selinux-policy/policy/modules/services/certmaster.te

policy_module(certmaster, 1.1.2)

########################################
#
# Declarations
#

type certmaster_t;
type certmaster_exec_t;
init_daemon_domain(certmaster_t, certmaster_exec_t)

type certmaster_initrc_exec_t;
init_script_file(certmaster_initrc_exec_t)

type certmaster_etc_rw_t;
files_type(certmaster_etc_rw_t)

type certmaster_var_lib_t;
files_type(certmaster_var_lib_t)

type certmaster_var_log_t;
logging_log_file(certmaster_var_log_t)

type certmaster_var_run_t;
files_pid_file(certmaster_var_run_t)

###########################################
#
# certmaster local policy
#

allow certmaster_t self:capability { dac_read_search dac_override sys_tty_config };
allow certmaster_t self:tcp_socket create_stream_socket_perms;

# config files
list_dirs_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)
manage_files_pattern(certmaster_t, certmaster_etc_rw_t, certmaster_etc_rw_t)

# var/lib files for certmaster
manage_files_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
manage_dirs_pattern(certmaster_t, certmaster_var_lib_t, certmaster_var_lib_t)
files_var_lib_filetrans(certmaster_t, certmaster_var_lib_t, { file dir })

# log files
manage_files_pattern(certmaster_t, certmaster_var_log_t, certmaster_var_log_t)
logging_log_filetrans(certmaster_t, certmaster_var_log_t, file)

# pid file
manage_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
manage_sock_files_pattern(certmaster_t, certmaster_var_run_t, certmaster_var_run_t)
files_pid_filetrans(certmaster_t, certmaster_var_run_t, { file sock_file })

# read meminfo
kernel_read_system_state(certmaster_t)

corecmd_search_bin(certmaster_t)
corecmd_getattr_bin_files(certmaster_t)

corenet_tcp_bind_generic_node(certmaster_t)
corenet_tcp_bind_certmaster_port(certmaster_t)

files_search_etc(certmaster_t)
files_read_usr_files(certmaster_t)
files_list_var(certmaster_t)
files_search_var_lib(certmaster_t)

auth_use_nsswitch(certmaster_t)

miscfiles_read_localization(certmaster_t)

miscfiles_manage_generic_cert_dirs(certmaster_t)
miscfiles_manage_generic_cert_files(certmaster_t)