2 files changed, 168 insertions, 1 deletions

diff --git a/ldap/admin/src/scripts/DSCreate.pm.in b/ldap/admin/src/scripts/DSCreate.pm.in
index 96930dfd..43fd1d9d 100644
--- a/ldap/admin/src/scripts/DSCreate.pm.in
+++ b/ldap/admin/src/scripts/DSCreate.pm.in
@@ -903,7 +903,21 @@ sub updateSelinuxPolicy {
 
     # if selinux is not available, do nothing
     if ("@with_selinux@") {
-        # run restorecon on all directories we created
+        my $localstatedir = $inf->{slapd}->{localstatedir};
+
+        # run restorecon on all of the parent directories we
+        # may have created (this only happens if this is the
+        # first instance created).
+        if ("@with_fhs_opt@") {
+            system("restorecon -R $localstatedir/@PACKAGE_NAME@");
+        } else {
+            system("restorecon -R $localstatedir/lock/@PACKAGE_NAME@");
+            system("restorecon -R $localstatedir/log/@PACKAGE_NAME@");
+            system("restorecon -R $localstatedir/run/@PACKAGE_NAME@");
+            system("restorecon -R $localstatedir/lib/@PACKAGE_NAME@");
+        }
+
+        # run restorecon on all instance directories we created
         for my $kw (qw(inst_dir config_dir schema_dir log_dir lock_dir run_dir tmp_dir
                 cert_dir db_dir ldif_dir bak_dir)) {
             my $dir = $inf->{slapd}->{$kw};
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
index d3851bad..17035293 100644
--- a/selinux/dirsrv.if
+++ b/selinux/dirsrv.if
@@ -21,3 +21,156 @@ interface(`dirsrv_domtrans',`
 	allow dirsrv_t $1:fifo_file rw_file_perms;
 	allow dirsrv_t $1:process sigchld;
 ')
+
+
+########################################
+## <summary>
+##  Allow caller to signal dirsrv.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_signal',`
+	gen_require(`
+		type dirsrv_t;
+	')
+
+	allow $1 dirsrv_t:process signal;
+')
+
+
+########################################
+## <summary>
+##      Send a null signal to dirsrv.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_signull',`
+	gen_require(`
+		type dirsrv_t;
+	')
+
+	allow $1 dirsrv_t:process signull;
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv logs.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_log',`
+	gen_require(`
+		type dirsrv_var_log_t;
+	')
+
+	allow $1 dirsrv_var_log_t:dir manage_dir_perms;
+	allow $1 dirsrv_var_log_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_lib',`
+        gen_require(`
+                type dirsrv_var_lib_t;
+        ')
+        allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
+        allow $1 dirsrv_var_lib_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_run',`
+	gen_require(`
+		type dirsrv_var_run_t;
+	')
+	allow $1 dirsrv_var_run_t:dir manage_dir_perms;
+	allow $1 dirsrv_var_run_t:file manage_file_perms;
+	allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+	# Allow creating a dir in /var/run with this type
+	files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+########################################
+## <summary>
+##      Manage dirsrv configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_manage_config',`
+	gen_require(`
+		type dirsrv_config_t;
+	')
+
+	allow $1 dirsrv_config_t:dir manage_dir_perms;
+	allow $1 dirsrv_config_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##      Read and exec dirsrv lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_exec_lib',`
+	gen_require(`
+		type dirsrv_lib_t;
+	')
+
+	allow $1 dirsrv_lib_t:dir { search getattr };
+	allow $1 dirsrv_lib_t:file { read getattr open execute execute_no_trans ioctl};
+')
+
+########################################
+## <summary>
+##      Read dirsrv share files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_read_share',`
+	gen_require(`
+		type dirsrv_share_t;
+	')
+
+	allow $1 dirsrv_share_t:dir { search getattr };
+	allow $1 dirsrv_share_t:file { read getattr open };
+')