Oreon-Lime-R2/selinux-policy/selinux-policy-bc228bd/selinux-policy-bc228bd0c249a9e4aa3dcf238c2b1bb138943b07/policy/modules/contrib/pki.te

285 lines
8.4 KiB
Text

policy_module(pki,10.0.11)
########################################
#
# Declarations
#
attribute pki_apache_domain;
attribute pki_apache_config;
attribute pki_apache_executable;
attribute pki_apache_var_lib;
attribute pki_apache_var_log;
attribute pki_apache_var_run;
attribute pki_apache_pidfiles;
attribute pki_apache_script;
type pki_log_t;
logging_log_file(pki_log_t)
type pki_common_t;
files_type(pki_common_t)
type pki_common_dev_t;
files_type(pki_common_dev_t)
type pki_tomcat_etc_rw_t;
files_type(pki_tomcat_etc_rw_t)
type pki_tomcat_cert_t;
miscfiles_cert_type(pki_tomcat_cert_t)
tomcat_domain_template(pki_tomcat)
domain_obj_id_change_exemption(pki_tomcat_t)
type pki_tomcat_unit_file_t;
systemd_unit_file(pki_tomcat_unit_file_t)
type pki_tomcat_lock_t;
files_lock_file(pki_tomcat_lock_t)
# old type aliases for migration
typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
# pki policy types
type pki_tps_tomcat_exec_t;
files_type(pki_tps_tomcat_exec_t)
pki_apache_template(pki_tps)
# ra policy types
type pki_ra_tomcat_exec_t;
files_type(pki_ra_tomcat_exec_t)
pki_apache_template(pki_ra)
# needed for dogtag 9 style instances
type pki_tomcat_script_t;
domain_type(pki_tomcat_script_t)
role system_r types pki_tomcat_script_t;
optional_policy(`
unconfined_domain(pki_tomcat_script_t)
')
########################################
#
# pki-tomcat local policy
#
allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_read_search sys_nice fsetid };
dontaudit pki_tomcat_t self:capability net_admin;
allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate };
allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
allow pki_tomcat_t self:tcp_socket { accept listen };
# allow writing to the kernel keyring
allow pki_tomcat_t self:key { write read };
manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabel_file_perms;
manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })
read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)
read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
systemd_search_unit_dirs(pki_tomcat_t)
# allow java subsystems to talk to the ncipher hsm
allow pki_tomcat_t pki_common_dev_t:sock_file write;
allow pki_tomcat_t pki_common_dev_t:dir search;
allow pki_tomcat_t pki_common_t:dir create_dir_perms;
manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
can_exec(pki_tomcat_t, pki_common_t)
init_stream_connect_script(pki_tomcat_t)
auth_use_nsswitch(pki_tomcat_t)
search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
kernel_read_kernel_sysctls(pki_tomcat_t)
kernel_read_net_sysctls(pki_tomcat_t)
corenet_tcp_connect_http_cache_port(pki_tomcat_t)
corenet_tcp_connect_ldap_port(pki_tomcat_t)
corenet_tcp_connect_smtp_port(pki_tomcat_t)
corenet_tcp_connect_pki_ca_port(pki_tomcat_t)
selinux_get_enforce_mode(pki_tomcat_t)
libs_exec_ldconfig(pki_tomcat_t)
logging_send_audit_msgs(pki_tomcat_t)
miscfiles_read_hwdata(pki_tomcat_t)
# is this really needed?
userdom_manage_user_tmp_dirs(pki_tomcat_t)
userdom_manage_user_tmp_files(pki_tomcat_t)
# for crl publishing
allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
# for ECC
auth_getattr_shadow(pki_tomcat_t)
optional_policy(`
consoletype_exec(pki_tomcat_t)
')
optional_policy(`
dirsrv_manage_var_lib(pki_tomcat_t)
')
optional_policy(`
hostname_exec(pki_tomcat_t)
')
optional_policy(`
ipa_read_lib(pki_tomcat_t)
')
#######################################
#
# tps local policy
#
# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
corenet_tcp_bind_pki_tps_port(pki_tps_t)
# customer may run an ldap server on 389
corenet_tcp_connect_ldap_port(pki_tps_t)
# connect to other subsystems
corenet_tcp_connect_pki_ca_port(pki_tps_t)
corenet_tcp_connect_pki_kra_port(pki_tps_t)
corenet_tcp_connect_pki_tks_port(pki_tps_t)
files_exec_usr_files(pki_tps_t)
