[selinux-policy: 573/3172] add ldap
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 19:54:07 UTC 2010
commit 2961e79b556b8693058eb892f47875a51b039536
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Aug 17 18:33:43 2005 +0000
add ldap
refpolicy/Changelog | 1 +
refpolicy/policy/modules/services/ldap.fc | 10 ++
refpolicy/policy/modules/services/ldap.if | 37 ++++++++
refpolicy/policy/modules/services/ldap.te | 129 +++++++++++++++++++++++++++++
refpolicy/policy/modules/system/files.if | 18 ++++
refpolicy/policy/modules/system/init.te | 5 +
6 files changed, 200 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 7273d43..49caf6c 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -11,6 +11,7 @@
* Added policies:
acct
firstboot
+ ldap
loadkeys
mysql
quota
diff --git a/refpolicy/policy/modules/services/ldap.fc b/refpolicy/policy/modules/services/ldap.fc
new file mode 100644
index 0000000..98022a5
--- /dev/null
+++ b/refpolicy/policy/modules/services/ldap.fc
@@ -0,0 +1,10 @@
+
+/etc/ldap/slapd\.conf -- context_template(system_u:object_r:slapd_etc_t,s0)
+
+/usr/sbin/slapd -- context_template(system_u:object_r:slapd_exec_t,s0)
+
+/var/lib/ldap(/.*)? context_template(system_u:object_r:slapd_db_t,s0)
+/var/lib/ldap/replog(/.*)? context_template(system_u:object_r:slapd_replog_t,s0)
+
+/var/run/slapd\.args -- context_template(system_u:object_r:slapd_var_run_t,s0)
+/var/run/slapd\.pid -- context_template(system_u:object_r:slapd_var_run_t,s0)
diff --git a/refpolicy/policy/modules/services/ldap.if b/refpolicy/policy/modules/services/ldap.if
new file mode 100644
index 0000000..833e02c
--- /dev/null
+++ b/refpolicy/policy/modules/services/ldap.if
@@ -0,0 +1,37 @@
+## <summary>OpenLDAP directory server</summary>
+
+########################################
+## <summary>
+## Read the contents of the OpenLDAP
+## database directories.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`ldap_list_db_dir',`
+ gen_require(`
+ type slapd_db_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 slapd_db_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
+## Read the OpenLDAP configuration files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`ldap_read_config',`
+ gen_require(`
+ type slapd_etc_t;
+ class file { getattr read };
+ ')
+
+ files_search_etc($1)
+ allow $1 slapd_etc_t:file { getattr read };
+')
diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
new file mode 100644
index 0000000..a7ffb9c
--- /dev/null
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -0,0 +1,129 @@
+
+policy_module(ldap,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type slapd_t;
+type slapd_exec_t;
+init_daemon_domain(slapd_t,slapd_exec_t)
+
+type slapd_db_t;
+files_type(slapd_db_t)
+
+type slapd_etc_t; #, usercanread;
+files_type(slapd_etc_t)
+
+type slapd_replog_t;
+files_type(slapd_replog_t)
+
+type slapd_tmp_t;
+files_tmp_file(slapd_tmp_t)
+
+type slapd_var_run_t;
+files_pid_file(slapd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+# should not need kill
+# cjp: why net_raw?
+allow slapd_t self:capability { kill setgid setuid net_raw };
+dontaudit slapd_t self:capability sys_tty_config;
+allow slapd_t self:process setsched;
+allow slapd_t self:fifo_file { read write };
+allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
+
+# Allow access to the slapd databases
+allow slapd_t slapd_db_t:dir create_dir_perms;
+allow slapd_t slapd_db_t:file create_file_perms;
+allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
+
+allow slapd_t slapd_etc_t:file { getattr read };
+
+# Allow access to write the replication log (should tighten this)
+allow slapd_t slapd_replog_t:dir create_dir_perms;
+allow slapd_t slapd_replog_t:file create_file_perms;
+allow slapd_t slapd_replog_t:lnk_file create_lnk_perms;
+
+allow slapd_t slapd_tmp_t:dir create_dir_perms;
+allow slapd_t slapd_tmp_t:file create_file_perms;
+files_create_tmp_files(slapd_t, slapd_tmp_t, { file dir })
+
+allow slapd_t slapd_var_run_t:file create_file_perms;
+files_create_pid(slapd_t,slapd_var_run_t)
+
+kernel_read_system_state(slapd_t)
+kernel_read_kernel_sysctl(slapd_t)
+
+corenet_tcp_sendrecv_all_if(slapd_t)
+corenet_udp_sendrecv_all_if(slapd_t)
+corenet_raw_sendrecv_all_if(slapd_t)
+corenet_tcp_sendrecv_all_nodes(slapd_t)
+corenet_udp_sendrecv_all_nodes(slapd_t)
+corenet_raw_sendrecv_all_nodes(slapd_t)
+corenet_tcp_sendrecv_all_ports(slapd_t)
+corenet_udp_sendrecv_all_ports(slapd_t)
+corenet_tcp_bind_all_nodes(slapd_t)
+corenet_udp_bind_all_nodes(slapd_t)
+corenet_tcp_bind_ldap_port(slapd_t)
+
+dev_read_urand(slapd_t)
+dev_read_sysfs(slapd_t)
+
+fs_getattr_all_fs(slapd_t)
+fs_search_auto_mountpoints(slapd_t)
+
+term_dontaudit_use_console(slapd_t)
+
+domain_use_wide_inherit_fd(slapd_t)
+
+files_read_etc_files(slapd_t)
+files_read_etc_runtime_files(slapd_t)
+files_read_usr_files(slapd_t)
+files_list_var_lib(slapd_t)
+
+init_use_fd(slapd_t)
+init_use_script_pty(slapd_t)
+
+libs_use_ld_so(slapd_t)
+libs_use_shared_libs(slapd_t)
+
+logging_send_syslog_msg(slapd_t)
+
+miscfiles_read_localization(slapd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(slapd_t)
+userdom_dontaudit_search_sysadm_home_dir(slapd_t)
+
+ifdef(`targeted_policy', `
+ term_dontaudit_use_unallocated_tty(slapd_t)
+ term_dontaudit_use_generic_pty(slapd_t)
+ files_dontaudit_read_root_file(slapd_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(slapd_t)
+')
+
+optional_policy(`rhgb.te',`
+ rhgb_domain(slapd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(slapd_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(slapd_t)
+')
+
+ifdef(`TODO',`
+# allow any domain to connect to the LDAP server
+# cjp: how does this relate to the old can_ldap() macro?
+can_tcp_connect(domain, slapd_t)
+') dnl end TODO
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 980b8e3..d21f063 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1818,6 +1818,24 @@ interface(`files_search_var_lib',`
########################################
## <summary>
+## List the contents of the /var/lib directory.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_list_var_lib',`
+ gen_require(`
+ type var_t, var_lib_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 var_t:dir search;
+ allow $1 var_lib_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
## Create objects in the /var/lib directory
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 6c39e70..e9980fa 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -381,6 +381,11 @@ optional_policy(`kerberos.te',`
kerberos_use(initrc_t)
')
+optional_policy(`ldap.te',`
+ ldap_read_config(initrc_t)
+ ldap_list_db_dir(initrc_t)
+')
+
optional_policy(`loadkeys.te',`
loadkeys_exec(initrc_t)
')
More information about the scm-commits
mailing list