Apq
/
389-ds-base
mirror of https://github.com/389ds/389-ds-base.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212
							policy_module(dirsrv,1.0.0)

########################################
#
# Declarations
#

# NGK - this can go away when bz 478629, bz 523548,
# and bz 523771 are addressed.  See the notes below
# where we work around those issues.
require {
    type snmpd_var_lib_t;
    type snmpd_t;
}

# main daemon
type dirsrv_t;
type dirsrv_exec_t;
domain_type(dirsrv_t)
init_daemon_domain(dirsrv_t, dirsrv_exec_t)

# snmp subagent daemon
type dirsrv_snmp_t;
type dirsrv_snmp_exec_t;
domain_type(dirsrv_snmp_t)
init_daemon_domain(dirsrv_snmp_t, dirsrv_snmp_exec_t)

# var/lib files
type dirsrv_var_lib_t;
files_type(dirsrv_var_lib_t)

# log files
type dirsrv_var_log_t;
logging_log_file(dirsrv_var_log_t)

# snmp log file
type dirsrv_snmp_var_log_t;
logging_log_file(dirsrv_snmp_var_log_t)

# pid files
type dirsrv_var_run_t;
files_pid_file(dirsrv_var_run_t)

# snmp pid file
type dirsrv_snmp_var_run_t;
files_pid_file(dirsrv_snmp_var_run_t)

# lock files
type dirsrv_var_lock_t;
files_lock_file(dirsrv_var_lock_t)

# config files
type dirsrv_config_t;
files_type(dirsrv_config_t)

# tmp files
type dirsrv_tmp_t;
files_tmp_file(dirsrv_tmp_t)

# semaphores
type dirsrv_tmpfs_t;
files_tmpfs_file(dirsrv_tmpfs_t)

# shared files
type dirsrv_share_t;
files_type(dirsrv_share_t);

########################################
#
# dirsrv local policy
#

# Some common macros
files_read_etc_files(dirsrv_t)
corecmd_search_sbin(dirsrv_t)
files_read_usr_symlinks(dirsrv_t)
miscfiles_read_localization(dirsrv_t)
dev_read_urand(dirsrv_t)
libs_use_ld_so(dirsrv_t)
libs_use_shared_libs(dirsrv_t)
allow dirsrv_t self:fifo_file { read write };

# process stuff
allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };

# semaphores
allow dirsrv_t self:sem all_sem_perms;
manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)

# var/lib files for dirsrv
manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })

# log files
manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
manage_fifo_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
allow dirsrv_t dirsrv_var_log_t:dir { setattr };
logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })

# pid files
manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, { file sock_file })

# ldapi socket
manage_sock_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)

# lock files
manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
files_lock_filetrans(dirsrv_t, dirsrv_var_lock_t, { file })

# config files
manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
manage_dirs_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)

# tmp files
manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })

# system state
fs_getattr_all_fs(dirsrv_t)
kernel_read_system_state(dirsrv_t)

# kerberos config for SASL GSSAPI
kerberos_read_config(dirsrv_t)
kerberos_dontaudit_write_config(dirsrv_t)

# Networking basics
sysnet_dns_name_resolve(dirsrv_t)
corenet_all_recvfrom_unlabeled(dirsrv_t)
corenet_all_recvfrom_netlabel(dirsrv_t)
corenet_tcp_sendrecv_generic_if(dirsrv_t)
corenet_tcp_sendrecv_generic_node(dirsrv_t)
corenet_tcp_sendrecv_all_ports(dirsrv_t)
corenet_tcp_bind_all_nodes(dirsrv_t)
corenet_tcp_bind_ldap_port(dirsrv_t)
corenet_tcp_bind_all_rpc_ports(dirsrv_t)
corenet_udp_bind_all_rpc_ports(dirsrv_t)
corenet_tcp_connect_all_ports(dirsrv_t)
corenet_sendrecv_ldap_server_packets(dirsrv_t)
corenet_sendrecv_all_client_packets(dirsrv_t)
allow dirsrv_t self:tcp_socket { create_stream_socket_perms };

# Init script handling
init_use_fds(dirsrv_t)
init_use_script_ptys(dirsrv_t)
domain_use_interactive_fds(dirsrv_t)


########################################
#
# dirsrv-snmp local policy
#

# Some common macros
files_read_etc_files(dirsrv_snmp_t)
miscfiles_read_localization(dirsrv_snmp_t)
libs_use_ld_so(dirsrv_snmp_t)
libs_use_shared_libs(dirsrv_snmp_t)
dev_read_rand(dirsrv_snmp_t)
dev_read_urand(dirsrv_snmp_t)
files_read_usr_files(dirsrv_snmp_t)
fs_getattr_tmpfs(dirsrv_snmp_t)
fs_search_tmpfs(dirsrv_snmp_t)
allow dirsrv_snmp_t self:fifo_file { read write };
sysnet_read_config(dirsrv_snmp_t)
sysnet_dns_name_resolve(dirsrv_snmp_t)

# Net-SNMP /var/lib files (includes agentx unix domain socket)
snmp_dontaudit_read_snmp_var_lib_files(dirsrv_snmp_t)
snmp_dontaudit_write_snmp_var_lib_files(dirsrv_snmp_t)
# NGK - there really should be a macro for this. (see bz 523771)
allow dirsrv_snmp_t snmpd_var_lib_t:file append;
# NGK - use snmp_stream_connect(dirsrv_snmp_t) when it is made
# available on all platforms we build on (see bz 478629 and bz 523548)
stream_connect_pattern(dirsrv_snmp_t, snmpd_var_lib_t, snmpd_var_lib_t, snmpd_t)

# Net-SNMP agentx tcp socket
corenet_tcp_connect_agentx_port(dirsrv_snmp_t)

# Net-SNMP persistent data file
files_manage_var_files(dirsrv_snmp_t)

# stats file semaphore
rw_files_pattern(dirsrv_snmp_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)

# stats file
read_files_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)

# process stuff
allow dirsrv_snmp_t self:capability { dac_override dac_read_search };

# config file
read_files_pattern(dirsrv_snmp_t, dirsrv_config_t, dirsrv_config_t)

# pid file
manage_files_pattern(dirsrv_snmp_t, dirsrv_snmp_var_run_t, dirsrv_snmp_var_run_t)
files_pid_filetrans(dirsrv_snmp_t, dirsrv_snmp_var_run_t, { file sock_file })
search_dirs_pattern(dirsrv_snmp_t, dirsrv_var_run_t, dirsrv_var_run_t)

# log file
manage_files_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t);
filetrans_pattern(dirsrv_snmp_t, dirsrv_var_log_t, dirsrv_snmp_var_log_t, file)

# Init script handling
init_use_fds(dirsrv_snmp_t)
init_use_script_ptys(dirsrv_snmp_t)
domain_use_interactive_fds(dirsrv_snmp_t)