Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual page 62

Chapter 4. Major Features in Certificate System
Each object is then mapped to a security context, which defines the type of object and how it is
allowed to function on the Linux server.
Objects can be grouped into domains, and then each domain is assigned the proper rules. Each
security context has rules which set restrictions on what operations it can perform, what resources it
can access, and what permissions it has.
The Certificate System has a separate RPM of SELinux policies installed by default. These SELinux
policies apply to every subsystem and service used by Certificate System. By running Certificate
System with SELinux in enforcing mode, the security of the information created and maintained by
Certificate System is enhanced.
Figure 4.1. CA SELinux Port Policy
The Certificate System SELinux policies define the SELinux configuration for every subsystem
instance:
• Files and directories for each subsystem instance are labeled with a specific SELinux context.
• The ports for each subsystem instance are labeled with a specific SELinux context.
• All Certificate System processes are constrained within a subsystem-specific domain.
• Each domain has specific rules that define what actions are authorized for the domain.
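
One way to check the enforcing-mode, port-label and process-domain points above on a running host, as an added example that is not taken from the Red Hat manual. The functions parse the output of `getenforce`, `ps -eZ` and `semanage port -l`; the type names `pki_ca_t` and `pki_ca_port_t`, the port numbers and the sample lines are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit captured SELinux state for one subsystem instance.
# Type names, ports and sample lines are constructed assumptions.

# Constructed sample of `ps -eZ` output (label, pid, tty, time, command).
SAMPLE_PS='system_u:system_r:pki_ca_t:s0 2101 ? 00:00:41 java
system_u:system_r:initrc_t:s0 2377 ? 00:00:03 java
system_u:system_r:sshd_t:s0-s0:c0.c1023 1290 ? 00:00:00 sshd'

# Constructed sample of `semanage port -l` output (type, proto, port list).
SAMPLE_PORTS='pki_ca_port_t                  tcp      9180, 9443-9447, 9701
http_port_t                    tcp      80, 443, 8080'

# Print PIDs of processes named $2 whose SELinux type is not $1,
# i.e. processes running outside the subsystem-specific domain.
mislabeled_pids() {
    awk -v want="$1" -v cmd="$2" '
        $NF == cmd { split($1, ctx, ":"); if (ctx[3] != want) print $2 }'
}

# Succeed if TCP port $2 carries SELinux port type $1 (ranges expanded).
port_has_type() {
    awk -v want="$1" -v port="$2" '
        $1 == want && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                n = split(p, r, "-")
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit !found }'
}

# Succeed only when the mode string printed by `getenforce` is Enforcing.
is_enforcing() { [ "$1" = "Enforcing" ]; }
```

On a live system the same functions take real input, for example `ps -eZ | mislabeled_pids pki_ca_t java` and `is_enforcing "$(getenforce)"`.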