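policy_module(pki,10.0.11)

########################################
#
# Declarations
#
# Type/attribute declarations for the Dogtag PKI subsystems. The tomcat-based
# subsystems (ca/kra/ocsp/tks) share one domain, pki_tomcat_t; the apache-based
# ones (tps/ra) are stamped out by pki_apache_template() and grouped under
# the pki_apache_* attributes so the shared rules below apply to all of them.
#

attribute pki_apache_domain;
attribute pki_apache_config;
attribute pki_apache_executable;
attribute pki_apache_var_lib;
attribute pki_apache_var_log;
attribute pki_apache_var_run;
attribute pki_apache_pidfiles;
attribute pki_apache_script;

# Log area; the tomcat domain only gets search on it (see local policy).
type pki_log_t;
files_type(pki_log_t)

# Files shared across subsystems. Note that both pki_tomcat_t and
# pki_apache_domain get manage AND exec on this type (see local policy),
# i.e. a domain can write a file of this label and then execute it.
type pki_common_t;
files_type(pki_common_t)

# Device-side sockets for the HSM; domains get dir search + sock_file write only.
type pki_common_dev_t;
files_type(pki_common_dev_t)

# Writable configuration of the tomcat subsystems.
type pki_tomcat_etc_rw_t;
files_type(pki_tomcat_etc_rw_t)

# Certificate store managed by pki_tomcat_t.
type pki_tomcat_cert_t;
files_type(pki_tomcat_cert_t)

# Presumably declares pki_tomcat_t together with pki_tomcat_var_lib_t,
# pki_tomcat_var_run_t and pki_tomcat_log_t, which the typealiases below
# reference -- confirm against the tomcat module's template.
tomcat_domain_template(pki_tomcat)

type pki_tomcat_unit_file_t;
systemd_unit_file(pki_tomcat_unit_file_t)

type pki_tomcat_lock_t;
files_lock_file(pki_tomcat_lock_t)

# old type aliases for migration
# The former per-subsystem types resolve to the shared pki_tomcat_* types, so
# files still carrying the old labels are treated as the shared type and all
# four subsystems run in the single pki_tomcat_t domain.
typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };

# pki policy types
type pki_tps_tomcat_exec_t;
files_type(pki_tps_tomcat_exec_t)

pki_apache_template(pki_tps)

# ra policy types
type pki_ra_tomcat_exec_t;
files_type(pki_ra_tomcat_exec_t)

pki_apache_template(pki_ra)

# needed for dogtag 9 style instances
type pki_tomcat_script_t;
domain_type(pki_tomcat_script_t)
role system_r types pki_tomcat_script_t;

# NOTE(review): unconfined_domain() strips essentially all confinement from
# pki_tomcat_script_t whenever the unconfined module is loaded, so anything
# that ends up in this domain runs unconfined. The comment above ties it to
# dogtag 9 style instances; worth re-checking whether those are still
# supported and whether this block can be dropped.
optional_policy(`
	unconfined_domain(pki_tomcat_script_t)
')
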
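########################################
#
# pki-tomcat local policy
#
# Rules for the shared tomcat domain (ca/kra/ocsp/tks). Only pki_tomcat_t
# itself is the subject here; the apache-based subsystems are handled in the
# pki_apache_domain section further down.
#

# dac_override bypasses discretionary file permission checks; the
# setuid/setgid/chown/fowner/fsetid set is ownership management.
# audit_write pairs with the netlink_audit_socket and
# logging_send_audit_msgs() rules below: the subsystem emits its own audit records.
allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid };
# execmem permits anonymous executable memory mappings (presumably for the
# JVM's JIT); it weakens W^X for this domain, so keep it confined to this rule.
allow pki_tomcat_t self:process { signal setsched signull execmem };

allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
allow pki_tomcat_t self:tcp_socket { accept listen };

# allow writing to the kernel keyring
allow pki_tomcat_t self:key { write read };

manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)

manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)

manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })

# Read access to its own unit files is expected; setattr on them lets the
# running daemon change mode/ownership of its own systemd units.
# NOTE(review): confirm setattr is actually needed at runtime rather than
# only at instance creation time.
read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
systemd_search_unit_dirs(pki_tomcat_t)

# allow java subsystems to talk to the ncipher hsm
allow pki_tomcat_t pki_common_dev_t:sock_file write;
allow pki_tomcat_t pki_common_dev_t:dir search;
# NOTE(review): manage_files_pattern + can_exec on the same type means the
# domain can write a pki_common_t file and then execute it in its own
# context. If the executables are a fixed set, a separate exec-only type
# would remove that write-then-execute path.
allow pki_tomcat_t pki_common_t:dir create_dir_perms;
manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
can_exec(pki_tomcat_t, pki_common_t)
init_stream_connect_script(pki_tomcat_t)

# search only; log files themselves are covered by pki_tomcat_log_t
search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)

kernel_read_kernel_sysctls(pki_tomcat_t)

# Outbound connections are limited to named ports (http cache, ldap, smtp,
# and the CA port for inter-subsystem calls) rather than generic ports.
corenet_tcp_connect_http_cache_port(pki_tomcat_t)
corenet_tcp_connect_ldap_port(pki_tomcat_t)
corenet_tcp_connect_smtp_port(pki_tomcat_t)
corenet_tcp_connect_pki_ca_port(pki_tomcat_t)

selinux_get_enforce_mode(pki_tomcat_t)

logging_send_audit_msgs(pki_tomcat_t)

miscfiles_read_hwdata(pki_tomcat_t)

# is this really needed?
# (manage on user tmp dirs/files is broader than a daemon normally needs;
# a private tmp type would be the usual replacement)
userdom_manage_user_tmp_dirs(pki_tomcat_t)
userdom_manage_user_tmp_files(pki_tomcat_t)

# forward proxy
# need to define ports to fix this
#corenet_tcp_connect_pki_tomcat_port(httpd_t)

# for crl publishing
allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };

# for ECC
# getattr only -- this does not grant read on the shadow file.
auth_getattr_shadow(pki_tomcat_t)

optional_policy(`
	consoletype_exec(pki_tomcat_t)
')

optional_policy(`
	dirsrv_manage_var_lib(pki_tomcat_t)
')

optional_policy(`
	hostname_exec(pki_tomcat_t)
')
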
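#######################################
#
# tps local policy
#
# pki_tps_t is created by pki_apache_template(pki_tps) above and therefore
# also receives every pki_apache_domain rule in the last section.
#

# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
# execute_no_trans runs the CGI in pki_tps_t itself rather than transitioning.
# NOTE(review): if the template also grants write on pki_tps_var_lib_t, this
# rule gives the domain write+execute on the same label; a dedicated exec
# type for the CGI scripts would keep content and code separate.
allow pki_tps_t pki_tps_var_lib_t:file { execute execute_no_trans };

corenet_tcp_bind_pki_tps_port(pki_tps_t)
# customer may run an ldap server on 389
corenet_tcp_connect_ldap_port(pki_tps_t)
# connect to other subsystems
corenet_tcp_connect_pki_ca_port(pki_tps_t)
corenet_tcp_connect_pki_kra_port(pki_tps_t)
corenet_tcp_connect_pki_tks_port(pki_tps_t)

files_exec_usr_files(pki_tps_t)

# why do I need to add this?
#allow httpd_t httpd_config_t:file execute;
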
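######################################
#
# ra local policy
#
# pki_ra_t is created by pki_apache_template(pki_ra) above and also receives
# the shared pki_apache_domain rules in the last section.
#

# RA specific? talking to mysql?
allow pki_ra_t self:udp_socket { write read create connect };
allow pki_ra_t self:unix_dgram_socket { write create connect };

corenet_tcp_bind_pki_ra_port(pki_ra_t)
# talk to other subsystems
corenet_tcp_connect_pki_ca_port(pki_ra_t)
corenet_tcp_connect_smtp_port(pki_ra_t)

fs_getattr_xattr_fs(pki_ra_t)

files_search_spool(pki_ra_t)
files_exec_usr_files(pki_ra_t)

# Mail sending: manage on the spool and queue is needed only if the RA
# hands mail to the MTA through the spool rather than via sendmail.
optional_policy(`
	mta_send_mail(pki_ra_t)
	mta_manage_spool(pki_ra_t)
	mta_manage_queue(pki_ra_t)
	mta_read_config(pki_ra_t)
')
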
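#####################################
#
# pki_apache_domain local policy
#
# Shared rules for every domain carrying the pki_apache_domain attribute
# (pki_tps_t and pki_ra_t as declared above).
#

# kill in addition to the ownership-management set; dac_override bypasses
# discretionary file permission checks.
allow pki_apache_domain self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown };
# execstack and execmem both relax W^X for the domain (executable stack and
# anonymous executable mappings); keep them here rather than widening them.
allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill };

allow pki_apache_domain self:sem all_sem_perms;
allow pki_apache_domain self:tcp_socket create_stream_socket_perms;
allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };

# allow writing to the kernel keyring
allow pki_apache_domain self:key { write read };

## internal communication is often done using fifo and unix sockets.
allow pki_apache_domain self:fifo_file rw_file_perms;
allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;

# talk to the hsm
allow pki_apache_domain pki_common_dev_t:sock_file write;
allow pki_apache_domain pki_common_dev_t:dir search;
# NOTE(review): as with pki_tomcat_t, manage + can_exec on pki_common_t lets
# the domain write a file and then execute it in its own context.
allow pki_apache_domain pki_common_t:dir create_dir_perms;
manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
can_exec(pki_apache_domain, pki_common_t)
init_stream_connect_script(pki_apache_domain)

# Network scope: this is broad -- all nodes/interfaces/ports for send/recv
# plus connect to any generic port, unlike pki_tomcat_t which is limited to
# named ports. If the apache subsystems only talk to ldap/smtp/pki ports,
# the per-port interfaces would be the tighter choice.
corenet_sendrecv_unlabeled_packets(pki_apache_domain)
corenet_tcp_bind_all_nodes(pki_apache_domain)
corenet_tcp_sendrecv_all_if(pki_apache_domain)
corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
corenet_tcp_sendrecv_all_ports(pki_apache_domain)
#corenet_all_recvfrom_unlabeled(pki_apache_domain)
corenet_tcp_connect_generic_port(pki_apache_domain)

# Init script handling
domain_use_interactive_fds(pki_apache_domain)

# Lets the service domain run setfiles (file-context restore); if only the
# init script needs it, scoping it to that path would be tighter.
seutil_exec_setfiles(pki_apache_domain)

init_dontaudit_write_utmp(pki_apache_domain)

libs_use_ld_so(pki_apache_domain)
libs_use_shared_libs(pki_apache_domain)
libs_exec_ld_so(pki_apache_domain)
libs_exec_lib_files(pki_apache_domain)

fs_search_cgroup_dirs(pki_apache_domain)

corecmd_exec_bin(pki_apache_domain)
corecmd_exec_shell(pki_apache_domain)

dev_read_urand(pki_apache_domain)
dev_read_rand(pki_apache_domain)

# shutdown script uses ps
# dontaudit keeps the ps scan of other domains' /proc state quiet without
# granting it; ps_process_pattern grants it for the domain's own processes.
domain_dontaudit_read_all_domains_state(pki_apache_domain)
ps_process_pattern(pki_apache_domain, pki_apache_domain)

sysnet_read_config(pki_apache_domain)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(pki_apache_domain)
	term_dontaudit_use_generic_ptys(pki_apache_domain)
')

optional_policy(`
	# apache permissions
	apache_exec_modules(pki_apache_domain)
	apache_list_modules(pki_apache_domain)
	apache_read_config(pki_apache_domain)
	apache_exec(pki_apache_domain)
	apache_entrypoint(pki_apache_domain)

	# should be started using a script which will execute httpd
	# start up httpd in pki_apache_domain mode
	#can_exec(pki_apache_domain, httpd_config_t)
	#can_exec(pki_apache_domain, httpd_suexec_exec_t)
')

# allow rpm -q in init scripts
optional_policy(`
	rpm_exec(pki_apache_domain)
')
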