From 493d6c4adc3927b2e85b89f6a0a4504a1a8d7bd3 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Jul 13 2005 20:48:51 +0000 Subject: add nscd --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 77cfb61..67d7923 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -2,6 +2,8 @@ * Doc tool now links directly to the interface/template in the module page when it is selected in the interface/template index. * Added support for layer summaries. + * Added policies: + nscd 20050707 (7 Jul 2005) * Changed xml to have modules encapsulated by layer tags, rather diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index fd6c32e..39b6cb8 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -6,7 +6,7 @@ policy_module(logrotate,1.0) # Declarations # -type logrotate_t; #, priv_system_role, nscd_client_domain; +type logrotate_t; #, priv_system_role domain_type(logrotate_t) domain_obj_id_change_exempt(logrotate_t) role system_r types logrotate_t; @@ -122,6 +122,10 @@ optional_policy(`nis.te',` nis_use_ypbind(logrotate_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(logrotate_t) +') + ifdef(`TODO',` #from privmail this needs more work: diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te index 857ea94..7c95c5c 100644 --- a/refpolicy/policy/modules/admin/netutils.te +++ b/refpolicy/policy/modules/admin/netutils.te @@ -14,12 +14,12 @@ role system_r types netutils_t; type netutils_tmp_t; files_tmp_file(netutils_tmp_t) -type ping_t; #, nscd_client_domain; +type ping_t; type ping_exec_t; init_system_domain(ping_t,ping_exec_t) role system_r types ping_t; -type traceroute_t; #, nscd_client_domain; +type traceroute_t; type traceroute_exec_t; init_system_domain(traceroute_t,traceroute_exec_t) role system_r types traceroute_t; @@ -128,14 +128,16 @@ optional_policy(`nis.te',` nis_use_ypbind(ping_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(ping_t) +') + optional_policy(`sysnetwork.te',` optional_policy(`hotplug.te',` hotplug_use_fd(ping_t) ') ') - - ifdef(`TODO',` in_user_role(ping_t) tunable_policy(`user_ping',` @@ -199,6 +201,10 @@ optional_policy(`nis.te',` nis_use_ypbind(traceroute_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(traceroute_t) +') + ifdef(`TODO',` in_user_role(traceroute_t) tunable_policy(`user_ping',` diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te index 56fc933..d2b0a15 100644 --- a/refpolicy/policy/modules/admin/usermanage.te +++ b/refpolicy/policy/modules/admin/usermanage.te @@ -29,7 +29,7 @@ files_type(crack_db_t) type crack_tmp_t; files_tmp_file(crack_tmp_t) -type groupadd_t; #, nscd_client_domain; +type groupadd_t; type groupadd_exec_t; domain_obj_id_change_exempt(groupadd_t) init_system_domain(groupadd_t,groupadd_exec_t) @@ -51,7 +51,7 @@ domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t) type sysadm_passwd_tmp_t; files_type(sysadm_passwd_tmp_t) -type useradd_t; # nscd_client_domain; +type useradd_t; type useradd_exec_t; domain_obj_id_change_exempt(useradd_t) init_system_domain(useradd_t,useradd_exec_t) @@ -252,6 +252,10 @@ optional_policy(`nis.te',` nis_use_ypbind(groupadd_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(groupadd_t) +') + optional_policy(`rpm.te',` rpm_use_fd(groupadd_t) rpm_rw_pipe(groupadd_t) @@ -523,6 +527,10 @@ optional_policy(`nis.te',` nis_use_ypbind(useradd_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(useradd_t) +') + optional_policy(`rpm.te',` rpm_use_fd(useradd_t) rpm_rw_pipe(useradd_t) diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index 5ac1c30..a1dddfd 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -13,7 +13,7 @@ files_type(anacron_exec_t) type cron_spool_t; files_type(cron_spool_t) -type crond_t; #, privmail, nscd_client_domain +type crond_t; #, privmail type crond_exec_t; init_daemon_domain(crond_t,crond_exec_t) domain_wide_inherit_fd(crond_t) @@ -31,7 +31,7 @@ type crontab_exec_t; files_type(crontab_exec_t) type system_cron_spool_t; -type system_crond_t; #, privmail, nscd_client_domain; +type system_crond_t; #, privmail init_daemon_domain(system_crond_t,anacron_exec_t) corecmd_shell_entry_type(system_crond_t) role system_r types system_crond_t; @@ -141,6 +141,10 @@ optional_policy(`nis.te',` nis_use_ypbind(crond_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(crond_t) +') + optional_policy(`rpm.te',` # Commonly used from postinst scripts rpm_read_pipe(crond_t) @@ -310,6 +314,10 @@ optional_policy(`nis.te',` nis_use_ypbind(system_crond_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(system_crond_t) +') + ifdef(`TODO',` dontaudit userdomain system_crond_t:fd use; diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te index 28691d7..9919d1d 100644 --- a/refpolicy/policy/modules/services/inetd.te +++ b/refpolicy/policy/modules/services/inetd.te @@ -19,7 +19,7 @@ files_tmp_file(inetd_tmp_t) type inetd_var_run_t; files_pid_file(inetd_var_run_t) -type inetd_child_t; #, nscd_client_domain; +type inetd_child_t; type inetd_child_exec_t; inetd_service_domain(inetd_child_t,inetd_child_exec_t) role system_r types inetd_child_t; @@ -218,3 +218,7 @@ optional_policy(`kerberos.te',` optional_policy(`nis.te',` nis_use_ypbind(inetd_child_t) ') + +optional_policy(`nscd.te',` + nscd_use_socket(inetd_child_t) +') diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 665b6b8..1b4ffd7 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -7,7 +7,7 @@ # mta_per_userdomain_template(userdomain_prefix) # template(`mta_per_userdomain_template',` - type $1_mail_t; # , user_mail_domain, nscd_client_domain; + type $1_mail_t; # , user_mail_domain domain_type($1_mail_t) role $1_r types $1_mail_t; @@ -81,6 +81,10 @@ template(`mta_per_userdomain_template',` nis_use_ypbind($1_mail_t) ') + optional_policy(`nscd.te',` + nscd_use_socket($1_mail_t) + ') + optional_policy(`procmail.te',` procmail_execute($1_mail_t) ') diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index daa8b58..6c2ea5b 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -23,7 +23,7 @@ files_type(mail_spool_t) type sendmail_exec_t; files_type(sendmail_exec_t) -type system_mail_t; #, user_mail_domain, nscd_client_domain; +type system_mail_t; #, user_mail_domain domain_type(system_mail_t) role system_r types system_mail_t; @@ -94,6 +94,10 @@ optional_policy(`nis.te',` nis_use_ypbind(system_mail_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(system_mail_t) +') + optional_policy(`procmail.te',` procmail_exec(system_mail_t) ') diff --git a/refpolicy/policy/modules/services/nscd.fc b/refpolicy/policy/modules/services/nscd.fc new file mode 100644 index 0000000..a21cf11 --- /dev/null +++ b/refpolicy/policy/modules/services/nscd.fc @@ -0,0 +1,9 @@ + +/usr/sbin/nscd -- system_u:object_r:nscd_exec_t + +/var/db/nscd(/.*)? system_u:object_r:nscd_var_run_t + +/var/run/nscd\.pid -- system_u:object_r:nscd_var_run_t +/var/run/\.nscd_socket -s system_u:object_r:nscd_var_run_t + +/var/run/nscd(/.*)? system_u:object_r:nscd_var_run_t diff --git a/refpolicy/policy/modules/services/nscd.if b/refpolicy/policy/modules/services/nscd.if new file mode 100644 index 0000000..4c858a8 --- /dev/null +++ b/refpolicy/policy/modules/services/nscd.if @@ -0,0 +1,112 @@ +## Name service cache daemon + +######################################## +## +## Execute NSCD in the nscd domain. +## +## +## The type of the process performing this action. +## +# +interface(`nscd_domtrans',` + gen_require(` + type nscd_t, nscd_exec_t; + class process sigchld; + class fd use; + class fifo_file rw_file_perms; + ') + + corecmd_search_sbin($1) + domain_auto_trans($1,nscd_exec_t,nscd_t) + + allow $1 nscd_t:fd use; + allow nscd_t $1:fd use; + allow nscd_t $1:fifo_file rw_file_perms; + allow nscd_t $1:process