161bda392e
Remove unused permission definitions from SELinux. Many of these were only ever used in pre-mainline versions of SELinux, prior to Linux 2.6.0. Some of them were used in the legacy network or compat_net=1 checks that were disabled by default in Linux 2.6.18 and fully removed in Linux 2.6.30. The corresponding classmap declarations were removed from the mainline kernel in: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=42a9699a9fa179c0054ea3cf5ad3cc67104a6162 Permissions never used in mainline Linux: file swapon filesystem transition tcp_socket { connectto newconn acceptfrom } node enforce_dest unix_stream_socket { newconn acceptfrom } Legacy network checks, removed in 2.6.30: socket { recv_msg send_msg } node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send } Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
130 lines
2.5 KiB
Plaintext
130 lines
2.5 KiB
Plaintext
## <summary>OpenLDAP directory server.</summary>
|
|
|
|
########################################
|
|
## <summary>
|
|
## List ldap database directories.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`ldap_list_db',`
|
|
gen_require(`
|
|
type slapd_db_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
allow $1 slapd_db_t:dir list_dir_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Read ldap configuration files.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`ldap_read_config',`
|
|
gen_require(`
|
|
type slapd_etc_t;
|
|
')
|
|
|
|
files_search_etc($1)
|
|
allow $1 slapd_etc_t:file read_file_perms;
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Connect to slapd over an unix
|
|
## stream socket.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`ldap_stream_connect',`
|
|
gen_require(`
|
|
type slapd_t, slapd_runtime_t;
|
|
')
|
|
|
|
files_search_pids($1)
|
|
stream_connect_pattern($1, slapd_runtime_t, slapd_runtime_t, slapd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## Connect to ldap over the network.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
#
|
|
interface(`ldap_tcp_connect',`
|
|
gen_require(`
|
|
type slapd_t;
|
|
')
|
|
|
|
corenet_sendrecv_ldap_client_packets($1)
|
|
corenet_tcp_connect_ldap_port($1)
|
|
corenet_tcp_recvfrom_labeled($1, slapd_t)
|
|
')
|
|
|
|
########################################
|
|
## <summary>
|
|
## All of the rules required to
|
|
## administrate an ldap environment.
|
|
## </summary>
|
|
## <param name="domain">
|
|
## <summary>
|
|
## Domain allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <param name="role">
|
|
## <summary>
|
|
## Role allowed access.
|
|
## </summary>
|
|
## </param>
|
|
## <rolecap/>
|
|
#
|
|
interface(`ldap_admin',`
|
|
gen_require(`
|
|
type slapd_t, slapd_tmp_t, slapd_replog_t;
|
|
type slapd_lock_t, slapd_etc_t, slapd_runtime_t;
|
|
type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
|
|
type slapd_db_t, slapd_keytab_t;
|
|
')
|
|
|
|
allow $1 slapd_t:process { ptrace signal_perms };
|
|
ps_process_pattern($1, slapd_t)
|
|
|
|
init_startstop_service($1, $2, slapd_t, slapd_initrc_exec_t)
|
|
|
|
files_list_etc($1)
|
|
admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
|
|
|
|
files_list_locks($1)
|
|
admin_pattern($1, slapd_lock_t)
|
|
|
|
logging_list_logs($1)
|
|
admin_pattern($1, slapd_log_t)
|
|
|
|
files_search_var_lib($1)
|
|
admin_pattern($1, slapd_replog_t)
|
|
|
|
files_list_tmp($1)
|
|
admin_pattern($1, slapd_tmp_t)
|
|
|
|
files_list_pids($1)
|
|
admin_pattern($1, slapd_runtime_t)
|
|
')
|