policy_module(pki,10.0.11)

# SELinux policy module for the pki (Dogtag) services.
#
# Two families of domain are confined here:
#  - the tomcat-based subsystems, which all run as the single domain
#    pki_tomcat_t created by tomcat_domain_template() below (the legacy
#    CA/KRA/OCSP/TKS domains are kept only as aliases of it);
#  - the apache-based TPS and RA services, created by pki_apache_template()
#    and grouped under the pki_apache_domain attribute.
#
# The templates and every *_interface called from this file are defined in
# the corresponding .if files, which are not part of this listing; whatever
# they grant on their own is in addition to the rules written out here.

########################################
#
# Declarations
#

# Attributes shared by all apache-based pki domains.  They are presumably
# populated by pki_apache_template() (defined in pki.if, not shown here);
# rules written against pki_apache_domain apply to every member at once.
attribute pki_apache_domain;
attribute pki_apache_config;
attribute pki_apache_executable;
attribute pki_apache_var_lib;
attribute pki_apache_var_log;
attribute pki_apache_var_run;
attribute pki_apache_pidfiles;
attribute pki_apache_script;

# Plain file types; files_type() attaches the generic file_type attribute.
type pki_log_t;
files_type(pki_log_t)

# pki_common_t / pki_common_dev_t are the files and device sockets used for
# the HSM integration (see the "talk to the hsm" rules below).  Note that
# pki_common_t is both written and executed by the service domains.
type pki_common_t;
files_type(pki_common_t)

type pki_common_dev_t;
files_type(pki_common_dev_t)

# Writable configuration and certificate stores of the tomcat subsystems.
type pki_tomcat_etc_rw_t;
files_type(pki_tomcat_etc_rw_t)

type pki_tomcat_cert_t;
files_type(pki_tomcat_cert_t)

# Declares pki_tomcat_t and, judging by the typealiases below which
# reference them without a declaration here, pki_tomcat_var_lib_t,
# pki_tomcat_var_run_t and pki_tomcat_log_t as well.
tomcat_domain_template(pki_tomcat)

type pki_tomcat_unit_file_t;
systemd_unit_file(pki_tomcat_unit_file_t)

type pki_tomcat_lock_t;
files_lock_file(pki_tomcat_lock_t)

# old type aliases for migration
#
# NOTE(review): every legacy per-subsystem type is an alias of the one
# shared pki_tomcat_* type, so SELinux no longer separates a CA from a
# KRA, OCSP or TKS instance on the same host: a compromise of one
# subsystem process has MAC access to the files of all of them.  Any
# separation between subsystems has to come from elsewhere.
typealias pki_tomcat_t alias { pki_ca_t pki_kra_t pki_ocsp_t pki_tks_t };
typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_etc_rw_t pki_tks_etc_rw_t };
typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };

# pki policy types
# TPS: apache-based; pki_apache_template(pki_tps) presumably creates
# pki_tps_t and the pki_tps_* file types used below.
type pki_tps_tomcat_exec_t;
files_type(pki_tps_tomcat_exec_t)
pki_apache_template(pki_tps)

# ra policy types
# RA: apache-based; same template, creates pki_ra_t and pki_ra_* types.
type pki_ra_tomcat_exec_t;
files_type(pki_ra_tomcat_exec_t)
pki_apache_template(pki_ra)

# needed for dogtag 9 style instances
#
# NOTE(review): when the unconfined module is available, pki_tomcat_script_t
# becomes an unconfined domain, i.e. nothing in this policy restricts a
# process running in it.  No transition rule into this domain appears in
# this file, so where it is entered from has to be checked in pki.if / the
# file contexts before relying on the confinement of the other domains.
type pki_tomcat_script_t;
domain_type(pki_tomcat_script_t)
role system_r types pki_tomcat_script_t;

optional_policy(`
	unconfined_domain(pki_tomcat_script_t)
')

########################################
#
# pki-tomcat local policy
#

# dac_override lets the domain bypass ordinary file permission bits, and
# fowner/fsetid/chown let it take over and re-mode files it can reach;
# audit_write pairs with the netlink_audit_socket rule below.
allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};

# execmem allows writable+executable anonymous mappings (presumably for the
# JVM JIT); it weakens W^X for this domain.
allow pki_tomcat_t self:process { signal setsched signull execmem };

# Emit user-space audit records (nlmsg_relay) - see logging_send_audit_msgs.
allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };

# Listening sockets; the ports it may bind are not granted in this file and
# presumably come from the tomcat template.
allow pki_tomcat_t self:tcp_socket { accept listen };

# allow writing to the kernel keyring
allow pki_tomcat_t self:key { write read };

# Full create/write/delete over its own configuration and certificate
# stores.  Nothing here limits writes to pki_tomcat_cert_t to a setup
# phase, so the running service can replace its own trust material.
manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)

