[people/stevee/selinux-policy.git] / policy / modules / services / likewise.te

policy_module(likewise, 1.1.1)

#################################
#
# Declarations
#

attribute likewise_domains;

type likewise_etc_t;
files_config_file(likewise_etc_t)

type likewise_initrc_exec_t;
init_script_file(likewise_initrc_exec_t)

type likewise_var_lib_t;
files_type(likewise_var_lib_t)

type likewise_pstore_lock_t;
files_lock_file(likewise_pstore_lock_t)

type likewise_krb5_ad_t;
files_type(likewise_krb5_ad_t)

likewise_domain_template(dcerpcd)

likewise_domain_template(eventlogd)

likewise_domain_template(lsassd)

type lsassd_tmp_t;
files_tmp_file(lsassd_tmp_t)

likewise_domain_template(lwiod)

likewise_domain_template(lwregd)

likewise_domain_template(lwsmd)

likewise_domain_template(netlogond)

likewise_domain_template(srvsvcd)

#################################
#
# Likewise dcerpcd personal policy
#

stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)

corenet_all_recvfrom_netlabel(dcerpcd_t)
corenet_all_recvfrom_unlabeled(dcerpcd_t)
corenet_sendrecv_generic_client_packets(dcerpcd_t)
corenet_sendrecv_generic_server_packets(dcerpcd_t)
corenet_tcp_sendrecv_generic_if(dcerpcd_t)
corenet_tcp_sendrecv_generic_node(dcerpcd_t)
corenet_tcp_sendrecv_generic_port(dcerpcd_t)
corenet_tcp_bind_generic_node(dcerpcd_t)
corenet_tcp_bind_epmap_port(dcerpcd_t)
corenet_tcp_connect_generic_port(dcerpcd_t)
corenet_udp_bind_generic_node(dcerpcd_t)
corenet_udp_bind_epmap_port(dcerpcd_t)
corenet_udp_sendrecv_generic_if(dcerpcd_t)
corenet_udp_sendrecv_generic_node(dcerpcd_t)
corenet_udp_sendrecv_generic_port(dcerpcd_t)

#################################
#
# Likewise Auditing and Logging service policy
#

stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)

corenet_all_recvfrom_netlabel(eventlogd_t)
corenet_all_recvfrom_unlabeled(eventlogd_t)
corenet_sendrecv_generic_server_packets(eventlogd_t)
corenet_tcp_sendrecv_generic_if(eventlogd_t)
corenet_tcp_sendrecv_generic_node(eventlogd_t)
corenet_tcp_sendrecv_generic_port(eventlogd_t)
corenet_tcp_bind_generic_node(eventlogd_t)
corenet_udp_bind_generic_node(eventlogd_t)
corenet_udp_sendrecv_generic_if(eventlogd_t)
corenet_udp_sendrecv_generic_node(eventlogd_t)
corenet_udp_sendrecv_generic_port(eventlogd_t)

#################################
#
# Likewise Authentication service local policy
#

allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time };
allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;

allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
allow lsassd_t netlogond_var_lib_t:file read_file_perms;

manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t)

manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t)
files_tmp_filetrans(lsassd_t, lsassd_tmp_t, file)

stream_connect_pattern(lsassd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
stream_connect_pattern(lsassd_t, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
stream_connect_pattern(lsassd_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)

kernel_read_system_state(lsassd_t)
kernel_getattr_proc_files(lsassd_t)
kernel_list_all_proc(lsassd_t)
kernel_list_proc(lsassd_t)

corecmd_exec_bin(lsassd_t)
corecmd_exec_shell(lsassd_t)

corenet_all_recvfrom_netlabel(lsassd_t)
corenet_all_recvfrom_unlabeled(lsassd_t)
corenet_tcp_sendrecv_generic_if(lsassd_t)
corenet_tcp_sendrecv_generic_node(lsassd_t)
corenet_tcp_sendrecv_generic_port(lsassd_t)
corenet_tcp_bind_generic_node(lsassd_t)
corenet_tcp_connect_epmap_port(lsassd_t)
corenet_tcp_sendrecv_epmap_port(lsassd_t)

domain_obj_id_change_exemption(lsassd_t)

files_manage_etc_files(lsassd_t)
files_manage_etc_symlinks(lsassd_t)
files_manage_etc_runtime_files(lsassd_t)
files_relabelto_home(lsassd_t)

selinux_get_fs_mount(lsassd_t)
selinux_validate_context(lsassd_t)

seutil_read_config(lsassd_t)
seutil_read_default_contexts(lsassd_t)
seutil_read_file_contexts(lsassd_t)
seutil_run_semanage(lsassd_t, system_r)

sysnet_use_ldap(lsassd_t)
sysnet_read_config(lsassd_t)

userdom_home_filetrans_user_home_dir(lsassd_t)
userdom_manage_user_home_content_files(lsassd_t)

optional_policy(`
	kerberos_rw_keytab(lsassd_t)
	kerberos_use(lsassd_t)
')

