freeipa/selinux/ipa.te
Florence Blanc-Renaud ed001c97ee ipa config: add --enable-sid option
Add new options to ipa config-mod, allowing to enable
SID generation on upgraded servers:
ipa config-mod --enable-sid --add-sids --netbios-name NAME

The new option uses Dbus to launch an oddjob command,
org.freeipa.server.config-enable-sid
that runs the installation steps related to SID generation.

--add-sids is optional and triggers the sid generation task that
populates SID for existing users / groups.
--netbios-name is optional and allows to specify the NetBIOS Name.
When not provided, the NetBIOS name is generated based on the leading
component of the DNS domain name.

This command can be run multiple times.

Fixes: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00

493 lines
12 KiB
Plaintext

policy_module(ipa, 1.0.0)
########################################
#
# Declarations
#
attribute ipa_domain;
attribute_role ipa_helper_roles;
roleattribute system_r ipa_helper_roles;
type ipa_otpd_t, ipa_domain;
type ipa_otpd_exec_t;
init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t)
type ipa_dnskey_t, ipa_domain;
type ipa_dnskey_exec_t;
init_daemon_domain(ipa_dnskey_t, ipa_dnskey_exec_t)
type ipa_ods_exporter_t, ipa_domain;
type ipa_ods_exporter_exec_t;
init_daemon_domain(ipa_ods_exporter_t, ipa_ods_exporter_exec_t)
type ipa_otpd_unit_file_t;
systemd_unit_file(ipa_otpd_unit_file_t)
type ipa_dnskey_unit_file_t;
systemd_unit_file(ipa_dnskey_unit_file_t)
type ipa_ods_exporter_unit_file_t;
systemd_unit_file(ipa_ods_exporter_unit_file_t)
type ipa_log_t;
logging_log_file(ipa_log_t)
type ipa_var_lib_t;
files_type(ipa_var_lib_t)
type ipa_var_run_t;
files_pid_file(ipa_var_run_t)
type ipa_helper_t;
type ipa_helper_exec_t;
domain_type(ipa_helper_t)
domain_obj_id_change_exemption(ipa_helper_t)
init_system_domain(ipa_helper_t, ipa_helper_exec_t)
role ipa_helper_roles types ipa_helper_t;
type ipa_cert_t;
miscfiles_cert_type(ipa_cert_t)
type ipa_tmp_t;
files_tmp_file(ipa_tmp_t)
type ipa_custodia_t;
type ipa_custodia_exec_t;
init_daemon_domain(ipa_custodia_t, ipa_custodia_exec_t)
type ipa_custodia_dmldap_exec_t;
init_script_file(ipa_custodia_dmldap_exec_t)
type ipa_custodia_pki_tomcat_exec_t;
init_script_file(ipa_custodia_pki_tomcat_exec_t)
type ipa_custodia_pki_tomcat_t;
type ipa_custodia_ra_agent_exec_t;
init_script_file(ipa_custodia_ra_agent_exec_t)
type ipa_custodia_log_t;
logging_log_file(ipa_custodia_log_t)
type ipa_custodia_tmp_t;
files_tmp_file(ipa_custodia_tmp_t)
type ipa_pki_retrieve_key_exec_t;
type ipa_pki_retrieve_key_t;
domain_type(ipa_pki_retrieve_key_t)
init_script_file(ipa_pki_retrieve_key_exec_t)
########################################
#
# ipa_otpd local policy
#
allow ipa_otpd_t self:capability2 block_suspend;
allow ipa_otpd_t self:fifo_file rw_fifo_file_perms;
allow ipa_otpd_t self:unix_stream_socket create_stream_socket_perms;
read_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t)
read_lnk_files_pattern(ipa_otpd_t, ipa_cert_t, ipa_cert_t)
manage_dirs_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t)
