## <summary>Fedora Directory server, dirsrv</summary>

########################################
## <summary>
##	Execute dirsrv programs in the dirsrv_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`dirsrv_domtrans',`
	gen_require(`
		type dirsrv_t, dirsrv_exec_t;
	')

	# The caller may send the null signal to the server process.
	allow $1 dirsrv_t:process signull;

	# Executing a dirsrv_exec_t file moves the caller into dirsrv_t.
	domain_auto_trans($1, dirsrv_exec_t, dirsrv_t)

	# The new dirsrv_t process may use descriptors and pipes that belong
	# to the caller and may send it sigchld.
	allow dirsrv_t $1:fd use;
	allow dirsrv_t $1:fifo_file rw_file_perms;
	allow dirsrv_t $1:process sigchld;
')

########################################
## <summary>
##	Execute dirsrv setup programs in the dirsrv_setup_t domain
##	and the system_r role. Strict policy.
## </summary>
## <param name="prefix">
##	<summary>
##	Prefix of the domain performing this action. The interface
##	appends _t and _devpts_t to it to name the caller domain
##	and its terminal type.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the domain.
##	</summary>
## </param>
#
interface(`dirsrv_setup_domtrans_strict',`
	# NOTE(review): dirsrv_t is listed in the require block below but no
	# rule in this interface references it.
	gen_require(`
		type dirsrv_t, dirsrv_setup_t, dirsrv_setupexec_t;
		type $1_t, $1_devpts_t;
	')

	# Executing a dirsrv_setupexec_t file moves the caller into dirsrv_setup_t.
	domain_auto_trans($1_t, dirsrv_setupexec_t, dirsrv_setup_t)

	# The setup process may use caller descriptors, signal the caller on
	# exit and read and write the caller terminal.
	allow dirsrv_setup_t $1_t:fd use;
	allow dirsrv_setup_t $1_t:process sigchld;
	allow dirsrv_setup_t $1_devpts_t:chr_file rw_term_perms;

	# Argument 2 is authorised for dirsrv_setup_t, and a process in that
	# role changes role to system_r when it executes a dirsrv_setupexec_t
	# file. Because this is a path into system_r, callers should be limited
	# to administrative roles.
	role $2 types dirsrv_setup_t;
	role_transition $2 dirsrv_setupexec_t system_r;
')

########################################
## <summary>
##	Execute dirsrv setup programs in the dirsrv_setup_t domain
##	and the system_r role. Targeted policy.
## </summary>
## <param name="domain">
##	<summary>
##	Domain performing this action. Unlike the strict variant, the
##	rules below use this argument as a complete type name, not as
##	a prefix.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the domain. Not referenced by any rule in
##	this interface.
##	</summary>
## </param>
#
interface(`dirsrv_setup_domtrans_targeted',`
	gen_require(`
		type dirsrv_setupexec_t, dirsrv_setup_t;
	')

	# Only the domain transition is set up here; no role or role_transition
	# rule is emitted, so the system_r part of the summary is not enforced
	# by this interface itself.
	domain_auto_trans($1, dirsrv_setupexec_t, dirsrv_setup_t)
')

########################################
## <summary>
##	Extend httpd domain for dirsrv. The rules grant the specified
##	domain access to pipes, unix stream sockets and temporary files
##	that belong to httpd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_extend_httpd',`
	gen_require(`
		type httpd_t, httpd_tmp_t;
	')

	# Every rule below has argument 1 as the source and an httpd type as
	# the target, so the access flows from the calling domain to httpd
	# objects and not the other way round.
	allow $1 httpd_t:fifo_file { write read };
	allow $1 httpd_t:unix_stream_socket { ioctl getattr read write };

	# Read and write access to httpd temporary files. No open or create
	# permission is listed, so this presumably covers inherited
	# descriptors only; confirm against the callers.
	allow $1 httpd_tmp_t:file { read write };

	# NOTE(review): apache_use_fds is defined outside this file;
	# presumably it allows use of descriptors owned by httpd.
	apache_use_fds($1)
')

########################################
## <summary>
##	Read setup log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_read_setuplog',`
	gen_require(`
		type dirsrv_setuplog_t;
	')

	# NOTE(review): files_search_tmp is defined outside this file;
	# presumably the setup logs live under the tmp directory, which the
	# caller must be able to search to reach them.
	files_search_tmp($1)
	allow $1 dirsrv_setuplog_t:file r_file_perms;
')

########################################
## <summary>
##	Read the contents of Directory server
##	database directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_list_db',`
	gen_require(`
		type dirsrv_db_t;
	')

	# Directory class only: the caller can list entries but this interface
	# grants nothing on the files inside.
	allow $1 dirsrv_db_t:dir r_dir_perms;
')

########################################
## <summary>
##	Manage the contents of Directory server
##	database directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_manage_db',`
	gen_require(`
		type dirsrv_db_t;
	')