######################################
#
# ra local policy
#
# RA specific? talking to mysql?
allow pki_ra_t self:udp_socket { write read create connect };
allow pki_ra_t self:unix_dgram_socket { write create connect };
corenet_tcp_bind_pki_ra_port(pki_ra_t)
# talk to other subsystems
corenet_tcp_connect_http_port(pki_ra_t)
corenet_tcp_connect_pki_ca_port(pki_ra_t)
corenet_tcp_connect_smtp_port(pki_ra_t)
fs_getattr_xattr_fs(pki_ra_t)
files_search_spool(pki_ra_t)
files_exec_usr_files(pki_ra_t)
optional_policy(`
mta_send_mail(pki_ra_t)
mta_manage_spool(pki_ra_t)
mta_manage_queue(pki_ra_t)
mta_read_config(pki_ra_t)
')
#####################################
#
# pki_apache_domain local policy
#
allow pki_apache_domain self:capability { setuid sys_nice setgid dac_read_search fowner fsetid kill chown};
allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill};
allow pki_apache_domain self:sem all_sem_perms;
allow pki_apache_domain self:tcp_socket create_stream_socket_perms;
allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };
# allow writing to the kernel keyring
allow pki_apache_domain self:key { write read };
## internal communication is often done using fifo and unix sockets.
allow pki_apache_domain self:fifo_file rw_file_perms;
allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;
# talk to the hsm
allow pki_apache_domain pki_common_dev_t:sock_file write;
allow pki_apache_domain pki_common_dev_t:dir search;
allow pki_apache_domain pki_common_t:dir create_dir_perms;
manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
can_exec(pki_apache_domain, pki_common_t)
init_stream_connect_script(pki_apache_domain)
corenet_sendrecv_unlabeled_packets(pki_apache_domain)
corenet_tcp_bind_all_nodes(pki_apache_domain)
corenet_tcp_sendrecv_all_if(pki_apache_domain)
corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
corenet_tcp_sendrecv_all_ports(pki_apache_domain)
#corenet_all_recvfrom_unlabeled(pki_apache_domain)
corenet_tcp_connect_generic_port(pki_apache_domain)
# Init script handling
domain_use_interactive_fds(pki_apache_domain)
seutil_exec_setfiles(pki_apache_domain)
init_dontaudit_write_utmp(pki_apache_domain)
libs_use_ld_so(pki_apache_domain)
libs_use_shared_libs(pki_apache_domain)
libs_exec_ld_so(pki_apache_domain)
libs_exec_lib_files(pki_apache_domain)
fs_search_cgroup_dirs(pki_apache_domain)
corecmd_exec_bin(pki_apache_domain)
corecmd_exec_shell(pki_apache_domain)
dev_read_urand(pki_apache_domain)
dev_read_rand(pki_apache_domain)
# shutdown script uses ps
domain_dontaudit_read_all_domains_state(pki_apache_domain)
ps_process_pattern(pki_apache_domain, pki_apache_domain)
sysnet_read_config(pki_apache_domain)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(pki_apache_domain)
term_dontaudit_use_generic_ptys(pki_apache_domain)
')
optional_policy(`
# apache permissions
apache_exec_modules(pki_apache_domain)
apache_list_modules(pki_apache_domain)
apache_read_config(pki_apache_domain)
apache_exec(pki_apache_domain)
apache_exec_suexec(pki_apache_domain)
apache_entrypoint(pki_apache_domain)
')
# allow rpm -q in init scripts
optional_policy(`
rpm_exec(pki_apache_domain)
')