[Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 34, Issue 24
Rich Megginson
rmeggins at redhat.com
Wed Mar 12 19:50:17 UTC 2008
Steve Burt wrote:
> Hi Rich,
>
> Ok so I think I have to create an ldif file
>
> There is a workaround - if the fqdn is host.example.com, you just have to create
> the following entries:
>
> dn: cn=host.example.com, ou=example.com, o=NetscapeRoot
> objectclass: top
> objectclass: nsHost
> objectclass: groupOfUniqueNames
> cn: host.example.com
> nsosversion: output of uname -a on the machine
> nshardwareplatform: arch e.g. i386 or x86_64 or ...
> serverHostName: host.example.com
>
> dn: cn=Server Group, cn=host.example.com, ou=example.com, o=NetscapeRoot
> objectclass: top
> objectclass: nsAdminGroup
> objectclass: nsDirectoryInfo
> objectclass: groupOfUniqueNames
> nsAdminGroupName: Server Group
> nsDirectoryInfoRef: cn=User Directory, ou=Global Preferences, ou=example.com,
> o=NetscapeRoot
>
> Is that correct?
>
Yes, I think so. I think that's what was reported as the workaround in
the bug.
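The two entries of the workaround above, generated by a script. This is an added example, not code from the original thread or from Fedora Directory Server: it takes the FQDN and the admin domain, fills in nsosversion and nshardwareplatform (when run stand-alone it uses platform.uname() as a stand-in for the `uname -a` output the workaround asks for), refuses DN components that contain characters with special meaning in a DN (RFC 4514), and emits RFC 2849 LDIF, base64-encoding any value that is not a safe string, so the output can be passed to ldapmodify unchanged. The function names are mine.

```python
import base64

# Characters that change the structure of a DN if they appear unescaped in an
# RDN value (RFC 4514).  A host name or admin domain containing one of them is
# refused rather than escaped, so the entries land where the operator expects.
DN_SPECIAL = set(',+"\\<>;=')


def check_dn_component(name, value):
    """Raise ValueError unless value is safe to use verbatim as an RDN value."""
    if (not value or value[0] in " #" or value[-1] == " "
            or any(c in DN_SPECIAL for c in value)):
        raise ValueError(f"{name} {value!r} is not safe to use unescaped in a DN")
    return value


def ldif_line(attr, value):
    """Render one attribute per RFC 2849; values that are not SAFE-STRINGs
    (leading space/colon/'<', trailing space, NUL, CR, LF or non-ASCII) are
    emitted base64-encoded with the '::' separator."""
    unsafe = (not value or value[0] in " :<" or value[-1] == " "
              or any(ord(c) > 127 or c in "\x00\r\n" for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def workaround_entries(fqdn, admin_domain, osversion, arch):
    """Return [(dn, [(attr, value), ...]), ...] for the nsHost entry and its
    Server Group, exactly as laid out in the workaround (hypothetical helper)."""
    check_dn_component("fqdn", fqdn)
    check_dn_component("admin_domain", admin_domain)
    host_dn = f"cn={fqdn}, ou={admin_domain}, o=NetscapeRoot"
    host = [
        ("objectclass", "top"),
        ("objectclass", "nsHost"),
        ("objectclass", "groupOfUniqueNames"),
        ("cn", fqdn),
        ("nsosversion", osversion),
        ("nshardwareplatform", arch),
        ("serverHostName", fqdn),
    ]
    group_dn = f"cn=Server Group, {host_dn}"
    group = [
        ("objectclass", "top"),
        ("objectclass", "nsAdminGroup"),
        ("objectclass", "nsDirectoryInfo"),
        ("objectclass", "groupOfUniqueNames"),
        ("nsAdminGroupName", "Server Group"),
        ("nsDirectoryInfoRef",
         f"cn=User Directory, ou=Global Preferences, ou={admin_domain}, o=NetscapeRoot"),
    ]
    return [(host_dn, host), (group_dn, group)]


def to_ldif(entries):
    """Serialize entries as LDIF records separated by a blank line."""
    blocks = []
    for dn, attrs in entries:
        lines = [ldif_line("dn", dn)] + [ldif_line(a, v) for a, v in attrs]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    import platform
    import sys
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "host.example.com"
    domain = sys.argv[2] if len(sys.argv) > 2 else fqdn.split(".", 1)[1]
    u = platform.uname()  # stand-in for `uname -a`; substitute the real output if needed
    print(to_ldif(workaround_entries(fqdn, domain, " ".join(u), u.machine)), end="")
```

Run it as `python3 gen_nsroot.py host.example.com example.com | ldapmodify -a -x -D "cn=Directory Manager" -W -h <configuration directory host>` against the directory that holds o=NetscapeRoot. The DN check matters because a host name such as `a,ou=b` would otherwise be accepted and create the entries in a different subtree than the one the admin server looks in.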
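Which type a path receives from the file-context fragments in Pär Aronsson's policy post (quoted further down in this digest) is decided by the most specific matching entry, not by the order of the lines. The script below is an added example, not part of that post or of the policy: it parses the `pattern [type-flag] gen_context(...)` form of a few lines copied from the post, honours the `--` flag (regular files only), and, following the ordering libselinux applies to file_contexts, prefers the match with the longest literal prefix and, at equal length, an entry without regex metacharacters. The function names and the simplified specificity rule are mine.

```python
import re

# File-context lines copied from the dirsrv and dirsrv-admin .fc fragments in
# the post.  gen_context(...) is expanded the way the refpolicy build does,
# keeping the MLS field (s0).
SAMPLE_FC = """
/usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
/etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
/var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
/usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
/usr/lib/dirsrv(/slapd-.*)? gen_context(system_u:object_r:dirsrv_helper_exec_t,s0)
/etc/dirsrv(/slapd-.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)
/var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
"""

# file_contexts type flags; an entry without a flag applies to every file type
FILE_TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "chr",
                   "-b": "blk", "-s": "sock", "-p": "fifo"}
META = set(".[(*?+{^$|\\")


def literal_prefix(pattern):
    """Characters before the first regex metacharacter."""
    out = []
    for ch in pattern:
        if ch in META:
            break
        out.append(ch)
    return "".join(out)


def parse_fc(text):
    """Parse file_contexts lines into spec dicts (hypothetical helper)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        pattern = parts[0]
        ftype = FILE_TYPE_FLAGS[parts[1]] if len(parts) == 3 else None
        ctx = parts[-1]
        m = re.fullmatch(r"gen_context\(([^,]+),(\w+)\)", ctx)
        if m:
            ctx = m.group(1) + ":" + m.group(2)
        specs.append({
            "pattern": pattern,
            "regex": re.compile(pattern),   # file_contexts regexes are anchored at both ends
            "ftype": ftype,
            "context": ctx,
            "prefix": len(literal_prefix(pattern)),
            "meta": any(c in META for c in pattern),
        })
    return specs


def lookup(specs, path, ftype="file"):
    """Return the context of the most specific matching spec, or None."""
    best = None
    for s in specs:
        if s["ftype"] not in (None, ftype):
            continue
        if not s["regex"].fullmatch(path):
            continue
        key = (s["prefix"], 0 if s["meta"] else 1)  # longer prefix wins, then literal beats regex
        if best is None or key > best[0]:
            best = (key, s["context"])
    return None if best is None else best[1]


SPECS = parse_fc(SAMPLE_FC)

if __name__ == "__main__":
    for p in ("/usr/sbin/ns-slapd", "/var/run/dirsrv/admin-serv.pid",
              "/var/run/dirsrv/slapd-example.pid", "/etc/dirsrv/admin-serv/adm.conf"):
        print(p, "->", lookup(SPECS, p))
```

The interesting case is the overlap between `/var/run/dirsrv/admin-serv.*` and `/var/run/dirsrv(/.*)?`: the admin server's pid file gets httpd_var_run_t because its entry has the longer literal prefix, while files of an slapd instance under the same directory get dirsrv_var_run_t. After the module is installed, `matchpathcon <path>` on the host gives the authoritative answer to compare against.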
> On 12/03/2008, fedora-directory-users-request at redhat.com
> <fedora-directory-users-request at redhat.com> wrote:
>
>>
>> Today's Topics:
>>
>> 1. SELinux policy for Fedora Directory Server 1.1.0 (Pär Aronsson)
>> 2. Problems in adding a second server into a new (Steve Burt)
>> 3. Re: Problems in adding a second server into a new (Rich Megginson)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Tue, 11 Mar 2008 17:34:09 +0100
>> From: Pär Aronsson <par.aronsson at telia.com>
>> Subject: [Fedora-directory-users] SELinux policy for Fedora Directory
>> Server 1.1.0
>> To: selinux at tycho.nsa.gov, fedora-directory-users at redhat.com
>> Message-ID: <200803111734.10289.par.aronsson at telia.com>
>> Content-Type: text/plain; charset="utf-8"
>>
>> Hello,
>>
>> Attached is a SELinux policy for the Fedora Directory Server 1.1.0.
>> It is composed of three parts.
>> * dirsrv - directory server and setup programs
>> * dirsrv-admin - administration server and setup programs
>> * fedora-idm-console - java based console for administration
>>
>> The policies were developed on a CentOS 5.1 with the following packages:
>> fedora-ds-base-1.1.0-3.fc6
>> fedora-ds-admin-1.1.1-1.fc6
>> fedora-ds-console-1.1.0-5.fc6
>> selinux-policy-2.4.6-106.el5_1.3
>> kernel-2.6.18-53.1.4.el5
>>
>> I've successfully tested the policies in targeted and strict mode.
>>
>> The dirsrv-admin policy requires that the apache policy module is loaded.
>> Also run:
>> setsebool -P httpd_enable_cgi on
>>
>> Comment out the following in /usr/sbin/start-ds-admin (line 63-65):
>> if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
>> SELINUX_CMD="runcon -t unconfined_t --"
>> fi
>>
>> I had trouble with the replication plugin so I haven't been able to do any
>> testing with replication.
>>
>> Any comments are welcome.
>>
>> // Pär Aronsson
>> -------------- next part --------------
>> ## <summary>Administration application for Fedora Directory Server, dirsrv-admin.</summary>
>>
>> ########################################
>> ## <summary>
>> ## Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain
>> ## and the system_r role. Strict policy.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Prefix of the domain performing this action.
>> ## </summary>
>> ## </param>
>> ## <param name="role">
>> ## <summary>
>> ## The role to allow the domain.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_setup_domtrans_strict',`
>> gen_require(`
>> type dirsrvadmin_t, dirsrvadmin_setup_t, dirsrvadmin_setupexec_t;
>> type $1_t, $1_devpts_t;
>> ')
>>
>> domain_auto_trans($1_t, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t)
>> allow dirsrvadmin_setup_t $1_t:fd use;
>> allow dirsrvadmin_setup_t $1_t:process sigchld;
>> allow dirsrvadmin_setup_t $1_devpts_t:chr_file rw_term_perms;
>> role $2 types dirsrvadmin_setup_t;
>> role system_r types dirsrvadmin_setup_t;
>> role_transition $2 dirsrvadmin_setupexec_t system_r;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain
>> ## and the system_r role. Targeted policy.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Prefix of the domain performing this action.
>> ## </summary>
>> ## </param>
>> ## <param name="role">
>> ## <summary>
>> ## The role to allow the domain.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_setup_domtrans_targeted',`
>> gen_require(`
>> type $1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t;
>> ')
>>
>> domain_auto_trans($1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t)
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Read setup log files.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_read_setuplog',`
>> gen_require(`
>> type dirsrvadmin_setuplog_t;
>> ')
>>
>> files_search_tmp($1)
>> allow $1 dirsrvadmin_setuplog_t:file r_file_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Manage setup log files.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_manage_setuplog',`
>> gen_require(`
>> type dirsrvadmin_setuplog_t;
>> ')
>>
>> files_search_tmp($1)
>> allow $1 dirsrvadmin_setuplog_t:file manage_file_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Extend httpd domain for dirsrv-admin.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_extend_httpd',`
>> gen_require(`
>> type httpd_t;
>> ')
>>
>> # Allow httpd domain to interact with dirsrv
>> dirsrv_manage_config(httpd_t)
>> dirsrv_manage_log(httpd_t)
>> dirsrv_manage_var_run(httpd_t)
>> dirsrvadmin_manage_setuplog(httpd_t)
>> dirsrvadmin_manage_config(httpd_t)
>> dirsrv_signal(httpd_t)
>> dirsrv_signull(httpd_t)
>> dirsrv_run_helper_exec(httpd_t)
>> files_exec_usr_files(httpd_t)
>> corenet_tcp_bind_generic_port(httpd_t)
>> corenet_tcp_connect_generic_port(httpd_t)
>>
>> # Strict policy
>> ifdef(`strict_policy',`
>> userdom_dontaudit_search_sysadm_home_dirs(httpd_t)
>> ')
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Extend httpd domain for dirsrv-admin cgi.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_script_extend_httpd',`
>> gen_require(`
>> type httpd_t, httpd_exec_t, httpd_suexec_exec_t, httpd_tmp_t, httpd_var_run_t;
>> ')
>>
>> allow $1 httpd_exec_t:file { read getattr execute_no_trans };
>> allow $1 httpd_suexec_exec_t:file getattr;
>> allow $1 httpd_tmp_t:file { read write };
>> allow $1 httpd_t:udp_socket { read write };
>> allow $1 httpd_t:unix_stream_socket { ioctl getattr read write };
>> allow $1 httpd_t:netlink_route_socket { read write };
>> allow $1 httpd_t:fifo_file { write read };
>> allow $1 httpd_var_run_t:file { read getattr };
>> apache_list_modules($1)
>> apache_exec_modules($1)
>> apache_use_fds($1)
>> dirsrvadmin_run_httpd_script_exec(httpd_t)
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Extend init domain for dirsrv-admin.
>> ## The initscript searches in a config file.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_extend_init',`
>> gen_require(`
>> type initrc_t, dirsrvadmin_config_t;
>> ')
>>
>> allow initrc_t dirsrvadmin_config_t:file read;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Exec dirsrv-admin programs.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_run_exec',`
>> gen_require(`
>> type dirsrvadmin_exec_t;
>> ')
>>
>> allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
>> can_exec($1,dirsrvadmin_exec_t)
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Exec cgi programs.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_run_httpd_script_exec',`
>> gen_require(`
>> type httpd_dirsrvadmin_script_exec_t;
>> ')
>>
>> allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
>> can_exec($1, httpd_dirsrvadmin_script_exec_t)
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Manage cgi programs.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_manage_httpd_script_exec',`
>> gen_require(`
>> type httpd_dirsrvadmin_script_exec_t;
>> ')
>>
>> allow $1 httpd_dirsrvadmin_script_exec_t:dir manage_dir_perms;
>> allow $1 httpd_dirsrvadmin_script_exec_t:file manage_file_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Read tmp files created by cgi programs.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_read_httpd_script_tmpfile',`
>> gen_require(`
>> type httpd_dirsrvadmin_script_rw_t;
>> ')
>>
>> allow $1 httpd_dirsrvadmin_script_rw_t:file r_file_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Manage tmp files created by cgi programs.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_manage_httpd_script_tmpfile',`
>> gen_require(`
>> type httpd_dirsrvadmin_script_rw_t;
>> ')
>>
>> allow $1 httpd_dirsrvadmin_script_rw_t:file manage_file_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Read dirsrv-adminserver configuration files.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_read_config',`
>> gen_require(`
>> type dirsrvadmin_config_t;
>> ')
>>
>> allow $1 dirsrvadmin_config_t:dir r_dir_perms;
>> allow $1 dirsrvadmin_config_t:file r_file_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Manage dirsrv-adminserver configuration files.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_manage_config',`
>> gen_require(`
>> type dirsrvadmin_config_t;
>> ')
>>
>> allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
>> allow $1 dirsrvadmin_config_t:file manage_file_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Read and write to cgi program over an unix stream socket.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_script_stream_rw',`
>> gen_require(`
>> type httpd_dirsrvadmin_script_t;
>> ')
>>
>> allow $1 httpd_dirsrvadmin_script_t:unix_stream_socket { read write };
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Read migration inf file in sysadm home dir.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrvadmin_read_inffile',`
>> ifdef(`targeted_policy',`
>> gen_require(`
>> type user_home_t, user_home_dir_t;
>> ')
>>
>> userdom_list_user_home_dirs(user, $1)
>> allow $1 user_home_t:file r_file_perms;
>> ',`
>> gen_require(`
>> type sysadm_home_t;
>> ')
>>
>> userdom_list_sysadm_home_dirs($1)
>> allow $1 sysadm_home_t:file r_file_perms;
>> ')
>> ')
>>
>> -------------- next part --------------
>> # Start script for daemon (domain entry point)
>> /usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
>> /usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
>> /usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
>> # Configuration
>> /etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
>> # Log dir
>> /var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
>> # Pid
>> /var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0)
>> # cgi
>> /usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
>> # Setup applications
>> /usr/sbin/migrate-ds-admin.pl -- gen_context(system_u:object_r:dirsrvadmin_setupexec_t,s0)
>> /usr/sbin/setup-ds-admin.pl -- gen_context(system_u:object_r:dirsrvadmin_setupexec_t,s0)
>> -------------- next part --------------
>> # Daemon (domain entry point)
>> /usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
>> # Setup applications
>> /usr/sbin/migrate-ds.pl -- gen_context(system_u:object_r:dirsrv_setupexec_t,s0)
>> /usr/sbin/setup-ds.pl -- gen_context(system_u:object_r:dirsrv_setupexec_t,s0)
>> # Helper scripts
>> /usr/lib/dirsrv(/slapd-.*)? gen_context(system_u:object_r:dirsrv_helper_exec_t,s0)
>> # Configuration
>> /etc/dirsrv(/slapd-.*)? gen_context(system_u:object_r:dirsrv_config_t,s0)
>> # Db files
>> /var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_db_t,s0)
>> # Lock files
>> /var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_lock_t,s0)
>> # Log files
>> /var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_log_t,s0)
>> # var_run
>> /var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0)
>> -------------- next part --------------
>> ## <summary>Fedora Directory server, dirsrv</summary>
>>
>> ########################################
>> ## <summary>
>> ## Execute dirsrv programs in the dirsrv_t domain.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## The type of the process performing this action.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_domtrans',`
>> gen_require(`
>> type dirsrv_t, dirsrv_exec_t;
>> ')
>>
>> allow $1 dirsrv_t:process signull;
>> domain_auto_trans($1, dirsrv_exec_t, dirsrv_t)
>> allow dirsrv_t $1:fd use;
>> allow dirsrv_t $1:fifo_file rw_file_perms;
>> allow dirsrv_t $1:process sigchld;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Execute dirsrv setup programs in the dirsrv_setup_t domain
>> ## and the system_r role. Strict policy.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Prefix of the domain performing this action.
>> ## </summary>
>> ## </param>
>> ## <param name="role">
>> ## <summary>
>> ## The role to allow the domain.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_setup_domtrans_strict',`
>> gen_require(`
>> type dirsrv_t, dirsrv_setup_t, dirsrv_setupexec_t;
>> type $1_t, $1_devpts_t;
>> ')
>>
>> domain_auto_trans($1_t, dirsrv_setupexec_t, dirsrv_setup_t)
>> allow dirsrv_setup_t $1_t:fd use;
>> allow dirsrv_setup_t $1_t:process sigchld;
>> allow dirsrv_setup_t $1_devpts_t:chr_file rw_term_perms;
>> role $2 types dirsrv_setup_t;
>> role system_r types dirsrv_setup_t;
>> role_transition $2 dirsrv_setupexec_t system_r;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Execute dirsrv setup programs in the dirsrv_setup_t domain
>> ## and the system_r role. Targeted policy.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Prefix of the domain performing this action.
>> ## </summary>
>> ## </param>
>> ## <param name="role">
>> ## <summary>
>> ## The role to allow the domain.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_setup_domtrans_targeted',`
>> gen_require(`
>> type dirsrv_setupexec_t, dirsrv_setup_t;
>> ')
>>
>> domain_auto_trans($1, dirsrv_setupexec_t, dirsrv_setup_t)
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Extend httpd domain for dirsrv.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_extend_httpd',`
>> gen_require(`
>> type httpd_t, httpd_tmp_t;
>> ')
>>
>> allow $1 httpd_t:fifo_file { write read };
>> allow $1 httpd_t:unix_stream_socket { ioctl getattr read write };
>> allow $1 httpd_tmp_t:file { read write };
>> apache_use_fds($1)
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Read setup log files.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_read_setuplog',`
>> gen_require(`
>> type dirsrv_setuplog_t;
>> ')
>>
>> files_search_tmp($1)
>> allow $1 dirsrv_setuplog_t:file r_file_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Read the contents of Directory server
>> ## database directories.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_list_db',`
>> gen_require(`
>> type dirsrv_db_t;
>> ')
>>
>> allow $1 dirsrv_db_t:dir r_dir_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Manage the contents of Directory server
>> ## database directories.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_manage_db',`
>> gen_require(`
>> type dirsrv_db_t;
>> ')
>>
>> allow $1 dirsrv_db_t:dir manage_dir_perms;
>> allow $1 dirsrv_db_t:file manage_file_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Read Directory server configuration files.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_read_config',`
>> gen_require(`
>> type dirsrv_config_t;
>> ')
>>
>> allow $1 dirsrv_config_t:dir r_dir_perms;
>> allow $1 dirsrv_config_t:file r_file_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Manage Directory server configuration files.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_manage_config',`
>> gen_require(`
>> type dirsrv_config_t;
>> ')
>>
>> allow $1 dirsrv_config_t:dir manage_dir_perms;
>> allow $1 dirsrv_config_t:file manage_file_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Read Directory server log files.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_list_log',`
>> gen_require(`
>> type dirsrv_log_t;
>> ')
>>
>> allow $1 dirsrv_log_t:dir r_dir_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Manage Directory server log files.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_manage_log',`
>> gen_require(`
>> type dirsrv_log_t;
>> ')
>>
>> allow $1 dirsrv_log_t:dir manage_dir_perms;
>> allow $1 dirsrv_log_t:file manage_file_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Read Directory server lock files.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_list_lock',`
>> gen_require(`
>> type dirsrv_lock_t;
>> ')
>>
>> allow $1 dirsrv_lock_t:dir r_dir_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Manage Directory server lock files.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_manage_lock',`
>> gen_require(`
>> type dirsrv_lock_t;
>> ')
>>
>> allow $1 dirsrv_lock_t:dir manage_dir_perms;
>> allow $1 dirsrv_lock_t:file manage_file_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Read Directory server var_run files.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_list_var_run',`
>> gen_require(`
>> type dirsrv_var_run_t;
>> ')
>>
>> allow $1 dirsrv_var_run_t:dir r_dir_perms;
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Manage Directory server var_run files.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_manage_var_run',`
>> gen_require(`
>> type dirsrv_var_run_t;
>> ')
>>
>> allow $1 dirsrv_var_run_t:dir manage_dir_perms;
>> allow $1 dirsrv_var_run_t:file manage_file_perms;
>> allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
>> # Allow creating a dir in /var/run with this type
>> files_pid_filetrans($1, dirsrv_var_run_t, dir)
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Exec Directory server helper programs.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_run_helper_exec',`
>> gen_require(`
>> type dirsrv_helper_exec_t;
>> ')
>>
>> allow $1 dirsrv_helper_exec_t:dir search_dir_perms;
>> can_exec($1,dirsrv_helper_exec_t)
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Manage Directory server helper programs.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_manage_helper_exec',`
>> gen_require(`
>> type dirsrv_helper_exec_t;
>> ')
>>
>> allow $1 dirsrv_helper_exec_t:dir manage_dir_perms;
>> allow $1 dirsrv_helper_exec_t:file { manage_file_perms rw_file_perms };
>> ')
>>
>> ########################################
>> ## <summary>
>> ## Allow caller to signal dirsrv.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain to not audit.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_signal',`
>> gen_require(`
>> type dirsrv_t;
>> ')
>>
>> allow $1 dirsrv_t:process signal;
>> ')
>>
>>
>> ########################################
>> ## <summary>
>> ## Send a null signal to dirsrv.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`dirsrv_signull',`
>> gen_require(`
>> type dirsrv_t;
>> ')
>>
>> allow $1 dirsrv_t:process signull;
>> ')
>> -------------- next part --------------
>> policy_module(dirsrv,1.0.0)
>>
>> ########################################
>> #
>> # Declarations for daemon
>> #
>>
>> ## Create domain for daemon
>> type dirsrv_t;
>> domain_type(dirsrv_t)
>>
>> ## Type for the daemon
>> type dirsrv_exec_t;
>> files_type(dirsrv_exec_t)
>> # Start from initrc
>> init_domain(dirsrv_t, dirsrv_exec_t)
>> init_daemon_domain(dirsrv_t, dirsrv_exec_t)
>> role system_r types dirsrv_t;
>>
>> ## Type for helper programs
>> type dirsrv_helper_exec_t;
>> files_type(dirsrv_helper_exec_t)
>>
>> ## Type for configuration files
>> type dirsrv_config_t;
>> files_config_file(dirsrv_config_t)
>>
>> ## Type for db files
>> type dirsrv_db_t;
>> files_type(dirsrv_db_t)
>>
>> ## Type for lock files
>> type dirsrv_lock_t;
>> files_lock_file(dirsrv_lock_t)
>> files_lock_filetrans(dirsrv_t, dirsrv_lock_t, {file dir})
>>
>> ## Type for log files
>> type dirsrv_log_t;
>> logging_log_file(dirsrv_log_t)
>>
>> ## Type for var_run file
>> type dirsrv_var_run_t;
>> files_pid_file(dirsrv_var_run_t)
>> files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, {file dir})
>>
>> ########################################
>> #
>> # Declarations for setup programs
>> #
>>
>> ## Domain for setup program
>> type dirsrv_setup_t;
>> domain_type(dirsrv_setup_t)
>> role sysadm_r types dirsrv_setup_t;
>>
>> ## Type for setup program
>> type dirsrv_setupexec_t;
>> files_type(dirsrv_setupexec_t)
>> domain_entry_file(dirsrv_setup_t, dirsrv_setupexec_t)
>>
>> ## Type for tmp files setup creates
>> type dirsrv_setuplog_t;
>> files_tmp_file(dirsrv_setuplog_t)
>> files_tmp_filetrans(dirsrv_setup_t, dirsrv_setuplog_t, file)
>> files_tmp_filetrans(dirsrv_t, dirsrv_setuplog_t, file)
>>
>> ########################################
>> #
>> # Local policy for the daemon
>> #
>>
>> ## Executable
>> allow dirsrv_t self:capability { chown dac_override fowner setuid sys_nice setgid };
>> allow dirsrv_t self:process { setsched getsched signull };
>> allow dirsrv_t self:fifo_file { write read };
>> allow dirsrv_t self:sem { create getattr associate unix_read unix_write };
>> ## Config
>> allow dirsrv_t dirsrv_config_t:file { getattr read create_file_perms };
>> allow dirsrv_t dirsrv_config_t:dir create_dir_perms;
>> ## Database files
>> allow dirsrv_t dirsrv_db_t:dir manage_dir_perms;
>> allow dirsrv_t dirsrv_db_t:file manage_file_perms;
>> # Allow search in /var/lib
>> files_list_var_lib(dirsrv_t)
>> ## Manage locks
>> allow dirsrv_t dirsrv_lock_t:dir manage_dir_perms;
>> allow dirsrv_t dirsrv_lock_t:file manage_file_perms;
>> ## Logging
>> allow dirsrv_t dirsrv_log_t:file { create rename setattr manage_file_perms };
>> allow dirsrv_t dirsrv_log_t:dir { setattr rw_dir_perms };
>> allow dirsrv_t self:unix_dgram_socket create_socket_perms;
>> # Allow search in /var/log
>> logging_search_logs(dirsrv_t)
>> ## var_run
>> allow dirsrv_t dirsrv_var_run_t:file manage_file_perms;
>> allow dirsrv_t dirsrv_var_run_t:dir rw_dir_perms;
>> ## Helper programs
>> dirsrv_run_helper_exec(dirsrv_t)
>> ## Setup log
>> dirsrv_read_setuplog(dirsrv_t)
>> dirsrvadmin_read_setuplog(dirsrv_t)
>> ## Files in /tmp, created by setup app
>> allow dirsrv_t dirsrv_setuplog_t:file manage_file_perms;
>>
>> ## When restarted from cgi script the dirsrv need to communicate back
>> dirsrvadmin_script_stream_rw(dirsrv_t)
>> # dirsrv need some permissions that has no interface in the apache policy
>> dirsrv_extend_httpd(dirsrv_t)
>> dirsrvadmin_manage_httpd_script_tmpfile(dirsrv_t)
>>
>> ## Allow networking
>> corenet_tcp_bind_ldap_port(dirsrv_t)
>> corenet_tcp_sendrecv_ldap_port(dirsrv_t)
>> corenet_sendrecv_ldap_server_packets(dirsrv_t)
>> corenet_tcp_bind_unspec_node(dirsrv_t)
>> corenet_tcp_bind_inaddr_any_node(dirsrv_t)
>> kernel_sendrecv_unlabeled_packets(dirsrv_t)
>> allow dirsrv_t self:tcp_socket create_stream_socket_perms;
>> allow dirsrv_t self:udp_socket create_socket_perms;
>>
>> ## Misc interfaces
>> # Access to shared libraries
>> libs_use_ld_so(dirsrv_t)
>> libs_use_shared_libs(dirsrv_t)
>> files_exec_usr_files(dirsrv_t)
>> # Read locale
>> miscfiles_read_localization(dirsrv_t)
>> # Read etc
>> files_read_etc_files(dirsrv_t)
>> sysnet_read_config(dirsrv_t)
>> # Allow using syslog
>> logging_send_syslog_msg(dirsrv_t)
>> # Search sbin
>> corecmd_search_sbin(dirsrv_t)
>> # Allow read urandom
>> dev_read_urand(dirsrv_t)
>> # Allow listing /tmp
>> files_list_tmp(dirsrv_t)
>> # Allow read /usr/tmp
>> files_read_usr_symlinks(dirsrv_t)
>> # Allow stat file system
>> fs_getattr_xattr_fs(dirsrv_t)
>> # Allow read proc
>> kernel_read_system_state(dirsrv_t)
>>
>> # Strict policy
>> ifdef(`strict_policy',`
>> # Daemon search for plugins in cwd
>> userdom_dontaudit_search_sysadm_home_dirs(dirsrv_t)
>> ')
>>
>> # In targeted policy
>> ifdef(`targeted_policy',`
>> files_read_generic_tmp_files(dirsrv_t)
>> userdom_dontaudit_search_generic_user_home_dirs(dirsrv_t)
>> ')
>>
>> ########################################
>> #
>> # Local policy for setup programs
>> #
>>
>> ## Transition into dirsrv domain when running setup
>> # Should be in userdomain
>> ifdef(`strict_policy',`
>> dirsrv_setup_domtrans_strict(sysadm, sysadm_r)
>> ')
>> # A similar policy should be in unconfined
>> ifdef(`targeted_policy',`
>> dirsrv_setup_domtrans_targeted(unconfined_t)
>> ')
>> seutil_use_newrole_fds(dirsrv_setup_t)
>>
>> ## Executable
>> allow dirsrv_setup_t self:capability { sys_nice chown fsetid fowner kill net_bind_service dac_override };
>> allow dirsrv_setup_t self:fifo_file { read write getattr ioctl };
>> allow dirsrv_setup_t self:process { setsched getsched };
>> allow dirsrv_setup_t self:tcp_socket { bind create ioctl };
>>
>> # Start daemon from setup program
>> dirsrv_domtrans(dirsrv_setup_t)
>> ## Manage db dir
>> dirsrv_manage_db(dirsrv_setup_t)
>> ## Manage configuration
>> dirsrv_manage_config(dirsrv_setup_t)
>> ## Manage log dir
>> dirsrv_manage_log(dirsrv_setup_t)
>> ## Manage lock dir
>> dirsrv_manage_lock(dirsrv_setup_t)
>> ## Manage var_run files
>> dirsrv_manage_var_run(dirsrv_setup_t)
>> ## Manage helper programs
>> dirsrv_manage_helper_exec(dirsrv_setup_t)
>> dirsrv_run_helper_exec(dirsrv_setup_t)
>> ## Files in /tmp
>> allow dirsrv_setup_t dirsrv_setuplog_t:file manage_file_perms;
>>
>> ## Networking
>> # Connect server using ldap
>> corenet_tcp_bind_inaddr_any_node(dirsrv_setup_t)
>> corenet_tcp_bind_ldap_port(dirsrv_setup_t)
>>
>> ## Misc interfaces
>> # Access to shared libraries
>> libs_use_ld_so(dirsrv_setup_t)
>> libs_use_shared_libs(dirsrv_setup_t)
>> # Read locale
>> miscfiles_read_localization(dirsrv_setup_t)
>> # mtab
>> files_dontaudit_read_etc_runtime_files(dirsrv_setup_t)
>> # Execute
>> corecmd_exec_bin(dirsrv_setup_t)
>> corecmd_exec_sbin(dirsrv_setup_t)
>> corecmd_exec_shell(dirsrv_setup_t)
>> # Read /usr/share
>> files_read_usr_files(dirsrv_setup_t)
>> # Allow read urandom
>> dev_read_urand(dirsrv_setup_t)
>> # Read proc
>> kernel_read_net_sysctls(dirsrv_setup_t)
>> kernel_read_sysctl(dirsrv_setup_t)
>> kernel_read_system_state(dirsrv_setup_t)
>> kernel_search_network_sysctl(dirsrv_setup_t)
>> # Stat shadow
>> auth_read_shadow(dirsrv_setup_t)
>> # Exec nsswitch.conf
>> files_exec_etc_files(dirsrv_setup_t)
>> # Find dirsrv dirs
>> files_search_locks(dirsrv_setup_t)
>> files_search_var_lib(dirsrv_setup_t)
>> logging_search_logs(dirsrv_setup_t)
>> # Allow stat file system
>> fs_getattr_xattr_fs(dirsrv_setup_t)
>> sysnet_read_config(dirsrv_setup_t)
>> term_search_ptys(dirsrv_setup_t)
>>
>> optional_policy(`
>> nscd_read_pid(dirsrv_setup_t)
>> ')
>>
>> # Strict policy
>> ifdef(`strict_policy',`
>> # Read cwd (/root)
>> userdom_list_sysadm_home_dirs(dirsrv_setup_t)
>> ')
>>
>> # In targeted policy
>> ifdef(`targeted_policy',`
>> term_use_generic_ptys(dirsrv_setup_t)
>> # Read cwd (/root)
>> userdom_list_user_home_dirs(user,dirsrv_setup_t)
>> userdom_search_generic_user_home_dirs(dirsrv_setup_t)
>> ')
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: dirsrv-admin.te
>> Type: text/x-java
>> Size: 8756 bytes
>> Desc: not available
>> Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20080311/b721a4c9/dirsrv-admin.bin
>> -------------- next part --------------
>> policy_module(fedora-idm-console,1.0.0)
>>
>> ########################################
>> #
>> # Declarations
>> #
>>
>> type fedora-idm-console_t;
>> domain_type(fedora-idm-console_t)
>>
>> ########################################
>> #
>> # Local policy
>> #
>>
>> # In strict policy we need to extend the java domain
>> ifdef(`strict_policy',`
>> fedoraidmconsole_extend_java(user)
>> ## Misc interfaces
>> # Access to shared libraries
>> libs_use_ld_so(fedora-idm-console_t)
>> libs_use_shared_libs(fedora-idm-console_t)
>> # Read locale
>> miscfiles_read_localization(fedora-idm-console_t)
>> ')
>> -------------- next part --------------
>> ## <summary>Java based fedora-idm-console</summary>
>>
>> ########################################
>> ## <summary>
>> ## Extend java domain for fedora-idm-console.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Prefix of domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`fedoraidmconsole_extend_java',`
>> gen_require(`
>> type $1_javaplugin_t;
>> type $1_t, $1_xserver_tmp_t, $1_gconf_home_t, $1_home_ssh_t, $1_mozilla_home_t;
>> ')
>>
>> allow $1_javaplugin_t $1_t:process sigchld;
>> allow $1_t $1_javaplugin_t:process { signal ptrace };
>> allow $1_javaplugin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
>> allow $1_javaplugin_t self:tcp_socket { accept listen };
>> allow $1_javaplugin_t $1_xserver_tmp_t:dir search;
>> allow $1_javaplugin_t $1_xserver_tmp_t:sock_file write;
>> dirsrv_list_db($1_javaplugin_t)
>> corecmd_exec_bin($1_javaplugin_t)
>> corenet_tcp_bind_inaddr_any_node($1_javaplugin_t)
>> files_read_var_files($1_javaplugin_t)
>>
>> # Sun java check out some dirs, there is probably more than this
>> dontaudit $1_javaplugin_t $1_gconf_home_t:dir getattr;
>> dontaudit $1_javaplugin_t $1_home_ssh_t:dir getattr;
>> dontaudit $1_javaplugin_t $1_mozilla_home_t:dir getattr;
>> ')
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Wed, 12 Mar 2008 11:44:32 +0000
>> From: "Steve Burt" <burt.s.e at gmail.com>
>> Subject: [Fedora-directory-users] Problems in adding a second server
>> into a new
>> To: fedora-directory-users at redhat.com
>> Message-ID:
>> <dbef0ac20803120444s12cbfbb1o526ff972ddba65b6 at mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Greetings Folks
>>
>> I am very new to Fedora-DS and have I think Successfully installed a
>> Directory Server and a server group with an admin server and 1
>> Directory Server.
>>
>> My Aim is to Install a second directory server, I think this is
>> basically running the setup-ds-admin.pl on the second server...
>>
>> Could anyone help..
>>
>> Yours Humbly
>>
>> Steve
>>
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Wed, 12 Mar 2008 07:52:09 -0600
>> From: Rich Megginson <rmeggins at redhat.com>
>> Subject: Re: [Fedora-directory-users] Problems in adding a second
>> server into a new
>> To: "General discussion list for the Fedora Directory server project."
>> <fedora-directory-users at redhat.com>
>> Message-ID: <47D7E009.9060605 at redhat.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Steve Burt wrote:
>> > Greetings Folks
>> >
>> > I am very new to Fedora-DS and have I think Successfully installed a
>> > Directory Server and a server group with an admin server and 1
>> > Directory Server.
>> >
>> > My Aim is to Install a second directory server, I think this is
>> > basically running the setup-ds-admin.pl on the second server...
>> >
>> Yes. But read about this bug first -
>> https://bugzilla.redhat.com/show_bug.cgi?id=431103
>> > Could anyone help..
>> >
>> > Yours Humbly
>> >
>> > Steve
>> >
>> > --
>> > Fedora-directory-users mailing list
>> > Fedora-directory-users at redhat.com
>> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>> >
>>
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: smime.p7s
>> Type: application/x-pkcs7-signature
>> Size: 3245 bytes
>> Desc: S/MIME Cryptographic Signature
>> Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20080312/c35d1379/smime.bin
>>
>> ------------------------------
>>
>>
>>
>>
>> End of Fedora-directory-users Digest, Vol 34, Issue 24
>> ******************************************************
>>
>>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20080312/0f0786a1/attachment.bin>
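The digest above quotes reference-policy (.te) fragments for dirsrv_setup_t and the fedora-idm-console domain, including grants such as auth_read_shadow and process ptrace that a reviewer would want to see before loading a module. The following is an added example, not code from the mailing list, its posters, or the Fedora Directory Server project: a small Python parser for this refpolicy syntax that records which domain each interface call or allow rule applies to, which ifdef/optional_policy block it sits in, and then flags the sensitive grants. The sample input is constructed from the shapes of the quoted fragments; the SENSITIVE_INTERFACES and SENSITIVE_PERMS lists are the reviewer's own assumptions, not anything from the page.

```python
"""Parse SELinux refpolicy (.te) fragments and report what each domain is granted.

Added example; not code from the mailing list or the Fedora DS project.
Handles the constructs seen in the quoted fragments: interface calls,
ifdef/optional_policy/interface/gen_require blocks, allow/dontaudit rules.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input mirroring the shapes of the quoted policy lines.
SAMPLE_TE = """\
# Stat shadow
auth_read_shadow(dirsrv_setup_t)
files_search_var_lib(dirsrv_setup_t)

optional_policy(`
nscd_read_pid(dirsrv_setup_t)
')

ifdef(`strict_policy',`
userdom_list_sysadm_home_dirs(dirsrv_setup_t)
')

ifdef(`targeted_policy',`
term_use_generic_ptys(dirsrv_setup_t)
userdom_list_user_home_dirs(user,dirsrv_setup_t)
')

allow $1_t $1_javaplugin_t:process { signal ptrace };
dontaudit $1_javaplugin_t $1_gconf_home_t:dir getattr;
"""

# name(arg, arg)            -> interface call; last argument is the subject domain
CALL_RE = re.compile(r"^([A-Za-z_]\w*)\(([^()]*)\)\s*$")
# allow src tgt:class { perms };  or  allow src tgt:class perm;
AV_RE = re.compile(
    r"^(allow|dontaudit|auditallow|neverallow)\s+(\S+)\s+(\S+):(\w+)\s+(\{[^}]*\}|\w+)\s*;$"
)
# ifdef(`cond',`   optional_policy(`   interface(`name',`   gen_require(`
BLOCK_OPEN_RE = re.compile(
    r"^(ifdef|optional_policy|tunable_policy|interface|template|gen_require)"
    r"\(\s*(?:`([^']*)'\s*,\s*)?`\s*$"
)
BLOCK_CLOSE_RE = re.compile(r"^'\)\s*$")
NON_GRANT_CALLS = {"policy_module"}  # header macro, not a permission grant


@dataclass
class Grant:
    kind: str       # "interface" or the AV rule keyword (allow, dontaudit, ...)
    source: str     # domain the grant applies to
    detail: str     # interface name, or "target:class perm perm"
    condition: str  # "" when unconditional, else e.g. "ifdef(strict_policy)"


def parse_te(text: str) -> list[Grant]:
    """Return every grant in the fragment together with its enclosing block."""
    grants: list[Grant] = []
    stack: list[str] = []  # open blocks, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (also the "## <summary>" doc lines)
        m = BLOCK_OPEN_RE.match(line)
        if m:
            stack.append(f"{m.group(1)}({m.group(2) or ''})")
            continue
        if BLOCK_CLOSE_RE.match(line):
            if stack:
                stack.pop()
            continue
        cond = "/".join(stack)
        m = AV_RE.match(line)
        if m:
            kind, src, tgt, cls, perms = m.groups()
            plist = sorted(perms.strip("{} ").split())
            grants.append(Grant(kind, src, f"{tgt}:{cls} {' '.join(plist)}", cond))
            continue
        m = CALL_RE.match(line)
        if m and m.group(1) not in NON_GRANT_CALLS:
            name, args = m.groups()
            argv = [a.strip() for a in args.split(",") if a.strip()]
            # refpolicy convention: the subject domain is the final argument,
            # e.g. userdom_list_user_home_dirs(user, dirsrv_setup_t).
            grants.append(Grant("interface", argv[-1] if argv else "", name, cond))
        # anything else (type declarations, require lists) is not a grant
    return grants


# Reviewer's assumptions about which grants deserve a second look.
SENSITIVE_INTERFACES = {
    "auth_read_shadow": "reads /etc/shadow",
    "corecmd_exec_shell": "can execute a shell",
    "files_exec_etc_files": "executes files under /etc",
    "corenet_tcp_bind_inaddr_any_node": "binds TCP on any address",
}
SENSITIVE_PERMS = {"ptrace", "setuid", "sys_admin", "sys_ptrace", "execmem"}


def review(grants: list[Grant]) -> list[tuple[str, str, str, str]]:
    """Return (domain, grant, reason, condition) for each sensitive grant."""
    findings = []
    for g in grants:
        if g.kind == "interface" and g.detail in SENSITIVE_INTERFACES:
            findings.append((g.source, g.detail, SENSITIVE_INTERFACES[g.detail], g.condition))
        elif g.kind == "allow":
            hit = set(g.detail.split()[1:]) & SENSITIVE_PERMS
            if hit:
                findings.append((g.source, g.detail, "grants " + ",".join(sorted(hit)), g.condition))
    return findings


if __name__ == "__main__":
    for domain, grant, reason, cond in review(parse_te(SAMPLE_TE)):
        print(f"{domain}: {grant} ({reason}){' [' + cond + ']' if cond else ''}")
```

Run against a real module, the report lists each sensitive grant with the ifdef or optional_policy branch it lives in, which is what matters when the same .te is built for both the strict and targeted policies: a grant that only appears under ifdef(`targeted_policy') will not show up in the strict build, and vice versa.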