From d7b1c99abd516b54e302acb775c9e01295fc616a Mon Sep 17 00:00:00 2001 From: Nathan Kinder Date: Thu, 15 Oct 2009 09:31:52 -0700 Subject: Expose dirsrv SELinux policy interface. This adds a number of interface macros to the dirsrv SELinux policy module. These macros are intended for use by the Administration Server SELinux policy that is currently being developed. I also made some changes to the setup code that labels newly created directories. When the first instance is created, some top-level directories are created that were not being labeled properly. --- selinux/dirsrv.if | 153 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 153 insertions(+) (limited to 'selinux') diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if index d3851bad..17035293 100644 --- a/selinux/dirsrv.if +++ b/selinux/dirsrv.if @@ -21,3 +21,156 @@ interface(`dirsrv_domtrans',` allow dirsrv_t $1:fifo_file rw_file_perms; allow dirsrv_t $1:process sigchld; ') + + +######################################## +## +## Allow caller to signal dirsrv. +## +## +## +## Domain allowed access. +## +## +# +interface(`dirsrv_signal',` + gen_require(` + type dirsrv_t; + ') + + allow $1 dirsrv_t:process signal; +') + + +######################################## +## +## Send a null signal to dirsrv. +## +## +## +## Domain allowed access. +## +## +# +interface(`dirsrv_signull',` + gen_require(` + type dirsrv_t; + ') + + allow $1 dirsrv_t:process signull; +') + +####################################### +## +## Allow a domain to manage dirsrv logs. +## +## +## +## Domain allowed access. +## +## +# +interface(`dirsrv_manage_log',` + gen_require(` + type dirsrv_var_log_t; + ') + + allow $1 dirsrv_var_log_t:dir manage_dir_perms; + allow $1 dirsrv_var_log_t:file manage_file_perms; +') + +####################################### +## +## Allow a domain to manage dirsrv /var/lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dirsrv_manage_var_lib',` + gen_require(` + type dirsrv_var_lib_t; + ') + allow $1 dirsrv_var_lib_t:dir manage_dir_perms; + allow $1 dirsrv_var_lib_t:file manage_file_perms; +') + +####################################### +## +## Allow a domain to manage dirsrv /var/run files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dirsrv_manage_var_run',` + gen_require(` + type dirsrv_var_run_t; + ') + allow $1 dirsrv_var_run_t:dir manage_dir_perms; + allow $1 dirsrv_var_run_t:file manage_file_perms; + allow $1 dirsrv_var_run_t:sock_file manage_file_perms; + # Allow creating a dir in /var/run with this type + files_pid_filetrans($1, dirsrv_var_run_t, dir) +') + +######################################## +## +## Manage dirsrv configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dirsrv_manage_config',` + gen_require(` + type dirsrv_config_t; + ') + + allow $1 dirsrv_config_t:dir manage_dir_perms; + allow $1 dirsrv_config_t:file manage_file_perms; +') + +######################################## +## +## Read and exec dirsrv lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dirsrv_exec_lib',` + gen_require(` + type dirsrv_lib_t; + ') + + allow $1 dirsrv_lib_t:dir { search getattr }; + allow $1 dirsrv_lib_t:file { read getattr open execute execute_no_trans ioctl}; +') + +######################################## +## +## Read dirsrv share files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dirsrv_read_share',` + gen_require(` + type dirsrv_share_t; + ') + + allow $1 dirsrv_share_t:dir { search getattr }; + allow $1 dirsrv_share_t:file { read getattr open }; +') -- cgit