policy_module(openca, 1.2.0)

########################################
#
# Declarations
#
# SELinux type-enforcement policy for the OpenCA certificate authority.
# This file declares the CA process domain and the file types it touches,
# then grants the domain access to them. The file contexts (openca.fc) and
# the interfaces callers use to enter the domain (openca.if) are not part of
# this listing -- presumably the entry to openca_ca_t is defined there.
#

# Domain for the CA process and the type of the executable that enters it.
type openca_ca_t;
type openca_ca_exec_t;
domain_type(openca_ca_t)
domain_entry_file(openca_ca_t, openca_ca_exec_t)
# Allow processes in the system_r role to run in the CA domain.
role system_r types openca_ca_t;

# cjp: seems like some of these types
# can be removed and replaced with generic
# etc or usr files.

# /etc/openca standard files (read-only for the CA domain, see the
# allow rules under "Local policy"); registered as a configuration file type.
type openca_etc_t;
files_config_file(openca_etc_t)

# /etc/openca template files.
# NOTE(review): no rule in this file references openca_etc_in_t; it is
# presumably used via openca.if or the file contexts -- confirm it is still
# needed before removing (cf. the cjp note above).
type openca_etc_in_t;
files_type(openca_etc_in_t)

# /etc/openca writeable (from CGI script) files.
# Separate type so that the CA domain may write these without gaining write
# access to the rest of the configuration labeled openca_etc_t.
type openca_etc_writeable_t;
files_type(openca_etc_writeable_t)

# /usr/share/openca program data (read-only for the CA domain).
# NOTE(review): the original comment here said "/usr/share/openca/crypto/keys",
# but the rules below grant only read access to this type and describe it as
# "other /usr/share/openca files"; check openca.fc for which paths actually
# carry this label.
type openca_usr_share_t;
files_type(openca_usr_share_t)

# /var/lib/openca (runtime state, fully managed by the CA domain)
type openca_var_lib_t;
files_type(openca_var_lib_t)

# /var/lib/openca/crypto/keys -- the CA private key material.
# Kept as its own type so the key directory is distinguishable from the rest
# of /var/lib/openca in policy and audit logs.
type openca_var_lib_keys_t;
files_type(openca_var_lib_keys_t)

########################################
#
# Local policy
#

# Allow access to other files under /etc/openca
# Read and directory listing only; the CA domain cannot modify its own
# static configuration.
allow openca_ca_t openca_etc_t:file read_file_perms;
allow openca_ca_t openca_etc_t:dir list_dir_perms;

# Allow access to writeable files under /etc/openca
manage_dirs_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t)
manage_files_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t)

# Allow access to other /var/lib/openca files
manage_dirs_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)
manage_files_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)

# Allow access to private CA key
# NOTE(review): the manage_* patterns grant create/write/delete as well as
# read on the CA private key, not just read. Confirm that key generation or
# rotation really happens inside openca_ca_t (e.g. during CA initialization
# through the web interface); if the domain only signs with an existing key,
# read_files_pattern / list_dir_perms would be the least-privilege choice and
# would keep a compromised CGI from overwriting or deleting the key.
manage_dirs_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t)
manage_files_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t)

# Allow access to other /usr/share/openca files
# Read-only: files, symlinks and directory listing.
read_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t)
read_lnk_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t)
allow openca_ca_t openca_usr_share_t:dir list_dir_perms;

# the perl executable will be able to run a perl script
# (execute general bin_t programs such as the perl interpreter)
corecmd_exec_bin(openca_ca_t)

# Read /dev/random; presumably for key and serial-number generation.
dev_read_rand(openca_ca_t)

# List directories carrying the default file type.
files_list_default(openca_ca_t)

# Inherit and use file descriptors from init and init scripts.
init_use_fds(openca_ca_t)
init_use_script_fds(openca_ca_t)

# Execute files under the library directories.
# NOTE(review): this is broader than plain library mapping; confirm which
# library-path executables OpenCA actually runs.
libs_exec_lib_files(openca_ca_t)

# Append-only access to the httpd logs (no read or truncate).
apache_append_log(openca_ca_t)
# Allow the script to return its output
# (read/write the httpd cache files used to pass CGI output back)
apache_rw_cache_files(openca_ca_t)