policy_module(ldap,1.3.1) ######################################## # # Declarations # type slapd_t; type slapd_exec_t; init_daemon_domain(slapd_t,slapd_exec_t) type slapd_cert_t; files_type(slapd_cert_t) type slapd_db_t; files_type(slapd_db_t) type slapd_etc_t; files_config_file(slapd_etc_t) type slapd_lock_t; files_lock_file(slapd_lock_t) type slapd_replog_t; files_type(slapd_replog_t) type slapd_tmp_t; files_tmp_file(slapd_tmp_t) type slapd_var_run_t; files_pid_file(slapd_var_run_t) ######################################## # # Local policy # # should not need kill # cjp: why net_raw? allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search }; dontaudit slapd_t self:capability sys_tty_config; allow slapd_t self:process setsched; allow slapd_t self:fifo_file { read write }; allow slapd_t self:netlink_route_socket r_netlink_socket_perms; allow slapd_t self:udp_socket create_socket_perms; #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach) allow slapd_t self:tcp_socket create_stream_socket_perms; allow slapd_t slapd_cert_t:dir list_dir_perms; read_files_pattern(slapd_t,slapd_cert_t,slapd_cert_t) read_lnk_files_pattern(slapd_t,slapd_cert_t,slapd_cert_t) # Allow access to the slapd databases manage_dirs_pattern(slapd_t,slapd_db_t,slapd_db_t) manage_files_pattern(slapd_t,slapd_db_t,slapd_db_t) manage_lnk_files_pattern(slapd_t,slapd_db_t,slapd_db_t) allow slapd_t slapd_etc_t:file { getattr read }; allow slapd_t slapd_lock_t:file manage_file_perms; files_lock_filetrans(slapd_t,slapd_lock_t,file) # Allow access to write the replication log (should tighten this) manage_dirs_pattern(slapd_t,slapd_replog_t,slapd_replog_t) manage_files_pattern(slapd_t,slapd_replog_t,slapd_replog_t) manage_lnk_files_pattern(slapd_t,slapd_replog_t,slapd_replog_t) manage_dirs_pattern(slapd_t,slapd_tmp_t,slapd_tmp_t) manage_files_pattern(slapd_t,slapd_tmp_t,slapd_tmp_t) files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir }) manage_files_pattern(slapd_t,slapd_var_run_t,slapd_var_run_t) manage_sock_files_pattern(slapd_t,slapd_var_run_t,slapd_var_run_t) files_pid_filetrans(slapd_t,slapd_var_run_t,{ file sock_file }) kernel_read_system_state(slapd_t) kernel_read_kernel_sysctls(slapd_t) corenet_non_ipsec_sendrecv(slapd_t) corenet_tcp_sendrecv_all_if(slapd_t) corenet_udp_sendrecv_all_if(slapd_t) corenet_tcp_sendrecv_all_nodes(slapd_t) corenet_udp_sendrecv_all_nodes(slapd_t) corenet_tcp_sendrecv_all_ports(slapd_t) corenet_udp_sendrecv_all_ports(slapd_t) corenet_tcp_bind_all_nodes(slapd_t) corenet_tcp_bind_ldap_port(slapd_t) corenet_tcp_connect_all_ports(slapd_t) corenet_sendrecv_ldap_server_packets(slapd_t) corenet_sendrecv_all_client_packets(slapd_t) dev_read_urand(slapd_t) dev_read_sysfs(slapd_t) fs_getattr_all_fs(slapd_t) fs_search_auto_mountpoints(slapd_t) domain_use_interactive_fds(slapd_t) files_read_etc_files(slapd_t) files_read_etc_runtime_files(slapd_t) files_read_usr_files(slapd_t) files_list_var_lib(slapd_t) libs_use_ld_so(slapd_t) libs_use_shared_libs(slapd_t) logging_send_syslog_msg(slapd_t) miscfiles_read_certs(slapd_t) miscfiles_read_localization(slapd_t) sysnet_read_config(slapd_t) userdom_dontaudit_use_unpriv_user_fds(slapd_t) userdom_dontaudit_search_sysadm_home_dirs(slapd_t) ifdef(`targeted_policy',` #reh slapcat will want to talk to the terminal term_use_generic_ptys(slapd_t) term_use_unallocated_ttys(slapd_t) userdom_search_generic_user_home_dirs(slapd_t) #need to be able to read ldif files created by root # cjp: fix to not use templated interface: userdom_read_user_home_content_files(user,slapd_t) term_dontaudit_use_unallocated_ttys(slapd_t) term_dontaudit_use_generic_ptys(slapd_t) files_dontaudit_read_root_files(slapd_t) ') optional_policy(` kerberos_use(slapd_t) ') optional_policy(` nis_use_ypbind(slapd_t) ') optional_policy(` seutil_sigchld_newrole(slapd_t) ') optional_policy(` udev_read_db(slapd_t) ')