7d1f5642b0
Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible. Use permission sets where possible.
96 lines
2.3 KiB
Plaintext
96 lines
2.3 KiB
Plaintext
policy_module(sssd, 1.1.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type sssd_t;
|
|
type sssd_exec_t;
|
|
init_daemon_domain(sssd_t, sssd_exec_t)
|
|
|
|
type sssd_initrc_exec_t;
|
|
init_script_file(sssd_initrc_exec_t)
|
|
|
|
type sssd_public_t;
|
|
files_pid_file(sssd_public_t)
|
|
|
|
type sssd_var_lib_t;
|
|
files_type(sssd_var_lib_t)
|
|
|
|
type sssd_var_log_t;
|
|
logging_log_file(sssd_var_log_t)
|
|
|
|
type sssd_var_run_t;
|
|
files_pid_file(sssd_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# sssd local policy
|
|
#
|
|
|
|
allow sssd_t self:capability { chown dac_read_search dac_override kill sys_nice setgid setuid };
|
|
allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
|
|
allow sssd_t self:fifo_file rw_fifo_file_perms;
|
|
allow sssd_t self:key manage_key_perms;
|
|
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
|
|
manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
|
|
manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
|
|
|
|
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
|
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
|
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
|
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
|
|
|
|
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
|
|
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
|
|
|
|
manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
|
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
|
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
|
|
|
|
kernel_read_network_state(sssd_t)
|
|
kernel_read_system_state(sssd_t)
|
|
|
|
corecmd_exec_bin(sssd_t)
|
|
|
|
dev_read_urand(sssd_t)
|
|
|
|
domain_read_all_domains_state(sssd_t)
|
|
domain_obj_id_change_exemption(sssd_t)
|
|
|
|
files_list_tmp(sssd_t)
|
|
files_read_etc_files(sssd_t)
|
|
files_read_usr_files(sssd_t)
|
|
|
|
fs_list_inotifyfs(sssd_t)
|
|
|
|
selinux_validate_context(sssd_t)
|
|
|
|
seutil_read_file_contexts(sssd_t)
|
|
|
|
mls_file_read_to_clearance(sssd_t)
|
|
|
|
auth_use_nsswitch(sssd_t)
|
|
auth_domtrans_chk_passwd(sssd_t)
|
|
auth_domtrans_upd_passwd(sssd_t)
|
|
|
|
init_read_utmp(sssd_t)
|
|
|
|
logging_send_syslog_msg(sssd_t)
|
|
logging_send_audit_msgs(sssd_t)
|
|
|
|
miscfiles_read_localization(sssd_t)
|
|
|
|
userdom_manage_tmp_role(system_r, sssd_t)
|
|
|
|
optional_policy(`
|
|
dbus_system_bus_client(sssd_t)
|
|
dbus_connect_system_bus(sssd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_manage_host_rcache(sssd_t)
|
|
')
|