1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
policy_module(ldap, 1.8.1)
########################################
#
# Declarations
#
type slapd_t;
type slapd_exec_t;
init_daemon_domain(slapd_t, slapd_exec_t)
type slapd_cert_t;
files_type(slapd_cert_t)
type slapd_db_t;
files_type(slapd_db_t)
type slapd_etc_t;
files_config_file(slapd_etc_t)
type slapd_initrc_exec_t;
init_script_file(slapd_initrc_exec_t)
type slapd_lock_t;
files_lock_file(slapd_lock_t)
type slapd_replog_t;
files_type(slapd_replog_t)
type slapd_tmp_t;
files_tmp_file(slapd_tmp_t)
type slapd_var_run_t;
files_pid_file(slapd_var_run_t)
########################################
#
# Local policy
#
# should not need kill
# cjp: why net_raw?
allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
dontaudit slapd_t self:capability sys_tty_config;
allow slapd_t self:process setsched;
allow slapd_t self:fifo_file rw_fifo_file_perms;
allow slapd_t self:udp_socket create_socket_perms;
#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
allow slapd_t self:tcp_socket create_stream_socket_perms;
allow slapd_t slapd_cert_t:dir list_dir_perms;
read_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
# Allow access to the slapd databases
manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)
manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
allow slapd_t slapd_etc_t:file read_file_perms;
allow slapd_t slapd_lock_t:file manage_file_perms;
files_lock_filetrans(slapd_t,slapd_lock_t,file)
# Allow access to write the replication log (should tighten this)
manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
corenet_all_recvfrom_unlabeled(slapd_t)
corenet_all_recvfrom_netlabel(slapd_t)
corenet_tcp_sendrecv_all_if(slapd_t)
corenet_udp_sendrecv_all_if(slapd_t)
corenet_tcp_sendrecv_all_nodes(slapd_t)
corenet_udp_sendrecv_all_nodes(slapd_t)
corenet_tcp_sendrecv_all_ports(slapd_t)
corenet_udp_sendrecv_all_ports(slapd_t)
corenet_tcp_bind_all_nodes(slapd_t)
corenet_tcp_bind_ldap_port(slapd_t)
corenet_tcp_connect_all_ports(slapd_t)
corenet_sendrecv_ldap_server_packets(slapd_t)
corenet_sendrecv_all_client_packets(slapd_t)
dev_read_urand(slapd_t)
dev_read_sysfs(slapd_t)
fs_getattr_all_fs(slapd_t)
fs_search_auto_mountpoints(slapd_t)
domain_use_interactive_fds(slapd_t)
files_read_etc_files(slapd_t)
files_read_etc_runtime_files(slapd_t)
files_read_usr_files(slapd_t)
files_list_var_lib(slapd_t)
auth_use_nsswitch(slapd_t)
logging_send_syslog_msg(slapd_t)
miscfiles_read_certs(slapd_t)
miscfiles_read_localization(slapd_t)
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
userdom_dontaudit_search_user_home_dirs(slapd_t)
optional_policy(`
kerberos_use(slapd_t)
')
optional_policy(`
seutil_sigchld_newrole(slapd_t)
')
optional_policy(`
udev_read_db(slapd_t)
')
|
