pki/base/selinux/src/pki.te


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138

policy_module(pki,6.2.2)

attribute pki_ca_config;
attribute pki_ca_executable;
attribute pki_ca_var_lib;
attribute pki_ca_var_log;
attribute pki_ca_var_run;
attribute pki_ca_pidfiles;
attribute pki_ca_script;
attribute pki_ca_process;

type pki_common_t;
files_type(pki_common_t)

type pki_common_dev_t;
files_type(pki_common_dev_t)

type pki_ca_tomcat_exec_t;
files_type(pki_ca_tomcat_exec_t)

pki_ca_template(pki_ca)
corenet_tcp_connect_pki_kra_port(pki_ca_t)
corenet_tcp_connect_pki_ocsp_port(pki_ca_t)

# forward proxy
corenet_tcp_connect_pki_ca_port(httpd_t)

# for crl publishing
allow pki_ca_t pki_ca_var_lib_t:lnk_file { rename create unlink };

# for ECC
auth_getattr_shadow(pki_ca_t)

attribute pki_kra_config;
attribute pki_kra_executable;
attribute pki_kra_var_lib;
attribute pki_kra_var_log;
attribute pki_kra_var_run;
attribute pki_kra_pidfiles;
attribute pki_kra_script;
attribute pki_kra_process;

type pki_kra_tomcat_exec_t;
files_type(pki_kra_tomcat_exec_t)

pki_ca_template(pki_kra)
corenet_tcp_connect_pki_ca_port(pki_kra_t)

# forward proxy
corenet_tcp_connect_pki_kra_port(httpd_t)

attribute pki_ocsp_config;
attribute pki_ocsp_executable;
attribute pki_ocsp_var_lib;
attribute pki_ocsp_var_log;
attribute pki_ocsp_var_run;
attribute pki_ocsp_pidfiles;
attribute pki_ocsp_script;
attribute pki_ocsp_process;

type pki_ocsp_tomcat_exec_t;
files_type(pki_ocsp_tomcat_exec_t)

pki_ca_template(pki_ocsp)
corenet_tcp_connect_pki_ca_port(pki_ocsp_t)

# forward proxy
corenet_tcp_connect_pki_ocsp_port(httpd_t)

attribute pki_ra_config;
attribute pki_ra_executable;
attribute pki_ra_var_lib;
attribute pki_ra_var_log;
attribute pki_ra_var_run;
attribute pki_ra_pidfiles;
attribute pki_ra_script;
attribute pki_ra_process;

type pki_ra_tomcat_exec_t;
files_type(pki_ra_tomcat_exec_t)

pki_ra_template(pki_ra)

attribute pki_tks_config;
attribute pki_tks_executable;
attribute pki_tks_var_lib;
attribute pki_tks_var_log;
attribute pki_tks_var_run;
attribute pki_tks_pidfiles;
attribute pki_tks_script;
attribute pki_tks_process;

type pki_tks_tomcat_exec_t;
files_type(pki_tks_tomcat_exec_t)

pki_ca_template(pki_tks)
corenet_tcp_connect_pki_ca_port(pki_tks_t)

# forward proxy
corenet_tcp_connect_pki_tks_port(httpd_t)

# needed for token enrollment, list /var/cache/tomcat5/temp
files_list_var(pki_tks_t)

attribute pki_tps_config;
attribute pki_tps_executable;
attribute pki_tps_var_lib;
attribute pki_tps_var_log;
attribute pki_tps_var_run;
attribute pki_tps_pidfiles;
attribute pki_tps_script;
attribute pki_tps_process;

type pki_tps_tomcat_exec_t;
files_type(pki_tps_tomcat_exec_t)

pki_tps_template(pki_tps)

#interprocess communication on process shutdown
allow pki_ca_t pki_kra_t:process signull;
allow pki_ca_t pki_ocsp_t:process signull;
allow pki_ca_t pki_tks_t:process signull;

allow pki_kra_t pki_ca_t:process signull;
allow pki_kra_t pki_ocsp_t:process signull;
allow pki_kra_t pki_tks_t:process signull;

allow pki_ocsp_t pki_ca_t:process signull;
allow pki_ocsp_t pki_kra_t:process signull;
allow pki_ocsp_t pki_tks_t:process signull;

allow pki_tks_t pki_ca_t:process signull;
allow pki_tks_t pki_kra_t:process signull;
allow pki_tks_t pki_ocsp_t:process signull;

#allow httpd_t pki_tks_tomcat_exec_t:process signull;
#allow httpd_t pki_tks_var_lib_t:process signull;