[389-devel] Please Review: Extend dirsrv SELinux policy interface

From 41fa124aeec3b6bc86f28d69aeccb0e02f382aeb Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@xxxxxxxxxx>
Date: Thu, 22 Oct 2009 14:56:06 -0700
Subject: [PATCH] Extend dirsrv SELinux policy interface.

The dirsrv SELinux policy interface needed to be extended to
allow the confined Admin Server the proper permissions to
interact with the Directory Server.
---
 selinux/dirsrv.if |   29 +++++++++++++++++++++++++----
 1 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
index 1703529..80b478f 100644
--- a/selinux/dirsrv.if
+++ b/selinux/dirsrv.if
@@ -118,6 +118,24 @@ interface(`dirsrv_manage_var_run',`
 	files_pid_filetrans($1, dirsrv_var_run_t, dir)
 ')
 
+#######################################
+## <summary>
+##      Allow a domain to read dirsrv /var/run files.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrv_read_var_run',`
+        gen_require(`
+                type dirsrv_var_run_t;
+        ')
+        allow $1 dirsrv_var_run_t:dir list_dir_perms;
+        allow $1 dirsrv_var_run_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##      Manage dirsrv configuration files.
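Review bot: the new dirsrv_read_var_run block is indented with spaces while the surrounding interfaces in this file (see the files_pid_filetrans line above and the dirsrv_exec_lib body below) use tabs, and its comment bar is one character shorter than the existing "########################################" headers; match the file's tab indentation and header width so the generated documentation and diffs stay consistent. Also, since the dirsrv_read_share hunk in this same patch adds a lnk_file read rule, it is worth stating whether callers of dirsrv_read_var_run can encounter symlinks under the dirsrv /var/run directory; if they can, add the matching lnk_file rule here rather than in a follow-up.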
@@ -152,8 +170,10 @@ interface(`dirsrv_exec_lib',`
 		type dirsrv_lib_t;
 	')
 
-	allow $1 dirsrv_lib_t:dir { search getattr };
-	allow $1 dirsrv_lib_t:file { read getattr open execute execute_no_trans ioctl};
+	allow $1 dirsrv_lib_t:dir search_dir_perms;
+	allow $1 dirsrv_lib_t:file exec_file_perms;
+	# Not all platforms include ioctl in exec_file_perms
+	allow $1 dirsrv_lib_t:file ioctl;
 ')
 
 ########################################
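Review bot: the comment "Not all platforms include ioctl in exec_file_perms" should name which policy versions lack it, otherwise the separate "allow $1 dirsrv_lib_t:file ioctl;" line looks redundant to a reader on a platform where exec_file_perms already covers ioctl (a duplicate allow is harmless, but the rationale will be lost once the old platforms drop out of support). The switch from the explicit "{ search getattr }" set to search_dir_perms and from the explicit file set to exec_file_perms is an improvement in maintainability; the explicit sets and the permission macros grant the same access here, so no behaviour change is expected from those two lines.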
@@ -171,6 +191,7 @@ interface(`dirsrv_read_share',`
 		type dirsrv_share_t;
 	')
 
-	allow $1 dirsrv_share_t:dir { search getattr };
-	allow $1 dirsrv_share_t:file { read getattr open };
+	allow $1 dirsrv_share_t:dir list_dir_perms;
+	allow $1 dirsrv_share_t:file read_file_perms;
+	allow $1 dirsrv_share_t:lnk_file read;
 ')
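Review bot: replacing "{ search getattr }" with list_dir_perms on dirsrv_share_t:dir widens the grant from traversing the directory to enumerating its contents; if the confined Admin Server only opens known paths under the share directory, search_dir_perms (as used in the dirsrv_exec_lib hunk) is the narrower choice, so the commit message or a comment should say why listing is required. For the new "allow $1 dirsrv_share_t:lnk_file read;" line, consider read_lnk_file_perms instead of bare read so that getattr on the symlink is covered too; otherwise an lstat() on the link will still produce a denial even though following it succeeds.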
-- 
1.6.2.5

--
389-devel mailing list
389-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
