trunk: add sssd from dan.
This commit is contained in:
Chris PeBenito
parent
26410ddf54
commit
c017ee17ab
|
|
@ -29,6 +29,7 @@
|
|||
pingd (Dan Walsh)
|
||||
psad (Dan Walsh)
|
||||
portreserve (Dan Walsh)
|
||||
sssd (Dan Walsh)
|
||||
ulogd (Dan Walsh)
|
||||
webadm (Dan Walsh)
|
||||
xguest (Dan Walsh)
|
||||
|
|
|
|||
|
|
@ -0,0 +1,6 @@
|
|||
/etc/rc.d/init.d/sssd -- gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
|
||||
|
||||
/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
|
||||
|
||||
/var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
|
||||
/var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
|
||||
|
|
@ -0,0 +1,200 @@
|
|||
## <summary>System Security Services Daemon</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute a domain transition to run sssd.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`sssd_domtrans',`
|
||||
gen_require(`
|
||||
type sssd_t, sssd_exec_t;
|
||||
')
|
||||
|
||||
domtrans_pattern($1, sssd_exec_t, sssd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read sssd PID files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`sssd_read_pid_files',`
|
||||
gen_require(`
|
||||
type sssd_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 sssd_var_run_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage sssd var_run files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`sssd_manage_pids',`
|
||||
gen_require(`
|
||||
type sssd_var_run_t;
|
||||
')
|
||||
|
||||
manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t)
|
||||
manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search sssd lib directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`sssd_search_lib',`
|
||||
gen_require(`
|
||||
type sssd_var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 sssd_var_lib_t:dir search_dir_perms;
|
||||
files_search_var_lib($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read sssd lib files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`sssd_read_lib_files',`
|
||||
gen_require(`
|
||||
type sssd_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete
|
||||
## sssd lib files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`sssd_manage_lib_files',`
|
||||
gen_require(`
|
||||
type sssd_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Send and receive messages from
|
||||
## sssd over dbus.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`sssd_dbus_chat',`
|
||||
gen_require(`
|
||||
type sssd_t;
|
||||
class dbus send_msg;
|
||||
')
|
||||
|
||||
allow $1 sssd_t:dbus send_msg;
|
||||
allow sssd_t $1:dbus send_msg;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to sssd over an unix stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`sssd_stream_connect',`
|
||||
gen_require(`
|
||||
type sssd_t, sssd_var_lib_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
## an sssd environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the sssd domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## <summary>
|
||||
## The type of the user terminal.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`sssd_admin',`
|
||||
gen_require(`
|
||||
type sssd_t;
|
||||
')
|
||||
|
||||
allow $1 sssd_t:process { ptrace signal_perms getattr };
|
||||
read_files_pattern($1, sssd_t, sssd_t)
|
||||
|
||||
gen_require(`
|
||||
type sssd_initrc_exec_t;
|
||||
')
|
||||
|
||||
# Allow sssd_t to restart the apache service
|
||||
sssd_initrc_domtrans($1)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 sssd_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
sssd_manage_pids($1)
|
||||
|
||||
sssd_manage_lib_files($1)
|
||||
')
|
||||
|
|
@ -0,0 +1,64 @@
|
|||
|
||||
policy_module(sssd, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type sssd_t;
|
||||
type sssd_exec_t;
|
||||
init_daemon_domain(sssd_t, sssd_exec_t)
|
||||
|
||||
type sssd_initrc_exec_t;
|
||||
init_script_file(sssd_initrc_exec_t)
|
||||
|
||||
type sssd_var_lib_t;
|
||||
files_type(sssd_var_lib_t)
|
||||
|
||||
type sssd_var_run_t;
|
||||
files_pid_file(sssd_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# sssd local policy
|
||||
#
|
||||
allow sssd_t self:capability { sys_nice setuid };
|
||||
allow sssd_t self:process { setsched signal getsched };
|
||||
allow sssd_t self:fifo_file rw_file_perms;
|
||||
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
|
||||
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
|
||||
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
|
||||
|
||||
manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
||||
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
|
||||
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
|
||||
|
||||
kernel_read_system_state(sssd_t)
|
||||
|
||||
corecmd_exec_bin(sssd_t)
|
||||
|
||||
dev_read_urand(sssd_t)
|
||||
|
||||
files_list_tmp(sssd_t)
|
||||
files_read_etc_files(sssd_t)
|
||||
files_read_usr_files(sssd_t)
|
||||
|
||||
auth_use_nsswitch(sssd_t)
|
||||
auth_domtrans_chk_passwd(sssd_t)
|
||||
auth_domtrans_upd_passwd(sssd_t)
|
||||
|
||||
init_read_utmp(sssd_t)
|
||||
|
||||
logging_send_syslog_msg(sssd_t)
|
||||
logging_send_audit_msgs(sssd_t)
|
||||
|
||||
miscfiles_read_localization(sssd_t)
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_bus_client(sssd_t)
|
||||
dbus_connect_system_bus(sssd_t)
|
||||
')
|
||||
Loading…
Reference in New Issue