Oreon-Lime-R2/selinux-policy/selinux-policy-bc228bd/selinux-policy-bc228bd0c249a9e4aa3dcf238c2b1bb138943b07/policy/modules/contrib/pki.te

policy_module(pki,10.0.11)

########################################
#
# Declarations
#

attribute pki_apache_domain;
attribute pki_apache_config;
attribute pki_apache_executable;
attribute pki_apache_var_lib;
attribute pki_apache_var_log;
attribute pki_apache_var_run;
attribute pki_apache_pidfiles;
attribute pki_apache_script;

type pki_log_t;
logging_log_file(pki_log_t)

type pki_common_t;
files_type(pki_common_t)

type pki_common_dev_t;
files_type(pki_common_dev_t)

type pki_tomcat_etc_rw_t;
files_type(pki_tomcat_etc_rw_t)

type pki_tomcat_cert_t;
miscfiles_cert_type(pki_tomcat_cert_t)

tomcat_domain_template(pki_tomcat)
domain_obj_id_change_exemption(pki_tomcat_t)

type pki_tomcat_unit_file_t;
systemd_unit_file(pki_tomcat_unit_file_t)

type pki_tomcat_lock_t;
files_lock_file(pki_tomcat_lock_t)

# old type aliases for migration
typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };


# pki policy types
type pki_tps_tomcat_exec_t;
files_type(pki_tps_tomcat_exec_t)

pki_apache_template(pki_tps)

# ra policy types
type pki_ra_tomcat_exec_t;
files_type(pki_ra_tomcat_exec_t)

pki_apache_template(pki_ra)

# needed for dogtag 9 style instances
type pki_tomcat_script_t;
domain_type(pki_tomcat_script_t)
role system_r types pki_tomcat_script_t;

optional_policy(`
             unconfined_domain(pki_tomcat_script_t)
')

########################################
#
# pki-tomcat local policy
#

allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_read_search  sys_nice fsetid };
dontaudit  pki_tomcat_t self:capability net_admin;
allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate };

allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
allow pki_tomcat_t self:tcp_socket { accept listen };

# allow writing to the kernel keyring
allow pki_tomcat_t self:key { write read };

manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabel_file_perms;

manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)

manage_dirs_pattern(pki_tomcat_t,  pki_tomcat_lock_t,  pki_tomcat_lock_t)
manage_files_pattern(pki_tomcat_t,  pki_tomcat_lock_t,  pki_tomcat_lock_t)
manage_lnk_files_pattern(pki_tomcat_t,  pki_tomcat_lock_t,  pki_tomcat_lock_t)
files_lock_filetrans(pki_tomcat_t,  pki_tomcat_lock_t, { dir file lnk_file })

read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)
read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
systemd_search_unit_dirs(pki_tomcat_t)

# allow java subsystems to talk to the ncipher hsm
allow pki_tomcat_t pki_common_dev_t:sock_file write;
allow pki_tomcat_t pki_common_dev_t:dir search;
allow pki_tomcat_t pki_common_t:dir create_dir_perms;
manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
can_exec(pki_tomcat_t, pki_common_t)
init_stream_connect_script(pki_tomcat_t)

auth_use_nsswitch(pki_tomcat_t)

search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)

kernel_read_kernel_sysctls(pki_tomcat_t)
kernel_read_net_sysctls(pki_tomcat_t)

corenet_tcp_connect_http_cache_port(pki_tomcat_t)
corenet_tcp_connect_ldap_port(pki_tomcat_t)
corenet_tcp_connect_smtp_port(pki_tomcat_t)
corenet_tcp_connect_pki_ca_port(pki_tomcat_t)

selinux_get_enforce_mode(pki_tomcat_t)

libs_exec_ldconfig(pki_tomcat_t)

logging_send_audit_msgs(pki_tomcat_t)

miscfiles_read_hwdata(pki_tomcat_t)

# is this really needed?
userdom_manage_user_tmp_dirs(pki_tomcat_t)
userdom_manage_user_tmp_files(pki_tomcat_t)

# for crl publishing
allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };

# for ECC
auth_getattr_shadow(pki_tomcat_t)

optional_policy(`
        consoletype_exec(pki_tomcat_t)
')

optional_policy(`
	dirsrv_manage_var_lib(pki_tomcat_t)
')

optional_policy(`
        hostname_exec(pki_tomcat_t)
')

optional_policy(`
    ipa_read_lib(pki_tomcat_t)
')

