diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index 0709176..7c20ef0 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -38,12 +38,18 @@ template(`pki_ca_template',`
gen_require(`
type java_exec_t;
type initrc_t;
+ type tomcat_exec_t;
+ type tomcat_cache_t;
')
domtrans_pattern($1_script_t, java_exec_t, $1_t)
role system_r types $1_script_t;
allow $1_t java_exec_t:file entrypoint;
allow initrc_t $1_script_t:process transition;
+ can_exec($1_t, tomcat_exec_t)
+ miscfiles_read_hwdata($1_t)
+ allow pki_ca_t tomcat_cache_t:dir {getattr search};
+ #tomcat_search_cache($1_t)
type $1_etc_rw_t, pki_ca_config;
files_type($1_etc_rw_t)
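Review bot: The added rule `allow pki_ca_t tomcat_cache_t:dir {getattr search};` names the concrete domain pki_ca_t inside pki_ca_template, while every other rule in the hunk is written against the `$1_t` parameter; any instantiation of the template therefore grants this access to pki_ca_t rather than to the domain being defined, and an instantiation with a different prefix gets no cache access at all. Change it to `allow $1_t tomcat_cache_t:dir { getattr search };`, or call `tomcat_search_cache($1_t)` if the tomcat module in the target policy provides that interface, since the line below keeps it commented out. The commented-out `#tomcat_search_cache($1_t)` should either be dropped or carry a one-line reason why the direct rule is used instead. The template's body continues outside the hunk.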
@@ -206,6 +212,21 @@ template(`pki_ca_template',`
optional_policy(`
unconfined_domain($1_script_t)
')
+
+ # tomcat6 init scripts do runuser and touch lockfile
+ allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };
+ allow $1_t self:netlink_audit_socket { nlmsg_relay create read write };
+ consoletype_exec($1_t)
+ fs_read_hugetlbfs_files($1_t)
+ hostname_exec($1_t)
+ kernel_read_kernel_sysctls($1_t)
+ fs_getattr_xattr_fs($1_t)
+
+ # java (mislabeled as lib_t?) calls build_classpath
+ libs_exec_lib_files($1_t)
+
+ selinux_get_enforce_mode($1_t)
+
')
########################################
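Review bot: The capability set `allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };` gives the whole CA domain dac_override, which bypasses discretionary permission checks on every file the process touches, not only the lockfile the comment mentions. Since the comment attributes the need to runuser and the lockfile, it is worth confirming from the recorded denials whether dac_override is actually required or whether fixing the lockfile's ownership and mode removes the need, and narrowing the set accordingly. Likewise `libs_exec_lib_files($1_t)` is justified only by a question-mark comment about a mislabeled java binary; if the file is indeed mislabeled the fix belongs in the file contexts rather than a permanent execute allow, and the comment should record which it turned out to be. pki_ca_template starts outside the hunk.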
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index 089859c..99ec98e 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,9.0.2)
+policy_module(pki,9.0.5)
attribute pki_ca_config;
attribute pki_ca_executable;