forked from OwlCyberDefense/refpolicy-contrib
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathldap.if
130 lines (113 loc) · 2.58 KB
/
ldap.if
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
## <summary>OpenLDAP directory server.</summary>
########################################
## <summary>
## List ldap database directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ldap_list_db',`
gen_require(`
type slapd_db_t;
')
files_search_etc($1)
allow $1 slapd_db_t:dir list_dir_perms;
')
########################################
## <summary>
## Read ldap configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`ldap_read_config',`
gen_require(`
type slapd_etc_t;
')
files_search_etc($1)
allow $1 slapd_etc_t:file read_file_perms;
')
########################################
## <summary>
## Connect to slapd over an unix
## stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ldap_stream_connect',`
gen_require(`
type slapd_t, slapd_var_run_t;
')
files_search_pids($1)
stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
')
########################################
## <summary>
## Connect to ldap over the network.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ldap_tcp_connect',`
gen_require(`
type slapd_t;
')
corenet_sendrecv_ldap_client_packets($1)
corenet_tcp_connect_ldap_port($1)
corenet_tcp_recvfrom_labeled($1, slapd_t)
corenet_tcp_sendrecv_ldap_port($1)
')
########################################
## <summary>
## All of the rules required to
## administrate an ldap environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`ldap_admin',`
gen_require(`
type slapd_t, slapd_tmp_t, slapd_replog_t;
type slapd_lock_t, slapd_etc_t, slapd_var_run_t;
type slapd_initrc_exec_t, slapd_log_t, slapd_cert_t;
type slapd_db_t, slapd_keytab_t;
')
allow $1 slapd_t:process { ptrace signal_perms };
ps_process_pattern($1, slapd_t)
init_startstop_service($1, $2, slapd_t, slapd_initrc_exec_t)
files_list_etc($1)
admin_pattern($1, { slapd_etc_t slapd_db_t slapd_cert_t slapd_keytab_t })
files_list_locks($1)
admin_pattern($1, slapd_lock_t)
logging_list_logs($1)
admin_pattern($1, slapd_log_t)
files_search_var_lib($1)
admin_pattern($1, slapd_replog_t)
files_list_tmp($1)
admin_pattern($1, slapd_tmp_t)
files_list_pids($1)
admin_pattern($1, slapd_var_run_t)
')