author | Chris PeBenito <cpebenito@tresys.com> | 2009-09-08 10:31:19 -0400 |
---|---|---|
committer | Chris PeBenito <cpebenito@tresys.com> | 2009-09-08 10:31:19 -0400 |
commit | 81bca10b2888e28292a1ba2b18d5c10b5dbf9e3d (patch) | |
tree | 5cb8133bfb0682e315775d75cd427529d0234dd7 | |
parent | f67bc918d441699e199fcfaf54f16529111dc877 (diff) |
nslcd policy from dan.
-rw-r--r-- | Changelog | 1 | ||||
-rw-r--r-- | policy/modules/services/nslcd.fc | 4 | ||||
-rw-r--r-- | policy/modules/services/nslcd.if | 109 | ||||
-rw-r--r-- | policy/modules/services/nslcd.te | 44 |
4 files changed, 158 insertions, 0 deletions
@@ -12,6 +12,7 @@ gitosis (Miroslav Grepl) hddtemp (Dan Walsh) kdump (Dan Walsh) + nslcd (Dan Walsh) shorewall (Dan Walsh) * Thu Jul 30 2009 Chris PeBenito <selinux@tresys.com> - 2.20090730
diff --git a/policy/modules/services/nslcd.fc b/policy/modules/services/nslcd.fc
new file mode 100644
index 00000000..ce913b24
--- /dev/null
+++ b/policy/modules/services/nslcd.fc
@@ -0,0 +1,4 @@
+/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
+/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if
new file mode 100644
index 00000000..85089773
--- /dev/null
+++ b/policy/modules/services/nslcd.if
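Review bot: In nslcd.fc the entry `/etc/nss-ldapd.conf` leaves its dot unescaped while `/etc/rc\.d/init\.d/nslcd` in the same file escapes every dot; these paths are regular expressions, so for consistency with the rest of the hunk write `/etc/nss-ldapd\.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)`. An unescaped dot matches any single character, which is harmless for this path but is not the convention the other entries follow.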
@@ -0,0 +1,109 @@
+## <summary>nslcd - local LDAP name service daemon.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run nslcd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nslcd_domtrans',`
+ gen_require(`
+ type nslcd_t, nslcd_exec_t;
+ ')
+
+ domtrans_pattern($1, nslcd_exec_t, nslcd_t)
+')
+
+########################################
+## <summary>
+## Execute nslcd server in the nslcd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`nslcd_initrc_domtrans',`
+ gen_require(`
+ type nslcd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nslcd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Read nslcd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nslcd_read_pid_files',`
+ gen_require(`
+ type nslcd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 nslcd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to nslcd over an unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to connect.
+## </summary>
+## </param>
+#
+interface(`nslcd_stream_connect',`
+ gen_require(`
+ type nslcd_t, nslcd_var_run_t;
+ ')
+
+ stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an nslcd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nslcd_admin',`
+ gen_require(`
+ type nslcd_t, nslcd_initrc_exec_t;
+ ')
+
+ ps_process_pattern($1, nslcd_t)
+ allow $1 nslcd_t:process { ptrace signal_perms };
+
+ # Allow nslcd_t to restart the apache service
+ nslcd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 nslcd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ allow $1 nslcd_conf_t:file read_file_perms;
+')
diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te
new file mode 100644
index 00000000..e93e1dfd
--- /dev/null
+++ b/policy/modules/services/nslcd.te
@@ -0,0 +1,44 @@
+
+policy_module(nslcd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type nslcd_t;
+type nslcd_exec_t;
+init_daemon_domain(nslcd_t, nslcd_exec_t)
+
+type nslcd_initrc_exec_t;
+init_script_file(nslcd_initrc_exec_t)
+
+type nslcd_var_run_t;
+files_pid_file(nslcd_var_run_t)
+
+type nslcd_conf_t;
+files_type(nslcd_conf_t)
+
+########################################
+#
+# nslcd local policy
+#
+
+allow nslcd_t self:capability { setgid setuid dac_override };
+allow nslcd_t self:process signal;
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow nslcd_t nslcd_conf_t:file read_file_perms;
+
+manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+
+files_read_etc_files(nslcd_t)
+
+auth_use_nsswitch(nslcd_t)
+
+logging_send_syslog_msg(nslcd_t)
+
+miscfiles_read_localization(nslcd_t) |
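Review bot: `nslcd_admin` in nslcd.if uses `nslcd_conf_t` in its last rule, `allow $1 nslcd_conf_t:file read_file_perms;`, but the interface's `gen_require` only lists `type nslcd_t, nslcd_initrc_exec_t;`, so a module that calls this interface without nslcd_conf_t already in scope will fail to build; the require line should be `type nslcd_t, nslcd_initrc_exec_t, nslcd_conf_t;`. The comment `# Allow nslcd_t to restart the apache service` is a copy-paste leftover — the rules below it apply to the admin domain ($1), and the service is nslcd — so it should read `# Allow the admin domain to restart the nslcd service`. The `nslcd_stream_connect` summary `Connect to nslcd over an unix stream socket` should say `a unix stream socket`. Admin interfaces elsewhere in this tree usually also let the admin manage the daemon's pid directory (`files_list_pids($1)` plus a manage pattern over nslcd_var_run_t); if that is intended here, nslcd_var_run_t would need to be added to the require block as well.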
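Review bot: In nslcd.te the rule `allow nslcd_t self:capability { setgid setuid dac_override };` grants dac_override with no comment saying which access needs it; dac_override lets the daemon ignore file mode bits on every object its other type rules already permit, so it should be either justified in place or dropped. setuid/setgid suggest the daemon changes to an unprivileged uid after start (inferred from the capability pair, not shown in the hunk); if the config file and pid directory are touched while still root, dac_override may be unnecessary, and it is worth confirming in permissive mode and recording the result, e.g. `# dac_override: TODO confirm which access needs it; remove if none`. A one-line comment above `type nslcd_conf_t;` explaining why the config file gets a private type instead of the generic etc_t label (presumably because it can hold the LDAP bind credentials — verify against the daemon's documentation) would also help the next maintainer keep the read rules as narrow as they are now.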