## policy for pki
########################################
##
## Allow read and write pki cert files.
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_rw_tomcat_cert',`
gen_require(`
type pki_tomcat_cert_t;
type pki_tomcat_etc_rw_t;
')
allow $1 pki_tomcat_etc_rw_t:dir search_dir_perms;
rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
create_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
')
########################################
##
## Allow read and write pki cert files.
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_manage_tomcat_cert',`
gen_require(`
type pki_tomcat_cert_t;
type pki_tomcat_etc_rw_t;
')
allow $1 pki_tomcat_etc_rw_t:dir manage_dir_perms;
manage_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
manage_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
')
########################################
##
## Allow read and write pki cert files.
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_manage_tomcat_etc_rw',`
gen_require(`
type pki_tomcat_etc_rw_t;
')
manage_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
manage_lnk_files_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
')
########################################
##
## Allow domain to read pki cert files.
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_read_tomcat_cert',`
gen_require(`
type pki_tomcat_cert_t;
')
read_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
read_lnk_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
')
########################################
##
## Create a set of derived types for apache
## web content.
##
##
##
## The prefix to be used for deriving type names.
##
##
#
template(`pki_apache_template',`
gen_require(`
attribute pki_apache_domain;
attribute pki_apache_config, pki_apache_var_lib, pki_apache_var_run;
attribute pki_apache_executable, pki_apache_script, pki_apache_var_log;
')
########################################
#
# Declarations
#
type $1_t, pki_apache_domain;
type $1_exec_t, pki_apache_executable;
domain_type($1_t)
init_daemon_domain($1_t, $1_exec_t)
type $1_script_exec_t, pki_apache_script;
init_script_file($1_script_exec_t)
type $1_etc_rw_t, pki_apache_config;
files_type($1_etc_rw_t)
type $1_var_run_t, pki_apache_var_run;
files_pid_file($1_var_run_t)
type $1_var_lib_t, pki_apache_var_lib;
files_type($1_var_lib_t)
type $1_log_t, pki_apache_var_log;
logging_log_file($1_log_t)
type $1_lock_t;
files_lock_file($1_lock_t)
type $1_tmp_t;
files_tmpfs_file($1_tmp_t)
########################################
#
# $1 local policy
#
files_read_etc_files($1_t)
allow $1_t $1_etc_rw_t:lnk_file read;
manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
files_pid_filetrans($1_t,$1_var_run_t, { file dir })
manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
manage_dirs_pattern($1_t, $1_log_t, $1_log_t)
manage_files_pattern($1_t, $1_log_t, $1_log_t)
logging_log_filetrans($1_t, $1_log_t, { file dir } )
manage_dirs_pattern($1_t, $1_lock_t, $1_lock_t)
manage_files_pattern($1_t, $1_lock_t, $1_lock_t)
manage_lnk_files_pattern($1_t, $1_lock_t, $1_lock_t)
files_lock_filetrans($1_t, $1_lock_t, { dir file lnk_file })
manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
#talk to lunasa hsm
logging_send_syslog_msg($1_t)
kernel_read_kernel_sysctls($1_t)
kernel_read_system_state($1_t)
corenet_all_recvfrom_unlabeled($1_t)
# need to resolve addresses?
auth_use_nsswitch($1_t)
')
#######################################
##
## Send a null signal to pki apache domains.
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_apache_domain_signal',`
gen_require(`
attribute pki_apache_domain;
')
allow $1 pki_apache_domain:process signal;
')
