diff options
Diffstat (limited to 'policy/modules/contrib/sssd.if')
-rw-r--r-- | policy/modules/contrib/sssd.if | 361 |
1 files changed, 0 insertions, 361 deletions
diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if deleted file mode 100644 index a2404551..00000000 --- a/policy/modules/contrib/sssd.if +++ /dev/null @@ -1,361 +0,0 @@ -## <summary>System Security Services Daemon.</summary> - -####################################### -## <summary> -## Get attributes of sssd executable files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_getattr_exec',` - gen_require(` - type sssd_exec_t; - ') - - allow $1 sssd_exec_t:file getattr_file_perms; -') - -######################################## -## <summary> -## Execute a domain transition to run sssd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`sssd_domtrans',` - gen_require(` - type sssd_t, sssd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, sssd_exec_t, sssd_t) -') - -######################################## -## <summary> -## Execute sssd init scripts in -## the initrc domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`sssd_initrc_domtrans',` - gen_require(` - type sssd_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, sssd_initrc_exec_t) -') - -####################################### -## <summary> -## Read sssd configuration content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_read_config',` - gen_require(` - type sssd_conf_t; - ') - - files_search_etc($1) - list_dirs_pattern($1, sssd_conf_t, sssd_conf_t) - read_files_pattern($1, sssd_conf_t, sssd_conf_t) -') - -###################################### -## <summary> -## Write sssd configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_write_config',` - gen_require(` - type sssd_conf_t; - ') - - files_search_etc($1) - write_files_pattern($1, sssd_conf_t, sssd_conf_t) -') - -#################################### -## <summary> -## Create, read, write, and delete -## sssd configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_manage_config',` - gen_require(` - type sssd_conf_t; - ') - - files_search_etc($1) - manage_files_pattern($1, sssd_conf_t, sssd_conf_t) -') - -######################################## -## <summary> -## Read sssd public files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_read_public_files',` - gen_require(` - type sssd_public_t; - ') - - sssd_search_lib($1) - allow $1 sssd_public_t:dir list_dir_perms; - read_files_pattern($1, sssd_public_t, sssd_public_t) -') - -####################################### -## <summary> -## Create, read, write, and delete -## sssd public files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_manage_public_files',` - gen_require(` - type sssd_public_t; - ') - - sssd_search_lib($1) - manage_files_pattern($1, sssd_public_t, sssd_public_t) -') - -######################################## -## <summary> -## Read sssd pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_read_pid_files',` - gen_require(` - type sssd_var_run_t; - ') - - files_search_pids($1) - allow $1 sssd_var_run_t:file read_file_perms; -') - -######################################## -## <summary> -## Create, read, write, and delete -## sssd pid content. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_manage_pids',` - gen_require(` - type sssd_var_run_t; - ') - - files_search_pids($1) - manage_dirs_pattern($1, sssd_var_run_t, sssd_var_run_t) - manage_files_pattern($1, sssd_var_run_t, sssd_var_run_t) -') - -######################################## -## <summary> -## Search sssd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_search_lib',` - gen_require(` - type sssd_var_lib_t; - ') - - allow $1 sssd_var_lib_t:dir search_dir_perms; - files_search_var_lib($1) -') - -######################################## -## <summary> -## Do not audit attempts to search -## sssd lib directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`sssd_dontaudit_search_lib',` - gen_require(` - type sssd_var_lib_t; - ') - - dontaudit $1 sssd_var_lib_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read sssd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_read_lib_files',` - gen_require(` - type sssd_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) - read_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## sssd lib files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_manage_lib_files',` - gen_require(` - type sssd_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) - manage_lnk_files_pattern($1, sssd_var_lib_t, sssd_var_lib_t) -') - -######################################## -## <summary> -## Send and receive messages from -## sssd over dbus. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_dbus_chat',` - gen_require(` - type sssd_t; - class dbus send_msg; - ') - - allow $1 sssd_t:dbus send_msg; - allow sssd_t $1:dbus send_msg; -') - -######################################## -## <summary> -## Connect to sssd with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`sssd_stream_connect',` - gen_require(` - type sssd_t, sssd_var_lib_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, sssd_var_lib_t, sssd_var_lib_t, sssd_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an sssd environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`sssd_admin',` - gen_require(` - type sssd_t, sssd_public_t, sssd_initrc_exec_t; - type sssd_var_lib_t, sssd_var_run_t, sssd_conf_t; - type sssd_log_t; - ') - - allow $1 sssd_t:process { ptrace signal_perms }; - ps_process_pattern($1, sssd_t) - - sssd_initrc_domtrans($1) - domain_system_change_exemption($1) - role_transition $2 sssd_initrc_exec_t system_r; - allow $2 system_r; - - files_search_etc($1) - admin_pattern($1, sssd_conf_t) - - files_search_var_lib($1) - admin_pattern($1, { sssd_var_lib_t sssd_public_t }) - - files_search_pids($1) - admin_pattern($1, sssd_var_run_t) - - logging_search_logs($1) - admin_pattern($1, sssd_log_t) -') |