policy_module(nscd, 1.9.1)
gen_require(`
class nscd all_nscd_perms;
')
########################################
#
# Declarations
#
# cjp: this is out of order because of an
# ordering problem with loadable modules
type nscd_var_run_t;
files_pid_file(nscd_var_run_t)
# nscd is both the client program and the daemon.
type nscd_t;
type nscd_exec_t;
init_daemon_domain(nscd_t, nscd_exec_t)
type nscd_initrc_exec_t;
init_script_file(nscd_initrc_exec_t)
type nscd_log_t;
logging_log_file(nscd_log_t)
########################################
#
# Local policy
#
allow nscd_t self:capability { kill setgid setuid };
dontaudit nscd_t self:capability sys_tty_config;
allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
allow nscd_t self:fifo_file read_fifo_file_perms;
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
allow nscd_t self:unix_dgram_socket create_socket_perms;
allow nscd_t self:netlink_selinux_socket create_socket_perms;
allow nscd_t self:tcp_socket create_socket_perms;
allow nscd_t self:udp_socket create_socket_perms;
# For client program operation, invoked from sysadm_t.
# Transition occurs to nscd_t due to direct_sysadm_daemon.
allow nscd_t self:nscd { admin getstat };
allow nscd_t nscd_log_t:file manage_file_perms;
logging_log_filetrans(nscd_t, nscd_log_t, file)
manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })
corecmd_search_bin(nscd_t)
can_exec(nscd_t, nscd_exec_t)
kernel_read_kernel_sysctls(nscd_t)
kernel_list_proc(nscd_t)
kernel_read_proc_symlinks(nscd_t)
dev_read_sysfs(nscd_t)
dev_read_rand(nscd_t)
dev_read_urand(nscd_t)
fs_getattr_all_fs(nscd_t)
fs_search_auto_mountpoints(nscd_t)
# for when /etc/passwd has just been updated and has the wrong type
auth_getattr_shadow(nscd_t)
auth_use_nsswitch(nscd_t)
corenet_all_recvfrom_unlabeled(nscd_t)
corenet_all_recvfrom_netlabel(nscd_t)
corenet_tcp_sendrecv_generic_if(nscd_t)
corenet_udp_sendrecv_generic_if(nscd_t)
corenet_tcp_sendrecv_generic_node(nscd_t)
corenet_udp_sendrecv_generic_node(nscd_t)
corenet_tcp_sendrecv_all_ports(nscd_t)
corenet_udp_sendrecv_all_ports(nscd_t)
corenet_udp_bind_generic_node(nscd_t)
corenet_tcp_connect_all_ports(nscd_t)
corenet_sendrecv_all_client_packets(nscd_t)
corenet_rw_tun_tap_dev(nscd_t)
selinux_get_fs_mount(nscd_t)
selinux_validate_context(nscd_t)
selinux_compute_access_vector(nscd_t)
selinux_compute_create_context(nscd_t)
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)
domain_use_interactive_fds(nscd_t)
files_read_etc_files(nscd_t)
files_read_generic_tmp_symlinks(nscd_t)
# Needed to read files created by firstboot "/etc/hesiod.conf"
files_read_etc_runtime_files(nscd_t)
logging_send_audit_msgs(nscd_t)
logging_send_syslog_msg(nscd_t)
miscfiles_read_localization(nscd_t)
seutil_read_config(nscd_t)
seutil_read_default_contexts(nscd_t)
seutil_sigchld_newrole(nscd_t)
sysnet_read_config(nscd_t)
userdom_dontaudit_use_user_terminals(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)
optional_policy(`
cron_read_system_job_tmp_files(nscd_t)
')
optional_policy(`
kerberos_use(nscd_t)
')
optional_policy(`
udev_read_db(nscd_t)
')
optional_policy(`
xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
')