author | Nathan Kinder <nkinder@redhat.com> | 2009-10-15 09:31:52 -0700 |
---|---|---|
committer | Nathan Kinder <nkinder@redhat.com> | 2009-10-15 09:31:52 -0700 |
commit | d7b1c99abd516b54e302acb775c9e01295fc616a (patch) | |
tree | e39ec88e9180620ec1694c26c55ee24c42c53926 /selinux | |
parent | d1214317ca2bcefd18db4e1a7414ac2a8408e5a9 (diff) | |
Expose dirsrv SELinux policy interface.
This adds a number of interface macros to the dirsrv SELinux policy
module. These macros are intended for use by the Administration
Server SELinux policy that is currently being developed.
I also made some changes to the setup code that labels newly created
directories. When the first instance is created, some top-level
directories are created that were not being labeled properly.
Diffstat (limited to 'selinux')
-rw-r--r-- | selinux/dirsrv.if | 153 |
1 files changed, 153 insertions, 0 deletions
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
index d3851bad..17035293 100644
--- a/selinux/dirsrv.if
+++ b/selinux/dirsrv.if
@@ -21,3 +21,156 @@ interface(`dirsrv_domtrans',`
 allow dirsrv_t $1:fifo_file rw_file_perms;
 allow dirsrv_t $1:process sigchld;
 ')
+
+
+########################################
+## <summary>
+## Allow caller to signal dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_signal',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signal;
+')
+
+
+########################################
+## <summary>
+## Send a null signal to dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_signull',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signull;
+')
+
+#######################################
+## <summary>
+## Allow a domain to manage dirsrv logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_log',`
+ gen_require(`
+ type dirsrv_var_log_t;
+ ')
+
+ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_log_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+## Allow a domain to manage dirsrv /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_lib',`
+ gen_require(`
+ type dirsrv_var_lib_t;
+ ')
+ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_lib_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+## Allow a domain to manage dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_run_t:file manage_file_perms;
+ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+ # Allow creating a dir in /var/run with this type
+ files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+########################################
+## <summary>
+## Manage dirsrv configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_config',`
+ gen_require(`
+ type dirsrv_config_t;
+ ')
+
+ allow $1 dirsrv_config_t:dir manage_dir_perms;
+ allow $1 dirsrv_config_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read and exec dirsrv lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_exec_lib',`
+ gen_require(`
+ type dirsrv_lib_t;
+ ')
+
+ allow $1 dirsrv_lib_t:dir { search getattr };
+ allow $1 dirsrv_lib_t:file { read getattr open execute execute_no_trans ioctl};
+')
+
+########################################
+## <summary>
+## Read dirsrv share files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_read_share',`
+ gen_require(`
+ type dirsrv_share_t;
+ ')
+
+ allow $1 dirsrv_share_t:dir { search getattr };
+ allow $1 dirsrv_share_t:file { read getattr open };
+') |
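Review bot: In `dirsrv_manage_var_run` the line `files_pid_filetrans($1, dirsrv_var_run_t, dir)` is a type transition rather than an access grant: every directory the calling domain creates in the pid directory will be labeled `dirsrv_var_run_t`, including one it creates for its own use, and the summary ("manage dirsrv /var/run files") does not say so. I would move it into its own interface (for example `dirsrv_pid_filetrans`) so a caller opts into the labeling change separately, or at least state it in the `<summary>`. In the same interface, `allow $1 dirsrv_var_run_t:sock_file manage_file_perms;` applies the file permission set to the `sock_file` class; the reference policy's `manage_sock_file_perms` is the matching set. More generally, log, var_lib, var_run and config are exposed only as `manage` interfaces, so a caller that only needs to read them still receives create, write and unlink; read-only variants alongside them would let the Administration Server policy take the narrower grant wherever that is enough.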