[people/stevee/selinux-policy.git] / policy / modules / services / nscd.if

## <summary>Name service cache daemon</summary>

########################################
## <summary>
##	Send generic signals to NSCD.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nscd_signal',`
	gen_require(`
		type nscd_t;
	')

	allow $1 nscd_t:process signal;
')

########################################
## <summary>
##	Send NSCD the kill signal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nscd_kill',`
	gen_require(`
		type nscd_t;
	')

	allow $1 nscd_t:process sigkill;
')

########################################
## <summary>
##	Send signulls to NSCD.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nscd_signull',`
	gen_require(`
		type nscd_t;
	')

	allow $1 nscd_t:process signull;
')

########################################
## <summary>
##	Execute NSCD in the nscd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`nscd_domtrans',`
	gen_require(`
		type nscd_t, nscd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, nscd_exec_t, nscd_t)
')

########################################
## <summary>
##	Allow the specified domain to execute nscd
##	in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nscd_exec',`
	gen_require(`
		type nscd_exec_t;
	')

	can_exec($1, nscd_exec_t)
')

########################################
## <summary>
##	Use NSCD services by connecting using
##	a unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nscd_socket_use',`
	gen_require(`
		type nscd_t, nscd_var_run_t;
		class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
	')

	allow $1 self:unix_stream_socket create_socket_perms;

	allow $1 nscd_t:nscd { getpwd getgrp gethost };
	dontaudit $1 nscd_t:fd use;
	dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
	files_search_pids($1)
	stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
	dontaudit $1 nscd_var_run_t:file { getattr read };
')

########################################
## <summary>
##	Use nscd services
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nscd_use',`
	tunable_policy(`nscd_use_shm',`
		nscd_shm_use($1)
	',`
		nscd_socket_use($1)
	')
')

########################################
## <summary>
##	Use NSCD services by mapping the database from
##	an inherited NSCD file descriptor.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nscd_shm_use',`
	gen_require(`
		type nscd_t, nscd_var_run_t;
		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
	')

	allow $1 nscd_var_run_t:dir list_dir_perms;
	allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };

	# Receive fd from nscd and map the backing file with read access.
	allow $1 nscd_t:fd use;

	# cjp: these were originally inherited from the
	# nscd_socket_domain macro. need to investigate
	# if they are all actually required
	allow $1 self:unix_stream_socket create_stream_socket_perms;
	allow $1 nscd_t:unix_stream_socket connectto;
	allow $1 nscd_var_run_t:sock_file rw_file_perms;
	files_search_pids($1)
	allow $1 nscd_t:nscd { getpwd getgrp gethost };
	dontaudit $1 nscd_var_run_t:file { getattr read };
')

########################################
## <summary>
##	Do not audit attempts to search the NSCD pid directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`nscd_dontaudit_search_pid',`
	gen_require(`
		type nscd_var_run_t;
	')

	dontaudit $1 nscd_var_run_t:dir search_dir_perms;
')

########################################
## <summary>
##	Read NSCD pid file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nscd_read_pid',`
	gen_require(`
		type nscd_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, nscd_var_run_t, nscd_var_run_t)
')

########################################
## <summary>
##	Unconfined access to NSCD services.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nscd_unconfined',`
	gen_require(`
		type nscd_t;
		class nscd all_nscd_perms;
	')

	allow $1 nscd_t:nscd *;
')

########################################
## <summary>
##	Execute nscd in the nscd domain, and
##	allow the specified role the nscd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`nscd_run',`
	gen_require(`
		type nscd_t;
	')

	nscd_domtrans($1)
	role $2 types nscd_t;
')

########################################
## <summary>
##	Execute the nscd server init script.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`nscd_initrc_domtrans',`
	gen_require(`
		type nscd_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
')

########################################
## <summary>
##	All of the rules required to administrate 
##	an nscd environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the nscd domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`nscd_admin',`
	gen_require(`
		type nscd_t, nscd_log_t, nscd_var_run_t;
		type nscd_initrc_exec_t;
	')

	allow $1 nscd_t:process { ptrace signal_perms };
	ps_process_pattern($1, nscd_t)

	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 nscd_initrc_exec_t system_r;
	allow $2 system_r;

	logging_list_logs($1)
	admin_pattern($1, nscd_log_t)

