]>
Commit | Line | Data |
---|---|---|
493d6c4a CP |
1 | ## <summary>Name service cache daemon</summary> |
2 | ||
8cfa5a00 CP |
3 | ######################################## |
4 | ## <summary> | |
5 | ## Send generic signals to NSCD. | |
6 | ## </summary> | |
7 | ## <param name="domain"> | |
8 | ## <summary> | |
9 | ## Domain allowed access. | |
10 | ## </summary> | |
11 | ## </param> | |
12 | # | |
13 | interface(`nscd_signal',` | |
14 | gen_require(` | |
15 | type nscd_t; | |
16 | ') | |
17 | ||
18 | allow $1 nscd_t:process signal; | |
19 | ') | |
20 | ||
bb881612 CP |
21 | ######################################## |
22 | ## <summary> | |
23 | ## Send NSCD the kill signal. | |
24 | ## </summary> | |
25 | ## <param name="domain"> | |
26 | ## <summary> | |
27 | ## Domain allowed access. | |
28 | ## </summary> | |
29 | ## </param> | |
30 | # | |
31 | interface(`nscd_kill',` | |
32 | gen_require(` | |
33 | type nscd_t; | |
34 | ') | |
35 | ||
36 | allow $1 nscd_t:process sigkill; | |
37 | ') | |
38 | ||
39 | ######################################## | |
40 | ## <summary> | |
41 | ## Send signulls to NSCD. | |
42 | ## </summary> | |
43 | ## <param name="domain"> | |
44 | ## <summary> | |
45 | ## Domain allowed access. | |
46 | ## </summary> | |
47 | ## </param> | |
48 | # | |
49 | interface(`nscd_signull',` | |
50 | gen_require(` | |
51 | type nscd_t; | |
52 | ') | |
53 | ||
54 | allow $1 nscd_t:process signull; | |
55 | ') | |
56 | ||
493d6c4a CP |
57 | ######################################## |
58 | ## <summary> | |
59 | ## Execute NSCD in the nscd domain. | |
60 | ## </summary> | |
61 | ## <param name="domain"> | |
885b83ec | 62 | ## <summary> |
288845a6 | 63 | ## Domain allowed to transition. |
885b83ec | 64 | ## </summary> |
493d6c4a CP |
65 | ## </param> |
66 | # | |
67 | interface(`nscd_domtrans',` | |
68 | gen_require(` | |
69 | type nscd_t, nscd_exec_t; | |
493d6c4a CP |
70 | ') |
71 | ||
8021cb4f | 72 | corecmd_search_bin($1) |
0bfccda4 | 73 | domtrans_pattern($1, nscd_exec_t, nscd_t) |
493d6c4a CP |
74 | ') |
75 | ||
46551033 CP |
76 | ######################################## |
77 | ## <summary> | |
78 | ## Allow the specified domain to execute nscd | |
79 | ## in the caller domain. | |
80 | ## </summary> | |
81 | ## <param name="domain"> | |
82 | ## <summary> | |
83 | ## Domain allowed access. | |
84 | ## </summary> | |
85 | ## </param> | |
86 | # | |
87 | interface(`nscd_exec',` | |
88 | gen_require(` | |
89 | type nscd_exec_t; | |
90 | ') | |
91 | ||
0bfccda4 | 92 | can_exec($1, nscd_exec_t) |
46551033 CP |
93 | ') |
94 | ||
493d6c4a CP |
95 | ######################################## |
96 | ## <summary> | |
97 | ## Use NSCD services by connecting using | |
98 | ## a unix stream socket. | |
99 | ## </summary> | |
100 | ## <param name="domain"> | |
885b83ec | 101 | ## <summary> |
493d6c4a | 102 | ## Domain allowed access. |
885b83ec | 103 | ## </summary> |
493d6c4a CP |
104 | ## </param> |
105 | # | |
1815bad1 | 106 | interface(`nscd_socket_use',` |
493d6c4a CP |
107 | gen_require(` |
108 | type nscd_t, nscd_var_run_t; | |
bb881612 | 109 | class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv }; |
493d6c4a CP |
110 | ') |
111 | ||
6e61566d | 112 | allow $1 self:unix_stream_socket create_socket_perms; |
493d6c4a | 113 | |
