>From 1b00a7030a64c9e916cebae8e69b94774572bf0b Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@xxxxxxxxxx>
Date: Thu, 22 Oct 2009 14:50:08 -0700
Subject: [PATCH] Add SELinux policy module for Admin Server.
This adds a SELinux policy module for Admin Server named
dirsrv-admin. The build system has been updated to have a
--with-selinux configure option, which generates the policy
.fc file with the proper paths and enables some SELinux
specific setup code. The actual policy module will be build
by the specfile or by hand in the build area.
One thing to note is that the service command must be used
when starting (or restarting) the dirsrv-admin server in order
for the process to be properly confined. It may be wise to
deprecate the start/stop/restart commands in the future (or
move them to a program private area to discourage their use).
---
Makefile.am | 21 +++-
admserv/cfgstuff/start-ds-admin.in | 6 +-
admserv/newinst/src/AdminServer.pm.in | 99 +++++++++++++++-
admserv/newinst/src/setup-ds-admin.res.in | 2 +
configure.ac | 4 +
m4/selinux.m4 | 34 ++++++
selinux/dirsrv-admin.fc.in | 16 +++
selinux/dirsrv-admin.if | 181 +++++++++++++++++++++++++++++
selinux/dirsrv-admin.te | 130 +++++++++++++++++++++
9 files changed, 484 insertions(+), 9 deletions(-)
create mode 100644 m4/selinux.m4
create mode 100644 selinux/dirsrv-admin.fc.in
create mode 100644 selinux/dirsrv-admin.if
create mode 100644 selinux/dirsrv-admin.te
diff --git a/Makefile.am b/Makefile.am
index c5b16f3..cc93062 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -141,6 +141,21 @@ else
MYLINK = $(LINK)
endif
+if SELINUX
+POLICY_FC = selinux-built/dirsrv-admin.fc
+endif
+
+BUILT_SOURCES = $(POLICY_FC)
+
+clean-local:
+ -rm -rf selinux-built
+
+selinux-built:
+ cp -r $(srcdir)/selinux $@
+
+selinux-built/dirsrv-admin.fc: selinux-built
+ $(fixupcmd) selinux-built/dirsrv-admin.fc.in > $@
+
init_SCRIPTS = wrappers/$(PACKAGE_NAME)
initconfig_DATA = admserv/cfgstuff/$(PACKAGE_NAME)
@@ -503,7 +518,8 @@ fixupcmd = sed \
-e 's,@ldifdir\@,$(ldifdir),g' \
-e 's,@adminutilpath\@,$(adminutilpath),g' \
-e 's,@initconfigdir\@,$(initconfigdir),g' \
- -e 's,@updatedir\@,$(updatedir),g'
+ -e 's,@updatedir\@,$(updatedir),g' \
+ -e 's,@with_selinux\@,@with_selinux@,g'
else
fixupcmd = sed \
-e 's,@ECHO_C\@,$(ECHO_C),g' \
@@ -556,7 +572,8 @@ fixupcmd = sed \
-e 's,@ldifdir\@,$(ldifdir),g' \
-e 's,@adminutilpath\@,$(adminutilpath),g' \
-e 's,@initconfigdir\@,$(initconfigdir),g' \
- -e 's,@updatedir\@,$(updatedir),g'
+ -e 's,@updatedir\@,$(updatedir),g' \
+ -e 's,@with_selinux\@,@with_selinux@,g'
endif
# because the source may be either httpd.conf.in or httpd-2.2.conf.in
diff --git a/admserv/cfgstuff/start-ds-admin.in b/admserv/cfgstuff/start-ds-admin.in
index 06a720c..6ed6db8 100644
--- a/admserv/cfgstuff/start-ds-admin.in
+++ b/admserv/cfgstuff/start-ds-admin.in
@@ -58,8 +58,4 @@ fi
# source env. for admin server
[ -f @initconfigdir@/@package_name@ ] && . @initconfigdir@/@package_name@
-if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
- SELINUX_CMD="runcon -t unconfined_t --"
-fi
-
-$SELINUX_CMD $HTTPD $OMIT_DEFLATE -k start -f @configdir@/httpd.conf "$@"
+$HTTPD $OMIT_DEFLATE -k start -f @configdir@/httpd.conf "$@"
diff --git a/admserv/newinst/src/AdminServer.pm.in b/admserv/newinst/src/AdminServer.pm.in
index a91aadd..a082975 100644
--- a/admserv/newinst/src/AdminServer.pm.in
+++ b/admserv/newinst/src/AdminServer.pm.in
@@ -434,12 +434,23 @@ sub startAdminServer {
SUFFIX => ".log", DIR => File::Spec->tmpdir);
close($fh);
my $rc;
+ my $selinux_cmd = "";
+
+ # If we're using selinux, start the server with the proper context
+ # to allow the process to transition to the proper domain.
