Allow munin services plugins to use NSCD services
1 ## <summary>policy for dirsrv</summary>
2
########################################
## <summary>
##	Execute a domain transition to run dirsrv.
## </summary>
## <desc>
##	<p>
##	Lets the caller start the directory server so that it runs
##	in dirsrv_t instead of the caller domain. Grant this only to
##	domains that legitimately launch the server.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`dirsrv_domtrans',`
	gen_require(`
		type dirsrv_t;
		type dirsrv_exec_t;
	')

	# Entry point is dirsrv_exec_t, target domain is dirsrv_t.
	# The pattern macro itself is defined outside this file.
	domtrans_pattern($1, dirsrv_exec_t, dirsrv_t)
')
20
21
########################################
## <summary>
##	Allow caller to signal dirsrv.
## </summary>
## <desc>
##	<p>
##	Grants only the signal permission on dirsrv_t processes.
##	No other process permission is granted by this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_signal',`
	gen_require(`
		type dirsrv_t;
	')

	# Single process permission, nothing else on dirsrv_t.
	allow $1 dirsrv_t:process { signal };
')
39
40
########################################
## <summary>
##	Send a null signal to dirsrv.
## </summary>
## <desc>
##	<p>
##	Grants only the signull permission on dirsrv_t processes,
##	which is the check used to test whether a process exists
##	without delivering a real signal.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_signull',`
	gen_require(`
		type dirsrv_t;
	')

	# Existence probe only; does not include the signal permission.
	allow $1 dirsrv_t:process { signull };
')
58
#######################################
## <summary>
##	Allow a domain to manage dirsrv logs.
## </summary>
## <desc>
##	<p>
##	Grants the manage permission sets on directories, regular
##	files and named pipes labelled dirsrv_var_log_t. This is a
##	broad grant: the caller can create, modify and remove the
##	server logs, so it should be limited to domains that need
##	to rotate or administer them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_manage_log',`
	gen_require(`
		type dirsrv_var_log_t;
	')

	# One rule per object class carrying the log label.
	# NOTE(review): no rule here covers the parent log directory;
	# presumably callers get search access to it elsewhere - confirm.
	allow $1 dirsrv_var_log_t:file manage_file_perms;
	allow $1 dirsrv_var_log_t:fifo_file manage_fifo_file_perms;
	allow $1 dirsrv_var_log_t:dir manage_dir_perms;
')
78
#######################################
## <summary>
##	Allow a domain to manage dirsrv /var/lib files.
## </summary>
## <desc>
##	<p>
##	Grants the manage permission sets on directories and regular
##	files labelled dirsrv_var_lib_t. Other object classes with
##	that label are not covered by this interface.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_manage_var_lib',`
	gen_require(`
		type dirsrv_var_lib_t;
	')

	# Regular files and the directories that hold them.
	allow $1 dirsrv_var_lib_t:file manage_file_perms;
	allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
')
96
########################################
## <summary>
##	Connect to dirsrv over an unix stream socket.
## </summary>
## <desc>
##	<p>
##	Lets the caller reach the socket file labelled
##	dirsrv_var_run_t and connect to the dirsrv_t process behind
##	it. The exact permissions come from two macros defined
##	outside this file.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_stream_connect',`
	gen_require(`
		type dirsrv_t;
		type dirsrv_var_run_t;
	')

	# Directory and socket file both carry dirsrv_var_run_t;
	# the peer process is dirsrv_t.
	stream_connect_pattern($1, dirsrv_var_run_t, dirsrv_var_run_t, dirsrv_t)

	# Search access to the generic pid directory above the socket.
	files_search_pids($1)
')
115
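#######################################
## <summary>
##	Allow a domain to manage dirsrv /var/run files.
## </summary>
## <desc>
##	<p>
##	Grants the manage permission sets on directories, regular
##	files and socket files labelled dirsrv_var_run_t. Because
##	this includes creating and removing the server socket file,
##	it should be limited to domains that administer the server
##	runtime directory.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_manage_var_run',`
	gen_require(`
		type dirsrv_var_run_t;
	')

	allow $1 dirsrv_var_run_t:dir manage_dir_perms;
	allow $1 dirsrv_var_run_t:file manage_file_perms;
	# Use the permission set written for the sock_file class rather
	# than the regular-file set, so the rule matches its object class.
	allow $1 dirsrv_var_run_t:sock_file manage_sock_file_perms;
')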
134
######################################
## <summary>
##	Allow a domain to create dirsrv pid directories.
## </summary>
## <desc>
##	<p>
##	Directories the caller creates in the generic pid directory
##	are labelled dirsrv_var_run_t. Only the directory object
##	class is covered.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_pid_filetrans',`
	gen_require(`
		type dirsrv_var_run_t;
	')

	# New directories under /var/run take the dirsrv runtime type.
	# NOTE(review): no allow rule on dirsrv_var_run_t appears in this
	# interface; confirm callers get create permission elsewhere.
	files_pid_filetrans($1, dirsrv_var_run_t, dir)
')
152
#######################################
## <summary>
##	Allow a domain to read dirsrv /var/run files.
## </summary>
## <desc>
##	<p>
##	Read-only counterpart for the runtime directory: listing of
##	directories and reading of regular files labelled
##	dirsrv_var_run_t. Socket files are not covered here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_read_var_run',`
	gen_require(`
		type dirsrv_var_run_t;
	')

	# Read regular files and list the directories that hold them.
	allow $1 dirsrv_var_run_t:file read_file_perms;
	allow $1 dirsrv_var_run_t:dir list_dir_perms;
')
170
########################################
## <summary>
##	Manage dirsrv configuration files.
## </summary>
## <desc>
##	<p>
##	Grants the manage permission sets on directories and regular
##	files labelled dirsrv_config_t. A caller with this access
##	can rewrite the server configuration, so it should be
##	limited to administrative domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_manage_config',`
	gen_require(`
		type dirsrv_config_t;
	')

	# Configuration files and their containing directories.
	allow $1 dirsrv_config_t:file manage_file_perms;
	allow $1 dirsrv_config_t:dir manage_dir_perms;
')
189
########################################
## <summary>
##	Read dirsrv share files.
## </summary>
## <desc>
##	<p>
##	Read-only access to content labelled dirsrv_share_t:
##	directory listing, reading of regular files and reading of
##	symbolic links.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dirsrv_read_share',`
	gen_require(`
		type dirsrv_share_t;
	')

	# Regular files and directory listing.
	allow $1 dirsrv_share_t:file read_file_perms;
	allow $1 dirsrv_share_t:dir list_dir_perms;

	# Symbolic links get the bare read permission only.
	# NOTE(review): confirm this is intended rather than a named
	# link permission set.
	allow $1 dirsrv_share_t:lnk_file { read };
')