authorNathan Kinder <nkinder@redhat.com>2009-10-22 14:56:06 -0700
committerNathan Kinder <nkinder@redhat.com>2009-10-22 14:56:06 -0700
commit41fa124aeec3b6bc86f28d69aeccb0e02f382aeb (patch)
tree3f52adca24b656fb804cc82238c5fb07423d1564
parentd7b1c99abd516b54e302acb775c9e01295fc616a (diff)
Extend dirsrv SELinux policy interface.
The dirsrv SELinux policy interface needed to be extended to grant the confined Admin Server the permissions it needs to interact with the Directory Server.
-rw-r--r--selinux/dirsrv.if29
1 files changed, 25 insertions, 4 deletions
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
index 17035293..80b478f1 100644
--- a/selinux/dirsrv.if
+++ b/selinux/dirsrv.if
@@ -118,6 +118,24 @@ interface(`dirsrv_manage_var_run',`
files_pid_filetrans($1, dirsrv_var_run_t, dir)
')
+#######################################
+## <summary>
+## Allow a domain to read dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_read_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir list_dir_perms;
+ allow $1 dirsrv_var_run_t:file read_file_perms;
+')
+
########################################
## <summary>
## Manage dirsrv configuration files.
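Review bot: dirsrv_read_var_run grants read access on dirsrv_var_run_t but gives the caller no search permission on the enclosing /var/run directory, so a domain with no other route to the pid directory cannot actually reach these files; the refpolicy convention for a read interface is to place `files_search_pids($1)` ahead of the allow rules (dirsrv_manage_var_run above already depends on files_pid_filetrans for the same directory). Whether the Admin Server domain already holds that permission is decided in its own policy module, which this hunk does not show. The header rule opening the new block also appears one `#` shorter than the one before dirsrv_manage_config; aligning it keeps the file's headers uniform.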
@@ -152,8 +170,10 @@ interface(`dirsrv_exec_lib',`
type dirsrv_lib_t;
')
- allow $1 dirsrv_lib_t:dir { search getattr };
- allow $1 dirsrv_lib_t:file { read getattr open execute execute_no_trans ioctl};
+ allow $1 dirsrv_lib_t:dir search_dir_perms;
+ allow $1 dirsrv_lib_t:file exec_file_perms;
+ # Not all platforms include ioctl in exec_file_perms
+ allow $1 dirsrv_lib_t:file ioctl;
')
########################################
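Review bot: `exec_file_perms` includes execute_no_trans, so the rewritten dirsrv_exec_lib lets the calling domain exec() any file labelled dirsrv_lib_t as a program in its own domain rather than only map it as a library; the removed rule granted the same, so this is not a regression, but if no caller runs helpers out of the library directory, `allow $1 dirsrv_lib_t:file mmap_exec_file_perms;` is the least-privilege set for loading shared objects. Whether that set carries ioctl on the older platforms the added comment refers to is not visible here, so the explicit `ioctl` line may still be needed alongside it. If a caller does need execute_no_trans, a one-line comment naming what it executes would document why the broader set is kept. The interface's gen_require block begins above this hunk.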
@@ -171,6 +191,7 @@ interface(`dirsrv_read_share',`
type dirsrv_share_t;
')
- allow $1 dirsrv_share_t:dir { search getattr };
- allow $1 dirsrv_share_t:file { read getattr open };
+ allow $1 dirsrv_share_t:dir list_dir_perms;
+ allow $1 dirsrv_share_t:file read_file_perms;
+ allow $1 dirsrv_share_t:lnk_file read;
')
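Review bot: The added `allow $1 dirsrv_share_t:lnk_file read;` uses a bare permission while the two lines above were switched to refpolicy permission sets; `allow $1 dirsrv_share_t:lnk_file read_lnk_file_perms;` ({ getattr read }) keeps the style uniform and also covers lstat() on the link, which a bare read does not. The dir rule also widens from search/getattr to list_dir_perms, adding directory enumeration; that is reasonable for a read interface, but a short comment noting that the Admin Server lists the share directory would record the reason. If any context line follows the closing `')`, it is not visible in this view.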