Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/contrib/nscd.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/contrib/nscd.if')
-rw-r--r--policy/modules/contrib/nscd.if291
1 files changed, 291 insertions, 0 deletions
diff --git a/policy/modules/contrib/nscd.if b/policy/modules/contrib/nscd.if
new file mode 100644
index 000000000..85188dc77
--- /dev/null
+++ b/policy/modules/contrib/nscd.if
@@ -0,0 +1,291 @@
+## <summary>Name service cache daemon</summary>
+
+########################################
+## <summary>
+## Send generic signals to NSCD.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_signal',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process signal;
+')
+
+########################################
+## <summary>
+## Send NSCD the kill signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_kill',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process sigkill;
+')
+
+########################################
+## <summary>
+## Send signulls to NSCD.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_signull',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ allow $1 nscd_t:process signull;
+')
+
+########################################
+## <summary>
+## Execute NSCD in the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nscd_domtrans',`
+ gen_require(`
+ type nscd_t, nscd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, nscd_exec_t, nscd_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to execute nscd
+## in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_exec',`
+ gen_require(`
+ type nscd_exec_t;
+ ')
+
+ can_exec($1, nscd_exec_t)
+')
+
+########################################
+## <summary>
+## Use NSCD services by connecting using
+## a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_socket_use',`
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
+ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
+ ')
+
+ allow $1 self:unix_stream_socket create_socket_perms;
+
+ allow $1 nscd_t:nscd { getpwd getgrp gethost };
+ dontaudit $1 nscd_t:fd use;
+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
+ files_search_pids($1)
+ stream_connect_pattern($1, nscd_var_run_t, nscd_var_run_t, nscd_t)
+ dontaudit $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Use NSCD services by mapping the database from
+## an inherited NSCD file descriptor.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_shm_use',`
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
+ class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+ ')
+
+ allow $1 nscd_var_run_t:dir list_dir_perms;
+ allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
+
+ # Receive fd from nscd and map the backing file with read access.
+ allow $1 nscd_t:fd use;
+
+ # cjp: these were originally inherited from the
+ # nscd_socket_domain macro. need to investigate
+ # if they are all actually required
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 nscd_t:unix_stream_socket connectto;
+ allow $1 nscd_var_run_t:sock_file rw_file_perms;
+ files_search_pids($1)
+ allow $1 nscd_t:nscd { getpwd getgrp gethost };
+ dontaudit $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to search the NSCD pid directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`nscd_dontaudit_search_pid',`
+ gen_require(`
+ type nscd_var_run_t;
+ ')
+
+ dontaudit $1 nscd_var_run_t:dir search;
+')
+
+########################################
+## <summary>
+## Read NSCD pid file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_read_pid',`
+ gen_require(`
+ type nscd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, nscd_var_run_t, nscd_var_run_t)
+')
+
+########################################
+## <summary>
+## Unconfined access to NSCD services.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_unconfined',`
+ gen_require(`
+ type nscd_t;
+ class nscd all_nscd_perms;
+ ')
+
+ allow $1 nscd_t:nscd *;
+')
+
+########################################
+## <summary>
+## Execute nscd in the nscd domain, and
+## allow the specified role the nscd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`nscd_run',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ nscd_domtrans($1)
+ role $2 types nscd_t;
+')
+
+########################################
+## <summary>
+## Execute the nscd server init script.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`nscd_initrc_domtrans',`
+ gen_require(`
+ type nscd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an nscd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the nscd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`nscd_admin',`
+ gen_require(`
+ type nscd_t, nscd_log_t, nscd_var_run_t;
+ type nscd_initrc_exec_t;
+ ')
+
+ allow $1 nscd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, nscd_t)
+
+ init_labeled_script_domtrans($1, nscd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 nscd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_list_logs($1)
+ admin_pattern($1, nscd_log_t)
+
+ files_list_pids($1)
+ admin_pattern($1, nscd_var_run_t)
+')