-rw-r--r-- | ldap/admin/src/scripts/DSCreate.pm.in | 16 | ||||
-rw-r--r-- | selinux/dirsrv.if | 153 |
2 files changed, 168 insertions, 1 deletions
diff --git a/ldap/admin/src/scripts/DSCreate.pm.in b/ldap/admin/src/scripts/DSCreate.pm.in
index 96930dfd..43fd1d9d 100644
--- a/ldap/admin/src/scripts/DSCreate.pm.in
+++ b/ldap/admin/src/scripts/DSCreate.pm.in
@@ -903,7 +903,21 @@ sub updateSelinuxPolicy {
 # if selinux is not available, do nothing
 if ("@with_selinux@") {
- # run restorecon on all directories we created
+ my $localstatedir = $inf->{slapd}->{localstatedir};
+
+ # run restorecon on all of the parent directories we
+ # may have created (this only happens if this is the
+ # first instance created).
+ if ("@with_fhs_opt@") {
+ system("restorecon -R $localstatedir/@PACKAGE_NAME@");
+ } else {
+ system("restorecon -R $localstatedir/lock/@PACKAGE_NAME@");
+ system("restorecon -R $localstatedir/log/@PACKAGE_NAME@");
+ system("restorecon -R $localstatedir/run/@PACKAGE_NAME@");
+ system("restorecon -R $localstatedir/lib/@PACKAGE_NAME@");
+ }
+
+ # run restorecon on all instance directories we created
 for my $kw (qw(inst_dir config_dir schema_dir log_dir lock_dir run_dir tmp_dir cert_dir db_dir ldif_dir bak_dir)) {
 my $dir = $inf->{slapd}->{$kw};
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
index d3851bad..17035293 100644
--- a/selinux/dirsrv.if
+++ b/selinux/dirsrv.if
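Review bot: The five added `system("restorecon -R $localstatedir/...")` calls each pass one interpolated string, so Perl hands the command to the shell whenever that string contains a shell metacharacter. `$localstatedir` is read from `$inf->{slapd}->{localstatedir}`, which presumably comes from the setup input, and the relabel is likely run with elevated privileges. The list form keeps the shell out of it and also copes with spaces in the path: `system('restorecon', '-R', "$localstatedir/@PACKAGE_NAME@");`. The return value of every call is discarded, so a failed relabel of the parent directories goes unnoticed; compare the result with 0 and report a failure through the module's existing error path. updateSelinuxPolicy begins and continues outside this hunk, so the per-instance loop that follows may need the same treatment.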
@@ -21,3 +21,156 @@ interface(`dirsrv_domtrans',`
 allow dirsrv_t $1:fifo_file rw_file_perms;
 allow dirsrv_t $1:process sigchld;
 ')
+
+
+########################################
+## <summary>
+## Allow caller to signal dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_signal',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signal;
+')
+
+
+########################################
+## <summary>
+## Send a null signal to dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_signull',`
+ gen_require(`
+ type dirsrv_t;
+ ')
+
+ allow $1 dirsrv_t:process signull;
+')
+
+#######################################
+## <summary>
+## Allow a domain to manage dirsrv logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_log',`
+ gen_require(`
+ type dirsrv_var_log_t;
+ ')
+
+ allow $1 dirsrv_var_log_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_log_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+## Allow a domain to manage dirsrv /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_lib',`
+ gen_require(`
+ type dirsrv_var_lib_t;
+ ')
+ allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_lib_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+## Allow a domain to manage dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir manage_dir_perms;
+ allow $1 dirsrv_var_run_t:file manage_file_perms;
+ allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+ # Allow creating a dir in /var/run with this type
+ files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+########################################
+## <summary>
+## Manage dirsrv configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_config',`
+ gen_require(`
+ type dirsrv_config_t;
+ ')
+
+ allow $1 dirsrv_config_t:dir manage_dir_perms;
+ allow $1 dirsrv_config_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read and exec dirsrv lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_exec_lib',`
+ gen_require(`
+ type dirsrv_lib_t;
+ ')
+
+ allow $1 dirsrv_lib_t:dir { search getattr };
+ allow $1 dirsrv_lib_t:file { read getattr open execute execute_no_trans ioctl};
+')
+
+########################################
+## <summary>
+## Read dirsrv share files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_read_share',`
+ gen_require(`
+ type dirsrv_share_t;
+ ')
+
+ allow $1 dirsrv_share_t:dir { search getattr };
+ allow $1 dirsrv_share_t:file { read getattr open };
+') |
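Review bot: `dirsrv_manage_var_run` bundles `files_pid_filetrans($1, dirsrv_var_run_t, dir)` with its manage rules, so every directory the calling domain creates in /var/run is labeled dirsrv_var_run_t, not only the dirsrv one, while the summary says just "manage dirsrv /var/run files". A caller that only needs access to existing pid and socket files therefore receives a type transition it did not ask for. Move the transition into its own interface, or at least state it in the `<summary>` so policy authors can judge the side effect. In the same interface, `allow $1 dirsrv_var_run_t:sock_file manage_file_perms;` applies the file permission set to the sock_file class, where `manage_sock_file_perms` is the matching set.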