## <summary>Certificate status monitor and PKI enrollment client</summary>
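########################################
## <summary>
##	Execute a domain transition to run certmonger.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`certmonger_domtrans',`
	# External types must be required, not declared, inside an interface.
	gen_require(`
		type certmonger_t, certmonger_exec_t;
	')

	# Executing a certmonger_exec_t file from the caller domain
	# transitions the new process into certmonger_t.
	domtrans_pattern($1, certmonger_exec_t, certmonger_t)
')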
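########################################
## <summary>
##	Send and receive messages from
##	certmonger over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmonger_dbus_chat',`
	# The rules below reference certmonger_t and the dbus class, so both
	# are required here.
	gen_require(`
		type certmonger_t;
		class dbus send_msg;
	')

	# send_msg is granted in both directions: the caller may message
	# certmonger and certmonger may message the caller.
	allow $1 certmonger_t:dbus send_msg;
	allow certmonger_t $1:dbus send_msg;
')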
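########################################
## <summary>
##	Execute certmonger server in the certmonger domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`certmonger_initrc_domtrans',`
	gen_require(`
		type certmonger_initrc_exec_t;
	')

	# The caller may run the certmonger init script through the labeled
	# init script transition.
	init_labeled_script_domtrans($1, certmonger_initrc_exec_t)
')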
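########################################
## <summary>
##	Read certmonger PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmonger_read_pid_files',`
	gen_require(`
		type certmonger_var_run_t;
	')

	# Search access to the parent pid directory is needed to reach the
	# files, matching how the lib interfaces call files_search_var_lib.
	files_search_pids($1)
	# Read-only: no write or create permission on the PID files.
	allow $1 certmonger_var_run_t:file read_file_perms;
')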
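########################################
## <summary>
##	Search certmonger lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmonger_search_lib',`
	gen_require(`
		type certmonger_var_lib_t;
	')

	# Directory search only: no permission on the files themselves.
	allow $1 certmonger_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
')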
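########################################
## <summary>
##	Read certmonger lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmonger_read_lib_files',`
	gen_require(`
		type certmonger_var_lib_t;
	')

	files_search_var_lib($1)
	# Read access to certmonger_var_lib_t files inside
	# certmonger_var_lib_t directories. Prefer this over the manage
	# interface when the caller has no need to modify them.
	read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
')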
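########################################
## <summary>
##	Create, read, write, and delete
##	certmonger lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`certmonger_manage_lib_files',`
	gen_require(`
		type certmonger_var_lib_t;
	')

	files_search_var_lib($1)
	# Full create, read, write and delete access to
	# certmonger_var_lib_t files. Grant only to domains that must
	# change this state; readers should use the read interface.
	manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
')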
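########################################
## <summary>
##	All of the rules required to administrate
##	a certmonger environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`certmonger_admin',`
	gen_require(`
		type certmonger_t, certmonger_initrc_exec_t;
		type certmonger_var_lib_t, certmonger_var_run_t;
	')

	# Process visibility and signals for the certmonger daemon.
	ps_process_pattern($1, certmonger_t)
	allow $1 certmonger_t:process signal_perms;

	# The first branch is empty, so ptrace of certmonger_t is granted
	# only while the deny_ptrace boolean is off. ptrace exposes the
	# memory of the daemon, which may include key material, so review
	# which domains receive this interface before disabling the boolean.
	tunable_policy(`deny_ptrace',`',`
		allow $1 certmonger_t:process ptrace;
	')

	# Let the admin domain run the certmonger init script. The role
	# transition into system_r also needs the role allow rule, otherwise
	# the transition is not permitted for the admin role.
	certmonger_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 certmonger_initrc_exec_t system_r;
	allow $2 system_r;

	# Administrative access to certmonger state under the var lib tree.
	files_list_var_lib($1)
	admin_pattern($1, certmonger_var_lib_t)

	# Same for the runtime files; listing the parent pid directory
	# mirrors the files_list_var_lib call above.
	files_list_pids($1)
	admin_pattern($1, certmonger_var_run_t)
')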