#DESC OpenCA - Open Certificate Authority # # Author: Brian May <bam@snoopy.apana.org.au> # X-Debian-Packages: # Depends: apache.te # ################################# # # domain for openCA cgi-bin scripts. # # Type that system CGI scripts run as # type openca_ca_t, domain; role system_r types openca_ca_t; uses_shlib(openca_ca_t) # Types that system CGI scripts on the disk are # labeled with # type openca_ca_exec_t, file_type, sysadmfile; # When the server starts the script it needs to get the proper context # domain_auto_trans(httpd_t, openca_ca_exec_t, openca_ca_t) # # Allow httpd daemon to search /usr/share/openca # allow httpd_t openca_usr_share_t:dir { getattr search }; ################################################################ # Allow the web server to run scripts and serve pages ############################################################## allow httpd_t bin_t:file { read execute }; # execute perl allow httpd_t openca_ca_exec_t:file {execute getattr read}; allow httpd_t openca_ca_t:process {signal sigkill sigstop}; allow httpd_t openca_ca_t:process transition; allow httpd_t openca_ca_exec_t:dir r_dir_perms; ################################################################## # Allow the script to get the file descriptor from the http deamon # and send sigchild to http deamon ################################################################# allow openca_ca_t httpd_t:process sigchld; allow openca_ca_t httpd_t:fd use; allow openca_ca_t httpd_t:fifo_file {getattr write}; ############################################ # Allow scripts to append to http logs ######################################### allow openca_ca_t httpd_log_t:file { append getattr }; ############################################################# # Allow the script access to the library files so it can run ############################################################# can_exec(openca_ca_t, lib_t) ######################################################################## # The script needs to inherit the file descriptor and find the script it # needs to run ######################################################################## allow openca_ca_t initrc_t:fd use; allow openca_ca_t init_t:fd use; allow openca_ca_t default_t:dir r_dir_perms; allow openca_ca_t random_device_t:chr_file r_file_perms; ####################################################################### # Allow the script to return its output ###################################################################### #allow openca_ca_t httpd_var_run_t: file rw_file_perms; allow openca_ca_t null_device_t: chr_file rw_file_perms; allow openca_ca_t httpd_cache_t: file rw_file_perms; ########################################################################### # Allow the script interpreters to run the scripts. So # the perl executable will be able to run a perl script ######################################################################### can_exec(openca_ca_t, bin_t) ############################################################################ # Allow the script process to search the cgi directory, and users directory ############################################################################## allow openca_ca_t openca_ca_exec_t:dir search; # # Allow access to writeable files under /etc/openca # allow openca_ca_t openca_etc_writeable_t:file create_file_perms; allow openca_ca_t openca_etc_writeable_t:dir create_dir_perms; # # Allow access to other files under /etc/openca # allow openca_ca_t openca_etc_t:file r_file_perms; allow openca_ca_t openca_etc_t:dir r_dir_perms; # # Allow access to private CA key # allow openca_ca_t openca_var_lib_keys_t:file create_file_perms; allow openca_ca_t openca_var_lib_keys_t:dir create_dir_perms; # # Allow access to other /var/lib/openca files # allow openca_ca_t openca_var_lib_t:file create_file_perms; allow openca_ca_t openca_var_lib_t:dir create_dir_perms; # # Allow access to other /usr/share/openca files # allow openca_ca_t openca_usr_share_t:file r_file_perms; allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms; allow openca_ca_t openca_usr_share_t:dir r_dir_perms; # /etc/openca standard files type openca_etc_t, file_type, sysadmfile; # /etc/openca template files type openca_etc_in_t, file_type, sysadmfile; # /etc/openca writeable (from CGI script) files type openca_etc_writeable_t, file_type, sysadmfile; # /var/lib/openca type openca_var_lib_t, file_type, sysadmfile; # /var/lib/openca/crypto/keys type openca_var_lib_keys_t, file_type, sysadmfile; # /usr/share/openca/crypto/keys type openca_usr_share_t, file_type, sysadmfile;