#######################################
#
# tps local policy
#

# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};

corenet_tcp_bind_pki_tps_port(pki_tps_t)
# customer may run an ldap server on 389
corenet_tcp_connect_ldap_port(pki_tps_t)
# connect to other subsystems
corenet_tcp_connect_pki_ca_port(pki_tps_t)
corenet_tcp_connect_pki_kra_port(pki_tps_t)
corenet_tcp_connect_pki_tks_port(pki_tps_t)

files_exec_usr_files(pki_tps_t)

######################################
#
# ra local policy
#

#  RA specific? talking to mysql?
allow pki_ra_t self:udp_socket { write read create connect };
allow pki_ra_t self:unix_dgram_socket { write create connect };

corenet_tcp_bind_pki_ra_port(pki_ra_t)
# talk to other subsystems
corenet_tcp_connect_http_port(pki_ra_t)
corenet_tcp_connect_pki_ca_port(pki_ra_t)
corenet_tcp_connect_smtp_port(pki_ra_t)

fs_getattr_xattr_fs(pki_ra_t)

files_search_spool(pki_ra_t)
files_exec_usr_files(pki_ra_t)

optional_policy(`
	mta_send_mail(pki_ra_t)
	mta_manage_spool(pki_ra_t)
	mta_manage_queue(pki_ra_t)
	mta_read_config(pki_ra_t)
')

#####################################
#
# pki_apache_domain local policy
#


allow pki_apache_domain self:capability { setuid sys_nice setgid dac_read_search  fowner fsetid kill chown};
allow pki_apache_domain self:process { setsched signal getsched  signull execstack execmem sigkill};

allow pki_apache_domain self:sem all_sem_perms;
allow pki_apache_domain self:tcp_socket create_stream_socket_perms;
allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };

# allow writing to the kernel keyring
allow pki_apache_domain self:key { write read };

## internal communication is often done using fifo and unix sockets.
allow pki_apache_domain self:fifo_file rw_file_perms;
allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;

# talk to the hsm
allow pki_apache_domain pki_common_dev_t:sock_file write;
allow pki_apache_domain pki_common_dev_t:dir search;
allow pki_apache_domain pki_common_t:dir create_dir_perms;
manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
can_exec(pki_apache_domain, pki_common_t)
init_stream_connect_script(pki_apache_domain)

corenet_sendrecv_unlabeled_packets(pki_apache_domain)
corenet_tcp_bind_all_nodes(pki_apache_domain)
corenet_tcp_sendrecv_all_if(pki_apache_domain)
corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
corenet_tcp_sendrecv_all_ports(pki_apache_domain)
#corenet_all_recvfrom_unlabeled(pki_apache_domain)
corenet_tcp_connect_generic_port(pki_apache_domain)

# Init script handling
domain_use_interactive_fds(pki_apache_domain)

seutil_exec_setfiles(pki_apache_domain)

init_dontaudit_write_utmp(pki_apache_domain)

libs_use_ld_so(pki_apache_domain)
libs_use_shared_libs(pki_apache_domain)
libs_exec_ld_so(pki_apache_domain)
libs_exec_lib_files(pki_apache_domain)

fs_search_cgroup_dirs(pki_apache_domain)

corecmd_exec_bin(pki_apache_domain)
corecmd_exec_shell(pki_apache_domain)

dev_read_urand(pki_apache_domain)
dev_read_rand(pki_apache_domain)

# shutdown script uses ps
domain_dontaudit_read_all_domains_state(pki_apache_domain)
ps_process_pattern(pki_apache_domain, pki_apache_domain)

sysnet_read_config(pki_apache_domain)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(pki_apache_domain)
	term_dontaudit_use_generic_ptys(pki_apache_domain)
')

optional_policy(`
	# apache permissions
	apache_exec_modules(pki_apache_domain)
	apache_list_modules(pki_apache_domain)
	apache_read_config(pki_apache_domain)
	apache_exec(pki_apache_domain)
	apache_exec_suexec(pki_apache_domain)
	apache_entrypoint(pki_apache_domain)
')

# allow rpm -q in init scripts
optional_policy(`
	rpm_exec(pki_apache_domain)
')
extract all compressed files to make viewing source code easier and updated oreon-backgrounds and oreon-release packages 2024-07-03 21:20:34 -07:00			`policy_module(pki,10.0.11)`

			`########################################`
			`#`
			`# Declarations`
			`#`

			`attribute pki_apache_domain;`
			`attribute pki_apache_config;`
			`attribute pki_apache_executable;`
			`attribute pki_apache_var_lib;`
			`attribute pki_apache_var_log;`
			`attribute pki_apache_var_run;`
			`attribute pki_apache_pidfiles;`
			`attribute pki_apache_script;`

