policy_module(openca,1.0.0) ######################################## # # Declarations # type openca_ca_t; type openca_ca_exec_t; domain_type(openca_ca_t) domain_entry_file(openca_ca_t,openca_ca_exec_t) role system_r types openca_ca_t; # cjp: seems like some of these types # can be removed and replaced with generic # etc or usr files. # /etc/openca standard files type openca_etc_t; files_type(openca_etc_t) # /etc/openca template files type openca_etc_in_t; files_type(openca_etc_in_t) # /etc/openca writeable (from CGI script) files type openca_etc_writeable_t; files_type(openca_etc_writeable_t) # /usr/share/openca/crypto/keys type openca_usr_share_t; files_type(openca_usr_share_t) # /var/lib/openca type openca_var_lib_t; files_type(openca_var_lib_t) # /var/lib/openca/crypto/keys type openca_var_lib_keys_t; files_type(openca_var_lib_keys_t) ######################################## # # Local policy # # Allow access to other files under /etc/openca allow openca_ca_t openca_etc_t:file read_file_perms; allow openca_ca_t openca_etc_t:dir list_dir_perms; # Allow access to writeable files under /etc/openca manage_dirs_pattern(openca_ca_t,openca_etc_writeable_t,openca_etc_writeable_t) manage_files_pattern(openca_ca_t,openca_etc_writeable_t,openca_etc_writeable_t) # Allow access to other /var/lib/openca files manage_dirs_pattern(openca_ca_t,openca_var_lib_t,openca_var_lib_t) manage_files_pattern(openca_ca_t,openca_var_lib_t,openca_var_lib_t) # Allow access to private CA key manage_dirs_pattern(openca_ca_t,openca_var_lib_keys_t,openca_var_lib_keys_t) manage_files_pattern(openca_ca_t,openca_var_lib_keys_t,openca_var_lib_keys_t) # Allow access to other /usr/share/openca files read_files_pattern(openca_ca_t,openca_usr_share_t,openca_usr_share_t) read_lnk_files_pattern(openca_ca_t,openca_usr_share_t,openca_usr_share_t) allow openca_ca_t openca_usr_share_t:dir list_dir_perms; # the perl executable will be able to run a perl script corecmd_exec_bin(openca_ca_t) dev_read_rand(openca_ca_t) files_list_default(openca_ca_t) init_use_fds(openca_ca_t) init_use_script_fds(openca_ca_t) libs_use_ld_so(openca_ca_t) libs_use_shared_libs(openca_ca_t) libs_exec_lib_files(openca_ca_t) apache_append_log(openca_ca_t) # Allow the script to return its output apache_rw_cache_files(openca_ca_t)