+ if ("@with_selinux@") {
+ $rc = system("/usr/sbin/selinuxenabled");
+ if ($rc == 0) {
+ $selinux_cmd = "runcon -u system_u -r system_r -t initrc_t";
+ }
+ }
+
if ($isrunning) {
$setup->msg('restarting_adminserver');
- $rc = system("@cmdbindir@/restart-ds-admin > $filename 2>&1");
+ $rc = system("$selinux_cmd @cmdbindir@/restart-ds-admin > $filename 2>&1");
} else {
$setup->msg('starting_adminserver');
- $rc = system("@cmdbindir@/start-ds-admin > $filename 2>&1");
+ $rc = system("$selinux_cmd @cmdbindir@/start-ds-admin > $filename 2>&1");
}
open(STARTLOG, "$filename");
@@ -524,6 +535,9 @@ sub createAdminServer {
return 0;
}
+ # Update SELinux policy if needed
+ updateSelinuxPolicy($setup, $configdir, $securitydir, $logdir, $rundir);
+
if (!startAdminServer($setup, $configdir, $logdir, $rundir)) {
return 0;
}
@@ -583,6 +597,52 @@ sub removeAdminServer {
my $rundir = $ENV{ADMSERV_PID_DIR} || "@piddir@";
+ # Need to unlabel the port if we're using SELinux.
+ if ("@with_selinux@") {
+ my $port;
+
+ # Read the console.conf file to find the port number.
+ if (!open(CONSOLECONF, "$configdir/console.conf")) {
+ if ($force) {
+ debug(1, "Warning: Could not open $configdir/console.conf: $!");
+ } else {
+ debug(1, "Error: Could not open $configdir/console.conf: $!");
+ return( [ 'error_reading_conffile', "$configdir/console.conf", $! ] );
+ }
+ } else {
+ # Find the Listen directive and read the port number.
+ while (<CONSOLECONF>) {
+ if (/^Listen /g) {
+ # The port is after the last ':'
+ my @listenline = split(/:/);
+ $port = $listenline[-1];
+ }
+ }
+ close(CONSOLECONF);
+ }
+
+ if (!$port) {
+ if ($force) {
+ debug(1, "Warning: Could not determine port number - forcing continue\n");
+ debug(1, "Warning: Port not removed from selinux policy correctly. Remove label manually using semanage.\n");
+ } else {
+ debug(1, "Error: Could not determine port number - aborting - use -f flag to force removal\n");
+ return ( [ 'error_reading_port' ] );
+ }
+ } else {
+ # Attempt to remove the http_port_t label from the port used by Admin Server.
+ my $semanage_err = `semanage port -d -t http_port_t -p tcp $port 2>&1`;
+ if ($? != 0) {
+ if ($semanage_err !~ /defined in policy, cannot be deleted/) {
+ debug(1, "Warning: Port $port not removed from selinux policy correctly. Error: $semanage_err\n");
+ if (!$force) {
+ return( [ 'error_removing_port_label', $port, $semanage_err ] );
+ }
+ }
+ }
+ }
+ }
+
# remove admin server files in $rundir
my $file;
for $file (glob("$rundir/admin-serv.*")) {
@@ -626,6 +686,41 @@ sub removeAdminServer {
return;
}
+sub updateSelinuxPolicy {
+ my $setup = shift;
+ my $configdir = shift;
+ my $securitydir = shift;
+ my $logdir = shift;
+ my $rundir = shift;
+
+ # if selinux is not available, do nothing
+ if ("@with_selinux@") {
+ # run restorecon on all directories we created
+ system("restorecon -R $configdir $securitydir $logdir $rundir");
+
+ # Label the selected port as http_port_t.