			`type pki_log_t;`
			`logging_log_file(pki_log_t)`

			`type pki_common_t;`
			`files_type(pki_common_t)`

			`type pki_common_dev_t;`
			`files_type(pki_common_dev_t)`

			`type pki_tomcat_etc_rw_t;`
			`files_type(pki_tomcat_etc_rw_t)`

			`type pki_tomcat_cert_t;`
			`miscfiles_cert_type(pki_tomcat_cert_t)`

			`tomcat_domain_template(pki_tomcat)`
			`domain_obj_id_change_exemption(pki_tomcat_t)`

			`type pki_tomcat_unit_file_t;`
			`systemd_unit_file(pki_tomcat_unit_file_t)`

			`type pki_tomcat_lock_t;`
			`files_lock_file(pki_tomcat_lock_t)`

			`# old type aliases for migration`
			`typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };`
			`typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };`
			`typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };`
			`typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };`
			`typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };`


			`# pki policy types`
			`type pki_tps_tomcat_exec_t;`
			`files_type(pki_tps_tomcat_exec_t)`

			`pki_apache_template(pki_tps)`

			`# ra policy types`
			`type pki_ra_tomcat_exec_t;`
			`files_type(pki_ra_tomcat_exec_t)`

			`pki_apache_template(pki_ra)`

			`# needed for dogtag 9 style instances`
			`type pki_tomcat_script_t;`
			`domain_type(pki_tomcat_script_t)`
			`role system_r types pki_tomcat_script_t;`

			optional_policy(`
			`unconfined_domain(pki_tomcat_script_t)`
			`')`

			`########################################`
			`#`
			`# pki-tomcat local policy`
			`#`

			`allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_read_search sys_nice fsetid };`
			`dontaudit pki_tomcat_t self:capability net_admin;`
			`allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate };`

			`allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };`
			`allow pki_tomcat_t self:tcp_socket { accept listen };`

			`# allow writing to the kernel keyring`
			`allow pki_tomcat_t self:key { write read };`

			`manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)`
			`manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)`
			`manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)`
			`allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabel_file_perms;`

			`manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)`
			`manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)`
			`manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)`

			`manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)`
			`manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)`
			`manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)`
			`files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })`

			`read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)`
			`read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)`
			`allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;`
			`allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;`
			`systemd_search_unit_dirs(pki_tomcat_t)`

			`# allow java subsystems to talk to the ncipher hsm`
			`allow pki_tomcat_t pki_common_dev_t:sock_file write;`
			`allow pki_tomcat_t pki_common_dev_t:dir search;`
			`allow pki_tomcat_t pki_common_t:dir create_dir_perms;`
			`manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)`
			`can_exec(pki_tomcat_t, pki_common_t)`
			`init_stream_connect_script(pki_tomcat_t)`

			`auth_use_nsswitch(pki_tomcat_t)`

			`search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)`

			`kernel_read_kernel_sysctls(pki_tomcat_t)`
			`kernel_read_net_sysctls(pki_tomcat_t)`

			`corenet_tcp_connect_http_cache_port(pki_tomcat_t)`
			`corenet_tcp_connect_ldap_port(pki_tomcat_t)`
			`corenet_tcp_connect_smtp_port(pki_tomcat_t)`
			`corenet_tcp_connect_pki_ca_port(pki_tomcat_t)`

			`selinux_get_enforce_mode(pki_tomcat_t)`

			`libs_exec_ldconfig(pki_tomcat_t)`

			`logging_send_audit_msgs(pki_tomcat_t)`

			`miscfiles_read_hwdata(pki_tomcat_t)`

			`# is this really needed?`
			`userdom_manage_user_tmp_dirs(pki_tomcat_t)`
			`userdom_manage_user_tmp_files(pki_tomcat_t)`

			`# for crl publishing`
			`allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };`

			`# for ECC`
			`auth_getattr_shadow(pki_tomcat_t)`

			optional_policy(`
			`consoletype_exec(pki_tomcat_t)`
			`')`

			optional_policy(`
			`dirsrv_manage_var_lib(pki_tomcat_t)`
			`')`

			optional_policy(`
			`hostname_exec(pki_tomcat_t)`
			`')`

			optional_policy(`
			`ipa_read_lib(pki_tomcat_t)`
			`')`

			`#######################################`
			`#`
			`# tps local policy`
			`#`

			`# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment`
			`allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};`

