[DSE-User] SELinux on Wheezy: ldap

Arno Schuring aelschuring at hotmail.com
Thu Feb 9 22:59:49 UTC 2012


Apart from the usual file contexts, openldap needs access to random()
for ssl/tls communication.

There is a problem in the current package though: /usr/sbin/slapd is
hardlinked to a number of other slap* binaries, of which only slapd is
supposed to be labeled slapd_exec_t. My current workaround is to
manually break the hardlink by copying the binary over itself. Maybe
because of this workaround, slapd requires execmod on its own binary.
The former is #634081, the execmod issue is not reported because I
don't know if I caused that myself.


Regards,
Arno

-8<--
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
index c62f23e..8777578 100644
--- a/policy/modules/services/ldap.fc
+++ b/policy/modules/services/ldap.fc
@@ -1,6 +1,7 @@
 
 /etc/ldap/slapd\.conf	--	gen_context(system_u:object_r:slapd_etc_t,s0)
 /etc/rc\.d/init\.d/ldap	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
+/etc/init\.d/slapd	--	gen_context(system_u:object_r:slapd_initrc_exec_t,s0)
 
 /usr/sbin/slapd		--	gen_context(system_u:object_r:slapd_exec_t,s0)
 
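Review bot: the new `/etc/init\.d/slapd` entry is a Debian-specific path but is added to the generic section, while the file already has an `ifdef(`distro_debian',` block (visible in the next hunk's header); moving the line inside that block keeps distro paths together and avoids labeling a non-existent path on other distributions.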
@@ -15,3 +16,4 @@ ifdef(`distro_debian',`
 /var/run/openldap(/.*)?		gen_context(system_u:object_r:slapd_var_run_t,s0)
 /var/run/slapd\.args	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
 /var/run/slapd\.pid	--	gen_context(system_u:object_r:slapd_var_run_t,s0)
+/run/slapd/.*		gen_context(system_u:object_r:slapd_var_run_t,s0)
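Review bot: `/run/slapd/.*` matches only the directory's contents, not `/run/slapd` itself, so the directory would keep its parent's label; the neighbouring entry `/var/run/openldap(/.*)?` shows the usual form, so `/run/slapd(/.*)?` is the consistent spelling. Worth checking too whether the policy already maps `/run` onto `/var/run` via the file_contexts substitution list, in which case a `/var/run/slapd(/.*)?` entry would cover both paths without a separate `/run` line.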
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index 64fd1ff..36e0159 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -1,4 +1,4 @@
-policy_module(ldap, 1.10.0)
+policy_module(ldap, 1.10.5)
 
 ########################################
 #
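Review bot: the module version jumps from 1.10.0 to 1.10.5 for a single change; the convention is to bump the last component by one (1.10.1) so the history stays readable and merges with other pending changes do not collide.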
@@ -37,6 +37,11 @@ files_pid_file(slapd_var_run_t)
 #
 # Local policy
 #
+allow slapd_t slapd_exec_t:file execmod;
+
+dev_read_rand(slapd_t)
+dev_read_urand(slapd_t)
+kernel_read_crypto_sysctls(slapd_t)
 
 # should not need kill
 # cjp: why net_raw?
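Review bot: `allow slapd_t slapd_exec_t:file execmod;` should not go in unconditionally, since the cover letter itself says the execmod denial may be an artefact of the hardlink-breaking workaround rather than a property of the packaged binary. Suggest reproducing the denial with an unmodified package first and, if it is real, documenting why (a text relocation in the binary, for instance) in a comment above the rule or gating it behind a boolean; the `dev_read_rand`, `dev_read_urand` and `kernel_read_crypto_sysctls` calls are fine and match the stated ssl/tls need.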

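An added check for the hardlink problem described in the message above (example script, not part of Arno's mail or of the openldap package): because an SELinux label is stored on the inode, hardlinked `slap*` entries cannot carry different types, so the script lists the entries sharing an inode with a given binary and replaces one entry with a fresh copy so it can be labeled on its own. The demo uses a constructed temporary directory, not a real `/usr/sbin`; `hardlink_siblings` and `break_hardlink` are hypothetical names.

```shell
#!/bin/sh
# Print every directory entry under $2 (default: the directory holding $1)
# that shares an inode with $1, i.e. the hardlink siblings that would all
# receive the same SELinux type as $1.
hardlink_siblings() {
    target=$1
    dir=${2:-$(dirname "$target")}
    find "$dir" -xdev -samefile "$target" ! -path "$target" 2>/dev/null
}

# Replace $1 with a fresh copy under the same name. The new inode no longer
# shares a label with the other slap* entries; on a real system run
# restorecon on it afterwards so it picks up slapd_exec_t from the policy.
break_hardlink() {
    target=$1
    tmp="$target.tmp.$$"
    cp -p "$target" "$tmp" && mv -f "$tmp" "$target"
}

# Constructed demo: a fake slapd hardlinked to three sibling tools, the
# layout the message describes for the Wheezy package.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho slapd\n' > "$demo_dir/slapd"
chmod 755 "$demo_dir/slapd"
for tool in slapadd slapcat slapindex; do
    ln "$demo_dir/slapd" "$demo_dir/$tool"
done

echo "siblings of slapd before:"
hardlink_siblings "$demo_dir/slapd" "$demo_dir"
break_hardlink "$demo_dir/slapd"
echo "siblings of slapd after (expect none):"
hardlink_siblings "$demo_dir/slapd" "$demo_dir"
```

With `break_hardlink` applied only to slapd, the other three entries still share one inode among themselves, which is fine because they are meant to carry the same type.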