	files_list_pids($1)
	admin_pattern($1, nscd_var_run_t)
')
Commit	Line	Data
493d6c4a CP	1	## <summary>Name service cache daemon</summary>
493d6c4a CP	2
8cfa5a00 CP	3	########################################
	4	## <summary>
	5	## Send generic signals to NSCD.
	6	## </summary>
	7	## <param name="domain">
	8	## <summary>
	9	## Domain allowed access.
	10	## </summary>
	11	## </param>
	12	#
	13	interface(`nscd_signal',`
	14	gen_require(`
	15	type nscd_t;
	16	')
	17
	18	allow $1 nscd_t:process signal;
	19	')
	20
bb881612 CP	21	########################################
	22	## <summary>
	23	## Send NSCD the kill signal.
	24	## </summary>
	25	## <param name="domain">
	26	## <summary>
	27	## Domain allowed access.
	28	## </summary>
	29	## </param>
	30	#
	31	interface(`nscd_kill',`
	32	gen_require(`
	33	type nscd_t;
	34	')
	35
	36	allow $1 nscd_t:process sigkill;
	37	')
	38
	39	########################################
	40	## <summary>
	41	## Send signulls to NSCD.
	42	## </summary>
	43	## <param name="domain">
	44	## <summary>
	45	## Domain allowed access.
	46	## </summary>
	47	## </param>
	48	#
	49	interface(`nscd_signull',`
	50	gen_require(`
	51	type nscd_t;
	52	')
	53
	54	allow $1 nscd_t:process signull;
	55	')
	56
493d6c4a CP	57	########################################
	58	## <summary>
	59	## Execute NSCD in the nscd domain.
	60	## </summary>
	61	## <param name="domain">
885b83ec	62	## <summary>
288845a6	63	## Domain allowed to transition.
885b83ec	64	## </summary>
493d6c4a CP	65	## </param>
	66	#
	67	interface(`nscd_domtrans',`
	68	gen_require(`
	69	type nscd_t, nscd_exec_t;
493d6c4a CP	70	')
493d6c4a CP	71
8021cb4f	72	corecmd_search_bin($1)
0bfccda4	73	domtrans_pattern($1, nscd_exec_t, nscd_t)
493d6c4a CP	74	')
493d6c4a CP	75
46551033 CP	76	########################################
	77	## <summary>
	78	## Allow the specified domain to execute nscd
	79	## in the caller domain.
	80	## </summary>
	81	## <param name="domain">
	82	## <summary>
	83	## Domain allowed access.
	84	## </summary>
	85	## </param>
	86	#
	87	interface(`nscd_exec',`
	88	gen_require(`
	89	type nscd_exec_t;
	90	')
	91
0bfccda4	92	can_exec($1, nscd_exec_t)
46551033 CP	93	')
46551033 CP	94
493d6c4a CP	95	########################################
	96	## <summary>
	97	## Use NSCD services by connecting using
	98	## a unix stream socket.
	99	## </summary>
	100	## <param name="domain">
885b83ec	101	## <summary>
493d6c4a	102	## Domain allowed access.
885b83ec	103	## </summary>
493d6c4a CP	104	## </param>
493d6c4a CP	105	#
1815bad1	106	interface(`nscd_socket_use',`
493d6c4a CP	107	gen_require(`
493d6c4a CP	108	type nscd_t, nscd_var_run_t;
bb881612	109	class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
493d6c4a CP	110	')
493d6c4a CP	111
6e61566d	112	allow $1 self:unix_stream_socket create_socket_perms;
493d6c4a	113
493d6c4a CP	114	allow $1 nscd_t:nscd { getpwd getgrp gethost };
493d6c4a CP	115	dontaudit $1 nscd_t:fd use;
bb881612	116	dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
493d6c4a	117	files_search_pids($1)
0bfccda4	118	stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
493d6c4a CP	119	dontaudit $1 nscd_var_run_t:file { getattr read };
	120	')
	121
3eaa9939 DW	122	########################################
	123	## <summary>
	124	## Use nscd services
	125	## </summary>
	126	## <param name="domain">
	127	## <summary>
	128	## Domain allowed access.
	129	## </summary>
	130	## </param>
	131	#
	132	interface(`nscd_use',`
	133	tunable_policy(`nscd_use_shm',`
	134	nscd_shm_use($1)
	135	',`
	136	nscd_socket_use($1)
	137	')
	138	')
	139
493d6c4a CP	140	########################################
	141	## <summary>
	142	## Use NSCD services by mapping the database from
	143	## an inherited NSCD file descriptor.
	144	## </summary>
	145	## <param name="domain">
885b83ec	146	## <summary>
493d6c4a	147	## Domain allowed access.
885b83ec	148	## </summary>
493d6c4a CP	149	## </param>
493d6c4a CP	150	#
1815bad1	151	interface(`nscd_shm_use',`
493d6c4a CP	152	gen_require(`
493d6c4a CP	153	type nscd_t, nscd_var_run_t;
25c67461	154	class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
493d6c4a CP	155	')
493d6c4a CP	156
c0868a7a	157	allow $1 nscd_var_run_t:dir list_dir_perms;
