| -rw-r--r-- | selinux/dirsrv.if | 29 |
1 files changed, 25 insertions, 4 deletions
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
index 17035293..80b478f1 100644
--- a/selinux/dirsrv.if
+++ b/selinux/dirsrv.if
@@ -118,6 +118,24 @@ interface(`dirsrv_manage_var_run',`
 files_pid_filetrans($1, dirsrv_var_run_t, dir)
 ')
 
+#######################################
+## <summary>
+## Allow a domain to read dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_read_var_run',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ allow $1 dirsrv_var_run_t:dir list_dir_perms;
+ allow $1 dirsrv_var_run_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ## Manage dirsrv configuration files.
@@ -152,8 +170,10 @@ interface(`dirsrv_exec_lib',`
 type dirsrv_lib_t;
 ')
 
- allow $1 dirsrv_lib_t:dir { search getattr };
- allow $1 dirsrv_lib_t:file { read getattr open execute execute_no_trans ioctl};
+ allow $1 dirsrv_lib_t:dir search_dir_perms;
+ allow $1 dirsrv_lib_t:file exec_file_perms;
+ # Not all platforms include ioctl in exec_file_perms
+ allow $1 dirsrv_lib_t:file ioctl;
 ')
 
 ########################################
@@ -171,6 +191,7 @@ interface(`dirsrv_read_share',`
 type dirsrv_share_t;
 ')
 
- allow $1 dirsrv_share_t:dir { search getattr };
- allow $1 dirsrv_share_t:file { read getattr open };
+ allow $1 dirsrv_share_t:dir list_dir_perms;
+ allow $1 dirsrv_share_t:file read_file_perms;
+ allow $1 dirsrv_share_t:lnk_file read;
 ')
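Review bot: The new dirsrv_read_var_run interface grants `list_dir_perms` on dirsrv_var_run_t, which additionally lets the caller enumerate the pid directory, while a domain that only opens a known pid file path needs just `search_dir_perms` (the narrower set dirsrv_exec_lib uses further down). If enumeration is not required by the intended callers, `allow $1 dirsrv_var_run_t:dir search_dir_perms;` is the least-privilege grant; if it is required, the summary should say so, e.g. `## Allow a domain to list and read dirsrv /var/run files.`. The interface is contained entirely within the hunk.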
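Review bot: Replacing the explicit permission list with `exec_file_perms` makes the grant track the platform's definition of that set rather than the fixed seven permissions the removed line listed, so on policies whose `exec_file_perms` carries more (newer refpolicy-derived definitions include `map`, for instance) this is a widening; the inline comment only explains the ioctl direction. If the widening is intended it is worth stating next to the existing comment, e.g. `# exec_file_perms is deliberately used so the grant follows the platform's definition`. The dirsrv_exec_lib body begins before the hunk.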
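Review bot: The added `allow $1 dirsrv_share_t:lnk_file read;` grants read but not getattr on symlinks, so a caller that lstat()s a link under the share directory before following it would still be denied; the refpolicy set for this case is `read_lnk_file_perms`. Suggest `allow $1 dirsrv_share_t:lnk_file read_lnk_file_perms;`, which also matches the macro style adopted on the two lines above. The dirsrv_read_share body begins before the hunk.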
