From 33793ec2ce002a8268ce2a2f835488a32adf2763 Mon Sep 17 00:00:00 2001
From: Jeremy Solt <jsolt@tresys.com>
Date: Apr 19 2010 14:07:17 +0000
Subject: certmonger policy from Dan Walsh


Removed manage_var_run and manage_var_lib interfaces
Added missing requires to admin interface
Removed permissive line
Fixed some spacing / style issues

---

diff --git a/policy/modules/services/certmonger.fc b/policy/modules/services/certmonger.fc
new file mode 100644
index 0000000..e3449bb
--- /dev/null
+++ b/policy/modules/services/certmonger.fc
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/certmonger	--	gen_context(system_u:object_r:certmonger_initrc_exec_t,s0)
+
+/usr/sbin/certmonger	--	gen_context(system_u:object_r:certmonger_exec_t,s0)
+
+/var/lib/certmonger(/.*)?			gen_context(system_u:object_r:certmonger_var_lib_t,s0)
+/var/run/certmonger.pid		--	gen_context(system_u:object_r:certmonger_var_run_t,s0)
diff --git a/policy/modules/services/certmonger.if b/policy/modules/services/certmonger.if
new file mode 100644
index 0000000..aeee5d6
--- /dev/null
+++ b/policy/modules/services/certmonger.if
@@ -0,0 +1,174 @@
+## <summary>Certificate status monitor and PKI enrollment client</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run certmonger.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certmonger_domtrans',`
+	gen_require(`
+		type certmonger_t, certmonger_exec_t;
+	')
+
+	domtrans_pattern($1, certmonger_exec_t, certmonger_t)
+')
+
+########################################
+## <summary>
+##	Execute certmonger server in the certmonger domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`certmonger_initrc_domtrans',`
+	gen_require(`
+		type certmonger_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, certmonger_initrc_exec_t)
+')
+
+########################################
+## <summary>
+##	Read certmonger PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`certmonger_read_pid_files',`
+	gen_require(`
+		type certmonger_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 certmonger_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Search certmonger lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`certmonger_search_lib',`
+	gen_require(`
+		type certmonger_var_lib_t;
+	')
+
+	allow $1 certmonger_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read certmonger lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`certmonger_read_lib_files',`
+	gen_require(`
+		type certmonger_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, certmonger_var_lib_t, certmonger_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	certmonger lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`certmonger_manage_lib_files',`
+	gen_require(`
+		type certmonger_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, certmonger_var_lib_t,  certmonger_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	certmonger over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`certmonger_dbus_chat',`
+	gen_require(`
+		type certmonger_t;
+		class dbus send_msg;
+	')
+
+	allow $1 certmonger_t:dbus send_msg;
+	allow certmonger_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an certmonger environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`certmonger_admin',`
+	gen_require(`
+		type certmonger_t, certmonger_initrc_exec_t;
+		type certmonger_var_lib_t, certmonger_var_run_t;
+	')
+
+	allow $1 certmonger_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, certmonger_t, certmonger_t)
+
+	# Allow certmonger_t to restart the apache service
+	certmonger_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 certmonger_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_var_lib($1)
+	admin_pattern($1, cermonger_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, cermonger_var_run_t)
+')
diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
new file mode 100644
index 0000000..f72ce9c
--- /dev/null
+++ b/policy/modules/services/certmonger.te
@@ -0,0 +1,72 @@
+policy_module(certmonger,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type certmonger_t;
+type certmonger_exec_t;
+init_daemon_domain(certmonger_t, certmonger_exec_t)
+
+type certmonger_initrc_exec_t;
+init_script_file(certmonger_initrc_exec_t)
+
+type certmonger_var_run_t;
+files_pid_file(certmonger_var_run_t)
+
+type certmonger_var_lib_t;
+files_type(certmonger_var_lib_t)
+
+########################################
+#
+# certmonger local policy
+#
+
+allow certmonger_t self:capability { kill sys_nice };
+allow certmonger_t self:process { getsched setsched sigkill };
+allow certmonger_t self:fifo_file rw_file_perms;
+allow certmonger_t self:unix_stream_socket create_stream_socket_perms;
+allow certmonger_t self:tcp_socket create_stream_socket_perms;
+allow certmonger_t self:netlink_route_socket r_netlink_socket_perms;
+
+manage_dirs_pattern(certmonger_t, certmonger_var_run_t,  certmonger_var_run_t)
+manage_files_pattern(certmonger_t, certmonger_var_run_t,  certmonger_var_run_t)
+files_pid_filetrans(certmonger_t, certmonger_var_run_t, { file dir })
+
+manage_dirs_pattern(certmonger_t, certmonger_var_lib_t,  certmonger_var_lib_t)
+manage_files_pattern(certmonger_t, certmonger_var_lib_t,  certmonger_var_lib_t)
+files_var_lib_filetrans(certmonger_t, certmonger_var_lib_t, { file dir } )
+
+domain_use_interactive_fds(certmonger_t)
+
+corenet_tcp_sendrecv_generic_if(certmonger_t)
+corenet_tcp_sendrecv_generic_node(certmonger_t)
+corenet_tcp_sendrecv_all_ports(certmonger_t)
+corenet_tcp_connect_certmaster_port(certmonger_t)
+
+dev_read_urand(certmonger_t)
+
+files_read_etc_files(certmonger_t)
+files_read_usr_files(certmonger_t)
+files_list_tmp(certmonger_t)
+
+logging_send_syslog_msg(certmonger_t)
+
+miscfiles_read_localization(certmonger_t)
+miscfiles_manage_cert_files(certmonger_t)
+
+sysnet_dns_name_resolve(certmonger_t)
+
+optional_policy(`
+	dbus_system_bus_client(certmonger_t)
+	dbus_connect_system_bus(certmonger_t)
+')
+
+optional_policy(`
+	kerberos_use(certmonger_t)
+')
+
+optional_policy(`
+	unconfined_dbus_send(certmonger_t)
+')