manage_files_pattern(ipa_otpd_t, ipa_var_run_t, ipa_var_run_t)
files_pid_filetrans(ipa_otpd_t, ipa_var_run_t, file)
corenet_tcp_connect_radius_port(ipa_otpd_t)
dev_read_urand(ipa_otpd_t)
dev_read_rand(ipa_otpd_t)
sysnet_dns_name_resolve(ipa_otpd_t)
optional_policy(`
dirsrv_stream_connect(ipa_otpd_t)
')
optional_policy(`
kerberos_use(ipa_otpd_t)
')
optional_policy(`
sssd_stream_connect(ipa_otpd_t)
')
########################################
#
# password policy local policy
#
optional_policy(`
gen_require(`
type kadmind_t;
type crack_db_t;
class file getattr;
class file open;
class file read;
class dir search;
')
allow kadmind_t crack_db_t:file { getattr open read };
allow kadmind_t crack_db_t:dir search;
')
########################################
#
# ipa-helper local policy
#
allow ipa_helper_t self:capability { chown dac_override dac_read_search net_admin };
seutil_read_config(ipa_helper_t)
#kernel bug
dontaudit ipa_helper_t self:capability2 block_suspend;
allow ipa_helper_t self:process setfscreate;
allow ipa_helper_t self:fifo_file rw_fifo_file_perms;
allow ipa_helper_t self:netlink_route_socket r_netlink_socket_perms;
manage_files_pattern(ipa_helper_t, ipa_log_t, ipa_log_t)
logging_log_filetrans(ipa_helper_t, ipa_log_t, file)
manage_dirs_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t)
manage_files_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t)
files_pid_filetrans(ipa_helper_t, ipa_var_run_t, { dir file })
manage_files_pattern(ipa_helper_t, ipa_tmp_t, ipa_tmp_t)
files_tmp_filetrans(ipa_helper_t, ipa_tmp_t, { file })
kernel_read_system_state(ipa_helper_t)
kernel_read_network_state(ipa_helper_t)
corenet_tcp_connect_ldap_port(ipa_helper_t)
corenet_tcp_connect_smbd_port(ipa_helper_t)
corenet_tcp_connect_http_port(ipa_helper_t)
corenet_tcp_connect_kerberos_password_port(ipa_helper_t)
corecmd_exec_bin(ipa_helper_t)
corecmd_exec_shell(ipa_helper_t)
dev_read_urand(ipa_helper_t)
auth_use_nsswitch(ipa_helper_t)
files_list_tmp(ipa_helper_t)
init_read_state(ipa_helper_t)
init_stream_connect(ipa_helper_t)
ipa_manage_pid_files(ipa_helper_t)
ipa_read_lib(ipa_helper_t)
logging_send_syslog_msg(ipa_helper_t)
optional_policy(`
dirsrv_stream_connect(ipa_helper_t)
')
optional_policy(`
dirsrv_systemctl(ipa_helper_t)
')
optional_policy(`
ldap_stream_connect(ipa_helper_t)
')
optional_policy(`
libs_exec_ldconfig(ipa_helper_t)
')
optional_policy(`
kerberos_read_keytab(ipa_helper_t)
')
optional_policy(`
oddjob_system_entry(ipa_helper_t, ipa_helper_exec_t)
')
optional_policy(`
rpm_read_db(ipa_helper_t)
')
optional_policy(`
samba_read_config(ipa_helper_t)
')
optional_policy(`
sssd_manage_lib_files(ipa_helper_t)
sssd_systemctl(ipa_helper_t)
')
########################################
#
# ipa-dnskey local policy
#
allow ipa_dnskey_t self:tcp_socket create_stream_socket_perms;
allow ipa_dnskey_t self:udp_socket create_socket_perms;
allow ipa_dnskey_t self:unix_dgram_socket create_socket_perms;
allow ipa_dnskey_t self:netlink_route_socket { create_netlink_socket_perms nlmsg_read };
read_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t)
read_lnk_files_pattern(ipa_dnskey_t, ipa_cert_t, ipa_cert_t)
