likewise.if

## <summary>Likewise Active Directory support for UNIX.</summary>

#######################################
## <summary>
##	The template to define a likewise domain.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	The type of daemon to be used.
##	</summary>
## </param>
#
template(`likewise_domain_template',`
	gen_require(`
		attribute likewise_domains;
		type likewise_var_lib_t;
	')

	########################################
	#
	# Declarations
	#

	type $1_t;
	type $1_exec_t;
	init_daemon_domain($1_t, $1_exec_t)

	typeattribute $1_t likewise_domains;

	type $1_var_run_t;
	files_pid_file($1_var_run_t)

	type $1_var_socket_t;
	files_type($1_var_socket_t)

	type $1_var_lib_t;
	files_type($1_var_lib_t)

	####################################
	#
	# Policy
	#

	allow $1_t self:process { signal_perms getsched setsched };
	allow $1_t self:fifo_file rw_fifo_file_perms;
	allow $1_t self:unix_stream_socket { accept listen };
	allow $1_t self:tcp_socket create_stream_socket_perms;
	allow $1_t self:udp_socket create_socket_perms;

	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
	files_pid_filetrans($1_t, $1_var_run_t, file)

	manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t)
	filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file)

	manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
	filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
')

########################################
## <summary>
##	Connect to lsassd with a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`likewise_stream_connect_lsassd',`
	gen_require(`
		type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
	')

	files_search_pids($1)
	stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
')

########################################
## <summary>
##	All of the rules required to
##	administrate an likewise environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`likewise_admin',`
	gen_require(`
		attribute likewise_domains;
		type likewise_initrc_exec_t, likewise_etc_t, likewise_pstore_lock_t;
		type likewise_krb5_ad_t, likewise_var_lib_t, eventlogd_var_socket_t;
		type lsassd_var_socket_t, lwiod_var_socket_t, lwregd_var_socket_t;
		type lwsmd_var_socket_t, lwsmd_var_lib_t, netlogond_var_socket_t;
		type netlogond_var_lib_t, lsassd_var_lib_t, lwregd_var_lib_t;
		type eventlogd_var_lib_t, dcerpcd_var_lib_t, lsassd_tmp_t;
		type eventlogd_var_run_t, lsassd_var_run_t, lwiod_var_run_t;
		type lwregd_var_run_t, netlogond_var_run_t, srvsvcd_var_run_t;
	')

	allow $1 likewise_domains:process { ptrace signal_perms };
	ps_process_pattern($1, likewise_domains)

	init_startstop_service($1, $2, likewise_domains, likewise_initrc_exec_t)

	files_list_etc($1)
	admin_pattern($1, { likewise_etc_t likewise_pstore_lock_t likewise_krb5_ad_t })

	files_search_var_lib($1)
	admin_pattern($1, { likewise_var_lib_t eventlogd_var_socket_t lsassd_var_socket_t })
	admin_pattern($1, { lwiod_var_socket_t lwregd_var_socket_t lwsmd_var_socket_t })
	admin_pattern($1, { lwsmd_var_lib_t netlogond_var_socket_t netlogond_var_lib_t })
	admin_pattern($1, { lsassd_var_lib_t lwregd_var_lib_t eventlogd_var_lib_t })
	admin_pattern($1, dcerpcd_var_lib_t)

	files_list_tmp($1)
	admin_pattern($1, lsassd_tmp_t)

	files_list_pids($1)
	admin_pattern($1, { eventlogd_var_run_t lsassd_var_run_t lwiod_var_run_t })
	admin_pattern($1, { lwregd_var_run_t netlogond_var_run_t srvsvcd_var_run_t })
')