policy_module(pki,10.0.11)

########################################

#

# Declarations

#

attribute pki_apache_domain;

attribute pki_apache_config;

attribute pki_apache_executable;

attribute pki_apache_var_lib;

attribute pki_apache_var_log;

attribute pki_apache_var_run;

attribute pki_apache_pidfiles;

attribute pki_apache_script;

type pki_log_t;

files_type(pki_log_t)

type pki_common_t;

files_type(pki_common_t)

type pki_common_dev_t;

files_type(pki_common_dev_t)

type pki_tomcat_etc_rw_t;

files_type(pki_tomcat_etc_rw_t)

type pki_tomcat_cert_t;

files_type(pki_tomcat_cert_t)

tomcat_domain_template(pki_tomcat)

type pki_tomcat_unit_file_t;

systemd_unit_file(pki_tomcat_unit_file_t)

type pki_tomcat_lock_t;

files_lock_file(pki_tomcat_lock_t)

# old type aliases for migration

typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };

typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };

typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };

typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };

typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };

# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };

# pki policy types

type pki_tps_tomcat_exec_t;

files_type(pki_tps_tomcat_exec_t)

pki_apache_template(pki_tps)

# ra policy types

type pki_ra_tomcat_exec_t;

files_type(pki_ra_tomcat_exec_t)

pki_apache_template(pki_ra)

# needed for dogtag 9 style instances

type pki_tomcat_script_t;

domain_type(pki_tomcat_script_t)

role system_r types pki_tomcat_script_t;

optional_policy(`

             unconfined_domain(pki_tomcat_script_t)

')

########################################

#

# pki-tomcat local policy

#

allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};

allow pki_tomcat_t self:process { signal setsched signull execmem };

allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };

allow pki_tomcat_t self:tcp_socket { accept listen };

# allow writing to the kernel keyring

allow pki_tomcat_t self:key { write read };

manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)

manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)

manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)

manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)

manage_dirs_pattern(pki_tomcat_t,  pki_tomcat_lock_t,  pki_tomcat_lock_t)

manage_files_pattern(pki_tomcat_t,  pki_tomcat_lock_t,  pki_tomcat_lock_t)

manage_lnk_files_pattern(pki_tomcat_t,  pki_tomcat_lock_t,  pki_tomcat_lock_t)

files_lock_filetrans(pki_tomcat_t,  pki_tomcat_lock_t, { dir file lnk_file })

read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)

read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)

allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;

allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;

systemd_search_unit_dirs(pki_tomcat_t)

# allow java subsystems to talk to the ncipher hsm

allow pki_tomcat_t pki_common_dev_t:sock_file write;

allow pki_tomcat_t pki_common_dev_t:dir search;

allow pki_tomcat_t pki_common_t:dir create_dir_perms;

manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)

can_exec(pki_tomcat_t, pki_common_t)

init_stream_connect_script(pki_tomcat_t)

search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)

kernel_read_kernel_sysctls(pki_tomcat_t)

corenet_tcp_connect_http_cache_port(pki_tomcat_t)

corenet_tcp_connect_ldap_port(pki_tomcat_t)

corenet_tcp_connect_smtp_port(pki_tomcat_t)

corenet_tcp_connect_pki_ca_port(pki_tomcat_t)

selinux_get_enforce_mode(pki_tomcat_t)

logging_send_audit_msgs(pki_tomcat_t)

miscfiles_read_hwdata(pki_tomcat_t)

# is this really needed?

userdom_manage_user_tmp_dirs(pki_tomcat_t)

userdom_manage_user_tmp_files(pki_tomcat_t)

# forward proxy

# need to define ports to fix this

#corenet_tcp_connect_pki_tomcat_port(httpd_t)

# for crl publishing

allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };

# for ECC

auth_getattr_shadow(pki_tomcat_t)

optional_policy(`

        consoletype_exec(pki_tomcat_t)

')

optional_policy(`

	dirsrv_manage_var_lib(pki_tomcat_t)

')

optional_policy(`

        hostname_exec(pki_tomcat_t)

')

#######################################

#

# tps local policy

#

# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment

allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};

corenet_tcp_bind_pki_tps_port(pki_tps_t)

# customer may run an ldap server on 389

corenet_tcp_connect_ldap_port(pki_tps_t)

