1 ## <summary>Certmaster SSL certificate distribution service</summary>
3 ########################################
5 ## Execute a domain transition to run certmaster.
7 ## <param name="domain">
9 ## Domain allowed to transition.
13 interface(`certmaster_domtrans',`
15 type certmaster_t, certmaster_exec_t;
18 domtrans_pattern($1, certmaster_exec_t, certmaster_t)
21 ####################################
23 ## Execute certmaster in the caller domain.
25 ## <param name="domain">
27 ## Domain allowed access.
31 interface(`certmaster_exec',`
33 type certmaster_exec_t;
36 can_exec($1, certmaster_exec_t)
37 corecmd_search_bin($1)
40 #######################################
## Read certmaster logs.
44 ## <param name="domain">
46 ## Domain allowed access.
50 interface(`certmaster_read_log',`
52 type certmaster_var_log_t;
55 read_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
56 logging_search_logs($1)
59 #######################################
61 ## Append to certmaster logs.
63 ## <param name="domain">
65 ## Domain allowed access.
69 interface(`certmaster_append_log',`
71 type certmaster_var_log_t;
74 append_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
75 logging_search_logs($1)
78 #######################################
80 ## Create, read, write, and delete
83 ## <param name="domain">
85 ## Domain allowed access.
89 interface(`certmaster_manage_log',`
91 type certmaster_var_log_t;
94 manage_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
95 manage_lnk_files_pattern($1, certmaster_var_log_t, certmaster_var_log_t)
96 logging_search_logs($1)
99 ########################################
## All of the rules required to administrate
## a certmaster environment. Note that this
## grants the domain ptrace over certmaster_t
## (which allows reading the daemon's memory,
## including any private key material it holds)
## and manage access to the generic certificate
## directories and files, so it should only be
## granted to fully trusted administrative domains.
104 ## <param name="domain">
106 ## Domain allowed access.
109 ## <param name="role">
111 ## Role allowed access.
116 interface(`certmaster_admin',`
118 type certmaster_t, certmaster_var_run_t, certmaster_var_lib_t;
119 type certmaster_etc_rw_t, certmaster_var_log_t, certmaster_initrc_exec_t;
122 allow $1 certmaster_t:process { ptrace signal_perms };
123 ps_process_pattern($1, certmaster_t)
125 init_labeled_script_domtrans($1, certmaster_initrc_exec_t)
126 domain_system_change_exemption($1)
127 role_transition $2 certmaster_initrc_exec_t system_r;
131 miscfiles_manage_generic_cert_dirs($1)
132 miscfiles_manage_generic_cert_files($1)
134 admin_pattern($1, certmaster_etc_rw_t)
137 admin_pattern($1, certmaster_var_run_t)
139 logging_list_logs($1)
140 admin_pattern($1, certmaster_var_log_t)
142 files_list_var_lib($1)
143 admin_pattern($1, certmaster_var_lib_t)