Red Hat CERTIFICATE SYSTEM 8 - DEPLOYMENT Deployment Manual page 63

Security-Enhanced Linux Support
• Any access not specified in the SELinux policy is denied to the Certificate System instance.
For Certificate System, each subsystem is treated as an SELinux object, and each subsystem has
unique rules assigned to it. The defined SELinux policies allow Certificate System objects run with
SELinux set in enforcing mode.
Every time pkicreate is run, new SELinux policies are automatically configured for the instance.
All SELinux policies are updated every time a subsystem is added with pkicreate or removed with
pkiremove.
The central definition for each instance is its SELinux domain. Each Certificate System subsystem
runs in a single subsystem-specific SELinux domain, no matter how many subsystems are installed
on a host. For example, if there are three CAs installed on a server, all three belong to the pki_ca_t
SELinux domain.
Each SELinux policy sets rules on what actions the instance is allowed to perform on the system,
based on the domain to which the instance belongs. For example, instances in the CA domain
(pki_ca_t) are limited to write access for files with the CA context (pki_ca_var_log_t) and
to access ports that match the CA type (pki_ca_port). When each Certificate System process
is started, it initially runs in an unconfined domain (unconfined_t) and then transitions into the
appropriate subsystem-specific domain.
The SELinux mode can be changed from enforcing to permissive, or even off, though this is not
recommended.
53