]> git.ipfire.org Git - people/stevee/selinux-policy.git/blob - policy/modules/services/sssd.if
projects / people / stevee / selinux-policy.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge upstream
[people/stevee/selinux-policy.git] / policy / modules / services / sssd.if
1 ## <summary>System Security Services Daemon</summary>
2
3 ########################################
4 ## <summary>
5 ## Execute a domain transition to run sssd.
6 ## </summary>
7 ## <param name="domain">
8 ## <summary>
9 ## Domain allowed to transition.
10 ## </summary>
11 ## </param>
12 #
13 interface(`sssd_domtrans',`
14 gen_require(`
15 type sssd_t, sssd_exec_t;
16 ')
17
18 domtrans_pattern($1, sssd_exec_t, sssd_t)
19 ')
20
21 ########################################
22 ## <summary>
23 ## Execute sssd server in the sssd domain.
24 ## </summary>
25 ## <param name="domain">
26 ## <summary>
27 ## Domain allowed to transition.
28 ## </summary>
29 ## </param>
30 #
31 interface(`sssd_initrc_domtrans',`
32 gen_require(`
33 type sssd_initrc_exec_t;
34 ')
35
36 init_labeled_script_domtrans($1, sssd_initrc_exec_t)
37 ')
38
39 ########################################
40 ## <summary>
41 ## Read sssd public files.
42 ## </summary>
43 ## <param name="domain">
44 ## <summary>
45 ## Domain allowed access.
46 ## </summary>
47 ## </param>
48 #
49 interface(`sssd_read_public_files',`
50 gen_require(`
51 type sssd_public_t;
52 ')
53
54 sssd_search_lib($1)
55 read_files_pattern($1, sssd_public_t, sssd_public_t)
56 ')
57
58 ########################################
59 ## <summary>
60 ## Read sssd PID files.
61 ## </summary>
62 ## <param name="domain">
63 ## <summary>
64 ## Domain allowed access.
65 ## </summary>
66 ## </param>
67 #
68 interface(`sssd_read_pid_files',`
69 gen_require(`
70 type sssd_var_run_t;
71 ')
72
73 files_search_pids($1)
74 allow $1 sssd_var_run_t:file read_file_perms;
75 ')
76
77 ########################################
78 ## <summary>
79 ## Manage sssd var_run files.
80 ## </summary>
81 ## <param name="domain">
82 ## <summary>
83 ## Domain allowed access.
84 ## </summary>
85 ## </param>
86 #
87 interface(`sssd_manage_pids',`
88 gen_require(`
89 type sssd_var_run_t;
90 ')
91
92 files_search_pids($1)
93 manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
94 manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
95 ')
96
97 ########################################
98 ## <summary>
99 ## Search sssd lib directories.
100 ## </summary>
101 ## <param name="domain">
102 ## <summary>
103 ## Domain allowed access.
104 ## </summary>
105 ## </param>
106 #
107 interface(`sssd_search_lib',`
108 gen_require(`
109 type sssd_var_lib_t;
110 ')
111
112 allow $1 sssd_var_lib_t:dir search_dir_perms;
113 files_search_var_lib($1)
114 ')
115
116 ########################################
117 ## <summary>
118 ## Do not audit attempts to search sssd lib directories.
119 ## </summary>
120 ## <param name="domain">
121 ## <summary>
122 ## Domain to not audit.
123 ## </summary>
124 ## </param>
125 #
126 interface(`sssd_dontaudit_search_lib',`
127 gen_require(`
128 type sssd_var_lib_t;
129 ')
130
131 dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
132 ')
133
134 ########################################
135 ## <summary>
136 ## Read sssd lib files.
137 ## </summary>
138 ## <param name="domain">
139 ## <summary>
140 ## Domain allowed access.
141 ## </summary>
142 ## </param>
143 #
144 interface(`sssd_read_lib_files',`
145 gen_require(`
146 type sssd_var_lib_t;
147 ')
148
149 files_search_var_lib($1)
150 read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
151 ')
152
153 ########################################
154 ## <summary>
155 ## Create, read, write, and delete
156 ## sssd lib files.
157 ## </summary>
158 ## <param name="domain">
159 ## <summary>
160 ## Domain allowed access.
161 ## </summary>
162 ## </param>
163 #
164 interface(`sssd_manage_lib_files',`
165 gen_require(`
166 type sssd_var_lib_t;
167 ')
168
169 files_search_var_lib($1)
170 manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
171 ')
172
173 ########################################
174 ## <summary>
175 ## Send and receive messages from
176 ## sssd over dbus.
177 ## </summary>
178 ## <param name="domain">
179 ## <summary>
180 ## Domain allowed access.
181 ## </summary>
182 ## </param>
183 #
184 interface(`sssd_dbus_chat',`
185 gen_require(`
186 type sssd_t;
187 class dbus send_msg;
188 ')
189
190 allow $1 sssd_t:dbus send_msg;
191 allow sssd_t $1:dbus send_msg;
192 ')
193
194 ########################################
195 ## <summary>
196 ## Connect to sssd over an unix stream socket.
197 ## </summary>
198 ## <param name="domain">
199 ## <summary>
200 ## Domain allowed access.
201 ## </summary>
202 ## </param>
203 #
204 interface(`sssd_stream_connect',`
205 gen_require(`
206 type sssd_t, sssd_var_lib_t;
207 ')
208
209 files_search_pids($1)
210 stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)
211 ')
212
213 ########################################
214 ## <summary>
215 ## All of the rules required to administrate
216 ## an sssd environment
217 ## </summary>
218 ## <param name="domain">
219 ## <summary>
220 ## Domain allowed access.
221 ## </summary>
222 ## </param>
223 ## <param name="role">
224 ## <summary>
225 ## The role to be allowed to manage the sssd domain.
226 ## </summary>
227 ## </param>
228 ## <rolecap/>
229 #
230 interface(`sssd_admin',`
231 gen_require(`
232 type sssd_t, sssd_public_t, sssd_initrc_exec_t;
233 ')
234
235 allow $1 sssd_t:process { ptrace signal_perms };
236 ps_process_pattern($1, sssd_t)
237
238 # Allow sssd_t to restart the apache service
239 sssd_initrc_domtrans($1)
240 domain_system_change_exemption($1)
241 role_transition $2 sssd_initrc_exec_t system_r;
242 allow $2 system_r;
243
244 sssd_manage_pids($1)
245
246 sssd_manage_lib_files($1)
247
248 admin_pattern($1, sssd_public_t)
249 ')
The IPFire selinux policy.