#DESC OpenCA - Open Certificate Authority

#

# Author:  Brian May <bam@snoopy.apana.org.au>

# X-Debian-Packages:

# Depends: apache.te

#

#################################

#

# domain for openCA cgi-bin scripts.

#

# Type that system CGI scripts run as

#

type openca_ca_t, domain;

role system_r types openca_ca_t;

uses_shlib(openca_ca_t)

# Types that system CGI scripts on the disk are 

# labeled with

#

type openca_ca_exec_t, file_type, sysadmfile;

# When the server starts the script it needs to get the proper context

#

domain_auto_trans(httpd_t, openca_ca_exec_t, openca_ca_t)

#

# Allow httpd daemon to search /usr/share/openca

#

allow httpd_t openca_usr_share_t:dir { getattr search };

################################################################

# Allow the web server to run scripts and serve pages

##############################################################

allow httpd_t bin_t:file { read execute }; # execute perl

allow httpd_t openca_ca_exec_t:file {execute getattr read};

allow httpd_t openca_ca_t:process {signal sigkill sigstop};

allow httpd_t openca_ca_t:process transition;

allow httpd_t openca_ca_exec_t:dir r_dir_perms;

##################################################################

# Allow the script to get the file descriptor from the http deamon

# and send sigchild to http deamon

#################################################################

allow openca_ca_t httpd_t:process sigchld;

allow openca_ca_t httpd_t:fd use;

allow openca_ca_t httpd_t:fifo_file {getattr write};

############################################

# Allow scripts to append to http logs

#########################################

allow openca_ca_t httpd_log_t:file { append getattr };

#############################################################

# Allow the script access to the library files so it can run

#############################################################

can_exec(openca_ca_t, lib_t)

########################################################################

# The script needs to inherit the file descriptor and find the script it

# needs to run

########################################################################

allow openca_ca_t initrc_t:fd use;

allow openca_ca_t init_t:fd use;

allow openca_ca_t default_t:dir r_dir_perms;

allow openca_ca_t random_device_t:chr_file r_file_perms;

#######################################################################

# Allow the script to return its output

######################################################################

#allow openca_ca_t httpd_var_run_t: file rw_file_perms;

allow openca_ca_t null_device_t: chr_file rw_file_perms;

allow openca_ca_t httpd_cache_t: file rw_file_perms;

###########################################################################

# Allow the script interpreters to run the scripts.  So

# the perl executable will be able to run a perl script

#########################################################################

can_exec(openca_ca_t, bin_t)

############################################################################

# Allow the script process to search the cgi directory, and users directory

##############################################################################

allow openca_ca_t openca_ca_exec_t:dir search;

#

# Allow access to writeable files under /etc/openca

#

allow openca_ca_t openca_etc_writeable_t:file create_file_perms;

allow openca_ca_t openca_etc_writeable_t:dir create_dir_perms;

#

# Allow access to other files under /etc/openca

#

allow openca_ca_t openca_etc_t:file r_file_perms;

allow openca_ca_t openca_etc_t:dir r_dir_perms;

#

# Allow access to private CA key

#

allow openca_ca_t openca_var_lib_keys_t:file create_file_perms;

allow openca_ca_t openca_var_lib_keys_t:dir create_dir_perms;

#

# Allow access to other /var/lib/openca files

#

allow openca_ca_t openca_var_lib_t:file create_file_perms;

allow openca_ca_t openca_var_lib_t:dir create_dir_perms;

#

# Allow access to other /usr/share/openca files

#

allow openca_ca_t openca_usr_share_t:file r_file_perms;

allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;

allow openca_ca_t openca_usr_share_t:dir r_dir_perms;

# /etc/openca standard files

type openca_etc_t, file_type, sysadmfile;

# /etc/openca template files

type openca_etc_in_t, file_type, sysadmfile;

# /etc/openca writeable (from CGI script) files

type openca_etc_writeable_t, file_type, sysadmfile;

# /var/lib/openca

type openca_var_lib_t, file_type, sysadmfile;

# /var/lib/openca/crypto/keys

type openca_var_lib_keys_t, file_type, sysadmfile;

# /usr/share/openca/crypto/keys

type openca_usr_share_t, file_type, sysadmfile;