#################################
#
# Likewise I/O service local policy
#

allow lwiod_t self:capability { fowner chown fsetid dac_override };
allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;

allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
allow lwiod_t netlogond_var_lib_t:file read_file_perms;

stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)

corenet_all_recvfrom_netlabel(lwiod_t)
corenet_all_recvfrom_unlabeled(lwiod_t)
corenet_sendrecv_smbd_server_packets(lwiod_t)
corenet_sendrecv_smbd_client_packets(lwiod_t)
corenet_tcp_sendrecv_generic_if(lwiod_t)
corenet_tcp_sendrecv_generic_node(lwiod_t)
corenet_tcp_sendrecv_generic_port(lwiod_t)
corenet_tcp_bind_generic_node(lwiod_t)
corenet_tcp_bind_smbd_port(lwiod_t)
corenet_tcp_connect_smbd_port(lwiod_t)

sysnet_read_config(lwiod_t)

optional_policy(`
	kerberos_rw_config(lwiod_t)
	kerberos_use(lwiod_t)
')

#################################
#
# Likewise Service Manager service local policy
#

allow lwsmd_t likewise_domains:process signal;

domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t)
domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t)
domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t)
domtrans_pattern(lwsmd_t, lwiod_exec_t, lwiod_t)
domtrans_pattern(lwsmd_t, lwregd_exec_t, lwregd_t)
domtrans_pattern(lwsmd_t, netlogond_exec_t, netlogond_t)
domtrans_pattern(lwsmd_t, srvsvcd_exec_t, srvsvcd_t)

stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)

#################################
#
# Likewise DC location service local policy
#

allow netlogond_t self:capability dac_override;

manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)

stream_connect_pattern(netlogond_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)

sysnet_dns_name_resolve(netlogond_t)
sysnet_use_ldap(netlogond_t)

#################################
#
# Likewise Srv service local policy
#

allow srvsvcd_t likewise_etc_t:dir search_dir_perms;

stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)

corenet_all_recvfrom_netlabel(srvsvcd_t)
corenet_all_recvfrom_unlabeled(srvsvcd_t)
corenet_sendrecv_generic_server_packets(srvsvcd_t)
corenet_tcp_sendrecv_generic_if(srvsvcd_t)
corenet_tcp_sendrecv_generic_node(srvsvcd_t)
corenet_tcp_sendrecv_generic_port(srvsvcd_t)
corenet_tcp_bind_generic_node(srvsvcd_t)

