[people/stevee/selinux-policy.git] / policy / modules / services / dirsrv.te

policy_module(dirsrv,1.0.0)

########################################
#
# Declarations
#

# main daemon
type dirsrv_t;
type dirsrv_exec_t;
domain_type(dirsrv_t)
init_daemon_domain(dirsrv_t, dirsrv_exec_t)

type dirsrv_snmp_t;
type dirsrv_snmp_exec_t;
domain_type(dirsrv_snmp_t)
init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)

type dirsrv_var_lib_t;
files_type(dirsrv_var_lib_t)

type dirsrv_var_log_t;
logging_log_file(dirsrv_var_log_t)

type dirsrv_snmp_var_log_t;
logging_log_file(dirsrv_snmp_var_log_t)

type dirsrv_var_run_t;
files_pid_file(dirsrv_var_run_t)

type dirsrv_snmp_var_run_t;
files_pid_file(dirsrv_snmp_var_run_t)

type dirsrv_var_lock_t;
files_lock_file(dirsrv_var_lock_t)

type dirsrv_config_t;
files_type(dirsrv_config_t)

type dirsrv_tmp_t;
files_tmp_file(dirsrv_tmp_t)

type dirsrv_tmpfs_t;
files_tmpfs_file(dirsrv_tmpfs_t)

type dirsrv_share_t;
files_type(dirsrv_share_t);

########################################
#
# dirsrv local policy
#
allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
allow dirsrv_t self:fifo_file rw_fifo_file_perms;
allow dirsrv_t self:sem create_sem_perms;
allow dirsrv_t self:tcp_socket create_stream_socket_perms;
allow dirsrv_t self:netlink_route_socket r_netlink_socket_perms;

manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)

manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })

manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
allow dirsrv_t dirsrv_var_log_t:dir { setattr };
logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })

manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })

manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file)
files_setattr_lock_dirs(dirsrv_t)

manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)

manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })

kernel_read_system_state(dirsrv_t)

corecmd_search_bin(dirsrv_t)

corenet_all_recvfrom_unlabeled(dirsrv_t)
corenet_all_recvfrom_netlabel(dirsrv_t)
corenet_tcp_sendrecv_generic_if(dirsrv_t)
corenet_tcp_sendrecv_generic_node(dirsrv_t)
corenet_tcp_sendrecv_all_ports(dirsrv_t)
corenet_tcp_bind_generic_node(dirsrv_t)
corenet_tcp_bind_ldap_port(dirsrv_t)
corenet_tcp_bind_dogtag_port(dirsrv_t)
corenet_tcp_bind_all_rpc_ports(dirsrv_t)
corenet_udp_bind_all_rpc_ports(dirsrv_t)
corenet_tcp_connect_all_ports(dirsrv_t)
corenet_sendrecv_ldap_server_packets(dirsrv_t)
corenet_sendrecv_all_client_packets(dirsrv_t)

dev_read_sysfs(dirsrv_t)
dev_read_urand(dirsrv_t)

files_read_etc_files(dirsrv_t)
files_read_usr_symlinks(dirsrv_t)

fs_getattr_all_fs(dirsrv_t)

auth_use_pam(dirsrv_t)

logging_send_syslog_msg(dirsrv_t)

miscfiles_read_localization(dirsrv_t)

sysnet_dns_name_resolve(dirsrv_t)

optional_policy(`
	apache_dontaudit_leaks(dirsrv_t)
')

optional_policy(`
	dirsrvadmin_read_tmp(dirsrv_t)
')


optional_policy(`
	kerberos_use(dirsrv_t)
')

optional_policy(`
	rpcbind_stream_connect(dirsrv_t)
')

########################################
#
# dirsrv-snmp local policy
#
allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;

rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)

read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)

read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)

manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)

manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)

corenet_tcp_connect_agentx_port(dirsrv_snmp_t)

dev_read_rand(dirsrv_snmp_t)
dev_read_urand(dirsrv_snmp_t)

domain_use_interactive_fds(dirsrv_snmp_t)

