[people/stevee/selinux-policy.git] / policy / modules / services / certmaster.if

## <summary>Certmaster SSL certificate distribution service</summary>

########################################
## <summary>
##	Execute a domain transition to run certmaster.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`certmaster_domtrans',`
	gen_require(`
		type certmaster_t, certmaster_exec_t;
	')

	domtrans_pattern($1, certmaster_exec_t, certmaster_t)
')

####################################
## <summary>
##	Execute certmaster in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmaster_exec',`
	gen_require(`
		type certmaster_exec_t;
	')

	can_exec($1, certmaster_exec_t)
	corecmd_search_bin($1)
')

#######################################
## <summary>
##	read certmaster logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmaster_read_log',`
	gen_require(`
		type certmaster_var_log_t;
	')

	read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
	logging_search_logs($1)
')

#######################################
## <summary>
##	Append to certmaster logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmaster_append_log',`
	gen_require(`
		type certmaster_var_log_t;
	')

	append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
	logging_search_logs($1)
')

#######################################
## <summary>
##	Create, read, write, and delete
##	certmaster logs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmaster_manage_log',`
	gen_require(`
		type certmaster_var_log_t;
	')

	manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
	manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
	logging_search_logs($1)
')

########################################
## <summary>
##	All of the rules required to administrate
##	an snort environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
## 	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`certmaster_admin',`
	gen_require(`
		type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
		type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
	')

	allow $1 certmaster_t:process signal_perms;
	ps_process_pattern($1, certmaster_t)

	tunable_policy(`deny_ptrace',`',`
		allow $1 certmaster_t:process ptrace;
	')

	init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 certmaster_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	miscfiles_manage_generic_cert_dirs($1)
	miscfiles_manage_generic_cert_files($1)

	admin_pattern($1, certmaster_etc_rw_t)

	files_list_pids($1)
	admin_pattern($1, certmaster_var_run_t)

	logging_list_logs($1)
	admin_pattern($1, certmaster_var_log_t)

	files_list_var_lib($1)
	admin_pattern($1, certmaster_var_lib_t)
')
Commit	Line	Data
3392356f CP	1	## <summary>Certmaster SSL certificate distribution service</summary>
	2
	3	########################################
	4	## <summary>
	5	## Execute a domain transition to run certmaster.
	6	## </summary>
	7	## <param name="domain">
c5eae5f8	8	## <summary>
3392356f	9	## Domain allowed to transition.
c5eae5f8	10	## </summary>
3392356f CP	11	## </param>
	12	#
	13	interface(`certmaster_domtrans',`
	14	gen_require(`
	15	type certmaster_t, certmaster_exec_t;
	16	')
	17
	18	domtrans_pattern($1, certmaster_exec_t, certmaster_t)
	19	')
	20
e9bf16d2 JS	21	####################################
	22	## <summary>
	23	## Execute certmaster in the caller domain.
	24	## </summary>
	25	## <param name="domain">
	26	## <summary>
	27	## Domain allowed access.
	28	## </summary>
	29	## </param>
	30	#
	31	interface(`certmaster_exec',`
	32	gen_require(`
	33	type certmaster_exec_t;
	34	')
	35
	36	can_exec($1, certmaster_exec_t)
	37	corecmd_search_bin($1)
	38	')
	39
3392356f CP	40	#######################################
3392356f CP	41	## <summary>
3f67f722	42	## read certmaster logs.
3392356f CP	43	## </summary>
3392356f CP	44	## <param name="domain">
3f67f722 CP	45	## <summary>
	46	## Domain allowed access.
	47	## </summary>
3392356f CP	48	## </param>
	49	#
	50	interface(`certmaster_read_log',`
3f67f722 CP	51	gen_require(`
	52	type certmaster_var_log_t;
	53	')
3392356f	54
3f67f722	55	read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
3392356f CP	56	logging_search_logs($1)
	57	')
	58
	59	#######################################
	60	## <summary>
3f67f722	61	## Append to certmaster logs.
3392356f CP	62	## </summary>
3392356f CP	63	## <param name="domain">
3f67f722 CP	64	## <summary>
	65	## Domain allowed access.
	66	## </summary>
3392356f CP	67	## </param>
	68	#
	69	interface(`certmaster_append_log',`
3f67f722 CP	70	gen_require(`
	71	type certmaster_var_log_t;
	72	')
3392356f	73
3f67f722	74	append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
3392356f CP	75	logging_search_logs($1)
	76	')
	77
	78	#######################################
	79	## <summary>
3f67f722 CP	80	## Create, read, write, and delete
3f67f722 CP	81	## certmaster logs.
3392356f CP	82	## </summary>
3392356f CP	83	## <param name="domain">
3f67f722 CP	84	## <summary>
	85	## Domain allowed access.
	86	## </summary>
3392356f CP	87	## </param>
	88	#
	89	interface(`certmaster_manage_log',`
3f67f722 CP	90	gen_require(`
	91	type certmaster_var_log_t;
	92	')
3392356f	93
3f67f722 CP	94	manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
3f67f722 CP	95	manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
3392356f CP	96	logging_search_logs($1)
	97	')
	98
	99	########################################
	100	## <summary>
e9bf16d2	101	## All of the rules required to administrate
3392356f CP	102	## an snort environment
	103	## </summary>
	104	## <param name="domain">
	105	## <summary>
	106	## Domain allowed access.
	107	## </summary>
	108	## </param>
	109	## <param name="role">
	110	## <summary>
3c484f5b	111	## Role allowed access.
3392356f CP	112	## </summary>
	113	## </param>
	114	## <rolecap/>
	115	#
	116	interface(`certmaster_admin',`
	117	gen_require(`
	118	type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
6bb4d401	119	type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
3392356f CP	120	')
3392356f CP	121
995bdbb1	122	allow $1 certmaster_t:process signal_perms;
3392356f CP	123	ps_process_pattern($1, certmaster_t)
3392356f CP	124
995bdbb1	125	tunable_policy(`deny_ptrace',`',`
	126	allow $1 certmaster_t:process ptrace;
	127	')
	128
3392356f CP	129	init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
	130	domain_system_change_exemption($1)
	131	role_transition $2 certmaster_initrc_exec_t system_r;
	132	allow $2 system_r;
	133
	134	files_list_etc($1)
c5eae5f8 DG	135	miscfiles_manage_generic_cert_dirs($1)
c5eae5f8 DG	136	miscfiles_manage_generic_cert_files($1)
3392356f CP	137
	138	admin_pattern($1, certmaster_etc_rw_t)
	139
	140	files_list_pids($1)
	141	admin_pattern($1, certmaster_var_run_t)
	142
	143	logging_list_logs($1)
	144	admin_pattern($1, certmaster_var_log_t)
c0f5fa01	145
3392356f CP	146	files_list_var_lib($1)
	147	admin_pattern($1, certmaster_var_lib_t)
	148	')