1 | ## <summary>Certmaster SSL certificate distribution service</summary> |
2 | ||
########################################
## <summary>
##	Execute a domain transition to run certmaster.
## </summary>
## <desc>
##	<p>
##	The caller is allowed to execute the certmaster
##	binary (certmaster_exec_t) and is automatically
##	transitioned into the certmaster_t domain. The
##	calling domain itself gains no certmaster
##	privileges; the new process is confined by
##	the certmaster_t rules (defined in certmaster.te).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`certmaster_domtrans',`
	gen_require(`
		type certmaster_t, certmaster_exec_t;
	')

	# Execute certmaster_exec_t with an automatic
	# domain transition $1 -> certmaster_t.
	domtrans_pattern($1, certmaster_exec_t, certmaster_t)
')

########################################
## <summary>
##	Execute certmaster in the caller domain.
## </summary>
## <desc>
##	<p>
##	Unlike certmaster_domtrans(), no domain transition
##	happens: certmaster runs with the caller's own
##	label and privileges, and the certmaster_t rules
##	do not apply to that process. Prefer
##	certmaster_domtrans() unless the caller is
##	deliberately meant to run certmaster unconfined
##	relative to this module.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmaster_exec',`
	gen_require(`
		type certmaster_exec_t;
	')

	# Execute without transition; the process stays in $1.
	can_exec($1, certmaster_exec_t)
	# Search permission on bin directories so the
	# executable path can be resolved.
	corecmd_search_bin($1)
')

########################################
## <summary>
##	Read certmaster logs.
## </summary>
## <desc>
##	<p>
##	Read-only access to files labeled
##	certmaster_var_log_t, plus search on the
##	generic log directories so the path to them
##	can be traversed. No write, append or delete
##	is granted.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmaster_read_log',`
	gen_require(`
		type certmaster_var_log_t;
	')

	# Read certmaster_var_log_t files inside
	# certmaster_var_log_t directories.
	read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
	# Traverse /var/log (generic log dir types) to reach them.
	logging_search_logs($1)
')

########################################
## <summary>
##	Append to certmaster logs.
## </summary>
## <desc>
##	<p>
##	Append-only access to files labeled
##	certmaster_var_log_t. The caller cannot read,
##	overwrite or remove existing log content, which
##	keeps the log usable as an audit trail; use
##	certmaster_manage_log() only where rotation or
##	deletion is actually required.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmaster_append_log',`
	gen_require(`
		type certmaster_var_log_t;
	')

	# Append (no read/write) to certmaster_var_log_t files.
	append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
	# Traverse /var/log (generic log dir types) to reach them.
	logging_search_logs($1)
')

########################################
## <summary>
##	Create, read, write, and delete
##	certmaster logs.
## </summary>
## <desc>
##	<p>
##	Full management of certmaster_var_log_t files
##	and symbolic links. Because this includes
##	unlink and write, a domain granted this access
##	can truncate or remove the certmaster audit
##	trail; restrict it to log-rotation and
##	administrative domains. Domains that only
##	need to write entries should use
##	certmaster_append_log() instead.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmaster_manage_log',`
	gen_require(`
		type certmaster_var_log_t;
	')

	# Create/read/write/delete regular files and symlinks
	# labeled certmaster_var_log_t.
	manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
	manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
	# Traverse /var/log (generic log dir types) to reach them.
	logging_search_logs($1)
')

########################################
## <summary>
##	All of the rules required to administrate
##	a certmaster environment.
## </summary>
## <desc>
##	<p>
##	Intended for an administrative user domain/role
##	pair. Grants: signalling and process inspection of
##	certmaster_t (ptrace only while the deny_ptrace
##	boolean is off), starting/stopping the service via
##	its init script with a role transition to system_r,
##	and full management of certmaster's configuration,
##	pid, log and state files. It also grants management
##	of the generic certificate directories and files, which
##	is not limited to certmaster's own data.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`certmaster_admin',`
	gen_require(`
		type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
		type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
	')

	# Send signals to, and inspect (ps-style) the running daemon.
	allow $1 certmaster_t:process signal_perms;
	ps_process_pattern($1, certmaster_t)

	# ptrace of the daemon is granted only in the "else"
	# branch, i.e. when the deny_ptrace boolean is disabled.
	tunable_policy(`deny_ptrace',`',`
		allow $1 certmaster_t:process ptrace;
	')

	# Run the init script and let the admin role enter
	# system_r for it. NOTE(review): `allow $2 system_r`
	# is a role-wide grant, not specific to certmaster.
	init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 certmaster_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_etc($1)
	# NOTE(review): these grant management of the generic
	# certificate dirs/files system-wide (not a certmaster
	# type). Confirm the admin role genuinely needs this
	# rather than access to certmaster-specific types only.
	miscfiles_manage_generic_cert_dirs($1)
	miscfiles_manage_generic_cert_files($1)

	# Manage certmaster configuration.
	admin_pattern($1, certmaster_etc_rw_t)

	# Manage the pid file.
	files_list_pids($1)
	admin_pattern($1, certmaster_var_run_t)

	# Manage the logs (includes delete).
	logging_list_logs($1)
	admin_pattern($1, certmaster_var_log_t)

	# Manage persistent state under /var/lib.
	files_list_var_lib($1)
	admin_pattern($1, certmaster_var_lib_t)
')