author | Nathan Kinder <nkinder@redhat.com> | 2009-10-22 14:56:06 -0700 |
---|---|---|
committer | Nathan Kinder <nkinder@redhat.com> | 2009-10-22 14:56:06 -0700 |
commit | 41fa124aeec3b6bc86f28d69aeccb0e02f382aeb (patch) | |
tree | 3f52adca24b656fb804cc82238c5fb07423d1564 /selinux | |
parent | d7b1c99abd516b54e302acb775c9e01295fc616a (diff) | |
Extend dirsrv SELinux policy interface.
The dirsrv SELinux policy interface needed to be extended to
allow the confined Admin Server the proper permissions to
interact with the Directory Server.
Diffstat (limited to 'selinux')
-rw-r--r-- | selinux/dirsrv.if | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
index 17035293..80b478f1 100644
--- a/selinux/dirsrv.if
+++ b/selinux/dirsrv.if
@@ -118,6 +118,24 @@ interface(`dirsrv_manage_var_run',`
 files_pid_filetrans($1, dirsrv_var_run_t, dir)
 ')
 
+#######################################
+## <summary>
+## Allow a domain to read dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_read_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir list_dir_perms;
+ allow $1 dirsrv_var_run_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ## Manage dirsrv configuration files.
@@ -152,8 +170,10 @@ interface(`dirsrv_exec_lib',`
 type dirsrv_lib_t;
 ')
 
- allow $1 dirsrv_lib_t:dir { search getattr };
- allow $1 dirsrv_lib_t:file { read getattr open execute execute_no_trans ioctl};
+ allow $1 dirsrv_lib_t:dir search_dir_perms;
+ allow $1 dirsrv_lib_t:file exec_file_perms;
+ # Not all platforms include ioctl in exec_file_perms
+ allow $1 dirsrv_lib_t:file ioctl;
 ')
 
 ########################################
@@ -171,6 +191,7 @@ interface(`dirsrv_read_share',`
 type dirsrv_share_t;
 ')
 
- allow $1 dirsrv_share_t:dir { search getattr };
- allow $1 dirsrv_share_t:file { read getattr open };
+ allow $1 dirsrv_share_t:dir list_dir_perms;
+ allow $1 dirsrv_share_t:file read_file_perms;
+ allow $1 dirsrv_share_t:lnk_file read;
 ')
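Review bot: The new `dirsrv_read_var_run` interface grants `list_dir_perms`/`read_file_perms` on `dirsrv_var_run_t` only, and nothing on the `/var/run` directory the dirsrv pid directory lives in, so a caller that does not already hold search on `var_run_t` is denied at `/var/run` before the new rules ever apply; refpolicy-style read interfaces for pid files usually add `files_search_pids($1)` right after the `gen_require` block, and the same line belongs here. It also grants no `lnk_file` access, unlike the `dirsrv_read_share` change later in this commit, so any symlink under the dirsrv run directory stays unreadable to the caller. The banner line above the `<summary>` block also appears one `#` shorter than the neighbouring banners. Whether `dirsrv_manage_var_run`, which begins before this hunk, already calls `files_search_pids` is not visible here.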
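Review bot: `dirsrv_exec_lib` still grants no `lnk_file` permission on `dirsrv_lib_t`, so if any shared object under the dirsrv lib directory is reached through a versioned symlink carrying that label, the caller's `dlopen()` is denied at the link even though `exec_file_perms` now covers the target; the `dirsrv_read_share` hunk in this same commit adds `lnk_file` access for exactly this situation, and the matching line here would be `allow $1 dirsrv_lib_t:lnk_file read_lnk_file_perms;`. The separate `ioctl` rule is harmless where `exec_file_perms` already contains it, but its comment should name what it is compensating for, e.g. `# older policy releases omit ioctl from exec_file_perms; keep it explicit so the rule is portable`. The interface's `gen_require` block starts before this hunk.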
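Review bot: The added `allow $1 dirsrv_share_t:lnk_file read;` omits `getattr`, so a caller that `lstat()`s a symlink under the share directory before following it (as `ls -l`, `find` and most installers do) is denied even though it may read the link target; the refpolicy macro grants both and matches the `list_dir_perms`/`read_file_perms` style the rest of the hunk adopts: `allow $1 dirsrv_share_t:lnk_file read_lnk_file_perms;`. Note also that the `dir` rule widens from `{ search getattr }` to `list_dir_perms`, which is sensible for a read interface but is a grant the old rule did not make and is worth a line in the interface summary. The interface's `gen_require` block starts before this hunk.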