policy_module(likewise, 1.1.1)

#################################
#
# Declarations
#

# Attribute shared by the Likewise daemon domains. The only rule in this file
# that uses it is the lwsmd_t signal rule in the Service Manager section.
attribute likewise_domains;

# Likewise configuration files (managed by lsassd_t and netlogond_t below).
type likewise_etc_t;
files_config_file(likewise_etc_t)

type likewise_initrc_exec_t;
init_script_file(likewise_initrc_exec_t)

# Directory the per-daemon unix sockets live in; every stream_connect_pattern
# below names it as the socket's parent directory type.
type likewise_var_lib_t;
files_type(likewise_var_lib_t)

type likewise_pstore_lock_t;
files_lock_file(likewise_pstore_lock_t)

# Kerberos/AD data readable by lsassd_t and lwiod_t.
type likewise_krb5_ad_t;
files_type(likewise_krb5_ad_t)

# One domain per daemon. likewise_domain_template() is defined outside this
# file (presumably likewise.if); judging by the rules below it is assumed to
# declare <name>_t, <name>_exec_t, <name>_var_socket_t and <name>_var_lib_t
# and to add <name>_t to likewise_domains -- confirm against the interface.
likewise_domain_template(dcerpcd)

likewise_domain_template(eventlogd)

likewise_domain_template(lsassd)

type lsassd_tmp_t;
files_tmp_file(lsassd_tmp_t)

likewise_domain_template(lwiod)

likewise_domain_template(lwregd)

likewise_domain_template(lwsmd)

likewise_domain_template(netlogond)

likewise_domain_template(srvsvcd)

#################################
#
# Likewise dcerpcd personal policy
#

stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)

# dcerpcd is the only domain here that binds the epmap port (TCP and UDP);
# the other daemons only connect to it.
corenet_all_recvfrom_netlabel(dcerpcd_t)
corenet_all_recvfrom_unlabeled(dcerpcd_t)
corenet_sendrecv_generic_client_packets(dcerpcd_t)
corenet_sendrecv_generic_server_packets(dcerpcd_t)
corenet_tcp_sendrecv_generic_if(dcerpcd_t)
corenet_tcp_sendrecv_generic_node(dcerpcd_t)
corenet_tcp_sendrecv_generic_port(dcerpcd_t)
corenet_tcp_bind_generic_node(dcerpcd_t)
corenet_tcp_bind_epmap_port(dcerpcd_t)
corenet_tcp_connect_generic_port(dcerpcd_t)
corenet_udp_bind_generic_node(dcerpcd_t)
corenet_udp_bind_epmap_port(dcerpcd_t)
corenet_udp_sendrecv_generic_if(dcerpcd_t)
corenet_udp_sendrecv_generic_node(dcerpcd_t)
corenet_udp_sendrecv_generic_port(dcerpcd_t)

#################################
#
# Likewise Auditing and Logging service policy
#

stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)

# No specific port is granted: eventlogd_t may bind generic nodes but gets
# no *_bind_*_port rule in this file.
corenet_all_recvfrom_netlabel(eventlogd_t)
corenet_all_recvfrom_unlabeled(eventlogd_t)
corenet_sendrecv_generic_server_packets(eventlogd_t)
corenet_tcp_sendrecv_generic_if(eventlogd_t)
corenet_tcp_sendrecv_generic_node(eventlogd_t)
corenet_tcp_sendrecv_generic_port(eventlogd_t)
corenet_tcp_bind_generic_node(eventlogd_t)
corenet_udp_bind_generic_node(eventlogd_t)
corenet_udp_sendrecv_generic_if(eventlogd_t)
corenet_udp_sendrecv_generic_node(eventlogd_t)
corenet_udp_sendrecv_generic_port(eventlogd_t)

#################################
#
# Likewise Authentication service local policy
#

# lsassd_t is by far the most privileged domain in this module (file
# ownership/DAC bypass, /etc writes, shell execution, home-directory
# creation, semanage). Review changes to this section with care.
#
# dac_override bypasses DAC permission bits; fowner/chown/fsetid allow acting
# on files owned by other users; sys_time allows setting the system clock
# (presumably for Kerberos clock-skew handling -- confirm).
allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time };
allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;

allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
allow lsassd_t netlogond_var_lib_t:file read_file_perms;

manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t)

manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t)
files_tmp_filetrans(lsassd_t, lsassd_tmp_t, file)

# lsassd talks to every other daemon except lwsmd and srvsvcd.
stream_connect_pattern(lsassd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
stream_connect_pattern(lsassd_t, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
stream_connect_pattern(lsassd_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)

kernel_read_system_state(lsassd_t)
kernel_getattr_proc_files(lsassd_t)
kernel_list_all_proc(lsassd_t)
kernel_list_proc(lsassd_t)

# Executes generic binaries and shells; the reason is not visible here.
corecmd_exec_bin(lsassd_t)
corecmd_exec_shell(lsassd_t)