sigchld; +') + +######################################## +## +## Use NSCD services by connecting using +## a unix stream socket. +## +## +## Domain allowed access. +## +# +interface(`nscd_use_socket',` + gen_require(` + type nscd_t, nscd_var_run_t; + class fd use; + class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; + class unix_stream_socket { create_stream_socket_perms connectto }; + class dir { search getattr }; + class sock_file rw_file_perms; + class file { getattr read }; + ') + + allow $1 self:unix_stream_socket create_stream_socket_perms; + + allow $1 nscd_t:unix_stream_socket connectto; + allow $1 nscd_t:nscd { getpwd getgrp gethost }; + dontaudit $1 nscd_t:fd use; + dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; + + files_search_pids($1) + allow $1 nscd_var_run_t:sock_file rw_file_perms; + dontaudit $1 nscd_var_run_t:dir { search getattr }; + dontaudit $1 nscd_var_run_t:file { getattr read }; +') + +######################################## +## +## Use NSCD services by mapping the database from +## an inherited NSCD file descriptor. +## +## +## Domain allowed access. +## +# +interface(`nscd_use_shared_mem',` + gen_require(` + type nscd_t, nscd_var_run_t; + class fd use; + class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost }; + class unix_stream_socket { create_stream_socket_perms connectto }; + class dir r_dir_perms; + class sock_file rw_file_perms; + class file { getattr read }; + ') + + allow $1 nscd_var_run_t:dir r_dir_perms; + allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost }; + + # Receive fd from nscd and map the backing file with read access. + allow $1 nscd_t:fd use; + + # cjp: these were originally inherited from the + # nscd_socket_domain macro. need to investigate + # if they are all actually required + allow $1 self:unix_stream_socket create_stream_socket_perms; + allow $1 nscd_t:unix_stream_socket connectto; + allow $1 nscd_var_run_t:sock_file rw_file_perms; + files_search_pids($1) + allow $1 nscd_t:nscd { getpwd getgrp gethost }; + dontaudit $1 nscd_var_run_t:file { getattr read }; +') + +######################################## +## +## Unconfined access to NSCD services. +## +## +## Domain allowed access. +## +# +interface(`nscd_unconfined',` + gen_require(` + type nscd_t; + ') + + allow $1 nscd_t:nscd *; +') diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te new file mode 100644 index 0000000..4b04a58 --- /dev/null +++ b/refpolicy/policy/modules/services/nscd.te @@ -0,0 +1,125 @@ + +policy_module(nscd,1.0) + +######################################## +# +# Declarations +# + +# nscd is both the client program and the daemon. +type nscd_t; #, userspace_objmgr +type nscd_exec_t; +init_daemon_domain(nscd_t,nscd_exec_t) + +type nscd_var_run_t; +files_pid_file(nscd_var_run_t) + +######################################## +# +# Local policy +# + +allow nscd_t self:capability { kill setgid setuid }; +dontaudit nscd_t self:capability sys_tty_config; +allow nscd_t self:process { getattr setsched }; +allow nscd_t self:unix_stream_socket create_stream_socket_perms; +allow nscd_t self:unix_dgram_socket create_socket_perms; +allow nscd_t self:netlink_selinux_socket create_socket_perms; +allow nscd_t self:netlink_route_socket r_netlink_socket_perms; +allow nscd_t self:tcp_socket create_socket_perms; +allow nscd_t self:udp_socket { connect connected_socket_perms }; +allow nscd_t self:fifo_file { read write }; + +# For client program operation, invoked from sysadm_t. +# Transition occurs to nscd_t due to direct_sysadm_daemon. +# cjp: this should probably be in a direct_sysadm_daemon tunable +allow nscd_t self:nscd { admin getstat }; + +allow nscd_t nscd_var_run_t:file create_file_perms; +allow nscd_t nscd_var_run_t:sock_file