diff --git a/refpolicy/policy/modules/services/ldap.te b/refpolicy/policy/modules/services/ldap.te
index aa20055..2cd4495 100644
--- a/refpolicy/policy/modules/services/ldap.te
+++ b/refpolicy/policy/modules/services/ldap.te
@@ -38,6 +38,8 @@ allow slapd_t self:process setsched;
 allow slapd_t self:fifo_file { read write };
 allow slapd_t self:netlink_route_socket r_netlink_socket_perms;
 allow slapd_t self:udp_socket create_socket_perms;
+#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
+allow slapd_t self:tcp_socket create_stream_socket_perms;
 
 # Allow access to the slapd databases
 allow slapd_t slapd_db_t:dir create_dir_perms;
@@ -106,7 +108,16 @@ sysnet_read_config(slapd_t)
 userdom_dontaudit_use_unpriv_user_fd(slapd_t)
 userdom_dontaudit_search_sysadm_home_dir(slapd_t)
 
-ifdef(`targeted_policy', `
+ifdef(`targeted_policy', 
+#reh slapcat will want to talk to the terminal
+term_use_generic_pty(slapd_t)
+term_use_unallocated_tty(slapd_t)
+
+userdom_search_generic_user_home_dir(slapd_t)
+#need to be able to read ldif files created by root
+# cjp: fix to not use templated interface:
+userdom_read_user_home_files(user,slapd_t)
+
 term_dontaudit_use_unallocated_tty(slapd_t)
 term_dontaudit_use_generic_pty(slapd_t)
 files_dontaudit_read_root_file(slapd_t)
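Review bot: The comment above the new `allow slapd_t self:tcp_socket create_stream_socket_perms;` rule is garbled ("ldapseach", and the parenthetical just repeats the clause) and explains the wrong thing: this is the per-domain socket permission slapd needs for any TCP use, outbound `connect` included, while actually listening on the LDAP port is still gated by the corenet port and node interfaces, which are not in this hunk. If `corenet_tcp_bind_ldap_port(slapd_t)` and a node-bind interface are not already elsewhere in ldap.te, the socket will be created but the bind denied, so that is worth confirming before relying on this rule alone. Suggest replacing the two-line remark with `# slapd serves LDAP clients (e.g. ldapsearch) over TCP; port/node binding is granted via corenet below`.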
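Review bot: `userdom_read_user_home_files(user,slapd_t)` gives the network-facing slapd_t domain read access to every unprivileged user's home content in the targeted policy, which is far broader than the stated need of letting slapcat/slapadd read LDIF files created by root, and the `# cjp: fix to not use templated interface:` line left in the hunk admits the templated call is itself still a to-do. A tighter approach is to keep LDIF input in a type slapd already reads (for example under `slapd_db_t`, or a dedicated type the admin relabels the file to) instead of opening all home files; if home access must stay, at least switch to the non-templated userdom interface and drop the stale `# cjp:` comment. The new `ifdef(`targeted_policy',` line also appears to have lost the m4 open quote that the removed line carried after the comma; with the closing `')` (outside this hunk) presumably unchanged, the second argument is no longer quoted and the quotes are unbalanced, so the open quote should be restored as on the removed line. Once `term_use_generic_pty`/`term_use_unallocated_tty` are allowed, the `term_dontaudit_use_*` context lines below them are redundant and can be removed.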