1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
|
policy_module(ldap, 1.10.1)
########################################
#
# Declarations
#
type slapd_t;
type slapd_exec_t;
init_daemon_domain(slapd_t, slapd_exec_t)
type slapd_cert_t;
files_type(slapd_cert_t)
type slapd_db_t;
files_type(slapd_db_t)
type slapd_etc_t;
files_config_file(slapd_etc_t)
type slapd_initrc_exec_t;
init_script_file(slapd_initrc_exec_t)
type slapd_lock_t;
files_lock_file(slapd_lock_t)
type slapd_replog_t;
files_type(slapd_replog_t)
type slapd_tmp_t;
files_tmp_file(slapd_tmp_t)
type slapd_var_run_t;
files_pid_file(slapd_var_run_t)
########################################
#
# Local policy
#
# should not need kill
# cjp: why net_raw?
allow slapd_t self:capability { kill setgid setuid net_raw dac_override dac_read_search };
dontaudit slapd_t self:capability sys_tty_config;
allow slapd_t self:process { setsched signal };
allow slapd_t self:fifo_file rw_fifo_file_perms;
allow slapd_t self:udp_socket create_socket_perms;
allow slapd_t self:unix_stream_socket listen;
#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
allow slapd_t self:tcp_socket create_stream_socket_perms;
allow slapd_t slapd_cert_t:dir list_dir_perms;
read_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
read_lnk_files_pattern(slapd_t, slapd_cert_t, slapd_cert_t)
# Allow access to the slapd databases
manage_dirs_pattern(slapd_t, slapd_db_t, slapd_db_t)
manage_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
manage_lnk_files_pattern(slapd_t, slapd_db_t, slapd_db_t)
allow slapd_t slapd_etc_t:file read_file_perms;
allow slapd_t slapd_lock_t:file manage_file_perms;
files_lock_filetrans(slapd_t, slapd_lock_t, file)
# Allow access to write the replication log (should tighten this)
manage_dirs_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_lnk_files_pattern(slapd_t, slapd_replog_t, slapd_replog_t)
manage_dirs_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
manage_files_pattern(slapd_t, slapd_tmp_t, slapd_tmp_t)
files_tmp_filetrans(slapd_t, slapd_tmp_t, { file dir })
manage_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
manage_sock_files_pattern(slapd_t, slapd_var_run_t, slapd_var_run_t)
files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
corenet_all_recvfrom_unlabeled(slapd_t)
corenet_all_recvfrom_netlabel(slapd_t)
corenet_tcp_sendrecv_generic_if(slapd_t)
corenet_udp_sendrecv_generic_if(slapd_t)
corenet_tcp_sendrecv_generic_node(slapd_t)
corenet_udp_sendrecv_generic_node(slapd_t)
corenet_tcp_sendrecv_all_ports(slapd_t)
corenet_udp_sendrecv_all_ports(slapd_t)
corenet_tcp_bind_generic_node(slapd_t)
corenet_tcp_bind_ldap_port(slapd_t)
corenet_tcp_connect_all_ports(slapd_t)
corenet_sendrecv_ldap_server_packets(slapd_t)
corenet_sendrecv_all_client_packets(slapd_t)
dev_read_urand(slapd_t)
dev_read_sysfs(slapd_t)
fs_getattr_all_fs(slapd_t)
fs_search_auto_mountpoints(slapd_t)
domain_use_interactive_fds(slapd_t)
files_read_etc_files(slapd_t)
files_read_etc_runtime_files(slapd_t)
files_read_usr_files(slapd_t)
files_list_var_lib(slapd_t)
auth_use_nsswitch(slapd_t)
logging_send_syslog_msg(slapd_t)
miscfiles_read_generic_certs(slapd_t)
miscfiles_read_localization(slapd_t)
userdom_dontaudit_use_unpriv_user_fds(slapd_t)
userdom_dontaudit_search_user_home_dirs(slapd_t)
userdom_use_user_terminals(slapd_t)
optional_policy(`
kerberos_keytab_template(slapd, slapd_t)
')
optional_policy(`
sasl_connect(slapd_t)
')
optional_policy(`
seutil_sigchld_newrole(slapd_t)
')
optional_policy(`
udev_read_db(slapd_t)
')
|