policy_module(ipa, 1.0.0) ######################################## # # Declarations # attribute ipa_domain; attribute_role ipa_helper_roles; roleattribute system_r ipa_helper_roles; type ipa_otpd_t, ipa_domain; type ipa_otpd_exec_t; init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t) # for oidc_child communication with IdPs corenet_tcp_connect_http_port(ipa_otpd_t) kernel_dgram_send(ipa_otpd_t) allow ipa_otpd_t self:unix_dgram_socket { create getopt setopt }; allow ipa_otpd_t ipa_otpd_exec_t:file execute_no_trans; type ipa_dnskey_t, ipa_domain; type ipa_dnskey_exec_t; init_daemon_domain(ipa_dnskey_t, ipa_dnskey_exec_t) type ipa_ods_exporter_t, ipa_domain; type ipa_ods_exporter_exec_t; init_daemon_domain(ipa_ods_exporter_t, ipa_ods_exporter_exec_t) type ipa_otpd_unit_file_t; systemd_unit_file(ipa_otpd_unit_file_t) type ipa_dnskey_unit_file_t; systemd_unit_file(ipa_dnskey_unit_file_t) type ipa_ods_exporter_unit_file_t; systemd_unit_file(ipa_ods_exporter_unit_file_t) type ipa_log_t; logging_log_file(ipa_log_t) type ipa_var_lib_t; files_type(ipa_var_lib_t) type ipa_var_run_t; files_pid_file(ipa_var_run_t) type ipa_helper_t; type ipa_helper_exec_t; domain_type(ipa_helper_t) domain_obj_id_change_exemption(ipa_helper_t) init_system_domain(ipa_helper_t, ipa_helper_exec_t) role ipa_helper_roles types ipa_helper_t; type ipa_cert_t; miscfiles_cert_type(ipa_cert_t) type ipa_tmp_t; files_tmp_file(ipa_tmp_t) type ipa_custodia_t; type ipa_custodia_exec_t; init_daemon_domain(ipa_custodia_t, ipa_custodia_exec_t) type ipa_custodia_dmldap_exec_t; init_script_file(ipa_custodia_dmldap_exec_t) type ipa_custodia_pki_tomcat_exec_t; init_script_file(ipa_custodia_pki_tomcat_exec_t) type ipa_custodia_pki_tomcat_t; type ipa_custodia_ra_agent_exec_t; init_script_file(ipa_custodia_ra_agent_exec_t) type ipa_custodia_log_t; logging_log_file(ipa_custodia_log_t) type ipa_custodia_tmp_t; files_tmp_file(ipa_custodia_tmp_t) type ipa_pki_retrieve_key_exec_t; type ipa_pki_retrieve_key_t; domain_type(ipa_pki_retrieve_key_t) init_script_file(ipa_pki_retrieve_key_exec_t) ######################################## # # ipa_otpd local policy # allow ipa_otpd_t self:capability2 block_suspend; allow ipa_otpd_t self:fifo_file rw_fifo_file_perms; allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms; read_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t) read_lnk_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t) manage_dirs_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t) manage_files_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t) files_pid_filetrans(ipa_otpd_t, ipa_var_run_t, file) corenet_tcp_connect_radius_port(ipa_otpd_t) dev_read_urand(ipa_otpd_t) dev_read_rand(ipa_otpd_t) sysnet_dns_name_resolve(ipa_otpd_t) optional_policy(` dirsrv_stream_connect(ipa_otpd_t) ') optional_policy(` kerberos_use(ipa_otpd_t) ') optional_policy(` sssd_stream_connect(ipa_otpd_t) ') logging_send_syslog_msg(ipa_otpd_t) ######################################## # # password policy local policy # optional_policy(` gen_require(` type kadmind_t; type crack_db_t; class file getattr; class file open; class file read; class dir search; ') allow kadmind_t crack_db_t:file { getattr open read }; allow kadmind_t crack_db_t:dir search; ') ######################################## # # ipa-helper local policy # allow ipa_helper_t self:capability { chown dac_override dac_read_search net_admin }; seutil_read_config(ipa_helper_t) #kernel bug dontaudit ipa_helper_t self:capability2 block_suspend; allow ipa_helper_t self:process setfscreate; allow ipa_helper_t self:fifo_file rw_fifo_file_perms; allow ipa_helper_t self:netlink_route_socket r_netlink_socket_perms; manage_files_pattern(ipa_helper_t, ipa_log_t, ipa_log_t) logging_log_filetrans(ipa_helper_t, ipa_log_t, file) manage_dirs_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t) manage_files_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t) files_pid_filetrans(ipa_helper_t, ipa_var_run_t, { dir file }) manage_files_pattern(ipa_helper_t, ipa_tmp_t, ipa_tmp_t) files_tmp_filetrans(ipa_helper_t, ipa_tmp_t, { file }) kernel_read_system_state(ipa_helper_t) kernel_read_network_state(ipa_helper_t) corenet_tcp_connect_ldap_port(ipa_helper_t) corenet_tcp_connect_smbd_port(ipa_helper_t) corenet_tcp_connect_http_port(ipa_helper_t) corenet_tcp_connect_kerberos_password_port(ipa_helper_t) corecmd_exec_bin(ipa_helper_t) corecmd_exec_shell(ipa_helper_t) dev_read_urand(ipa_helper_t) auth_use_nsswitch(ipa_helper_t) files_list_tmp(ipa_helper_t) init_read_state(ipa_helper_t) init_stream_connect(ipa_helper_t) ipa_manage_pid_files(ipa_helper_t) ipa_read_lib(ipa_helper_t) logging_send_syslog_msg(ipa_helper_t) optional_policy(` dirsrv_stream_connect(ipa_helper_t) ') optional_policy(` dirsrv_systemctl(ipa_helper_t) ') optional_policy(` ldap_stream_connect(ipa_helper_t) ') optional_policy(` libs_exec_ldconfig(ipa_helper_t) ') optional_policy(` kerberos_read_keytab(ipa_helper_t) ') optional_policy(` oddjob_system_entry(ipa_helper_t, ipa_helper_exec_t) ') optional_policy(` rpm_read_db(ipa_helper_t) ') optional_policy(` samba_read_config(ipa_helper_t) ') optional_policy(` sssd_manage_lib_files(ipa_helper_t) sssd_systemctl(ipa_helper_t) ') ######################################## # # ipa-dnskey local policy # allow ipa_dnskey_t self:tcp_socket create_stream_socket_perms; allow ipa_dnskey_t self:udp_socket create_socket_perms; allow ipa_dnskey_t self:unix_dgram_socket create_socket_perms; allow ipa_dnskey_t self:netlink_route_socket { create_netlink_socket_perms nlmsg_read }; read_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t) read_lnk_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t) manage_files_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t) setattr_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t) list_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t) manage_files_pattern(ipa_dnskey_t, ipa_tmp_t, ipa_tmp_t) files_tmp_filetrans(ipa_dnskey_t, ipa_tmp_t, { file }) kernel_dgram_send(ipa_dnskey_t) kernel_read_system_state(ipa_dnskey_t) kernel_read_network_state(ipa_dnskey_t) auth_use_nsswitch(ipa_dnskey_t) corecmd_exec_bin(ipa_dnskey_t) corecmd_exec_shell(ipa_dnskey_t) corenet_tcp_bind_generic_node(ipa_dnskey_t) corenet_tcp_connect_kerberos_port(ipa_dnskey_t) corenet_tcp_connect_rndc_port(ipa_dnskey_t) dev_read_rand(ipa_dnskey_t) can_exec(ipa_dnskey_t,ipa_dnskey_exec_t) libs_exec_ldconfig(ipa_dnskey_t) logging_send_syslog_msg(ipa_dnskey_t) miscfiles_read_generic_certs(ipa_dnskey_t) sysnet_read_config(ipa_dnskey_t) optional_policy(` apache_search_config(ipa_dnskey_t) ') optional_policy(` bind_domtrans_ndc(ipa_dnskey_t) bind_read_dnssec_keys(ipa_dnskey_t) bind_manage_zone(ipa_dnskey_t) bind_manage_zone_dirs(ipa_dnskey_t) bind_search_cache(ipa_dnskey_t) ') optional_policy(` dirsrv_stream_connect(ipa_dnskey_t) ') optional_policy(` kerberos_read_keytab(ipa_dnskey_t) ') optional_policy(` opendnssec_domtrans(ipa_dnskey_t) opendnssec_manage_config(ipa_dnskey_t) opendnssec_manage_var_files(ipa_dnskey_t) opendnssec_filetrans_etc_content(ipa_dnskey_t) opendnssec_stream_connect(ipa_dnskey_t) ') ######################################## # # ipa-ods-exporter local policy # allow ipa_ods_exporter_t self:netlink_route_socket { bind create getattr nlmsg_read }; allow ipa_ods_exporter_t self:udp_socket { connect create getattr }; allow ipa_ods_exporter_t self:unix_dgram_socket { create getopt setopt }; manage_files_pattern(ipa_ods_exporter_t, ipa_var_lib_t, ipa_var_lib_t) list_dirs_pattern(ipa_ods_exporter_t, ipa_var_lib_t, ipa_var_lib_t) manage_files_pattern(ipa_ods_exporter_t, ipa_tmp_t, ipa_tmp_t) manage_dirs_pattern(ipa_ods_exporter_t, ipa_tmp_t, ipa_tmp_t) files_tmp_filetrans(ipa_ods_exporter_t, ipa_tmp_t, { dir file }) kernel_dgram_send(ipa_ods_exporter_t) auth_use_nsswitch(ipa_ods_exporter_t) corecmd_exec_bin(ipa_ods_exporter_t) corecmd_exec_shell(ipa_ods_exporter_t) libs_exec_ldconfig(ipa_ods_exporter_t) logging_send_syslog_msg(ipa_ods_exporter_t) miscfiles_read_generic_certs(ipa_ods_exporter_t) sysnet_read_config(ipa_ods_exporter_t) optional_policy(` bind_search_cache(ipa_ods_exporter_t) ') optional_policy(` dirsrv_stream_connect(ipa_ods_exporter_t) ') optional_policy(` kerberos_read_keytab(ipa_ods_exporter_t) ') optional_policy(` opendnssec_manage_var_files(ipa_ods_exporter_t) opendnssec_stream_connect(ipa_ods_exporter_t) ') optional_policy(` ldap_stream_connect(ipa_ods_exporter_t) ') ######################################## # # ipa_custodia local policy # allow ipa_custodia_t self:capability { setgid setuid }; allow ipa_custodia_t self:fifo_file rw_fifo_file_perms; allow ipa_custodia_t self:netlink_route_socket { create_socket_perms nlmsg_read }; allow ipa_custodia_t self:process execmem; allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms; allow ipa_custodia_t self:unix_dgram_socket create_socket_perms; allow ipa_custodia_t self:tcp_socket { bind create }; allow ipa_custodia_t self:udp_socket create_socket_perms; manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t) manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t) logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file }) manage_dirs_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t) manage_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t) mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t) files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file }) kernel_dgram_send(ipa_custodia_t) kernel_read_network_state(ipa_custodia_t) kernel_read_system_state(ipa_custodia_t) auth_read_passwd(ipa_custodia_t) can_exec(ipa_custodia_t, ipa_custodia_dmldap_exec_t) can_exec(ipa_custodia_t, ipa_custodia_pki_tomcat_exec_t) can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t) corecmd_exec_bin(ipa_custodia_t) corecmd_mmap_bin_files(ipa_custodia_t) dev_read_urand(ipa_custodia_t) dev_read_rand(ipa_custodia_t) dev_read_sysfs(ipa_custodia_t) domain_use_interactive_fds(ipa_custodia_t) files_mmap_usr_files(ipa_custodia_t) fs_getattr_xattr_fs(ipa_custodia_t) files_read_etc_files(ipa_custodia_t) libs_exec_ldconfig(ipa_custodia_t) libs_ldconfig_exec_entry_type(ipa_custodia_t) logging_send_syslog_msg(ipa_custodia_t) miscfiles_read_generic_certs(ipa_custodia_t) miscfiles_read_localization(ipa_custodia_t) sysnet_read_config(ipa_custodia_t) optional_policy(` apache_search_config(ipa_custodia_t) apache_systemctl(ipa_custodia_t) apache_manage_pid_files(ipa_custodia_t) ') optional_policy(` dirsrv_manage_var_run(ipa_custodia_t) dirsrv_stream_connect(ipa_custodia_t) ') optional_policy(` ipa_read_lib(ipa_custodia_t) ipa_search_lib(ipa_custodia_t) ') optional_policy(` gen_require(` #selint-disable:S-001 type httpd_t; ') ipa_custodia_stream_connect(httpd_t) ') optional_policy(` pki_manage_tomcat_etc_rw(ipa_custodia_t) pki_read_tomcat_cert(ipa_custodia_t) pki_rw_tomcat_cert(ipa_custodia_t) ') optional_policy(` sssd_read_public_files(ipa_custodia_t) sssd_run_stream_connect(ipa_custodia_t) sssd_search_lib(ipa_custodia_t) sssd_stream_connect(ipa_custodia_t) ') optional_policy(` systemd_private_tmp(ipa_custodia_tmp_t) ') optional_policy(` gen_require(` #selint-disable:S-001 type tomcat_t; ') can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t) pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_t) ') optional_policy(` gen_require(` #selint-disable:S-001 type devlog_t; ') dontaudit ipa_custodia_t devlog_t:lnk_file read_lnk_file_perms; ') optional_policy(` java_exec(ipa_custodia_pki_tomcat_t) # allow Java to read system status and RNG ') optional_policy(` gen_require(` #selint-disable:S-001 type tomcat_t; ') kerberos_read_config(tomcat_t) kerberos_read_keytab(tomcat_t) ') optional_policy(` gen_require(` #selint-disable:S-001 type node_t; ') allow ipa_custodia_t node_t:tcp_socket node_bind; ') optional_policy(` gen_require(` #selint-disable:S-001 type pki_tomcat_cert_t; ') allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name; allow ipa_custodia_t pki_tomcat_cert_t:file create; allow ipa_custodia_t pki_tomcat_cert_t:file unlink; ') optional_policy(` gen_require(` #selint-disable:S-001 type oddjob_t; ') ipa_helper_noatsecure(oddjob_t) ')