selinux-refpolicy/policy/modules/services/likewise.if

132 lines
3.7 KiB
Plaintext
Raw Normal View History

## <summary>Likewise Active Directory support for UNIX.</summary>
#######################################
## <summary>
## The template to define a likewise domain.
## </summary>
## <param name="userdomain_prefix">
## <summary>
## The type of daemon to be used.
## </summary>
## </param>
#
template(`likewise_domain_template',`
gen_require(`
attribute likewise_domains;
type likewise_var_lib_t;
')
########################################
#
# Declarations
#
type $1_t;
type $1_exec_t;
init_daemon_domain($1_t, $1_exec_t)
typeattribute $1_t likewise_domains;
type $1_runtime_t alias $1_var_run_t;
files_runtime_file($1_runtime_t)
type $1_var_socket_t;
files_type($1_var_socket_t)
type $1_var_lib_t;
files_type($1_var_lib_t)
####################################
#
# Policy
#
allow $1_t self:process { signal_perms getsched setsched };
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:unix_stream_socket { accept listen };
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
manage_files_pattern($1_t, $1_runtime_t, $1_runtime_t)
files_runtime_filetrans($1_t, $1_runtime_t, file)
manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t)
filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file)
manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
')
########################################
## <summary>
## Connect to lsassd with a unix domain
## stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`likewise_stream_connect_lsassd',`
gen_require(`
type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
')
files_search_runtime($1)
stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
')
########################################
## <summary>
## All of the rules required to
## administrate an likewise environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`likewise_admin',`
gen_require(`
attribute likewise_domains;
type likewise_initrc_exec_t, likewise_etc_t, likewise_pstore_lock_t;
type likewise_krb5_ad_t, likewise_var_lib_t, eventlogd_var_socket_t;
type lsassd_var_socket_t, lwiod_var_socket_t, lwregd_var_socket_t;
type lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t;
type netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t;
type eventlogd_var_lib_t, dcerpcd_var_lib_t, lsassd_tmp_t;
type eventlogd_runtime_t, lsassd_runtime_t, lwiod_runtime_t;
type lwregd_runtime_t, netlogond_runtime_t, srvsvcd_runtime_t;
')
allow $1 likewise_domains:process { ptrace signal_perms };
ps_process_pattern($1, likewise_domains)
init_startstop_service($1, $2, likewise_domains, likewise_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t })
files_search_var_lib($1)
admin_pattern($1, { likewise_var_lib_t eventlogd_var_socket_t lsassd_var_socket_t })
admin_pattern($1, { lwiod_var_socket_t lwregd_var_socket_t lwsmd_var_socket_t })
admin_pattern($1, { lwsmd_var_lib_t netlogond_var_socket_t netlogond_var_lib_t })
admin_pattern($1, { lsassd_var_lib_t lwregd_var_lib_t eventlogd_var_lib_t })
admin_pattern($1, dcerpcd_var_lib_t)
files_list_tmp($1)
admin_pattern($1, lsassd_tmp_t)
files_list_runtime($1)
admin_pattern($1, { eventlogd_runtime_t lsassd_runtime_t lwiod_runtime_t })
admin_pattern($1, { lwregd_runtime_t netlogond_runtime_t srvsvcd_runtime_t })
')