path: root/selinux/dirsrv.te
blob: d9c810dcc90445ab623855f78804677adc92a111 (plain)
# SELinux type-enforcement module for the dirsrv directory server.  It declares
# the process domains for the main daemon (dirsrv_t) and its SNMP subagent
# (dirsrv_snmp_t), the file types those domains own, and the access each domain
# is granted.  Calls of the form name(...) are refpolicy interface macros that
# expand to one or more allow / dontaudit / type_transition rules; bare `allow`
# statements are raw rules.  Everything not listed here is denied for these
# domains, so each rule below widens the daemon's reach and is worth a why.
policy_module(dirsrv,1.0.0)

########################################
#
# Declarations
#

# NGK - this can go away when bz 478629, bz 523548,
# and bz 523771 are addressed.  See the notes below
# where we work around those issues.
# `require` imports types that are declared by another module (the snmp
# policy); this module will not load on a system where they do not exist.
require {
    type snmpd_var_lib_t;
    type snmpd_t;
}

# main daemon
# domain_type makes dirsrv_t a process domain; init_daemon_domain lets init
# transition into dirsrv_t when it executes a file labelled dirsrv_exec_t.
type dirsrv_t;
type dirsrv_exec_t;
domain_type(dirsrv_t)
init_daemon_domain(dirsrv_t, dirsrv_exec_t)

# snmp subagent daemon
# Separate domain so the subagent gets only the (mostly read-only) access it
# needs rather than everything dirsrv_t has.
type dirsrv_snmp_t;
type dirsrv_snmp_exec_t;
domain_type(dirsrv_snmp_t)
init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)

# var/lib files
type dirsrv_var_lib_t;
files_type(dirsrv_var_lib_t)

# log files
type dirsrv_var_log_t;
logging_log_file(dirsrv_var_log_t)

# snmp log file
type dirsrv_snmp_var_log_t;
logging_log_file(dirsrv_snmp_var_log_t)

# pid files
type dirsrv_var_run_t;
files_pid_file(dirsrv_var_run_t)

# snmp pid file
type dirsrv_snmp_var_run_t;
files_pid_file(dirsrv_snmp_var_run_t)

# lock files
type dirsrv_var_lock_t;
files_lock_file(dirsrv_var_lock_t)

# config files
type dirsrv_config_t;
files_type(dirsrv_config_t)

# tmp files
type dirsrv_tmp_t;
files_tmp_file(dirsrv_tmp_t)

# semaphores
# Backed by tmpfs (see fs_tmpfs_filetrans below); shared with the snmp
# subagent for the stats-file semaphore.
type dirsrv_tmpfs_t;
files_tmpfs_file(dirsrv_tmpfs_t)

# shared files
# NOTE(review): the trailing `;` after this interface call is not used on the
# other calls in this file; confirm it is harmless when the module is built.
type dirsrv_share_t;
files_type(dirsrv_share_t);

########################################
#
# dirsrv local policy
#

# Some common macros
# Baseline access every daemon needs: /etc reads, locale data, shared
# libraries, and /dev/urandom (the daemon's source of randomness).
files_read_etc_files(dirsrv_t)
corecmd_search_sbin(dirsrv_t)
files_read_usr_symlinks(dirsrv_t)
miscfiles_read_localization(dirsrv_t)
dev_read_urand(dirsrv_t)
libs_use_ld_so(dirsrv_t)
libs_use_shared_libs(dirsrv_t)
allow dirsrv_t self:fifo_file { read write };

# process stuff
# setfscreate lets the daemon pick the label of files it creates; setsched
# pairs with the sys_nice capability below.
allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
# Capabilities widen the domain beyond its own files: dac_override bypasses
# the owner/group/mode checks on any file the policy otherwise lets it reach,
# and setuid/setgid let it change credentials (presumably to drop privileges
# after start-up -- TODO confirm).  Worth re-checking whether dac_override is
# still needed; dac_read_search is the narrower choice if only reads/searches
# of other users' files are required.
allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };

# semaphores
# Full access to its own SysV semaphores, plus the tmpfs-backed files that are
# created with the dirsrv_tmpfs_t label instead of the generic tmpfs type.
allow dirsrv_t self:sem all_sem_perms;
manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)

# var/lib files for dirsrv
# The filetrans makes new files, dirs and sockets under /var/lib get the
# dirsrv_var_lib_t label automatically rather than the parent's type.
manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })

# log files
# Only setattr is granted on the log directory itself (e.g. permission
# changes); creating or removing the directory is not.
manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
allow dirsrv_t dirsrv_var_log_t:dir { setattr };
logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })

# pid files
manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file sock_file })

# ldapi socket
# The LDAPI unix socket lives in the pid directory and shares its type.
manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)

# lock files
manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, { file })

# config files
# Write access is needed because the server rewrites its own configuration
# (presumably dse.ldif-style config under the config dir -- TODO confirm).
manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)

# tmp files
manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })

# system state
# getattr on all filesystems (statfs-style queries) and reads of /proc system
# state; neither grants access to file contents.
fs_getattr_all_fs(dirsrv_t)
kernel_read_system_state(dirsrv_t)