	# NOTE(review): presumably dirsrv_db_t labels the directory database,
	# which would include stored credentials; confirm against the file
	# contexts and keep the list of calling domains short.
	allow $1 dirsrv_db_t:dir manage_dir_perms;
	allow $1 dirsrv_db_t:file manage_file_perms;
')

########################################
## <summary>
##	Read Directory server configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_read_config',`
	gen_require(`
		type dirsrv_config_t;
	')

	# Read-only access to the configuration directories and the files in
	# them.
	allow $1 dirsrv_config_t:dir r_dir_perms;
	allow $1 dirsrv_config_t:file r_file_perms;
')

########################################
## <summary>
##	Manage Directory server configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_manage_config',`
	gen_require(`
		type dirsrv_config_t;
	')

	# A domain that can rewrite the server configuration can change how
	# the server behaves, so treat callers of this interface as
	# administrative.
	allow $1 dirsrv_config_t:dir manage_dir_perms;
	allow $1 dirsrv_config_t:file manage_file_perms;
')

########################################
## <summary>
##	List Directory server log directories. Access to the log
##	files themselves is not granted by this interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_list_log',`
	gen_require(`
		type dirsrv_log_t;
	')

	# Directory class only; there is no rule for the file class here.
	allow $1 dirsrv_log_t:dir r_dir_perms;
')

########################################
## <summary>
##	Manage Directory server log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_manage_log',`
	gen_require(`
		type dirsrv_log_t;
	')

	# Manage rights on log files allow a caller to alter or remove audit
	# evidence, so grant this only where log rotation or administration
	# needs it.
	allow $1 dirsrv_log_t:dir manage_dir_perms;
	allow $1 dirsrv_log_t:file manage_file_perms;
')

########################################
## <summary>
##	List Directory server lock directories. Access to the lock
##	files themselves is not granted by this interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_list_lock',`
	gen_require(`
		type dirsrv_lock_t;
	')

	# Directory class only; there is no rule for the file class here.
	allow $1 dirsrv_lock_t:dir r_dir_perms;
')

########################################
## <summary>
##	Manage Directory server lock files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_manage_lock',`
	gen_require(`
		type dirsrv_lock_t;
	')

	allow $1 dirsrv_lock_t:dir manage_dir_perms;
	allow $1 dirsrv_lock_t:file manage_file_perms;
')

########################################
## <summary>
##	List Directory server var_run directories. Access to the
##	files themselves is not granted by this interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_list_var_run',`
	gen_require(`
		type dirsrv_var_run_t;
	')

	# Directory class only; there is no rule for the file class here.
	allow $1 dirsrv_var_run_t:dir r_dir_perms;
')

########################################
## <summary>
##	Manage Directory server var_run files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_manage_var_run',`
	gen_require(`
		type dirsrv_var_run_t;
	')

	# Full management of the runtime directories, regular files and
	# socket files carrying this type.
	allow $1 dirsrv_var_run_t:dir manage_dir_perms;
	allow $1 dirsrv_var_run_t:file manage_file_perms;
	allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
	# Allow creating a dir in /var/run with this type
	files_pid_filetrans($1, dirsrv_var_run_t, dir)
')

########################################
## <summary>
##	Exec Directory server helper programs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_run_helper_exec',`
	gen_require(`
		type dirsrv_helper_exec_t;
	')

	allow $1 dirsrv_helper_exec_t:dir search_dir_perms;

	# No domain transition is declared in this interface, so the helper
	# presumably runs with the privileges of the calling domain.
	can_exec($1,dirsrv_helper_exec_t)
')

########################################
## <summary>
##	Manage Directory server helper programs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_manage_helper_exec',`
	gen_require(`
		type dirsrv_helper_exec_t;
	')

	# Write access to an executable type lets the caller replace programs
	# that other domains run through dirsrv_run_helper_exec, so this
	# interface belongs only in trusted installer or administrator domains.
	allow $1 dirsrv_helper_exec_t:dir manage_dir_perms;

	# NOTE(review): rw_file_perms is presumably a subset of
	# manage_file_perms and therefore redundant here; confirm against the
	# permission set definitions.
	allow $1 dirsrv_helper_exec_t:file { manage_file_perms rw_file_perms };
')

########################################
## <summary>
##	Allow caller to signal dirsrv.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_signal',`
	gen_require(`
		type dirsrv_t;
	')

	# This is an allow rule, not a dontaudit rule: the caller gains the
	# signal permission on dirsrv_t processes.
	allow $1 dirsrv_t:process signal;
')

########################################
## <summary>
##	Send a null signal to dirsrv.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_signull',`
	gen_require(`
		type dirsrv_t;
	')

	# Only the signull permission is granted by this interface.
	allow $1 dirsrv_t:process signull;
')