# Reference-policy module header: module name and version.
policy_module(pki,10.0.11)

########################################
#
# Declarations
#

# Attributes shared by the Apache-based subsystem domains declared further
# down via pki_apache_template() (pki_tps, pki_ra). Every rule below that is
# written against pki_apache_domain applies to all domains carrying the
# attribute, so a permission added there is granted to each such subsystem.
# NOTE(review): the template itself is not in this file (presumably pki.if);
# confirm which attribute each generated type is assigned to.
attribute pki_apache_domain;
attribute pki_apache_config;
attribute pki_apache_executable;
attribute pki_apache_var_lib;
attribute pki_apache_var_log;
attribute pki_apache_var_run;
attribute pki_apache_pidfiles;
attribute pki_apache_script;

# Log directory type. Within this file pki_tomcat_t only searches it
# (search_dirs_pattern below); no write access is granted here.
type pki_log_t;
files_type(pki_log_t)

# Files and device nodes used to reach the HSM (see the "ncipher hsm" rules
# in the pki-tomcat section). pki_common_t is both written and executed by
# the PKI domains below.
type pki_common_t;
files_type(pki_common_t)

type pki_common_dev_t;
files_type(pki_common_dev_t)

# Writable configuration for the tomcat-based subsystems; fully managed
# (create/write/delete) by pki_tomcat_t.
type pki_tomcat_etc_rw_t;
files_type(pki_tomcat_etc_rw_t)

# Certificate material for the tomcat-based subsystems; also fully managed
# by pki_tomcat_t.
type pki_tomcat_cert_t;
files_type(pki_tomcat_cert_t)

# Declares the pki_tomcat_t domain and its companion types
# (pki_tomcat_var_lib_t, pki_tomcat_var_run_t, pki_tomcat_log_t are
# referenced below but not declared in this file, so presumably they
# come from this template -- confirm against tomcat.if).
tomcat_domain_template(pki_tomcat)

# systemd unit file type for the tomcat instances.
type pki_tomcat_unit_file_t;
systemd_unit_file(pki_tomcat_unit_file_t)

type pki_tomcat_lock_t;
files_lock_file(pki_tomcat_lock_t)

# old type aliases for migration
# A typealias makes the old name refer to the same type, so the former
# per-subsystem domains (ca, kra, ocsp, tks) now all run as pki_tomcat_t:
# there is no longer a type-enforcement boundary between those subsystems.
typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
# Port aliases intentionally left disabled; the per-subsystem port types
# are still referenced by the corenet_tcp_connect_pki_*_port() calls below.
# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };


# pki policy types
type pki_tps_tomcat_exec_t;
files_type(pki_tps_tomcat_exec_t)

# Instantiates the pki_tps_t domain (and related types) on the
# pki_apache_* attributes above.
pki_apache_template(pki_tps)

# ra policy types
type pki_ra_tomcat_exec_t;
files_type(pki_ra_tomcat_exec_t)

# Instantiates the pki_ra_t domain on the same attributes.
pki_apache_template(pki_ra)

# needed for dogtag 9 style instances
type pki_tomcat_script_t;
domain_type(pki_tomcat_script_t)
role system_r types pki_tomcat_script_t;

# NOTE(review): unconfined_domain() grants the script domain essentially
# unrestricted access whenever the unconfined module is loaded, so
# pki_tomcat_script_t is not actually confined by this policy. Worth
# re-checking whether the Dogtag 9 style instances this exists for are
# still supported; if not, this block could be dropped.
optional_policy(`
             unconfined_domain(pki_tomcat_script_t)
')

########################################
#
# pki-tomcat local policy
#

# Process capabilities. dac_override lets the domain bypass file-mode
# checks; setuid/setgid/chown/fowner/fsetid are needed for changing
# identity and ownership of files it creates. audit_write pairs with the
# netlink_audit_socket rule and logging_send_audit_msgs() below.
allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
# execmem permits writable+executable anonymous mappings; presumably
# required by the JVM's JIT -- confirm, since it weakens W^X for the domain.
allow pki_tomcat_t self:process { signal setsched signull execmem };

allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
allow pki_tomcat_t self:tcp_socket { accept listen };

# allow writing to the kernel keyring
allow pki_tomcat_t self:key { write read };

# Full management of its own writable config and certificate stores.
manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)

manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)

# Lock files: manage them and label anything created in the lock directory
# (dirs, files, symlinks) as pki_tomcat_lock_t via the filetrans rule.
manage_dirs_pattern(pki_tomcat_t,  pki_tomcat_lock_t,  pki_tomcat_lock_t)
manage_files_pattern(pki_tomcat_t,  pki_tomcat_lock_t,  pki_tomcat_lock_t)
manage_lnk_files_pattern(pki_tomcat_t,  pki_tomcat_lock_t,  pki_tomcat_lock_t)
files_lock_filetrans(pki_tomcat_t,  pki_tomcat_lock_t, { dir file lnk_file })