# Lock files, including symlinks, created under the generic lock dir with
# the pki_tomcat_lock_t label.
manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
files_lock_filetrans(pki_tomcat_t, pki_tomcat_lock_t, { dir file lnk_file })

# Read its own systemd unit files.  setattr on a unit file is unusual for a
# service; only setattr, not write, is granted here.
read_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t,pki_tomcat_unit_file_t)
read_lnk_files_pattern(pki_tomcat_t, pki_tomcat_unit_file_t, pki_tomcat_unit_file_t)
allow pki_tomcat_t pki_tomcat_unit_file_t:file setattr;
allow pki_tomcat_t pki_tomcat_unit_file_t:lnk_file setattr;
systemd_search_unit_dirs(pki_tomcat_t)

# allow java subsystems to talk to the ncipher hsm
allow pki_tomcat_t pki_common_dev_t:sock_file write;
allow pki_tomcat_t pki_common_dev_t:dir search;
allow pki_tomcat_t pki_common_t:dir create_dir_perms;

# NOTE(review): manage_files_pattern plus can_exec on the same type means
# the domain may create a pki_common_t file and then execute it - a
# write-then-execute path inside the domain.  If executable HSM helpers
# need to be run, a separate read-only exec type would close this.
manage_files_pattern(pki_tomcat_t, pki_common_t, pki_common_t)
can_exec(pki_tomcat_t, pki_common_t)

init_stream_connect_script(pki_tomcat_t)

search_dirs_pattern(pki_tomcat_t, pki_log_t, pki_log_t)

kernel_read_kernel_sysctls(pki_tomcat_t)

# Outbound connections only: http cache, ldap, smtp and the CA port.  No
# generic-port or all-ports rule is granted to this domain.
corenet_tcp_connect_http_cache_port(pki_tomcat_t)
corenet_tcp_connect_ldap_port(pki_tomcat_t)
corenet_tcp_connect_smtp_port(pki_tomcat_t)
corenet_tcp_connect_pki_ca_port(pki_tomcat_t)

selinux_get_enforce_mode(pki_tomcat_t)

logging_send_audit_msgs(pki_tomcat_t)

miscfiles_read_hwdata(pki_tomcat_t)

# is this really needed?
# These grant create/write/delete over the tmp types used by logged-in
# user sessions, i.e. the service shares a writable namespace with users.
userdom_manage_user_tmp_dirs(pki_tomcat_t)
userdom_manage_user_tmp_files(pki_tomcat_t)

# forward proxy
# need to define ports to fix this
#corenet_tcp_connect_pki_tomcat_port(httpd_t)

# for crl publishing
allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { rename create unlink };

# for ECC
# getattr only - reading the shadow file is not granted by this interface.
auth_getattr_shadow(pki_tomcat_t)

optional_policy(`
	consoletype_exec(pki_tomcat_t)
')

# NOTE(review): manage (not just read) over the directory server data on
# the same host; confirm the service really needs to write there.
optional_policy(`
	dirsrv_manage_var_lib(pki_tomcat_t)
')

optional_policy(`
	hostname_exec(pki_tomcat_t)
')

#######################################
#
# tps local policy
#

# used to serve cgi web pages under /var/lib/pki-tps, formatting, enrollment
#
# NOTE(review): execute_no_trans runs those files in pki_tps_t itself.  If
# pki_apache_template also lets pki_tps_t write pki_tps_var_lib_t (not
# visible in this file - TODO confirm in pki.if), this is a
# write-then-execute path for the web-facing domain.
allow pki_tps_t pki_tps_var_lib_t:file {execute execute_no_trans};

corenet_tcp_bind_pki_tps_port(pki_tps_t)

# customer may run an ldap server on 389
corenet_tcp_connect_ldap_port(pki_tps_t)

# connect to other subsystems
corenet_tcp_connect_pki_ca_port(pki_tps_t)
corenet_tcp_connect_pki_kra_port(pki_tps_t)
corenet_tcp_connect_pki_tks_port(pki_tps_t)

files_exec_usr_files(pki_tps_t)

# why do I need to add this?
#allow httpd_t httpd_config_t:file execute;

######################################
#
# ra local policy
#

# RA specific? talking to mysql?
# udp plus unix datagram sockets; nothing in this file pins down the
# consumer (connect on a unix_dgram_socket is what syslog-style logging
# presumably needs).
allow pki_ra_t self:udp_socket { write read create connect };
allow pki_ra_t self:unix_dgram_socket { write create connect };

corenet_tcp_bind_pki_ra_port(pki_ra_t)

# talk to other subsystems
corenet_tcp_connect_pki_ca_port(pki_ra_t)
corenet_tcp_connect_smtp_port(pki_ra_t)

fs_getattr_xattr_fs(pki_ra_t)

files_search_spool(pki_ra_t)
files_exec_usr_files(pki_ra_t)