# kerberos config for SASL GSSAPI
# Writes to the kerberos config are silenced (dontaudit), not allowed, so a
# library that tries is refused without filling the audit log.
kerberos_read_config(dirsrv_t)
kerberos_dontaudit_write_config(dirsrv_t)

# Networking basics
# NOTE(review): this is a broad network profile.  sendrecv/connect on *all*
# TCP ports and bind on all nodes plus the RPC port ranges go well beyond the
# ldap port.  Outbound connects to arbitrary ports are presumably needed for
# replication and chaining to peers on non-default ports, and the RPC binds for
# instances listening on non-default ports -- TODO confirm.  A deployment that
# only uses the ldap port could drop the *_all_ports / *_all_rpc_ports calls.
sysnet_dns_name_resolve(dirsrv_t)
corenet_all_recvfrom_unlabeled(dirsrv_t)
corenet_all_recvfrom_netlabel(dirsrv_t)
corenet_tcp_sendrecv_generic_if(dirsrv_t)
corenet_tcp_sendrecv_generic_node(dirsrv_t)
corenet_tcp_sendrecv_all_ports(dirsrv_t)
corenet_tcp_bind_all_nodes(dirsrv_t)
corenet_tcp_bind_ldap_port(dirsrv_t)
corenet_tcp_bind_all_rpc_ports(dirsrv_t)
corenet_udp_bind_all_rpc_ports(dirsrv_t)
corenet_tcp_connect_all_ports(dirsrv_t)
corenet_sendrecv_ldap_server_packets(dirsrv_t)
corenet_sendrecv_all_client_packets(dirsrv_t)
# create_stream_socket_perms is itself a permission-set macro; the braces
# around it are accepted but not required.
allow dirsrv_t self:tcp_socket { create_stream_socket_perms };

# Init script handling
# Lets the daemon inherit init's file descriptors and write to the pty the
# init script runs on (start-up messages).
init_use_fds(dirsrv_t)
init_use_script_ptys(dirsrv_t)
domain_use_interactive_fds(dirsrv_t)


########################################
#
# dirsrv-snmp local policy
#

# Some common macros
# Same baseline as the main daemon, plus /dev/random, /usr file reads and
# enough tmpfs access to find the shared semaphore file.
files_read_etc_files(dirsrv_snmp_t)
miscfiles_read_localization(dirsrv_snmp_t)
libs_use_ld_so(dirsrv_snmp_t)
libs_use_shared_libs(dirsrv_snmp_t)
dev_read_rand(dirsrv_snmp_t)
dev_read_urand(dirsrv_snmp_t)
files_read_usr_files(dirsrv_snmp_t)
fs_getattr_tmpfs(dirsrv_snmp_t)
fs_search_tmpfs(dirsrv_snmp_t)
allow dirsrv_snmp_t self:fifo_file { read write };
sysnet_read_config(dirsrv_snmp_t)
sysnet_dns_name_resolve(dirsrv_snmp_t)

# Net-SNMP /var/lib files (includes agentx unix domain socket)
# The two dontaudit calls only silence denials; the raw `append` rule and the
# stream_connect_pattern below are what actually grant access.
snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
# NGK - there really should be a macro for this. (see bz 523771)
allow dirsrv_snmp_t snmpd_var_lib_t:file append;
# NGK - use snmp_stream_connect(dirsrv_snmp_t) when it is made
# available on all platforms we build on (see bz 478629 and bz 523548)
# Grants connectto on the unix stream socket owned by snmpd_t at a path
# labelled snmpd_var_lib_t (the agentx socket).
stream_connect_pattern(dirsrv_snmp_t, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)

# Net-SNMP agentx tcp socket
# Alternative to the unix socket above when the master agent listens on TCP.
corenet_tcp_connect_agentx_port(dirsrv_snmp_t)

# Net-SNMP persistent data file
# NOTE(review): this grants create/write/delete on generic var_t files
# anywhere under /var, not just the Net-SNMP data file; a dedicated type for
# that file would be narrower -- TODO confirm which path is written.
files_manage_var_files(dirsrv_snmp_t)

# stats file semaphore
# Read/write only -- the subagent cannot create or remove the semaphore file.
rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)

# stats file
# The stats file sits in the main daemon's pid directory; read-only here.
read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)

# process stuff
# NOTE(review): dac_override is broader than dac_read_search (it also bypasses
# write checks); if the subagent only needs to read files owned by the dirsrv
# user, dac_read_search alone may suffice -- TODO confirm.
allow dirsrv_snmp_t self:capability { dac_override dac_read_search };

# config file
read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)

# pid file
# search_dirs_pattern on dirsrv_var_run_t is what lets the subagent reach the
# stats file granted above.
manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)

# log file
# The subagent writes its own log type inside the main log directory; the
# filetrans gives new files there the dirsrv_snmp_var_log_t label.
# NOTE(review): the trailing `;` on the manage_files_pattern call matches no
# other interface call in this file; confirm it is harmless when built.
manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)

# Init script handling
init_use_fds(dirsrv_snmp_t)
init_use_script_ptys(dirsrv_snmp_t)
domain_use_interactive_fds(dirsrv_snmp_t)