#files_manage_var_files(dirsrv_snmp_t)
files_read_etc_files(dirsrv_snmp_t)
files_read_usr_files(dirsrv_snmp_t)

fs_getattr_tmpfs(dirsrv_snmp_t)
fs_search_tmpfs(dirsrv_snmp_t)

miscfiles_read_localization(dirsrv_snmp_t)

sysnet_read_config(dirsrv_snmp_t)
sysnet_dns_name_resolve(dirsrv_snmp_t)

optional_policy(`
	snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
	snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
	snmp_manage_var_lib_dirs(dirsrv_snmp_t)
	snmp_manage_var_lib_files(dirsrv_snmp_t)
	snmp_stream_connect(dirsrv_snmp_t)
')
Commit	Line	Data
97ec2391 DW	1	policy_module(dirsrv,1.0.0)
	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	# main daemon
	9	type dirsrv_t;
	10	type dirsrv_exec_t;
	11	domain_type(dirsrv_t)
	12	init_daemon_domain(dirsrv_t, dirsrv_exec_t)
	13
	14	type dirsrv_snmp_t;
	15	type dirsrv_snmp_exec_t;
	16	domain_type(dirsrv_snmp_t)
	17	init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)
	18
	19	type dirsrv_var_lib_t;
	20	files_type(dirsrv_var_lib_t)
	21
	22	type dirsrv_var_log_t;
	23	logging_log_file(dirsrv_var_log_t)
	24
	25	type dirsrv_snmp_var_log_t;
	26	logging_log_file(dirsrv_snmp_var_log_t)
	27
	28	type dirsrv_var_run_t;
	29	files_pid_file(dirsrv_var_run_t)
	30
	31	type dirsrv_snmp_var_run_t;
	32	files_pid_file(dirsrv_snmp_var_run_t)
	33
	34	type dirsrv_var_lock_t;
	35	files_lock_file(dirsrv_var_lock_t)
	36
	37	type dirsrv_config_t;
	38	files_type(dirsrv_config_t)
	39
	40	type dirsrv_tmp_t;
	41	files_tmp_file(dirsrv_tmp_t)
	42
	43	type dirsrv_tmpfs_t;
	44	files_tmpfs_file(dirsrv_tmpfs_t)
	45
	46	type dirsrv_share_t;
	47	files_type(dirsrv_share_t);
	48
	49	########################################
	50	#
	51	# dirsrv local policy
	52	#
	53	allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
	54	allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
	55	allow dirsrv_t self:fifo_file rw_fifo_file_perms;
	56	allow dirsrv_t self:sem create_sem_perms;
	57	allow dirsrv_t self:tcp_socket create_stream_socket_perms;
556c293a	58	allow dirsrv_t self:netlink_route_socket r_netlink_socket_perms;
97ec2391 DW	59
	60	manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
	61	fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
	62
97ec2391	63	manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
86cfdcd3	64	manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
5c06e11e	65	manage_sock_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
97ec2391 DW	66	files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
97ec2391 DW	67
86cfdcd3	68	manage_dirs_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
97ec2391 DW	69	manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
	70	manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
	71	allow dirsrv_t dirsrv_var_log_t:dir { setattr };
	72	logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
	73
86cfdcd3	74	manage_dirs_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
97ec2391	75	manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
97ec2391	76	manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
86cfdcd3	77	files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file dir sock_file })
97ec2391 DW	78
	79	manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
	80	manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
01dc656c DW	81	files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, file)
01dc656c DW	82	files_setattr_lock_dirs(dirsrv_t)
97ec2391 DW	83
	84	manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
