policy_module(sssd, 1.2.0)
########################################
#
# Declarations
#
attribute_role sssd_roles;
##
##
## Allow sssd read, view, and write access to kernel keys with kernel_t type
##
##
gen_tunable(sssd_access_kernel_keys, false)
##
##
## Allow sssd connect to all unreserved ports
##
##
gen_tunable(sssd_connect_all_unreserved_ports, false)
##
##
## Allow sssd use usb devices
##
##
gen_tunable(sssd_use_usb, false)
type sssd_t;
type sssd_exec_t;
init_daemon_domain(sssd_t, sssd_exec_t)
role sssd_roles types sssd_t;
type sssd_initrc_exec_t;
init_script_file(sssd_initrc_exec_t)
type sssd_conf_t;
files_config_file(sssd_conf_t)
type sssd_public_t;
files_pid_file(sssd_public_t)
type sssd_var_lib_t;
files_type(sssd_var_lib_t)
mls_trusted_object(sssd_var_lib_t)
type sssd_var_log_t;
logging_log_file(sssd_var_log_t)
type sssd_var_run_t;
files_pid_file(sssd_var_run_t)
type sssd_unit_file_t;
systemd_unit_file(sssd_unit_file_t)
type sssd_selinux_manager_t;
type sssd_selinux_manager_exec_t;
application_domain(sssd_selinux_manager_t, sssd_selinux_manager_exec_t)
role system_r types sssd_selinux_manager_t;
########################################
#
# sssd local policy
#
allow sssd_t self:capability { dac_override ipc_lock chown dac_read_search kill net_admin sys_nice fowner setgid setuid sys_admin sys_resource };
allow sssd_t self:process { setfscreate setsched sigkill signal getsched setrlimit setpgid setcap};
allow sssd_t self:fifo_file rw_fifo_file_perms;
allow sssd_t self:io_uring sqpoll;
allow sssd_t self:key manage_key_perms;
allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
# Allow sssd_t to execute responders; which has different context now
allow sssd_t sssd_exec_t:file execute_no_trans;
read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
read_lnk_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
list_dirs_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
allow sssd_t sssd_public_t:file map;
manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_lnk_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
allow sssd_t sssd_var_lib_t:file map;
files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir })
# Allow systemd to create sockets for socket activated responders
create_sock_files_pattern(init_t, sssd_var_lib_t, sssd_var_lib_t)
delete_sock_files_pattern(init_t, sssd_var_lib_t, sssd_var_lib_t)
manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
logging_log_filetrans(sssd_t, sssd_var_log_t, file)
manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_sock_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir sock_file })
kernel_read_network_state(sssd_t)
kernel_read_system_state(sssd_t)
kernel_request_load_module(sssd_t)
kernel_read_net_sysctls(sssd_t)
corenet_udp_bind_generic_port(sssd_t)
corenet_dontaudit_udp_bind_all_ports(sssd_t)
corenet_tcp_connect_kerberos_password_port(sssd_t)
corenet_tcp_connect_smbd_port(sssd_t)
corenet_tcp_connect_http_port(sssd_t)
corenet_tcp_connect_http_cache_port(sssd_t)
corecmd_exec_bin(sssd_t)
dev_read_urand(sssd_t)
dev_read_sysfs(sssd_t)
dev_rw_crypto(sssd_t)
domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t)
files_list_tmp(sssd_t)
files_read_etc_runtime_files(sssd_t)
files_list_var_lib(sssd_t)
files_watch_etc_dirs(sssd_t)
fs_getattr_cgroup(sssd_t)
fs_search_cgroup_dirs(sssd_t)
fs_getattr_tmpfs(sssd_t)
fs_getattr_xattr_fs(sssd_t)
selinux_validate_context(sssd_t)
seutil_read_config(sssd_t)
seutil_read_file_contexts(sssd_t)
# sssd wants to write /etc/selinux//logins/ for SELinux PAM module
seutil_rw_login_config_dirs(sssd_t)
seutil_manage_login_config_files(sssd_t)
seutil_dontaudit_access_check_load_policy(sssd_t)
seutil_dontaudit_access_check_setfiles(sssd_t)
seutil_dontaudit_access_check_semanage_read_lock(sssd_t)
seutil_dontaudit_access_check_semanage_module_store(sssd_t)
mls_file_read_to_clearance(sssd_t)
mls_socket_read_to_clearance(sssd_t)
mls_socket_write_to_clearance(sssd_t)
mls_trusted_object(sssd_t)
# auth_use_nsswitch(sssd_t)
auth_domtrans_chk_passwd(sssd_t)
auth_domtrans_upd_passwd(sssd_t)
auth_manage_cache(sssd_t)
