f66acfd9f2
Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible.
313 lines
6.2 KiB
Plaintext
313 lines
6.2 KiB
Plaintext
## <summary>Name service cache daemon</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send generic signals to NSCD.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`nscd_signal',`
|
|
gen_require(`
|
|
type nscd_t;
|
|
')
|
|
|
|
allow $1 nscd_t:process signal;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send NSCD the kill signal.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`nscd_kill',`
|
|
gen_require(`
|
|
type nscd_t;
|
|
')
|
|
|
|
allow $1 nscd_t:process sigkill;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Send signulls to NSCD.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`nscd_signull',`
|
|
gen_require(`
|
|
type nscd_t;
|
|
')
|
|
|
|
allow $1 nscd_t:process signull;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute NSCD in the nscd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`nscd_domtrans',`
|
|
gen_require(`
|
|
type nscd_t, nscd_exec_t;
|
|
')
|
|
|
|
corecmd_search_bin($1)
|
|
domtrans_pattern($1, nscd_exec_t, nscd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Allow the specified domain to execute nscd
|
|
## in the caller domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`nscd_exec',`
|
|
gen_require(`
|
|
type nscd_exec_t;
|
|
')
|
|
|
|
can_exec($1, nscd_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Use NSCD services by connecting using
|
|
## a unix stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`nscd_socket_use',`
|
|
gen_require(`
|
|
type nscd_t, nscd_var_run_t;
|
|
class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
|
|
')
|
|
|
|
allow $1 self:unix_stream_socket create_socket_perms;
|
|
|
|
allow $1 nscd_t:nscd { getpwd getgrp gethost };
|
|
dontaudit $1 nscd_t:fd use;
|
|
dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
|
|
files_search_pids($1)
|
|
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
|
|
dontaudit $1 nscd_var_run_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Use nscd services
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`nscd_use',`
|
|
tunable_policy(`nscd_use_shm',`
|
|
nscd_shm_use($1)
|
|
',`
|
|
nscd_socket_use($1)
|
|
')
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Use NSCD services by mapping the database from
|
|
## an inherited NSCD file descriptor.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`nscd_shm_use',`
|
|
gen_require(`
|
|
type nscd_t, nscd_var_run_t;
|
|
class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
|
|
')
|
|
|
|
allow $1 nscd_var_run_t:dir list_dir_perms;
|
|
allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
|
|
|
|
# Receive fd from nscd and map the backing file with read access.
|
|
allow $1 nscd_t:fd use;
|
|
|
|
# cjp: these were originally inherited from the
|
|
# nscd_socket_domain macro. need to investigate
|
|
# if they are all actually required
|
|
allow $1 self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
# dg: This may not be required.
|
|
allow $1 nscd_var_run_t:sock_file read_sock_file_perms;
|
|
|
|
stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
|
|
files_search_pids($1)
|
|
allow $1 nscd_t:nscd { getpwd getgrp gethost };
|
|
dontaudit $1 nscd_var_run_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Do not audit attempts to search the NSCD pid directory.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain to not audit.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`nscd_dontaudit_search_pid',`
|
|
gen_require(`
|
|
type nscd_var_run_t;
|
|
')
|
|
|
|
dontaudit $1 nscd_var_run_t:dir search_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read NSCD pid file.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`nscd_read_pid',`
|
|
gen_require(`
|
|
type nscd_var_run_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
read_files_pattern($1, nscd_var_run_t, nscd_var_run_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Unconfined access to NSCD services.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`nscd_unconfined',`
|
|
gen_require(`
|
|
type nscd_t;
|
|
class nscd all_nscd_perms;
|
|
')
|
|
|
|
allow $1 nscd_t:nscd *;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute nscd in the nscd domain, and
|
|
## allow the specified role the nscd domain.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`nscd_run',`
|
|
gen_require(`
|
|
type nscd_t;
|
|
')
|
|
|
|
nscd_domtrans($1)
|
|
role $2 types nscd_t;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Execute the nscd server init script.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed to transition.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`nscd_initrc_domtrans',`
|
|
gen_require(`
|
|
type nscd_initrc_exec_t;
|
|
')
|
|
|
|
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to administrate
|
|
## an nscd environment
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## The role to be allowed to manage the nscd domain.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`nscd_admin',`
|
|
gen_require(`
|
|
type nscd_t, nscd_log_t, nscd_var_run_t;
|
|
type nscd_initrc_exec_t;
|
|
')
|
|
|
|
allow $1 nscd_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, nscd_t)
|
|
|
|
init_labeled_script_domtrans($1, nscd_initrc_exec_t)
|
|
domain_system_change_exemption($1)
|
|
role_transition $2 nscd_initrc_exec_t system_r;
|
|
allow $2 system_r;
|
|
|
|
logging_list_logs($1)
|
|
admin_pattern($1, nscd_log_t)
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, nscd_var_run_t)
|
|
')
|