authorNathan Kinder <nkinder@redhat.com>2009-10-15 09:31:52 -0700
committerNathan Kinder <nkinder@redhat.com>2009-10-15 09:31:52 -0700
commitd7b1c99abd516b54e302acb775c9e01295fc616a (patch)
treee39ec88e9180620ec1694c26c55ee24c42c53926 /selinux
parentd1214317ca2bcefd18db4e1a7414ac2a8408e5a9 (diff)
Expose dirsrv SELinux policy interface.
This adds a number of interface macros to the dirsrv SELinux policy module. These macros are intended for use by the Administration Server SELinux policy that is currently being developed. I also made some changes to the setup code that labels newly created directories. When the first instance is created, some top-level directories are created that were not being labeled properly.
Diffstat (limited to 'selinux')
-rw-r--r--selinux/dirsrv.if153
1 files changed, 153 insertions, 0 deletions
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
index d3851bad..17035293 100644
--- a/selinux/dirsrv.if
+++ b/selinux/dirsrv.if
@@ -21,3 +21,156 @@ interface(`dirsrv_domtrans',`
allow dirsrv_t $1:fifo_file rw_file_perms;
allow dirsrv_t $1:process sigchld;
')
+
+
+########################################
+## <summary>
+## Allow caller to signal dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_signal',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signal;
+')
+
+
+########################################
+## <summary>
+## Send a null signal to dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_signull',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signull;
+')
+
+#######################################
+## <summary>
+## Allow a domain to manage dirsrv logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_log',`
+ gen_require(`
+ type dirsrv_var_log_t;
+ ')
+
+ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_log_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+## Allow a domain to manage dirsrv /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_lib',`
+ gen_require(`
+ type dirsrv_var_lib_t;
+ ')
+ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_lib_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+## Allow a domain to manage dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_run_t:file manage_file_perms;
+ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+ # Allow creating a dir in /var/run with this type
+ files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+########################################
+## <summary>
+## Manage dirsrv configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_config',`
+ gen_require(`
+ type dirsrv_config_t;
+ ')
+
+ allow $1 dirsrv_config_t:dir manage_dir_perms;
+ allow $1 dirsrv_config_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read and exec dirsrv lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_exec_lib',`
+ gen_require(`
+ type dirsrv_lib_t;
+ ')
+
+ allow $1 dirsrv_lib_t:dir { search getattr };
+ allow $1 dirsrv_lib_t:file { read getattr open execute execute_no_trans ioctl};
+')
+
+########################################
+## <summary>
+## Read dirsrv share files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_read_share',`
+ gen_require(`
+ type dirsrv_share_t;
+ ')
+
+ allow $1 dirsrv_share_t:dir { search getattr };
+ allow $1 dirsrv_share_t:file { read getattr open };
+')
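Review bot: `dirsrv_manage_var_run` grants more than its summary states, because besides the manage rules it calls `files_pid_filetrans($1, dirsrv_var_run_t, dir)`, so every directory the calling domain creates in /var/run is labelled `dirsrv_var_run_t`, not only dirsrv's own. A caller that already declares its own directory transition there would presumably hit a conflicting type_transition, and a caller that only needs to manage existing files gets a labelling side effect it did not ask for. I would move the transition into a separate interface (a suggested name would be `dirsrv_pid_filetrans`) or at least document it in the summary, e.g. `## Manage dirsrv /var/run files and create /var/run directories labelled dirsrv_var_run_t.` On the `sock_file` line in the same interface, `manage_sock_file_perms` is the class-matched permission set to use instead of `manage_file_perms`. Separately, `dirsrv_manage_log` and `dirsrv_manage_config` give a second domain write and unlink access to the server's logs and configuration; if the Administration Server only reads some of these, narrower read-only interfaces would keep the two domains better separated.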