Steve Burt
2008-Mar-12 17:35 UTC
[Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 34, Issue 24
Hi Rich,

Ok so I think I have to create an ldif file

There is a workaround - if the fqdn is host.example.com, you just have to create
the following entries:

dn: cn=host.example.com, ou=example.com, o=NetscapeRoot
objectclass: top
objectclass: nsHost
objectclass: groupOfUniqueNames
cn: host.example.com
nsosversion: output of uname -a on the machine
nshardwareplatform: arch e.g. i386 or x86_64 or ...
serverHostName: host.example.com

dn: cn=Server Group, cn=host.example.com, ou=example.com, o=NetscapeRoot
objectclass: top
objectclass: nsAdminGroup
objectclass: nsDirectoryInfo
objectclass: groupOfUniqueNames
nsAdminGroupName: Server Group
nsDirectoryInfoRef: cn=User Directory, ou=Global Preferences, ou=example.com, o=NetscapeRoot

Is that correct?

On 12/03/2008, fedora-directory-users-request@redhat.com
<fedora-directory-users-request@redhat.com> wrote:
> Send Fedora-directory-users mailing list submissions to
>         fedora-directory-users@redhat.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://www.redhat.com/mailman/listinfo/fedora-directory-users
> or, via email, send a message with subject or body 'help' to
>         fedora-directory-users-request@redhat.com
>
> You can reach the person managing the list at
>         fedora-directory-users-owner@redhat.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Fedora-directory-users digest..."
>
>
> Today's Topics:
>
>    1. SELinux policy for Fedora Directory Server 1.1.0 (Pär Aronsson)
>    2. Problems in adding a second server into a new (Steve Burt)
>    3. Re: Problems in adding a second server into a new (Rich Megginson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 11 Mar 2008 17:34:09 +0100
> From: Pär Aronsson <par.aronsson@telia.com>
> Subject: [Fedora-directory-users] SELinux policy for Fedora Directory Server 1.1.0
> To: selinux@tycho.nsa.gov, fedora-directory-users@redhat.com
> Message-ID: <200803111734.10289.par.aronsson@telia.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hello,
>
> Attached is a SELinux policy for the Fedora Directory Server 1.1.0.
> It is composed of three parts.
> * dirsrv - directory server and setup programs
> * dirsrv-admin - administration server and setup programs
> * fedora-idm-console - java based console for administration
>
> The policies were developed on a CentOS 5.1 with the following packages:
> fedora-ds-base-1.1.0-3.fc6
> fedora-ds-admin-1.1.1-1.fc6
> fedora-ds-console-1.1.0-5.fc6
> selinux-policy-2.4.6-106.el5_1.3
> kernel-2.6.18-53.1.4.el5
>
> I've successfully tested the policies in targeted and strict mode.
>
> The dirsrv-admin policy requires that the apache policy module is loaded.
> Also run:
> setsebool -P httpd_enable_cgi on
>
> Comment out the following in /usr/sbin/start-ds-admin (line 63-65):
> if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
>     SELINUX_CMD="runcon -t unconfined_t --"
> fi
>
> I had trouble with the replication plugin so I haven't been able to do any
> testing with replication.
>
> Any comments are welcome.
>
> // Pär Aronsson
> -------------- next part --------------
> ## <summary>Administration application for Fedora Directory Server, dirsrv-admin.</summary>
>
> ########################################
> ## <summary>
> ##	Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain
> ##	and the system_r role. Strict policy.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Prefix of the domain performing this action.
> ##	</summary>
> ## </param>
> ## <param name="role">
> ##	<summary>
> ##	The role to allow the domain.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_setup_domtrans_strict',`
> 	gen_require(`
> 		type dirsrvadmin_t, dirsrvadmin_setup_t, dirsrvadmin_setupexec_t;
> 		type $1_t, $1_devpts_t;
> 	')
>
> 	domain_auto_trans($1_t, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t)
> 	allow dirsrvadmin_setup_t $1_t:fd use;
> 	allow dirsrvadmin_setup_t $1_t:process sigchld;
> 	allow dirsrvadmin_setup_t $1_devpts_t:chr_file rw_term_perms;
> 	role $2 types dirsrvadmin_setup_t;
> 	role system_r types dirsrvadmin_setup_t;
> 	role_transition $2 dirsrvadmin_setupexec_t system_r;
> ')
>
> ########################################
> ## <summary>
> ##	Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain
> ##	and the system_r role. Targeted policy.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Prefix of the domain performing this action.
> ##	</summary>
> ## </param>
> ## <param name="role">
> ##	<summary>
> ##	The role to allow the domain.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_setup_domtrans_targeted',`
> 	gen_require(`
> 		type $1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t;
> 	')
>
> 	domain_auto_trans($1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t)
> ')
>
> ########################################
> ## <summary>
> ##	Read setup log files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_read_setuplog',`
> 	gen_require(`
> 		type dirsrvadmin_setuplog_t;
> 	')
>
> 	files_search_tmp($1)
> 	allow $1 dirsrvadmin_setuplog_t:file r_file_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Manage setup log files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_manage_setuplog',`
> 	gen_require(`
> 		type dirsrvadmin_setuplog_t;
> 	')
>
> 	files_search_tmp($1)
> 	allow $1 dirsrvadmin_setuplog_t:file manage_file_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Extend httpd domain for dirsrv-admin.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_extend_httpd',`
> 	gen_require(`
> 		type httpd_t;
> 	')
>
> 	# Allow httpd domain to interact with dirsrv
> 	dirsrv_manage_config(httpd_t)
> 	dirsrv_manage_log(httpd_t)
> 	dirsrv_manage_var_run(httpd_t)
> 	dirsrvadmin_manage_setuplog(httpd_t)
> 	dirsrvadmin_manage_config(httpd_t)
> 	dirsrv_signal(httpd_t)
> 	dirsrv_signull(httpd_t)
> 	dirsrv_run_helper_exec(httpd_t)
> 	files_exec_usr_files(httpd_t)
> 	corenet_tcp_bind_generic_port(httpd_t)
> 	corenet_tcp_connect_generic_port(httpd_t)
>
> 	# Strict policy
> 	ifdef(`strict_policy',`
> 		userdom_dontaudit_search_sysadm_home_dirs(httpd_t)
> 	')
> ')
>
> ########################################
> ## <summary>
> ##	Extend httpd domain for dirsrv-admin cgi.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_script_extend_httpd',`
> 	gen_require(`
> 		type httpd_t, httpd_exec_t, httpd_suexec_exec_t, httpd_tmp_t, httpd_var_run_t;
> 	')
>
> 	allow $1 httpd_exec_t:file { read getattr execute_no_trans };
> 	allow $1 httpd_suexec_exec_t:file getattr;
> 	allow $1 httpd_tmp_t:file { read write };
> 	allow $1 httpd_t:udp_socket { read write };
> 	allow $1 httpd_t:unix_stream_socket { ioctl getattr read write };
> 	allow $1 httpd_t:netlink_route_socket { read write };
> 	allow $1 httpd_t:fifo_file { write read };
> 	allow $1 httpd_var_run_t:file { read getattr };
> 	apache_list_modules($1)
> 	apache_exec_modules($1)
> 	apache_use_fds($1)
> 	dirsrvadmin_run_httpd_script_exec(httpd_t)
> ')
>
> ########################################
> ## <summary>
> ##	Extend init domain for dirsrv-admin.
> ##	The initscript searches in a config file.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_extend_init',`
> 	gen_require(`
> 		type initrc_t;
> 	')
>
> 	allow initrc_t dirsrvadmin_config_t:file read;
> ')
>
> ########################################
> ## <summary>
> ##	Exec dirsrv-admin programs.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_run_exec',`
> 	gen_require(`
> 		type dirsrvadmin_exec_t;
> 	')
>
> 	allow $1 dirsrvadmin_exec_t:dir search_dir_perms;
> 	can_exec($1,dirsrvadmin_exec_t)
> ')
>
> ########################################
> ## <summary>
> ##	Exec cgi programs.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_run_httpd_script_exec',`
> 	gen_require(`
> 		type httpd_dirsrvadmin_script_exec_t;
> 	')
>
> 	allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms;
> 	can_exec($1, httpd_dirsrvadmin_script_exec_t)
> ')
>
> ########################################
> ## <summary>
> ##	Manage cgi programs.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_manage_httpd_script_exec',`
> 	gen_require(`
> 		type httpd_dirsrvadmin_script_exec_t;
> 	')
>
> 	allow $1 httpd_dirsrvadmin_script_exec_t:dir manage_dir_perms;
> 	allow $1 httpd_dirsrvadmin_script_exec_t:file manage_file_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Read tmp files created by cgi programs.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_read_httpd_script_tmpfile',`
> 	gen_require(`
> 		type httpd_dirsrvadmin_script_rw_t;
> 	')
>
> 	allow $1 httpd_dirsrvadmin_script_rw_t:file r_file_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Manage tmp files created by cgi programs.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_manage_httpd_script_tmpfile',`
> 	gen_require(`
> 		type httpd_dirsrvadmin_script_rw_t;
> 	')
>
> 	allow $1 httpd_dirsrvadmin_script_rw_t:file manage_file_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Read dirsrv-adminserver configuration files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_read_config',`
> 	gen_require(`
> 		type dirsrvadmin_config_t;
> 	')
>
> 	allow $1 dirsrvadmin_config_t:dir r_dir_perms;
> 	allow $1 dirsrvadmin_config_t:file r_file_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Manage dirsrv-adminserver configuration files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_manage_config',`
> 	gen_require(`
> 		type dirsrvadmin_config_t;
> 	')
>
> 	allow $1 dirsrvadmin_config_t:dir manage_dir_perms;
> 	allow $1 dirsrvadmin_config_t:file manage_file_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Read and write to cgi program over an unix stream socket.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_script_stream_rw',`
> 	gen_require(`
> 		type httpd_dirsrvadmin_script_t;
> 	')
>
> 	allow $1 httpd_dirsrvadmin_script_t:unix_stream_socket { read write };
> ')
>
> ########################################
> ## <summary>
> ##	Read migration inf file in sysadm home dir.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrvadmin_read_inffile',`
> 	ifdef(`targeted_policy',`
> 		gen_require(`
> 			type user_home_t, user_home_dir_t;
> 		')
>
> 		userdom_list_user_home_dirs(user, $1)
> 		allow $1 user_home_t:file r_file_perms;
> 	',`
> 		gen_require(`
> 			type sysadm_home_t;
> 		')
>
> 		userdom_list_sysadm_home_dirs($1)
> 		allow $1 sysadm_home_t:file r_file_perms;
> 	')
> ')
>
> -------------- next part --------------
> # Start script for daemon (domain entry point)
> /usr/sbin/start-ds-admin	--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
> /usr/sbin/stop-ds-admin	--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
> /usr/sbin/restart-ds-admin	--	gen_context(system_u:object_r:dirsrvadmin_exec_t,s0)
> # Configuration
> /etc/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:dirsrvadmin_config_t,s0)
> # Log dir
> /var/log/dirsrv/admin-serv(/.*)?	gen_context(system_u:object_r:httpd_log_t,s0)
> # Pid
> /var/run/dirsrv/admin-serv.*	gen_context(system_u:object_r:httpd_var_run_t,s0)
> # cgi
> /usr/lib/dirsrv/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0)
> # Setup applications
> /usr/sbin/migrate-ds-admin.pl	--	gen_context(system_u:object_r:dirsrvadmin_setupexec_t,s0)
> /usr/sbin/setup-ds-admin.pl	--	gen_context(system_u:object_r:dirsrvadmin_setupexec_t,s0)
> -------------- next part --------------
> # Daemon (domain entry point)
> /usr/sbin/ns-slapd	--	gen_context(system_u:object_r:dirsrv_exec_t,s0)
> # Setup applications
> /usr/sbin/migrate-ds.pl	--	gen_context(system_u:object_r:dirsrv_setupexec_t,s0)
> /usr/sbin/setup-ds.pl	--	gen_context(system_u:object_r:dirsrv_setupexec_t,s0)
> # Helper scripts
> /usr/lib/dirsrv(/slapd-.*)?	gen_context(system_u:object_r:dirsrv_helper_exec_t,s0)
> # Configuration
> /etc/dirsrv(/slapd-.*)?	gen_context(system_u:object_r:dirsrv_config_t,s0)
> # Db files
> /var/lib/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_db_t,s0)
> # Lock files
> /var/lock/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_lock_t,s0)
> # Log files
> /var/log/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_log_t,s0)
> # var_run
> /var/run/dirsrv(/.*)?	gen_context(system_u:object_r:dirsrv_var_run_t,s0)
> -------------- next part --------------
> ## <summary>Fedora Directory server, dirsrv</summary>
>
> ########################################
> ## <summary>
> ##	Execute dirsrv programs in the dirsrv_t domain.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	The type of the process performing this action.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_domtrans',`
> 	gen_require(`
> 		type dirsrv_t, dirsrv_exec_t;
> 	')
>
> 	allow $1 dirsrv_t:process signull;
> 	domain_auto_trans($1, dirsrv_exec_t, dirsrv_t)
> 	allow dirsrv_t $1:fd use;
> 	allow dirsrv_t $1:fifo_file rw_file_perms;
> 	allow dirsrv_t $1:process sigchld;
> ')
>
> ########################################
> ## <summary>
> ##	Execute dirsrv setup programs in the dirsrv_setup_t domain
> ##	and the system_r role. Strict policy.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Prefix of the domain performing this action.
> ##	</summary>
> ## </param>
> ## <param name="role">
> ##	<summary>
> ##	The role to allow the domain.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_setup_domtrans_strict',`
> 	gen_require(`
> 		type dirsrv_t, dirsrv_setup_t, dirsrv_setupexec_t;
> 		type $1_t, $1_devpts_t;
> 	')
>
> 	domain_auto_trans($1_t, dirsrv_setupexec_t, dirsrv_setup_t)
> 	allow dirsrv_setup_t $1_t:fd use;
> 	allow dirsrv_setup_t $1_t:process sigchld;
> 	allow dirsrv_setup_t $1_devpts_t:chr_file rw_term_perms;
> 	role $2 types dirsrv_setup_t;
> 	role_transition $2 dirsrv_setupexec_t system_r;
> ')
>
> ########################################
> ## <summary>
> ##	Execute dirsrv setup programs in the dirsrv_setup_t domain
> ##	and the system_r role. Targeted policy.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Prefix of the domain performing this action.
> ##	</summary>
> ## </param>
> ## <param name="role">
> ##	<summary>
> ##	The role to allow the domain.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_setup_domtrans_targeted',`
> 	gen_require(`
> 		type dirsrv_setupexec_t, dirsrv_setup_t;
> 	')
>
> 	domain_auto_trans($1, dirsrv_setupexec_t, dirsrv_setup_t)
> ')
>
> ########################################
> ## <summary>
> ##	Extend httpd domain for dirsrv.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_extend_httpd',`
> 	gen_require(`
> 		type httpd_t, httpd_tmp_t;
> 	')
>
> 	allow $1 httpd_t:fifo_file { write read };
> 	allow $1 httpd_t:unix_stream_socket { ioctl getattr read write };
> 	allow $1 httpd_tmp_t:file { read write };
> 	apache_use_fds($1)
> ')
>
> ########################################
> ## <summary>
> ##	Read setup log files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_read_setuplog',`
> 	gen_require(`
> 		type dirsrv_setuplog_t;
> 	')
>
> 	files_search_tmp($1)
> 	allow $1 dirsrv_setuplog_t:file r_file_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Read the contents of Directory server
> ##	database directories.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_list_db',`
> 	gen_require(`
> 		type dirsrv_db_t;
> 	')
>
> 	allow $1 dirsrv_db_t:dir r_dir_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Manage the contents of Directory server
> ##	database directories.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_manage_db',`
> 	gen_require(`
> 		type dirsrv_db_t;
> 	')
>
> 	allow $1 dirsrv_db_t:dir manage_dir_perms;
> 	allow $1 dirsrv_db_t:file manage_file_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Read Directory server configuration files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_read_config',`
> 	gen_require(`
> 		type dirsrv_config_t;
> 	')
>
> 	allow $1 dirsrv_config_t:dir r_dir_perms;
> 	allow $1 dirsrv_config_t:file r_file_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Manage Directory server configuration files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_manage_config',`
> 	gen_require(`
> 		type dirsrv_config_t;
> 	')
>
> 	allow $1 dirsrv_config_t:dir manage_dir_perms;
> 	allow $1 dirsrv_config_t:file manage_file_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Read Directory server log files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_list_log',`
> 	gen_require(`
> 		type dirsrv_log_t;
> 	')
>
> 	allow $1 dirsrv_log_t:dir r_dir_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Manage Directory server log files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_manage_log',`
> 	gen_require(`
> 		type dirsrv_log_t;
> 	')
>
> 	allow $1 dirsrv_log_t:dir manage_dir_perms;
> 	allow $1 dirsrv_log_t:file manage_file_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Read Directory server lock files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_list_lock',`
> 	gen_require(`
> 		type dirsrv_lock_t;
> 	')
>
> 	allow $1 dirsrv_lock_t:dir r_dir_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Manage Directory server lock files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_manage_lock',`
> 	gen_require(`
> 		type dirsrv_lock_t;
> 	')
>
> 	allow $1 dirsrv_lock_t:dir manage_dir_perms;
> 	allow $1 dirsrv_lock_t:file manage_file_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Read Directory server var_run files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_list_var_run',`
> 	gen_require(`
> 		type dirsrv_var_run_t;
> 	')
>
> 	allow $1 dirsrv_var_run_t:dir r_dir_perms;
> ')
>
> ########################################
> ## <summary>
> ##	Manage Directory server var_run files.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_manage_var_run',`
> 	gen_require(`
> 		type dirsrv_var_run_t;
> 	')
>
> 	allow $1 dirsrv_var_run_t:dir manage_dir_perms;
> 	allow $1 dirsrv_var_run_t:file manage_file_perms;
> 	allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
> 	# Allow creating a dir in /var/run with this type
> 	files_pid_filetrans($1, dirsrv_var_run_t, dir)
> ')
>
> ########################################
> ## <summary>
> ##	Exec Directory server helper programs.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_run_helper_exec',`
> 	gen_require(`
> 		type dirsrv_helper_exec_t;
> 	')
>
> 	allow $1 dirsrv_helper_exec_t:dir search_dir_perms;
> 	can_exec($1,dirsrv_helper_exec_t)
> ')
>
> ########################################
> ## <summary>
> ##	Manage Directory server helper programs.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_manage_helper_exec',`
> 	gen_require(`
> 		type dirsrv_helper_exec_t;
> 	')
>
> 	allow $1 dirsrv_helper_exec_t:dir manage_dir_perms;
> 	allow $1 dirsrv_helper_exec_t:file { manage_file_perms rw_file_perms };
> ')
>
> ########################################
> ## <summary>
> ##	Allow caller to signal dirsrv.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain to not audit.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_signal',`
> 	gen_require(`
> 		type dirsrv_t;
> 	')
>
> 	allow $1 dirsrv_t:process signal;
> ')
>
>
> ########################################
> ## <summary>
> ##	Send a null signal to dirsrv.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`dirsrv_signull',`
> 	gen_require(`
> 		type dirsrv_t;
> 	')
>
> 	allow $1 dirsrv_t:process signull;
> ')
> -------------- next part --------------
> policy_module(dirsrv,1.0.0)
>
> ########################################
> #
> # Declarations for daemon
> #
>
> ## Create domain for daemon
> type dirsrv_t;
> domain_type(dirsrv_t)
>
> ## Type for the daemon
> type dirsrv_exec_t;
> files_type(dirsrv_exec_t)
> # Start from initrc
> init_domain(dirsrv_t, dirsrv_exec_t)
> init_daemon_domain(dirsrv_t, dirsrv_exec_t)
> role system_r types dirsrv_t;
>
> ## Type for helper programs
> type dirsrv_helper_exec_t;
> files_type(dirsrv_helper_exec_t)
>
> ## Type for configuration files
> type dirsrv_config_t;
> files_config_file(dirsrv_config_t)
>
> ## Type for db files
> type dirsrv_db_t;
> files_type(dirsrv_db_t)
>
> ## Type for lock files
> type dirsrv_lock_t;
> files_lock_file(dirsrv_lock_t)
> files_lock_filetrans(dirsrv_t, dirsrv_lock_t, {file dir})
>
> ## Type for log files
> type dirsrv_log_t;
> logging_log_file(dirsrv_log_t)
>
> ## Type for var_run file
> type dirsrv_var_run_t;
> files_pid_file(dirsrv_var_run_t)
> files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, {file dir})
>
> ########################################
> #
> # Declarations for setup programs
> #
>
> ## Domain for setup program
> type dirsrv_setup_t;
> domain_type(dirsrv_setup_t)
> role sysadm_r types dirsrv_setup_t;
>
> ## Type for setup program
> type dirsrv_setupexec_t;
> files_type(dirsrv_setupexec_t)
> domain_entry_file(dirsrv_setup_t, dirsrv_setupexec_t)
>
> ## Type for tmp files setup creates
> type dirsrv_setuplog_t;
> files_tmp_file(dirsrv_setuplog_t)
> files_tmp_filetrans(dirsrv_setup_t, dirsrv_setuplog_t, file)
> files_tmp_filetrans(dirsrv_t, dirsrv_setuplog_t, file)
>
> ########################################
> #
> # Local policy for the daemon
> #
>
> ## Executable
> allow dirsrv_t self:capability { chown dac_override fowner setuid sys_nice setgid };
> allow dirsrv_t self:process { setsched getsched signull };
> allow dirsrv_t self:fifo_file { write read };
> allow dirsrv_t self:sem { create getattr associate unix_read unix_write };
> ## Config
> allow dirsrv_t dirsrv_config_t:file { getattr read create_file_perms };
> allow dirsrv_t dirsrv_config_t:dir create_dir_perms;
> ## Database files
> allow dirsrv_t dirsrv_db_t:dir manage_dir_perms;
> allow dirsrv_t dirsrv_db_t:file manage_file_perms;
> # Allow search in /var/lib
> files_list_var_lib(dirsrv_t)
> ## Manage locks
> allow dirsrv_t dirsrv_lock_t:dir manage_dir_perms;
> allow dirsrv_t dirsrv_lock_t:file manage_file_perms;
> ## Logging
> allow dirsrv_t dirsrv_log_t:file { create rename setattr manage_file_perms };
> allow dirsrv_t dirsrv_log_t:dir { setattr rw_dir_perms };
> allow dirsrv_t self:unix_dgram_socket create_socket_perms;
> # Allow search in /var/log
> logging_search_logs(dirsrv_t)
> ## var_run
> allow dirsrv_t dirsrv_var_run_t:file manage_file_perms;
> allow dirsrv_t dirsrv_var_run_t:dir rw_dir_perms;
> ## Helper programs
> dirsrv_run_helper_exec(dirsrv_t)
> ## Setup log
> dirsrv_read_setuplog(dirsrv_t)
> dirsrvadmin_read_setuplog(dirsrv_t)
> ## Files in /tmp, created by setup app
> allow dirsrv_t dirsrv_setuplog_t:file manage_file_perms;
>
> ## When restarted from cgi script the dirsrv need to communicate back
> dirsrvadmin_script_stream_rw(dirsrv_t)
> # dirsrv need some permissions that has no interface in the apache policy
> dirsrv_extend_httpd(dirsrv_t)
> dirsrvadmin_manage_httpd_script_tmpfile(dirsrv_t)
>
> ## Allow networking
> corenet_tcp_bind_ldap_port(dirsrv_t)
> corenet_tcp_sendrecv_ldap_port(dirsrv_t)
> corenet_sendrecv_ldap_server_packets(dirsrv_t)
> corenet_tcp_bind_unspec_node(dirsrv_t)
> corenet_tcp_bind_inaddr_any_node(dirsrv_t)
> kernel_sendrecv_unlabeled_packets(dirsrv_t)
> allow dirsrv_t self:tcp_socket create_stream_socket_perms;
> allow dirsrv_t self:udp_socket create_socket_perms;
>
> ## Misc interfaces
> # Access to shared libraries
> libs_use_ld_so(dirsrv_t)
> libs_use_shared_libs(dirsrv_t)
> files_exec_usr_files(dirsrv_t)
> # Read locale
> miscfiles_read_localization(dirsrv_t)
> # Read etc
> files_read_etc_files(dirsrv_t)
> sysnet_read_config(dirsrv_t)
> # Allow using syslog
> logging_send_syslog_msg(dirsrv_t)
> # Search sbin
> corecmd_search_sbin(dirsrv_t)
> # Allow read urandom
> dev_read_urand(dirsrv_t)
> # Allow listing /tmp
> files_list_tmp(dirsrv_t)
> # Allow read /usr/tmp
> files_read_usr_symlinks(dirsrv_t)
> # Allow stat file system
> fs_getattr_xattr_fs(dirsrv_t)
> # Allow read proc
> kernel_read_system_state(dirsrv_t)
>
> # Strict policy
> ifdef(`strict_policy',`
> 	# Daemon search for plugins in cwd
> 	userdom_dontaudit_search_sysadm_home_dirs(dirsrv_t)
> ')
>
> # In targeted policy
> ifdef(`targeted_policy',`
> 	files_read_generic_tmp_files(dirsrv_t)
> 	userdom_dontaudit_search_generic_user_home_dirs(dirsrv_t)
> ')
>
> ########################################
> #
> # Local policy for setup programs
> #
>
> ## Transition into dirsrv domain when running setup
> # Should be in userdomain
> ifdef(`strict_policy',`
> 	dirsrv_setup_domtrans_strict(sysadm, sysadm_r)
> ')
> # A similar policy should be in unconfined
> ifdef(`targeted_policy',`
> 	dirsrv_setup_domtrans_targeted(unconfined_t)
> ')
> seutil_use_newrole_fds(dirsrv_setup_t)
>
> ## Executable
> allow dirsrv_setup_t self:capability { sys_nice chown fsetid fowner kill net_bind_service dac_override };
> allow dirsrv_setup_t self:fifo_file { read write getattr ioctl };
> allow dirsrv_setup_t self:process { setsched getsched };
> allow dirsrv_setup_t self:tcp_socket { bind create ioctl };
>
> # Start daemon from setup program
> dirsrv_domtrans(dirsrv_setup_t)
> ## Manage db dir
> dirsrv_manage_db(dirsrv_setup_t)
> ## Manage configuration
> dirsrv_manage_config(dirsrv_setup_t)
> ## Manage log dir
> dirsrv_manage_log(dirsrv_setup_t)
> ## Manage lock dir
> dirsrv_manage_lock(dirsrv_setup_t)
> ## Manage var_run files
> dirsrv_manage_var_run(dirsrv_setup_t)
> ## Manage helper programs
> dirsrv_manage_helper_exec(dirsrv_setup_t)
> dirsrv_run_helper_exec(dirsrv_setup_t)
> ## Files in /tmp
> allow dirsrv_setup_t dirsrv_setuplog_t:file manage_file_perms;
>
> ## Networking
> # Connect server using ldap
> corenet_tcp_bind_inaddr_any_node(dirsrv_setup_t)
> corenet_tcp_bind_ldap_port(dirsrv_setup_t)
>
> ## Misc interfaces
> # Access to shared libraries
> libs_use_ld_so(dirsrv_setup_t)
> libs_use_shared_libs(dirsrv_setup_t)
> # Read locale
> miscfiles_read_localization(dirsrv_setup_t)
> # mtab
> files_dontaudit_read_etc_runtime_files(dirsrv_setup_t)
> # Execute
> corecmd_exec_bin(dirsrv_setup_t)
> corecmd_exec_sbin(dirsrv_setup_t)
> corecmd_exec_shell(dirsrv_setup_t)
> # Read /usr/share
> files_read_usr_files(dirsrv_setup_t)
> # Allow read urandom
> dev_read_urand(dirsrv_setup_t)
> # Read proc
> kernel_read_net_sysctls(dirsrv_setup_t)
> kernel_read_sysctl(dirsrv_setup_t)
> kernel_read_system_state(dirsrv_setup_t)
> kernel_search_network_sysctl(dirsrv_setup_t)
> # Stat shadow
> auth_read_shadow(dirsrv_setup_t)
> # Exec nsswitch.conf
> files_exec_etc_files(dirsrv_setup_t)
> # Find dirsrv dirs
> files_search_locks(dirsrv_setup_t)
> files_search_var_lib(dirsrv_setup_t)
> logging_search_logs(dirsrv_setup_t)
> # Allow stat file system
> fs_getattr_xattr_fs(dirsrv_setup_t)
> sysnet_read_config(dirsrv_setup_t)
> term_search_ptys(dirsrv_setup_t)
>
> optional_policy(`
> 	nscd_read_pid(dirsrv_setup_t)
> ')
>
> # Strict policy
> ifdef(`strict_policy',`
> 	# Read cwd (/root)
> 	userdom_list_sysadm_home_dirs(dirsrv_setup_t)
> ')
>
> # In targeted policy
> ifdef(`targeted_policy',`
> 	term_use_generic_ptys(dirsrv_setup_t)
> 	# Read cwd (/root)
> 	userdom_list_user_home_dirs(user,dirsrv_setup_t)
> 	userdom_search_generic_user_home_dirs(dirsrv_setup_t)
> ')
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: dirsrv-admin.te
> Type: text/x-java
> Size: 8756 bytes
> Desc: not available
> Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20080311/b721a4c9/dirsrv-admin.bin
> -------------- next part --------------
>
> -------------- next part --------------
> policy_module(fedora-idm-console,1.0.0)
>
> ########################################
> #
> # Declarations
> #
>
> type fedora-idm-console_t;
> domain_type(fedora-idm-console_t)
>
> ########################################
> #
> # Local policy
> #
>
> # In strict policy we need to extend the java domain
> ifdef(`strict_policy',`
> 	fedoraidmconsole_extend_java(user)
> 	## Misc interfaces
> 	# Access to shared libraries
> 	libs_use_ld_so(fedora-idm-console_t)
> 	libs_use_shared_libs(fedora-idm-console_t)
> 	# Read locale
> 	miscfiles_read_localization(fedora-idm-console_t)
> ')
> -------------- next part --------------
> ## <summary>Java based fedora-idm-console</summary>
>
> ########################################
> ## <summary>
> ##	Extend java domain for fedora-idm-console.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Prefix of domain allowed access.
> ## </summary> > ## </param> > # > interface(`fedoraidmconsole_extend_java'',` > gen_require(` > type $1_javaplugin_t; > type $1_t, $1_xserver_tmp_t, $1_gconf_home_t, $1_home_ssh_t, $1_mozilla_home_t; > '') > > allow $1_javaplugin_t $1_t:process sigchld; > allow $1_t $1_javaplugin_t:process { signal ptrace }; > allow $1_javaplugin_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; > allow $1_javaplugin_t self:tcp_socket { accept listen }; > allow $1_javaplugin_t $1_xserver_tmp_t:dir search; > allow $1_javaplugin_t $1_xserver_tmp_t:sock_file write; > dirsrv_list_db($1_javaplugin_t) > corecmd_exec_bin($1_javaplugin_t) > corenet_tcp_bind_inaddr_any_node($1_javaplugin_t) > files_read_var_files($1_javaplugin_t) > > # Sun java check out some dirs, there is probably more than this > dontaudit $1_javaplugin_t $1_gconf_home_t:dir getattr; > dontaudit $1_javaplugin_t $1_home_ssh_t:dir getattr; > dontaudit $1_javaplugin_t $1_mozilla_home_t:dir getattr; > '') > > ------------------------------ > > Message: 2 > Date: Wed, 12 Mar 2008 11:44:32 +0000 > From: "Steve Burt" <burt.s.e@gmail.com> > Subject: [Fedora-directory-users] Problems in adding a second server > into a new > To: fedora-directory-users@redhat.com > Message-ID: > <dbef0ac20803120444s12cbfbb1o526ff972ddba65b6@mail.gmail.com> > Content-Type: text/plain; charset=ISO-8859-1 > > Greetings Folks > > I am very new to Fedora-DS and have I think Sucessfully installed a > Directory Server and a server group with a admin server and 1 > Directory Server. > > My Aim is to Install a second directory server, I think this is > basically running the setup-ds-admin.pl on the second server... > > Could anyone help.. 
>
> Yours Humbly
>
> Steve
>
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 12 Mar 2008 07:52:09 -0600
> From: Rich Megginson <rmeggins@redhat.com>
> Subject: Re: [Fedora-directory-users] Problems in adding a second
> server into a new
> To: "General discussion list for the Fedora Directory server project."
> <fedora-directory-users@redhat.com>
> Message-ID: <47D7E009.9060605@redhat.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Steve Burt wrote:
> > Greetings Folks
> >
> > I am very new to Fedora-DS and have I think Successfully installed a
> > Directory Server and a server group with an admin server and 1
> > Directory Server.
> >
> > My Aim is to Install a second directory server, I think this is
> > basically running the setup-ds-admin.pl on the second server...
> >
> Yes. But read about this bug first -
> https://bugzilla.redhat.com/show_bug.cgi?id=431103
> > Could anyone help..
> >
> > Yours Humbly
> >
> > Steve
> >
> > --
> > Fedora-directory-users mailing list
> > Fedora-directory-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/x-pkcs7-signature
> Size: 3245 bytes
> Desc: S/MIME Cryptographic Signature
> Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20080312/c35d1379/smime.bin
>
> ------------------------------
>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
> End of Fedora-directory-users Digest, Vol 34, Issue 24
> ******************************************************
>
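The fedoraidmconsole_extend_java interface quoted in the digest above hands the Java plugin domain a fairly wide set of rights (ptrace from the user domain, a listening TCP socket that the interface also lets it bind to any address). As an added review aid, not part of the thread or of Pär Aronsson's attached policy, here is a small Python pass that parses allow rules, expands the m4 `$1` interface prefix the way the call `fedoraidmconsole_extend_java(user)` does, and lists the (class, permission) pairs a reviewer usually wants justified before loading a module. The sample input is constructed from the quoted interface body plus the daemon capability rule in the attached dirsrv.te; the SENSITIVE table is this example's own choice, not anything from the policy.

```python
"""Quick review pass over SELinux allow rules such as those in the attached
fedora-idm-console.if and dirsrv.te.

Added example for reviewing the quoted policy; not part of the thread or of the
attached policy.  It parses allow/dontaudit/auditallow rules (permission macros
such as rw_file_perms are kept as-is, not expanded), substitutes the m4 `$1`
interface parameter, and lists permissions a reviewer normally has to justify.
"""
import re

RULE_RE = re.compile(
    r"^(?P<kind>allow|dontaudit|auditallow)\s+"
    r"(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*?)\s*\}|(?P<perm>[^;\s]+))\s*;"
)

# (object class, permission) pairs worth a second look, with the reason.
# This table is the example's own choice of what to flag.
SENSITIVE = {
    ("process", "ptrace"): "read/alter another domain's memory and registers",
    ("capability", "dac_override"): "bypass file DAC permission checks",
    ("capability", "setuid"): "change UID (potential privilege change)",
    ("capability", "sys_admin"): "broad administrative capability",
    ("capability", "sys_ptrace"): "trace processes across UIDs",
    ("capability", "sys_module"): "load kernel modules",
    ("tcp_socket", "listen"): "accepts inbound TCP connections",
}

# Constructed sample: allow/dontaudit lines copied from the interface body of
# fedora-idm-console.if quoted above, plus the daemon capability rule from the
# attached dirsrv.te.
SAMPLE_RULES = """\
allow $1_javaplugin_t $1_t:process sigchld;
allow $1_t $1_javaplugin_t:process { signal ptrace };
allow $1_javaplugin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow $1_javaplugin_t self:tcp_socket { accept listen };
allow $1_javaplugin_t $1_xserver_tmp_t:dir search;
allow $1_javaplugin_t $1_xserver_tmp_t:sock_file write;
# Sun java check out some dirs, there is probably more than this
dontaudit $1_javaplugin_t $1_gconf_home_t:dir getattr;
allow dirsrv_t self:capability { chown dac_override fowner setuid sys_nice setgid };
"""


def parse_rules(text, prefix="user"):
    """Return a list of rule dicts.  `$1` is replaced by `prefix`, matching how
    the interface is invoked in the .te file: fedoraidmconsole_extend_java(user)."""
    rules = []
    for raw in text.replace("$1", prefix).splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        m = RULE_RE.match(line)
        if not m:
            continue                               # not an access-vector rule
        perms = m["perms"].split() if m["perms"] is not None else [m["perm"]]
        rules.append({"kind": m["kind"], "src": m["src"], "tgt": m["tgt"],
                      "cls": m["cls"], "perms": set(perms)})
    return rules


def review(rules):
    """Findings as (src, tgt, cls, perm, reason), sorted.  Only `allow` grants
    access; dontaudit/auditallow rules change auditing, not permissions."""
    findings = []
    for r in rules:
        if r["kind"] != "allow":
            continue
        for perm in sorted(r["perms"]):
            reason = SENSITIVE.get((r["cls"], perm))
            if reason:
                findings.append((r["src"], r["tgt"], r["cls"], perm, reason))
    return sorted(findings)


if __name__ == "__main__":
    for src, tgt, cls, perm, reason in review(parse_rules(SAMPLE_RULES, "user")):
        print(f"{src} -> {tgt}:{cls} {perm}: {reason}")
```

Run it over the unpacked .te/.if files before `semodule -i`. Permission macros such as rw_file_perms are reported verbatim, so when one appears on a sensitive class, look the macro up in the reference policy's support definitions rather than trusting the name; and remember that `$1` is a full type, not a prefix, in the dirsrv_* interfaces, so pass the domain name you intend to call them with.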
Rich Megginson
2008-Mar-12 19:50 UTC
Re: [Fedora-directory-users] Re: Fedora-directory-users Digest, Vol 34, Issue 24
Steve Burt wrote:
> Hi Rich,
>
> Ok so I think I have to create an ldif file
>
> There is a workaround - if the fqdn is host.example.com, you just have to create
> the following entries:
>
> dn: cn=host.example.com, ou=example.com, o=NetscapeRoot
> objectclass: top
> objectclass: nsHost
> objectclass: groupOfUniqueNames
> cn: host.example.com
> nsosversion: output of uname -a on the machine
> nshardwareplatform: arch e.g. i386 or x86_64 or ...
> serverHostName: host.example.com
>
> dn: cn=Server Group, cn=host.example.com, ou=example.com, o=NetscapeRoot
> objectclass: top
> objectclass: nsAdminGroup
> objectclass: nsDirectoryInfo
> objectclass: groupOfUniqueNames
> nsAdminGroupName: Server Group
> nsDirectoryInfoRef: cn=User Directory, ou=Global Preferences, ou=example.com,
> o=NetscapeRoot
>
> Is that correct
>
Yes, I think so. I think that's what was reported as the workaround in the bug.
Re: Problems in adding a second server into a new (Rich Megginson) >> >> >> ---------------------------------------------------------------------- >> >> Message: 1 >> Date: Tue, 11 Mar 2008 17:34:09 +0100 >> From: P?r Aronsson <par.aronsson@telia.com> >> Subject: [Fedora-directory-users] SELinux policy for Fedora Directory >> Server 1.1.0 >> To: selinux@tycho.nsa.gov, fedora-directory-users@redhat.com >> Message-ID: <200803111734.10289.par.aronsson@telia.com> >> Content-Type: text/plain; charset="utf-8" >> >> Hello, >> >> Attached is a SELinux policy for the Fedora Directory Server 1.1.0. >> It is composed of three parts. >> * dirsrv - directory server and setup programs >> * dirsrv-admin - administration server and setup programs >> * fedora-idm-console - java based console for administration >> >> The policies were developed on a CentOS 5.1 with the following packages: >> fedora-ds-base-1.1.0-3.fc6 >> fedora-ds-admin-1.1.1-1.fc6 >> fedora-ds-console-1.1.0-5.fc6 >> selinux-policy-2.4.6-106.el5_1.3 >> kernel-2.6.18-53.1.4.el5 >> >> I''ve succesfully tested the policies in targeted and strict mode. >> >> The dirsrv-admin policy requires that the apache policy module is loaded. >> Also run: >> setsebool -P httpd_enable_cgi on >> >> Comment out the following in /usr/sbin/start-ds-admin (line 63-65): >> if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then >> SELINUX_CMD="runcon -t unconfined_t --" >> fi >> >> I had trouble with the replication plugin so I haven''t been able to do any >> testing with replication. >> >> Any comments are welcome. >> >> // Pär Aronsson >> -------------- next part -------------- >> ## <summary>Administration application for Fedora Directory Server, dirsrv-admin.</summary> >> >> ######################################## >> ## <summary> >> ## Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain >> ## and the system_r role. Strict policy. 
>> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Prefix of the domain performing this action. >> ## </summary> >> ## </param> >> ## <param name="role"> >> ## <summary> >> ## The role to allow the domain. >> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_setup_domtrans_strict'',` >> gen_require(` >> type dirsrvadmin_t, dirsrvadmin_setup_t, dirsrvadmin_setupexec_t; >> type $1_t, $1_devpts_t; >> '') >> >> domain_auto_trans($1_t, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t) >> allow dirsrvadmin_setup_t $1_t:fd use; >> allow dirsrvadmin_setup_t $1_t:process sigchld; >> allow dirsrvadmin_setup_t $1_devpts_t:chr_file rw_term_perms; >> role $2 types dirsrvadmin_setup_t; >> role system_r types dirsrvadmin_setup_t; >> role_transition $2 dirsrvadmin_setupexec_t system_r; >> '') >> >> ######################################## >> ## <summary> >> ## Execute dirsrv-admin setup programs in the dirsrvadmin_setup_t domain >> ## and the system_r role. Targeted policy. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Prefix of the domain performing this action. >> ## </summary> >> ## </param> >> ## <param name="role"> >> ## <summary> >> ## The role to allow the domain. >> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_setup_domtrans_targeted'',` >> gen_require(` >> type $1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t; >> '') >> >> domain_auto_trans($1, dirsrvadmin_setupexec_t, dirsrvadmin_setup_t) >> '') >> >> ######################################## >> ## <summary> >> ## Read setup log files. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_read_setuplog'',` >> gen_require(` >> type dirsrvadmin_setuplog_t; >> '') >> >> files_search_tmp($1) >> allow $1 dirsrvadmin_setuplog_t:file r_file_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Manage setup log files. 
>> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_manage_setuplog'',` >> gen_require(` >> type dirsrvadmin_setuplog_t; >> '') >> >> files_search_tmp($1) >> allow $1 dirsrvadmin_setuplog_t:file manage_file_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Extend httpd domain for dirsrv-admin. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_extend_httpd'',` >> gen_require(` >> type httpd_t; >> '') >> >> # Allow httpd domain to interact with dirsrv >> dirsrv_manage_config(httpd_t) >> dirsrv_manage_log(httpd_t) >> dirsrv_manage_var_run(httpd_t) >> dirsrvadmin_manage_setuplog(httpd_t) >> dirsrvadmin_manage_config(httpd_t) >> dirsrv_signal(httpd_t) >> dirsrv_signull(httpd_t) >> dirsrv_run_helper_exec(httpd_t) >> files_exec_usr_files(httpd_t) >> corenet_tcp_bind_generic_port(httpd_t) >> corenet_tcp_connect_generic_port(httpd_t) >> >> # Strict policy >> ifdef(`strict_policy'',` >> userdom_dontaudit_search_sysadm_home_dirs(httpd_t) >> '') >> '') >> >> ######################################## >> ## <summary> >> ## Extend httpd domain for dirsrv-admin cgi. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. 
>> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_script_extend_httpd'',` >> gen_require(` >> type httpd_t, httpd_exec_t, httpd_suexec_exec_t, httpd_tmp_t, httpd_var_run_t; >> '') >> >> allow $1 httpd_exec_t:file { read getattr execute_no_trans }; >> allow $1 httpd_suexec_exec_t:file getattr; >> allow $1 httpd_tmp_t:file { read write }; >> allow $1 httpd_t:udp_socket { read write }; >> allow $1 httpd_t:unix_stream_socket { ioctl getattr read write }; >> allow $1 httpd_t:netlink_route_socket { read write }; >> allow $1 httpd_t:fifo_file { write read }; >> allow $1 httpd_var_run_t:file { read getattr }; >> apache_list_modules($1) >> apache_exec_modules($1) >> apache_use_fds($1) >> dirsrvadmin_run_httpd_script_exec(httpd_t) >> '') >> >> ######################################## >> ## <summary> >> ## Extend init domain for dirsrv-admin. >> ## The initscript searches in a config file. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_extend_init'',` >> gen_require(` >> type initrc_t; >> '') >> >> allow initrc_t dirsrvadmin_config_t:file read; >> '') >> >> ######################################## >> ## <summary> >> ## Exec dirsrv-admin programs. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_run_exec'',` >> gen_require(` >> type dirsrvadmin_exec_t; >> '') >> >> allow $1 dirsrvadmin_exec_t:dir search_dir_perms; >> can_exec($1,dirsrvadmin_exec_t) >> '') >> >> ######################################## >> ## <summary> >> ## Exec cgi programs. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. 
>> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_run_httpd_script_exec'',` >> gen_require(` >> type httpd_dirsrvadmin_script_exec_t; >> '') >> >> allow $1 httpd_dirsrvadmin_script_exec_t:dir search_dir_perms; >> can_exec($1, httpd_dirsrvadmin_script_exec_t) >> '') >> >> ######################################## >> ## <summary> >> ## Manage cgi programs. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_manage_httpd_script_exec'',` >> gen_require(` >> type httpd_dirsrvadmin_script_exec_t; >> '') >> >> allow $1 httpd_dirsrvadmin_script_exec_t:dir manage_dir_perms; >> allow $1 httpd_dirsrvadmin_script_exec_t:file manage_file_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Read tmp files created by cgi programs. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_read_httpd_script_tmpfile'',` >> gen_require(` >> type httpd_dirsrvadmin_script_rw_t; >> '') >> >> allow $1 httpd_dirsrvadmin_script_rw_t:file r_file_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Manage tmp files created by cgi programs. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_manage_httpd_script_tmpfile'',` >> gen_require(` >> type httpd_dirsrvadmin_script_rw_t; >> '') >> >> allow $1 httpd_dirsrvadmin_script_rw_t:file manage_file_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Read dirsrv-adminserver configuration files. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. 
>> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_read_config'',` >> gen_require(` >> type dirsrvadmin_config_t; >> '') >> >> allow $1 dirsrvadmin_config_t:dir r_dir_perms; >> allow $1 dirsrvadmin_config_t:file r_file_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Manage dirsrv-adminserver configuration files. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_manage_config'',` >> gen_require(` >> type dirsrvadmin_config_t; >> '') >> >> allow $1 dirsrvadmin_config_t:dir manage_dir_perms; >> allow $1 dirsrvadmin_config_t:file manage_file_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Read and write to cgi program over an unix stream socket. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_script_stream_rw'',` >> gen_require(` >> type httpd_dirsrvadmin_script_t; >> '') >> >> allow $1 httpd_dirsrvadmin_script_t:unix_stream_socket { read write }; >> '') >> >> ######################################## >> ## <summary> >> ## Read migration inf file in sysadm home dir. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. 
>> ## </summary> >> ## </param> >> # >> interface(`dirsrvadmin_read_inffile'',` >> ifdef(`targeted_policy'',` >> gen_require(` >> type user_home_t, user_home_dir_t; >> '') >> >> userdom_list_user_home_dirs(user, $1) >> allow $1 user_home_t:file r_file_perms; >> '',` >> gen_require(` >> type sysadm_home_t; >> '') >> >> userdom_list_sysadm_home_dirs($1) >> allow $1 sysadm_home_t:file r_file_perms; >> '') >> '') >> >> -------------- next part -------------- >> # Start script for daemon (domain entry point) >> /usr/sbin/start-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) >> /usr/sbin/stop-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) >> /usr/sbin/restart-ds-admin -- gen_context(system_u:object_r:dirsrvadmin_exec_t,s0) >> # Configuration >> /etc/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:dirsrvadmin_config_t,s0) >> # Log dir >> /var/log/dirsrv/admin-serv(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) >> # Pid >> /var/run/dirsrv/admin-serv.* gen_context(system_u:object_r:httpd_var_run_t,s0) >> # cgi >> /usr/lib/dirsrv/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_dirsrvadmin_script_exec_t,s0) >> # Setup applications >> /usr/sbin/migrate-ds-admin.pl -- gen_context(system_u:object_r:dirsrvadmin_setupexec_t,s0) >> /usr/sbin/setup-ds-admin.pl -- gen_context(system_u:object_r:dirsrvadmin_setupexec_t,s0) >> -------------- next part -------------- >> # Daemon (domain entry point) >> /usr/sbin/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0) >> # Setup applications >> /usr/sbin/migrate-ds.pl -- gen_context(system_u:object_r:dirsrv_setupexec_t,s0) >> /usr/sbin/setup-ds.pl -- gen_context(system_u:object_r:dirsrv_setupexec_t,s0) >> # Helper scripts >> /usr/lib/dirsrv(/slapd-.*)? gen_context(system_u:object_r:dirsrv_helper_exec_t,s0) >> # Configuration >> /etc/dirsrv(/slapd-.*)? gen_context(system_u:object_r:dirsrv_config_t,s0) >> # Db files >> /var/lib/dirsrv(/.*)? 
gen_context(system_u:object_r:dirsrv_db_t,s0) >> # Lock files >> /var/lock/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_lock_t,s0) >> # Log files >> /var/log/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_log_t,s0) >> # var_run >> /var/run/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_run_t,s0) >> -------------- next part -------------- >> ## <summary>Fedora Directory server, dirsrv</summary> >> >> ######################################## >> ## <summary> >> ## Execute dirsrv programs in the dirsrv_t domain. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## The type of the process performing this action. >> ## </summary> >> ## </param> >> # >> interface(`dirsrv_domtrans'',` >> gen_require(` >> type dirsrv_t, dirsrv_exec_t; >> '') >> >> allow $1 dirsrv_t:process signull; >> domain_auto_trans($1, dirsrv_exec_t, dirsrv_t) >> allow dirsrv_t $1:fd use; >> allow dirsrv_t $1:fifo_file rw_file_perms; >> allow dirsrv_t $1:process sigchld; >> '') >> >> ######################################## >> ## <summary> >> ## Execute dirsrv setup programs in the dirsrv_setup_t domain >> ## and the system_r role. Strict policy. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Prefix of the domain performing this action. >> ## </summary> >> ## </param> >> ## <param name="role"> >> ## <summary> >> ## The role to allow the domain. 
>> ## </summary> >> ## </param> >> # >> interface(`dirsrv_setup_domtrans_strict'',` >> gen_require(` >> type dirsrv_t, dirsrv_setup_t, dirsrv_setupexec_t; >> type $1_t, $1_devpts_t; >> '') >> >> domain_auto_trans($1_t, dirsrv_setupexec_t, dirsrv_setup_t) >> allow dirsrv_setup_t $1_t:fd use; >> allow dirsrv_setup_t $1_t:process sigchld; >> allow dirsrv_setup_t $1_devpts_t:chr_file rw_term_perms; >> role $2 types dirsrv_setup_t; >> role_transition $2 dirsrv_setupexec_t system_r; >> '') >> >> ######################################## >> ## <summary> >> ## Execute dirsrv setup programs in the dirsrv_setup_t domain >> ## and the system_r role. Targeted policy. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Prefix of the domain performing this action. >> ## </summary> >> ## </param> >> ## <param name="role"> >> ## <summary> >> ## The role to allow the domain. >> ## </summary> >> ## </param> >> # >> interface(`dirsrv_setup_domtrans_targeted'',` >> gen_require(` >> type dirsrv_setupexec_t, dirsrv_setup_t; >> '') >> >> domain_auto_trans($1, dirsrv_setupexec_t, dirsrv_setup_t) >> '') >> >> ######################################## >> ## <summary> >> ## Extend httpd domain for dirsrv. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrv_extend_httpd'',` >> gen_require(` >> type httpd_t, httpd_tmp_t; >> '') >> >> allow $1 httpd_t:fifo_file { write read }; >> allow $1 httpd_t:unix_stream_socket { ioctl getattr read write }; >> allow $1 httpd_tmp_t:file { read write }; >> apache_use_fds($1) >> '') >> >> ######################################## >> ## <summary> >> ## Read setup log files. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. 
>> ## </summary> >> ## </param> >> # >> interface(`dirsrv_read_setuplog'',` >> gen_require(` >> type dirsrv_setuplog_t; >> '') >> >> files_search_tmp($1) >> allow $1 dirsrv_setuplog_t:file r_file_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Read the contents of Directory server >> ## database directories. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrv_list_db'',` >> gen_require(` >> type dirsrv_db_t; >> '') >> >> allow $1 dirsrv_db_t:dir r_dir_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Manage the contents of Directory server >> ## database directories. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrv_manage_db'',` >> gen_require(` >> type dirsrv_db_t; >> '') >> >> allow $1 dirsrv_db_t:dir manage_dir_perms; >> allow $1 dirsrv_db_t:file manage_file_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Read Directory server configuration files. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrv_read_config'',` >> gen_require(` >> type dirsrv_config_t; >> '') >> >> allow $1 dirsrv_config_t:dir r_dir_perms; >> allow $1 dirsrv_config_t:file r_file_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Manage Directory server configuration files. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. 
>> ## </summary> >> ## </param> >> # >> interface(`dirsrv_manage_config'',` >> gen_require(` >> type dirsrv_config_t; >> '') >> >> allow $1 dirsrv_config_t:dir manage_dir_perms; >> allow $1 dirsrv_config_t:file manage_file_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Read Directory server log files. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrv_list_log'',` >> gen_require(` >> type dirsrv_log_t; >> '') >> >> allow $1 dirsrv_log_t:dir r_dir_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Manage Directory server log files. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrv_manage_log'',` >> gen_require(` >> type dirsrv_log_t; >> '') >> >> allow $1 dirsrv_log_t:dir manage_dir_perms; >> allow $1 dirsrv_log_t:file manage_file_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Read Directory server lock files. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrv_list_lock'',` >> gen_require(` >> type dirsrv_lock_t; >> '') >> >> allow $1 dirsrv_lock_t:dir r_dir_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Manage Directory server lock files. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrv_manage_lock'',` >> gen_require(` >> type dirsrv_lock_t; >> '') >> >> allow $1 dirsrv_lock_t:dir manage_dir_perms; >> allow $1 dirsrv_lock_t:file manage_file_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Read Directory server var_run files. 
>> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrv_list_var_run'',` >> gen_require(` >> type dirsrv_var_run_t; >> '') >> >> allow $1 dirsrv_var_run_t:dir r_dir_perms; >> '') >> >> ######################################## >> ## <summary> >> ## Manage Directory server var_run files. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrv_manage_var_run'',` >> gen_require(` >> type dirsrv_var_run_t; >> '') >> >> allow $1 dirsrv_var_run_t:dir manage_dir_perms; >> allow $1 dirsrv_var_run_t:file manage_file_perms; >> allow $1 dirsrv_var_run_t:sock_file manage_file_perms; >> # Allow creating a dir in /var/run with this type >> files_pid_filetrans($1, dirsrv_var_run_t, dir) >> '') >> >> ######################################## >> ## <summary> >> ## Exec Directory server helper programs. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrv_run_helper_exec'',` >> gen_require(` >> type dirsrv_helper_exec_t; >> '') >> >> allow $1 dirsrv_helper_exec_t:dir search_dir_perms; >> can_exec($1,dirsrv_helper_exec_t) >> '') >> >> ######################################## >> ## <summary> >> ## Manage Directory server helper programs. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrv_manage_helper_exec'',` >> gen_require(` >> type dirsrv_helper_exec_t; >> '') >> >> allow $1 dirsrv_helper_exec_t:dir manage_dir_perms; >> allow $1 dirsrv_helper_exec_t:file { manage_file_perms rw_file_perms }; >> '') >> >> ######################################## >> ## <summary> >> ## Allow caller to signal dirsrv. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain to not audit. 
>> ## </summary> >> ## </param> >> # >> interface(`dirsrv_signal'',` >> gen_require(` >> type dirsrv_t; >> '') >> >> allow $1 dirsrv_t:process signal; >> '') >> >> >> ######################################## >> ## <summary> >> ## Send a null signal to dirsrv. >> ## </summary> >> ## <param name="domain"> >> ## <summary> >> ## Domain allowed access. >> ## </summary> >> ## </param> >> # >> interface(`dirsrv_signull'',` >> gen_require(` >> type dirsrv_t; >> '') >> >> allow $1 dirsrv_t:process signull; >> '') >> -------------- next part -------------- >> policy_module(dirsrv,1.0.0) >> >> ######################################## >> # >> # Declarations for daemon >> # >> >> ## Create domain for daemon >> type dirsrv_t; >> domain_type(dirsrv_t) >> >> ## Type for the daemon >> type dirsrv_exec_t; >> files_type(dirsrv_exec_t) >> # Start from initrc >> init_domain(dirsrv_t, dirsrv_exec_t) >> init_daemon_domain(dirsrv_t, dirsrv_exec_t) >> role system_r types dirsrv_t; >> >> ## Type for helper programs >> type dirsrv_helper_exec_t; >> files_type(dirsrv_helper_exec_t); >> >> ## Type for configuration files >> type dirsrv_config_t; >> files_config_file(dirsrv_config_t) >> >> ## Type for db files >> type dirsrv_db_t; >> files_type(dirsrv_db_t) >> >> ## Type for lock files >> type dirsrv_lock_t; >> files_lock_file(dirsrv_lock_t) >> files_lock_filetrans(dirsrv_t, dirsrv_lock_t, {file dir}) >> >> ## Type for log files >> type dirsrv_log_t; >> logging_log_file(dirsrv_log_t) >> >> ## Type for var_run file >> type dirsrv_var_run_t; >> files_pid_file(dirsrv_var_run_t) >> files_pid_filetrans(dirsrv_t, dirsrv_var_run_t, {file dir}) >> >> ######################################## >> # >> # Declarations for setup programs >> # >> >> ## Domain for setup program >> type dirsrv_setup_t; >> domain_type(dirsrv_setup_t) >> role sysadm_r types dirsrv_setup_t; >> >> ## Type for setup program >> type dirsrv_setupexec_t; >> files_type(dirsrv_setupexec_t) >> domain_entry_file(dirsrv_setup_t, 
dirsrv_setupexec_t) >> >> ## Type for tmp files setup creates >> type dirsrv_setuplog_t; >> files_tmp_file(dirsrv_setuplog_t) >> files_tmp_filetrans(dirsrv_setup_t, dirsrv_setuplog_t, file) >> files_tmp_filetrans(dirsrv_t, dirsrv_setuplog_t, file) >> >> ######################################## >> # >> # Local policy for the daemon >> # >> >> ## Executable >> allow dirsrv_t self:capability { chown dac_override fowner setuid sys_nice setgid }; >> allow dirsrv_t self:process { setsched getsched signull }; >> allow dirsrv_t self:fifo_file { write read }; >> allow dirsrv_t self:sem { create getattr associate unix_read unix_write }; >> ## Config >> allow dirsrv_t dirsrv_config_t:file { getattr read create_file_perms }; >> allow dirsrv_t dirsrv_config_t:dir create_dir_perms; >> ## Database files >> allow dirsrv_t dirsrv_db_t:dir manage_dir_perms; >> allow dirsrv_t dirsrv_db_t:file manage_file_perms; >> # Allow search in /var/lib >> files_list_var_lib(dirsrv_t) >> ## Manage locks >> allow dirsrv_t dirsrv_lock_t:dir manage_dir_perms; >> allow dirsrv_t dirsrv_lock_t:file manage_file_perms; >> ## Logging >> allow dirsrv_t dirsrv_log_t:file { create rename setattr manage_file_perms }; >> allow dirsrv_t dirsrv_log_t:dir { setattr rw_dir_perms }; >> allow dirsrv_t self:unix_dgram_socket create_socket_perms; >> # Allow search in /var/log >> logging_search_logs(dirsrv_t) >> ## var_run >> allow dirsrv_t dirsrv_var_run_t:file manage_file_perms; >> allow dirsrv_t dirsrv_var_run_t:dir rw_dir_perms; >> ## Helper programs >> dirsrv_run_helper_exec(dirsrv_t) >> ## Setup log >> dirsrv_read_setuplog(dirsrv_t) >> dirsrvadmin_read_setuplog(dirsrv_t) >> ## Files in /tmp, created by setup app >> allow dirsrv_t dirsrv_setuplog_t:file manage_file_perms; >> >> ## When restarted from cgi script the dirsrv need to communicate back >> dirsrvadmin_script_stream_rw(dirsrv_t) >> # dirsrv need some permissions that has no interface in the apache policy >> dirsrv_extend_httpd(dirsrv_t) >> 
>> dirsrvadmin_manage_httpd_script_tmpfile(dirsrv_t)
>>
>> ## Allow networking
>> corenet_tcp_bind_ldap_port(dirsrv_t)
>> corenet_tcp_sendrecv_ldap_port(dirsrv_t)
>> corenet_sendrecv_ldap_server_packets(dirsrv_t)
>> corenet_tcp_bind_unspec_node(dirsrv_t)
>> corenet_tcp_bind_inaddr_any_node(dirsrv_t)
>> kernel_sendrecv_unlabeled_packets(dirsrv_t)
>> allow dirsrv_t self:tcp_socket create_stream_socket_perms;
>> allow dirsrv_t self:udp_socket create_socket_perms;
>>
>> ## Misc interfaces
>> # Access to shared libraries
>> libs_use_ld_so(dirsrv_t)
>> libs_use_shared_libs(dirsrv_t)
>> files_exec_usr_files(dirsrv_t)
>> # Read locale
>> miscfiles_read_localization(dirsrv_t)
>> # Read etc
>> files_read_etc_files(dirsrv_t)
>> sysnet_read_config(dirsrv_t)
>> # Allow using syslog
>> logging_send_syslog_msg(dirsrv_t)
>> # Search sbin
>> corecmd_search_sbin(dirsrv_t)
>> # Allow read urandom
>> dev_read_urand(dirsrv_t)
>> # Allow listing /tmp
>> files_list_tmp(dirsrv_t)
>> # Allow read /usr/tmp
>> files_read_usr_symlinks(dirsrv_t)
>> # Allow stat file system
>> fs_getattr_xattr_fs(dirsrv_t)
>> # Allow read proc
>> kernel_read_system_state(dirsrv_t)
>>
>> # Strict policy
>> ifdef(`strict_policy',`
>> # Daemon searches for plugins in cwd
>> userdom_dontaudit_search_sysadm_home_dirs(dirsrv_t)
>> ')
>>
>> # In targeted policy
>> ifdef(`targeted_policy',`
>> files_read_generic_tmp_files(dirsrv_t)
>> userdom_dontaudit_search_generic_user_home_dirs(dirsrv_t)
>> ')
>>
>> ########################################
>> #
>> # Local policy for setup programs
>> #
>>
>> ## Transition into dirsrv domain when running setup
>> # Should be in userdomain
>> ifdef(`strict_policy',`
>> dirsrv_setup_domtrans_strict(sysadm, sysadm_r)
>> ')
>> # A similar policy should be in unconfined
>> ifdef(`targeted_policy',`
>> dirsrv_setup_domtrans_targeted(unconfined_t)
>> ')
>> seutil_use_newrole_fds(dirsrv_setup_t)
>>
>> ## Executable
>> allow dirsrv_setup_t self:capability { sys_nice chown fsetid fowner kill net_bind_service dac_override };
>> allow dirsrv_setup_t self:fifo_file { read write getattr ioctl };
>> allow dirsrv_setup_t self:process { setsched getsched };
>> allow dirsrv_setup_t self:tcp_socket { bind create ioctl };
>>
>> # Start daemon from setup program
>> dirsrv_domtrans(dirsrv_setup_t)
>> ## Manage db dir
>> dirsrv_manage_db(dirsrv_setup_t)
>> ## Manage configuration
>> dirsrv_manage_config(dirsrv_setup_t)
>> ## Manage log dir
>> dirsrv_manage_log(dirsrv_setup_t)
>> ## Manage lock dir
>> dirsrv_manage_lock(dirsrv_setup_t)
>> ## Manage var_run files
>> dirsrv_manage_var_run(dirsrv_setup_t)
>> ## Manage helper programs
>> dirsrv_manage_helper_exec(dirsrv_setup_t)
>> dirsrv_run_helper_exec(dirsrv_setup_t)
>> ## Files in /tmp
>> allow dirsrv_setup_t dirsrv_setuplog_t:file manage_file_perms;
>>
>> ## Networking
>> # Connect server using ldap
>> corenet_tcp_bind_inaddr_any_node(dirsrv_setup_t)
>> corenet_tcp_bind_ldap_port(dirsrv_setup_t)
>>
>> ## Misc interfaces
>> # Access to shared libraries
>> libs_use_ld_so(dirsrv_setup_t)
>> libs_use_shared_libs(dirsrv_setup_t)
>> # Read locale
>> miscfiles_read_localization(dirsrv_setup_t)
>> # mtab
>> files_dontaudit_read_etc_runtime_files(dirsrv_setup_t)
>> # Execute
>> corecmd_exec_bin(dirsrv_setup_t)
>> corecmd_exec_sbin(dirsrv_setup_t)
>> corecmd_exec_shell(dirsrv_setup_t)
>> # Read /usr/share
>> files_read_usr_files(dirsrv_setup_t)
>> # Allow read urandom
>> dev_read_urand(dirsrv_setup_t)
>> # Read proc
>> kernel_read_net_sysctls(dirsrv_setup_t)
>> kernel_read_sysctl(dirsrv_setup_t)
>> kernel_read_system_state(dirsrv_setup_t)
>> kernel_search_network_sysctl(dirsrv_setup_t)
>> # Stat shadow
>> auth_read_shadow(dirsrv_setup_t)
>> # Exec nsswitch.conf
>> files_exec_etc_files(dirsrv_setup_t)
>> # Find dirsrv dirs
>> files_search_locks(dirsrv_setup_t)
>> files_search_var_lib(dirsrv_setup_t)
>> logging_search_logs(dirsrv_setup_t)
>> # Allow stat file system
>> fs_getattr_xattr_fs(dirsrv_setup_t)
>> sysnet_read_config(dirsrv_setup_t)
>> term_search_ptys(dirsrv_setup_t)
>>
>> optional_policy(`
>> nscd_read_pid(dirsrv_setup_t)
>> ')
>>
>> # Strict policy
>> ifdef(`strict_policy',`
>> # Read cwd (/root)
>> userdom_list_sysadm_home_dirs(dirsrv_setup_t)
>> ')
>>
>> # In targeted policy
>> ifdef(`targeted_policy',`
>> term_use_generic_ptys(dirsrv_setup_t)
>> # Read cwd (/root)
>> userdom_list_user_home_dirs(user,dirsrv_setup_t)
>> userdom_search_generic_user_home_dirs(dirsrv_setup_t)
>> ')
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: dirsrv-admin.te
>> Type: text/x-java
>> Size: 8756 bytes
>> Desc: not available
>> Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20080311/b721a4c9/dirsrv-admin.bin
>> -------------- next part --------------
>>
>> -------------- next part --------------
>> policy_module(fedora-idm-console,1.0.0)
>>
>> ########################################
>> #
>> # Declarations
>> #
>>
>> type fedora-idm-console_t;
>> domain_type(fedora-idm-console_t)
>>
>> ########################################
>> #
>> # Local policy
>> #
>>
>> # In strict policy we need to extend the java domain
>> ifdef(`strict_policy',`
>> fedoraidmconsole_extend_java(user)
>> ## Misc interfaces
>> # Access to shared libraries
>> libs_use_ld_so(fedora-idm-console_t)
>> libs_use_shared_libs(fedora-idm-console_t)
>> # Read locale
>> miscfiles_read_localization(fedora-idm-console_t)
>> ')
>> -------------- next part --------------
>> ## <summary>Java based fedora-idm-console</summary>
>>
>> ########################################
>> ## <summary>
>> ## Extend java domain for fedora-idm-console.
>> ## </summary>
>> ## <param name="domain">
>> ## <summary>
>> ## Prefix of domain allowed access.
>> ## </summary>
>> ## </param>
>> #
>> interface(`fedoraidmconsole_extend_java',`
>> gen_require(`
>> type $1_javaplugin_t;
>> type $1_t, $1_xserver_tmp_t, $1_gconf_home_t, $1_home_ssh_t, $1_mozilla_home_t;
>> ')
>>
>> allow $1_javaplugin_t $1_t:process sigchld;
>> allow $1_t $1_javaplugin_t:process { signal ptrace };
>> allow $1_javaplugin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
>> allow $1_javaplugin_t self:tcp_socket { accept listen };
>> allow $1_javaplugin_t $1_xserver_tmp_t:dir search;
>> allow $1_javaplugin_t $1_xserver_tmp_t:sock_file write;
>> dirsrv_list_db($1_javaplugin_t)
>> corecmd_exec_bin($1_javaplugin_t)
>> corenet_tcp_bind_inaddr_any_node($1_javaplugin_t)
>> files_read_var_files($1_javaplugin_t)
>>
>> # Sun java checks out some dirs, there are probably more than these
>> dontaudit $1_javaplugin_t $1_gconf_home_t:dir getattr;
>> dontaudit $1_javaplugin_t $1_home_ssh_t:dir getattr;
>> dontaudit $1_javaplugin_t $1_mozilla_home_t:dir getattr;
>> ')
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Wed, 12 Mar 2008 11:44:32 +0000
>> From: "Steve Burt" <burt.s.e@gmail.com>
>> Subject: [Fedora-directory-users] Problems in adding a second server
>> into a new
>> To: fedora-directory-users@redhat.com
>> Message-ID:
>> <dbef0ac20803120444s12cbfbb1o526ff972ddba65b6@mail.gmail.com>
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Greetings Folks
>>
>> I am very new to Fedora-DS and have I think Successfully installed a
>> Directory Server and a server group with an admin server and 1
>> Directory Server.
>>
>> My Aim is to Install a second directory server, I think this is
>> basically running the setup-ds-admin.pl on the second server...
>>
>> Could anyone help..
>>
>> Yours Humbly
>>
>> Steve
>>
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Wed, 12 Mar 2008 07:52:09 -0600
>> From: Rich Megginson <rmeggins@redhat.com>
>> Subject: Re: [Fedora-directory-users] Problems in adding a second
>> server into a new
>> To: "General discussion list for the Fedora Directory server project."
>> <fedora-directory-users@redhat.com>
>> Message-ID: <47D7E009.9060605@redhat.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Steve Burt wrote:
>> > Greetings Folks
>> >
>> > I am very new to Fedora-DS and have I think Successfully installed a
>> > Directory Server and a server group with an admin server and 1
>> > Directory Server.
>> >
>> > My Aim is to Install a second directory server, I think this is
>> > basically running the setup-ds-admin.pl on the second server...
>> >
>> Yes. But read about this bug first -
>> https://bugzilla.redhat.com/show_bug.cgi?id=431103
>> > Could anyone help..
>> >
>> > Yours Humbly
>> >
>> > Steve
>> >
>> > --
>> > Fedora-directory-users mailing list
>> > Fedora-directory-users@redhat.com
>> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>> >
>>
>> -------------- next part --------------
>> A non-text attachment was scrubbed...
>> Name: smime.p7s
>> Type: application/x-pkcs7-signature
>> Size: 3245 bytes
>> Desc: not available
>> Url : https://www.redhat.com/archives/fedora-directory-users/attachments/20080312/c35d1379/smime.bin
>>
>> ------------------------------
>>
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>> End of Fedora-directory-users Digest, Vol 34, Issue 24
>> ******************************************************
>>
>>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
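When reviewing a policy module like the dirsrv / fedora-idm-console rules quoted above, it helps to group the allow, dontaudit and interface-call lines per domain and flag the capabilities that need explicit justification. The following is an added example, not code from Pär Aronsson's policy or from the Fedora Directory Server project; SAMPLE is a constructed excerpt of rules from the quoted text and RISKY_CAPS is this example's own list.

```python
# Added example (not Pär Aronsson's policy, nor Fedora DS code): summarise what
# an SELinux .te fragment grants each domain. SAMPLE is a constructed excerpt
# of rules from the quoted policy; RISKY_CAPS is this example's own list.
import re
from collections import defaultdict

SAMPLE = """\
allow dirsrv_t self:tcp_socket create_stream_socket_perms;
allow dirsrv_setup_t self:capability { sys_nice chown fsetid fowner
kill net_bind_service dac_override };
allow dirsrv_setup_t dirsrv_setuplog_t:file manage_file_perms;
dontaudit $1_javaplugin_t $1_gconf_home_t:dir getattr;
corenet_tcp_bind_ldap_port(dirsrv_t)
dev_read_urand(dirsrv_setup_t)
"""

# Capabilities that bypass DAC or confer broad control (example's own list).
RISKY_CAPS = {"dac_override", "dac_read_search", "sys_admin", "sys_ptrace", "setuid"}
# "allow|dontaudit source target:class perms;" (perms may be a { set }) and
# interface calls such as dev_read_urand(dirsrv_setup_t)
RULE_RE = re.compile(r"^(allow|dontaudit)\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+?)\s*;$", re.M)
IFACE_RE = re.compile(r"^(\w+)\((\w+)\)\s*$", re.M)

def parse_te(text):
    """Return (rules, interface_calls); multi-line { perm sets } are folded first."""
    text = re.sub(r"\{[^}]*\}", lambda m: " ".join(m.group(0).split()), text)
    rules = [{"kind": k, "source": s, "target": t, "class": c,
              "perms": set(p.strip("{} ").split())}
             for k, s, t, c, p in RULE_RE.findall(text)]
    return rules, IFACE_RE.findall(text)

def summarise(text):
    """Per source domain: classes touched, risky self capabilities, interface
    calls made for it, and how many dontaudit rules silence denials."""
    rules, calls = parse_te(text)
    out = defaultdict(lambda: {"classes": set(), "risky_caps": set(),
                               "interfaces": set(), "dontaudit": 0})
    for r in rules:
        d = out[r["source"]]
        if r["kind"] == "dontaudit":
            d["dontaudit"] += 1  # silenced denials: worth listing in review
            continue
        d["classes"].add(r["class"])
        if r["target"] == "self" and r["class"] == "capability":
            d["risky_caps"] |= r["perms"] & RISKY_CAPS
    for name, dom in calls:
        out[dom]["interfaces"].add(name)
    return dict(out)
```

Running summarise(SAMPLE) reports dac_override under dirsrv_setup_t, which is exactly the kind of grant a reviewer would ask the policy author to justify in a comment.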