493d6c4a CP |
114 | allow $1 nscd_t:nscd { getpwd getgrp gethost }; |
115 | dontaudit $1 nscd_t:fd use; | |
bb881612 | 116 | dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv }; |
493d6c4a | 117 | files_search_pids($1) |
0bfccda4 | 118 | stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t) |
493d6c4a CP |
119 | dontaudit $1 nscd_var_run_t:file { getattr read }; |
120 | ') | |
121 | ||
3eaa9939 DW |
122 | ######################################## |
123 | ## <summary> | |
124 | ## Use nscd services | |
125 | ## </summary> | |
126 | ## <param name="domain"> | |
127 | ## <summary> | |
128 | ## Domain allowed access. | |
129 | ## </summary> | |
130 | ## </param> | |
131 | # | |
132 | interface(`nscd_use',` | |
133 | tunable_policy(`nscd_use_shm',` | |
134 | nscd_shm_use($1) | |
135 | ',` | |
136 | nscd_socket_use($1) | |
137 | ') | |
138 | ') | |
139 | ||
493d6c4a CP |
140 | ######################################## |
141 | ## <summary> | |
142 | ## Use NSCD services by mapping the database from | |
143 | ## an inherited NSCD file descriptor. | |
144 | ## </summary> | |
145 | ## <param name="domain"> | |
885b83ec | 146 | ## <summary> |
493d6c4a | 147 | ## Domain allowed access. |
885b83ec | 148 | ## </summary> |
493d6c4a CP |
149 | ## </param> |
150 | # | |
1815bad1 | 151 | interface(`nscd_shm_use',` |
493d6c4a CP |
152 | gen_require(` |
153 | type nscd_t, nscd_var_run_t; | |
25c67461 | 154 | class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; |
493d6c4a CP |
155 | ') |
156 | ||
c0868a7a | 157 | allow $1 nscd_var_run_t:dir list_dir_perms; |
493d6c4a CP |
158 | allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; |
159 | ||
160 | # Receive fd from nscd and map the backing file with read access. | |
161 | allow $1 nscd_t:fd use; | |
162 | ||
163 | # cjp: these were originally inherited from the | |
ff8f0a63 | 164 | # nscd_socket_domain macro. need to investigate |
493d6c4a CP |
165 | # if they are all actually required |
166 | allow $1 self:unix_stream_socket create_stream_socket_perms; | |
167 | allow $1 nscd_t:unix_stream_socket connectto; | |
168 | allow $1 nscd_var_run_t:sock_file rw_file_perms; | |
169 | files_search_pids($1) | |
170 | allow $1 nscd_t:nscd { getpwd getgrp gethost }; | |
171 | dontaudit $1 nscd_var_run_t:file { getattr read }; | |
172 | ') | |
173 | ||
4846dc8a CP |
174 | ######################################## |
175 | ## <summary> | |
176 | ## Do not audit attempts to search the NSCD pid directory. | |
177 | ## </summary> | |
178 | ## <param name="domain"> | |
179 | ## <summary> | |
288845a6 | 180 | ## Domain to not audit. |
4846dc8a CP |
181 | ## </summary> |
182 | ## </param> | |
183 | # | |
184 | interface(`nscd_dontaudit_search_pid',` | |
185 | gen_require(` | |
186 | type nscd_var_run_t; | |
187 | ') | |
188 | ||
3eaa9939 | 189 | dontaudit $1 nscd_var_run_t:dir search_dir_perms; |
4846dc8a CP |
190 | ') |
191 | ||
689f6ddb CP |
192 | ######################################## |
193 | ## <summary> | |
194 | ## Read NSCD pid file. | |
195 | ## </summary> | |
196 | ## <param name="domain"> | |
885b83ec | 197 | ## <summary> |
689f6ddb | 198 | ## Domain allowed access. |
885b83ec | 199 | ## </summary> |
689f6ddb CP |
200 | ## </param> |
201 | # | |
202 | interface(`nscd_read_pid',` | |
