From 5bd9fd7bc218f27769657116c680357542c43ead Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: Tue, 2 May 2006 17:42:41 +0000
Subject: [PATCH] add openca, bug 1660

---
 refpolicy/Changelog                         |  1 +
 refpolicy/policy/modules/services/apache.fc |  1 +
 refpolicy/policy/modules/services/apache.if | 19 +++++
 refpolicy/policy/modules/services/apache.te |  7 ++
 refpolicy/policy/modules/services/openca.fc |  9 +++
 refpolicy/policy/modules/services/openca.if | 80 +++++++++++++++++++
 refpolicy/policy/modules/services/openca.te | 85 +++++++++++++++++++++
 7 files changed, 202 insertions(+)
 create mode 100644 refpolicy/policy/modules/services/openca.fc
 create mode 100644 refpolicy/policy/modules/services/openca.if
 create mode 100644 refpolicy/policy/modules/services/openca.te

diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index eb8fe18f..6b828eb6 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -64,6 +64,7 @@
 	nessus
 	nsd
 	ntop
+	openca
 	openvpn (Petre Rodan)
 	perdition
 	postgrey
diff --git a/refpolicy/policy/modules/services/apache.fc b/refpolicy/policy/modules/services/apache.fc
index 7cdaf0bc..82e51537 100644
--- a/refpolicy/policy/modules/services/apache.fc
+++ b/refpolicy/policy/modules/services/apache.fc
@@ -37,6 +37,7 @@ ifdef(`distro_suse', `
 /usr/sbin/suexec			--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 
 /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 
 /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/mason(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 62280498..4d17f490 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -470,6 +470,25 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
 	dontaudit $1 httpd_t:tcp_socket { read write };
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	and write Apache cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_rw_cache_files',`
+	gen_require(`
+		type httpd_cache_t;
+	')
+
+	allow $1 httpd_cache_t:file rw_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to read
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 8f1bdd57..f0129172 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -430,6 +430,13 @@ optional_policy(`
 	nscd_socket_use(httpd_t)
 ')
 