+ if ($setup->{inf}->{admin}->{Port}) {
+ my $need_label = 1;
+
+ # check if the port is already labeled properly
+ my $portline = `semanage port -l | grep http_port_t | grep tcp`;
+ chomp($portline);
+ $portline =~ s/http_port_t\s+tcp\s+//g;
+ my @labeledports = split(/,\s+/, $portline);
+ foreach my $labeledport (@labeledports) {
+ if ($setup->{inf}->{admin}->{Port} == $labeledport) {
+ $need_label = 0;
+ last;
+ }
+ }
+
+ if ($need_label == 1) {
+ system("semanage port -a -t http_port_t -p tcp $setup->{inf}->{admin}->{Port}");
+ }
+ }
+ }
+}
+
1;
# emacs settings
diff --git a/admserv/newinst/src/setup-ds-admin.res.in b/admserv/newinst/src/setup-ds-admin.res.in
index 463b2ea..a39a22e 100644
--- a/admserv/newinst/src/setup-ds-admin.res.in
+++ b/admserv/newinst/src/setup-ds-admin.res.in
@@ -143,3 +143,5 @@ error_finding_isie = Unable to find the software configuration entry '%s' in ser
error_updating_conffile = Unable to update the config file '%s'. Error: %s\n
error_reading_conffile = Unable to read the config file '%s'. Error: %s\n
error_admconf_isie = Unable to find the isie attribute in the config file '%s'\nPlease make sure you have registerd this server with the configuration Directory Server.\n\n
+error_reading_port = Unable to determine the Admin Server port number.\n
+error_removing_port_label = Error: could not remove selinux label from port '%s'. Error: %s\n
diff --git a/configure.ac b/configure.ac
index d5ab227..d0e133c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -226,6 +226,10 @@ m4_include(m4/icu.m4)
m4_include(m4/adminutil.m4)
m4_include(m4/mod_nss.m4)
+# Check for SELinux
+m4_include(m4/selinux.m4)
+AM_CONDITIONAL(SELINUX,test "$with_selinux" = "yes")
+
# this is the subdir under $PACKAGE_BASE_NAME where admin server
# specific configs, logs, etc. are found
instancename=admin-serv
diff --git a/m4/selinux.m4 b/m4/selinux.m4
new file mode 100644
index 0000000..de97c94
--- /dev/null
+++ b/m4/selinux.m4
@@ -0,0 +1,34 @@
+# BEGIN COPYRIGHT BLOCK
+# Copyright (C) 2009 Red Hat, Inc.
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# END COPYRIGHT BLOCK
+
+AC_CHECKING(for SELinux)
+
+# check for --with-selinux
+AC_MSG_CHECKING(for --with-selinux)
+AC_ARG_WITH(selinux, [ --with-selinux Build SELinux policy],
+[
+ with_selinux=yes
+ AC_MSG_RESULT(yes)
+ AC_SUBST(with_selinux)
+ if test ! -f "/usr/share/selinux/devel/Makefile"; then
+ AC_MSG_ERROR([SELinux development tools (selinux-policy) not found])
+ fi
+],
+AC_MSG_RESULT(no))
diff --git a/selinux/dirsrv-admin.fc.in b/selinux/dirsrv-admin.fc.in
new file mode 100644
index 0000000..d00380b
--- /dev/null
+++ b/selinux/dirsrv-admin.fc.in
@@ -0,0 +1,16 @@
+# Start/stop/restart scripts for daemon (domain entry point)
+@sbindir@/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+@sbindir@/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+@sbindir@/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
+
+# Configuration
+@configdir@(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
+
+# Log dir
+@logdir@(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+
+# Pidfile
+@piddir@/@instancename@.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+
+# CGIs
+@cgibindir@(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
diff --git a/selinux/dirsrv-admin.if b/selinux/dirsrv-admin.if
new file mode 100644
index 0000000..3b0cb7e
--- /dev/null
+++ b/selinux/dirsrv-admin.if
@@ -0,0 +1,181 @@
+## <summary>Administration Server for Directory Server, dirsrv-admin.</summary>
+
+########################################
+## <summary>
+## Extend httpd domain for dirsrv-admin.
