## <summary>Administration application for Fedora Directory Server, dirsrv-admin.</summary>

########################################
## <summary>
##	Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain
##	and the system_r role. Strict policy.
## </summary>
## <param name="domain">
##	<summary>
##	Prefix of the domain performing this action.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the domain.
##	</summary>
## </param>
#
interface(`dirsrvadmin_setup_domtrans_strict',`
	gen_require(`
		type dirsrvadmin_t, dirsrvadmin_setup_t, dirsrvadmin_setupexec_t;
		type $1_t, $1_devpts_t;
	')

	domain_auto_trans($1_t, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t)
	allow dirsrvadmin_setup_t $1_t:fd use;
	allow dirsrvadmin_setup_t $1_t:process sigchld;
	allow dirsrvadmin_setup_t $1_devpts_t:chr_file rw_term_perms;
	role $2 types dirsrvadmin_setup_t;
	role system_r types dirsrvadmin_setup_t;
	role_transition $2 dirsrvadmin_setupexec_t system_r;
')

########################################
## <summary>
##	Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain
##	and the system_r role. Targeted policy.
## </summary>
## <param name="domain">
##	<summary>
##	Prefix of the domain performing this action.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the domain.
##	</summary>
## </param>
#
interface(`dirsrvadmin_setup_domtrans_targeted',`
	gen_require(`
		type $1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t;
	')

	domain_auto_trans($1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t)
')

########################################
## <summary>
##	Read setup log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrvadmin_read_setuplog',`
	gen_require(`
		type dirsrvadmin_setuplog_t;
	')

	files_search_tmp($1)
	allow $1 dirsrvadmin_setuplog_t:file r_file_perms;
')

########################################
## <summary>
##	Manage setup log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrvadmin_manage_setuplog',`
	gen_require(`
		type dirsrvadmin_setuplog_t;
	')

	files_search_tmp($1)
	allow $1 dirsrvadmin_setuplog_t:file manage_file_perms;
')

########################################
## <summary>
##	Extend httpd domain for dirsrv-admin.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrvadmin_extend_httpd',`
	gen_require(`
		type httpd_t;
	')

	# Allow httpd domain to interact with dirsrv
	dirsrv_manage_config(httpd_t)
	dirsrv_manage_log(httpd_t)
	dirsrv_manage_var_run(httpd_t)
	dirsrvadmin_manage_setuplog(httpd_t)
	dirsrvadmin_manage_config(httpd_t)
	dirsrv_signal(httpd_t)
	dirsrv_signull(httpd_t)
	dirsrv_run_helper_exec(httpd_t)
	files_exec_usr_files(httpd_t)
	corenet_tcp_bind_generic_port(httpd_t)
	corenet_tcp_connect_generic_port(httpd_t)

	# Strict policy
	ifdef(`strict_policy',`
		userdom_dontaudit_search_sysadm_home_dirs(httpd_t)
	')
')

########################################
## <summary>
##	Extend httpd domain for dirsrv-admin cgi.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrvadmin_script_extend_httpd',`
	gen_require(`
		type httpd_t, httpd_exec_t, httpd_suexec_exec_t, httpd_tmp_t, httpd_var_run_t;
	')

	allow $1 httpd_exec_t:file { read getattr execute_no_trans };
	allow $1 httpd_suexec_exec_t:file getattr;
	allow $1 httpd_tmp_t:file { read write };
	allow $1 httpd_t:udp_socket { read write };
	allow $1 httpd_t:unix_stream_socket { ioctl getattr read write };
	allow $1 httpd_t:netlink_route_socket { read write };
	allow $1 httpd_t:fifo_file { write read };
	allow $1 httpd_var_run_t:file { read getattr };
	apache_list_modules($1)
	apache_exec_modules($1)
	apache_use_fds($1)
	dirsrvadmin_run_httpd_script_exec(httpd_t)
')

########################################
## <summary>
##	Extend init domain for dirsrv-admin.
##	The initscript searches in a config file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrvadmin_extend_init',`
	gen_require(`
		type initrc_t;
	')

	allow initrc_t dirsrvadmin_config_t:file read;
')

########################################
## <summary>
##	Exec dirsrv-admin programs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrvadmin_run_exec',`
	gen_require(`
		type dirsrvadmin_exec_t;
	')

	allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
	can_exec($1,dirsrvadmin_exec_t)
')

########################################
## <summary>
##	Exec cgi programs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrvadmin_run_httpd_script_exec',`
	gen_require(`
		type httpd_dirsrvadmin_script_exec_t;
	')

	allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
	can_exec($1, httpd_dirsrvadmin_script_exec_t)
')

########################################
## <summary>
##	Manage cgi programs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrvadmin_manage_httpd_script_exec',`
	gen_require(`
		type httpd_dirsrvadmin_script_exec_t;
	')

	allow $1 httpd_dirsrvadmin_script_exec_t:dir manage_dir_perms;
	allow $1 httpd_dirsrvadmin_script_exec_t:file manage_file_perms;
')

########################################
## <summary>
##	Read tmp files created by cgi programs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrvadmin_read_httpd_script_tmpfile',`
	gen_require(`
		type httpd_dirsrvadmin_script_rw_t;
	')

	allow $1 httpd_dirsrvadmin_script_rw_t:file r_file_perms;
')

########################################
## <summary>
##	Manage tmp files created by cgi programs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrvadmin_manage_httpd_script_tmpfile',`
	gen_require(`
		type httpd_dirsrvadmin_script_rw_t;
	')

	allow $1 httpd_dirsrvadmin_script_rw_t:file manage_file_perms;
')

########################################
## <summary>
##	Read dirsrv-adminserver configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrvadmin_read_config',`
	gen_require(`
		type dirsrvadmin_config_t;
	')

	allow $1 dirsrvadmin_config_t:dir r_dir_perms;
	allow $1 dirsrvadmin_config_t:file r_file_perms;
')

########################################
## <summary>
##	Manage dirsrv-adminserver configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrvadmin_manage_config',`
	gen_require(`
		type dirsrvadmin_config_t;
	')

	allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
	allow $1 dirsrvadmin_config_t:file manage_file_perms;
')

########################################
## <summary>
##  Read and write to cgi program over an unix stream socket.
## </summary>
## <param name="domain">
##  <summary>
##  Domain allowed access.
##  </summary>
## </param>
#
interface(`dirsrvadmin_script_stream_rw',`
	gen_require(`
		type httpd_dirsrvadmin_script_t;
	')

	allow $1 httpd_dirsrvadmin_script_t:unix_stream_socket { read write };
')

########################################
## <summary>
##	Read migration inf file in sysadm home dir.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrvadmin_read_inffile',`
	ifdef(`targeted_policy',`
		gen_require(`
			type user_home_t, user_home_dir_t;
		')

		userdom_list_user_home_dirs(user, $1)
		allow $1 user_home_t:file r_file_perms;
	',`
		gen_require(`
			type sysadm_home_t;
		')

		userdom_list_sysadm_home_dirs($1)
		allow $1 sysadm_home_t:file r_file_perms;
	')
')