#DESC OpenCA - Open Certificate Authority
#
# Author: Brian May <bam@snoopy.apana.org.au>
# X-Debian-Packages:
# Depends: apache.te
#
#################################
#
# domain for openCA cgi-bin scripts.
#
# Type that system CGI scripts run as
#
type openca_ca_t, domain;
role system_r types openca_ca_t;
uses_shlib(openca_ca_t)
# Types that system CGI scripts on the disk are
# labeled with
#
type openca_ca_exec_t, file_type, sysadmfile;
# When the server starts the script it needs to get the proper context
#
domain_auto_trans(httpd_t, openca_ca_exec_t, openca_ca_t)
#
# Allow httpd daemon to search /usr/share/openca
#
allow httpd_t openca_usr_share_t:dir { getattr search };
################################################################
# Allow the web server to run scripts and serve pages
##############################################################
allow httpd_t bin_t:file { read execute }; # execute perl
allow httpd_t openca_ca_exec_t:file {execute getattr read};
allow httpd_t openca_ca_t:process {signal sigkill sigstop};
allow httpd_t openca_ca_t:process transition;
allow httpd_t openca_ca_exec_t:dir r_dir_perms;
##################################################################
# Allow the script to get the file descriptor from the http deamon
# and send sigchild to http deamon
#################################################################
allow openca_ca_t httpd_t:process sigchld;
allow openca_ca_t httpd_t:fd use;
allow openca_ca_t httpd_t:fifo_file {getattr write};
############################################
# Allow scripts to append to http logs
#########################################
allow openca_ca_t httpd_log_t:file { append getattr };
#############################################################
# Allow the script access to the library files so it can run
#############################################################
can_exec(openca_ca_t, lib_t)
########################################################################
# The script needs to inherit the file descriptor and find the script it
# needs to run
########################################################################
allow openca_ca_t initrc_t:fd use;
allow openca_ca_t init_t:fd use;
allow openca_ca_t default_t:dir r_dir_perms;
allow openca_ca_t random_device_t:chr_file r_file_perms;
#######################################################################
# Allow the script to return its output
######################################################################
#allow openca_ca_t httpd_var_run_t: file rw_file_perms;
allow openca_ca_t null_device_t: chr_file rw_file_perms;
allow openca_ca_t httpd_cache_t: file rw_file_perms;
###########################################################################
# Allow the script interpreters to run the scripts. So
# the perl executable will be able to run a perl script
#########################################################################
can_exec(openca_ca_t, bin_t)
############################################################################
# Allow the script process to search the cgi directory, and users directory
##############################################################################
allow openca_ca_t openca_ca_exec_t:dir search;
#
# Allow access to writeable files under /etc/openca
#
allow openca_ca_t openca_etc_writeable_t:file create_file_perms;
allow openca_ca_t openca_etc_writeable_t:dir create_dir_perms;
#
# Allow access to other files under /etc/openca
#
allow openca_ca_t openca_etc_t:file r_file_perms;
allow openca_ca_t openca_etc_t:dir r_dir_perms;
#
# Allow access to private CA key
#
allow openca_ca_t openca_var_lib_keys_t:file create_file_perms;
allow openca_ca_t openca_var_lib_keys_t:dir create_dir_perms;
#
# Allow access to other /var/lib/openca files
#
allow openca_ca_t openca_var_lib_t:file create_file_perms;
allow openca_ca_t openca_var_lib_t:dir create_dir_perms;
#
# Allow access to other /usr/share/openca files
#
allow openca_ca_t openca_usr_share_t:file r_file_perms;
allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;
allow openca_ca_t openca_usr_share_t:dir r_dir_perms;
# /etc/openca standard files
type openca_etc_t, file_type, sysadmfile;
# /etc/openca template files
type openca_etc_in_t, file_type, sysadmfile;
# /etc/openca writeable (from CGI script) files
type openca_etc_writeable_t, file_type, sysadmfile;
# /var/lib/openca
type openca_var_lib_t, file_type, sysadmfile;
# /var/lib/openca/crypto/keys
type openca_var_lib_keys_t, file_type, sysadmfile;
# /usr/share/openca/crypto/keys
type openca_usr_share_t, file_type, sysadmfile;