From 2bcdbd8ca3fa80f2f80bde8586da332f228eb540 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 18 Jan 2006 19:09:48 +0000
Subject: [PATCH] add certwatch

---
 refpolicy/Changelog | 1 +
 refpolicy/policy/modules/services/apache.if | 19 +++++++
 .../policy/modules/services/certwatch.fc | 1 +
 .../policy/modules/services/certwatch.if | 51 +++++++++++++++++++
 .../policy/modules/services/certwatch.te | 34 +++++++++++++
 refpolicy/policy/modules/system/userdomain.te | 4 ++
 6 files changed, 110 insertions(+)
 create mode 100644 refpolicy/policy/modules/services/certwatch.fc
 create mode 100644 refpolicy/policy/modules/services/certwatch.if
 create mode 100644 refpolicy/policy/modules/services/certwatch.te

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 66bd9d5f..0ac2365f 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -2,6 +2,7 @@
 - Change initrc_var_run_t interface noun from script_pid to utmp, for greater clarity.
 - Added modules:
+ certwatch
 portage
 userhelper
 usernetctl
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 93d0da3e..cc018ae2 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -566,6 +566,25 @@ interface(`apache_list_modules',`
 allow $1 httpd_modules_t:dir r_dir_perms;
 ')
 
+########################################
+##
+## Allow the specified domain to execute
+## apache modules.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`apache_exec_modules',`
+ gen_require(`
+ type httpd_modules_t;
+ ')
+
+ allow $1 httpd_modules_t:dir r_dir_perms;
+ allow $1 httpd_modules_t:lnk_file r_file_perms;
+ can_exec($1,httpd_modules_t)
+')
+
 ########################################
 ##
 ## Allow the specified domain to manage
diff --git a/refpolicy/policy/modules/services/certwatch.fc b/refpolicy/policy/modules/services/certwatch.fc
new file mode 100644
index 00000000..b8a3414b
--- /dev/null
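Review bot: apache_exec_modules repeats the `allow $1 httpd_modules_t:dir r_dir_perms;` line that apache_list_modules, visible directly above it in the hunk, already provides; calling `apache_list_modules($1)` in its place keeps the two interfaces in step if the directory permissions are ever changed. The summary should also say that `can_exec` grants execute without a domain transition, so the module files run in the caller's own domain rather than in a confined one, e.g. `## Allow the specified domain to execute apache modules without a domain transition.`. Callers of this interface are then told that they are widening their own domain, which is the fact a policy author needs when deciding whether to use it.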
+++ b/refpolicy/policy/modules/services/certwatch.fc
@@ -0,0 +1 @@
+/usr/bin/certwatch -- gen_context(system_u:object_r:certwatch_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/certwatch.if b/refpolicy/policy/modules/services/certwatch.if
new file mode 100644
index 00000000..bebb19e9
--- /dev/null
+++ b/refpolicy/policy/modules/services/certwatch.if
@@ -0,0 +1,51 @@
+## Digital Certificate Tracking
+
+########################################
+##
+## Domain transition to certwatch.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`certwatch_domtrans',`
+ gen_require(`
+ type certwatch_exec_t, certwatch_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_sbin($1)
+ domain_auto_trans($1,certwatch_exec_t,certwatch_t)
+
+ allow $1 certwatch_t:fd use;
+ allow certwatch_t $1:fd use;
+ allow certwatch_t $1:fifo_file rw_file_perms;
+ allow certwatch_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute certwatch in the certwatch domain, and
+## allow the specified role the certwatch domain,
+## and use the caller's terminal. Has a sigchld
+## backchannel.
+##
+##
+## The type of the process performing this action.
+##
+##
+## The role to be allowed the certwatch domain.
+##
+##
+## The type of the terminal allow the certwatch domain to use.
+##
+#
+interface(`certwatach_run',`
+ gen_require(`
+ type certwatch_t;
+ ')
+
+ certwatch_domtrans($1)
+ role $2 types certwatch_t;
+ allow certwatch_t $3:chr_file rw_term_perms;
+')
diff --git a/refpolicy/policy/modules/services/certwatch.te b/refpolicy/policy/modules/services/certwatch.te
new file mode 100644
index 00000000..8087765c
--- /dev/null
+++ b/refpolicy/policy/modules/services/certwatch.te
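Review bot: The second interface is declared as `certwatach_run` (a typo), and the userdomain.te hunk in this same patch calls it by the misspelled name, so the build passes but every future caller has to reproduce the typo; rename it to `certwatch_run` in both places. certwatch_domtrans calls `corecmd_search_sbin($1)` while certwatch.fc labels the binary under /usr/bin, so the search permission granted does not cover the directory the caller actually traverses; `corecmd_search_bin($1)` is the matching interface. The third parameter's description reads awkwardly and should become `## The type of the terminal to allow the certwatch domain to use.`.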
@@ -0,0 +1,34 @@
+
+policy_module(certwatch,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type certwatch_t;
+type certwatch_exec_t;
+domain_type(certwatch_t)
+domain_entry_file(certwatch_t,certwatch_exec_t)
+role system_r types certwatch_t;
+
+########################################
+#
+# Local policy
+#
+
+files_read_etc_files(certwatch_t)
+
+libs_use_ld_so(certwatch_t)
+libs_use_shared_libs(certwatch_t)
+
+logging_send_syslog_msg(certwatch_t)
+
+miscfiles_read_certs(certwatch_t)
+miscfiles_read_localization(certwatch_t)
+
+apache_exec_modules(certwatch_t)
+
+optional_policy(`cron',`
+ cron_system_entry(certwatch_t,certwatch_exec_t)
+')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 9abab874..5431df0f 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -187,6 +187,10 @@ ifdef(`targeted_policy',`
 clock_run(sysadm_t,sysadm_r,admin_terminal)
 ')
 
+ optional_policy(`certwatch',`
+ certwatach_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
 optional_policy(`ddcprobe',`
 ddcprobe_run(sysadm_t,sysadm_r,admin_terminal)
 ')
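Review bot: `apache_exec_modules(certwatch_t)` is called unconditionally while the cron dependency a few lines below is wrapped in optional_policy, which makes the apache module a hard build dependency of certwatch, and nothing in the hunk explains why a certificate-tracking tool needs execute access on httpd module files. Unless apache is meant to be required, wrap it the same way as cron — ``optional_policy(`apache',` / apache_exec_modules(certwatch_t) / ')`` — and add a one-line comment above the call stating the reason certwatch executes httpd modules, so the next reviewer can judge whether the permission is still needed. The file also opens with an empty line before `policy_module(certwatch,1.0)`, which looks accidental and should be dropped.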
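Review bot: The new certwatch block is placed after the clock block and before ddcprobe, but those neighbours suggest the list is kept in alphabetical order, in which certwatch belongs before `clock_run(sysadm_t,sysadm_r,admin_terminal)`; if that ordering is intended, move the block up so later additions follow the same rule. The enclosing block (the hunk header names `ifdef(`targeted_policy',`` as the nearest preceding top-level line) starts and ends outside the hunk, so whether this call is inside the targeted_policy conditional cannot be confirmed from what is shown.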