selinux-refpolicy/policy/modules/services/sssd.te
Chris PeBenito 78276fc43b Drop module versioning.
Semodule stopped using this many years ago. The policy_module() macro will
continue to support an optional second parameter as version.
If it is not specified, a default value of 1 is set.

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2022-01-06 09:19:13 -05:00

128 lines
3.4 KiB
Plaintext

policy_module(sssd)
########################################
#
# Declarations
#
type sssd_t;
type sssd_exec_t;
init_daemon_domain(sssd_t, sssd_exec_t)
type sssd_initrc_exec_t;
init_script_file(sssd_initrc_exec_t)
type sssd_conf_t;
files_config_file(sssd_conf_t)
type sssd_public_t;
files_runtime_file(sssd_public_t)
type sssd_runtime_t alias sssd_var_run_t;
files_runtime_file(sssd_runtime_t)
type sssd_var_lib_t;
files_type(sssd_var_lib_t)
mls_trusted_object(sssd_var_lib_t)
type sssd_var_log_t;
logging_log_file(sssd_var_log_t)
########################################
#
# Local policy
#
allow sssd_t self:capability { chown dac_override dac_read_search kill net_admin setgid setuid sys_admin sys_nice sys_resource };
allow sssd_t self:capability2 block_suspend;
allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit };
allow sssd_t self:fifo_file rw_fifo_file_perms;
allow sssd_t self:key manage_key_perms;
allow sssd_t self:unix_stream_socket { accept connectto listen };
read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
append_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
create_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
setattr_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
manage_dirs_pattern(sssd_t, sssd_runtime_t, sssd_runtime_t)
manage_files_pattern(sssd_t, sssd_runtime_t, sssd_runtime_t)
files_runtime_filetrans(sssd_t, sssd_runtime_t, { file dir })
kernel_read_network_state(sssd_t)
kernel_read_system_state(sssd_t)
corenet_all_recvfrom_netlabel(sssd_t)
corenet_udp_sendrecv_generic_if(sssd_t)
corenet_udp_sendrecv_generic_node(sssd_t)
corenet_udp_bind_generic_node(sssd_t)
corenet_sendrecv_generic_server_packets(sssd_t)
corenet_udp_bind_generic_port(sssd_t)
corenet_dontaudit_udp_bind_all_ports(sssd_t)
corecmd_exec_bin(sssd_t)
dev_read_urand(sssd_t)
dev_read_sysfs(sssd_t)
domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
files_read_etc_files(sssd_t)
files_read_etc_runtime_files(sssd_t)
files_read_usr_files(sssd_t)
files_list_var_lib(sssd_t)
fs_list_inotifyfs(sssd_t)
selinux_validate_context(sssd_t)
seutil_read_file_contexts(sssd_t)
# sssd wants to write /etc/selinux/<policy>/logins/ for SELinux PAM module
# seutil_rw_login_config_dirs(sssd_t)
# seutil_manage_login_config_files(sssd_t)
mls_file_read_to_clearance(sssd_t)
mls_socket_read_to_clearance(sssd_t)
mls_socket_write_to_clearance(sssd_t)
mls_trusted_object(sssd_t)
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
auth_manage_cache(sssd_t)
init_read_utmp(sssd_t)
logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
miscfiles_read_localization(sssd_t)
sysnet_dns_name_resolve(sssd_t)
sysnet_use_ldap(sssd_t)
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
')
optional_policy(`
kerberos_read_config(sssd_t)
kerberos_manage_host_rcache(sssd_t)
kerberos_tmp_filetrans_host_rcache(sssd_t, file, "host_0")
')