create_file_perms; +files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file}) + +kernel_read_kernel_sysctl(nscd_t) +kernel_list_proc(nscd_t) +kernel_read_proc_symlinks(nscd_t) + +dev_read_sysfs(nscd_t) +dev_read_rand(nscd_t) +dev_read_urand(nscd_t) + +fs_getattr_all_fs(nscd_t) +fs_search_auto_mountpoints(nscd_t) + +term_dontaudit_use_console(nscd_t) + +# for when /etc/passwd has just been updated and has the wrong type +auth_getattr_shadow(nscd_t) + +corenet_tcp_sendrecv_all_if(nscd_t) +corenet_udp_sendrecv_all_if(nscd_t) +corenet_raw_sendrecv_all_if(nscd_t) +corenet_tcp_sendrecv_all_nodes(nscd_t) +corenet_udp_sendrecv_all_nodes(nscd_t) +corenet_raw_sendrecv_all_nodes(nscd_t) +corenet_tcp_sendrecv_all_ports(nscd_t) +corenet_udp_sendrecv_all_ports(nscd_t) +corenet_tcp_bind_all_nodes(nscd_t) +corenet_udp_bind_all_nodes(nscd_t) + +domain_use_wide_inherit_fd(nscd_t) + +files_read_etc_files(nscd_t) + +init_use_fd(nscd_t) +init_use_script_pty(nscd_t) + +libs_use_ld_so(nscd_t) +libs_use_shared_libs(nscd_t) + +logging_send_syslog_msg(nscd_t) + +miscfiles_read_localization(nscd_t) + +sysnet_read_config(nscd_t) + +userdom_dontaudit_use_unpriv_user_fd(nscd_t) +userdom_dontaudit_search_sysadm_home_dir(nscd_t) + +ifdef(`targeted_policy', ` + term_dontaudit_use_unallocated_tty(nscd_t) + term_dontaudit_use_generic_pty(nscd_t) + files_dontaudit_read_root_file(nscd_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(nscd_t) +') + +optional_policy(`rhgb.te',` + rhgb_domain(nscd_t) +') + +optional_policy(`selinuxutils.te',` + seutil_sigchld_newrole(nscd_t) +') + +optional_policy(`udev.te', ` + udev_read_db(nscd_t) +') + +ifdef(`TODO',` + +nscd_socket_domain(daemon) + +optional_policy(`winbind.te', ` + # Handle winbind for samba, Might only be needed for targeted policy + + allow nscd_t winbind_var_run_t:sock_file { read write getattr }; + can_unix_connect(nscd_t, winbind_t) + allow nscd_t samba_var_t:dir search; + allow nscd_t winbind_var_run_t:dir { getattr search }; +') + +allow nscd_t tmp_t:dir { search getattr }; +allow nscd_t tmp_t:lnk_file read; +') dnl end TODO diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te index 03c9a63..27f01c9 100644 --- a/refpolicy/policy/modules/services/remotelogin.te +++ b/refpolicy/policy/modules/services/remotelogin.te @@ -6,7 +6,7 @@ policy_module(authlogin,1.0) # Declarations # -type remote_login_t; #, nscd_client_domain; +type remote_login_t; domain_obj_id_change_exempt(remote_login_t) domain_subj_id_change_exempt(remote_login_t) domain_role_change_exempt(remote_login_t) @@ -158,6 +158,10 @@ optional_policy(`nis.te',` nis_use_ypbind(remote_login_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(remote_login_t) +') + optional_policy(`usermanage.te',` usermanage_read_crack_db(remote_login_t) ') diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te index 5460dee..0589320 100644 --- a/refpolicy/policy/modules/services/sendmail.te +++ b/refpolicy/policy/modules/services/sendmail.te @@ -6,7 +6,7 @@ policy_module(sendmail,1.0) # Declarations # -type sendmail_t; # , nscd_client_domain, mta_delivery_agent, mail_server_sender', nosysadm) +type sendmail_t; #, mta_delivery_agent, mail_server_sender', nosysadm) mta_sendmail_mailserver(sendmail_t) type sendmail_log_t; @@ -104,6 +104,10 @@ optional_policy(`nis.te',` nis_use_ypbind(sendmail_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(sendmail_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(sendmail_t) ') diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if index 8b34c0d..24770b8 100644 --- a/refpolicy/policy/modules/services/ssh.if +++ b/refpolicy/policy/modules/services/ssh.if @@ -31,7 +31,7 @@ template(`ssh_per_userdomain_template',` files_type($1_home_ssh_t) role $1_r types $1_ssh_t; - type $1_ssh_t; #, nscd_client_domain; + type $1_ssh_t; domain_type($1_ssh_t) type $1_ssh_agent_t; @@ -170,6 +170,10 @@ template(`ssh_per_userdomain_template',` nis_use_ypbind($1_ssh_t) ') + optional_policy(`nscd.te',` + nscd_use_socket($1_ssh_t) + ') + ifdef(`TODO',` # Read /var. allow $1_ssh_t var_t:dir r_dir_perms; @@ -367,7 +371,7 @@ template(`ssh_per_userdomain_template',` ## # template(`ssh_server_template', ` - type $1_t, ssh_server; #, nscd_client_domain; + type $1_t, ssh_server; role system_r types $1_t; type $1_devpts_t; @@ -480,6 +484,10 @@ template(`ssh_server_template', ` mount_send_nfs_client_request($1_t) ') + optional_policy(`nscd.te',` + nscd_use_socket(crond_t) + ') + ifdef(`TODO',` # Read /var. diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if index 9e2bd4b..89c56c2 100644 --- a/refpolicy/policy/modules/system/authlogin.if +++ b/refpolicy/policy/modules/system/authlogin.if @@ -35,7 +35,7 @@ template(`authlogin_per_userdomain_template',` class fifo_file rw_file_perms; ') - type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain; + type $1_chkpwd_t, can_read_shadow_passwords; domain_type($1_chkpwd_t) domain_entry_file($1_chkpwd_t,chkpwd_exec_t) role $1_r types $1_chkpwd_t; @@ -103,6 +103,10 @@ template(`authlogin_per_userdomain_template',` nis_use_ypbind($1_chkpwd_t) ') + optional_policy(`nscd.te',` + nscd_use_socket($1_chkpwd_t) + ') + optional_policy(`selinuxutil.te',` seutil_use_newrole_fd($1_chkpwd_t) ') @@ -203,17 +207,36 @@ interface(`auth_domtrans_chk_passwd',` ') ######################################## -## -## -## +## +## Get the attributes of the shadow passwords file. +## ## ## The type of the process performing this action. ## # +interface(`auth_getattr_shadow',` + gen_require(` + type shadow_t; + class file getattr; + ') + + files_search_etc($1) + allow $1 shadow_t:file getattr; +') + +######################################## +## +## Do not audit attempts to get the attributes +## of the shadow passwords file. +## +## +## Domain to not audit. +## +# interface(`auth_dontaudit_getattr_shadow',` gen_require(` type shadow_t; - class file stat_file_perms; + class file getattr; ') dontaudit $1 shadow_t:file getattr; diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te index 7ea0080..29f071a 100644 --- a/refpolicy/policy/modules/system/authlogin.te +++ b/refpolicy/policy/modules/system/authlogin.te @@ -29,7 +29,7 @@ role system_r types pam_console_t; domain_entry_file(pam_console_t,pam_console_exec_t) -type pam_t; #, nscd_client_domain; +type pam_t; domain_type(pam_t) role system_r types pam_t; @@ -39,7 +39,7 @@ domain_entry_file(pam_t,pam_exec_t) type pam_tmp_t; files_tmp_file(pam_tmp_t) -type pam_var_console_t; #, nscd_client_domain +type pam_var_console_t; files_type(pam_var_console_t) type pam_var_run_t; @@ -51,12 +51,12 @@ neverallow ~can_read_shadow_passwords shadow_t:file read; neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; -type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain; +type system_chkpwd_t, can_read_shadow_passwords; domain_type(system_chkpwd_t) domain_entry_file(system_chkpwd_t,chkpwd_exec_t) role system_r types system_chkpwd_t; -type utempter_t; #, nscd_client_domain; +type utempter_t; domain_type(utempter_t) type utempter_exec_t; @@ -118,6 +118,10 @@ optional_policy(`nis.te',` nis_use_ypbind(pam_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(pam_t) +') + ifdef(`TODO',` ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;') ') dnl endif TODO @@ -207,6 +211,10 @@ optional_policy(`hotplug.te', ` hotplug_dontaudit_search_config(pam_console_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(pam_console_t) +') + optional_policy(`selinuxutil.te',` seutil_sigchld_newrole(pam_console_t) ') @@ -280,6 +288,10 @@ optional_policy(`nis.te',` nis_use_ypbind(system_chkpwd_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(system_chkpwd_t) +') + ifdef(`TODO',` can_ldap(system_chkpwd_t) ') dnl end TODO @@ -314,6 +326,10 @@ logging_search_logs(utempter_t) # Allow utemper to write