diff --git a/policy/modules/services/certmonger.fc b/policy/modules/services/certmonger.fc
index e3449bb0..5ad1a526 100644
--- a/policy/modules/services/certmonger.fc
+++ b/policy/modules/services/certmonger.fc
@@ -1,6 +1,6 @@
 /etc/rc\.d/init\.d/certmonger -- gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
-/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
+/usr/sbin/certmonger -- gen_context(system_u:object_r:certmonger_exec_t,s0)
-/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
+/var/lib/certmonger(/.*)? gen_context(system_u:object_r:certmonger_var_lib_t,s0)
 /var/run/certmonger.pid -- gen_context(system_u:object_r:certmonger_var_run_t,s0)
diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if
index aeee5d64..ce8f4336 100644
--- a/policy/modules/services/certmonger.if
+++ b/policy/modules/services/certmonger.if
@@ -18,6 +18,27 @@ interface(`certmonger_domtrans',`
 domtrans_pattern($1, certmonger_exec_t, certmonger_t)
 ')
+######################################## ## ## Send and receive messages from ## certmonger over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`certmonger_dbus_chat',` gen_require(` type certmonger_t; class dbus send_msg; ') allow $1 certmonger_t:dbus send_msg; allow certmonger_t $1:dbus send_msg; ')
+######################################## ## ## Execute certmonger server in the certmonger domain.
@@ -113,27 +134,6 @@ interface(`certmonger_manage_lib_files',`
 manage_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
 ')
-########################################
-##
-## Send and receive messages from
-## certmonger over dbus.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`certmonger_dbus_chat',`
- gen_require(`
- type certmonger_t;
- class dbus send_msg;
- ')
-
- allow $1 certmonger_t:dbus send_msg;
- allow certmonger_t $1:dbus send_msg;
-')
-
 ########################################
 ##
 ## All of the rules required to administrate
@@ -157,8 +157,8 @@ interface(`certmonger_admin',`
 type certmonger_var_lib_t, certmonger_var_run_t;
 ')
- allow $1 certmonger_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, certmonger_t, certmonger_t)
+ ps_process_pattern($1, certmonger_t)
+ allow $1 certmonger_t:process { ptrace signal_perms };
 # Allow certmonger_t to restart the apache service
 certmonger_initrc_domtrans($1)
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
index f72ce9cf..36a3a7a6 100644
--- a/policy/modules/services/certmonger.te
+++ b/policy/modules/services/certmonger.te
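Review bot: The comment kept directly under the rewritten lines in the certmonger_admin hunk, `# Allow certmonger_t to restart the apache service`, names the wrong subject: the rule it annotates is `certmonger_initrc_domtrans($1)`, which lets the admin domain ($1) run the certmonger init script and says nothing about certmonger_t or apache. Suggest `# Allow the admin domain to run the certmonger init script`. The new `allow $1 certmonger_t:process { ptrace signal_perms };` also keeps ptrace for the admin domain, which gives it read and write access to the daemon's memory; if that is deliberate for this interface a one-line justification comment would help the next reviewer, otherwise `signal_perms` alone may be enough. The body of certmonger_admin continues outside the hunk.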
@@ -30,15 +30,13 @@ allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
 allow certmonger_t self:tcp_socket create_stream_socket_perms;
 allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
-manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
-manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
-files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
-
 manage_dirs_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
 manage_files_pattern(certmonger_t, certmonger_var_lib_t, certmonger_var_lib_t)
 files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
-domain_use_interactive_fds(certmonger_t)
+manage_dirs_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+manage_files_pattern(certmonger_t, certmonger_var_run_t, certmonger_var_run_t)
+files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
 corenet_tcp_sendrecv_generic_if(certmonger_t)
 corenet_tcp_sendrecv_generic_node(certmonger_t)
@@ -47,6 +45,8 @@ corenet_tcp_connect_certmaster_port(certmonger_t)
 dev_read_urand(certmonger_t)
+domain_use_interactive_fds(certmonger_t)
+
 files_read_etc_files(certmonger_t)
 files_read_usr_files(certmonger_t)
 files_list_tmp(certmonger_t)
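Review bot: The re-added `files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })` lets certmonger create directories under the pid directory labeled certmonger_var_run_t, but the certmonger.fc hunk in this patch only lists `/var/run/certmonger.pid --`, so a directory created at runtime would not be matched by a relabel (restorecon) and would revert to the parent directory's default context. If certmonger only creates the pid file, narrowing the rule to `files_pid_filetrans(certmonger_t, certmonger_var_run_t, file)` keeps the policy and the file contexts in agreement; if it does create a directory, a matching directory entry (constructed example: `/var/run/certmonger(/.*)?`) belongs in certmonger.fc. The .fc hunk may not show the whole file, so this should be confirmed against the full file rather than assumed.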