# Mail: sending plus manage over the MTA spool and queue, which is broader
# than submission alone; confirm the RA needs to edit queued mail.
optional_policy(`
	mta_send_mail(pki_ra_t)
	mta_manage_spool(pki_ra_t)
	mta_manage_queue(pki_ra_t)
	mta_read_config(pki_ra_t)
')

#####################################
#
# pki_apache_domain local policy
#

# Applies to pki_tps_t and pki_ra_t (and any other member of the
# attribute).  As above, dac_override bypasses DAC permission checks; kill
# lets the domain signal processes it does not own.
allow pki_apache_domain self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};

# NOTE(review): execstack and execmem both weaken W^X; execstack (an
# executable stack) is rarely required and is worth re-checking against
# actual denials before keeping it on the web-facing domains.
allow pki_apache_domain self:process { setsched signal getsched signull execstack execmem sigkill};

allow pki_apache_domain self:sem all_sem_perms;
allow pki_apache_domain self:tcp_socket create_stream_socket_perms;

# Read the routing table (nlmsg_read); no write of routes is granted.
allow pki_apache_domain self:netlink_route_socket { write getattr read bind create nlmsg_read };

# allow writing to the kernel keyring
allow pki_apache_domain self:key { write read };

## internal communication is often done using fifo and unix sockets.
allow pki_apache_domain self:fifo_file rw_file_perms;
allow pki_apache_domain self:unix_stream_socket create_stream_socket_perms;

# talk to the hsm
allow pki_apache_domain pki_common_dev_t:sock_file write;
allow pki_apache_domain pki_common_dev_t:dir search;
allow pki_apache_domain pki_common_t:dir create_dir_perms;

# NOTE(review): same write-then-execute path on pki_common_t as for
# pki_tomcat_t above, here for the web-facing apache domains.
manage_files_pattern(pki_apache_domain, pki_common_t, pki_common_t)
can_exec(pki_apache_domain, pki_common_t)

init_stream_connect_script(pki_apache_domain)

# NOTE(review): the combination below - send/receive on all interfaces,
# nodes and ports, plus connect to the generic (unlabeled) ports and bind on
# all nodes - leaves TCP for these domains effectively unrestricted.  Only
# the subsystem-specific bind rules above (pki_tps_port, pki_ra_port) narrow
# which ports they listen on, and unlabeled packets are accepted as well.
corenet_sendrecv_unlabeled_packets(pki_apache_domain)
corenet_tcp_bind_all_nodes(pki_apache_domain)
corenet_tcp_sendrecv_all_if(pki_apache_domain)
corenet_tcp_sendrecv_all_nodes(pki_apache_domain)
corenet_tcp_sendrecv_all_ports(pki_apache_domain)
#corenet_all_recvfrom_unlabeled(pki_apache_domain)
corenet_tcp_connect_generic_port(pki_apache_domain)

# Init script handling
domain_use_interactive_fds(pki_apache_domain)
# Can execute setfiles; which files it may actually relabel depends on
# relabel rules that are not in this file.
seutil_exec_setfiles(pki_apache_domain)
init_dontaudit_write_utmp(pki_apache_domain)

libs_use_ld_so(pki_apache_domain)
libs_use_shared_libs(pki_apache_domain)
libs_exec_ld_so(pki_apache_domain)
libs_exec_lib_files(pki_apache_domain)

fs_search_cgroup_dirs(pki_apache_domain)

# Generic binaries and shells run in-domain (no transition).
corecmd_exec_bin(pki_apache_domain)
corecmd_exec_shell(pki_apache_domain)

dev_read_urand(pki_apache_domain)
dev_read_rand(pki_apache_domain)

# shutdown script uses ps
domain_dontaudit_read_all_domains_state(pki_apache_domain)
ps_process_pattern(pki_apache_domain, pki_apache_domain)

sysnet_read_config(pki_apache_domain)

ifdef(`targeted_policy',`
	term_dontaudit_use_unallocated_ttys(pki_apache_domain)
	term_dontaudit_use_generic_ptys(pki_apache_domain)
')

optional_policy(`
	# apache permissions
	# apache_entrypoint presumably makes the httpd executable an entry
	# point into these domains, so they are entered by running httpd.
	apache_exec_modules(pki_apache_domain)
	apache_list_modules(pki_apache_domain)
	apache_read_config(pki_apache_domain)
	apache_exec(pki_apache_domain)
	apache_entrypoint(pki_apache_domain)
	# should be started using a script which will execute httpd
	# start up httpd in pki_apache_domain mode
	#can_exec(pki_apache_domain, httpd_config_t)
	#can_exec(pki_apache_domain, httpd_suexec_exec_t)
')

# allow rpm -q in init scripts
optional_policy(`
	rpm_exec(pki_apache_domain)
')