[389-devel] Please Review: Expose dirsrv SELinux policy interface

>From d7b1c99abd516b54e302acb775c9e01295fc616a Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@xxxxxxxxxx>
Date: Thu, 15 Oct 2009 09:31:52 -0700
Subject: [PATCH] Expose dirsrv SELinux policy interface.

This adds a number of interface macros to the dirsrv SELinux policy
module.  These macros are intended for use by the Administration
Server SELinux policy that is currently being developed.

I also made some changes to the setup code that labels newly created
directories.  When the first instance is created, some top-level
directories are created that were not being labeled properly.
---
 ldap/admin/src/scripts/DSCreate.pm.in |   16 +++-
 selinux/dirsrv.if                     |  153 +++++++++++++++++++++++++++++++++
 2 files changed, 168 insertions(+), 1 deletions(-)

diff --git a/ldap/admin/src/scripts/DSCreate.pm.in b/ldap/admin/src/scripts/DSCreate.pm.in
index 96930df..43fd1d9 100644
--- a/ldap/admin/src/scripts/DSCreate.pm.in
+++ b/ldap/admin/src/scripts/DSCreate.pm.in
@@ -903,7 +903,21 @@ sub updateSelinuxPolicy {
 
     # if selinux is not available, do nothing
     if ("@with_selinux@") {
-        # run restorecon on all directories we created
+        my $localstatedir = $inf->{slapd}->{localstatedir};
+
+        # run restorecon on all of the parent directories we
+        # may have created (this only happens if this is the
+        # first instance created).
+        if ("@with_fhs_opt@") {
+            system("restorecon -R $localstatedir/@PACKAGE_NAME@");
+        } else {
+            system("restorecon -R $localstatedir/lock/@PACKAGE_NAME@");
+            system("restorecon -R $localstatedir/log/@PACKAGE_NAME@");
+            system("restorecon -R $localstatedir/run/@PACKAGE_NAME@");
+            system("restorecon -R $localstatedir/lib/@PACKAGE_NAME@");
+        }
+
+        # run restorecon on all instance directories we created
         for my $kw (qw(inst_dir config_dir schema_dir log_dir lock_dir run_dir tmp_dir
                 cert_dir db_dir ldif_dir bak_dir)) {
             my $dir = $inf->{slapd}->{$kw};
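Review bot: The added system("restorecon -R $localstatedir/...") calls build one command string from $inf->{slapd}->{localstatedir} and never check the exit status. A value containing whitespace or shell metacharacters will be split or interpreted by the shell, and a failed relabel goes unreported. Use the list form, for example system("restorecon", "-R", "$localstatedir/@PACKAGE_NAME@"), and log or return an error when the call returns non-zero. In the non-FHS branch the four paths are relabeled unconditionally; a -d test before each call would avoid restorecon errors for parent directories that were never created on this system.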
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
index d3851ba..1703529 100644
--- a/selinux/dirsrv.if
+++ b/selinux/dirsrv.if
@@ -21,3 +21,156 @@ interface(`dirsrv_domtrans',`
 	allow dirsrv_t $1:fifo_file rw_file_perms;
 	allow dirsrv_t $1:process sigchld;
 ')
+
+
+########################################
+## <summary>
+##  Allow caller to signal dirsrv.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_signal',`
+	gen_require(`
+		type dirsrv_t;
+	')
+
+	allow $1 dirsrv_t:process signal;
+')
+
+
+########################################
+## <summary>
+##      Send a null signal to dirsrv.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_signull',`
+	gen_require(`
+		type dirsrv_t;
+	')
+
+	allow $1 dirsrv_t:process signull;
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv logs.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_log',`
+	gen_require(`
+		type dirsrv_var_log_t;
+	')
+
+	allow $1 dirsrv_var_log_t:dir manage_dir_perms;
+	allow $1 dirsrv_var_log_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv /var/lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_lib',`
+        gen_require(`
+                type dirsrv_var_lib_t;
+        ')
+        allow $1 dirsrv_var_lib_t:dir manage_dir_perms;
+        allow $1 dirsrv_var_lib_t:file manage_file_perms;
+')
+
+#######################################
+## <summary>
+##      Allow a domain to manage dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_manage_var_run',`
+	gen_require(`
+		type dirsrv_var_run_t;
+	')
+	allow $1 dirsrv_var_run_t:dir manage_dir_perms;
+	allow $1 dirsrv_var_run_t:file manage_file_perms;
+	allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
+	# Allow creating a dir in /var/run with this type
+	files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+########################################
+## <summary>
+##      Manage dirsrv configuration files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_manage_config',`
+	gen_require(`
+		type dirsrv_config_t;
+	')
+
+	allow $1 dirsrv_config_t:dir manage_dir_perms;
+	allow $1 dirsrv_config_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##      Read and exec dirsrv lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_exec_lib',`
+	gen_require(`
+		type dirsrv_lib_t;
+	')
+
+	allow $1 dirsrv_lib_t:dir { search getattr };
+	allow $1 dirsrv_lib_t:file { read getattr open execute execute_no_trans ioctl};
+')
+
+########################################
+## <summary>
+##      Read dirsrv share files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dirsrv_read_share',`
+	gen_require(`
+		type dirsrv_share_t;
+	')
+
+	allow $1 dirsrv_share_t:dir { search getattr };
+	allow $1 dirsrv_share_t:file { read getattr open };
+')
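Review bot: In dirsrv_manage_var_run, the rule "allow $1 dirsrv_var_run_t:sock_file manage_file_perms;" applies the regular-file permission set to the sock_file class; the class-specific set manage_sock_file_perms is the conventional choice there. The same interface also calls files_pid_filetrans($1, dirsrv_var_run_t, dir), so every caller silently gains a type transition that the summary ("manage dirsrv /var/run files") does not mention; either say so in the summary or move the transition into its own interface so callers can opt in. For dirsrv_exec_lib and dirsrv_read_share, consider the standard permission-set macros in place of the hand-written lists, so the interfaces track future changes to those sets. Style: dirsrv_manage_var_lib is indented with spaces while the other interfaces use tabs, and the param/summary comment indentation differs between the new interfaces.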
-- 
1.6.2.5
