Integrate ipa_custodia policy
ipa-custodia is an internal service for IPA. The upstream SELinux policy has a separate module for ipa_custodia. Fold the current policy from Fedora rawhide into ipa's SELinux policy. Related: https://pagure.io/freeipa/issue/6891 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
parent
c77f4213e9
commit
a55a722237
@ -24,3 +24,11 @@
|
||||
/var/log/ipareplica-conncheck.log.* -- gen_context(system_u:object_r:ipa_log_t,s0)
|
||||
|
||||
/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0)
|
||||
|
||||
/usr/libexec/ipa/ipa-custodia -- gen_context(system_u:object_r:ipa_custodia_exec_t,s0)
|
||||
/usr/libexec/ipa/custodia/ipa-custodia-dmldap -- gen_context(system_u:object_r:ipa_custodia_dmldap_exec_t,s0)
|
||||
/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
|
||||
/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
|
||||
/usr/libexec/ipa/custodia/ipa-custodia-ra-agent -- gen_context(system_u:object_r:ipa_custodia_ra_agent_exec_t,s0)
|
||||
|
||||
/var/log/ipa-custodia.audit.log(/.*)? -- gen_context(system_u:object_r:ipa_custodia_log_t,s0)
|
||||
|
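Review bot: The audit-log entry `/var/log/ipa-custodia.audit.log(/.*)? -- gen_context(system_u:object_r:ipa_custodia_log_t,s0)` is self-contradictory: the `--` class qualifier restricts the match to regular files, so if ipa-custodia.audit.log is a directory it never receives ipa_custodia_log_t itself, and if it is a plain file the `(/.*)?` suffix is dead. If it is a file, write `/var/log/ipa-custodia.audit.log -- gen_context(system_u:object_r:ipa_custodia_log_t,s0)`; if it is a directory, drop the `--` so the directory and its children are both labelled. The .te hunk's `logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })` creates both kinds, so a restorecon would currently relabel a directory back to var_log_t.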
@ -308,3 +308,60 @@ interface(`ipa_read_tmp',`
|
||||
|
||||
read_files_pattern($1, ipa_tmp_t, ipa_tmp_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute ipa_custodia_exec_t in the ipa_custodia domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ipa_custodia_domtrans',`
|
||||
gen_require(`
|
||||
type ipa_custodia_t, ipa_custodia_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, ipa_custodia_exec_t, ipa_custodia_t)
|
||||
')
|
||||
|
||||
######################################
|
||||
## <summary>
|
||||
## Execute ipa_custodia in the caller domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ipa_custodia_exec',`
|
||||
gen_require(`
|
||||
type ipa_custodia_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
can_exec($1, ipa_custodia_exec_t)
|
||||
')
|
||||
|
||||
#####################################
|
||||
## <summary>
|
||||
## Connect to ipa_custodia with a unix
|
||||
## domain stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`ipa_custodia_stream_connect',`
|
||||
gen_require(`
|
||||
type ipa_custodia_t;
|
||||
')
|
||||
|
||||
allow $1 ipa_custodia_t:unix_stream_socket { connectto };
|
||||
')
|
||||
|
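Review bot: `ipa_custodia_stream_connect` grants only `connectto` on the ipa_custodia_t process socket; a caller also needs write access to the socket file itself, which this interface does not provide, so callers will still be denied unless they obtain sock_file write elsewhere. If the listening socket lives under /var/run/ipa (labelled ipa_var_run_t in the .fc hunk), the conventional form is `stream_connect_pattern($1, ipa_var_run_t, ipa_var_run_t, ipa_custodia_t)` with `type ipa_var_run_t;` added to the gen_require block; if it lives elsewhere, document in the interface summary which type the caller must be able to write. Minor style point: the three banner lines use 40, 38 and 37 `#` characters; the existing interfaces in this file use the 40-wide banner.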
@ -53,6 +53,25 @@ miscfiles_cert_type(ipa_cert_t)
|
||||
type ipa_tmp_t;
|
||||
files_tmp_file(ipa_tmp_t)
|
||||
|
||||
type ipa_custodia_t;
|
||||
type ipa_custodia_exec_t;
|
||||
init_daemon_domain(ipa_custodia_t, ipa_custodia_exec_t)
|
||||
|
||||
type ipa_custodia_dmldap_exec_t;
|
||||
init_script_file(ipa_custodia_dmldap_exec_t)
|
||||
|
||||
type ipa_custodia_pki_tomcat_exec_t;
|
||||
init_script_file(ipa_custodia_pki_tomcat_exec_t)
|
||||
|
||||
type ipa_custodia_ra_agent_exec_t;
|
||||
init_script_file(ipa_custodia_ra_agent_exec_t)
|
||||
|
||||
type ipa_custodia_log_t;
|
||||
logging_log_file(ipa_custodia_log_t)
|
||||
|
||||
type ipa_custodia_tmp_t;
|
||||
files_tmp_file(ipa_custodia_tmp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# ipa_otpd local policy
|
||||
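Review bot: The three helper executables (ipa_custodia_dmldap_exec_t, ipa_custodia_pki_tomcat_exec_t, ipa_custodia_ra_agent_exec_t) are declared with `init_script_file(...)` but nothing says why; that interface does more than mark a file executable, it adds the init-script attribute and makes the file an entry point for the init script domain, which is broader than the `can_exec(ipa_custodia_t, ...)` use in the later hunk needs. A one-line comment above the first declaration would save the next maintainer from "simplifying" it, e.g. `# custodia helper scripts; typed as init scripts (inherited from the Fedora ipa_custodia module), executed in-domain by ipa_custodia_t via can_exec below`. If the attribute is not actually required, a plain executable type would be the least-privilege choice, but that needs confirming against the helpers' behaviour, which this hunk does not show.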
@ -286,3 +305,78 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
ldap_stream_connect(ipa_ods_exporter_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# ipa_custodia local policy
|
||||
#
|
||||
allow ipa_custodia_t self:capability { setgid setuid };
|
||||
allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
|
||||
allow ipa_custodia_t self:netlink_route_socket { create_socket_perms nlmsg_read };
|
||||
allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
|
||||
allow ipa_custodia_t self:udp_socket create_socket_perms;
|
||||
|
||||
manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
|
||||
manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
|
||||
logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
|
||||
|
||||
manage_dirs_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
|
||||
manage_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
|
||||
files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
|
||||
|
||||
kernel_dgram_send(ipa_custodia_t)
|
||||
|
||||
auth_read_passwd(ipa_custodia_t)
|
||||
|
||||
can_exec(ipa_custodia_t, ipa_custodia_dmldap_exec_t)
|
||||
can_exec(ipa_custodia_t, ipa_custodia_pki_tomcat_exec_t)
|
||||
can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t)
|
||||
|
||||
corecmd_exec_bin(ipa_custodia_t)
|
||||
corecmd_mmap_bin_files(ipa_custodia_t)
|
||||
|
||||
domain_use_interactive_fds(ipa_custodia_t)
|
||||
|
||||
files_mmap_usr_files(ipa_custodia_t)
|
||||
|
||||
fs_getattr_xattr_fs(ipa_custodia_t)
|
||||
|
||||
files_read_etc_files(ipa_custodia_t)
|
||||
|
||||
libs_exec_ldconfig(ipa_custodia_t)
|
||||
libs_ldconfig_exec_entry_type(ipa_custodia_t)
|
||||
|
||||
miscfiles_read_generic_certs(ipa_custodia_t)
|
||||
miscfiles_read_localization(ipa_custodia_t)
|
||||
|
||||
sysnet_read_config(ipa_custodia_t)
|
||||
|
||||
optional_policy(`
|
||||
apache_search_config(ipa_custodia_t)
|
||||
apache_systemctl(ipa_custodia_t)
|
||||
apache_manage_pid_files(ipa_custodia_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dirsrv_manage_var_run(ipa_custodia_t)
|
||||
dirsrv_stream_connect(ipa_custodia_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ipa_read_lib(ipa_custodia_t)
|
||||
ipa_search_lib(ipa_custodia_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
pki_manage_tomcat_etc_rw(ipa_custodia_t)
|
||||
pki_read_tomcat_cert(ipa_custodia_t)
|
||||
pki_rw_tomcat_cert(ipa_custodia_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
sssd_read_public_files(ipa_custodia_t)
|
||||
sssd_run_stream_connect(ipa_custodia_t)
|
||||
sssd_search_lib(ipa_custodia_t)
|
||||
sssd_stream_connect(ipa_custodia_t)
|
||||
')
|
||||
|
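Review bot: `allow ipa_custodia_t self:capability { setgid setuid };` at the top of the local policy has no comment explaining what the daemon uses the capabilities for, and together with `apache_systemctl`, `apache_manage_pid_files` and `dirsrv_manage_var_run` it makes ipa_custodia_t a fairly powerful domain; a short comment such as `# setuid/setgid: needed to drop privileges at start -- confirm` (or whatever the real reason is) would document the intent. The `optional_policy` wrapper around `ipa_read_lib(ipa_custodia_t)` / `ipa_search_lib(ipa_custodia_t)` is a leftover from the standalone Fedora module: now that these rules live in ipa.te, the interfaces are always defined, so the wrapper can be dropped and the two calls made unconditionally. Nothing in this hunk grants ipa_custodia_t any access to ipa_var_run_t, so if its socket or pid file lives under /var/run/ipa that access must come from elsewhere in the file; worth confirming. Style: `manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)` is missing the spaces after commas used by every neighbouring rule.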