/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
-/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
+/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
init_labeled_script_domtrans($1, sssd_initrc_exec_t)
')
+########################################
+## <summary>
+## Read sssd public files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sssd_read_public_files',`
+ gen_require(`
+ type sssd_public_t;
+ ')
+
+ sssd_search_lib($1)
+ read_files_pattern($1, sssd_public_t, sssd_public_t)
+')
+
########################################
## <summary>
## Read sssd PID files.
files_search_var_lib($1)
')
+########################################
+## <summary>
+## Do not audit attempts to search sssd lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sssd_dontaudit_search_lib',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
########################################
## <summary>
## Read sssd lib files.
#
interface(`sssd_admin',`
gen_require(`
- type sssd_t;
+ type sssd_t, sssd_public_t;
+ type sssd_initrc_exec_t;
')
allow $1 sssd_t:process { ptrace signal_perms getattr };
read_files_pattern($1, sssd_t, sssd_t)
- gen_require(`
- type sssd_initrc_exec_t;
- ')
-
# Allow sssd_t to restart the apache service
sssd_initrc_domtrans($1)
domain_system_change_exemption($1)
sssd_manage_pids($1)
sssd_manage_lib_files($1)
+
+ admin_pattern($1, sssd_public_t)
')
-policy_module(sssd, 1.0.1)
+policy_module(sssd, 1.0.2)
########################################
#
type sssd_initrc_exec_t;
init_script_file(sssd_initrc_exec_t)
+type sssd_public_t;
+files_pid_file(sssd_public_t)
+
type sssd_var_lib_t;
files_type(sssd_var_lib_t)
#
# sssd local policy
#
-allow sssd_t self:capability { sys_nice setgid setuid };
-allow sssd_t self:process { setsched signal getsched };
+allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
allow sssd_t self:fifo_file rw_file_perms;
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
+manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
dev_read_urand(sssd_t)
+domain_read_all_domains_state(sssd_t)
+domain_obj_id_change_exemption(sssd_t)
+
files_list_tmp(sssd_t)
files_read_etc_files(sssd_t)
files_read_usr_files(sssd_t)
fs_list_inotifyfs(sssd_t)
+selinux_validate_context(sssd_t)
+
+seutil_read_file_contexts(sssd_t)
+
+mls_file_read_to_clearance(sssd_t)
+
auth_use_nsswitch(sssd_t)
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
')
+
+optional_policy(`
+ kerberos_manage_host_rcache(sssd_t)
+')