493d6c4a CP	158	allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
	159
	160	# Receive fd from nscd and map the backing file with read access.
	161	allow $1 nscd_t:fd use;
	162
	163	# cjp: these were originally inherited from the
ff8f0a63	164	# nscd_socket_domain macro. need to investigate
493d6c4a CP	165	# if they are all actually required
	166	allow $1 self:unix_stream_socket create_stream_socket_perms;
	167	allow $1 nscd_t:unix_stream_socket connectto;
	168	allow $1 nscd_var_run_t:sock_file rw_file_perms;
	169	files_search_pids($1)
	170	allow $1 nscd_t:nscd { getpwd getgrp gethost };
	171	dontaudit $1 nscd_var_run_t:file { getattr read };
	172	')
	173
4846dc8a CP	174	########################################
	175	## <summary>
	176	## Do not audit attempts to search the NSCD pid directory.
	177	## </summary>
	178	## <param name="domain">
	179	## <summary>
288845a6	180	## Domain to not audit.
4846dc8a CP	181	## </summary>
	182	## </param>
	183	#
	184	interface(`nscd_dontaudit_search_pid',`
	185	gen_require(`
	186	type nscd_var_run_t;
	187	')
	188
3eaa9939	189	dontaudit $1 nscd_var_run_t:dir search_dir_perms;
4846dc8a CP	190	')
4846dc8a CP	191
689f6ddb CP	192	########################################
	193	## <summary>
	194	## Read NSCD pid file.
	195	## </summary>
	196	## <param name="domain">
885b83ec	197	## <summary>
689f6ddb	198	## Domain allowed access.
885b83ec	199	## </summary>
689f6ddb CP	200	## </param>
	201	#
	202	interface(`nscd_read_pid',`
	203	gen_require(`
	204	type nscd_var_run_t;
689f6ddb CP	205	')
	206
	207	files_search_pids($1)
0bfccda4	208	read_files_pattern($1, nscd_var_run_t, nscd_var_run_t)
689f6ddb CP	209	')
689f6ddb CP	210
493d6c4a CP	211	########################################
	212	## <summary>
	213	## Unconfined access to NSCD services.
	214	## </summary>
	215	## <param name="domain">
885b83ec	216	## <summary>
493d6c4a	217	## Domain allowed access.
885b83ec	218	## </summary>
493d6c4a CP	219	## </param>
	220	#
	221	interface(`nscd_unconfined',`
	222	gen_require(`
	223	type nscd_t;
41c4800d	224	class nscd all_nscd_perms;
493d6c4a CP	225	')
	226
	227	allow $1 nscd_t:nscd *;
	228	')
cdc91b9a CP	229
	230	########################################
	231	## <summary>
	232	## Execute nscd in the nscd domain, and
	233	## allow the specified role the nscd domain.
	234	## </summary>
	235	## <param name="domain">
	236	## <summary>
288845a6	237	## Domain allowed to transition.
cdc91b9a CP	238	## </summary>
	239	## </param>
	240	## <param name="role">
	241	## <summary>
a7ee7f81	242	## Role allowed access.
cdc91b9a CP	243	## </summary>
cdc91b9a CP	244	## </param>
cdc91b9a CP	245	#
	246	interface(`nscd_run',`
	247	gen_require(`
	248	type nscd_t;
	249	')
	250
	251	nscd_domtrans($1)
	252	role $2 types nscd_t;
cdc91b9a	253	')
bb881612	254
937b2c4d CP	255	########################################
	256	## <summary>
	257	## Execute the nscd server init script.
	258	## </summary>
	259	## <param name="domain">
	260	## <summary>
288845a6	261	## Domain allowed to transition.
937b2c4d CP	262	## </summary>
	263	## </param>
	264	#
	265	interface(`nscd_initrc_domtrans',`
	266	gen_require(`
	267	type nscd_initrc_exec_t;
	268	')
	269
	270	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
	271	')
	272
bb881612 CP	273	########################################
	274	## <summary>
	275	## All of the rules required to administrate
	276	## an nscd environment
	277	## </summary>
	278	## <param name="domain">
	279	## <summary>
	280	## Domain allowed access.
	281	## </summary>
	282	## </param>
	283	## <param name="role">
	284	## <summary>
	285	## The role to be allowed to manage the nscd domain.
	286	## </summary>
	287	## </param>
	288	## <rolecap/>
	289	#
	290	interface(`nscd_admin',`
	291	gen_require(`
	292	type nscd_t, nscd_log_t, nscd_var_run_t;
	293	type nscd_initrc_exec_t;
	294	')
	295
	296	allow $1 nscd_t:process { ptrace signal_perms };
	297	ps_process_pattern($1, nscd_t)
	298
	299	init_labeled_script_domtrans($1, nscd_initrc_exec_t)
	300	domain_system_change_exemption($1)
	301	role_transition $2 nscd_initrc_exec_t system_r;
	302	allow $2 system_r;
	303
	304	logging_list_logs($1)
	305	admin_pattern($1, nscd_log_t)
	306
	307	files_list_pids($1)
	308	admin_pattern($1, nscd_var_run_t)
	309	')