Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/services/ldap.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/services/ldap.if')
-rw-r--r--policy/modules/services/ldap.if156
1 files changed, 156 insertions, 0 deletions
diff --git a/policy/modules/services/ldap.if b/policy/modules/services/ldap.if
new file mode 100644
index 000000000..59752140d
--- /dev/null
+++ b/policy/modules/services/ldap.if
@@ -0,0 +1,156 @@
+## <summary>OpenLDAP directory server.</summary>
+
+########################################
+## <summary>
+## List ldap database directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_list_db',`
+ gen_require(`
+ type slapd_db_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 slapd_db_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
+## Read ldap configuration files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ldap_read_config',`
+ gen_require(`
+ type slapd_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 slapd_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Connect to slapd over an unix
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_stream_connect',`
+ gen_require(`
+ type slapd_t, slapd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
+')
+
+########################################
+## <summary>
+## Connect to ldap over the network.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_tcp_connect',`
+ gen_require(`
+ type slapd_t;
+ ')
+
+ corenet_sendrecv_ldap_client_packets($1)
+ corenet_tcp_connect_ldap_port($1)
+ corenet_tcp_recvfrom_labeled($1, slapd_t)
+ corenet_tcp_sendrecv_ldap_port($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an ldap environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ldap_admin',`
+ gen_require(`
+ type slapd_t, slapd_tmp_t, slapd_replog_t;
+ type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
+ type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
+ type slapd_db_t, slapd_keytab_t;
+ ')
+
+ allow $1 slapd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, slapd_t)
+
+ init_startstop_service($1, $2, slapd_t, slapd_initrc_exec_t)
+
+ files_list_etc($1)
+ admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
+
+ files_list_locks($1)
+ admin_pattern($1, slapd_lock_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, slapd_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, slapd_replog_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, slapd_tmp_t)
+
+ files_list_pids($1)
+ admin_pattern($1, slapd_var_run_t)
+')
+
+########################################
+## <summary>
+## Execute slapd in the slapd domain, and
+## allow the given role the slapd_t type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`ldap_run',`
+ gen_require(`
+ type slapd_t;
+ type slapd_exec_t;
+ ')
+
+ role $2 types slapd_t;
+ domtrans_pattern($1, slapd_exec_t, slapd_t)
+')