285 lines
8.4 KiB
Text
285 lines
8.4 KiB
Text
policy_module(pki,10.0.11)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute pki_apache_domain;
|
|
attribute pki_apache_config;
|
|
attribute pki_apache_executable;
|
|
attribute pki_apache_var_lib;
|
|
attribute pki_apache_var_log;
|
|
attribute pki_apache_var_run;
|
|
attribute pki_apache_pidfiles;
|
|
attribute pki_apache_script;
|
|
|
|
type pki_log_t;
|
|
logging_log_file(pki_log_t)
|
|
|
|
type pki_common_t;
|
|
files_type(pki_common_t)
|
|
|
|
type pki_common_dev_t;
|
|
files_type(pki_common_dev_t)
|
|
|
|
type pki_tomcat_etc_rw_t;
|
|
files_type(pki_tomcat_etc_rw_t)
|
|
|
|
type pki_tomcat_cert_t;
|
|
miscfiles_cert_type(pki_tomcat_cert_t)
|
|
|
|
tomcat_domain_template(pki_tomcat)
|
|
domain_obj_id_change_exemption(pki_tomcat_t)
|
|
|
|
type pki_tomcat_unit_file_t;
|
|
systemd_unit_file(pki_tomcat_unit_file_t)
|
|
|
|
type pki_tomcat_lock_t;
|
|
files_lock_file(pki_tomcat_lock_t)
|
|
|
|
# old type aliases for migration
|
|
typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
|
|
typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
|
|
typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
|
|
typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
|
|
typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
|
|
|
|
|
|
# pki policy types
|
|
type pki_tps_tomcat_exec_t;
|
|
files_type(pki_tps_tomcat_exec_t)
|
|
|
|
pki_apache_template(pki_tps)
|
|
|
|
# ra policy types
|
|
type pki_ra_tomcat_exec_t;
|
|
files_type(pki_ra_tomcat_exec_t)
|
|
|
|
pki_apache_template(pki_ra)
|
|
|
|
# needed for dogtag 9 style instances
|
|
type pki_tomcat_script_t;
|
|
domain_type(pki_tomcat_script_t)
|
|
role system_r types pki_tomcat_script_t;
|
|
|
|
optional_policy(`
|
|
unconfined_domain(pki_tomcat_script_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# pki-tomcat local policy
|
|
#
|
|
|
|
allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_read_search sys_nice fsetid };
|
|
dontaudit pki_tomcat_t self:capability net_admin;
|
|
allow pki_tomcat_t self:process { signal setsched signull execmem setfscreate };
|
|
|
|
allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
|
|
allow pki_tomcat_t self:tcp_socket { accept listen };
|
|
|
|
# allow writing to the kernel keyring
|
|
allow pki_tomcat_t self:key { write read };
|
|
|
|
manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
|
|
manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
|
|
manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
|
|
allow pki_tomcat_t pki_tomcat_etc_rw_t:file relabel_file_perms;
|
|
|
|
manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
|
|
manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
|
|
manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
|
|
|
|
manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
|
|
manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
|
|
manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
|
|
files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })
|
|
|
|
read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)
|
|
read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
|
|
allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
|
|
allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
|
|
systemd_search_unit_dirs(pki_tomcat_t)
|
|
|
|
# allow java subsystems to talk to the ncipher hsm
|
|
allow pki_tomcat_t pki_common_dev_t:sock_file write;
|
|
allow pki_tomcat_t pki_common_dev_t:dir search;
|
|
allow pki_tomcat_t pki_common_t:dir create_dir_perms;
|
|
manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
|
|
can_exec(pki_tomcat_t, pki_common_t)
|
|
init_stream_connect_script(pki_tomcat_t)
|
|
|
|
auth_use_nsswitch(pki_tomcat_t)
|
|
|
|
search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)
|
|
|
|
kernel_read_kernel_sysctls(pki_tomcat_t)
|
|
kernel_read_net_sysctls(pki_tomcat_t)
|
|
|
|
corenet_tcp_connect_http_cache_port(pki_tomcat_t)
|
|
corenet_tcp_connect_ldap_port(pki_tomcat_t)
|
|
corenet_tcp_connect_smtp_port(pki_tomcat_t)
|
|
corenet_tcp_connect_pki_ca_port(pki_tomcat_t)
|
|
|
|
selinux_get_enforce_mode(pki_tomcat_t)
|
|
|
|
libs_exec_ldconfig(pki_tomcat_t)
|
|
|
|
logging_send_audit_msgs(pki_tomcat_t)
|
|
|
|
miscfiles_read_hwdata(pki_tomcat_t)
