1 ## <summary>Certificate status monitor and PKI enrollment client</summary>
2
########################################
## <summary>
##	Execute a domain transition to run certmonger.
## </summary>
## <desc>
##	<p>
##	Grants the caller execute access on certmonger_exec_t and a
##	process transition into certmonger_t, via domtrans_pattern().
##	The caller does not gain any other certmonger permissions.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`certmonger_domtrans',`
	gen_require(`
		type certmonger_t, certmonger_exec_t;
	')

	# $1 = source domain, certmonger_exec_t = entrypoint, certmonger_t = target.
	# The exact rules (exec, transition, fd/fifo inheritance) come from the
	# domtrans_pattern support macro, not from this file.
	domtrans_pattern($1, certmonger_exec_t, certmonger_t)
')

########################################
## <summary>
##	Exchange dbus messages with certmonger
##	in both directions.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmonger_dbus_chat',`
	gen_require(`
		type certmonger_t;
		class dbus send_msg;
	')

	# Bidirectional: certmonger may send to the caller ...
	allow certmonger_t $1:dbus send_msg;
	# ... and the caller may send to certmonger. Nothing here
	# restricts which dbus interfaces or methods are reachable.
	allow $1 certmonger_t:dbus send_msg;
')

########################################
## <summary>
##	Execute the certmonger init script with a domain transition.
## </summary>
## <desc>
##	<p>
##	Allows the caller to run scripts labeled certmonger_initrc_exec_t.
##	The domain the script runs in is chosen by
##	init_labeled_script_domtrans(), not by this interface; the
##	script is not run in certmonger_t itself.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`certmonger_initrc_domtrans',`
	gen_require(`
		type certmonger_initrc_exec_t;
	')

	# Init-script transition for certmonger's service script type.
	init_labeled_script_domtrans($1, certmonger_initrc_exec_t)
')

########################################
## <summary>
##	Read certmonger PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmonger_read_pid_files',`
	gen_require(`
		type certmonger_var_run_t;
	')

	# Only file-level read is granted on certmonger_var_run_t; search
	# on the generic pid directory comes from files_search_pids().
	# NOTE(review): if certmonger_var_run_t also labels a directory
	# (not visible in this file), callers would additionally need
	# search on it -- confirm against certmonger.fc before widening.
	allow $1 certmonger_var_run_t:file read_file_perms;
	files_search_pids($1)
')

########################################
## <summary>
##	Search certmonger lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmonger_search_lib',`
	gen_require(`
		type certmonger_var_lib_t;
	')

	# Path access to the generic lib tree, then search only on
	# certmonger's own directories (no read of their contents).
	files_search_var_lib($1)
	allow $1 certmonger_var_lib_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read certmonger lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmonger_read_lib_files',`
	gen_require(`
		type certmonger_var_lib_t;
	')

	# Read-only: files and directories of type certmonger_var_lib_t
	# (certmonger's persistent state, including any stored keys
	# and certificates it manages). Path search via files_search_var_lib().
	read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
	files_search_var_lib($1)
')

########################################
## <summary>
##	Create, read, write, and delete
##	certmonger lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmonger_manage_lib_files',`
	gen_require(`
		type certmonger_var_lib_t;
	')

	# Full file management on certmonger_var_lib_t; this is write
	# access to certmonger's persistent state, so callers should be
	# limited to domains that genuinely need to alter it.
	manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
	files_search_var_lib($1)
')

########################################
## <summary>
##	All of the rules required to administrate
##	a certmonger environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`certmonger_admin',`
	gen_require(`
		type certmonger_t;
		type certmonger_initrc_exec_t;
		type certmonger_var_lib_t;
		type certmonger_var_run_t;
	')

	# Process management: inspect certmonger_t processes and signal them.
	ps_process_pattern($1, certmonger_t)
	allow $1 certmonger_t:process signal_perms;

	# ptrace of certmonger_t is granted only while the deny_ptrace
	# boolean is off (the rule sits in the tunable's false branch).
	tunable_policy(`deny_ptrace',`',`
		allow $1 certmonger_t:process ptrace;
	')

	# Full management of certmonger's lib and pid files.
	files_list_var_lib($1)
	admin_pattern($1, certmonger_var_lib_t)

	files_list_pids($1)
	admin_pattern($1, certmonger_var_run_t)

	# Allow the admin domain to run the certmonger init script and let
	# the admin role reach system_r through that script.
	certmonger_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 certmonger_initrc_exec_t system_r;
	allow $2 system_r;
')