203 | gen_require(` | |
204 | type nscd_var_run_t; | |
689f6ddb CP |
205 | ') |
206 | ||
207 | files_search_pids($1) | |
0bfccda4 | 208 | read_files_pattern($1, nscd_var_run_t, nscd_var_run_t) |
689f6ddb CP |
209 | ') |
210 | ||
493d6c4a CP |
211 | ######################################## |
212 | ## <summary> | |
213 | ## Unconfined access to NSCD services. | |
214 | ## </summary> | |
215 | ## <param name="domain"> | |
885b83ec | 216 | ## <summary> |
493d6c4a | 217 | ## Domain allowed access. |
885b83ec | 218 | ## </summary> |
493d6c4a CP |
219 | ## </param> |
220 | # | |
221 | interface(`nscd_unconfined',` | |
222 | gen_require(` | |
223 | type nscd_t; | |
41c4800d | 224 | class nscd all_nscd_perms; |
493d6c4a CP |
225 | ') |
226 | ||
227 | allow $1 nscd_t:nscd *; | |
228 | ') | |
cdc91b9a CP |
229 | |
230 | ######################################## | |
231 | ## <summary> | |
232 | ## Execute nscd in the nscd domain, and | |
233 | ## allow the specified role the nscd domain. | |
234 | ## </summary> | |
235 | ## <param name="domain"> | |
236 | ## <summary> | |
288845a6 | 237 | ## Domain allowed to transition. |
cdc91b9a CP |
238 | ## </summary> |
239 | ## </param> | |
240 | ## <param name="role"> | |
241 | ## <summary> | |
a7ee7f81 | 242 | ## Role allowed access. |
cdc91b9a CP |
243 | ## </summary> |
244 | ## </param> | |
cdc91b9a CP |
245 | # |
246 | interface(`nscd_run',` | |
247 | gen_require(` | |
248 | type nscd_t; | |
249 | ') | |
250 | ||
251 | nscd_domtrans($1) | |
252 | role $2 types nscd_t; | |
cdc91b9a | 253 | ') |
bb881612 | 254 | |
937b2c4d CP |
255 | ######################################## |
256 | ## <summary> | |
257 | ## Execute the nscd server init script. | |
258 | ## </summary> | |
259 | ## <param name="domain"> | |
260 | ## <summary> | |
288845a6 | 261 | ## Domain allowed to transition. |
937b2c4d CP |
262 | ## </summary> |
263 | ## </param> | |
264 | # | |
265 | interface(`nscd_initrc_domtrans',` | |
266 | gen_require(` | |
267 | type nscd_initrc_exec_t; | |
268 | ') | |
269 | ||
270 | init_labeled_script_domtrans($1, nscd_initrc_exec_t) | |
271 | ') | |
272 | ||
bb881612 CP |
273 | ######################################## |
274 | ## <summary> | |
275 | ## All of the rules required to administrate | |
276 | ## an nscd environment | |
277 | ## </summary> | |
278 | ## <param name="domain"> | |
279 | ## <summary> | |
280 | ## Domain allowed access. | |
281 | ## </summary> | |
282 | ## </param> | |
283 | ## <param name="role"> | |
284 | ## <summary> | |
285 | ## The role to be allowed to manage the nscd domain. | |
286 | ## </summary> | |
287 | ## </param> | |
288 | ## <rolecap/> | |
289 | # | |
290 | interface(`nscd_admin',` | |
291 | gen_require(` | |
292 | type nscd_t, nscd_log_t, nscd_var_run_t; | |
293 | type nscd_initrc_exec_t; | |
294 | ') | |
295 | ||
296 | allow $1 nscd_t:process { ptrace signal_perms }; | |
297 | ps_process_pattern($1, nscd_t) | |
298 | ||
299 | init_labeled_script_domtrans($1, nscd_initrc_exec_t) | |
300 | domain_system_change_exemption($1) | |
301 | role_transition $2 nscd_initrc_exec_t system_r; | |
302 | allow $2 system_r; | |
303 | ||
304 | logging_list_logs($1) | |
305 | admin_pattern($1, nscd_log_t) | |
306 | ||
307 | files_list_pids($1) | |
308 | admin_pattern($1, nscd_var_run_t) | |
309 | ') |