# Last Modified: Fri Feb 29 11:13:57 2008 #include <tunables/global> /usr/sbin/slapd { #include <abstractions/base> #include <abstractions/nameservice> capability net_bind_service, capability dac_override, capability setgid, capability setuid, /etc/hosts.allow r, /etc/hosts.deny r, /etc/openldap/** r, /etc/openldap/slapd.d/** rw, /etc/pki/tls/certs/ca-bundle.crt r, /etc/pki/tls/rootcerts/* r, /etc/ssl/openldap/* r, /usr/share/openldap/schema/*.schema r, /usr/lib/* mr, /usr/lib64/* mr, # sasl /etc/sasl2/*.conf r, /usr/lib/sasl2 r, /usr/lib64/sasl2 r, /usr/lib/sasl2/* mr, /usr/lib64/sasl2/* mr, /var/lib/sasl2/sasl.db r, /etc/krb5.conf r, /etc/krb5.keytab rk, /var/tmp/* rw, # slapd /usr/sbin/slapd mr, /usr/lib/openldap/* mr, /usr/lib64/openldap/* mr, /var/run/ldap/ldapi rw, # database /var/lib/ldap/** krw, /var/run/ldap/slapd.args rw, /var/run/ldap/slapd.pid rw, }