## Administration application for Fedora Directory Server, dirsrv-admin.
########################################
##
## Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain
## and the system_r role. Strict policy.
##
##
##
## Prefix of the domain performing this action.
##
##
##
##
## The role to allow the domain.
##
##
#
interface(`dirsrvadmin_setup_domtrans_strict',`
	# The first argument is a domain prefix: it is expanded to <prefix>_t
	# and <prefix>_devpts_t. The second argument is the role that may
	# enter dirsrvadmin_setup_t.
	# NOTE(review): dirsrvadmin_t is required below but no rule in this
	# interface references it.
	gen_require(`
		type dirsrvadmin_t, dirsrvadmin_setup_t, dirsrvadmin_setupexec_t;
		type $1_t, $1_devpts_t;
	')

	# Executing a file labeled dirsrvadmin_setupexec_t moves the calling
	# domain into dirsrvadmin_setup_t automatically.
	domain_auto_trans($1_t, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t)

	# The setup domain is valid in the calling role and in system_r.
	# The role_transition moves the process into system_r on exec, so the
	# dirsrvadmin_setupexec_t label acts as a gate into system_r for the
	# calling role and should stay limited to the setup programs.
	role system_r types dirsrvadmin_setup_t;
	role $2 types dirsrvadmin_setup_t;
	role_transition $2 dirsrvadmin_setupexec_t system_r;

	# Access from the setup domain back to the calling domain: its
	# terminal, child exit notification, and inherited descriptors.
	allow dirsrvadmin_setup_t $1_devpts_t:chr_file rw_term_perms;
	allow dirsrvadmin_setup_t $1_t:process sigchld;
	allow dirsrvadmin_setup_t $1_t:fd use;
')
########################################
##
## Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain
## and the system_r role. Targeted policy.
##
##
##
## Prefix of the domain performing this action.
##
##
##
##
## The role to allow the domain.
##
##
#
interface(`dirsrvadmin_setup_domtrans_targeted',`
	# NOTE(review): in this variant the first argument is used as a
	# complete type name rather than a prefix, and no role argument is
	# consumed. No role or role_transition statement is emitted here.
	gen_require(`
		type dirsrvadmin_setup_t;
		type dirsrvadmin_setupexec_t;
		type $1;
	')

	# Executing a file labeled dirsrvadmin_setupexec_t moves the calling
	# domain into dirsrvadmin_setup_t automatically.
	domain_auto_trans($1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t)
')
########################################
##
## Read setup log files.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrvadmin_read_setuplog',`
	gen_require(`
		type dirsrvadmin_setuplog_t;
	')

	# Read-only access to files labeled dirsrvadmin_setuplog_t.
	allow $1 dirsrvadmin_setuplog_t:file r_file_perms;

	# The only directory access granted is a search of the tmp directory;
	# presumably the setup logs are written there -- verify against the
	# file contexts.
	files_search_tmp($1)
')
########################################
##
## Manage setup log files.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrvadmin_manage_setuplog',`
	gen_require(`
		type dirsrvadmin_setuplog_t;
	')

	# manage_file_perms lets the domain create, modify and delete files
	# labeled dirsrvadmin_setuplog_t. A domain holding this can alter or
	# remove setup log content, so prefer dirsrvadmin_read_setuplog for
	# callers that only need to inspect the logs.
	allow $1 dirsrvadmin_setuplog_t:file manage_file_perms;

	# Directory access is limited to searching the tmp directory.
	files_search_tmp($1)
')
########################################
##
## Extend httpd domain for dirsrv-admin.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrvadmin_extend_httpd',`
	# NOTE(review): the argument is never used. Every rule below is
	# granted to httpd_t itself, so any process running in httpd_t gains
	# this access, not only the admin server instance.
	gen_require(`
		type httpd_t;
	')

	# Directory server interfaces (defined in the dirsrv module): manage
	# access to its configuration, logs and runtime files.
	dirsrv_manage_var_run(httpd_t)
	dirsrv_manage_log(httpd_t)
	dirsrv_manage_config(httpd_t)

	# Admin server configuration and setup logs.
	dirsrvadmin_manage_config(httpd_t)
	dirsrvadmin_manage_setuplog(httpd_t)

	# Signalling the directory server and running helper programs.
	dirsrv_signull(httpd_t)
	dirsrv_signal(httpd_t)
	dirsrv_run_helper_exec(httpd_t)
	files_exec_usr_files(httpd_t)

	# NOTE(review): bind and connect on generic ports are broad grants.
	# A dedicated port type for the admin server would confine httpd_t
	# more tightly; confirm which ports are actually needed.
	corenet_tcp_connect_generic_port(httpd_t)
	corenet_tcp_bind_generic_port(httpd_t)

	# Strict policy only: suppress audit records for searches of the
	# sysadm home directories. This is a dontaudit, not an allow.
	ifdef(`strict_policy',`
		userdom_dontaudit_search_sysadm_home_dirs(httpd_t)
	')
')
########################################
##
## Extend httpd domain for dirsrv-admin cgi.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrvadmin_script_extend_httpd',`
	# Grants the domain passed as the first argument access to httpd
	# resources, and additionally lets httpd_t execute the admin server
	# cgi programs.
	gen_require(`
		type httpd_t;
		type httpd_exec_t;
		type httpd_suexec_exec_t;
		type httpd_tmp_t;
		type httpd_var_run_t;
	')

	# execute_no_trans permits running the httpd binary without a domain
	# transition, that is, inside the calling domain. The execute
	# permission itself is not part of this rule.
	allow $1 httpd_exec_t:file { read getattr execute_no_trans };
	allow $1 httpd_suexec_exec_t:file getattr;

	# httpd runtime and temporary files. The temporary files are writable
	# by the calling domain.
	allow $1 httpd_var_run_t:file { read getattr };
	allow $1 httpd_tmp_t:file { read write };

	# Sockets and pipes owned by httpd_t -- presumably descriptors the
	# script inherits from the server; verify against audit records
	# before widening or narrowing these sets.
	allow $1 httpd_t:fifo_file { write read };
	allow $1 httpd_t:unix_stream_socket { ioctl getattr read write };
	allow $1 httpd_t:udp_socket { read write };
	allow $1 httpd_t:netlink_route_socket { read write };

	# Apache module interfaces applied to the calling domain.
	apache_use_fds($1)
	apache_list_modules($1)
	apache_exec_modules($1)

	# Note the direction: this grant goes to httpd_t, not to the first
	# argument.
	dirsrvadmin_run_httpd_script_exec(httpd_t)
')
########################################
##
## Extend init domain for dirsrv-admin.
## The initscript searches in a config file.
##
##
##
## Domain allowed access.
##
##
#
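interface(`dirsrvadmin_extend_init',`
	# Lets the init script domain read admin server configuration files.
	# NOTE(review): the argument is not used; the rule is always granted
	# to initrc_t.
	#
	# dirsrvadmin_config_t is listed in the require block because the
	# allow rule references it. The other interfaces in this file that
	# use the type require it as well; without the requirement the type
	# can be unresolved when the calling module is built separately.
	gen_require(`
		type initrc_t;
		type dirsrvadmin_config_t;
	')

	# Only the read permission on files is granted; no directory search
	# or getattr is added here.
	allow initrc_t dirsrvadmin_config_t:file read;
')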
########################################
##
## Exec dirsrv-admin programs.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrvadmin_run_exec',`
	gen_require(`
		type dirsrvadmin_exec_t;
	')

	# can_exec runs the programs inside the calling domain; no domain
	# transition is set up by this interface, so the programs run with
	# whatever access the calling domain already holds.
	can_exec($1, dirsrvadmin_exec_t)

	# Search access on directories carrying the same label.
	allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
')
########################################
##
## Exec cgi programs.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrvadmin_run_httpd_script_exec',`
	gen_require(`
		type httpd_dirsrvadmin_script_exec_t;
	')

	# can_exec runs the cgi programs inside the calling domain; no domain
	# transition is set up by this interface.
	can_exec($1, httpd_dirsrvadmin_script_exec_t)

	# Search access on directories carrying the same label.
	allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
')
########################################
##
## Manage cgi programs.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrvadmin_manage_httpd_script_exec',`
	gen_require(`
		type httpd_dirsrvadmin_script_exec_t;
	')

	# Files of this type are executed through can_exec in
	# dirsrvadmin_run_httpd_script_exec. Manage access therefore allows
	# replacing programs that another domain will run, so grant it only
	# to domains trusted to install or update the cgi programs.
	allow $1 httpd_dirsrvadmin_script_exec_t:file manage_file_perms;
	allow $1 httpd_dirsrvadmin_script_exec_t:dir manage_dir_perms;
')
########################################
##
## Read tmp files created by cgi programs.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrvadmin_read_httpd_script_tmpfile',`
	gen_require(`
		type httpd_dirsrvadmin_script_rw_t;
	')

	# Read-only access to files labeled httpd_dirsrvadmin_script_rw_t.
	# No directory access is granted here, so the caller needs search
	# access to the containing directory from elsewhere.
	allow $1 httpd_dirsrvadmin_script_rw_t:file r_file_perms;
')
########################################
##
## Manage tmp files created by cgi programs.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrvadmin_manage_httpd_script_tmpfile',`
	gen_require(`
		type httpd_dirsrvadmin_script_rw_t;
	')

	# Create, modify and delete access to files labeled
	# httpd_dirsrvadmin_script_rw_t. No directory access is granted here.
	allow $1 httpd_dirsrvadmin_script_rw_t:file manage_file_perms;
')
########################################
##
## Read dirsrv-adminserver configuration files.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrvadmin_read_config',`
	gen_require(`
		type dirsrvadmin_config_t;
	')

	# Read-only access to configuration files and to the directories
	# that hold them.
	allow $1 dirsrvadmin_config_t:file r_file_perms;
	allow $1 dirsrvadmin_config_t:dir r_dir_perms;
')
########################################
##
## Manage dirsrv-adminserver configuration files.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrvadmin_manage_config',`
	gen_require(`
		type dirsrvadmin_config_t;
	')

	# Create, modify and delete access to configuration files and
	# directories. A domain holding this can rewrite the admin server
	# configuration; callers that only read it should use
	# dirsrvadmin_read_config instead.
	allow $1 dirsrvadmin_config_t:file manage_file_perms;
	allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
')
########################################
##
## Read and write to the cgi program over a unix stream socket.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrvadmin_script_stream_rw',`
	gen_require(`
		type httpd_dirsrvadmin_script_t;
	')

	# Read and write only: the rule does not grant connectto, so it
	# covers use of an already established socket -- presumably one
	# passed to or inherited by the calling domain; verify against
	# the caller.
	allow $1 httpd_dirsrvadmin_script_t:unix_stream_socket { read write };
')
########################################
##
## Read migration inf file in sysadm home dir.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrvadmin_read_inffile',`
	# NOTE(review): neither branch has a type specific to the inf file.
	# The read grant covers every file carrying the home file label
	# (user_home_t or sysadm_home_t), which is wider than the single
	# migration file this interface is documented for.
	ifdef(`targeted_policy',`
		# Targeted policy: generic user home content.
		# user_home_dir_t is required but not referenced directly by a
		# rule in this branch.
		gen_require(`
			type user_home_t, user_home_dir_t;
		')

		allow $1 user_home_t:file r_file_perms;
		userdom_list_user_home_dirs(user, $1)
	',`
		# Any other policy type: sysadm home content.
		gen_require(`
			type sysadm_home_t;
		')

		allow $1 sysadm_home_t:file r_file_perms;
		userdom_list_sysadm_home_dirs($1)
	')
')