optional_policy(`
	kerberos_use(srvsvcd_t)
')
Commit	Line	Data
508df21f	1	policy_module(likewise, 1.1.1)
38fc1bd1 DG	2
	3	#################################
	4	#
827060cb	5	# Declarations
38fc1bd1 DG	6	#
	7
	8	attribute likewise_domains;
	9
	10	type likewise_etc_t;
	11	files_config_file(likewise_etc_t)
	12
	13	type likewise_initrc_exec_t;
	14	init_script_file(likewise_initrc_exec_t)
	15
	16	type likewise_var_lib_t;
	17	files_type(likewise_var_lib_t)
	18
	19	type likewise_pstore_lock_t;
f673c046	20	files_lock_file(likewise_pstore_lock_t)
38fc1bd1 DG	21
	22	type likewise_krb5_ad_t;
	23	files_type(likewise_krb5_ad_t)
	24
38fc1bd1 DG	25	likewise_domain_template(dcerpcd)
38fc1bd1 DG	26
38fc1bd1 DG	27	likewise_domain_template(eventlogd)
38fc1bd1 DG	28
38fc1bd1 DG	29	likewise_domain_template(lsassd)
	30
	31	type lsassd_tmp_t;
	32	files_tmp_file(lsassd_tmp_t)
	33
38fc1bd1 DG	34	likewise_domain_template(lwiod)
38fc1bd1 DG	35
38fc1bd1 DG	36	likewise_domain_template(lwregd)
38fc1bd1 DG	37
38fc1bd1 DG	38	likewise_domain_template(lwsmd)
38fc1bd1 DG	39
38fc1bd1 DG	40	likewise_domain_template(netlogond)
38fc1bd1 DG	41
38fc1bd1 DG	42	likewise_domain_template(srvsvcd)
38fc1bd1 DG	43
38fc1bd1 DG	44	#################################
	45	#
	46	# Likewise dcerpcd personal policy
	47	#
	48
	49	stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
	50
	51	corenet_all_recvfrom_netlabel(dcerpcd_t)
	52	corenet_all_recvfrom_unlabeled(dcerpcd_t)
	53	corenet_sendrecv_generic_client_packets(dcerpcd_t)
	54	corenet_sendrecv_generic_server_packets(dcerpcd_t)
	55	corenet_tcp_sendrecv_generic_if(dcerpcd_t)
	56	corenet_tcp_sendrecv_generic_node(dcerpcd_t)
	57	corenet_tcp_sendrecv_generic_port(dcerpcd_t)
	58	corenet_tcp_bind_generic_node(dcerpcd_t)
	59	corenet_tcp_bind_epmap_port(dcerpcd_t)
	60	corenet_tcp_connect_generic_port(dcerpcd_t)
	61	corenet_udp_bind_generic_node(dcerpcd_t)
	62	corenet_udp_bind_epmap_port(dcerpcd_t)
	63	corenet_udp_sendrecv_generic_if(dcerpcd_t)
	64	corenet_udp_sendrecv_generic_node(dcerpcd_t)
	65	corenet_udp_sendrecv_generic_port(dcerpcd_t)
	66
	67	#################################
	68	#
	69	# Likewise Auditing and Logging service policy
	70	#
	71
	72	stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
	73	stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
	74
	75	corenet_all_recvfrom_netlabel(eventlogd_t)
	76	corenet_all_recvfrom_unlabeled(eventlogd_t)
	77	corenet_sendrecv_generic_server_packets(eventlogd_t)
	78	corenet_tcp_sendrecv_generic_if(eventlogd_t)
	79	corenet_tcp_sendrecv_generic_node(eventlogd_t)
	80	corenet_tcp_sendrecv_generic_port(eventlogd_t)
	81	corenet_tcp_bind_generic_node(eventlogd_t)
	82	corenet_udp_bind_generic_node(eventlogd_t)
	83	corenet_udp_sendrecv_generic_if(eventlogd_t)
	84	corenet_udp_sendrecv_generic_node(eventlogd_t)
	85	corenet_udp_sendrecv_generic_port(eventlogd_t)
	86
	87	#################################
	88	#
	89	# Likewise Authentication service local policy
	90	#
	91
827060cb CP	92	allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time };
827060cb CP	93	allow lsassd_t self:unix_stream_socket { create_stream_socket_perms connectto };
38fc1bd1 DG	94	allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
	95
	96	allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
	97	allow lsassd_t netlogond_var_lib_t:file read_file_perms;
	98
	99	manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t)
	100
52ddc470	101	manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t)
38fc1bd1 DG	102	files_tmp_filetrans(lsassd_t, lsassd_tmp_t, file)
	103
	104	stream_connect_pattern(lsassd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
	105	stream_connect_pattern(lsassd_t, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
	106	stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
	107	stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
	108	stream_connect_pattern(lsassd_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
	109
827060cb CP	110	kernel_read_system_state(lsassd_t)
	111	kernel_getattr_proc_files(lsassd_t)
	112	kernel_list_all_proc(lsassd_t)
	113	kernel_list_proc(lsassd_t)
	114
38fc1bd1 DG	115	corecmd_exec_bin(lsassd_t)
	116	corecmd_exec_shell(lsassd_t)
	117
	118	corenet_all_recvfrom_netlabel(lsassd_t)
