[selinux-policy: 2132/3172] trunk: add sssd from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:09:10 UTC 2010 

commit c017ee17ab3b65bbac7c67bc406b07806de057c1
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Jun 22 15:33:21 2009 +0000

    trunk: add sssd from dan.

 Changelog                       |    1 +
 policy/modules/services/sssd.fc |    6 +
 policy/modules/services/sssd.if |  200 +++++++++++++++++++++++++++++++++++++++
 policy/modules/services/sssd.te |   64 +++++++++++++
 4 files changed, 271 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index 6a80952..0cc52d0 100644
--- a/Changelog
+++ b/Changelog
@@ -29,6 +29,7 @@
 	pingd (Dan Walsh)
 	psad (Dan Walsh)
 	portreserve (Dan Walsh)
+	sssd (Dan Walsh)
 	ulogd (Dan Walsh)
 	webadm (Dan Walsh)
 	xguest (Dan Walsh)
diff --git a/policy/modules/services/sssd.fc b/policy/modules/services/sssd.fc
new file mode 100644
index 0000000..f2b7dbf
--- /dev/null
+++ b/policy/modules/services/sssd.fc
@@ -0,0 +1,6 @@
+/etc/rc.d/init.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+
+/usr/sbin/sssd		--	gen_context(system_u:object_r:sssd_exec_t,s0)
+
+/var/lib/sss(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
new file mode 100644
index 0000000..62d8b99
--- /dev/null
+++ b/policy/modules/services/sssd.if
@@ -0,0 +1,200 @@
+## <summary>System Security Services Daemon</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run sssd.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`sssd_domtrans',`
+	gen_require(`
+		type sssd_t, sssd_exec_t;
+	')
+
+	domtrans_pattern($1, sssd_exec_t, sssd_t)
+')
+
+########################################
+## <summary>
+##	Read sssd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_read_pid_files',`
+	gen_require(`
+		type sssd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 sssd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage sssd var_run files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_manage_pids',`
+	gen_require(`
+		type sssd_var_run_t;
+	')
+
+	manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
+	manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
+')
+
+########################################
+## <summary>
+##	Search sssd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_search_lib',`
+	gen_require(`
+		type sssd_var_lib_t;
+	')
+
+	allow $1 sssd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read sssd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_read_lib_files',`
+	gen_require(`
+		type sssd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	sssd lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_manage_lib_files',`
+	gen_require(`
+		type sssd_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	sssd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_dbus_chat',`
+	gen_require(`
+		type sssd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 sssd_t:dbus send_msg;
+	allow sssd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Connect to sssd over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_stream_connect',`
+	gen_require(`
+		type sssd_t, sssd_var_lib_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an sssd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the sssd domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`sssd_admin',`
+	gen_require(`
+		type sssd_t;
+	')
+
+	allow $1 sssd_t:process { ptrace signal_perms getattr };
+	read_files_pattern($1, sssd_t, sssd_t)
+
+	gen_require(`
+		type sssd_initrc_exec_t;
+	')
+
+	# Allow sssd_t to restart the apache service
+	sssd_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 sssd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	sssd_manage_pids($1)
+
+	sssd_manage_lib_files($1)
+')
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
new file mode 100644
index 0000000..59777c9
--- /dev/null
+++ b/policy/modules/services/sssd.te
@@ -0,0 +1,64 @@
+
+policy_module(sssd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type sssd_t;
+type sssd_exec_t;
+init_daemon_domain(sssd_t, sssd_exec_t)
+
+type sssd_initrc_exec_t;
+init_script_file(sssd_initrc_exec_t)
+
+type sssd_var_lib_t;
+files_type(sssd_var_lib_t)
+
+type sssd_var_run_t;
+files_pid_file(sssd_var_run_t)
+
+########################################
+#
+# sssd local policy
+#
+allow sssd_t self:capability { sys_nice setuid };
+allow sssd_t self:process { setsched signal getsched };
+allow sssd_t self:fifo_file rw_file_perms;
+allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+
+manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
+files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
+
+kernel_read_system_state(sssd_t)
+
+corecmd_exec_bin(sssd_t)
+
+dev_read_urand(sssd_t)
+
+files_list_tmp(sssd_t)
+files_read_etc_files(sssd_t)
+files_read_usr_files(sssd_t)
+
+auth_use_nsswitch(sssd_t)
+auth_domtrans_chk_passwd(sssd_t)
+auth_domtrans_upd_passwd(sssd_t)
+
+init_read_utmp(sssd_t)
+
+logging_send_syslog_msg(sssd_t)
+logging_send_audit_msgs(sssd_t)
+
+miscfiles_read_localization(sssd_t)
+
+optional_policy(`
+	dbus_system_bus_client(sssd_t)
+	dbus_connect_system_bus(sssd_t)
+')

More information about the scm-commits mailing list