selinux-policy/refpolicy/policy/modules/services/ldap.if

60 lines
1.1 KiB
Plaintext

## <summary>OpenLDAP directory server</summary>
########################################
## <summary>
## Read the contents of the OpenLDAP
## database directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ldap_list_db',`
gen_require(`
type slapd_db_t;
')
allow $1 slapd_db_t:dir r_dir_perms;
')
########################################
## <summary>
## Read the OpenLDAP configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ldap_read_config',`
gen_require(`
type slapd_etc_t;
')
files_search_etc($1)
allow $1 slapd_etc_t:file { getattr read };
')
########################################
## <summary>
## Use LDAP over TCP connection.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ldap_use',`
gen_require(`
type slapd_t;
')
allow $1 slapd_t:tcp_socket { connectto recvfrom };
allow slapd_t $1:tcp_socket { acceptfrom recvfrom };
kernel_tcp_recvfrom($1)
')