## Fedora Directory server, dirsrv
########################################
##
## Execute dirsrv programs in the dirsrv_t domain.
##
##
##
## The type of the process performing this action.
##
##
#
interface(`dirsrv_domtrans',`
gen_require(`
type dirsrv_t, dirsrv_exec_t;
')
allow $1 dirsrv_t:process signull;
domain_auto_trans($1, dirsrv_exec_t, dirsrv_t)
allow dirsrv_t $1:fd use;
allow dirsrv_t $1:fifo_file rw_file_perms;
allow dirsrv_t $1:process sigchld;
')
########################################
##
## Execute dirsrv setup programs in the dirsrv_setup_t domain
## and the system_r role. Strict policy.
##
##
##
## Prefix of the domain performing this action.
##
##
##
##
## The role to allow the domain.
##
##
#
interface(`dirsrv_setup_domtrans_strict',`
gen_require(`
type dirsrv_t, dirsrv_setup_t, dirsrv_setupexec_t;
type $1_t, $1_devpts_t;
')
domain_auto_trans($1_t, dirsrv_setupexec_t, dirsrv_setup_t)
allow dirsrv_setup_t $1_t:fd use;
allow dirsrv_setup_t $1_t:process sigchld;
allow dirsrv_setup_t $1_devpts_t:chr_file rw_term_perms;
role $2 types dirsrv_setup_t;
role_transition $2 dirsrv_setupexec_t system_r;
')
########################################
##
## Execute dirsrv setup programs in the dirsrv_setup_t domain
## and the system_r role. Targeted policy.
##
##
##
## Prefix of the domain performing this action.
##
##
##
##
## The role to allow the domain.
##
##
#
interface(`dirsrv_setup_domtrans_targeted',`
gen_require(`
type dirsrv_setupexec_t, dirsrv_setup_t;
')
domain_auto_trans($1, dirsrv_setupexec_t, dirsrv_setup_t)
')
########################################
##
## Extend httpd domain for dirsrv.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrv_extend_httpd',`
gen_require(`
type httpd_t, httpd_tmp_t;
')
allow $1 httpd_t:fifo_file { write read };
allow $1 httpd_t:unix_stream_socket { ioctl getattr read write };
allow $1 httpd_tmp_t:file { read write };
apache_use_fds($1)
')
########################################
##
## Read setup log files.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrv_read_setuplog',`
gen_require(`
type dirsrv_setuplog_t;
')
files_search_tmp($1)
allow $1 dirsrv_setuplog_t:file r_file_perms;
')
########################################
##
## Read the contents of Directory server
## database directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrv_list_db',`
gen_require(`
type dirsrv_db_t;
')
allow $1 dirsrv_db_t:dir r_dir_perms;
')
########################################
##
## Manage the contents of Directory server
## database directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrv_manage_db',`
gen_require(`
type dirsrv_db_t;
')
allow $1 dirsrv_db_t:dir manage_dir_perms;
allow $1 dirsrv_db_t:file manage_file_perms;
')
########################################
##
## Read Directory server configuration files.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrv_read_config',`
gen_require(`
type dirsrv_config_t;
')
allow $1 dirsrv_config_t:dir r_dir_perms;
allow $1 dirsrv_config_t:file r_file_perms;
')
########################################
##
## Manage Directory server configuration files.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrv_manage_config',`
gen_require(`
type dirsrv_config_t;
')
allow $1 dirsrv_config_t:dir manage_dir_perms;
allow $1 dirsrv_config_t:file manage_file_perms;
')
########################################
##
## Read Directory server log files.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrv_list_log',`
gen_require(`
type dirsrv_log_t;
')
allow $1 dirsrv_log_t:dir r_dir_perms;
')
########################################
##
## Manage Directory server log files.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrv_manage_log',`
gen_require(`
type dirsrv_log_t;
')
allow $1 dirsrv_log_t:dir manage_dir_perms;
allow $1 dirsrv_log_t:file manage_file_perms;
')
########################################
##
## Read Directory server lock files.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrv_list_lock',`
gen_require(`
type dirsrv_lock_t;
')
allow $1 dirsrv_lock_t:dir r_dir_perms;
')
########################################
##
## Manage Directory server lock files.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrv_manage_lock',`
gen_require(`
type dirsrv_lock_t;
')
allow $1 dirsrv_lock_t:dir manage_dir_perms;
allow $1 dirsrv_lock_t:file manage_file_perms;
')
########################################
##
## Read Directory server var_run files.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrv_list_var_run',`
gen_require(`
type dirsrv_var_run_t;
')
allow $1 dirsrv_var_run_t:dir r_dir_perms;
')
########################################
##
## Manage Directory server var_run files.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrv_manage_var_run',`
gen_require(`
type dirsrv_var_run_t;
')
allow $1 dirsrv_var_run_t:dir manage_dir_perms;
allow $1 dirsrv_var_run_t:file manage_file_perms;
allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
# Allow creating a dir in /var/run with this type
files_pid_filetrans($1, dirsrv_var_run_t, dir)
')
########################################
##
## Exec Directory server helper programs.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrv_run_helper_exec',`
gen_require(`
type dirsrv_helper_exec_t;
')
allow $1 dirsrv_helper_exec_t:dir search_dir_perms;
can_exec($1,dirsrv_helper_exec_t)
')
########################################
##
## Manage Directory server helper programs.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrv_manage_helper_exec',`
gen_require(`
type dirsrv_helper_exec_t;
')
allow $1 dirsrv_helper_exec_t:dir manage_dir_perms;
allow $1 dirsrv_helper_exec_t:file { manage_file_perms rw_file_perms };
')
########################################
##
## Allow caller to signal dirsrv.
##
##
##
## Domain to not audit.
##
##
#
interface(`dirsrv_signal',`
gen_require(`
type dirsrv_t;
')
allow $1 dirsrv_t:process signal;
')
########################################
##
## Send a null signal to dirsrv.
##
##
##
## Domain allowed access.
##
##
#
interface(`dirsrv_signull',`
gen_require(`
type dirsrv_t;
')
allow $1 dirsrv_t:process signull;
')