##
## Allow apache scripts to write to public content, directories/files must be labeled public_rw_content_t.
@@ -1820,3 +1827,11 @@ optional_policy(`
')
')
+optional_policy(`
+ tunable_policy(`httpd_use_opencryptoki',`
+ dev_rw_crypto(httpd_passwd_t)
+ pkcs_manage_lock(httpd_passwd_t)
+
+ pkcs_use_opencryptoki(httpd_t)
+ ')
+')
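Review bot: The new tunable_policy block tests `httpd_use_opencryptoki`, but no `gen_tunable(httpd_use_opencryptoki, false)` declaration with its `## <desc>` documentation appears in this hunk; unless it is added elsewhere in the commit, the undeclared boolean will fail the policy build. Its default should stay off, because `pkcs_use_opencryptoki(httpd_t)` hands httpd_t the fsetid capability plus manage access to the opencryptoki lock and var_lib data, which is a grant an administrator should opt into per host. The `httpd_passwd_t` lines receive only `dev_rw_crypto` and `pkcs_manage_lock` rather than the full `pkcs_use_opencryptoki` set, so if that domain is also expected to talk to pkcsslotd (shared memory, stream socket) it will be denied; worth confirming against the intended use before the boolean is documented.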
diff --git a/pkcs.if b/pkcs.if
index 2d7b3f656c..c420ac1ce7 100644
--- a/pkcs.if
+++ b/pkcs.if
@@ -1,5 +1,154 @@
## Implementations of the Cryptoki specification.
+########################################
+##
+## Read pkcs lock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pkcs_read_lock',`
+ gen_require(`
+ type pkcs_slotd_lock_t;
+ ')
+
+ files_search_locks($1)
+ list_dirs_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
+ read_files_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## pkcs lock files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pkcs_manage_lock',`
+ gen_require(`
+ type pkcs_slotd_lock_t;
+ ')
+
+ files_search_locks($1)
+ manage_files_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
+ manage_dirs_pattern($1, pkcs_slotd_lock_t, pkcs_slotd_lock_t)
+')
+
+########################################
+##
+## Read and write pkcs Shared
+## memory segments.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pkcs_rw_shm',`
+ gen_require(`
+ type pkcs_t;
+ ')
+
+ allow $1 pkcs_slotd_t:shm rw_shm_perms;
+')
+
+########################################
+##
+## Connect to pkcs using a unix
+## domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pkcs_stream_connect',`
+ gen_require(`
+ type pkcs_slotd_t, pkcs_slotd_var_run_t;
+ ')
+
+ files_search_var_lib($1)
+ stream_connect_pattern($1, pkcs_slotd_var_run_t, pkcs_slotd_var_run_t, pkcs_slotd_t)
+')
+
+########################################
+##
+## Manage pkcs var_lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pkcs_manage_var_lib',`
+ gen_require(`
+ type pkcs_slotd_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+ manage_files_pattern($1, pkcs_slotd_var_lib_t, pkcs_slotd_var_lib_t)
+')
+
+########################################
+##
+## Get attributes of pkcs executable files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pkcs_getattr_exec_files',`
+ gen_require(`
+ type pkcs_slotd_exec_t;
+ ')
+
+ allow $1 pkcs_slotd_exec_t:file getattr_file_perms;
+')
+
+########################################
+##
+## Use opencryptoki services
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pkcs_use_opencryptoki',`
+ gen_require(`
+ type pkcs_slotd_t;
+ ')
+
+ allow $1 self:capability fsetid;
+ allow pkcs_slotd_t $1:process signull;
+
+ kernel_search_proc($1)
+ ps_process_pattern(pkcs_slotd_t, $1)
+
+ dev_rw_crypto($1)
+
+ pkcs_getattr_exec_files($1)
+ pkcs_manage_lock($1)
+ pkcs_rw_shm($1)
+ pkcs_stream_connect($1)
+ pkcs_manage_var_lib($1)
+
+')
+
########################################
##
## All of the rules required to
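Review bot: `pkcs_rw_shm` lists `type pkcs_t;` in its gen_require, but the allow rule that follows grants `pkcs_slotd_t:shm rw_shm_perms`, so the interface either fails to compile if pkcs_t is not declared or requires the wrong type while using an unrequired one; the require block should read `type pkcs_slotd_t;`. Separately, `pkcs_stream_connect` calls `files_search_var_lib($1)` while the socket it connects to is `pkcs_slotd_var_run_t`; if that type is labeled under /run, callers need `files_search_pids($1)` to traverse to the socket and the var_lib search does nothing for them, so this should be checked against the module's file contexts. `pkcs_use_opencryptoki` also gives the caller `self:capability fsetid` and manage rights over the lock and var_lib types, which is broad for a generic "use" interface; a line in its header such as `## fsetid is required by the opencryptoki library when writing token data; callers gain manage access to lock and var_lib data` would let reviewers of callers judge the grant, and the stray blank line before its closing `')` can be dropped.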
diff --git a/sssd.te b/sssd.te
index a819998045..f03841b6c2 100644
--- a/sssd.te
+++ b/sssd.te
@@ -177,6 +177,10 @@ optional_policy(`
ldap_read_certs(sssd_t)
')
+optional_policy(`
+ pkcs_read_lock(sssd_t)
+')
+
optional_policy(`
samba_manage_var_dirs(sssd_t)
samba_manage_var_files(sssd_t)