind_all_nodes(pki_tps_t)
corenet_tcp_bind_pki_tps_port(pki_tps_t)
corenet_tcp_connect_generic_port(pki_tps_t)

# customer may run an ldap server on 389
corenet_tcp_connect_ldap_port(pki_tps_t)

# connect to other subsystems
corenet_tcp_connect_pki_ca_port(pki_tps_t)
corenet_tcp_connect_pki_kra_port(pki_tps_t)
corenet_tcp_connect_pki_tks_port(pki_tps_t)

corenet_tcp_sendrecv_all_if(pki_tps_t)
corenet_tcp_sendrecv_all_nodes(pki_tps_t)
corenet_tcp_sendrecv_all_ports(pki_tps_t)
corenet_all_recvfrom_unlabeled(pki_tps_t)

dev_read_urand(pki_tps_t)
files_exec_usr_files(pki_tps_t)
files_read_usr_symlinks(pki_tps_t)
files_read_usr_files(pki_tps_t)

#installation and debug uses /tmp
files_manage_generic_tmp_dirs(pki_tps_t)
files_manage_generic_tmp_files(pki_tps_t)

kernel_read_kernel_sysctls(pki_tps_t)
kernel_read_system_state(pki_tps_t)

# need to resolve addresses?
auth_use_nsswitch(pki_tps_t)

sysnet_read_config(pki_tps_t)

allow httpd_t pki_tps_etc_rw_t:dir search;
allow httpd_t pki_tps_etc_rw_t:file rw_file_perms;
allow httpd_t pki_tps_log_t:dir rw_dir_perms;
allow httpd_t pki_tps_log_t:file manage_file_perms;
allow httpd_t pki_tps_t:process { signal signull };
allow httpd_t pki_tps_var_lib_t:dir { getattr search };
allow httpd_t pki_tps_var_lib_t:lnk_file read;
allow httpd_t pki_tps_var_lib_t:file read_file_perms;

# why do I need to add this?
allow httpd_t httpd_config_t:file execute;
files_exec_usr_files(httpd_t)

# talk to the hsm
allow pki_tps_t pki_common_dev_t:sock_file write;
allow pki_tps_t pki_common_dev_t:dir search;
allow pki_tps_t pki_common_t:dir create_dir_perms;
manage_files_pattern(pki_tps_t, pki_common_t, pki_common_t)
can_exec(pki_tps_t, pki_common_t)
init_stream_connect_script(pki_tps_t)

#allow tps to talk to lunasa hsm
logging_send_syslog_msg(pki_tps_t)

# allow rpm -q in init scripts
rpm_exec(pki_tps_t)

# allow writing to the kernel keyring
allow pki_tps_t self:key { write read };

# new for f14
apache_exec(pki_tps_t)

 # start up httpd in pki_ra_t mode
allow pki_ra_t httpd_config_t:file { read getattr execute };
allow pki_ra_t httpd_exec_t:file entrypoint;
allow pki_ra_t httpd_modules_t:lnk_file read;
allow pki_ra_t httpd_suexec_exec_t:file { getattr read execute };

#apache permissions
apache_read_config(pki_ra_t)
apache_exec_modules(pki_ra_t)
apache_list_modules(pki_ra_t)

allow pki_ra_t lib_t:file execute_no_trans;

allow pki_ra_t self:capability { setuid sys_nice setgid dac_override fowner fsetid};
allow pki_ra_t self:process { setsched getsched signal signull execstack execmem};
allow pki_ra_t self:sem all_sem_perms;
allow pki_ra_t self:tcp_socket create_stream_socket_perms;

#RA specific? talking to mysql?
allow pki_ra_t self:udp_socket { write read create connect };
allow pki_ra_t self:unix_dgram_socket { write create connect };

# netlink needed?
allow pki_ra_t self:netlink_route_socket { write getattr read bind create nlmsg_read };

corecmd_exec_bin(pki_ra_t)
corecmd_exec_shell(pki_ra_t)
corecmd_read_bin_symlinks(pki_ra_t)
corecmd_search_bin(pki_ra_t)

corenet_sendrecv_unlabeled_packets(pki_ra_t)
corenet_tcp_bind_all_nodes(pki_ra_t)
corenet_tcp_bind_pki_ra_port(pki_ra_t)

corenet_tcp_sendrecv_all_if(pki_ra_t)
corenet_tcp_sendrecv_all_nodes(pki_ra_t)
corenet_tcp_sendrecv_all_ports(pki_ra_t)
corenet_all_recvfrom_unlabeled(pki_ra_t)
corenet_tcp_connect_generic_port(pki_ra_t)

# talk to other subsystems
corenet_tcp_connect_pki_ca_port(pki_ra_t)

dev_read_urand(pki_ra_t)
files_exec_usr_files(pki_ra_t)
fs_getattr_xattr_fs(pki_ra_t)

# ra writes files to /tmp
files_manage_generic_tmp_files(pki_ra_t)

kernel_read_kernel_sysctls(pki_ra_t)
kernel_read_system_state(pki_ra_t)

logging_send_syslog_msg(pki_ra_t)

corenet_tcp_connect_smtp_port(pki_ra_t)
files_search_spool(pki_ra_t)

#
# Should be changed to mta_send_mail
#
mta_manage_spool(pki_ra_t)
mta_manage_queue(pki_ra_t)
mta_read_config(pki_ra_t)
mta_sendmail_exec(pki_ra_t)

#resolve names?
auth_use_nsswitch(pki_ra_t)

sysnet_read_config(pki_ra_t)

allow httpd_t pki_ra_etc_rw_t:dir search;
allow httpd_t pki_ra_etc_rw_t:file rw_file_perms;
allow httpd_t pki_ra_log_t:dir rw_dir_perms;
allow httpd_t pki_ra_log_t:file manage_file_perms;
allow httpd_t pki_ra_t:process { signal signull };
allow httpd_t pki_ra_var_lib_t:dir { getattr search };
allow httpd_t pki_ra_var_lib_t:lnk_file read;
allow httpd_t pki_ra_var_lib_t:file read_file_perms;

# talk to the hsm
allow pki_ra_t pki_common_dev_t:sock_file write;
allow pki_ra_t pki_common_dev_t:dir search;
allow pki_ra_t pki_common_t:dir create_dir_perms;
manage_files_pattern(pki_ra_t, pki_common_t, pki_common_t)
can_exec(pki_ra_t, pki_common_t)
init_stream_connect_script(pki_ra_t)

# allow rpm -q in init scripts
rpm_exec(pki_ra_t)

# allow writing to the kernel keyring
allow pki_ra_t self:key { write read };

# new for f14
apache_exec(pki_ra_t)