			`corenet_tcp_bind_pki_tps_port(pki_tps_t)`
			`# customer may run an ldap server on 389`
			`corenet_tcp_connect_ldap_port(pki_tps_t)`
			`# connect to other subsystems`
			`corenet_tcp_connect_pki_ca_port(pki_tps_t)`
			`corenet_tcp_connect_pki_kra_port(pki_tps_t)`
			`corenet_tcp_connect_pki_tks_port(pki_tps_t)`

			`files_exec_usr_files(pki_tps_t)`

			`######################################`
			`#`
			`# ra local policy`
			`#`

			`# RA specific? talking to mysql?`
			`allow pki_ra_t self:udp_socket { write read create connect };`
			`allow pki_ra_t self:unix_dgram_socket { write create connect };`

			`corenet_tcp_bind_pki_ra_port(pki_ra_t)`
			`# talk to other subsystems`
			`corenet_tcp_connect_http_port(pki_ra_t)`
			`corenet_tcp_connect_pki_ca_port(pki_ra_t)`
			`corenet_tcp_connect_smtp_port(pki_ra_t)`

			`fs_getattr_xattr_fs(pki_ra_t)`

			`files_search_spool(pki_ra_t)`
			`files_exec_usr_files(pki_ra_t)`

			optional_policy(`
			`mta_send_mail(pki_ra_t)`
			`mta_manage_spool(pki_ra_t)`
			`mta_manage_queue(pki_ra_t)`
			`mta_read_config(pki_ra_t)`
			`')`

			`#####################################`
			`#`
			`# pki_apache_domain local policy`
			`#`


			`allow pki_apache_domain self:capability { setuid sys_nice setgid dac_read_search fowner fsetid kill chown};`
			`allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill};`

			`allow pki_apache_domain self:sem all_sem_perms;`
			`allow pki_apache_domain self:tcp_socket create_stream_socket_perms;`
			`allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };`

			`# allow writing to the kernel keyring`
			`allow pki_apache_domain self:key { write read };`

			`## internal communication is often done using fifo and unix sockets.`
			`allow pki_apache_domain self:fifo_file rw_file_perms;`
			`allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;`

			`# talk to the hsm`
			`allow pki_apache_domain pki_common_dev_t:sock_file write;`
			`allow pki_apache_domain pki_common_dev_t:dir search;`
			`allow pki_apache_domain pki_common_t:dir create_dir_perms;`
			`manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)`
			`can_exec(pki_apache_domain, pki_common_t)`
			`init_stream_connect_script(pki_apache_domain)`

			`corenet_sendrecv_unlabeled_packets(pki_apache_domain)`
			`corenet_tcp_bind_all_nodes(pki_apache_domain)`
			`corenet_tcp_sendrecv_all_if(pki_apache_domain)`
			`corenet_tcp_sendrecv_all_nodes(pki_apache_domain)`
			`corenet_tcp_sendrecv_all_ports(pki_apache_domain)`
			`#corenet_all_recvfrom_unlabeled(pki_apache_domain)`
			`corenet_tcp_connect_generic_port(pki_apache_domain)`

			`# Init script handling`
			`domain_use_interactive_fds(pki_apache_domain)`

			`seutil_exec_setfiles(pki_apache_domain)`

			`init_dontaudit_write_utmp(pki_apache_domain)`

			`libs_use_ld_so(pki_apache_domain)`
			`libs_use_shared_libs(pki_apache_domain)`
			`libs_exec_ld_so(pki_apache_domain)`
			`libs_exec_lib_files(pki_apache_domain)`

			`fs_search_cgroup_dirs(pki_apache_domain)`

			`corecmd_exec_bin(pki_apache_domain)`
			`corecmd_exec_shell(pki_apache_domain)`

			`dev_read_urand(pki_apache_domain)`
			`dev_read_rand(pki_apache_domain)`

			`# shutdown script uses ps`
			`domain_dontaudit_read_all_domains_state(pki_apache_domain)`
			`ps_process_pattern(pki_apache_domain, pki_apache_domain)`

			`sysnet_read_config(pki_apache_domain)`

			ifdef(`targeted_policy',`
			`term_dontaudit_use_unallocated_ttys(pki_apache_domain)`
			`term_dontaudit_use_generic_ptys(pki_apache_domain)`
			`')`

			optional_policy(`
			`# apache permissions`
			`apache_exec_modules(pki_apache_domain)`
			`apache_list_modules(pki_apache_domain)`
			`apache_read_config(pki_apache_domain)`
			`apache_exec(pki_apache_domain)`
			`apache_exec_suexec(pki_apache_domain)`
			`apache_entrypoint(pki_apache_domain)`
			`')`

			`# allow rpm -q in init scripts`
			optional_policy(`
			`rpm_exec(pki_apache_domain)`
			`')`