+optional_policy(`
+	openca_domtrans(httpd_t)
+	openca_signal(httpd_t)
+	openca_sigstop(httpd_t)
+	openca_kill(httpd_t)
+')
+
 optional_policy(`
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
diff --git a/refpolicy/policy/modules/services/openca.fc b/refpolicy/policy/modules/services/openca.fc
new file mode 100644
index 00000000..dc360b93
--- /dev/null
+++ b/refpolicy/policy/modules/services/openca.fc
@@ -0,0 +1,9 @@
+/etc/openca(/.*)?			gen_context(system_u:object_r:openca_etc_t,s0)
+/etc/openca/*.\.in(/.*)?		gen_context(system_u:object_r:openca_etc_in_t,s0)
+/etc/openca/rbac(/.*)?			gen_context(system_u:object_r:openca_etc_writeable_t,s0)
+
+/usr/share/openca(/.*)?			gen_context(system_u:object_r:openca_usr_share_t,s0)
+/usr/share/openca/cgi-bin/ca/.+ --	gen_context(system_u:object_r:openca_ca_exec_t,s0)
+
+/var/lib/openca(/.*)?			gen_context(system_u:object_r:openca_var_lib_t,s0)
+/var/lib/openca/crypto/keys(/.*)?	gen_context(system_u:object_r:openca_var_lib_keys_t,s0)
diff --git a/refpolicy/policy/modules/services/openca.if b/refpolicy/policy/modules/services/openca.if
new file mode 100644
index 00000000..d84d2edd
--- /dev/null
+++ b/refpolicy/policy/modules/services/openca.if
@@ -0,0 +1,80 @@
+## <summary>OpenCA - Open Certificate Authority</summary>
+
+########################################
+## <summary>
+##	Execute the OpenCA program with
+##	a domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openca_domtrans',`
+	gen_require(`
+		type openca_ca_t, openca_ca_exec_t, openca_usr_share_t;
+	')
+
+	domain_auto_trans($1,openca_ca_exec_t,openca_ca_t)
+	allow httpd_t openca_usr_share_t:dir search_dir_perms;
+	files_search_usr(httpd_t)
+
+	allow openca_ca_t $1:fd use;
+	allow openca_ca_t $1:fifo_file rw_file_perms;
+	allow openca_ca_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Send OpenCA generic signals.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openca_signal',`
+	gen_require(`
+		type openca_ca_t;
+	')
+
+	allow $1 openca_ca_t:process signal;
+')
+
+########################################
+## <summary>
+##	Send OpenCA stop signals.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openca_sigstop',`
+	gen_require(`
+		type openca_ca_t;
+	')
+
+	allow $1 openca_ca_t:process sigstop;
+')
+
+########################################
+## <summary>
+##	Kill OpenCA.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`openca_kill',`
+	gen_require(`
+		type openca_ca_t;
+	')
+
+	allow $1 openca_ca_t:process sigkill;
+')
diff --git a/refpolicy/policy/modules/services/openca.te b/refpolicy/policy/modules/services/openca.te
new file mode 100644
index 00000000..04fc293a
--- /dev/null
+++ b/refpolicy/policy/modules/services/openca.te
@@ -0,0 +1,85 @@
+
+policy_module(openca,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openca_ca_t;
+type openca_ca_exec_t;
+domain_type(openca_ca_t)
+domain_entry_file(openca_ca_t,openca_ca_exec_t)
+role system_r types openca_ca_t;
+
+# cjp: seems like some of these types
+# can be removed and replaced with generic
+# etc or usr files.
+
+# /etc/openca standard files
+type openca_etc_t;
+files_type(openca_etc_t)
+
+# /etc/openca template files
+type openca_etc_in_t;
+files_type(openca_etc_in_t)
+
+# /etc/openca writeable (from CGI script) files
+type openca_etc_writeable_t;
+files_type(openca_etc_writeable_t)
+
+# /usr/share/openca/crypto/keys
+type openca_usr_share_t;
+files_type(openca_usr_share_t)
+
+# /var/lib/openca
+type openca_var_lib_t;
+files_type(openca_var_lib_t)
+
+# /var/lib/openca/crypto/keys
+type openca_var_lib_keys_t;
+files_type(openca_var_lib_keys_t)
+
+########################################
+#
+# Local policy
+#
+
+# Allow access to other files under /etc/openca
+allow openca_ca_t openca_etc_t:file r_file_perms;
+allow openca_ca_t openca_etc_t:dir r_dir_perms;
+
+# Allow access to writeable files under /etc/openca
+allow openca_ca_t openca_etc_writeable_t:file manage_file_perms;
+allow openca_ca_t openca_etc_writeable_t:dir manage_dir_perms;
+
+# Allow access to other /var/lib/openca files
+allow openca_ca_t openca_var_lib_t:file manage_file_perms;
+allow openca_ca_t openca_var_lib_t:dir manage_dir_perms;
+
+# Allow access to private CA key
+allow openca_ca_t openca_var_lib_keys_t:file manage_file_perms;
+allow openca_ca_t openca_var_lib_keys_t:dir manage_dir_perms;
+
+# Allow access to other /usr/share/openca files
+allow openca_ca_t openca_usr_share_t:file r_file_perms;
+allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;
+allow openca_ca_t openca_usr_share_t:dir r_dir_perms;
+
+# the perl executable will be able to run a perl script
+corecmd_exec_bin(openca_ca_t)
+
+dev_read_rand(openca_ca_t)
+
+files_list_default(openca_ca_t)
+
+init_use_fds(openca_ca_t)
+init_use_script_fds(openca_ca_t)
+
+libs_use_ld_so(openca_ca_t)
+libs_use_shared_libs(openca_ca_t)
+libs_exec_lib_files(openca_ca_t)
+
+apache_append_log(openca_ca_t)
+# Allow the script to return its output
+apache_rw_cache_files(openca_ca_t)