# Unit files: read-only plus setattr (no write permission is granted, so
# the domain can change attributes but not content of its own unit files).
read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)
read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
systemd_search_unit_dirs(pki_tomcat_t)

# allow java subsystems to talk to the ncipher hsm
allow pki_tomcat_t pki_common_dev_t:sock_file write;
allow pki_tomcat_t pki_common_dev_t:dir search;
allow pki_tomcat_t pki_common_t:dir create_dir_perms;
# NOTE(review): manage_files_pattern grants create/write on pki_common_t
# and can_exec grants execute on the same type, so the domain can write a
# file and then execute it. If the HSM client needs only to run vendor
# binaries, consider a separate read-only exec type for them.
manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
can_exec(pki_tomcat_t, pki_common_t)
init_stream_connect_script(pki_tomcat_t)

# Only search (no read/write) on the pki_log_t directories.
search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)

kernel_read_kernel_sysctls(pki_tomcat_t)

# Outbound connections: HTTP cache, LDAP (directory server), SMTP
# (notifications) and the CA port (other subsystems).
corenet_tcp_connect_http_cache_port(pki_tomcat_t)
corenet_tcp_connect_ldap_port(pki_tomcat_t)
corenet_tcp_connect_smtp_port(pki_tomcat_t)
corenet_tcp_connect_pki_ca_port(pki_tomcat_t)

selinux_get_enforce_mode(pki_tomcat_t)

logging_send_audit_msgs(pki_tomcat_t)

miscfiles_read_hwdata(pki_tomcat_t)

# is this really needed?
# NOTE(review): this gives the service domain full control over users'
# tmp dirs/files; if unused, dropping it would shrink the domain's reach.
userdom_manage_user_tmp_dirs(pki_tomcat_t)
userdom_manage_user_tmp_files(pki_tomcat_t)

# forward proxy
# need to define ports to fix this
#corenet_tcp_connect_pki_tomcat_port(httpd_t)

# for crl publishing
# Symlink-only access on var_lib (rename/create/unlink, no read).
allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };

# for ECC
# getattr only -- this does not permit reading /etc/shadow contents.
# NOTE(review): why ECC support needs to stat the shadow file is not
# evident from here; worth confirming the need is still present.
auth_getattr_shadow(pki_tomcat_t)

optional_policy(`
        consoletype_exec(pki_tomcat_t)
')

# Full management of the directory server's var_lib when dirsrv is loaded.
optional_policy(`
	dirsrv_manage_var_lib(pki_tomcat_t)
')

optional_policy(`
        hostname_exec(pki_tomcat_t)
')

#######################################
#
# tps local policy
#

# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
# NOTE(review): this allows executing files out of the var_lib type; the
# pki_apache_var_lib rules (in the template, not shown here) presumably
# also make that type writable by the domain -- confirm, since together
# that is write+execute on the same type.
allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};

corenet_tcp_bind_pki_tps_port(pki_tps_t)
# customer may run an ldap server on 389
corenet_tcp_connect_ldap_port(pki_tps_t)
# connect to other subsystems
corenet_tcp_connect_pki_ca_port(pki_tps_t)
corenet_tcp_connect_pki_kra_port(pki_tps_t)
corenet_tcp_connect_pki_tks_port(pki_tps_t)

files_exec_usr_files(pki_tps_t)

# why do I need to add this?
# Left disabled: it would grant httpd_t execute on its own config type,
# which is broader than this module should decide.
#allow httpd_t httpd_config_t:file execute;

######################################
#
# ra local policy
#

#  RA specific? talking to mysql?
#  RA specific? talking to mysql?
# Unlike the other subsystems, the RA gets UDP and unix datagram sockets;
# the original author was unsure of the consumer (mysql?) -- confirm.
allow pki_ra_t self:udp_socket { write read create connect };
allow pki_ra_t self:unix_dgram_socket { write create connect };

corenet_tcp_bind_pki_ra_port(pki_ra_t)
# talk to other subsystems
corenet_tcp_connect_pki_ca_port(pki_ra_t)
# SMTP is also reachable directly, in addition to the mta_* rules below.
corenet_tcp_connect_smtp_port(pki_ra_t)

fs_getattr_xattr_fs(pki_ra_t)

files_search_spool(pki_ra_t)
files_exec_usr_files(pki_ra_t)

# Mail delivery through the local MTA: send, and manage its spool and
# queue directories. mta_manage_spool/queue is write access to another
# service's data; presumably required for queued notifications.
optional_policy(`
	mta_send_mail(pki_ra_t)
	mta_manage_spool(pki_ra_t)
	mta_manage_queue(pki_ra_t)
	mta_read_config(pki_ra_t)
')

#####################################
#
# pki_apache_domain local policy
#


# Rules in this section apply to every domain carrying the
# pki_apache_domain attribute (pki_tps_t and pki_ra_t from the templates).

