1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
150 lines
3.9 KiB
Plaintext
150 lines
3.9 KiB
Plaintext
|
|
policy_module(ldap,1.4.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type slapd_t;
|
|
type slapd_exec_t;
|
|
init_daemon_domain(slapd_t,slapd_exec_t)
|
|
|
|
type slapd_cert_t;
|
|
files_type(slapd_cert_t)
|
|
|
|
type slapd_db_t;
|
|
files_type(slapd_db_t)
|
|
|
|
type slapd_etc_t;
|
|
files_config_file(slapd_etc_t)
|
|
|
|
type slapd_lock_t;
|
|
files_lock_file(slapd_lock_t)
|
|
|
|
type slapd_replog_t;
|
|
files_type(slapd_replog_t)
|
|
|
|
type slapd_tmp_t;
|
|
files_tmp_file(slapd_tmp_t)
|
|
|
|
type slapd_var_run_t;
|
|
files_pid_file(slapd_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
# should not need kill
|
|
# cjp: why net_raw?
|
|
allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
|
|
dontaudit slapd_t self:capability sys_tty_config;
|
|
allow slapd_t self:process setsched;
|
|
allow slapd_t self:fifo_file { read write };
|
|
allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
|
|
allow slapd_t self:udp_socket create_socket_perms;
|
|
#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
|
|
allow slapd_t self:tcp_socket create_stream_socket_perms;
|
|
|
|
allow slapd_t slapd_cert_t:dir list_dir_perms;
|
|
read_files_pattern(slapd_t,slapd_cert_t,slapd_cert_t)
|
|
read_lnk_files_pattern(slapd_t,slapd_cert_t,slapd_cert_t)
|
|
|
|
# Allow access to the slapd databases
|
|
manage_dirs_pattern(slapd_t,slapd_db_t,slapd_db_t)
|
|
manage_files_pattern(slapd_t,slapd_db_t,slapd_db_t)
|
|
manage_lnk_files_pattern(slapd_t,slapd_db_t,slapd_db_t)
|
|
|
|
allow slapd_t slapd_etc_t:file { getattr read };
|
|
|
|
allow slapd_t slapd_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(slapd_t,slapd_lock_t,file)
|
|
|
|
# Allow access to write the replication log (should tighten this)
|
|
manage_dirs_pattern(slapd_t,slapd_replog_t,slapd_replog_t)
|
|
manage_files_pattern(slapd_t,slapd_replog_t,slapd_replog_t)
|
|
manage_lnk_files_pattern(slapd_t,slapd_replog_t,slapd_replog_t)
|
|
|
|
manage_dirs_pattern(slapd_t,slapd_tmp_t,slapd_tmp_t)
|
|
manage_files_pattern(slapd_t,slapd_tmp_t,slapd_tmp_t)
|
|
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(slapd_t,slapd_var_run_t,slapd_var_run_t)
|
|
manage_sock_files_pattern(slapd_t,slapd_var_run_t,slapd_var_run_t)
|
|
files_pid_filetrans(slapd_t,slapd_var_run_t,{ file sock_file })
|
|
|
|
kernel_read_system_state(slapd_t)
|
|
kernel_read_kernel_sysctls(slapd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(slapd_t)
|
|
corenet_all_recvfrom_netlabel(slapd_t)
|
|
corenet_tcp_sendrecv_all_if(slapd_t)
|
|
corenet_udp_sendrecv_all_if(slapd_t)
|
|
corenet_tcp_sendrecv_all_nodes(slapd_t)
|
|
corenet_udp_sendrecv_all_nodes(slapd_t)
|
|
corenet_tcp_sendrecv_all_ports(slapd_t)
|
|
corenet_udp_sendrecv_all_ports(slapd_t)
|
|
corenet_tcp_bind_all_nodes(slapd_t)
|
|
corenet_tcp_bind_ldap_port(slapd_t)
|
|
corenet_tcp_connect_all_ports(slapd_t)
|
|
corenet_sendrecv_ldap_server_packets(slapd_t)
|
|
corenet_sendrecv_all_client_packets(slapd_t)
|
|
|
|
dev_read_urand(slapd_t)
|
|
dev_read_sysfs(slapd_t)
|
|
|
|
fs_getattr_all_fs(slapd_t)
|
|
fs_search_auto_mountpoints(slapd_t)
|
|
|
|
domain_use_interactive_fds(slapd_t)
|
|
|
|
files_read_etc_files(slapd_t)
|
|
files_read_etc_runtime_files(slapd_t)
|
|
files_read_usr_files(slapd_t)
|
|
files_list_var_lib(slapd_t)
|
|
|
|
libs_use_ld_so(slapd_t)
|
|
libs_use_shared_libs(slapd_t)
|
|
|
|
logging_send_syslog_msg(slapd_t)
|
|
|
|
miscfiles_read_certs(slapd_t)
|
|
miscfiles_read_localization(slapd_t)
|
|
|
|
sysnet_read_config(slapd_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
|
|
userdom_dontaudit_search_sysadm_home_dirs(slapd_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
#reh slapcat will want to talk to the terminal
|
|
term_use_generic_ptys(slapd_t)
|
|
term_use_unallocated_ttys(slapd_t)
|
|
|
|
userdom_search_generic_user_home_dirs(slapd_t)
|
|
#need to be able to read ldif files created by root
|
|
# cjp: fix to not use templated interface:
|
|
userdom_read_user_home_content_files(user,slapd_t)
|
|
|
|
term_dontaudit_use_unallocated_ttys(slapd_t)
|
|
term_dontaudit_use_generic_ptys(slapd_t)
|
|
files_dontaudit_read_root_files(slapd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_use(slapd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(slapd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(slapd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(slapd_t)
|
|
')
|