|
|
|
|
# is this really needed?
|
|
userdom_manage_user_tmp_dirs(pki_tomcat_t)
|
|
userdom_manage_user_tmp_files(pki_tomcat_t)
|
|
|
|
# for crl publishing
|
|
allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };
|
|
|
|
# for ECC
|
|
auth_getattr_shadow(pki_tomcat_t)
|
|
|
|
optional_policy(`
|
|
consoletype_exec(pki_tomcat_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dirsrv_manage_var_lib(pki_tomcat_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
hostname_exec(pki_tomcat_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ipa_read_lib(pki_tomcat_t)
|
|
')
|
|
|
|
#######################################
|
|
#
|
|
# tps local policy
|
|
#
|
|
|
|
# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
|
|
allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};
|
|
|
|
corenet_tcp_bind_pki_tps_port(pki_tps_t)
|
|
# customer may run an ldap server on 389
|
|
corenet_tcp_connect_ldap_port(pki_tps_t)
|
|
# connect to other subsystems
|
|
corenet_tcp_connect_pki_ca_port(pki_tps_t)
|
|
corenet_tcp_connect_pki_kra_port(pki_tps_t)
|
|
corenet_tcp_connect_pki_tks_port(pki_tps_t)
|
|
|
|
files_exec_usr_files(pki_tps_t)
|
|
|
|
######################################
|
|
#
|
|
# ra local policy
|
|
#
|
|
|
|
# RA specific? talking to mysql?
|
|
allow pki_ra_t self:udp_socket { write read create connect };
|
|
allow pki_ra_t self:unix_dgram_socket { write create connect };
|
|
|
|
corenet_tcp_bind_pki_ra_port(pki_ra_t)
|
|
# talk to other subsystems
|
|
corenet_tcp_connect_http_port(pki_ra_t)
|
|
corenet_tcp_connect_pki_ca_port(pki_ra_t)
|
|
corenet_tcp_connect_smtp_port(pki_ra_t)
|
|
|
|
fs_getattr_xattr_fs(pki_ra_t)
|
|
|
|
files_search_spool(pki_ra_t)
|
|
files_exec_usr_files(pki_ra_t)
|
|
|
|
optional_policy(`
|
|
mta_send_mail(pki_ra_t)
|
|
mta_manage_spool(pki_ra_t)
|
|
mta_manage_queue(pki_ra_t)
|
|
mta_read_config(pki_ra_t)
|
|
')
|
|
|
|
#####################################
|
|
#
|
|
# pki_apache_domain local policy
|
|
#
|
|
|
|
|
|
allow pki_apache_domain self:capability { setuid sys_nice setgid dac_read_search fowner fsetid kill chown};
|
|
allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill};
|
|
|
|
allow pki_apache_domain self:sem all_sem_perms;
|
|
allow pki_apache_domain self:tcp_socket create_stream_socket_perms;
|
|
allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };
|
|
|
|
# allow writing to the kernel keyring
|
|
allow pki_apache_domain self:key { write read };
|
|
|
|
## internal communication is often done using fifo and unix sockets.
|
|
allow pki_apache_domain self:fifo_file rw_file_perms;
|
|
allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
# talk to the hsm
|
|
allow pki_apache_domain pki_common_dev_t:sock_file write;
|
|
allow pki_apache_domain pki_common_dev_t:dir search;
|
|
allow pki_apache_domain pki_common_t:dir create_dir_perms;
|
|
manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
|
|
can_exec(pki_apache_domain, pki_common_t)
|
|
init_stream_connect_script(pki_apache_domain)
|
|
|
|
corenet_sendrecv_unlabeled_packets(pki_apache_domain)
|
|
corenet_tcp_bind_all_nodes(pki_apache_domain)
|
|
corenet_tcp_sendrecv_all_if(pki_apache_domain)
|
|
corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
|
|
corenet_tcp_sendrecv_all_ports(pki_apache_domain)
|
|
#corenet_all_recvfrom_unlabeled(pki_apache_domain)
|
|
corenet_tcp_connect_generic_port(pki_apache_domain)
|
|
|
|
# Init script handling
|
|
domain_use_interactive_fds(pki_apache_domain)
|
|
|
|
seutil_exec_setfiles(pki_apache_domain)
|
|
|
|
init_dontaudit_write_utmp(pki_apache_domain)
|
|
|
|
libs_use_ld_so(pki_apache_domain)
|
|
libs_use_shared_libs(pki_apache_domain)
|
|
libs_exec_ld_so(pki_apache_domain)
|
|
libs_exec_lib_files(pki_apache_domain)
|
|
|
|
fs_search_cgroup_dirs(pki_apache_domain)
|
|
|
|
corecmd_exec_bin(pki_apache_domain)
|
|
corecmd_exec_shell(pki_apache_domain)
|
|
|
|
dev_read_urand(pki_apache_domain)
|
|
dev_read_rand(pki_apache_domain)
|
|
|
|
# shutdown script uses ps
|
|
domain_dontaudit_read_all_domains_state(pki_apache_domain)
|
|
ps_process_pattern(pki_apache_domain, pki_apache_domain)
|
|
|
|
sysnet_read_config(pki_apache_domain)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_dontaudit_use_unallocated_ttys(pki_apache_domain)
|
|
term_dontaudit_use_generic_ptys(pki_apache_domain)
|
|
')
|
|
|
|
optional_policy(`
|
|
# apache permissions
|
|
apache_exec_modules(pki_apache_domain)
|
|
apache_list_modules(pki_apache_domain)
|
|
apache_read_config(pki_apache_domain)
|
|
apache_exec(pki_apache_domain)
|
|
apache_exec_suexec(pki_apache_domain)
|
|
apache_entrypoint(pki_apache_domain)
|
|
')
|
|
|
|
# allow rpm -q in init scripts
|
|
optional_policy(`
|
|
rpm_exec(pki_apache_domain)
|
|
')
|
|
|