# Capabilities: compared with pki_tomcat_t this set adds kill (signalling
# arbitrary processes as root) and drops audit_write.
allow pki_apache_domain self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};
# execstack and execmem together allow executable stacks and
# writable+executable mappings; presumably needed by a loaded module
# or JIT -- confirm which component requires them.
allow pki_apache_domain self:process { setsched signal getsched  signull execstack execmem sigkill};

allow pki_apache_domain self:sem all_sem_perms;
allow pki_apache_domain self:tcp_socket create_stream_socket_perms;
# netlink_route_socket read access is typical for interface/route lookups.
allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };

# allow writing to the kernel keyring
allow pki_apache_domain self:key { write read };

## internal communication is often done using fifo and unix sockets.
allow pki_apache_domain self:fifo_file rw_file_perms;
allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;

# talk to the hsm
allow pki_apache_domain pki_common_dev_t:sock_file write;
allow pki_apache_domain pki_common_dev_t:dir search;
allow pki_apache_domain pki_common_t:dir create_dir_perms;
# NOTE(review): same write+execute pattern on pki_common_t as in the
# pki-tomcat section -- manage grants create/write, can_exec grants
# execute on the same type.
manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
can_exec(pki_apache_domain, pki_common_t)
init_stream_connect_script(pki_apache_domain)

# Network scope is broad here: unlabeled packets, bind to all nodes, and
# send/receive on all interfaces, nodes and ports. Listening ports are
# still restricted by the per-subsystem corenet_tcp_bind_pki_*_port()
# rules, but connect_generic_port allows outbound connections to any
# port carrying the generic port type.
corenet_sendrecv_unlabeled_packets(pki_apache_domain)
corenet_tcp_bind_all_nodes(pki_apache_domain)
corenet_tcp_sendrecv_all_if(pki_apache_domain)
corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
corenet_tcp_sendrecv_all_ports(pki_apache_domain)
#corenet_all_recvfrom_unlabeled(pki_apache_domain)
corenet_tcp_connect_generic_port(pki_apache_domain)

# Init script handling
domain_use_interactive_fds(pki_apache_domain)

# Allows running setfiles, i.e. relabeling files. NOTE(review): this is
# a powerful tool for a service domain; confirm it is still used by the
# init/setup scripts.
seutil_exec_setfiles(pki_apache_domain)

init_dontaudit_write_utmp(pki_apache_domain)

libs_use_ld_so(pki_apache_domain)
libs_use_shared_libs(pki_apache_domain)
libs_exec_ld_so(pki_apache_domain)
libs_exec_lib_files(pki_apache_domain)

fs_search_cgroup_dirs(pki_apache_domain)

corecmd_exec_bin(pki_apache_domain)
corecmd_exec_shell(pki_apache_domain)

# Both /dev/random and /dev/urandom are readable (key generation).
dev_read_urand(pki_apache_domain)
dev_read_rand(pki_apache_domain)

# shutdown script uses ps
# Reading other domains' state is only dontaudited, not allowed; ps can
# still see processes in pki_apache_domain itself.
domain_dontaudit_read_all_domains_state(pki_apache_domain)
ps_process_pattern(pki_apache_domain, pki_apache_domain)

sysnet_read_config(pki_apache_domain)

# Silence tty/pty denials that only occur under the targeted policy.
ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(pki_apache_domain)
	term_dontaudit_use_generic_ptys(pki_apache_domain)
')

optional_policy(`
	# apache permissions
	apache_exec_modules(pki_apache_domain)
	apache_list_modules(pki_apache_domain)
	apache_read_config(pki_apache_domain)
	apache_exec(pki_apache_domain)
	# apache_entrypoint makes the httpd binary a valid entry point into
	# this domain, so the subsystem runs httpd as pki_tps_t/pki_ra_t
	# rather than httpd_t.
	apache_entrypoint(pki_apache_domain)

	# should be started using a script which will execute httpd
	# start up httpd in pki_apache_domain mode
	#can_exec(pki_apache_domain, httpd_config_t)
	#can_exec(pki_apache_domain, httpd_suexec_exec_t)
')

# allow rpm -q in init scripts
optional_policy(`
	rpm_exec(pki_apache_domain)
')