[people/stevee/selinux-policy.git] / policy / modules / services / openca.te

policy_module(openca, 1.2.0)

########################################
#
# Declarations
#

type openca_ca_t;
type openca_ca_exec_t;
domain_type(openca_ca_t)
domain_entry_file(openca_ca_t, openca_ca_exec_t)
role system_r types openca_ca_t;

# cjp: seems like some of these types
# can be removed and replaced with generic
# etc or usr files.

# /etc/openca standard files
type openca_etc_t;
files_config_file(openca_etc_t)

# /etc/openca template files
type openca_etc_in_t;
files_type(openca_etc_in_t)

# /etc/openca writeable (from CGI script) files
type openca_etc_writeable_t;
files_type(openca_etc_writeable_t)

# /usr/share/openca/crypto/keys
type openca_usr_share_t;
files_type(openca_usr_share_t)

# /var/lib/openca
type openca_var_lib_t;
files_type(openca_var_lib_t)

# /var/lib/openca/crypto/keys
type openca_var_lib_keys_t;
files_type(openca_var_lib_keys_t)

########################################
#
# Local policy
#

# Allow access to other files under /etc/openca
allow openca_ca_t openca_etc_t:file read_file_perms;
allow openca_ca_t openca_etc_t:dir list_dir_perms;

# Allow access to writeable files under /etc/openca
manage_dirs_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t)
manage_files_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t)

# Allow access to other /var/lib/openca files
manage_dirs_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)
manage_files_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)

# Allow access to private CA key
manage_dirs_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t)
manage_files_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t)

# Allow access to other /usr/share/openca files
read_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t)
read_lnk_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t)
allow openca_ca_t openca_usr_share_t:dir list_dir_perms;

# the perl executable will be able to run a perl script
corecmd_exec_bin(openca_ca_t)

dev_read_rand(openca_ca_t)

files_list_default(openca_ca_t)

init_use_fds(openca_ca_t)
init_use_script_fds(openca_ca_t)

libs_exec_lib_files(openca_ca_t)

apache_append_log(openca_ca_t)
# Allow the script to return its output
apache_rw_cache_files(openca_ca_t)
Commit	Line	Data
5d4f4b53	1	policy_module(openca, 1.2.0)
5bd9fd7b CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	type openca_ca_t;
	9	type openca_ca_exec_t;
	10	domain_type(openca_ca_t)
0bfccda4	11	domain_entry_file(openca_ca_t, openca_ca_exec_t)
5bd9fd7b CP	12	role system_r types openca_ca_t;
	13
	14	# cjp: seems like some of these types
	15	# can be removed and replaced with generic
	16	# etc or usr files.
	17
	18	# /etc/openca standard files
	19	type openca_etc_t;
6224fc14	20	files_config_file(openca_etc_t)
5bd9fd7b CP	21
	22	# /etc/openca template files
	23	type openca_etc_in_t;
	24	files_type(openca_etc_in_t)
	25
	26	# /etc/openca writeable (from CGI script) files
	27	type openca_etc_writeable_t;
	28	files_type(openca_etc_writeable_t)
	29
	30	# /usr/share/openca/crypto/keys
	31	type openca_usr_share_t;
	32	files_type(openca_usr_share_t)
	33
	34	# /var/lib/openca
	35	type openca_var_lib_t;
	36	files_type(openca_var_lib_t)
	37
	38	# /var/lib/openca/crypto/keys
	39	type openca_var_lib_keys_t;
	40	files_type(openca_var_lib_keys_t)
	41
	42	########################################
	43	#
	44	# Local policy
	45	#
	46
	47	# Allow access to other files under /etc/openca
c0868a7a CP	48	allow openca_ca_t openca_etc_t:file read_file_perms;
c0868a7a CP	49	allow openca_ca_t openca_etc_t:dir list_dir_perms;
5bd9fd7b CP	50
5bd9fd7b CP	51	# Allow access to writeable files under /etc/openca
0bfccda4 CP	52	manage_dirs_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t)
0bfccda4 CP	53	manage_files_pattern(openca_ca_t, openca_etc_writeable_t, openca_etc_writeable_t)
5bd9fd7b CP	54
5bd9fd7b CP	55	# Allow access to other /var/lib/openca files
0bfccda4 CP	56	manage_dirs_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)
0bfccda4 CP	57	manage_files_pattern(openca_ca_t, openca_var_lib_t, openca_var_lib_t)
5bd9fd7b CP	58
5bd9fd7b CP	59	# Allow access to private CA key
0bfccda4 CP	60	manage_dirs_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t)
0bfccda4 CP	61	manage_files_pattern(openca_ca_t, openca_var_lib_keys_t, openca_var_lib_keys_t)
5bd9fd7b CP	62
5bd9fd7b CP	63	# Allow access to other /usr/share/openca files
0bfccda4 CP	64	read_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t)
0bfccda4 CP	65	read_lnk_files_pattern(openca_ca_t, openca_usr_share_t, openca_usr_share_t)
c0868a7a	66	allow openca_ca_t openca_usr_share_t:dir list_dir_perms;
5bd9fd7b CP	67
	68	# the perl executable will be able to run a perl script
	69	corecmd_exec_bin(openca_ca_t)
	70
	71	dev_read_rand(openca_ca_t)
	72
	73	files_list_default(openca_ca_t)
	74
	75	init_use_fds(openca_ca_t)
	76	init_use_script_fds(openca_ca_t)
	77
5bd9fd7b CP	78	libs_exec_lib_files(openca_ca_t)
	79
	80	apache_append_log(openca_ca_t)
	81	# Allow the script to return its output
	82	apache_rw_cache_files(openca_ca_t)