# Client-only networking: connects to the epmap port, binds nothing specific.
corenet_all_recvfrom_netlabel(lsassd_t)
corenet_all_recvfrom_unlabeled(lsassd_t)
corenet_tcp_sendrecv_generic_if(lsassd_t)
corenet_tcp_sendrecv_generic_node(lsassd_t)
corenet_tcp_sendrecv_generic_port(lsassd_t)
corenet_tcp_bind_generic_node(lsassd_t)
corenet_tcp_connect_epmap_port(lsassd_t)
corenet_tcp_sendrecv_epmap_port(lsassd_t)

# Exempts lsassd_t from the refpolicy constraint on changing the SELinux user
# identity of objects -- consistent with it creating files for other users.
domain_obj_id_change_exemption(lsassd_t)

# Writes system-wide /etc files (not just likewise_etc_t). Presumably needed
# for nsswitch/pam configuration -- verify which files are actually touched.
files_manage_etc_files(lsassd_t)
files_manage_etc_symlinks(lsassd_t)
files_manage_etc_runtime_files(lsassd_t)
files_relabelto_home(lsassd_t)

selinux_get_fs_mount(lsassd_t)
selinux_validate_context(lsassd_t)

# seutil_run_semanage lets lsassd_t run semanage in its own domain, i.e.
# change SELinux policy configuration (presumably user/login mappings for
# directory users -- confirm). This is the broadest grant in the module.
seutil_read_config(lsassd_t)
seutil_read_default_contexts(lsassd_t)
seutil_read_file_contexts(lsassd_t)
seutil_run_semanage(lsassd_t, system_r)

sysnet_use_ldap(lsassd_t)
sysnet_read_config(lsassd_t)

# Home-directory creation and content management for users it authenticates.
userdom_home_filetrans_user_home_dir(lsassd_t)
userdom_manage_user_home_content_files(lsassd_t)

optional_policy(`
	kerberos_rw_keytab(lsassd_t)
	kerberos_use(lsassd_t)
')

#################################
#
# Likewise I/O service local policy
#

# Same file-ownership/DAC capabilities as lsassd_t, minus sys_time.
allow lwiod_t self:capability { fowner chown fsetid dac_override };
allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;

allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
allow lwiod_t netlogond_var_lib_t:file read_file_perms;

stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)

# Both SMB server (bind smbd port) and SMB client (connect smbd port).
corenet_all_recvfrom_netlabel(lwiod_t)
corenet_all_recvfrom_unlabeled(lwiod_t)
corenet_sendrecv_smbd_server_packets(lwiod_t)
corenet_sendrecv_smbd_client_packets(lwiod_t)
corenet_tcp_sendrecv_generic_if(lwiod_t)
corenet_tcp_sendrecv_generic_node(lwiod_t)
corenet_tcp_sendrecv_generic_port(lwiod_t)
corenet_tcp_bind_generic_node(lwiod_t)
corenet_tcp_bind_smbd_port(lwiod_t)
corenet_tcp_connect_smbd_port(lwiod_t)

sysnet_read_config(lwiod_t)

optional_policy(`
	kerberos_rw_config(lwiod_t)
	kerberos_use(lwiod_t)
')

#################################
#
# Likewise Service Manager service local policy
#

# lwsmd may signal any domain carrying likewise_domains.
allow lwsmd_t likewise_domains:process signal;

# lwsmd starts each daemon via a domain transition on its _exec_t type;
# lwsmd_t itself gets no network or capability rules in this file.
domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t)
domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t)
domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t)
domtrans_pattern(lwsmd_t, lwiod_exec_t, lwiod_t)
domtrans_pattern(lwsmd_t, lwregd_exec_t, lwregd_t)
domtrans_pattern(lwsmd_t, netlogond_exec_t, netlogond_t)
domtrans_pattern(lwsmd_t, srvsvcd_exec_t, srvsvcd_t)

stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)

#################################
#
# Likewise DC location service local policy
#

# Only dac_override here; no file-ownership capabilities.
allow netlogond_t self:capability dac_override;

manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)

stream_connect_pattern(netlogond_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)

# DC discovery: DNS lookups and LDAP; no direct corenet port rules.
sysnet_dns_name_resolve(netlogond_t)
sysnet_use_ldap(netlogond_t)

#################################
#
# Likewise Srv service local policy
#

# Search-only on the config directory, unlike lsassd_t/netlogond_t which
# manage files there.
allow srvsvcd_t likewise_etc_t:dir search_dir_perms;

stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)

# Generic server networking without a named port.
corenet_all_recvfrom_netlabel(srvsvcd_t)
corenet_all_recvfrom_unlabeled(srvsvcd_t)
corenet_sendrecv_generic_server_packets(srvsvcd_t)
corenet_tcp_sendrecv_generic_if(srvsvcd_t)
corenet_tcp_sendrecv_generic_node(srvsvcd_t)
corenet_tcp_sendrecv_generic_port(srvsvcd_t)
corenet_tcp_bind_generic_node(srvsvcd_t)

optional_policy(`
	kerberos_use(srvsvcd_t)
')