author | Nathan Kinder <nkinder@redhat.com> | 2009-10-22 14:56:06 -0700 |
---|---|---|
committer | Nathan Kinder <nkinder@redhat.com> | 2009-10-22 14:56:06 -0700 |
commit | 41fa124aeec3b6bc86f28d69aeccb0e02f382aeb (patch) | |
tree | 3f52adca24b656fb804cc82238c5fb07423d1564 | |
parent | d7b1c99abd516b54e302acb775c9e01295fc616a (diff) | |
Extend dirsrv SELinux policy interface.
The dirsrv SELinux policy interface needed to be extended to
allow the confined Admin Server the proper permissions to
interact with the Directory Server.
-rw-r--r-- | selinux/dirsrv.if | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
index 17035293..80b478f1 100644
--- a/selinux/dirsrv.if
+++ b/selinux/dirsrv.if
@@ -118,6 +118,24 @@ interface(`dirsrv_manage_var_run',`
 	files_pid_filetrans($1, dirsrv_var_run_t, dir)
 ')
 
+#######################################
+## <summary>
+##	Allow a domain to read dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dirsrv_read_var_run',`
+	gen_require(`
+		type dirsrv_var_run_t;
+	')
+	allow $1 dirsrv_var_run_t:dir list_dir_perms;
+	allow $1 dirsrv_var_run_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Manage dirsrv configuration files.
@@ -152,8 +170,10 @@ interface(`dirsrv_exec_lib',`
 		type dirsrv_lib_t;
 	')
 
-	allow $1 dirsrv_lib_t:dir { search getattr };
-	allow $1 dirsrv_lib_t:file { read getattr open execute execute_no_trans ioctl};
+	allow $1 dirsrv_lib_t:dir search_dir_perms;
+	allow $1 dirsrv_lib_t:file exec_file_perms;
+	# Not all platforms include ioctl in exec_file_perms
+	allow $1 dirsrv_lib_t:file ioctl;
 ')
 
 ########################################
@@ -171,6 +191,7 @@ interface(`dirsrv_read_share',`
 		type dirsrv_share_t;
 	')
 
-	allow $1 dirsrv_share_t:dir { search getattr };
-	allow $1 dirsrv_share_t:file { read getattr open };
+	allow $1 dirsrv_share_t:dir list_dir_perms;
+	allow $1 dirsrv_share_t:file read_file_perms;
+	allow $1 dirsrv_share_t:lnk_file read;
 ')
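Review bot: The new `dirsrv_read_var_run` interface grants access to `dirsrv_var_run_t` only, with nothing on the parent `/var/run` directory, so a caller that does not already hold search on `var_run_t` is denied before it ever reaches the pid file. Refpolicy read-pid interfaces pair these allow rules with `files_search_pids($1)`; adding that line right after the `gen_require` block makes the interface self-sufficient in the same way `dirsrv_manage_var_run` above it already relies on `files_pid_filetrans` for its directory access. If the Directory Server also publishes a socket under `/var/run` (nothing in this commit shows one), the confined Admin Server would additionally need a `sock_file` rule, which this interface deliberately or accidentally omits and the summary comment should say which. The `dirsrv_manage_var_run` interface whose tail appears as context starts before the hunk.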
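Review bot: `dirsrv_exec_lib` is rewritten without any `lnk_file` rule on `dirsrv_lib_t`, while the `dirsrv_read_share` hunk in the same commit adds one for `dirsrv_share_t`; if the library directory holds the usual versioned `.so` symlinks (the diff does not show the file contexts), a caller's dlopen will be denied on the link before the `exec_file_perms` grant matters. Consider `allow $1 dirsrv_lib_t:lnk_file read_lnk_file_perms;` next to the file rule so the two interfaces are consistent. The explicit `ioctl` line is reasonable, but it would help future readers to tie the comment to the macro it hedges, e.g. `# exec_file_perms omits ioctl on some refpolicy releases; grant it explicitly`. The interface's opener and summary block lie before the hunk.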
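Review bot: The added `allow $1 dirsrv_share_t:lnk_file read;` grants `read` alone, so a `stat()`/`lstat()` on a symlink below the share directory is still denied for lack of `getattr`; the refpolicy idiom is the `read_lnk_file_perms` macro (getattr plus read), i.e. `allow $1 dirsrv_share_t:lnk_file read_lnk_file_perms;`. Also note that replacing `{ read getattr open }` with `read_file_perms` widens the grant (in refpolicy it also carries `lock` and `ioctl`); that is the standard macro and likely intended, but the commit message only mentions Admin Server needs and does not say the read interfaces were broadened, so a one-line mention there would make the audit trail honest. The `dirsrv_read_share` interface starts before the hunk.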