#######################################
##
## Send a null signal to pki apache domains.
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_apache_domain_signull',`
gen_require(`
attribute pki_apache_domain;
')
allow $1 pki_apache_domain:process signull;
')
###################################
##
## Allow domain to read pki apache subsystem pid files
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_manage_apache_run',`
gen_require(`
attribute pki_apache_var_run;
')
files_search_var_lib($1)
read_files_pattern($1, pki_apache_var_run, pki_apache_var_run)
')
####################################
##
## Allow domain to manage pki apache subsystem lib files
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_manage_apache_lib',`
gen_require(`
attribute pki_apache_var_lib;
')
files_search_var_lib($1)
manage_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
manage_lnk_files_pattern($1, pki_apache_var_lib, pki_apache_var_lib)
')
##################################
##
## Dontaudit domain to write pki log files
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_search_log_dirs',`
gen_require(`
type pki_log_t;
')
search_dirs_pattern($1, pki_log_t, pki_log_t)
')
##################################
##
## Dontaudit domain to write pki log files
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_dontaudit_write_log',`
gen_require(`
type pki_log_t;
')
dontaudit $1 pki_log_t:file write;
')
###################################
##
## Allow domain to manage pki apache subsystem log files
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_manage_apache_log_files',`
gen_require(`
attribute pki_apache_var_log;
')
files_search_var_lib($1)
manage_files_pattern($1, pki_apache_var_log, pki_apache_var_log)
')
##################################
##
## Allow domain to manage pki apache subsystem config files
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_manage_apache_config_files',`
gen_require(`
attribute pki_apache_config;
')
files_search_var_lib($1)
manage_files_pattern($1, pki_apache_config, pki_apache_config)
')
#################################
##
## Allow domain to read pki tomcat lib files.
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_read_tomcat_lib_files',`
gen_require(`
type pki_tomcat_var_lib_t;
')
read_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
read_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
')
#################################
##
## Allow domain to manage pki tomcat lib files.
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_manage_tomcat_lib',`
gen_require(`
type pki_tomcat_var_lib_t;
')
manage_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
manage_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
manage_lnk_files_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
')
#################################
##
## Allow domain to manage pki tomcat lib files.
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_manage_tomcat_log',`
gen_require(`
type pki_tomcat_log_t;
')
manage_dirs_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t)
manage_files_pattern($1, pki_tomcat_log_t, pki_tomcat_log_t)
')
#################################
##
## Allow domain to read pki tomcat lib dirs
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_read_tomcat_lib_dirs',`
gen_require(`
type pki_tomcat_var_lib_t;
')
list_dirs_pattern($1, pki_tomcat_var_lib_t, pki_tomcat_var_lib_t)
')
########################################
##
## Allow read pki_common_t files
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_read_common_files',`
gen_require(`
type pki_common_t;
')
read_files_pattern($1, pki_common_t, pki_common_t)
')
########################################
##
## Allow execute pki_common_t files
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_exec_common_files',`
gen_require(`
type pki_common_t;
')
exec_files_pattern($1, pki_common_t, pki_common_t)
')
########################################
##
## Allow read pki_common_t files
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_manage_common_files',`
gen_require(`
type pki_common_t;
')
manage_files_pattern($1, pki_common_t, pki_common_t)
manage_dirs_pattern($1, pki_common_t, pki_common_t)
')
########################################
##
## Connect to pki over an unix
## stream socket.
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_stream_connect',`
gen_require(`
type pki_tomcat_t, pki_common_t;
')
files_search_pids($1)
stream_connect_pattern($1, pki_common_t, pki_common_t, pki_tomcat_t)
')
########################################
##
## Execute pki in the pkit_tomcat_t domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`pki_tomcat_systemctl',`
gen_require(`
type pki_tomcat_t;
type pki_tomcat_unit_file_t;
')
systemd_exec_systemctl($1)
systemd_read_fifo_file_passwd_run($1)
allow $1 pki_tomcat_unit_file_t:file read_file_perms;
allow $1 pki_tomcat_unit_file_t:service manage_service_perms;
ps_process_pattern($1, pki_tomcat_t)
')
########################################
##
## Create, read, write, and delete
## pki tomcat pid files.
##
##
##
## Domain allowed access.
##
##
#
interface(`pki_manage_tomcat_pid',`
gen_require(`
type pki_tomcat_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, pki_tomcat_var_run_t, pki_tomcat_var_run_t)
')