# Bogus allow because we don't handle keyring properly in code.
auth_login_manage_key(sssd_t)
dontaudit sssd_t init_t:dbus send_msg;
auth_watch_passwd(sssd_t)
# sssd uses inotify to watch for changes in /run/systemd/resolve
init_list_pid_dirs(sssd_t)
init_read_utmp(sssd_t)
init_watch_pid_dir(sssd_t)
logging_send_syslog_msg(sssd_t)
logging_send_audit_msgs(sssd_t)
miscfiles_read_generic_certs(sssd_t)
miscfiles_manage_cert_files(sssd_t)
miscfiles_dontaudit_access_check_cert(sssd_t)
miscfiles_map_generic_certs(sssd_t)
sysnet_dns_name_resolve(sssd_t)
sysnet_use_ldap(sssd_t)
sysnet_watch_config(sssd_t)
userdom_manage_tmp_role(system_r, sssd_t)
userdom_manage_all_users_keys(sssd_t)
userdom_dbus_send_all_users(sssd_t)
userdom_home_reader(sssd_t)
tunable_policy(`sssd_access_kernel_keys',`
kernel_rw_key(sssd_t)
')
tunable_policy(`sssd_connect_all_unreserved_ports',`
corenet_tcp_connect_all_unreserved_ports(sssd_t)
')
tunable_policy(`sssd_use_usb',`
dev_rw_generic_usb_dev(sssd_t)
')
optional_policy(`
tunable_policy(`sssd_use_usb',`
ipa_domtrans_otpd(sssd_t)
')
')
optional_policy(`
accountsd_read_fifo_file(sssd_t)
')
optional_policy(`
bind_read_cache(sssd_t)
')
optional_policy(`
cloudform_rw_pipes(sssd_t)
')
optional_policy(`
dbus_system_bus_client(sssd_t)
dbus_connect_system_bus(sssd_t)
optional_policy(`
cron_dbus_chat_system_job(sssd_t)
')
')
optional_policy(`
kerberos_manage_host_rcache(sssd_t)
kerberos_tmp_filetrans_host_rcache(sssd_t, "host_0")
kerberos_read_home_content(sssd_t)
kerberos_rw_config(sssd_t)
kerberos_rw_keytab(sssd_t)
')
optional_policy(`
dirsrv_stream_connect(sssd_t)
')
optional_policy(`
gnome_read_home_config(sssd_t)
')
optional_policy(`
ica_rw_map_tmpfs_files(sssd_t)
')
optional_policy(`
ipa_sigkill_otpd(sssd_t)
')
optional_policy(`
ldap_stream_connect(sssd_t)
ldap_read_certs(sssd_t)
')
optional_policy(`
networkmanager_read_pid_files(sssd_t)
networkmanager_watch_pid_dirs(sssd_t)
')
optional_policy(`
pkcs_domtrans(sssd_t)
pkcs_read_lock(sssd_t)
')
optional_policy(`
samba_exec_net(sssd_t)
samba_manage_var_dirs(sssd_t)
samba_manage_var_files(sssd_t)
samba_manage_var_sock_files(sssd_t)
')
optional_policy(`
systemd_login_read_pid_files(sssd_t)
systemd_resolved_read_pid(sssd_t)
systemd_resolved_watch_pid_dirs(sssd_t)
')
optional_policy(`
realmd_read_var_lib(sssd_t)
')
########################################
#
# sssd SELinux manager local policy
#
# allow sssd_t to kill unresponsive selinux_child process
allow sssd_t sssd_selinux_manager_t:process signal;
allow sssd_selinux_manager_t self:capability { setgid setuid };
dontaudit sssd_selinux_manager_t self:capability net_admin;
domtrans_pattern(sssd_t, sssd_selinux_manager_exec_t, sssd_selinux_manager_t)
init_rw_stream_sockets(sssd_selinux_manager_t)
logging_send_audit_msgs(sssd_selinux_manager_t)
seutil_semanage_policy(sssd_selinux_manager_t)
seutil_manage_file_contexts(sssd_selinux_manager_t)
seutil_manage_config(sssd_selinux_manager_t)
seutil_manage_login_config(sssd_selinux_manager_t)
seutil_manage_default_contexts(sssd_selinux_manager_t)
seutil_exec_setfiles(sssd_selinux_manager_t)
logging_dontaudit_search_audit_logs(sssd_selinux_manager_t)
# allow to communicate with systemd via libnss_systemd.so.2
optional_policy(`
dbus_system_bus_client(sssd_selinux_manager_t)
init_dbus_chat(sssd_selinux_manager_t)
')