
Expose dirsrv SELinux policy interface.

This adds a number of interface macros to the dirsrv SELinux policy
module.  These macros are intended for use by the Administration
Server SELinux policy that is currently being developed.

I also made some changes to the setup code that labels newly created
directories.  When the first instance is created, some top-level
directories are created that were not being labeled properly.
Nathan Kinder 16 years ago
parent
commit
d7b1c99abd
2 changed files with 168 additions and 1 deletions
  1. 15 1
      ldap/admin/src/scripts/DSCreate.pm.in
  2. 153 0
      selinux/dirsrv.if

+ 15 - 1
ldap/admin/src/scripts/DSCreate.pm.in

@@ -903,7 +903,21 @@ sub updateSelinuxPolicy {
 
     # if selinux is not available, do nothing
     if ("@with_selinux@") {
-        # run restorecon on all directories we created
+        my $localstatedir = $inf->{slapd}->{localstatedir};
+
+        # run restorecon on all of the parent directories we
+        # may have created (this only happens if this is the
+        # first instance created).
+        if ("@with_fhs_opt@") {
+            system("restorecon -R $localstatedir/@PACKAGE_NAME@");
+        } else {
+            system("restorecon -R $localstatedir/lock/@PACKAGE_NAME@");
+            system("restorecon -R $localstatedir/log/@PACKAGE_NAME@");
+            system("restorecon -R $localstatedir/run/@PACKAGE_NAME@");
+            system("restorecon -R $localstatedir/lib/@PACKAGE_NAME@");
+        }
+
+        # run restorecon on all instance directories we created
         for my $kw (qw(inst_dir config_dir schema_dir log_dir lock_dir run_dir tmp_dir
                 cert_dir db_dir ldif_dir bak_dir)) {
             my $dir = $inf->{slapd}->{$kw};
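Review bot: The five new `restorecon` calls each build a single shell command string from `$localstatedir`, which is read from the setup `$inf` data, so a path containing whitespace or shell metacharacters is split or interpreted by the shell instead of reaching restorecon as one argument. The list form bypasses the shell: `system('restorecon', '-R', "$localstatedir/@PACKAGE_NAME@");`, and the same for the lock/log/run/lib calls. The return value is also ignored in all five calls, so a failed relabel passes silently and the directories keep the wrong context; comparing the result with `0` and emitting a warning would make that visible. updateSelinuxPolicy starts and continues outside the hunk, so how the rest of the function reports errors cannot be seen here.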

+ 153 - 0
selinux/dirsrv.if

@@ -21,3 +21,156 @@ interface(`dirsrv_domtrans',`
 	allow dirsrv_t $1:fifo_file rw_file_perms;
 	allow dirsrv_t $1:process sigchld;
 ')
+
+
+########################################
+## <summary>
+##  Allow caller to signal dirsrv.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_signal',`
+	gen_require(`
+		type dirsrv_t;
+	')
+
+	allow $1 dirsrv_t:process signal;
+')
+
+
+########################################
+## <summary>
+##      Send a null signal to dirsrv.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_signull',`
+	gen_require(`
+		type dirsrv_t;
+	')
+
+	allow $1 dirsrv_t:process signull;
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv logs.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_log',`
+	gen_require(`
+		type dirsrv_var_log_t;
+	')
+
+	allow $1 dirsrv_var_log_t:dir manage_dir_perms;
+	allow $1 dirsrv_var_log_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_lib',`
+        gen_require(`
+                type dirsrv_var_lib_t;
+        ')
+        allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
+        allow $1 dirsrv_var_lib_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_run',`
+	gen_require(`
+		type dirsrv_var_run_t;
+	')
+	allow $1 dirsrv_var_run_t:dir manage_dir_perms;
+	allow $1 dirsrv_var_run_t:file manage_file_perms;
+	allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+	# Allow creating a dir in /var/run with this type
+	files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+########################################
+## <summary>
+##      Manage dirsrv configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_manage_config',`
+	gen_require(`
+		type dirsrv_config_t;
+	')
+
+	allow $1 dirsrv_config_t:dir manage_dir_perms;
+	allow $1 dirsrv_config_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##      Read and exec dirsrv lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_exec_lib',`
+	gen_require(`
+		type dirsrv_lib_t;
+	')
+
+	allow $1 dirsrv_lib_t:dir { search getattr };
+	allow $1 dirsrv_lib_t:file { read getattr open execute execute_no_trans ioctl};
+')
+
+########################################
+## <summary>
+##      Read dirsrv share files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_read_share',`
+	gen_require(`
+		type dirsrv_share_t;
+	')
+
+	allow $1 dirsrv_share_t:dir { search getattr };
+	allow $1 dirsrv_share_t:file { read getattr open };
+')