diff --git a/policy/modules/services/sssd.fc b/policy/modules/services/sssd.fc
index 2aad570..4271815 100644
--- a/policy/modules/services/sssd.fc
+++ b/policy/modules/services/sssd.fc
@@ -4,6 +4,8 @@
 /var/lib/sss(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
-/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/var/lib/sss/pubconf(/.*)? gen_context(system_u:object_r:sssd_public_t,s0)
+
+/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)
 /var/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 47913d6..5eff513 100644
--- a/policy/modules/services/sssd.if
+++ b/policy/modules/services/sssd.if
@@ -38,6 +38,25 @@ interface(`sssd_initrc_domtrans',`
 ########################################
 ##
+## Read sssd public files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sssd_read_public_files',`
+ gen_require(`
+ type sssd_public_t;
+ ')
+
+ sssd_search_lib($1)
+ read_files_pattern($1, sssd_public_t, sssd_public_t)
+')
+
+########################################
+##
 ## Read sssd PID files.
 ##
 ##
@@ -95,6 +114,25 @@ interface(`sssd_search_lib',`
 ########################################
 ##
+## Do not audit attempts to search sssd lib directories.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`sssd_dontaudit_search_lib',`
+ gen_require(`
+ type sssd_var_lib_t;
+ ')
+
+ dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
 ## Read sssd lib files.
 ##
 ##
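Review bot: The new `/var/log/sssd` entry references `sssd_var_log_t`, but no hunk in this diff declares that type or grants sssd_t access to it; if it was already declared in sssd.te before this commit the entry is a plain label fix, otherwise the module will not build. Either way, files already present under /var/log/sssd keep their old sssd_var_lib_t label until they are relabeled, so a note in the commit message or a comment above the entry stating that a relabel of /var/log/sssd is required would save the next person a confusing denial.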
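Review bot: `sssd_dontaudit_search_lib` adds an allow rule through `files_search_var_lib($1)` even though the interface is documented as a dontaudit; a caller that only wants denials silenced silently gains search on the /var/lib directory type as well. Dropping that line and leaving only `dontaudit $1 sssd_var_lib_t:dir search_dir_perms;` keeps the interface to what its summary promises. If the search on /var/lib is genuinely needed by callers, it belongs in the caller's policy or in `sssd_search_lib`, which already grants it.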
@@ -196,16 +234,13 @@ interface(`sssd_stream_connect',`
 #
 interface(`sssd_admin',`
 gen_require(`
- type sssd_t;
+ type sssd_t, sssd_public_t;
+ type sssd_initrc_exec_t;
 ')
 allow $1 sssd_t:process { ptrace signal_perms getattr };
 read_files_pattern($1, sssd_t, sssd_t)
- gen_require(`
- type sssd_initrc_exec_t;
- ')
-
 # Allow sssd_t to restart the apache service
 sssd_initrc_domtrans($1)
 domain_system_change_exemption($1)
@@ -215,4 +250,6 @@ interface(`sssd_admin',`
 sssd_manage_pids($1)
 sssd_manage_lib_files($1)
+
+ admin_pattern($1, sssd_public_t)
 ')
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
index 059bb6f..d47425e 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -1,5 +1,5 @@
-policy_module(sssd, 1.0.1)
+policy_module(sssd, 1.0.2)
 ########################################
 #
@@ -13,6 +13,9 @@ init_daemon_domain(sssd_t, sssd_exec_t)
 type sssd_initrc_exec_t;
 init_script_file(sssd_initrc_exec_t)
+type sssd_public_t;
+files_pid_file(sssd_public_t)
+
 type sssd_var_lib_t;
 files_type(sssd_var_lib_t)
@@ -26,11 +29,14 @@ files_pid_file(sssd_var_run_t)
 #
 # sssd local policy
 #
-allow sssd_t self:capability { sys_nice setgid setuid };
-allow sssd_t self:process { setsched signal getsched };
+allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
 allow sssd_t self:fifo_file rw_file_perms;
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
+manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+
 manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
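Review bot: The context comment `# Allow sssd_t to restart the apache service` inside sssd_admin is a stale copy from another module: the rule below it, `sssd_initrc_domtrans($1)`, lets the admin domain `$1` run the sssd init script; it has nothing to do with apache or with sssd_t as the subject. Since this commit already reworks the interface's gen_require block, it is a good moment to change that line to `# Allow $1 to run the sssd init script`. The rest of sssd_admin continues outside this hunk.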
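Review bot: `files_pid_file(sssd_public_t)` declares the new type as a PID-file type, while its only file context in this diff is `/var/lib/sss/pubconf(/.*)?` under /var/lib. As far as I recall refpolicy, files_pid_file attaches the `pidfile` attribute, so every domain that uses the `files_*_all_pids` interfaces would get the matching access to the public config files, which is wider than the new `sssd_read_public_files` interface implies. `files_type(sssd_public_t)` matches the on-disk location; if the pidfile attribute is deliberate (for example because the directory lives under /var/run on some builds), a comment above the declaration saying so would keep the next reviewer from flagging it.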
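Review bot: The capability rule now grants `dac_override` next to `dac_read_search`, plus `kill` and the `sigkill` process permission, and nothing in the hunk records which denial required them; dac_override is the broader of the two DAC capabilities (it also bypasses write and execute checks), and the usual refpolicy practice is to grant dac_read_search alone unless a write denial was actually observed. A comment above the rule naming the trigger for each, along the lines of `# dac_override: <reason>; kill/sigkill: <reason>` with the real reasons filled in, would let a later audit narrow the set. The `setfscreate` addition pairs with the selinux_validate_context and seutil_read_file_contexts rules in the next hunk and looks consistent.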
@@ -49,12 +55,21 @@ corecmd_exec_bin(sssd_t)
 dev_read_urand(sssd_t)
+domain_read_all_domains_state(sssd_t)
+domain_obj_id_change_exemption(sssd_t)
+
 files_list_tmp(sssd_t)
 files_read_etc_files(sssd_t)
 files_read_usr_files(sssd_t)
 fs_list_inotifyfs(sssd_t)
+selinux_validate_context(sssd_t)
+
+seutil_read_file_contexts(sssd_t)
+
+mls_file_read_to_clearance(sssd_t)
+
 auth_use_nsswitch(sssd_t)
 auth_domtrans_chk_passwd(sssd_t)
 auth_domtrans_upd_passwd(sssd_t)
@@ -70,3 +85,7 @@ optional_policy(`
 dbus_system_bus_client(sssd_t)
 dbus_connect_system_bus(sssd_t)
 ')
+
+optional_policy(`
+ kerberos_manage_host_rcache(sssd_t)
+')
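Review bot: `domain_obj_id_change_exemption(sssd_t)` together with the `setfscreate` process permission added in the previous hunk lets sssd_t create objects under a context of its own choosing rather than the one file_contexts would assign, and `domain_read_all_domains_state(sssd_t)` exposes the /proc state of every domain; neither line says which sssd feature needs it, and these are the two most privileged grants in the commit. A comment above each naming the use case, e.g. `# obj_id_change_exemption/setfscreate: <which files sssd labels>` with the real reason filled in, would document the exemption for the next audit. The selinux_validate_context and seutil_read_file_contexts lines are the expected companions of setfscreate and need no comment.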