authorNathan Kinder <nkinder@redhat.com>2009-09-09 09:59:07 -0700
committerNathan Kinder <nkinder@redhat.com>2009-09-09 09:59:07 -0700
commit39869a77cbeb1967acfa1354092c81d05dd79be7 (patch)
treedc4cc882f80cd3d5bb7344af4d0703d0665316f3 /selinux
parent01b9f5e3b023ef19608bb017560adcca13271e1f (diff)
Add selinux policy for ns-slapd
This adds a "dirsrv" selinux policy module to confine the ns-slapd daemon. The setup and migration perl modules were changed to take care of any relabeling of installed files if selinux support was compiled in. The build system now takes a "--with-selinux" option that will compile the dirsrv policy module and enable any selinux specific setup code. To use the dirsrv policy module, the module will need to be loaded using the semodule utility. It is also necessary to relabel the installed files using restorecon after performing a make install. All of this will be taken care of in the spec file when an RPM package is used.
Diffstat (limited to 'selinux')
-rw-r--r--selinux/Makefile17
-rw-r--r--selinux/dirsrv.fc.in22
-rw-r--r--selinux/dirsrv.if23
-rw-r--r--selinux/dirsrv.te127
4 files changed, 189 insertions, 0 deletions
diff --git a/selinux/Makefile b/selinux/Makefile
new file mode 100644
index 00000000..bc8e6a73
--- /dev/null
+++ b/selinux/Makefile
@@ -0,0 +1,17 @@
+POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
+POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
+
+all:
+ if [ ! -e $(POLICY_MAKEFILE) ]; then echo "You need to install the SELinux policy development tools (selinux-policy)" && exit 1; fi
+
+ $(MAKE) -f $(POLICY_MAKEFILE) $@ || exit 1;
+
+clean:
+ $(MAKE) -f $(POLICY_MAKEFILE) $@ || exit 1;
+
+install: all
+ install -d $(POLICY_DIR)
+ install -m 644 dirsrv.pp $(POLICY_DIR)
+
+load:
+ /usr/sbin/semodule -i dirsrv.pp
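Review bot: The `load` target has no prerequisite, so `make load` hands whatever `dirsrv.pp` happens to be in the directory to `semodule -i`, which may be a stale build or no file at all; `load: all` would match the way `install` is declared. None of `all`, `clean`, `install` and `load` is declared phony, so a file with one of those names in selinux/ would make the target look up to date and skip its recipe; add `.PHONY: all clean install load`. `POLICY_DIR` is fixed to the `targeted` policy directory, which deserves a comment such as `# assumes the targeted policy store; override POLICY_DIR for other policy types`.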
diff --git a/selinux/dirsrv.fc.in b/selinux/dirsrv.fc.in
new file mode 100644
index 00000000..ae768b1b
--- /dev/null
+++ b/selinux/dirsrv.fc.in
@@ -0,0 +1,22 @@
+# dirsrv executable will have:
+# label: system_u:object_r:dirsrv_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+@sbindir@/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
+@sbindir@/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+@sbindir@/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+@serverdir@ gen_context(system_u:object_r:dirsrv_lib_t,s0)
+@serverdir@(/.*) gen_context(system_u:object_r:dirsrv_lib_t,s0)
+@localstatedir@/run/@package_name@ gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+@localstatedir@/run/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+@localstatedir@/log/@package_name@ gen_context(system_u:object_r:dirsrv_var_log_t,s0)
+@localstatedir@/log/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_var_log_t,s0)
+@localstatedir@/lock/@package_name@ gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
+@localstatedir@/lock/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
+@localstatedir@/lib/@package_name@ gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+@localstatedir@/lib/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+@sysconfdir@/@package_name@ gen_context(system_u:object_r:dirsrv_config_t,s0)
+@sysconfdir@/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_config_t,s0)
+@datadir@/@package_name@ gen_context(system_u:object_r:dirsrv_share_t,s0)
+@datadir@/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_share_t,s0)
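Review bot: The header comment on the first four lines describes only the label of the daemon executable, while the file also labels the start/restart wrappers, libraries, runtime state, logs, locks, configuration and shared data; a short comment per group would make the mapping reviewable, for example `# start/restart wrappers are labelled as init scripts (initrc_exec_t)`. As a style point, every directory is written as two entries (`path` and `path(/.*)`), where the usual reference-policy form is the single entry `path(/.*)?`. These contexts only apply once the installed files are relabelled, which the commit description leaves to restorecon or the spec file, so a note to that effect in the header would help anyone installing by hand.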
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
new file mode 100644
index 00000000..d3851bad
--- /dev/null
+++ b/selinux/dirsrv.if
@@ -0,0 +1,23 @@
+## <summary>policy for dirsrv</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirsrv_domtrans',`
+ gen_require(`
+ type dirsrv_t, dirsrv_exec_t;
+ ')
+
+ domain_auto_trans($1,dirsrv_exec_t,dirsrv_t)
+
+ allow dirsrv_t $1:fd use;
+ allow dirsrv_t $1:fifo_file rw_file_perms;
+ allow dirsrv_t $1:process sigchld;
+')
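Review bot: `dirsrv_domtrans` spells the transition out as `domain_auto_trans` followed by three hand-written allow rules, where reference policy normally uses the single pattern `domtrans_pattern($1, dirsrv_exec_t, dirsrv_t)`, which is meant to carry the fd, fifo and sigchld rules itself. The fifo rule also applies the regular-file set `rw_file_perms` to class `fifo_file`; `rw_fifo_file_perms` is the set intended for that class. Using the pattern macros keeps what the interface grants to calling domains tied to the policy's own definitions rather than a local copy that can drift.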
diff --git a/selinux/dirsrv.te b/selinux/dirsrv.te
new file mode 100644
index 00000000..ea103557
--- /dev/null
+++ b/selinux/dirsrv.te
@@ -0,0 +1,127 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# main daemon
+type dirsrv_t;
+type dirsrv_exec_t;
+domain_type(dirsrv_t)
+init_daemon_domain(dirsrv_t, dirsrv_exec_t)
+
+# dynamic libraries
+type dirsrv_lib_t;
+files_type(dirsrv_lib_t)
+
+# var/lib files
+type dirsrv_var_lib_t;
+files_type(dirsrv_var_lib_t)
+
+# log files
+type dirsrv_var_log_t;
+logging_log_file(dirsrv_var_log_t)
+
+# pid files
+type dirsrv_var_run_t;
+files_pid_file(dirsrv_var_run_t)
+
+# lock files
+type dirsrv_var_lock_t;
+files_lock_file(dirsrv_var_lock_t)
+
+# config files
+type dirsrv_config_t;
+files_type(dirsrv_config_t)
+
+# tmp files
+type dirsrv_tmp_t;
+files_tmp_file(dirsrv_tmp_t)
+
+# semaphores
+type dirsrv_tmpfs_t;
+files_tmpfs_file(dirsrv_tmpfs_t)
+
+# shared files
+type dirsrv_share_t;
+files_type(dirsrv_share_t);
+
+########################################
+#
+# dirsrv local policy
+#
+
+# Some common macros
+files_read_etc_files(dirsrv_t)
+corecmd_search_sbin(dirsrv_t)
+files_read_usr_symlinks(dirsrv_t)
+miscfiles_read_localization(dirsrv_t)
+dev_read_urand(dirsrv_t)
+libs_use_ld_so(dirsrv_t)
+libs_use_shared_libs(dirsrv_t)
+allow dirsrv_t self:fifo_file { read write };
+
+# process stuff
+allow dirsrv_t self:process { getsched setsched signal_perms};
+allow dirsrv_t self:capability { sys_nice setuid setgid chown dac_override };
+
+# semaphores
+allow dirsrv_t self:sem all_sem_perms;
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
+
+# dynamic libraries
+allow dirsrv_t dirsrv_lib_t:file exec_file_perms;
+allow dirsrv_t dirsrv_lib_t:lnk_file read_lnk_file_perms;
+allow dirsrv_t dirsrv_lib_t:dir search_dir_perms;
+
+# var/lib files for dirsrv
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
+
+# log files
+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+allow dirsrv_t dirsrv_var_log_t:dir { setattr };
+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
+
+# pid files
+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+files_pid_filetrans(dirsrv_t,dirsrv_var_run_t, { file sock_file })
+
+#lock files
+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+files_lock_filetrans(dirsrv_t,dirsrv_var_lock_t, { file })
+
+# config files
+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+
+# tmp files
+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
+
+# system state
+fs_getattr_all_fs(dirsrv_t)
+kernel_read_system_state(dirsrv_t)
+
+# Networking basics
+sysnet_dns_name_resolve(dirsrv_t)
+corenet_all_recvfrom_unlabeled(dirsrv_t)
+corenet_all_recvfrom_netlabel(dirsrv_t)
+corenet_tcp_sendrecv_generic_if(dirsrv_t)
+corenet_tcp_sendrecv_generic_node(dirsrv_t)
+corenet_tcp_sendrecv_all_ports(dirsrv_t)
+corenet_tcp_bind_all_nodes(dirsrv_t)
+corenet_tcp_bind_ldap_port(dirsrv_t)
+corenet_tcp_connect_all_ports(dirsrv_t)
+corenet_sendrecv_ldap_server_packets(dirsrv_t)
+corenet_sendrecv_all_client_packets(dirsrv_t)
+allow dirsrv_t self:tcp_socket { create_stream_socket_perms };
+
+# Init script handling
+init_use_fds(dirsrv_t)
+init_use_script_ptys(dirsrv_t)
+domain_use_interactive_fds(dirsrv_t)
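Review bot: The networking block grants `corenet_tcp_connect_all_ports(dirsrv_t)` and `corenet_sendrecv_all_client_packets(dirsrv_t)`, so a compromised ns-slapd may open outbound TCP connections to any port, which gives up much of the confinement this module is meant to add. If outbound traffic is only needed towards other LDAP servers (an assumption; the hunk does not say why the grant exists), `corenet_tcp_connect_ldap_port(dirsrv_t)` is the narrower rule, and anything wider is better placed behind a boolean with a comment naming the feature that needs it. The `dac_override` capability in the "process stuff" block is similarly broad and should carry a comment stating which file access requires it. `dirsrv_share_t` is declared, but no rule in this hunk gives `dirsrv_t` any access to it, and `logging_log_filetrans` lists `dir` although only `setattr` is allowed on `dirsrv_var_log_t` directories; both look like gaps to confirm against the audit log.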