	119	corenet_all_recvfrom_unlabeled(lsassd_t)
	120	corenet_tcp_sendrecv_generic_if(lsassd_t)
	121	corenet_tcp_sendrecv_generic_node(lsassd_t)
	122	corenet_tcp_sendrecv_generic_port(lsassd_t)
	123	corenet_tcp_bind_generic_node(lsassd_t)
	124	corenet_tcp_connect_epmap_port(lsassd_t)
	125	corenet_tcp_sendrecv_epmap_port(lsassd_t)
	126
827060cb CP	127	domain_obj_id_change_exemption(lsassd_t)
827060cb CP	128
38fc1bd1 DG	129	files_manage_etc_files(lsassd_t)
	130	files_manage_etc_symlinks(lsassd_t)
	131	files_manage_etc_runtime_files(lsassd_t)
38fc1bd1 DG	132	files_relabelto_home(lsassd_t)
38fc1bd1 DG	133
38fc1bd1 DG	134	selinux_get_fs_mount(lsassd_t)
	135	selinux_validate_context(lsassd_t)
	136
	137	seutil_read_config(lsassd_t)
	138	seutil_read_default_contexts(lsassd_t)
	139	seutil_read_file_contexts(lsassd_t)
18667140	140	seutil_run_semanage(lsassd_t, system_r)
38fc1bd1 DG	141
	142	sysnet_use_ldap(lsassd_t)
	143	sysnet_read_config(lsassd_t)
	144
	145	userdom_home_filetrans_user_home_dir(lsassd_t)
1db1836a	146	userdom_manage_user_home_content_files(lsassd_t)
38fc1bd1 DG	147
	148	optional_policy(`
	149	kerberos_rw_keytab(lsassd_t)
	150	kerberos_use(lsassd_t)
	151	')
	152
	153	#################################
	154	#
	155	# Likewise I/O service local policy
	156	#
	157
827060cb	158	allow lwiod_t self:capability { fowner chown fsetid dac_override };
38fc1bd1 DG	159	allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
	160
	161	allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
	162	allow lwiod_t netlogond_var_lib_t:file read_file_perms;
	163
	164	stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
	165	stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
	166
	167	corenet_all_recvfrom_netlabel(lwiod_t)
	168	corenet_all_recvfrom_unlabeled(lwiod_t)
	169	corenet_sendrecv_smbd_server_packets(lwiod_t)
	170	corenet_sendrecv_smbd_client_packets(lwiod_t)
	171	corenet_tcp_sendrecv_generic_if(lwiod_t)
	172	corenet_tcp_sendrecv_generic_node(lwiod_t)
	173	corenet_tcp_sendrecv_generic_port(lwiod_t)
	174	corenet_tcp_bind_generic_node(lwiod_t)
	175	corenet_tcp_bind_smbd_port(lwiod_t)
	176	corenet_tcp_connect_smbd_port(lwiod_t)
	177
	178	sysnet_read_config(lwiod_t)
	179
	180	optional_policy(`
	181	kerberos_rw_config(lwiod_t)
	182	kerberos_use(lwiod_t)
	183	')
	184
38fc1bd1 DG	185	#################################
	186	#
	187	# Likewise Service Manager service local policy
	188	#
	189
	190	allow lwsmd_t likewise_domains:process signal;
	191
	192	domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t)
	193	domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t)
	194	domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t)
	195	domtrans_pattern(lwsmd_t, lwiod_exec_t, lwiod_t)
	196	domtrans_pattern(lwsmd_t, lwregd_exec_t, lwregd_t)
	197	domtrans_pattern(lwsmd_t, netlogond_exec_t, netlogond_t)
	198	domtrans_pattern(lwsmd_t, srvsvcd_exec_t, srvsvcd_t)
	199
	200	stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
	201	stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
	202
	203	#################################
	204	#
	205	# Likewise DC location service local policy
	206	#
	207
8bde5ef6	208	allow netlogond_t self:capability dac_override;
38fc1bd1 DG	209
	210	manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
	211
	212	stream_connect_pattern(netlogond_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
	213
	214	sysnet_dns_name_resolve(netlogond_t)
	215	sysnet_use_ldap(netlogond_t)
	216
	217	#################################
	218	#
	219	# Likewise Srv service local policy
	220	#
	221
	222	allow srvsvcd_t likewise_etc_t:dir search_dir_perms;
	223
	224	stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
	225	stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
	226	stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
	227
	228	corenet_all_recvfrom_netlabel(srvsvcd_t)
	229	corenet_all_recvfrom_unlabeled(srvsvcd_t)
	230	corenet_sendrecv_generic_server_packets(srvsvcd_t)
	231	corenet_tcp_sendrecv_generic_if(srvsvcd_t)
	232	corenet_tcp_sendrecv_generic_node(srvsvcd_t)
	233	corenet_tcp_sendrecv_generic_port(srvsvcd_t)
	234	corenet_tcp_bind_generic_node(srvsvcd_t)
	235
	236	optional_policy(`
	237	kerberos_use(srvsvcd_t)
	238	')