Re: Re: Fedora-directory-users Digest, Vol 34, Issue 24

Steve Burt wrote:
Hi Rich,

Ok so I think I have to create an ldif file

There is a workaround - if the fqdn is host.example.com, you just have to create
the following entries:

dn: cn=host.example.com, ou=example.com, o=NetscapeRoot
objectclass: top
objectclass: nsHost
objectclass: groupOfUniqueNames
cn: host.example.com
nsosversion: output of uname -a on the machine
nshardwareplatform: arch e.g. i386 or x86_64 or ...
serverHostName: host.example.com

dn: cn=Server Group, cn=host.example.com, ou=example.com, o=NetscapeRoot
objectclass: top
objectclass: nsAdminGroup
objectclass: nsDirectoryInfo
objectclass: groupOfUniqueNames
nsAdminGroupName: Server Group
nsDirectoryInfoRef: cn=User Directory, ou=Global Preferences, ou=example.com, o=NetscapeRoot

Is that correct?

Yes, I think so. I think that's what was reported as the workaround in the bug.
On 12/03/2008, fedora-directory-users-request@xxxxxxxxxx
<fedora-directory-users-request@xxxxxxxxxx> wrote:

 Today's Topics:

   1. SELinux policy for Fedora Directory Server 1.1.0 (Pär Aronsson)
   2. Problems in adding a second server into a new (Steve Burt)
   3. Re: Problems in adding a second server into a new (Rich Megginson)


 ----------------------------------------------------------------------

 Message: 1
 Date: Tue, 11 Mar 2008 17:34:09 +0100
 From: Pär Aronsson <par.aronsson@xxxxxxxxx>
 Subject: SELinux policy for Fedora Directory Server 1.1.0
 To: selinux@xxxxxxxxxxxxx, fedora-directory-users@xxxxxxxxxx
 Message-ID: <200803111734.10289.par.aronsson@xxxxxxxxx>
 Content-Type: text/plain; charset="utf-8"

 Hello,

 Attached is a SELinux policy for the Fedora Directory Server 1.1.0.
 It is composed of three parts.
 * dirsrv - directory server and setup programs
 * dirsrv-admin - administration server and setup programs
 * fedora-idm-console - java based console for administration

 The policies were developed on a CentOS 5.1 with the following packages:
 fedora-ds-base-1.1.0-3.fc6
 fedora-ds-admin-1.1.1-1.fc6
 fedora-ds-console-1.1.0-5.fc6
 selinux-policy-2.4.6-106.el5_1.3
 kernel-2.6.18-53.1.4.el5

 I've successfully tested the policies in targeted and strict mode.

 The dirsrv-admin policy requires that the apache policy module is loaded.
 Also run:
 setsebool -P httpd_enable_cgi on

 Comment out the following in /usr/sbin/start-ds-admin (line 63-65):
 if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
        SELINUX_CMD="runcon -t unconfined_t --"
 fi

 I had trouble with the replication plugin so I haven't been able to do any
 testing with replication.

 Any comments are welcome.

 // Pär Aronsson
 -------------- next part --------------
 ## <summary>Administration application for Fedora Directory Server, dirsrv-admin.</summary>

 ########################################
 ## <summary>
 ##      Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain
 ##      and the system_r role. Strict policy.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Prefix of the domain performing this action.
 ##      </summary>
 ## </param>
 ## <param name="role">
 ##      <summary>
 ##      The role to allow the domain.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrvadmin_setup_domtrans_strict',`
        gen_require(`
                type dirsrvadmin_t, dirsrvadmin_setup_t, dirsrvadmin_setupexec_t;
                type $1_t, $1_devpts_t;
        ')

        domain_auto_trans($1_t, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t)
        allow dirsrvadmin_setup_t $1_t:fd use;
        allow dirsrvadmin_setup_t $1_t:process sigchld;
        allow dirsrvadmin_setup_t $1_devpts_t:chr_file rw_term_perms;
        role $2 types dirsrvadmin_setup_t;
        role system_r types dirsrvadmin_setup_t;
        role_transition $2 dirsrvadmin_setupexec_t system_r;
 ')

 ########################################
 ## <summary>
 ##      Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain
 ##      and the system_r role. Targeted policy.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Prefix of the domain performing this action.
 ##      </summary>
 ## </param>
 ## <param name="role">
 ##      <summary>
 ##      The role to allow the domain.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrvadmin_setup_domtrans_targeted',`
        gen_require(`
                type $1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t;
        ')

        domain_auto_trans($1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t)
 ')

 ########################################
 ## <summary>
 ##      Read setup log files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrvadmin_read_setuplog',`
        gen_require(`
                type dirsrvadmin_setuplog_t;
        ')

        files_search_tmp($1)
        allow $1 dirsrvadmin_setuplog_t:file r_file_perms;
 ')

 ########################################
 ## <summary>
 ##      Manage setup log files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrvadmin_manage_setuplog',`
        gen_require(`
                type dirsrvadmin_setuplog_t;
        ')

        files_search_tmp($1)
        allow $1 dirsrvadmin_setuplog_t:file manage_file_perms;
 ')

 ########################################
 ## <summary>
 ##      Extend httpd domain for dirsrv-admin.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrvadmin_extend_httpd',`
        gen_require(`
                type httpd_t;
        ')

        # Allow httpd domain to interact with dirsrv
        dirsrv_manage_config(httpd_t)
        dirsrv_manage_log(httpd_t)
        dirsrv_manage_var_run(httpd_t)
        dirsrvadmin_manage_setuplog(httpd_t)
        dirsrvadmin_manage_config(httpd_t)
        dirsrv_signal(httpd_t)
        dirsrv_signull(httpd_t)
        dirsrv_run_helper_exec(httpd_t)
        files_exec_usr_files(httpd_t)
        corenet_tcp_bind_generic_port(httpd_t)
        corenet_tcp_connect_generic_port(httpd_t)

        # Strict policy
        ifdef(`strict_policy',`
                userdom_dontaudit_search_sysadm_home_dirs(httpd_t)
        ')
 ')

 ########################################
 ## <summary>
 ##      Extend httpd domain for dirsrv-admin cgi.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrvadmin_script_extend_httpd',`
        gen_require(`
                type httpd_t, httpd_exec_t, httpd_suexec_exec_t, httpd_tmp_t, httpd_var_run_t;
        ')

        allow $1 httpd_exec_t:file { read getattr execute_no_trans };
        allow $1 httpd_suexec_exec_t:file getattr;
        allow $1 httpd_tmp_t:file { read write };
        allow $1 httpd_t:udp_socket { read write };
        allow $1 httpd_t:unix_stream_socket { ioctl getattr read write };
        allow $1 httpd_t:netlink_route_socket { read write };
        allow $1 httpd_t:fifo_file { write read };
        allow $1 httpd_var_run_t:file { read getattr };
        apache_list_modules($1)
        apache_exec_modules($1)
        apache_use_fds($1)
        dirsrvadmin_run_httpd_script_exec(httpd_t)
 ')

 ########################################
 ## <summary>
 ##      Extend init domain for dirsrv-admin.
 ##      The initscript searches in a config file.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrvadmin_extend_init',`
        gen_require(`
                type initrc_t;
        ')

        allow initrc_t dirsrvadmin_config_t:file read;
 ')

 ########################################
 ## <summary>
 ##      Exec dirsrv-admin programs.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrvadmin_run_exec',`
        gen_require(`
                type dirsrvadmin_exec_t;
        ')

        allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
        can_exec($1,dirsrvadmin_exec_t)
 ')

 ########################################
 ## <summary>
 ##      Exec cgi programs.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrvadmin_run_httpd_script_exec',`
        gen_require(`
                type httpd_dirsrvadmin_script_exec_t;
        ')

        allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
        can_exec($1, httpd_dirsrvadmin_script_exec_t)
 ')

 ########################################
 ## <summary>
 ##      Manage cgi programs.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrvadmin_manage_httpd_script_exec',`
        gen_require(`
                type httpd_dirsrvadmin_script_exec_t;
        ')

        allow $1 httpd_dirsrvadmin_script_exec_t:dir manage_dir_perms;
        allow $1 httpd_dirsrvadmin_script_exec_t:file manage_file_perms;
 ')

 ########################################
 ## <summary>
 ##      Read tmp files created by cgi programs.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrvadmin_read_httpd_script_tmpfile',`
        gen_require(`
                type httpd_dirsrvadmin_script_rw_t;
        ')

        allow $1 httpd_dirsrvadmin_script_rw_t:file r_file_perms;
 ')

 ########################################
 ## <summary>
 ##      Manage tmp files created by cgi programs.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrvadmin_manage_httpd_script_tmpfile',`
        gen_require(`
                type httpd_dirsrvadmin_script_rw_t;
        ')

        allow $1 httpd_dirsrvadmin_script_rw_t:file manage_file_perms;
 ')

 ########################################
 ## <summary>
 ##      Read dirsrv-adminserver configuration files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrvadmin_read_config',`
        gen_require(`
                type dirsrvadmin_config_t;
        ')

        allow $1 dirsrvadmin_config_t:dir r_dir_perms;
        allow $1 dirsrvadmin_config_t:file r_file_perms;
 ')

 ########################################
 ## <summary>
 ##      Manage dirsrv-adminserver configuration files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrvadmin_manage_config',`
        gen_require(`
                type dirsrvadmin_config_t;
        ')

        allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
        allow $1 dirsrvadmin_config_t:file manage_file_perms;
 ')

 ########################################
 ## <summary>
 ##  Read and write to cgi program over an unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##  <summary>
 ##  Domain allowed access.
 ##  </summary>
 ## </param>
 #
 interface(`dirsrvadmin_script_stream_rw',`
        gen_require(`
                type httpd_dirsrvadmin_script_t;
        ')

        allow $1 httpd_dirsrvadmin_script_t:unix_stream_socket { read write };
 ')

 ########################################
 ## <summary>
 ##      Read migration inf file in sysadm home dir.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrvadmin_read_inffile',`
        ifdef(`targeted_policy',`
                gen_require(`
                        type user_home_t, user_home_dir_t;
                ')

                userdom_list_user_home_dirs(user, $1)
                allow $1 user_home_t:file r_file_perms;
        ',`
                gen_require(`
                        type sysadm_home_t;
                ')

                userdom_list_sysadm_home_dirs($1)
                allow $1 sysadm_home_t:file r_file_perms;
        ')
 ')

 -------------- next part --------------
 # Start script for daemon (domain entry point)
 /usr/sbin/start-ds-admin                --      gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
 /usr/sbin/stop-ds-admin                 --      gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
 /usr/sbin/restart-ds-admin              --      gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
 # Configuration
 /etc/dirsrv/admin-serv(/.*)?            gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
 # Log dir
 /var/log/dirsrv/admin-serv(/.*)?        gen_context(system_u:object_r:httpd_log_t,s0)
 # Pid
 /var/run/dirsrv/admin-serv.*            gen_context(system_u:object_r:httpd_var_run_t,s0)
 # cgi
 /usr/lib/dirsrv/cgi-bin(/.*)?           gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
 # Setup applications
 /usr/sbin/migrate-ds-admin.pl   --      gen_context(system_u:object_r:dirsrvadmin_setupexec_t,s0)
 /usr/sbin/setup-ds-admin.pl             --      gen_context(system_u:object_r:dirsrvadmin_setupexec_t,s0)
 -------------- next part --------------
 # Daemon (domain entry point)
 /usr/sbin/ns-slapd              --      gen_context(system_u:object_r:dirsrv_exec_t,s0)
 # Setup applications
 /usr/sbin/migrate-ds.pl --      gen_context(system_u:object_r:dirsrv_setupexec_t,s0)
 /usr/sbin/setup-ds.pl   --      gen_context(system_u:object_r:dirsrv_setupexec_t,s0)
 # Helper scripts
 /usr/lib/dirsrv(/slapd-.*)?     gen_context(system_u:object_r:dirsrv_helper_exec_t,s0)
 # Configuration
 /etc/dirsrv(/slapd-.*)?         gen_context(system_u:object_r:dirsrv_config_t,s0)
 # Db files
 /var/lib/dirsrv(/.*)?           gen_context(system_u:object_r:dirsrv_db_t,s0)
 # Lock files
 /var/lock/dirsrv(/.*)?          gen_context(system_u:object_r:dirsrv_lock_t,s0)
 # Log files
 /var/log/dirsrv(/.*)?           gen_context(system_u:object_r:dirsrv_log_t,s0)
 # var_run
 /var/run/dirsrv(/.*)?           gen_context(system_u:object_r:dirsrv_var_run_t,s0)
 -------------- next part --------------
 ## <summary>Fedora Directory server, dirsrv</summary>

 ########################################
 ## <summary>
 ##      Execute dirsrv programs in the dirsrv_t domain.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      The type of the process performing this action.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_domtrans',`
        gen_require(`
                type dirsrv_t, dirsrv_exec_t;
        ')

        allow $1 dirsrv_t:process signull;
        domain_auto_trans($1, dirsrv_exec_t, dirsrv_t)
        allow dirsrv_t $1:fd use;
        allow dirsrv_t $1:fifo_file rw_file_perms;
        allow dirsrv_t $1:process sigchld;
 ')

 ########################################
 ## <summary>
 ##      Execute dirsrv setup programs in the dirsrv_setup_t domain
 ##      and the system_r role. Strict policy.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Prefix of the domain performing this action.
 ##      </summary>
 ## </param>
 ## <param name="role">
 ##      <summary>
 ##      The role to allow the domain.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_setup_domtrans_strict',`
        gen_require(`
                type dirsrv_t, dirsrv_setup_t, dirsrv_setupexec_t;
                type $1_t, $1_devpts_t;
        ')

        domain_auto_trans($1_t, dirsrv_setupexec_t, dirsrv_setup_t)
        allow dirsrv_setup_t $1_t:fd use;
        allow dirsrv_setup_t $1_t:process sigchld;
        allow dirsrv_setup_t $1_devpts_t:chr_file rw_term_perms;
        role $2 types dirsrv_setup_t;
        role_transition $2 dirsrv_setupexec_t system_r;
 ')

 ########################################
 ## <summary>
 ##      Execute dirsrv setup programs in the dirsrv_setup_t domain
 ##      and the system_r role. Targeted policy.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Prefix of the domain performing this action.
 ##      </summary>
 ## </param>
 ## <param name="role">
 ##      <summary>
 ##      The role to allow the domain.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_setup_domtrans_targeted',`
        gen_require(`
                type dirsrv_setupexec_t, dirsrv_setup_t;
        ')

        domain_auto_trans($1, dirsrv_setupexec_t, dirsrv_setup_t)
 ')

 ########################################
 ## <summary>
 ##      Extend httpd domain for dirsrv.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_extend_httpd',`
        gen_require(`
                type httpd_t, httpd_tmp_t;
        ')

        allow $1 httpd_t:fifo_file { write read };
        allow $1 httpd_t:unix_stream_socket { ioctl getattr read write };
        allow $1 httpd_tmp_t:file { read write };
        apache_use_fds($1)
 ')

 ########################################
 ## <summary>
 ##      Read setup log files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_read_setuplog',`
        gen_require(`
                type dirsrv_setuplog_t;
        ')

        files_search_tmp($1)
        allow $1 dirsrv_setuplog_t:file r_file_perms;
 ')

 ########################################
 ## <summary>
 ##      Read the contents of Directory server
 ##      database directories.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_list_db',`
        gen_require(`
                type dirsrv_db_t;
        ')

        allow $1 dirsrv_db_t:dir r_dir_perms;
 ')

 ########################################
 ## <summary>
 ##      Manage the contents of Directory server
 ##      database directories.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_manage_db',`
        gen_require(`
                type dirsrv_db_t;
        ')

        allow $1 dirsrv_db_t:dir manage_dir_perms;
        allow $1 dirsrv_db_t:file manage_file_perms;
 ')

 ########################################
 ## <summary>
 ##      Read Directory server configuration files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_read_config',`
        gen_require(`
                type dirsrv_config_t;
        ')

        allow $1 dirsrv_config_t:dir r_dir_perms;
        allow $1 dirsrv_config_t:file r_file_perms;
 ')

 ########################################
 ## <summary>
 ##      Manage Directory server configuration files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_manage_config',`
        gen_require(`
                type dirsrv_config_t;
        ')

        allow $1 dirsrv_config_t:dir manage_dir_perms;
        allow $1 dirsrv_config_t:file manage_file_perms;
 ')

 ########################################
 ## <summary>
 ##      Read Directory server log files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_list_log',`
        gen_require(`
                type dirsrv_log_t;
        ')

        allow $1 dirsrv_log_t:dir r_dir_perms;
 ')

 ########################################
 ## <summary>
 ##      Manage Directory server log files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_manage_log',`
        gen_require(`
                type dirsrv_log_t;
        ')

        allow $1 dirsrv_log_t:dir manage_dir_perms;
        allow $1 dirsrv_log_t:file manage_file_perms;
 ')

 ########################################
 ## <summary>
 ##      Read Directory server lock files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_list_lock',`
        gen_require(`
                type dirsrv_lock_t;
        ')

        allow $1 dirsrv_lock_t:dir r_dir_perms;
 ')

 ########################################
 ## <summary>
 ##      Manage Directory server lock files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_manage_lock',`
        gen_require(`
                type dirsrv_lock_t;
        ')

        allow $1 dirsrv_lock_t:dir manage_dir_perms;
        allow $1 dirsrv_lock_t:file manage_file_perms;
 ')

 ########################################
 ## <summary>
 ##      Read Directory server var_run files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_list_var_run',`
        gen_require(`
                type dirsrv_var_run_t;
        ')

        allow $1 dirsrv_var_run_t:dir r_dir_perms;
 ')

 ########################################
 ## <summary>
 ##      Manage Directory server var_run files.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_manage_var_run',`
        gen_require(`
                type dirsrv_var_run_t;
        ')

        allow $1 dirsrv_var_run_t:dir manage_dir_perms;
        allow $1 dirsrv_var_run_t:file manage_file_perms;
        allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
        # Allow creating a dir in /var/run with this type
        files_pid_filetrans($1, dirsrv_var_run_t, dir)
 ')

 ########################################
 ## <summary>
 ##      Exec Directory server helper programs.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_run_helper_exec',`
        gen_require(`
                type dirsrv_helper_exec_t;
        ')

        allow $1 dirsrv_helper_exec_t:dir search_dir_perms;
        can_exec($1,dirsrv_helper_exec_t)
 ')

 ########################################
 ## <summary>
 ##      Manage Directory server helper programs.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_manage_helper_exec',`
        gen_require(`
                type dirsrv_helper_exec_t;
        ')

        allow $1 dirsrv_helper_exec_t:dir manage_dir_perms;
        allow $1 dirsrv_helper_exec_t:file { manage_file_perms rw_file_perms };
 ')

 ########################################
 ## <summary>
 ##  Allow caller to signal dirsrv.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain to not audit.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_signal',`
        gen_require(`
                type dirsrv_t;
        ')

        allow $1 dirsrv_t:process signal;
 ')


 ########################################
 ## <summary>
 ##      Send a null signal to dirsrv.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`dirsrv_signull',`
        gen_require(`
                type dirsrv_t;
        ')

        allow $1 dirsrv_t:process signull;
 ')
 -------------- next part --------------
 policy_module(dirsrv,1.0.0)

 ########################################
 #
 # Declarations for daemon
 #

 ## Create domain for daemon
 type dirsrv_t;
 domain_type(dirsrv_t)

 ## Type for the daemon
 type dirsrv_exec_t;
 files_type(dirsrv_exec_t)
 # Start from initrc
 init_domain(dirsrv_t, dirsrv_exec_t)
 init_daemon_domain(dirsrv_t, dirsrv_exec_t)
 role system_r types dirsrv_t;

 ## Type for helper programs
 type dirsrv_helper_exec_t;
 files_type(dirsrv_helper_exec_t);

 ## Type for configuration files
 type dirsrv_config_t;
 files_config_file(dirsrv_config_t)

 ## Type for db files
 type dirsrv_db_t;
 files_type(dirsrv_db_t)

 ## Type for lock files
 type dirsrv_lock_t;
 files_lock_file(dirsrv_lock_t)
 files_lock_filetrans(dirsrv_t, dirsrv_lock_t, {file dir})

 ## Type for log files
 type dirsrv_log_t;
 logging_log_file(dirsrv_log_t)

 ## Type for var_run file
 type dirsrv_var_run_t;
 files_pid_file(dirsrv_var_run_t)
 files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, {file dir})

 ########################################
 #
 # Declarations for setup programs
 #

 ## Domain for setup program
 type dirsrv_setup_t;
 domain_type(dirsrv_setup_t)
 role sysadm_r types dirsrv_setup_t;

 ## Type for setup program
 type dirsrv_setupexec_t;
 files_type(dirsrv_setupexec_t)
 domain_entry_file(dirsrv_setup_t, dirsrv_setupexec_t)

 ## Type for tmp files setup creates
 type dirsrv_setuplog_t;
 files_tmp_file(dirsrv_setuplog_t)
 files_tmp_filetrans(dirsrv_setup_t, dirsrv_setuplog_t, file)
 files_tmp_filetrans(dirsrv_t, dirsrv_setuplog_t, file)

 ########################################
 #
 # Local policy for the daemon
 #

 ## Executable
 allow dirsrv_t self:capability { chown dac_override fowner setuid sys_nice setgid };
 allow dirsrv_t self:process { setsched getsched signull };
 allow dirsrv_t self:fifo_file { write read };
 allow dirsrv_t self:sem { create getattr associate unix_read unix_write };
 ## Config
 allow dirsrv_t dirsrv_config_t:file { getattr read create_file_perms };
 allow dirsrv_t dirsrv_config_t:dir create_dir_perms;
 ## Database files
 allow dirsrv_t dirsrv_db_t:dir manage_dir_perms;
 allow dirsrv_t dirsrv_db_t:file manage_file_perms;
 # Allow search in /var/lib
 files_list_var_lib(dirsrv_t)
 ## Manage locks
 allow dirsrv_t dirsrv_lock_t:dir manage_dir_perms;
 allow dirsrv_t dirsrv_lock_t:file manage_file_perms;
 ## Logging
 allow dirsrv_t dirsrv_log_t:file { create rename setattr manage_file_perms };
 allow dirsrv_t dirsrv_log_t:dir { setattr rw_dir_perms };
 allow dirsrv_t self:unix_dgram_socket create_socket_perms;
 # Allow search in /var/log
 logging_search_logs(dirsrv_t)
 ## var_run
 allow dirsrv_t dirsrv_var_run_t:file manage_file_perms;
 allow dirsrv_t dirsrv_var_run_t:dir rw_dir_perms;
 ## Helper programs
 dirsrv_run_helper_exec(dirsrv_t)
 ## Setup log
 dirsrv_read_setuplog(dirsrv_t)
 dirsrvadmin_read_setuplog(dirsrv_t)
 ## Files in /tmp, created by setup app
 allow dirsrv_t dirsrv_setuplog_t:file manage_file_perms;

 ## When restarted from cgi script the dirsrv need to communicate back
 dirsrvadmin_script_stream_rw(dirsrv_t)
 # dirsrv need some permissions that has no interface in the apache policy
 dirsrv_extend_httpd(dirsrv_t)
 dirsrvadmin_manage_httpd_script_tmpfile(dirsrv_t)

 ## Allow networking
 corenet_tcp_bind_ldap_port(dirsrv_t)
 corenet_tcp_sendrecv_ldap_port(dirsrv_t)
 corenet_sendrecv_ldap_server_packets(dirsrv_t)
 corenet_tcp_bind_unspec_node(dirsrv_t)
 corenet_tcp_bind_inaddr_any_node(dirsrv_t)
 kernel_sendrecv_unlabeled_packets(dirsrv_t)
 allow dirsrv_t self:tcp_socket create_stream_socket_perms;
 allow dirsrv_t self:udp_socket create_socket_perms;

 ## Misc interfaces
 # Access to shared libraries
 libs_use_ld_so(dirsrv_t)
 libs_use_shared_libs(dirsrv_t)
 files_exec_usr_files(dirsrv_t)
 # Read locale
 miscfiles_read_localization(dirsrv_t)
 # Read etc
 files_read_etc_files(dirsrv_t)
 sysnet_read_config(dirsrv_t)
 # Allow using syslog
 logging_send_syslog_msg(dirsrv_t)
 # Search sbin
 corecmd_search_sbin(dirsrv_t)
 # Allow read urandom
 dev_read_urand(dirsrv_t)
 # Allow listing /tmp
 files_list_tmp(dirsrv_t)
 # Allow read /usr/tmp
 files_read_usr_symlinks(dirsrv_t)
 # Allow stat file system
 fs_getattr_xattr_fs(dirsrv_t)
 # Allow read proc
 kernel_read_system_state(dirsrv_t)

 # Strict policy
 ifdef(`strict_policy',`
        # Daemon search for plugins in cwd
        userdom_dontaudit_search_sysadm_home_dirs(dirsrv_t)
 ')

 # In targeted policy
 ifdef(`targeted_policy',`
        files_read_generic_tmp_files(dirsrv_t)
        userdom_dontaudit_search_generic_user_home_dirs(dirsrv_t)
 ')

 ########################################
 #
 # Local policy for setup programs
 #

 ## Transition into dirsrv domain when running setup
 # Should be in userdomain
 ifdef(`strict_policy',`
        dirsrv_setup_domtrans_strict(sysadm, sysadm_r)
 ')
 # A similar policy should be in unconfined
 ifdef(`targeted_policy',`
        dirsrv_setup_domtrans_targeted(unconfined_t)
 ')
 seutil_use_newrole_fds(dirsrv_setup_t)

 ## Executable
 allow dirsrv_setup_t self:capability { sys_nice chown fsetid fowner kill net_bind_service dac_override };
 allow dirsrv_setup_t self:fifo_file { read write getattr ioctl };
 allow dirsrv_setup_t self:process { setsched getsched };
 allow dirsrv_setup_t self:tcp_socket { bind create ioctl };

 # Start daemon from setup program
 dirsrv_domtrans(dirsrv_setup_t)
 ## Manage db dir
 dirsrv_manage_db(dirsrv_setup_t)
 ## Manage configuration
 dirsrv_manage_config(dirsrv_setup_t)
 ## Manage log dir
 dirsrv_manage_log(dirsrv_setup_t)
 ## Manage lock dir
 dirsrv_manage_lock(dirsrv_setup_t)
 ## Manage var_run files
 dirsrv_manage_var_run(dirsrv_setup_t)
 ## Manage helper programs
 dirsrv_manage_helper_exec(dirsrv_setup_t)
 dirsrv_run_helper_exec(dirsrv_setup_t)
 ## Files in /tmp
 allow dirsrv_setup_t dirsrv_setuplog_t:file manage_file_perms;

 ## Networking
 # Connect server using ldap
 corenet_tcp_bind_inaddr_any_node(dirsrv_setup_t)
 corenet_tcp_bind_ldap_port(dirsrv_setup_t)

 ## Misc interfaces
 # Access to shared libraries
 libs_use_ld_so(dirsrv_setup_t)
 libs_use_shared_libs(dirsrv_setup_t)
 # Read locale
 miscfiles_read_localization(dirsrv_setup_t)
 # mtab
 files_dontaudit_read_etc_runtime_files(dirsrv_setup_t)
 # Execute
 corecmd_exec_bin(dirsrv_setup_t)
 corecmd_exec_sbin(dirsrv_setup_t)
 corecmd_exec_shell(dirsrv_setup_t)
 # Read /usr/share
 files_read_usr_files(dirsrv_setup_t)
 # Allow read urandom
 dev_read_urand(dirsrv_setup_t)
 # Read proc
 kernel_read_net_sysctls(dirsrv_setup_t)
 kernel_read_sysctl(dirsrv_setup_t)
 kernel_read_system_state(dirsrv_setup_t)
 kernel_search_network_sysctl(dirsrv_setup_t)
 # Stat shadow
 auth_read_shadow(dirsrv_setup_t)
 # Exec nsswitch.conf
 files_exec_etc_files(dirsrv_setup_t)
 # Find dirsrv dirs
 files_search_locks(dirsrv_setup_t)
 files_search_var_lib(dirsrv_setup_t)
 logging_search_logs(dirsrv_setup_t)
 # Allow stat file system
 fs_getattr_xattr_fs(dirsrv_setup_t)
 sysnet_read_config(dirsrv_setup_t)
 term_search_ptys(dirsrv_setup_t)

 optional_policy(`
        nscd_read_pid(dirsrv_setup_t)
 ')

 # Strict policy
 ifdef(`strict_policy',`
        # Read cwd (/root)
        userdom_list_sysadm_home_dirs(dirsrv_setup_t)
 ')

 # In targeted policy
 ifdef(`targeted_policy',`
        term_use_generic_ptys(dirsrv_setup_t)
        # Read cwd (/root)
        userdom_list_user_home_dirs(user,dirsrv_setup_t)
        userdom_search_generic_user_home_dirs(dirsrv_setup_t)
 ')
 -------------- next part --------------
 A non-text attachment was scrubbed...
 Name: dirsrv-admin.te
 Type: text/x-java
 Size: 8756 bytes
 Desc: not available
 Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20080311/b721a4c9/dirsrv-admin.bin
 -------------- next part --------------
 policy_module(fedora-idm-console,1.0.0)

 ########################################
 #
 # Declarations
 #

 type fedora-idm-console_t;
 domain_type(fedora-idm-console_t)

 ########################################
 #
 # Local policy
 #

 # In strict policy we need to extend the java domain
 ifdef(`strict_policy',`
        fedoraidmconsole_extend_java(user)
        ## Misc interfaces
        # Access to shared libraries
        libs_use_ld_so(fedora-idm-console_t)
        libs_use_shared_libs(fedora-idm-console_t)
        # Read locale
        miscfiles_read_localization(fedora-idm-console_t)
 ')
 -------------- next part --------------
 ## <summary>Java based fedora-idm-console</summary>

 ########################################
 ## <summary>
 ##      Extend java domain for fedora-idm-console.
 ## </summary>
 ## <param name="domain">
 ##      <summary>
 ##      Prefix of domain allowed access.
 ##      </summary>
 ## </param>
 #
 interface(`fedoraidmconsole_extend_java',`
        gen_require(`
                type $1_javaplugin_t;
                type $1_t, $1_xserver_tmp_t, $1_gconf_home_t, $1_home_ssh_t, $1_mozilla_home_t;
        ')

        allow $1_javaplugin_t $1_t:process sigchld;
        allow $1_t $1_javaplugin_t:process { signal ptrace };
        allow $1_javaplugin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
        allow $1_javaplugin_t self:tcp_socket { accept listen };
        allow $1_javaplugin_t $1_xserver_tmp_t:dir search;
        allow $1_javaplugin_t $1_xserver_tmp_t:sock_file write;
        dirsrv_list_db($1_javaplugin_t)
        corecmd_exec_bin($1_javaplugin_t)
        corenet_tcp_bind_inaddr_any_node($1_javaplugin_t)
        files_read_var_files($1_javaplugin_t)

        # Sun java check out some dirs, there is probably more than this
        dontaudit $1_javaplugin_t $1_gconf_home_t:dir getattr;
        dontaudit $1_javaplugin_t $1_home_ssh_t:dir getattr;
        dontaudit $1_javaplugin_t $1_mozilla_home_t:dir getattr;
 ')
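The two policy fragments above grant the setup domain and the console's java plug-in domain a long list of interface calls, raw `allow` rules and `dontaudit` rules, some of them only under an `ifdef` or `optional_policy` block. Reviewing such a module for least privilege is easier when the grants are pulled out of the m4 text and tagged with the condition they sit under, and when a parameterised interface is expanded with the prefix it will actually be called with (here `fedoraidmconsole_extend_java(user)`). The helper below is an added example written for this review, not code from the list post, from Fedora Directory Server or from the SELinux reference policy. The two sample inputs are constructed excerpts of the fragments posted above, and the notion of which grants count as "broad" (manage/write/exec interfaces, `dontaudit`, shadow access) is the example's own heuristic.

```python
"""Static review helper for refpolicy-style SELinux module fragments (added example)."""
import re

# Constructed sample input: an excerpt of the posted dirsrv_setup_t policy.
SAMPLE_TE = """\
## Manage lock dir
dirsrv_manage_lock(dirsrv_setup_t)
## Files in /tmp
allow dirsrv_setup_t dirsrv_setuplog_t:file manage_file_perms;
# Allow read urandom
dev_read_urand(dirsrv_setup_t)
auth_read_shadow(dirsrv_setup_t)

optional_policy(`
       nscd_read_pid(dirsrv_setup_t)
')

ifdef(`strict_policy',`
       userdom_list_sysadm_home_dirs(dirsrv_setup_t)
')
"""

# Constructed sample input: an excerpt of the posted console interface file.
SAMPLE_IF = """\
interface(`fedoraidmconsole_extend_java',`
       gen_require(`
               type $1_javaplugin_t;
               type $1_t, $1_xserver_tmp_t;
       ')

       allow $1_javaplugin_t $1_t:process sigchld;
       allow $1_t $1_javaplugin_t:process { signal ptrace };
       dirsrv_list_db($1_javaplugin_t)
       dontaudit $1_javaplugin_t $1_xserver_tmp_t:dir getattr;
')
"""

# A raw access-vector rule: kind source target:class perms;
RULE_RE = re.compile(
    r"^\s*(allow|dontaudit|auditallow|neverallow)\s+(\S+)\s+(\S+):(\S+)\s+"
    r"(\{[^}]*\}|[^\s;]+)\s*;")
# A one-line interface call such as dev_read_urand(dirsrv_setup_t)
CALL_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\(([^()`']*)\)\s*$")
# Opening line of an m4 block: ifdef(`name',`  /  optional_policy(`  /  gen_require(`
OPEN_RE = re.compile(r"^\s*(\w+)\((?:`([^']*)',)?`\s*$")
CLOSE_RE = re.compile(r"^\s*'\)\s*$")
# Heuristic (this example's own): interface names that grant more than read access.
BROAD_CALL = re.compile(r"(manage|rw|write|exec|create|delete|dontaudit|shadow)")
BROAD_PERMS = {"write", "create", "unlink", "ptrace", "relabelto", "setattr"}


def expand_interface(if_text, name, prefix):
    """Return the body of interface `name` with $1 replaced by `prefix`.

    m4 quotes nest (gen_require(` ... ') inside the interface), so the body is
    found by counting backtick/quote depth rather than with a non-greedy regex.
    """
    head = f"interface(`{name}',`"
    start = if_text.index(head) + len(head)
    depth, i = 1, start
    while depth:
        ch = if_text[i]
        if ch == "`":
            depth += 1
        elif ch == "'":
            depth -= 1
        i += 1
    return if_text[start:i - 1].replace("$1", prefix)


def grants(te_text):
    """Collect interface calls and raw rules, each tagged with its enclosing m4 blocks."""
    stack, calls, rules = [], [], []
    for raw in te_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop ## doc and # comments
        if not line.strip():
            continue
        m = OPEN_RE.match(line)
        if m:
            kind, arg = m.groups()
            stack.append(arg if kind == "ifdef" else kind)
            continue
        if CLOSE_RE.match(line):
            stack.pop()
            continue
        cond = tuple(stack)
        m = RULE_RE.match(line)
        if m:
            kind, src, tgt, cls, perms = m.groups()
            rules.append((kind, src, tgt, cls, perms.strip("{} ").split(), cond))
            continue
        m = CALL_RE.match(line)
        if m and "gen_require" not in stack:      # requires are not grants
            name, args = m.groups()
            calls.append((name, [a.strip() for a in args.split(",")], cond))
    return {"calls": calls, "rules": rules}


def review(found):
    """Return human-readable findings for grants that deserve a second look."""
    findings = []
    for name, args, cond in found["calls"]:
        if BROAD_CALL.search(name):
            findings.append(f"{name}({', '.join(args)}) [{'/'.join(cond) or 'unconditional'}]")
    for kind, src, tgt, cls, perms, cond in found["rules"]:
        if kind == "dontaudit" or any(p.startswith("manage") or p in BROAD_PERMS for p in perms):
            findings.append(f"{kind} {src} {tgt}:{cls} {' '.join(perms)} "
                            f"[{'/'.join(cond) or 'unconditional'}]")
    return findings


if __name__ == "__main__":
    for line in review(grants(SAMPLE_TE)):
        print("dirsrv_setup_t:", line)
    body = expand_interface(SAMPLE_IF, "fedoraidmconsole_extend_java", "user")
    for line in review(grants(body)):
        print("user_javaplugin_t:", line)
```

Run against the posted files (after removing the leading space the mail client added to every line) the output is a per-domain list of the write, execute, `dontaudit` and shadow-related grants with the `strict_policy` / `targeted_policy` / `optional_policy` condition each one depends on, which is the list worth checking against what `setup-ds-admin.pl` and the console actually need before the module is built and loaded with `semodule`.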

 ------------------------------

 Message: 2
 Date: Wed, 12 Mar 2008 11:44:32 +0000
 From: "Steve Burt" <burt.s.e@xxxxxxxxx>
 Subject: Problems in adding a second server into a new
 To: fedora-directory-users@xxxxxxxxxx
 Message-ID:
        <dbef0ac20803120444s12cbfbb1o526ff972ddba65b6@xxxxxxxxxxxxxx>
 Content-Type: text/plain; charset=ISO-8859-1

 Greetings Folks

 I am very new to Fedora-DS and have I think successfully installed a
 Directory Server and a server group with an admin server and 1
 Directory Server.

 My aim is to install a second directory server, I think this is
 basically running the setup-ds-admin.pl on the second server...

 Could anyone help..

 Yours Humbly

 Steve



 ------------------------------

 Message: 3
 Date: Wed, 12 Mar 2008 07:52:09 -0600
 From: Rich Megginson <rmeggins@xxxxxxxxxx>
 Subject: Re: Problems in adding a second server into a new
 To: "General discussion list for the Fedora Directory server project."
        <fedora-directory-users@xxxxxxxxxx>
 Message-ID: <47D7E009.9060605@xxxxxxxxxx>
 Content-Type: text/plain; charset="iso-8859-1"

 Steve Burt wrote:
 > Greetings Folks
 >
 > I am very new to Fedora-DS and have I think successfully installed a
 > Directory Server and a server group with an admin server and 1
 > Directory Server.
 >
 > My aim is to install a second directory server, I think this is
 > basically running the setup-ds-admin.pl on the second server...
 >
 Yes.  But read about this bug first -
 https://bugzilla.redhat.com/show_bug.cgi?id=431103
 > Could anyone help..
 >
 > Yours Humbly
 >
 > Steve
 >
 > --
 > Fedora-directory-users mailing list
 > Fedora-directory-users@xxxxxxxxxx
 > https://www.redhat.com/mailman/listinfo/fedora-directory-users
 >


 ------------------------------




 End of Fedora-directory-users Digest, Vol 34, Issue 24
 ******************************************************