+## </summary>
+#
+interface(`dirsrvadmin_extend_httpd',`
+ gen_require(`
+ type httpd_t;
+ type httpd_tmp_t;
+ type dirsrv_t;
+ ')
+
+ # Allow httpd domain to interact with dirsrv
+ dirsrv_manage_config(httpd_t)
+ dirsrv_manage_log(httpd_t)
+ dirsrv_manage_var_run(httpd_t)
+ dirsrv_exec_lib(httpd_t)
+ dirsrv_read_share(httpd_t)
+ dirsrv_signal(httpd_t)
+ dirsrv_signull(httpd_t)
+ dirsrvadmin_manage_config(httpd_t)
+ dirsrvadmin_manage_tmp(httpd_t)
+
+ files_exec_usr_files(httpd_t)
+ files_manage_generic_tmp_files(httpd_t)
+ corenet_tcp_connect_generic_port(httpd_t)
+
+ # Strict policy
+ ifdef(`strict_policy',`
+ userdom_dontaudit_search_sysadm_home_dirs(httpd_t)
+ ')
+')
+
+########################################
+## <summary>
+## Extend httpd domain for dirsrv-admin cgi.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_script_extend_httpd',`
+ gen_require(`
+ type httpd_t, httpd_exec_t, httpd_suexec_exec_t, httpd_tmp_t, httpd_var_run_t;
+ ')
+
+ allow $1 httpd_exec_t:file { read getattr execute_no_trans };
+ allow $1 httpd_suexec_exec_t:file getattr;
+ allow $1 httpd_tmp_t:file { read write };
+ allow $1 httpd_t:udp_socket { read write };
+ allow $1 httpd_t:unix_stream_socket { ioctl getattr read write };
+ allow $1 httpd_t:netlink_route_socket { read write };
+ allow $1 httpd_t:fifo_file { write read };
+ allow $1 httpd_t:process signal;
+ allow $1 httpd_var_run_t:file read_file_perms;
+ apache_list_modules($1)
+ apache_exec_modules($1)
+ apache_use_fds($1)
+ apache_read_log($1)
+ apache_read_config($1)
+ apache_domtrans($1)
+ dirsrvadmin_run_httpd_script_exec(httpd_t)
+')
+
+########################################
+## <summary>
+## Extend dirsrv domain for dirsrv-admin.
+## </summary>
+#
+interface(`dirsrvadmin_extend_dirsrv',`
+ gen_require(`
+ type dirsrv_t;
+ type httpd_t;
+ type httpd_tmp_t;
+ ')
+
+ # Allow dirsrv to interact with CGIs
+ allow dirsrv_t httpd_dirsrvadmin_script_t:unix_stream_socket { read write };
+ allow dirsrv_t dirsrvadmin_tmp_t:file write;
+
+ # Allow dirsrv domain to interact with httpd
+ allow dirsrv_t httpd_t:fifo_file { write read };
+ allow dirsrv_t httpd_t:unix_stream_socket { ioctl getattr read write };
+ allow dirsrv_t httpd_tmp_t:file { read write };
+ apache_use_fds(dirsrv_t)
+')
+
+########################################
+## <summary>
+## Extend init domain for dirsrv-admin.
+## The initscript searches in a config file.
+## </summary>
+#
+interface(`dirsrvadmin_extend_init',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow initrc_t dirsrvadmin_config_t:file read;
+')
+
+########################################
+## <summary>
+## Exec dirsrv-admin programs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_run_exec',`
+ gen_require(`
+ type dirsrvadmin_exec_t;
+ ')
+
+ allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
+ can_exec($1,dirsrvadmin_exec_t)
+')
+
+########################################
+## <summary>
+## Exec cgi programs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_run_httpd_script_exec',`
+ gen_require(`
+ type httpd_dirsrvadmin_script_exec_t;
+ ')
+
+ allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
+ can_exec($1, httpd_dirsrvadmin_script_exec_t)
+')
+
+########################################
+## <summary>
+## Manage dirsrv-adminserver configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_manage_config',`
+ gen_require(`
+ type dirsrvadmin_config_t;
+ ')
+
+ allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
+ allow $1 dirsrvadmin_config_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Manage dirsrv-adminserver tmp files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dirsrvadmin_manage_tmp',`
+ gen_require(`
+ type dirsrvadmin_tmp_t;
+ ')
+
+ manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+ manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+')
+
diff --git a/selinux/dirsrv-admin.te b/selinux/dirsrv-admin.te
new file mode 100644
index 0000000..e6ecb4b
--- /dev/null
+++ b/selinux/dirsrv-admin.te
@@ -0,0 +1,130 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
+#
+# Declarations for the daemon
+#
+
+require {
+ type httpd_t;
+ type httpd_var_run_t;
+}
+
+type dirsrvadmin_t;
+domain_type(dirsrvadmin_t)
+
+## Create a dirsrvadmin_exec_t domain to transition to httpd_t.
+type dirsrvadmin_exec_t;
+files_type(dirsrvadmin_exec_t)
+
+# Start from initrc
+init_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
+init_daemon_domain(dirsrvadmin_t, dirsrvadmin_exec_t)
+role system_r types dirsrvadmin_t;
+
+# Keep configuration files in a private domain
+type dirsrvadmin_config_t;
+files_type(dirsrvadmin_config_t)
+
+# tmp files
+type dirsrvadmin_tmp_t;
+files_tmp_file(dirsrvadmin_tmp_t)
+
+########################################
+#
+# Local policy for the daemon
+#
+
+# Transition to httpd domain
+apache_domtrans(dirsrvadmin_t)
+
+# Extend the dirsrv and httpd policy
+dirsrvadmin_extend_httpd()
+dirsrvadmin_extend_dirsrv()
+
+# The initscript for dirsrv-admin searches in a private conf file.
