

kanidm: initial policy
Signed-off-by: Kenton Groombridge <[email protected]>
0xC0ncord committed Aug 10, 2024
1 parent 2cc82ec commit 37d90b6
Showing 6 changed files with 470 additions and 0 deletions.
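--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4116,6 +4116,24 @@ interface(`files_watch_home',`
 allow $1 home_root_t:dir watch;
 ')
 
+########################################
+## <summary>
+## Manage user home root symlinks.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_home_symlinks',`
+gen_require(`
+type home_root_t;
+')
+
+allow $1 home_root_t:lnk_file manage_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ## Create objects in /home.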
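Review bot: The summary `## Manage user home root symlinks.` on the new `files_manage_home_symlinks` interface understates the grant: `manage_lnk_file_perms` on `home_root_t:lnk_file` covers create, read, getattr, setattr, unlink and rename of any symlink directly under /home, which other domains resolve when they look up user home directories. Suggest the summary read `## Create, delete, rename and modify symlinks in the home root directory (/home).` so that callers see the scope before wiring it into a domain. The neighbouring interfaces before and after this one begin and end outside the hunk.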
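--- a/policy/modules/services/kanidm.fc
+++ b/policy/modules/services/kanidm.fc
@@ -0,0 +1,16 @@
+/usr/bin/kanidmd -- gen_context(system_u:object_r:kanidmd_exec_t,s0)
+/usr/bin/kanidm_unixd -- gen_context(system_u:object_r:kanidm_unixd_exec_t,s0)
+/usr/bin/kanidm_unixd_tasks -- gen_context(system_u:object_r:kanidm_unixd_tasks_exec_t,s0)
+
+/usr/sbin/kanidmd -- gen_context(system_u:object_r:kanidmd_exec_t,s0)
+/usr/sbin/kanidm_unixd -- gen_context(system_u:object_r:kanidm_unixd_exec_t,s0)
+/usr/sbin/kanidm_unixd_tasks -- gen_context(system_u:object_r:kanidm_unixd_tasks_exec_t,s0)
+
+/etc/kanidm(/.*)? gen_context(system_u:object_r:kanidm_config_t,s0)
+
+/run/kanidm-unixd(/.*)? gen_context(system_u:object_r:kanidm_unixd_runtime_t,s0)
+
+/var/cache/kanidm-unixd(/.*)? gen_context(system_u:object_r:kanidm_unixd_cache_t,s0)
+
+/var/lib/kanidmd(/.*)? gen_context(system_u:object_r:kanidm_var_lib_t,s0)
+/var/lib/kanidm-unixd(/.*)? gen_context(system_u:object_r:kanidm_unixd_var_lib_t,s0)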
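Review bot: `/var/lib/kanidmd(/.*)?` is labeled `kanidm_var_lib_t` while every other type in this file carries its component prefix (`kanidmd_exec_t`, `kanidm_unixd_var_lib_t`, `kanidm_unixd_cache_t`); naming it `kanidmd_var_lib_t` would keep the server's state directory visibly tied to the kanidmd domain and distinguish it at a glance from the unixd state directory on the next line. That rename would also need to land in `kanidm_admin` in kanidm.if and presumably in kanidm.te, which is part of this commit but not shown here. `kanidm_unixd_tasks_exec_t` is declared here but no interface in kanidm.if refers to it; if the tasks daemon is only ever started by unixd itself that is acceptable, but a short note in kanidm.if saying so would save the next reader from looking for a missing domtrans interface.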
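--- a/policy/modules/services/kanidm.if
+++ b/policy/modules/services/kanidm.if
@@ -0,0 +1,201 @@
+## <summary>A simple, secure and fast identity management platform</summary>
+
+########################################
+## <summary>
+## Execute kanidmd in the kanidmd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kanidm_domtrans_server',`
+gen_require(`
+type kanidmd_t, kanidmd_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, kanidmd_exec_t, kanidmd_t)
+')
+
+########################################
+## <summary>
+## Execute kanidmd in the kanidmd domain, and
+## allow the specified role the kanidmd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kanidm_run_server',`
+gen_require(`
+type kanidmd_t;
+')
+
+kanidm_domtrans_server($1)
+role $2 types kanidmd_t;
+')
+
+########################################
+## <summary>
+## Execute kanidmd-unixd in the
+## kanidmd-unixd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`kanidm_domtrans_unixd',`
+gen_require(`
+type kanidm_unixd_t, kanidm_unixd_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, kanidm_unixd_exec_t, kanidm_unixd_t)
+')
+
+########################################
+## <summary>
+## Execute kanidm-unixd in the kanidm-unixd
+## domain, and allow the specified role the
+## kanidm-unixd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kanidm_run_unixd',`
+gen_require(`
+type kanidm_unixd_t;
+')
+
+kanidm_domtrans_unixd($1)
+role $2 types kanidm_unixd_t;
+')
+
+########################################
+## <summary>
+## Read kanidm config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kanidm_read_config',`
+gen_require(`
+type kanidm_config_t;
+')
+
+files_search_etc($1)
+read_files_pattern($1, kanidm_config_t, kanidm_config_t)
+')
+
+########################################
+## <summary>
+## Set attributes on kanidm-unixd cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kanidm_setattr_unixd_cache_dirs',`
+gen_require(`
+type kanidm_unixd_cache_t;
+')
+
+allow $1 kanidm_unixd_cache_t:dir setattr_dir_perms;
+')
+
+#######################################
+## <summary>
+## Connect to kanidm-unixd with a
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kanidm_unixd_stream_connect',`
+gen_require(`
+type kanidm_unixd_t, kanidm_unixd_runtime_t;
+')
+
+files_search_runtime($1)
+stream_connect_pattern($1, kanidm_unixd_runtime_t, kanidm_unixd_runtime_t, kanidm_unixd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate a Kanidm environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kanidm_admin',`
+gen_require(`
+type kanidmd_t;
+type kanidm_unixd_t;
+type kanidm_config_t;
+type kanidm_unixd_cache_t;
+type kanidm_unixd_runtime_t;
+type kanidm_var_lib_t;
+')
+
+kanidm_run_server($1, $2)
+kanidm_run_unixd($1, $2)
+
+allow $1 kanidmd_t:process { ptrace signal_perms };
+ps_process_pattern($1, kanidmd_t)
+
+allow $1 kanidm_unixd_t:process { ptrace signal_perms };
+ps_process_pattern($1, kanidm_unixd_t)
+
+stream_connect_pattern($1, kanidm_unixd_runtime_t, kanidm_unixd_runtime_t, kanidm_unixd_t)
+
+files_search_etc($1)
+admin_pattern($1, kanidm_config_t)
+
+files_search_runtime($1)
+admin_pattern($1, kanidm_unixd_runtime_t)
+
+files_search_var($1)
+admin_pattern($1, kanidm_unixd_cache_t)
+
+files_search_var_lib($1)
+admin_pattern($1, kanidm_var_lib_t)
+')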
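Review bot: `kanidm_admin` grants `admin_pattern` over `kanidm_var_lib_t` but not over `kanidm_unixd_var_lib_t`, which kanidm.fc in this commit assigns to `/var/lib/kanidm-unixd`, so a role given this interface can manage the server's state directory but not the unixd one; add `type kanidm_unixd_var_lib_t;` to the gen_require block and `admin_pattern($1, kanidm_unixd_var_lib_t)` after the existing `admin_pattern($1, kanidm_var_lib_t)` line. The same interface repeats `files_search_runtime($1)` and the `stream_connect_pattern(...)` call that `kanidm_unixd_stream_connect` already wraps; calling `kanidm_unixd_stream_connect($1)` there instead keeps the two in step if the socket type or directory ever changes. The summary of `kanidm_domtrans_unixd` refers to `kanidmd-unixd` and the `kanidmd-unixd domain`, while the binary and type used throughout the rest of the file are `kanidm_unixd` and `kanidm_unixd_t`; suggest `## Execute kanidm-unixd in the kanidm-unixd domain.` to match `kanidm_run_unixd` below it.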
