diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index eb8fe18..6b828eb 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -64,6 +64,7 @@
 nessus
 nsd
 ntop
+ openca
 openvpn (Petre Rodan)
 perdition
 postgrey
diff --git a/refpolicy/policy/modules/services/apache.fc b/refpolicy/policy/modules/services/apache.fc
index 7cdaf0b..82e5153 100644
--- a/refpolicy/policy/modules/services/apache.fc
+++ b/refpolicy/policy/modules/services/apache.fc
@@ -37,6 +37,7 @@ ifdef(`distro_suse', `
 /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 6228049..4d17f49 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -473,6 +473,25 @@ interface(`apache_dontaudit_rw_tcp_sockets',`
 ########################################
 ##
 ## Allow the specified domain to read
+## and write Apache cache files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apache_rw_cache_files',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ allow $1 httpd_cache_t:file rw_file_perms;
+')
+
+########################################
+##
+## Allow the specified domain to read
 ## apache configuration files.
 ##
 ##
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 8f1bdd5..f012917 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
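Review bot: `apache_rw_cache_files` grants `rw_file_perms` only on `httpd_cache_t:file` and nothing on the `httpd_cache_t` directories, so a caller that reaches the cache by path rather than through an inherited descriptor still fails at directory lookup; the only caller in this patch, `openca_ca_t` in openca.te, gets no such search rule anywhere. If path-based access is intended, add `allow $1 httpd_cache_t:dir search_dir_perms;` next to the file rule, and the caller will additionally need to reach /var/cache (for example via `files_search_var($1)`). If the cache files are meant to arrive only as inherited descriptors, state that in the interface summary so the narrow grant reads as deliberate. The interface is entirely within the hunk.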
@@ -431,6 +431,13 @@ optional_policy(`
 ')
 optional_policy(`
+ openca_domtrans(httpd_t)
+ openca_signal(httpd_t)
+ openca_sigstop(httpd_t)
+ openca_kill(httpd_t)
+')
+
+optional_policy(`
 # Allow httpd to work with postgresql
 postgresql_stream_connect(httpd_t)
 ')
diff --git a/refpolicy/policy/modules/services/openca.fc b/refpolicy/policy/modules/services/openca.fc
new file mode 100644
index 0000000..dc360b9
--- /dev/null
+++ b/refpolicy/policy/modules/services/openca.fc
@@ -0,0 +1,9 @@
+/etc/openca(/.*)? gen_context(system_u:object_r:openca_etc_t,s0)
+/etc/openca/*.\.in(/.*)? gen_context(system_u:object_r:openca_etc_in_t,s0)
+/etc/openca/rbac(/.*)? gen_context(system_u:object_r:openca_etc_writeable_t,s0)
+
+/usr/share/openca(/.*)? gen_context(system_u:object_r:openca_usr_share_t,s0)
+/usr/share/openca/cgi-bin/ca/.+ -- gen_context(system_u:object_r:openca_ca_exec_t,s0)
+
+/var/lib/openca(/.*)? gen_context(system_u:object_r:openca_var_lib_t,s0)
+/var/lib/openca/crypto/keys(/.*)? gen_context(system_u:object_r:openca_var_lib_keys_t,s0)
diff --git a/refpolicy/policy/modules/services/openca.if b/refpolicy/policy/modules/services/openca.if
new file mode 100644
index 0000000..d84d2ed
--- /dev/null
+++ b/refpolicy/policy/modules/services/openca.if
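Review bot: The new `optional_policy` block in apache.te carries no comment saying why `httpd_t` needs a domain transition to OpenCA together with `signal`, `sigstop` and `sigkill` on it, while the neighbouring block documents its purpose (`# Allow httpd to work with postgresql`). Add a line such as `# Allow httpd to run the OpenCA CGI scripts and signal, stop or kill them` above `openca_domtrans(httpd_t)`. Whether httpd really needs `sigkill` in addition to `signal` is not evident from the diff; if that grant was added on suspicion rather than from an observed denial, a short note saying which OpenCA behaviour requires it would help the next reviewer.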
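Review bot: The second openca.fc entry's regex `/etc/openca/*.\.in(/.*)?` does not express "any `.in` file under /etc/openca": `/*` matches zero or more slashes and `.` exactly one character, so only a one-character name followed by `.in` is labelled `openca_etc_in_t`, and any template with a longer name falls back to `openca_etc_t` from the first entry. The intended pattern is most likely `/etc/openca/.*\.in(/.*)? gen_context(system_u:object_r:openca_etc_in_t,s0)`. Note also that openca.te declares `openca_etc_in_t` but grants `openca_ca_t` no access to it, so whichever files do match become unreadable to the CA domain unless a rule is added there.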
@@ -0,0 +1,80 @@
+## OpenCA - Open Certificate Authority
+
+########################################
+##
+## Execute the OpenCA program with
+## a domain transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openca_domtrans',`
+ gen_require(`
+ type openca_ca_t, openca_ca_exec_t, openca_usr_share_t;
+ ')
+
+ domain_auto_trans($1,openca_ca_exec_t,openca_ca_t)
+ allow httpd_t openca_usr_share_t:dir search_dir_perms;
+ files_search_usr(httpd_t)
+
+ allow openca_ca_t $1:fd use;
+ allow openca_ca_t $1:fifo_file rw_file_perms;
+ allow openca_ca_t $1:process sigchld;
+')
+
+########################################
+##
+## Send OpenCA generic signals.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openca_signal',`
+ gen_require(`
+ type openca_ca_t;
+ ')
+
+ allow $1 openca_ca_t:process signal;
+')
+
+########################################
+##
+## Send OpenCA stop signals.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openca_sigstop',`
+ gen_require(`
+ type openca_ca_t;
+ ')
+
+ allow $1 openca_ca_t:process sigstop;
+')
+
+########################################
+##
+## Kill OpenCA.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`openca_kill',`
+ gen_require(`
+ type openca_ca_t;
+ ')
+
+ allow $1 openca_ca_t:process sigkill;
+')
diff --git a/refpolicy/policy/modules/services/openca.te b/refpolicy/policy/modules/services/openca.te
new file mode 100644
index 0000000..04fc293
--- /dev/null
+++ b/refpolicy/policy/modules/services/openca.te
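Review bot: `openca_domtrans` hard-codes `httpd_t` in `allow httpd_t openca_usr_share_t:dir search_dir_perms;` and `files_search_usr(httpd_t)` instead of the caller `$1`, so the interface only works when expanded inside the apache module, and because `httpd_t` is absent from its `gen_require` any other caller would reference an undeclared type. Change the two lines to `allow $1 openca_usr_share_t:dir search_dir_perms;` and `files_search_usr($1)`. The three signal interfaces below already use `$1` consistently, so this is the only place the pattern is broken.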
@@ -0,0 +1,85 @@
+
+policy_module(openca,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type openca_ca_t;
+type openca_ca_exec_t;
+domain_type(openca_ca_t)
+domain_entry_file(openca_ca_t,openca_ca_exec_t)
+role system_r types openca_ca_t;
+
+# cjp: seems like some of these types
+# can be removed and replaced with generic
+# etc or usr files.
+
+# /etc/openca standard files
+type openca_etc_t;
+files_type(openca_etc_t)
+
+# /etc/openca template files
+type openca_etc_in_t;
+files_type(openca_etc_in_t)
+
+# /etc/openca writeable (from CGI script) files
+type openca_etc_writeable_t;
+files_type(openca_etc_writeable_t)
+
+# /usr/share/openca/crypto/keys
+type openca_usr_share_t;
+files_type(openca_usr_share_t)
+
+# /var/lib/openca
+type openca_var_lib_t;
+files_type(openca_var_lib_t)
+
+# /var/lib/openca/crypto/keys
+type openca_var_lib_keys_t;
+files_type(openca_var_lib_keys_t)
+
+########################################
+#
+# Local policy
+#
+
+# Allow access to other files under /etc/openca
+allow openca_ca_t openca_etc_t:file r_file_perms;
+allow openca_ca_t openca_etc_t:dir r_dir_perms;
+
+# Allow access to writeable files under /etc/openca
+allow openca_ca_t openca_etc_writeable_t:file manage_file_perms;
+allow openca_ca_t openca_etc_writeable_t:dir manage_dir_perms;
+
+# Allow access to other /var/lib/openca files
+allow openca_ca_t openca_var_lib_t:file manage_file_perms;
+allow openca_ca_t openca_var_lib_t:dir manage_dir_perms;
+
+# Allow access to private CA key
+allow openca_ca_t openca_var_lib_keys_t:file manage_file_perms;
+allow openca_ca_t openca_var_lib_keys_t:dir manage_dir_perms;
+
+# Allow access to other /usr/share/openca files
+allow openca_ca_t openca_usr_share_t:file r_file_perms;
+allow openca_ca_t openca_usr_share_t:lnk_file r_file_perms;
+allow openca_ca_t openca_usr_share_t:dir r_dir_perms;
+
+# the perl executable will be able to run a perl script
+corecmd_exec_bin(openca_ca_t)
+
+dev_read_rand(openca_ca_t)
+
+files_list_default(openca_ca_t)
+
+init_use_fds(openca_ca_t)
+init_use_script_fds(openca_ca_t)
+
+libs_use_ld_so(openca_ca_t)
+libs_use_shared_libs(openca_ca_t)
+libs_exec_lib_files(openca_ca_t)
+
+apache_append_log(openca_ca_t)
+# Allow the script to return its output
+apache_rw_cache_files(openca_ca_t)
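Review bot: The comment above `type openca_usr_share_t;` reads `# /usr/share/openca/crypto/keys`, but openca.fc labels `/usr/share/openca(/.*)?` with this type and the key material lives under /var/lib/openca as `openca_var_lib_keys_t`; the comment should read `# /usr/share/openca`. The CGI domain is also given `manage_file_perms` and `manage_dir_perms` on `openca_var_lib_keys_t`, which the comment identifies as the private CA key; if key generation happens outside this domain, `r_file_perms` and `r_dir_perms` would stop a misbehaving script from replacing or deleting the key, but whether the CGI itself writes keys is not visible in the diff, so this needs confirming before narrowing. `openca_etc_in_t` is declared and labelled yet no rule in the local policy section refers to it, which leaves the matched files unreadable to `openca_ca_t`. The hunk is the whole new file.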