+# Extend the init domain to allow the search.
+dirsrvadmin_extend_init()
+
+# tmp files
+manage_files_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(dirsrvadmin_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(dirsrvadmin_t, dirsrvadmin_tmp_t, { file dir })
+files_manage_generic_tmp_files(dirsrvadmin_t)
+
+# Things needed by the start script (before transition to httpd domain)
+allow dirsrvadmin_t self:fifo_file { write read getattr };
+allow dirsrvadmin_t self:capability { dac_read_search dac_override sys_tty_config };
+logging_search_logs(dirsrvadmin_t)
+corecmd_exec_bin(dirsrvadmin_t)
+corecmd_read_bin_symlinks(dirsrvadmin_t)
+corecmd_search_bin(dirsrvadmin_t)
+corecmd_shell_entry_type(dirsrvadmin_t)
+files_exec_etc_files(dirsrvadmin_t)
+libs_exec_ld_so(dirsrvadmin_t)
+libs_use_ld_so(dirsrvadmin_t)
+libs_use_shared_libs(dirsrvadmin_t)
+miscfiles_read_localization(dirsrvadmin_t)
+kernel_read_system_state(dirsrvadmin_t)
+# In strict policy
+ifdef(`strict_policy',`
+ # Read cwd (/root)
+ userdom_dontaudit_search_sysadm_home_dirs(dirsrvadmin_t)
+')
+# In targeted policy
+ifdef(`targeted_policy',`
+ # Read cwd (/root)
+ userdom_dontaudit_search_generic_user_home_dirs(dirsrvadmin_t)
+')
+
+# Needed for stop and restart scripts
+dirsrv_read_var_run(dirsrvadmin_t)
+allow dirsrvadmin_t httpd_t:process signal;
+allow dirsrvadmin_t httpd_var_run_t:file read_file_perms;
+
+########################################
+#
+# Local policy for the CGIs
+#
+#
+#
+# Create a domain for the CGI scripts
+apache_content_template(dirsrvadmin)
+
+# Process and networking stuff
+allow httpd_dirsrvadmin_script_t self:process { getsched getpgid };
+allow httpd_dirsrvadmin_script_t self:capability { setuid net_bind_service setgid chown sys_nice kill dac_read_search dac_override };
+allow httpd_dirsrvadmin_script_t self:tcp_socket { write getopt create read connect bind getattr setopt accept listen shutdown };
+allow httpd_dirsrvadmin_script_t self:udp_socket { write read create connect getattr };
+allow httpd_dirsrvadmin_script_t self:unix_dgram_socket { write create connect };
+allow httpd_dirsrvadmin_script_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow httpd_dirsrvadmin_script_t self:sem { write destroy create unix_write setattr };
+kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
+corenet_sendrecv_unlabeled_packets(httpd_dirsrvadmin_script_t)
+corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
+corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
+corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
+sysnet_read_config(httpd_dirsrvadmin_script_t)
+files_search_var_lib(httpd_dirsrvadmin_script_t)
+
+# The CGI scripts require some interfaces that doesn't exist in httpd_t
+dirsrvadmin_script_extend_httpd(httpd_dirsrvadmin_script_t)
+
+# The CGI scripts must be able to manage dirsrv-admin
+dirsrvadmin_run_exec(httpd_dirsrvadmin_script_t)
+dirsrvadmin_manage_config(httpd_dirsrvadmin_script_t)
+manage_files_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+manage_dirs_pattern(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, dirsrvadmin_tmp_t)
+files_tmp_filetrans(httpd_dirsrvadmin_script_t, dirsrvadmin_tmp_t, { file dir })
+
+# The CGI scripts must be able to manage the dirsrv
+dirsrv_domtrans(httpd_dirsrvadmin_script_t)
+dirsrv_signal(httpd_dirsrvadmin_script_t)
+dirsrv_signull(httpd_dirsrvadmin_script_t)
+dirsrv_manage_log(httpd_dirsrvadmin_script_t)
+dirsrv_manage_var_lib(httpd_dirsrvadmin_script_t)
+dirsrv_manage_var_run(httpd_dirsrvadmin_script_t)
+dirsrv_manage_config(httpd_dirsrvadmin_script_t)
+dirsrv_exec_lib(httpd_dirsrvadmin_script_t)
+dirsrv_read_share(httpd_dirsrvadmin_script_t)
+
--
1.6.2.5
--
389-devel mailing list
389-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