	85	manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
ab75801f	86	manage_lnk_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
97ec2391 DW	87
	88	manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
	89	manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
	90	files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
	91
	92	kernel_read_system_state(dirsrv_t)
	93
43719d22	94	corecmd_search_bin(dirsrv_t)
97ec2391 DW	95
	96	corenet_all_recvfrom_unlabeled(dirsrv_t)
	97	corenet_all_recvfrom_netlabel(dirsrv_t)
	98	corenet_tcp_sendrecv_generic_if(dirsrv_t)
	99	corenet_tcp_sendrecv_generic_node(dirsrv_t)
	100	corenet_tcp_sendrecv_all_ports(dirsrv_t)
a90706ef	101	corenet_tcp_bind_generic_node(dirsrv_t)
97ec2391	102	corenet_tcp_bind_ldap_port(dirsrv_t)
19fa5a91	103	corenet_tcp_bind_dogtag_port(dirsrv_t)
97ec2391 DW	104	corenet_tcp_bind_all_rpc_ports(dirsrv_t)
	105	corenet_udp_bind_all_rpc_ports(dirsrv_t)
	106	corenet_tcp_connect_all_ports(dirsrv_t)
	107	corenet_sendrecv_ldap_server_packets(dirsrv_t)
	108	corenet_sendrecv_all_client_packets(dirsrv_t)
	109
a04426c1	110	dev_read_sysfs(dirsrv_t)
97ec2391 DW	111	dev_read_urand(dirsrv_t)
	112
	113	files_read_etc_files(dirsrv_t)
	114	files_read_usr_symlinks(dirsrv_t)
	115
	116	fs_getattr_all_fs(dirsrv_t)
	117
cfa9fc01 MG	118	auth_use_pam(dirsrv_t)
cfa9fc01 MG	119
8f0266f6 DW	120	logging_send_syslog_msg(dirsrv_t)
8f0266f6 DW	121
97ec2391 DW	122	miscfiles_read_localization(dirsrv_t)
	123
	124	sysnet_dns_name_resolve(dirsrv_t)
	125
ab29591c DW	126	optional_policy(`
	127	apache_dontaudit_leaks(dirsrv_t)
	128	')
	129
d248b945 MG	130	optional_policy(`
	131	dirsrvadmin_read_tmp(dirsrv_t)
	132	')
	133
	134
97ec2391	135	optional_policy(`
ddbed3e6	136	kerberos_use(dirsrv_t)
97ec2391 DW	137	')
97ec2391 DW	138
4b7fe5b4 DW	139	optional_policy(`
	140	rpcbind_stream_connect(dirsrv_t)
	141	')
	142
97ec2391 DW	143	########################################
	144	#
	145	# dirsrv-snmp local policy
	146	#
	147	allow dirsrv_snmp_t self:capability { dac_override dac_read_search };
	148	allow dirsrv_snmp_t self:fifo_file rw_fifo_file_perms;
	149
	150	rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
	151
	152	read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
	153
	154	read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)
	155
	156	manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
	157	files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
	158	search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)
	159
	160	manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
	161	filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)
	162
	163	corenet_tcp_connect_agentx_port(dirsrv_snmp_t)
	164
	165	dev_read_rand(dirsrv_snmp_t)
	166	dev_read_urand(dirsrv_snmp_t)
	167
	168	domain_use_interactive_fds(dirsrv_snmp_t)
	169
	170	#files_manage_var_files(dirsrv_snmp_t)
	171	files_read_etc_files(dirsrv_snmp_t)
	172	files_read_usr_files(dirsrv_snmp_t)
	173
	174	fs_getattr_tmpfs(dirsrv_snmp_t)
	175	fs_search_tmpfs(dirsrv_snmp_t)
	176
	177	miscfiles_read_localization(dirsrv_snmp_t)
	178
	179	sysnet_read_config(dirsrv_snmp_t)
	180	sysnet_dns_name_resolve(dirsrv_snmp_t)
	181
	182	optional_policy(`
	183	snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
	184	snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
263b3246 DW	185	snmp_manage_var_lib_dirs(dirsrv_snmp_t)
263b3246 DW	186	snmp_manage_var_lib_files(dirsrv_snmp_t)
97ec2391 DW	187	snmp_stream_connect(dirsrv_snmp_t)
97ec2391 DW	188	')