to /tmp/.xses-* userdom_write_unpriv_user_tmp(utempter_t) +optional_policy(`nscd.te',` + nscd_use_socket(utempter_t) +') + optional_policy(`xdm.te', ` #allow utempter_t xdm_t:fd use; xdm_use_fd(utempter_t) diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te index 90fca14..295d626 100644 --- a/refpolicy/policy/modules/system/locallogin.te +++ b/refpolicy/policy/modules/system/locallogin.te @@ -6,7 +6,7 @@ policy_module(locallogin,1.0) # Declarations # -type local_login_t; #, nscd_client_domain; +type local_login_t; auth_login_entry_type(local_login_t) domain_type(local_login_t) domain_obj_id_change_exempt(local_login_t) @@ -190,6 +190,10 @@ optional_policy(`nis.te',` nis_use_ypbind(local_login_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(local_login_t) +') + optional_policy(`usermanage.te',` usermanage_read_crack_db(local_login_t) ') diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te index f993778..c2367e1 100644 --- a/refpolicy/policy/modules/system/selinuxutil.te +++ b/refpolicy/policy/modules/system/selinuxutil.te @@ -37,7 +37,7 @@ role system_r types load_policy_t; type load_policy_exec_t; domain_entry_file(load_policy_t,load_policy_exec_t) -type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl; +type newrole_t; # mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl; domain_role_change_exempt(newrole_t) domain_obj_id_change_exempt(newrole_t) domain_type(newrole_t) @@ -244,6 +244,10 @@ optional_policy(`nis.te',` nis_use_ypbind(newrole_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(newrole_t) +') + ifdef(`TODO',` ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;') ') dnl ifdef TODO diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te index 050a8dc..aaa51ce 100644 --- a/refpolicy/policy/modules/system/udev.te +++ b/refpolicy/policy/modules/system/udev.te @@ -6,7 +6,7 @@ policy_module(udev,1.0) # Declarations # -type udev_t; # nscd_client_domain +type udev_t; type udev_exec_t; type udev_helper_exec_t; kernel_userland_entry(udev_t,udev_exec_t) @@ -148,6 +148,10 @@ optional_policy(`hotplug.te',` hotplug_read_config(udev_t) ') +optional_policy(`nscd.te',` + nscd_use_socket(udev_t) +') + optional_policy(`sysnetwork.te',` sysnet_domtrans_dhcpc(udev_t) ') diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if index 6b62a14..6d49f92 100644 --- a/refpolicy/policy/modules/system/unconfined.if +++ b/refpolicy/policy/modules/system/unconfined.if @@ -47,6 +47,10 @@ template(`unconfined_domain_template',` bootloader_manage_kernel_modules($1) ') + optional_policy(`nscd.te', ` + nscd_unconfined($1) + ') + optional_policy(`selinuxutil.te',` seutil_create_binary_pol($1) seutil_relabelto_binary_pol($1) @@ -67,10 +71,6 @@ template(`unconfined_domain_template',` allow $1 system_dbusd_t:dbus *; ') - ifdef(`nscd.te', ` - # Get info via nscd. - allow $1 nscd_t:nscd *; - ') ') dnl end TODO ') diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index e8b6655..cdedb60 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -232,6 +232,10 @@ template(`base_user_template',` nis_use_ypbind($1_t) ') + optional_policy(`nscd.te',` + nscd_use_socket($1_t) + ') + optional_policy(`rpm.te',` files_getattr_var_lib_dir($1_t) files_search_var_lib($1_t) @@ -440,7 +444,7 @@ template(`unpriv_user_template', ` # Inherit rules for ordinary users. base_user_template($1) - typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain; + typeattribute $1_t unpriv_userdomain; #, web_client_domain domain_wide_inherit_fd($1_t) #typeattribute $1_devpts_t userpty_type, user_tty_type; @@ -669,7 +673,7 @@ template(`admin_user_template',` # Inherit rules for ordinary users. base_user_template($1) - typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain; + typeattribute $1_t privhome; #, admin, web_client_domain domain_obj_id_change_exempt($1_t) role system_r types $1_t;