# connect to other subsystems

corenet_tcp_connect_pki_ca_port(pki_tps_t)

corenet_tcp_connect_pki_kra_port(pki_tps_t)

corenet_tcp_connect_pki_tks_port(pki_tps_t)

files_exec_usr_files(pki_tps_t)

# why do I need to add this?

#allow httpd_t httpd_config_t:file execute;

######################################

#

# ra local policy

#

#  RA specific? talking to mysql?

allow pki_ra_t self:udp_socket { write read create connect };

allow pki_ra_t self:unix_dgram_socket { write create connect };

corenet_tcp_bind_pki_ra_port(pki_ra_t)

# talk to other subsystems

corenet_tcp_connect_pki_ca_port(pki_ra_t)

corenet_tcp_connect_smtp_port(pki_ra_t)

fs_getattr_xattr_fs(pki_ra_t)

files_search_spool(pki_ra_t)

files_exec_usr_files(pki_ra_t)

optional_policy(`

	mta_send_mail(pki_ra_t)

	mta_manage_spool(pki_ra_t)

	mta_manage_queue(pki_ra_t)

	mta_read_config(pki_ra_t)

')

#####################################

#

# pki_apache_domain local policy

#

allow pki_apache_domain self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};

allow pki_apache_domain self:process { setsched signal getsched  signull execstack execmem sigkill};

allow pki_apache_domain self:sem all_sem_perms;

allow pki_apache_domain self:tcp_socket create_stream_socket_perms;

allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };

# allow writing to the kernel keyring

allow pki_apache_domain self:key { write read };

## internal communication is often done using fifo and unix sockets.

allow pki_apache_domain self:fifo_file rw_file_perms;

allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;

# talk to the hsm

allow pki_apache_domain pki_common_dev_t:sock_file write;

allow pki_apache_domain pki_common_dev_t:dir search;

allow pki_apache_domain pki_common_t:dir create_dir_perms;

manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)

can_exec(pki_apache_domain, pki_common_t)

init_stream_connect_script(pki_apache_domain)

corenet_sendrecv_unlabeled_packets(pki_apache_domain)

corenet_tcp_bind_all_nodes(pki_apache_domain)

corenet_tcp_sendrecv_all_if(pki_apache_domain)

corenet_tcp_sendrecv_all_nodes(pki_apache_domain)

corenet_tcp_sendrecv_all_ports(pki_apache_domain)

#corenet_all_recvfrom_unlabeled(pki_apache_domain)

corenet_tcp_connect_generic_port(pki_apache_domain)

# Init script handling

domain_use_interactive_fds(pki_apache_domain)

seutil_exec_setfiles(pki_apache_domain)

init_dontaudit_write_utmp(pki_apache_domain)

libs_use_ld_so(pki_apache_domain)

libs_use_shared_libs(pki_apache_domain)

libs_exec_ld_so(pki_apache_domain)

libs_exec_lib_files(pki_apache_domain)

fs_search_cgroup_dirs(pki_apache_domain)

corecmd_exec_bin(pki_apache_domain)

corecmd_exec_shell(pki_apache_domain)

dev_read_urand(pki_apache_domain)

dev_read_rand(pki_apache_domain)

# shutdown script uses ps

domain_dontaudit_read_all_domains_state(pki_apache_domain)

ps_process_pattern(pki_apache_domain, pki_apache_domain)

sysnet_read_config(pki_apache_domain)

ifdef(`targeted_policy',`

	term_dontaudit_use_unallocated_ttys(pki_apache_domain)

	term_dontaudit_use_generic_ptys(pki_apache_domain)

')

optional_policy(`

	# apache permissions

	apache_exec_modules(pki_apache_domain)

	apache_list_modules(pki_apache_domain)

	apache_read_config(pki_apache_domain)

	apache_exec(pki_apache_domain)

	apache_entrypoint(pki_apache_domain)

	# should be started using a script which will execute httpd

	# start up httpd in pki_apache_domain mode

	#can_exec(pki_apache_domain, httpd_config_t)

	#can_exec(pki_apache_domain, httpd_suexec_exec_t)

')

# allow rpm -q in init scripts

optional_policy(`

	rpm_exec(pki_apache_domain)

')