From b7a4380491cace9b7579e5f1c47de1f310c45488 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 13 2008 19:26:55 +0000 Subject: - Add pki policy --- diff --git a/modules-targeted.conf b/modules-targeted.conf index 208e679..b38bced 100644 --- a/modules-targeted.conf +++ b/modules-targeted.conf @@ -1584,3 +1584,9 @@ prelude = module # openoffice executable # openoffice = base + +# Layer: services +# Module: pki +# +# +pki = module diff --git a/policy-20070703.patch b/policy-20070703.patch index 8baff44..9dbc5a1 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -4968,7 +4968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-06-12 23:37:56.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-10-20 16:22:16.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-11-13 14:23:10.000000000 -0500 @@ -55,6 +55,11 @@ type reserved_port_t, port_type, reserved_port_type; 
@@ -5031,10 +5031,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(nessus, tcp,1241,s0) network_port(netsupport, tcp,5405,s0, udp,5405,s0) network_port(nmbd, udp,137,s0, udp,138,s0) -@@ -122,10 +136,12 @@ +@@ -122,10 +136,18 @@ network_port(openvpn, tcp,1194,s0, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) ++network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0) ++network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0) ++network_port(pki_ospc, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0) ++network_port(pki_tks, tcp, 13180, s0, tcp, 13701, s0, tcp, 13443, s0, tcp, 13444, s0, tcp, 13445, s0) ++network_port(pki_ra, tcp, 12888, s0, tcp, 12889, s0) ++network_port(pki_tps, tcp, 7888, s0, tcp, 7889, s0) +network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) @@ -5044,7 +5050,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) -@@ -137,16 +153,16 @@ +@@ -137,16 +159,16 @@ network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) network_port(rndc, tcp,953,s0) 
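Review bot: The third added `network_port` line declares the port as `pki_ospc`, while the rest of the commit spells the service `pki_ocsp`. `pki_ca_template` (added in a later hunk) lists `type $1_port_t;` in its `gen_require`, so `pki_ca_template(pki_ocsp)` needs `pki_ocsp_port_t`, which this declaration does not create. The line should read `network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)`. The same template also calls `corenet_tcp_bind_ocsp_port` and `corenet_tcp_connect_ocsp_port`, and no port named `ocsp` is declared in the lines visible here, so confirm one exists elsewhere in corenetwork.te.in.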
@@ -5064,7 +5070,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp -@@ -154,19 +170,26 @@ +@@ -154,19 +176,26 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) 
@@ -15218,6 +15224,818 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pega rpm_exec(pegasus_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.fc serefpolicy-3.0.8/policy/modules/services/pki.fc +--- nsaserefpolicy/policy/modules/services/pki.fc 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/pki.fc 2008-11-13 14:23:53.000000000 -0500 +@@ -0,0 +1,66 @@ ++ ++/usr/bin/dtomcat5-pki-ca -- gen_context(system_u:object_r:pki_ca_exec_t,s0) ++ ++/etc/init.d/pki-ca -- gen_context(system_u:object_r:pki_ca_script_exec_t,s0) ++ ++/etc/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_etc_rw_t,s0) ++/etc/pki-ca/tomcat5.conf -- gen_context(system_u:object_r:pki_ca_tomcat_exec_t,s0) ++ ++/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_var_lib_t,s0) ++ ++/var/run/pki-ca.pid gen_context(system_u:object_r:pki_ca_var_run_t,s0) ++ ++/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_ca_log_t,s0) ++ ++/usr/bin/dtomcat5-pki-kra -- gen_context(system_u:object_r:pki_kra_exec_t,s0) ++ ++/etc/init.d/pki-kra -- gen_context(system_u:object_r:pki_kra_script_exec_t,s0) ++ ++/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_etc_rw_t,s0) ++/etc/pki-kra/tomcat5.conf -- gen_context(system_u:object_r:pki_kra_tomcat_exec_t,s0) ++ ++/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_var_lib_t,s0) ++ ++/var/run/pki-kra.pid gen_context(system_u:object_r:pki_kra_var_run_t,s0) ++ ++/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_kra_log_t,s0) ++ ++/usr/bin/dtomcat5-pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_exec_t,s0) ++ ++/etc/init.d/pki-ocsp -- gen_context(system_u:object_r:pki_ocsp_script_exec_t,s0) ++ ++/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_etc_rw_t,s0) ++/etc/pki-ocsp/tomcat5.conf -- gen_context(system_u:object_r:pki_ocsp_tomcat_exec_t,s0) ++ ++/var/lib/pki-ocsp(/.*)? 
gen_context(system_u:object_r:pki_ocsp_var_lib_t,s0) ++ ++/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_ocsp_var_run_t,s0) ++ ++/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_ocsp_log_t,s0) ++ ++/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) ++/etc/init.d/pki-ra -- gen_context(system_u:object_r:pki_ra_script_exec_t,s0) ++/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) ++/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0) ++/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0) ++ ++ ++/usr/bin/dtomcat5-pki-tks -- gen_context(system_u:object_r:pki_tks_exec_t,s0) ++ ++/etc/init.d/pki-tks -- gen_context(system_u:object_r:pki_tks_script_exec_t,s0) ++ ++/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_etc_rw_t,s0) ++/etc/pki-tks/tomcat5.conf -- gen_context(system_u:object_r:pki_tks_tomcat_exec_t,s0) ++ ++/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_var_lib_t,s0) ++ ++/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tks_var_run_t,s0) ++ ++/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_log_t,s0) ++ ++/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) ++/etc/init.d/pki-tps -- gen_context(system_u:object_r:pki_tps_script_exec_t,s0) ++/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0) ++/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0) ++/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0) ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.if serefpolicy-3.0.8/policy/modules/services/pki.if +--- nsaserefpolicy/policy/modules/services/pki.if 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/pki.if 2008-11-13 14:23:53.000000000 -0500 +@@ -0,0 +1,643 @@ ++ ++## policy for pki ++ ++######################################## ++## ++## Execute pki_ca server in the pki_ca domain. 
++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`pki_ca_script_domtrans',` ++ gen_require(` ++ attribute pki_ca_script; ++ ') ++ ++ init_script_domtrans_spec($1,pki_ca_script) ++') ++ ++######################################## ++## ++## Create a set of derived types for apache ++## web content. ++## ++## ++## ++## The prefix to be used for deriving type names. ++## ++## ++# ++template(`pki_ca_template',` ++ gen_require(` ++ attribute pki_ca_process; ++ attribute pki_ca_config, pki_ca_var_lib, pki_ca_var_run; ++ attribute pki_ca_executable, pki_ca_script, pki_ca_var_log; ++ type pki_ca_tomcat_exec_t; ++ type $1_port_t; ++ ') ++ ######################################## ++ # ++ # Declarations ++ # ++ ++ type $1_t, pki_ca_process; ++ type $1_exec_t, pki_ca_executable; ++ domain_type($1_t) ++ init_daemon_domain($1_t, $1_exec_t) ++ ++ type $1_script_exec_t, pki_ca_script; ++ init_script_file($1_script_exec_t) ++ ++ type $1_etc_rw_t, pki_ca_config; ++ files_type($1_etc_rw_t) ++ ++ type $1_var_run_t, pki_ca_var_run; ++ files_pid_file($1_var_run_t) ++ ++ type $1_var_lib_t, pki_ca_var_lib; ++ files_type($1_var_lib_t) ++ ++ type $1_log_t, pki_ca_var_log; ++ logging_log_file($1_log_t) ++ ++ ######################################## ++ # ++ # $1 local policy ++ # ++ ++ # Execstack/execmem caused by java app. ++ allow $1_t self:process { execstack execmem getsched setsched }; ++ ++ ## internal communication is often done using fifo and unix sockets. 
++ allow $1_t self:fifo_file rw_file_perms; ++ allow $1_t self:unix_stream_socket create_stream_socket_perms; ++ allow $1_t self:tcp_socket create_stream_socket_perms; ++ allow $1_t self:process signull; ++ ++ allow $1_t $1_port_t:tcp_socket {name_bind name_connect}; ++ ++ corenet_all_recvfrom_unlabeled($1_t) ++ corenet_tcp_sendrecv_all_if($1_t) ++ corenet_tcp_sendrecv_all_nodes($1_t) ++ corenet_tcp_sendrecv_all_ports($1_t) ++ ++ corenet_tcp_bind_all_nodes($1_t) ++ corenet_tcp_bind_ocsp_port($1_t) ++ corenet_tcp_connect_ocsp_port($1_t) ++ ++ # This is for /etc/$1/tomcat.conf: ++ can_exec($1_t, pki_ca_tomcat_exec_t) ++ ++ # Init script handling ++ domain_use_interactive_fds($1_t) ++ ++ files_read_etc_files($1_t) ++ ++ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) ++ ++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ files_pid_filetrans($1_t,$1_var_run_t, { file dir }) ++ ++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } ) ++ ++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t) ++ manage_files_pattern($1_t, $1_log_t, $1_log_t) ++ logging_log_filetrans($1_t, $1_log_t, { file dir } ) ++ ++ corecmd_exec_bin($1_t) ++ corecmd_read_bin_symlinks($1_t) ++ corecmd_exec_shell($1_t) ++ ++ dev_list_sysfs($1_t) ++ dev_read_rand($1_t) ++ dev_read_urand($1_t) ++ ++ # Java is looking in /tmp for some reason...: ++ files_manage_generic_tmp_dirs($1_t) ++ files_manage_generic_tmp_files($1_t) ++ files_read_usr_files($1_t) ++ files_read_usr_symlinks($1_t) ++ # These are used to read tomcat class files in /var/lib/tomcat ++ files_read_var_lib_files($1_t) ++ files_read_var_lib_symlinks($1_t) ++ ++ kernel_read_network_state($1_t) ++ 
kernel_read_system_state($1_t) ++ kernel_search_network_state($1_t) ++ # audit2allow ++ kernel_signull_unlabeled($1_t) ++ ++ auth_use_nsswitch($1_t) ++ ++ init_dontaudit_write_utmp($1_t) ++ ++ libs_use_ld_so($1_t) ++ libs_use_shared_libs($1_t) ++ ++ miscfiles_read_localization($1_t) ++ ++ ifdef(`targeted_policy',` ++ term_dontaudit_use_unallocated_ttys($1_t) ++ term_dontaudit_use_generic_ptys($1_t) ++ ') ++ ++#This is broken in selinux-policy we need java_exec defined, Will add to policy ++ gen_require(` ++ type java_exec_t; ++ ') ++ can_exec($1_t, java_exec_t) ++ ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pki_ca environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`pki_ca_admin',` ++ gen_require(` ++ type pki_ca_tomcat_exec_t; ++ attribute pki_ca_process; ++ attribute pki_ca_config; ++ attribute pki_ca_executable; ++ attribute pki_ca_var_lib; ++ attribute pki_ca_var_log; ++ attribute pki_ca_var_run; ++ attribute pki_ca_pidfiles; ++ attribute pki_ca_script; ++ ') ++ ++ allow $1 pki_ca_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_ca_t) ++ ++ # Allow pki_ca_t to restart the service ++ pki_ca_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_ca_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_ca_config) ++ manage_all_pattern($1, pki_ca_var_run) ++ manage_all_pattern($1, pki_ca_var_lib) ++ manage_all_pattern($1, pki_ca_var_log) ++ manage_all_pattern($1, pki_ca_config) ++ manage_all_pattern($1, pki_ca_tomcat_exec_t) ++') ++ ++######################################## ++## ++## Execute pki_kra server in the pki_kra domain. ++## ++## ++## ++## The type of the process performing this action. 
++## ++## ++# ++interface(`pki_kra_script_domtrans',` ++ gen_require(` ++ attribute pki_kra_script; ++ ') ++ ++ init_script_domtrans_spec($1,pki_kra_script) ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pki_kra environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`pki_kra_admin',` ++ gen_require(` ++ type pki_kra_tomcat_exec_t; ++ attribute pki_kra_process; ++ attribute pki_kra_config; ++ attribute pki_kra_executable; ++ attribute pki_kra_var_lib; ++ attribute pki_kra_var_log; ++ attribute pki_kra_var_run; ++ attribute pki_kra_pidfiles; ++ attribute pki_kra_script; ++ ') ++ ++ allow $1 pki_kra_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_kra_t) ++ ++ # Allow pki_kra_t to restart the service ++ pki_kra_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_kra_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_kra_config) ++ manage_all_pattern($1, pki_kra_var_run) ++ manage_all_pattern($1, pki_kra_var_lib) ++ manage_all_pattern($1, pki_kra_var_log) ++ manage_all_pattern($1, pki_kra_config) ++ manage_all_pattern($1, pki_kra_tomcat_exec_t) ++') ++ ++######################################## ++## ++## Execute pki_ocsp server in the pki_ocsp domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`pki_ocsp_script_domtrans',` ++ gen_require(` ++ attribute pki_ocsp_script; ++ ') ++ ++ init_script_domtrans_spec($1,pki_ocsp_script) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pki_ocsp environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. 
++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`pki_ocsp_admin',` ++ gen_require(` ++ type pki_ocsp_tomcat_exec_t; ++ attribute pki_ocsp_process; ++ attribute pki_ocsp_config; ++ attribute pki_ocsp_executable; ++ attribute pki_ocsp_var_lib; ++ attribute pki_ocsp_var_log; ++ attribute pki_ocsp_var_run; ++ attribute pki_ocsp_pidfiles; ++ attribute pki_ocsp_script; ++ ') ++ ++ allow $1 pki_ocsp_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_ocsp_t) ++ ++ # Allow pki_ocsp_t to restart the service ++ pki_ocsp_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_ocsp_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_ocsp_config) ++ manage_all_pattern($1, pki_ocsp_var_run) ++ manage_all_pattern($1, pki_ocsp_var_lib) ++ manage_all_pattern($1, pki_ocsp_var_log) ++ manage_all_pattern($1, pki_ocsp_config) ++ manage_all_pattern($1, pki_ocsp_tomcat_exec_t) ++') ++ ++######################################## ++## ++## Execute pki_ra server in the pki_ra domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`pki_ra_script_domtrans',` ++ gen_require(` ++ attribute pki_ra_script; ++ ') ++ ++ init_script_domtrans_spec($1,pki_ra_script) ++') ++ ++######################################## ++## ++## Create a set of derived types for apache ++## web content. ++## ++## ++## ++## The prefix to be used for deriving type names. 
++## ++## ++# ++template(`pki_ra_template',` ++ gen_require(` ++ attribute pki_ra_process; ++ attribute pki_ra_config, pki_ra_var_lib; ++ attribute pki_ra_executable, pki_ra_script, pki_ra_var_log; ++ ') ++ ######################################## ++ # ++ # Declarations ++ # ++ ++ type $1_t, pki_ra_process; ++ type $1_exec_t, pki_ra_executable; ++ domain_type($1_t) ++ init_daemon_domain($1_t, $1_exec_t) ++ ++ type $1_script_exec_t, pki_ra_script; ++ init_script_file($1_script_exec_t) ++ ++ type $1_etc_rw_t, pki_ra_config; ++ files_type($1_etc_rw_t) ++ ++ type $1_var_lib_t, pki_ra_var_lib; ++ files_type($1_var_lib_t) ++ ++ type $1_log_t, pki_ra_var_log; ++ logging_log_file($1_log_t) ++ ++ ######################################## ++ # ++ # $1 local policy ++ # ++ ++ ## internal communication is often done using fifo and unix sockets. ++ allow $1_t self:fifo_file rw_file_perms; ++ allow $1_t self:unix_stream_socket create_stream_socket_perms; ++ ++ # Init script handling ++ domain_use_interactive_fds($1_t) ++ ++ files_read_etc_files($1_t) ++ ++ manage_dirs_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t) ++ files_etc_filetrans($1_t,$1_etc_rw_t, { file dir }) ++ ++ manage_dirs_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ manage_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t) ++ files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } ) ++ ++ manage_dirs_pattern($1_t, $1_log_t, $1_log_t) ++ manage_files_pattern($1_t, $1_log_t, $1_log_t) ++ logging_log_filetrans($1_t, $1_log_t, { file dir } ) ++ ++ init_dontaudit_write_utmp($1_t) ++ ++ libs_use_ld_so($1_t) ++ libs_use_shared_libs($1_t) ++ ++ miscfiles_read_localization($1_t) ++ ++ ifdef(`targeted_policy',` ++ term_dontaudit_use_unallocated_ttys($1_t) ++ term_dontaudit_use_generic_ptys($1_t) ++ ') ++ ++ gen_require(` ++ type httpd_t; ++ ') ++ ++ allow httpd_t pki_ra_etc_rw_t:file { read getattr }; ++ allow httpd_t 
pki_ra_log_t:file read; ++ allow httpd_t pki_ra_var_lib_t:lnk_file read; ++ ++ ++') ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pki_ra environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. ++## ++## ++## ++# ++interface(`pki_ra_admin',` ++ gen_require(` ++ attribute pki_ra_process; ++ attribute pki_ra_config; ++ attribute pki_ra_executable; ++ attribute pki_ra_var_lib; ++ attribute pki_ra_var_log; ++ attribute pki_ra_script; ++ ') ++ ++ allow $1 pki_ra_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_ra_t) ++ ++ # Allow pki_ra_t to restart the service ++ pki_ra_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_ra_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_ra_config) ++ manage_all_pattern($1, pki_ra_var_lib) ++ manage_all_pattern($1, pki_ra_var_log) ++ manage_all_pattern($1, pki_ra_config) ++') ++ ++######################################## ++## ++## Execute pki_tks server in the pki_tks domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`pki_tks_script_domtrans',` ++ gen_require(` ++ attribute pki_tks_script; ++ ') ++ ++ init_script_domtrans_spec($1,pki_tks_script) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pki_tks environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. 
++## ++## ++## ++# ++interface(`pki_tks_admin',` ++ gen_require(` ++ type pki_tks_tomcat_exec_t; ++ attribute pki_tks_process; ++ attribute pki_tks_config; ++ attribute pki_tks_executable; ++ attribute pki_tks_var_lib; ++ attribute pki_tks_var_log; ++ attribute pki_tks_var_run; ++ attribute pki_tks_pidfiles; ++ attribute pki_tks_script; ++ ') ++ ++ allow $1 pki_tks_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_tks_t) ++ ++ # Allow pki_tks_t to restart the service ++ pki_tks_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_tks_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_tks_config) ++ manage_all_pattern($1, pki_tks_var_run) ++ manage_all_pattern($1, pki_tks_var_lib) ++ manage_all_pattern($1, pki_tks_var_log) ++ manage_all_pattern($1, pki_tks_config) ++ manage_all_pattern($1, pki_tks_tomcat_exec_t) ++') ++ ++######################################## ++## ++## Execute pki_tps server in the pki_tps domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`pki_tps_script_domtrans',` ++ gen_require(` ++ attribute pki_tps_script; ++ ') ++ ++ init_script_domtrans_spec($1,pki_tps_script) ++') ++ ++ ++######################################## ++## ++## All of the rules required to administrate ++## an pki_tps environment ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## The role to be allowed to manage the syslog domain. ++## ++## ++## ++## ++## The type of the user terminal. 
++## ++## ++## ++# ++interface(`pki_tps_admin',` ++ gen_require(` ++ attribute pki_tps_process; ++ attribute pki_tps_config; ++ attribute pki_tps_executable; ++ attribute pki_tps_var_lib; ++ attribute pki_tps_var_log; ++ attribute pki_tps_script; ++ ') ++ ++ allow $1 pki_tps_process:process { ptrace signal_perms }; ++ ps_process_pattern($1, pki_tps_t) ++ ++ # Allow pki_tps_t to restart the service ++ pki_tps_script_domtrans($1) ++ domain_system_change_exemption($1) ++ role_transition $2 pki_tps_script system_r; ++ allow $2 system_r; ++ ++ manage_all_pattern($1, pki_tps_config) ++ manage_all_pattern($1, pki_tps_var_lib) ++ manage_all_pattern($1, pki_tps_var_log) ++ manage_all_pattern($1, pki_tps_config) ++') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.te serefpolicy-3.0.8/policy/modules/services/pki.te +--- nsaserefpolicy/policy/modules/services/pki.te 1969-12-31 19:00:00.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/pki.te 2008-11-13 14:23:53.000000000 -0500 +@@ -0,0 +1,91 @@ ++policy_module(pki,1.0.0) ++ ++attribute pki_ca_config; ++attribute pki_ca_executable; ++attribute pki_ca_var_lib; ++attribute pki_ca_var_log; ++attribute pki_ca_var_run; ++attribute pki_ca_pidfiles; ++attribute pki_ca_script; ++attribute pki_ca_process; ++ ++type pki_ca_tomcat_exec_t; ++files_type(pki_ca_tomcat_exec_t) ++ ++pki_ca_template(pki_ca) ++ ++attribute pki_kra_config; ++attribute pki_kra_executable; ++attribute pki_kra_var_lib; ++attribute pki_kra_var_log; ++attribute pki_kra_var_run; ++attribute pki_kra_pidfiles; ++attribute pki_kra_script; ++attribute pki_kra_process; ++ ++type pki_kra_tomcat_exec_t; ++files_type(pki_kra_tomcat_exec_t) ++ ++pki_ca_template(pki_kra) ++ ++ ++attribute pki_ocsp_config; ++attribute pki_ocsp_executable; ++attribute pki_ocsp_var_lib; ++attribute pki_ocsp_var_log; ++attribute pki_ocsp_var_run; ++attribute pki_ocsp_pidfiles; ++attribute pki_ocsp_script; ++attribute pki_ocsp_process; ++ ++type 
pki_ocsp_tomcat_exec_t; ++files_type(pki_ocsp_tomcat_exec_t) ++ ++pki_ca_template(pki_ocsp) ++ ++ ++attribute pki_ra_config; ++attribute pki_ra_executable; ++attribute pki_ra_var_lib; ++attribute pki_ra_var_log; ++attribute pki_ra_var_run; ++attribute pki_ra_pidfiles; ++attribute pki_ra_script; ++attribute pki_ra_process; ++ ++type pki_ra_tomcat_exec_t; ++files_type(pki_ra_tomcat_exec_t) ++ ++pki_ra_template(pki_ra) ++ ++ ++attribute pki_tks_config; ++attribute pki_tks_executable; ++attribute pki_tks_var_lib; ++attribute pki_tks_var_log; ++attribute pki_tks_var_run; ++attribute pki_tks_pidfiles; ++attribute pki_tks_script; ++attribute pki_tks_process; ++ ++type pki_tks_tomcat_exec_t; ++files_type(pki_tks_tomcat_exec_t) ++ ++pki_ca_template(pki_tks) ++ ++ ++attribute pki_tps_config; ++attribute pki_tps_executable; ++attribute pki_tps_var_lib; ++attribute pki_tps_var_log; ++attribute pki_tps_var_run; ++attribute pki_tps_pidfiles; ++attribute pki_tps_script; ++attribute pki_tps_process; ++ ++type pki_tps_tomcat_exec_t; ++files_type(pki_tps_tomcat_exec_t) ++ ++pki_ra_template(pki_tps) ++ ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.fc serefpolicy-3.0.8/policy/modules/services/polkit.fc --- nsaserefpolicy/policy/modules/services/polkit.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.0.8/policy/modules/services/polkit.fc 2008-10-20 16:22:16.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 955fbb0..d96b19a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 124%{?dist} +Release: 125%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -382,6 +382,9 @@ exit 0 %endif %changelog +* Thu Nov 13 2008 Dan Walsh 3.0.8-125 +- Add pki policy + * Thu Nov 13 2008 Dan Walsh 3.0.8-124 - More fixes for NetworkManager/dnsmasq
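Review bot: In pki.fc, `/usr/sbin/httpd.worker` is labelled `pki_ra_exec_t` twice, the second time inside the pki-tps group, so `pki_tps_exec_t` never receives a file context. Because `pki_ra_template` calls `init_daemon_domain($1_t, $1_exec_t)`, any init-started httpd using the shared worker binary would presumably enter `pki_ra_t` rather than its usual domain. The second entry looks like a copy-paste slip, and the first needs a comment stating that relabelling the system-wide binary is intended. In `pki_ra_template` the closing rules `allow httpd_t pki_ra_etc_rw_t:file { read getattr };`, `allow httpd_t pki_ra_log_t:file read;` and `allow httpd_t pki_ra_var_lib_t:lnk_file read;` name the pki_ra types literally, so `pki_ra_template(pki_tps)` repeats the pki_ra rules and grants nothing on the pki_tps types; `$1_etc_rw_t`, `$1_log_t` and `$1_var_lib_t` are presumably what was meant. The `*_admin` interfaces pass `pki_ca_t` and its siblings to `ps_process_pattern` without listing the type in `gen_require`, call `manage_all_pattern` on the `*_config` attribute twice, and carry a doc header copied from another module ("syslog domain", a terminal parameter that is never used).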