trunk: add sssd from dan.
This commit is contained in:
Chris PeBenito
parent
26410ddf54
commit
c017ee17ab
|
|
@ -29,6 +29,7 @@
|
||||||
pingd (Dan Walsh)
|
pingd (Dan Walsh)
|
||||||
psad (Dan Walsh)
|
psad (Dan Walsh)
|
||||||
portreserve (Dan Walsh)
|
portreserve (Dan Walsh)
|
||||||
|
sssd (Dan Walsh)
|
||||||
ulogd (Dan Walsh)
|
ulogd (Dan Walsh)
|
||||||
webadm (Dan Walsh)
|
webadm (Dan Walsh)
|
||||||
xguest (Dan Walsh)
|
xguest (Dan Walsh)
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,6 @@
|
||||||
|
/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
|
||||||
|
|
||||||
|
/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
|
||||||
|
|
||||||
|
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
|
||||||
|
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
|
||||||
|
|
@ -0,0 +1,200 @@
|
||||||
|
## <summary>System Security Services Daemon</summary>
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Execute a domain transition to run sssd.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed to transition.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`sssd_domtrans',`
|
||||||
|
gen_require(`
|
||||||
|
type sssd_t, sssd_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
domtrans_pattern($1, sssd_exec_t, sssd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read sssd PID files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`sssd_read_pid_files',`
|
||||||
|
gen_require(`
|
||||||
|
type sssd_var_run_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_pids($1)
|
||||||
|
allow $1 sssd_var_run_t:file read_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Manage sssd var_run files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`sssd_manage_pids',`
|
||||||
|
gen_require(`
|
||||||
|
type sssd_var_run_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
|
||||||
|
manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Search sssd lib directories.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`sssd_search_lib',`
|
||||||
|
gen_require(`
|
||||||
|
type sssd_var_lib_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 sssd_var_lib_t:dir search_dir_perms;
|
||||||
|
files_search_var_lib($1)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read sssd lib files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`sssd_read_lib_files',`
|
||||||
|
gen_require(`
|
||||||
|
type sssd_var_lib_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_var_lib($1)
|
||||||
|
read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create, read, write, and delete
|
||||||
|
## sssd lib files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`sssd_manage_lib_files',`
|
||||||
|
gen_require(`
|
||||||
|
type sssd_var_lib_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_var_lib($1)
|
||||||
|
manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Send and receive messages from
|
||||||
|
## sssd over dbus.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`sssd_dbus_chat',`
|
||||||
|
gen_require(`
|
||||||
|
type sssd_t;
|
||||||
|
class dbus send_msg;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 sssd_t:dbus send_msg;
|
||||||
|
allow sssd_t $1:dbus send_msg;
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Connect to sssd over an unix stream socket.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`sssd_stream_connect',`
|
||||||
|
gen_require(`
|
||||||
|
type sssd_t, sssd_var_lib_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_pids($1)
|
||||||
|
stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## All of the rules required to administrate
|
||||||
|
## an sssd environment
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="role">
|
||||||
|
## <summary>
|
||||||
|
## The role to be allowed to manage the sssd domain.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <param name="terminal">
|
||||||
|
## <summary>
|
||||||
|
## The type of the user terminal.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
## <rolecap/>
|
||||||
|
#
|
||||||
|
interface(`sssd_admin',`
|
||||||
|
gen_require(`
|
||||||
|
type sssd_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 sssd_t:process { ptrace signal_perms getattr };
|
||||||
|
read_files_pattern($1, sssd_t, sssd_t)
|
||||||
|
|
||||||
|
gen_require(`
|
||||||
|
type sssd_initrc_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
# Allow sssd_t to restart the apache service
|
||||||
|
sssd_initrc_domtrans($1)
|
||||||
|
domain_system_change_exemption($1)
|
||||||
|
role_transition $2 sssd_initrc_exec_t system_r;
|
||||||
|
allow $2 system_r;
|
||||||
|
|
||||||
|
sssd_manage_pids($1)
|
||||||
|
|
||||||
|
sssd_manage_lib_files($1)
|
||||||
|
')
|
||||||
|
|
@ -0,0 +1,64 @@
|
||||||
|
|
||||||
|
policy_module(sssd, 1.0.0)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
type sssd_t;
|
||||||
|
type sssd_exec_t;
|
||||||
|
init_daemon_domain(sssd_t, sssd_exec_t)
|
||||||
|
|
||||||
|
type sssd_initrc_exec_t;
|
||||||
|
init_script_file(sssd_initrc_exec_t)
|
||||||
|
|
||||||
|
type sssd_var_lib_t;
|
||||||
|
files_type(sssd_var_lib_t)
|
||||||
|
|
||||||
|
type sssd_var_run_t;
|
||||||
|
files_pid_file(sssd_var_run_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# sssd local policy
|
||||||
|
#
|
||||||
|
allow sssd_t self:capability { sys_nice setuid };
|
||||||
|
allow sssd_t self:process { setsched signal getsched };
|
||||||
|
allow sssd_t self:fifo_file rw_file_perms;
|
||||||
|
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||||
|
|
||||||
|
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||||
|
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||||
|
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||||
|
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
|
||||||
|
|
||||||
|
manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
||||||
|
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
||||||
|
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
|
||||||
|
|
||||||
|
kernel_read_system_state(sssd_t)
|
||||||
|
|
||||||
|
corecmd_exec_bin(sssd_t)
|
||||||
|
|
||||||
|
dev_read_urand(sssd_t)
|
||||||
|
|
||||||
|
files_list_tmp(sssd_t)
|
||||||
|
files_read_etc_files(sssd_t)
|
||||||
|
files_read_usr_files(sssd_t)
|
||||||
|
|
||||||
|
auth_use_nsswitch(sssd_t)
|
||||||
|
auth_domtrans_chk_passwd(sssd_t)
|
||||||
|
auth_domtrans_upd_passwd(sssd_t)
|
||||||
|
|
||||||
|
init_read_utmp(sssd_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(sssd_t)
|
||||||
|
logging_send_audit_msgs(sssd_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(sssd_t)
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
dbus_system_bus_client(sssd_t)
|
||||||
|
dbus_connect_system_bus(sssd_t)
|
||||||
|
')
|
||||||
Loading…
Reference in New Issue