manage_files_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
setattr_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
list_dirs_pattern(ipa_dnskey_t, ipa_var_lib_t, ipa_var_lib_t)
manage_files_pattern(ipa_dnskey_t, ipa_tmp_t, ipa_tmp_t)
files_tmp_filetrans(ipa_dnskey_t, ipa_tmp_t, { file })
kernel_dgram_send(ipa_dnskey_t)
kernel_read_system_state(ipa_dnskey_t)
kernel_read_network_state(ipa_dnskey_t)
auth_use_nsswitch(ipa_dnskey_t)
corecmd_exec_bin(ipa_dnskey_t)
corecmd_exec_shell(ipa_dnskey_t)
corenet_tcp_bind_generic_node(ipa_dnskey_t)
corenet_tcp_connect_kerberos_port(ipa_dnskey_t)
corenet_tcp_connect_rndc_port(ipa_dnskey_t)
dev_read_rand(ipa_dnskey_t)
can_exec(ipa_dnskey_t,ipa_dnskey_exec_t)
libs_exec_ldconfig(ipa_dnskey_t)
logging_send_syslog_msg(ipa_dnskey_t)
miscfiles_read_generic_certs(ipa_dnskey_t)
sysnet_read_config(ipa_dnskey_t)
optional_policy(`
apache_search_config(ipa_dnskey_t)
')
optional_policy(`
bind_domtrans_ndc(ipa_dnskey_t)
bind_read_dnssec_keys(ipa_dnskey_t)
bind_manage_zone(ipa_dnskey_t)
bind_manage_zone_dirs(ipa_dnskey_t)
bind_search_cache(ipa_dnskey_t)
')
optional_policy(`
dirsrv_stream_connect(ipa_dnskey_t)
')
optional_policy(`
kerberos_read_keytab(ipa_dnskey_t)
')
optional_policy(`
opendnssec_domtrans(ipa_dnskey_t)
opendnssec_manage_config(ipa_dnskey_t)
opendnssec_manage_var_files(ipa_dnskey_t)
opendnssec_filetrans_etc_content(ipa_dnskey_t)
opendnssec_stream_connect(ipa_dnskey_t)
')
########################################
#
# ipa-ods-exporter local policy
#
allow ipa_ods_exporter_t self:netlink_route_socket { bind create getattr nlmsg_read };
allow ipa_ods_exporter_t self:udp_socket { connect create getattr };
allow ipa_ods_exporter_t self:unix_dgram_socket { create getopt setopt };
manage_files_pattern(ipa_ods_exporter_t, ipa_var_lib_t, ipa_var_lib_t)
list_dirs_pattern(ipa_ods_exporter_t, ipa_var_lib_t, ipa_var_lib_t)
manage_files_pattern(ipa_ods_exporter_t, ipa_tmp_t, ipa_tmp_t)
manage_dirs_pattern(ipa_ods_exporter_t, ipa_tmp_t, ipa_tmp_t)
files_tmp_filetrans(ipa_ods_exporter_t, ipa_tmp_t, { dir file })
kernel_dgram_send(ipa_ods_exporter_t)
auth_use_nsswitch(ipa_ods_exporter_t)
corecmd_exec_bin(ipa_ods_exporter_t)
corecmd_exec_shell(ipa_ods_exporter_t)
libs_exec_ldconfig(ipa_ods_exporter_t)
logging_send_syslog_msg(ipa_ods_exporter_t)
miscfiles_read_generic_certs(ipa_ods_exporter_t)
sysnet_read_config(ipa_ods_exporter_t)
optional_policy(`
bind_search_cache(ipa_ods_exporter_t)
')
optional_policy(`
dirsrv_stream_connect(ipa_ods_exporter_t)
')
optional_policy(`
kerberos_read_keytab(ipa_ods_exporter_t)
')
optional_policy(`
opendnssec_manage_var_files(ipa_ods_exporter_t)
opendnssec_stream_connect(ipa_ods_exporter_t)
')
optional_policy(`
ldap_stream_connect(ipa_ods_exporter_t)
')
########################################
#
# ipa_custodia local policy
#
allow ipa_custodia_t self:capability { setgid setuid };
allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
allow ipa_custodia_t self:netlink_route_socket { create_socket_perms nlmsg_read };
allow ipa_custodia_t self:process execmem;
allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
allow ipa_custodia_t self:tcp_socket { bind create };
allow ipa_custodia_t self:udp_socket create_socket_perms;
manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
manage_dirs_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
manage_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
mmap_exec_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
kernel_dgram_send(ipa_custodia_t)
kernel_read_network_state(ipa_custodia_t)
kernel_read_system_state(ipa_custodia_t)
auth_read_passwd(ipa_custodia_t)
can_exec(ipa_custodia_t, ipa_custodia_dmldap_exec_t)
can_exec(ipa_custodia_t, ipa_custodia_pki_tomcat_exec_t)
can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t)
corecmd_exec_bin(ipa_custodia_t)
corecmd_mmap_bin_files(ipa_custodia_t)
dev_read_urand(ipa_custodia_t)
dev_read_rand(ipa_custodia_t)
dev_read_sysfs(ipa_custodia_t)
domain_use_interactive_fds(ipa_custodia_t)
files_mmap_usr_files(ipa_custodia_t)
fs_getattr_xattr_fs(ipa_custodia_t)
files_read_etc_files(ipa_custodia_t)
libs_exec_ldconfig(ipa_custodia_t)
libs_ldconfig_exec_entry_type(ipa_custodia_t)
logging_send_syslog_msg(ipa_custodia_t)
miscfiles_read_generic_certs(ipa_custodia_t)
miscfiles_read_localization(ipa_custodia_t)
sysnet_read_config(ipa_custodia_t)
optional_policy(`
apache_search_config(ipa_custodia_t)
apache_systemctl(ipa_custodia_t)
apache_manage_pid_files(ipa_custodia_t)
')
optional_policy(`
dirsrv_manage_var_run(ipa_custodia_t)
dirsrv_stream_connect(ipa_custodia_t)
')
optional_policy(`
ipa_read_lib(ipa_custodia_t)
ipa_search_lib(ipa_custodia_t)
')
optional_policy(`
gen_require(` #selint-disable:S-001
type httpd_t;
')
ipa_custodia_stream_connect(httpd_t)
')
optional_policy(`
pki_manage_tomcat_etc_rw(ipa_custodia_t)
pki_read_tomcat_cert(ipa_custodia_t)
pki_rw_tomcat_cert(ipa_custodia_t)
')
optional_policy(`
sssd_read_public_files(ipa_custodia_t)
sssd_run_stream_connect(ipa_custodia_t)
sssd_search_lib(ipa_custodia_t)
sssd_stream_connect(ipa_custodia_t)
')
optional_policy(`
systemd_private_tmp(ipa_custodia_tmp_t)
')
optional_policy(`
gen_require(` #selint-disable:S-001
type tomcat_t;
')
can_exec(tomcat_t, ipa_pki_retrieve_key_exec_t)
pki_manage_tomcat_etc_rw(ipa_pki_retrieve_key_t)
')
optional_policy(`
gen_require(` #selint-disable:S-001
type devlog_t;
')
dontaudit ipa_custodia_t devlog_t:lnk_file read_lnk_file_perms;
')
optional_policy(`
java_exec(ipa_custodia_pki_tomcat_t)
# allow Java to read system status and RNG
')
optional_policy(`
gen_require(` #selint-disable:S-001
type tomcat_t;
')
kerberos_read_config(tomcat_t)
kerberos_read_keytab(tomcat_t)
')
optional_policy(`
gen_require(` #selint-disable:S-001
type node_t;
')
allow ipa_custodia_t node_t:tcp_socket node_bind;
')
optional_policy(`
gen_require(` #selint-disable:S-001
type pki_tomcat_cert_t;
')
allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
allow ipa_custodia_t pki_tomcat_cert_t:file create;
allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
')
optional_policy(`
gen_require(` #selint-disable:S-001
type oddjob_t;
')
ipa_helper_noatsecure(oddjob_t)
')