diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 77cfb61..67d7923 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -2,6 +2,8 @@
 	* Doc tool now links directly to the interface/template in the
 	  module page when it is selected in the interface/template index.
 	* Added support for layer summaries.
+	* Added policies:
+		nscd
 
 20050707 (7 Jul 2005)
 	* Changed xml to have modules encapsulated by layer tags, rather
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index fd6c32e..39b6cb8 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -6,7 +6,7 @@ policy_module(logrotate,1.0)
 # Declarations
 #
 
-type logrotate_t; #, priv_system_role, nscd_client_domain;
+type logrotate_t; #, priv_system_role
 domain_type(logrotate_t)
 domain_obj_id_change_exempt(logrotate_t)
 role system_r types logrotate_t;
@@ -122,6 +122,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(logrotate_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(logrotate_t)
+')
+
 ifdef(`TODO',`
 
 #from privmail this needs more work:
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index 857ea94..7c95c5c 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -14,12 +14,12 @@ role system_r types netutils_t;
 type netutils_tmp_t;
 files_tmp_file(netutils_tmp_t)
 
-type ping_t; #, nscd_client_domain;
+type ping_t;
 type ping_exec_t;
 init_system_domain(ping_t,ping_exec_t)
 role system_r types ping_t;
 
-type traceroute_t; #, nscd_client_domain;
+type traceroute_t;
 type traceroute_exec_t;
 init_system_domain(traceroute_t,traceroute_exec_t)
 role system_r types traceroute_t;
@@ -128,14 +128,16 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(ping_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(ping_t)
+')
+
 optional_policy(`sysnetwork.te',`
 	optional_policy(`hotplug.te',`
 		hotplug_use_fd(ping_t)
 	')
 ')
 
-
-
 ifdef(`TODO',`
 in_user_role(ping_t)
 tunable_policy(`user_ping',`
@@ -199,6 +201,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(traceroute_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(traceroute_t)
+')
+
 ifdef(`TODO',`
 in_user_role(traceroute_t)
 tunable_policy(`user_ping',`
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 56fc933..d2b0a15 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -29,7 +29,7 @@ files_type(crack_db_t)
 type crack_tmp_t;
 files_tmp_file(crack_tmp_t)
 
-type groupadd_t; #, nscd_client_domain;
+type groupadd_t;
 type groupadd_exec_t;
 domain_obj_id_change_exempt(groupadd_t)
 init_system_domain(groupadd_t,groupadd_exec_t)
@@ -51,7 +51,7 @@ domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t)
 type sysadm_passwd_tmp_t;
 files_type(sysadm_passwd_tmp_t)
 
-type useradd_t; # nscd_client_domain;
+type useradd_t;
 type useradd_exec_t;
 domain_obj_id_change_exempt(useradd_t)
 init_system_domain(useradd_t,useradd_exec_t)
@@ -252,6 +252,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(groupadd_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(groupadd_t)
+')
+
 optional_policy(`rpm.te',`
 	rpm_use_fd(groupadd_t)
 	rpm_rw_pipe(groupadd_t)
@@ -523,6 +527,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(useradd_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(useradd_t)
+')
+
 optional_policy(`rpm.te',`
 	rpm_use_fd(useradd_t)
 	rpm_rw_pipe(useradd_t)
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 5ac1c30..a1dddfd 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -13,7 +13,7 @@ files_type(anacron_exec_t)
 type cron_spool_t;
 files_type(cron_spool_t)
 
-type crond_t; #, privmail, nscd_client_domain
+type crond_t; #, privmail
 type crond_exec_t;
 init_daemon_domain(crond_t,crond_exec_t)
 domain_wide_inherit_fd(crond_t)
@@ -31,7 +31,7 @@ type crontab_exec_t;
 files_type(crontab_exec_t)
 
 type system_cron_spool_t;
-type system_crond_t; #, privmail, nscd_client_domain;
+type system_crond_t; #, privmail
 init_daemon_domain(system_crond_t,anacron_exec_t)
 corecmd_shell_entry_type(system_crond_t)
 role system_r types system_crond_t;
@@ -141,6 +141,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(crond_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(crond_t)
+')
+
 optional_policy(`rpm.te',`
 	# Commonly used from postinst scripts
 	rpm_read_pipe(crond_t)
@@ -310,6 +314,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(system_crond_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(system_crond_t)
+')
+
 ifdef(`TODO',`
 dontaudit userdomain system_crond_t:fd use;
 
diff --git a/refpolicy/policy/modules/services/inetd.te b/refpolicy/policy/modules/services/inetd.te
index 28691d7..9919d1d 100644
--- a/refpolicy/policy/modules/services/inetd.te
+++ b/refpolicy/policy/modules/services/inetd.te
@@ -19,7 +19,7 @@ files_tmp_file(inetd_tmp_t)
 type inetd_var_run_t;
 files_pid_file(inetd_var_run_t)
 
-type inetd_child_t; #, nscd_client_domain;
+type inetd_child_t;
 type inetd_child_exec_t;
 inetd_service_domain(inetd_child_t,inetd_child_exec_t)
 role system_r types inetd_child_t;
@@ -218,3 +218,7 @@ optional_policy(`kerberos.te',`
 optional_policy(`nis.te',`
 	nis_use_ypbind(inetd_child_t)
 ')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(inetd_child_t)
+')
diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if
index 665b6b8..1b4ffd7 100644
--- a/refpolicy/policy/modules/services/mta.if
+++ b/refpolicy/policy/modules/services/mta.if
@@ -7,7 +7,7 @@
 # mta_per_userdomain_template(userdomain_prefix)
 #
 template(`mta_per_userdomain_template',`
-	type $1_mail_t; # , user_mail_domain, nscd_client_domain;
+	type $1_mail_t; # , user_mail_domain
 	domain_type($1_mail_t)
 	role $1_r types $1_mail_t;
 
@@ -81,6 +81,10 @@ template(`mta_per_userdomain_template',`
 		nis_use_ypbind($1_mail_t)
 	')
 
+	optional_policy(`nscd.te',`
+		nscd_use_socket($1_mail_t)
+	')
+
 	optional_policy(`procmail.te',`
 		procmail_execute($1_mail_t)
 	')
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index daa8b58..6c2ea5b 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -23,7 +23,7 @@ files_type(mail_spool_t)
 type sendmail_exec_t;
 files_type(sendmail_exec_t)
 
-type system_mail_t; #, user_mail_domain, nscd_client_domain;
+type system_mail_t; #, user_mail_domain
 domain_type(system_mail_t)
 role system_r types system_mail_t;
 
@@ -94,6 +94,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(system_mail_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(system_mail_t)
+')
+
 optional_policy(`procmail.te',`
 	procmail_exec(system_mail_t)
 ')
diff --git a/refpolicy/policy/modules/services/nscd.fc b/refpolicy/policy/modules/services/nscd.fc
new file mode 100644
index 0000000..a21cf11
--- /dev/null
+++ b/refpolicy/policy/modules/services/nscd.fc
@@ -0,0 +1,9 @@
+
+/usr/sbin/nscd		--	system_u:object_r:nscd_exec_t
+
+/var/db/nscd(/.*)?		system_u:object_r:nscd_var_run_t
+
+/var/run/nscd\.pid	--	system_u:object_r:nscd_var_run_t
+/var/run/\.nscd_socket	-s	system_u:object_r:nscd_var_run_t
+
+/var/run/nscd(/.*)?		system_u:object_r:nscd_var_run_t
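Review bot: The two `(/.*)?` entries label the directories `/var/db/nscd` and `/var/run/nscd` themselves as `nscd_var_run_t`, but nscd.te in this same commit gives `nscd_t` only `file` and `sock_file` permissions on that type. Unless `files_create_pid` or `init_daemon_domain` supplies directory access (not visible here), creating the socket, pid file or cache files inside those directories would be denied. Consider adding a rule such as `allow nscd_t nscd_var_run_t:dir rw_dir_perms;` to nscd.te. A short comment explaining why the persistent cache under `/var/db` shares the runtime type would also help.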
diff --git a/refpolicy/policy/modules/services/nscd.if b/refpolicy/policy/modules/services/nscd.if
new file mode 100644
index 0000000..4c858a8
--- /dev/null
+++ b/refpolicy/policy/modules/services/nscd.if
@@ -0,0 +1,112 @@
+## <summary>Name service cache daemon</summary>
+
+########################################
+## <summary>
+##	Execute NSCD in the nscd domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`nscd_domtrans',`
+	gen_require(`
+		type nscd_t, nscd_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,nscd_exec_t,nscd_t)
+
+	allow $1 nscd_t:fd use;
+	allow nscd_t $1:fd use;
+	allow nscd_t $1:fifo_file rw_file_perms;
+	allow nscd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Use NSCD services by connecting using
+##	a unix stream socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`nscd_use_socket',`
+	gen_require(`
+		type nscd_t, nscd_var_run_t;
+		class fd use;
+		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+		class unix_stream_socket { create_stream_socket_perms connectto };
+		class dir { search getattr };
+		class sock_file rw_file_perms;
+		class file { getattr read };
+	')
+
+	allow $1 self:unix_stream_socket create_stream_socket_perms;
+
+	allow $1 nscd_t:unix_stream_socket connectto;
+	allow $1 nscd_t:nscd { getpwd getgrp gethost };
+	dontaudit $1 nscd_t:fd use;
+	dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
+
+	files_search_pids($1)
+	allow $1 nscd_var_run_t:sock_file rw_file_perms;
+	dontaudit $1 nscd_var_run_t:dir { search getattr };
+	dontaudit $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Use NSCD services by mapping the database from
+##	an inherited NSCD file descriptor.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`nscd_use_shared_mem',`
+	gen_require(`
+		type nscd_t, nscd_var_run_t;
+		class fd use;
+		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+		class unix_stream_socket { create_stream_socket_perms connectto };
+		class dir r_dir_perms;
+		class sock_file rw_file_perms;
+		class file { getattr read };
+	')
+
+	allow $1 nscd_var_run_t:dir r_dir_perms;
+	allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
+
+	# Receive fd from nscd and map the backing file with read access.
+	allow $1 nscd_t:fd use;
+
+	# cjp: these were originally inherited from the
+	# nscd_socket_domain macro.  need to investigate
+	# if they are all actually required
+	allow $1 self:unix_stream_socket create_stream_socket_perms;
+	allow $1 nscd_t:unix_stream_socket connectto;
+	allow $1 nscd_var_run_t:sock_file rw_file_perms;
+	files_search_pids($1)
+	allow $1 nscd_t:nscd { getpwd getgrp gethost };
+	dontaudit $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Unconfined access to NSCD services.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`nscd_unconfined',`
+	gen_require(`
+		type nscd_t;
+	')
+
+	allow $1 nscd_t:nscd *;
+')
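Review bot: `nscd_unconfined` uses the `nscd` class in its `allow $1 nscd_t:nscd *;` rule, but its `gen_require` names only `type nscd_t`, whereas every other interface in this file declares each class and permission it uses. Add `class nscd { getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost };` to the require block. Because `*` also covers `admin` and `getstat`, the summary should say that callers gain administrative control of the cache daemon, not only lookups, so reviewers of calling modules can see what they are granting.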
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
new file mode 100644
index 0000000..4b04a58
--- /dev/null
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -0,0 +1,125 @@
+
+policy_module(nscd,1.0)
+
+########################################
+#
+# Declarations
+#
+
+# nscd is both the client program and the daemon.
+type nscd_t; #, userspace_objmgr
+type nscd_exec_t;
+init_daemon_domain(nscd_t,nscd_exec_t)
+
+type nscd_var_run_t;
+files_pid_file(nscd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow nscd_t self:capability { kill setgid setuid };
+dontaudit nscd_t self:capability sys_tty_config;
+allow nscd_t self:process { getattr setsched };
+allow nscd_t self:unix_stream_socket create_stream_socket_perms;
+allow nscd_t self:unix_dgram_socket create_socket_perms;
+allow nscd_t self:netlink_selinux_socket create_socket_perms;
+allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
+allow nscd_t self:tcp_socket create_socket_perms;
+allow nscd_t self:udp_socket { connect connected_socket_perms };
+allow nscd_t self:fifo_file { read write };
+
+# For client program operation, invoked from sysadm_t.
+# Transition occurs to nscd_t due to direct_sysadm_daemon. 
+# cjp: this should probably be in a direct_sysadm_daemon tunable
+allow nscd_t self:nscd { admin getstat };
+
+allow nscd_t nscd_var_run_t:file create_file_perms;
+allow nscd_t nscd_var_run_t:sock_file create_file_perms;
+files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file})
+
+kernel_read_kernel_sysctl(nscd_t)
+kernel_list_proc(nscd_t)
+kernel_read_proc_symlinks(nscd_t)
+
+dev_read_sysfs(nscd_t)
+dev_read_rand(nscd_t)
+dev_read_urand(nscd_t)
+
+fs_getattr_all_fs(nscd_t)
+fs_search_auto_mountpoints(nscd_t)
+
+term_dontaudit_use_console(nscd_t)
+
+# for when /etc/passwd has just been updated and has the wrong type
+auth_getattr_shadow(nscd_t)
+
+corenet_tcp_sendrecv_all_if(nscd_t)
+corenet_udp_sendrecv_all_if(nscd_t)
+corenet_raw_sendrecv_all_if(nscd_t)
+corenet_tcp_sendrecv_all_nodes(nscd_t)
+corenet_udp_sendrecv_all_nodes(nscd_t)
+corenet_raw_sendrecv_all_nodes(nscd_t)
+corenet_tcp_sendrecv_all_ports(nscd_t)
+corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_tcp_bind_all_nodes(nscd_t)
+corenet_udp_bind_all_nodes(nscd_t)
+
+domain_use_wide_inherit_fd(nscd_t)
+
+files_read_etc_files(nscd_t)
+
+init_use_fd(nscd_t)
+init_use_script_pty(nscd_t)
+
+libs_use_ld_so(nscd_t)
+libs_use_shared_libs(nscd_t)
+
+logging_send_syslog_msg(nscd_t)
+
+miscfiles_read_localization(nscd_t)
+
+sysnet_read_config(nscd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(nscd_t)
+userdom_dontaudit_search_sysadm_home_dir(nscd_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_tty(nscd_t)
+	term_dontaudit_use_generic_pty(nscd_t)
+	files_dontaudit_read_root_file(nscd_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(nscd_t)
+')
+
+optional_policy(`rhgb.te',`
+	rhgb_domain(nscd_t)
+')
+
+optional_policy(`selinuxutils.te',`
+	seutil_sigchld_newrole(nscd_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(nscd_t)
+')
+
+ifdef(`TODO',`
+
+nscd_socket_domain(daemon)
+
+optional_policy(`winbind.te', `
+	# Handle winbind for samba, Might only be needed for targeted policy
+
+	allow nscd_t winbind_var_run_t:sock_file { read write getattr };
+	can_unix_connect(nscd_t, winbind_t)
+	allow nscd_t samba_var_t:dir search;
+	allow nscd_t winbind_var_run_t:dir { getattr search };
+')
+
+allow nscd_t tmp_t:dir { search getattr };
+allow nscd_t tmp_t:lnk_file read;
+') dnl end TODO
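Review bot: The optional_policy block that calls `seutil_sigchld_newrole(nscd_t)` is keyed on `selinuxutils.te`, while every other file in this commit, and the module's own path, spell it `selinuxutil.te`. If the key is matched against the module file name, the block is never enabled, so the key should be `selinuxutil.te`. Separately, `corenet_raw_sendrecv_all_if` and `corenet_raw_sendrecv_all_nodes` are granted although the local rules give `nscd_t` only tcp, udp, unix and netlink sockets on `self`. They look removable unless a raw socket is really needed; if it is, a why-comment would document the exception.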
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 03c9a63..27f01c9 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -6,7 +6,7 @@ policy_module(authlogin,1.0)
 # Declarations
 #
 
-type remote_login_t; #, nscd_client_domain;
+type remote_login_t;
 domain_obj_id_change_exempt(remote_login_t)
 domain_subj_id_change_exempt(remote_login_t)
 domain_role_change_exempt(remote_login_t)
@@ -158,6 +158,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(remote_login_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(remote_login_t)
+')
+
 optional_policy(`usermanage.te',`
 	usermanage_read_crack_db(remote_login_t)
 ')
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 5460dee..0589320 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -6,7 +6,7 @@ policy_module(sendmail,1.0)
 # Declarations
 #
 
-type sendmail_t; # , nscd_client_domain, mta_delivery_agent, mail_server_sender', nosysadm)
+type sendmail_t; #, mta_delivery_agent, mail_server_sender', nosysadm)
 mta_sendmail_mailserver(sendmail_t)
 
 type sendmail_log_t;
@@ -104,6 +104,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(sendmail_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(sendmail_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(sendmail_t)
 ')
diff --git a/refpolicy/policy/modules/services/ssh.if b/refpolicy/policy/modules/services/ssh.if
index 8b34c0d..24770b8 100644
--- a/refpolicy/policy/modules/services/ssh.if
+++ b/refpolicy/policy/modules/services/ssh.if
@@ -31,7 +31,7 @@ template(`ssh_per_userdomain_template',`
 	files_type($1_home_ssh_t)
 	role $1_r types $1_ssh_t;
 
-	type $1_ssh_t; #, nscd_client_domain;
+	type $1_ssh_t;
 	domain_type($1_ssh_t)
 
 	type $1_ssh_agent_t;
@@ -170,6 +170,10 @@ template(`ssh_per_userdomain_template',`
 		nis_use_ypbind($1_ssh_t)
 	')
 
+	optional_policy(`nscd.te',`
+		nscd_use_socket($1_ssh_t)
+	')
+
 	ifdef(`TODO',`
 	# Read /var.
 	allow $1_ssh_t var_t:dir r_dir_perms;
@@ -367,7 +371,7 @@ template(`ssh_per_userdomain_template',`
 ## </param>
 #
 template(`ssh_server_template', `
-	type $1_t, ssh_server; #, nscd_client_domain;
+	type $1_t, ssh_server;
 	role system_r types $1_t;
 
 	type $1_devpts_t;
@@ -480,6 +484,10 @@ template(`ssh_server_template', `
 		mount_send_nfs_client_request($1_t)
 	')
 
+	optional_policy(`nscd.te',`
+		nscd_use_socket(crond_t)
+	')
+
 	ifdef(`TODO',`
 
 	# Read /var.
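Review bot: The new optional block in `ssh_server_template` calls `nscd_use_socket(crond_t)`, which looks like a copy-paste from cron.te. As written, the template's own domain `$1_t` never receives nscd access, and `crond_t` is granted it from a template that does not otherwise reference that type. The line should read `nscd_use_socket($1_t)`. The template body starts and ends outside this hunk.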
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 9e2bd4b..89c56c2 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -35,7 +35,7 @@ template(`authlogin_per_userdomain_template',`
 		class fifo_file rw_file_perms;
 	')
 
-	type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
+	type $1_chkpwd_t, can_read_shadow_passwords;
 	domain_type($1_chkpwd_t)
 	domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
 	role $1_r types $1_chkpwd_t;
@@ -103,6 +103,10 @@ template(`authlogin_per_userdomain_template',`
 		nis_use_ypbind($1_chkpwd_t)
 	')
 
+	optional_policy(`nscd.te',`
+		nscd_use_socket($1_chkpwd_t)
+	')
+
 	optional_policy(`selinuxutil.te',`
 		seutil_use_newrole_fd($1_chkpwd_t)
 	')
@@ -203,17 +207,36 @@ interface(`auth_domtrans_chk_passwd',`
 ')
 
 ########################################
-## <desc>
-##	
-## </desc>
+## <summary>
+##	Get the attributes of the shadow passwords file.
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 #
+interface(`auth_getattr_shadow',`
+	gen_require(`
+		type shadow_t;
+		class file getattr;
+	')
+
+	files_search_etc($1)
+	allow $1 shadow_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of the shadow passwords file.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
 interface(`auth_dontaudit_getattr_shadow',`
 	gen_require(`
 		type shadow_t;
-		class file stat_file_perms;
+		class file getattr;
 	')
 
 	dontaudit $1 shadow_t:file getattr;
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 7ea0080..29f071a 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -29,7 +29,7 @@ role system_r types pam_console_t;
 
 domain_entry_file(pam_console_t,pam_console_exec_t)
 
-type pam_t; #, nscd_client_domain;
+type pam_t;
 domain_type(pam_t)
 role system_r types pam_t;
 
@@ -39,7 +39,7 @@ domain_entry_file(pam_t,pam_exec_t)
 type pam_tmp_t;
 files_tmp_file(pam_tmp_t)
 
-type pam_var_console_t; #, nscd_client_domain
+type pam_var_console_t;
 files_type(pam_var_console_t)
 
 type pam_var_run_t;
@@ -51,12 +51,12 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
 
-type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
+type system_chkpwd_t, can_read_shadow_passwords;
 domain_type(system_chkpwd_t)
 domain_entry_file(system_chkpwd_t,chkpwd_exec_t)
 role system_r types system_chkpwd_t;
 
-type utempter_t; #, nscd_client_domain;
+type utempter_t;
 domain_type(utempter_t)
 
 type utempter_exec_t;
@@ -118,6 +118,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(pam_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(pam_t)
+')
+
 ifdef(`TODO',`
 ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
 ') dnl endif TODO
@@ -207,6 +211,10 @@ optional_policy(`hotplug.te', `
 	hotplug_dontaudit_search_config(pam_console_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(pam_console_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(pam_console_t)
 ')
@@ -280,6 +288,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(system_chkpwd_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(system_chkpwd_t)
+')
+
 ifdef(`TODO',`
 can_ldap(system_chkpwd_t)
 ') dnl end TODO
@@ -314,6 +326,10 @@ logging_search_logs(utempter_t)
 # Allow utemper to write to /tmp/.xses-*
 userdom_write_unpriv_user_tmp(utempter_t)
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(utempter_t)
+')
+
 optional_policy(`xdm.te', `
 	#allow utempter_t xdm_t:fd use;
 	xdm_use_fd(utempter_t)
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 90fca14..295d626 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -6,7 +6,7 @@ policy_module(locallogin,1.0)
 # Declarations
 #
 
-type local_login_t; #, nscd_client_domain;
+type local_login_t;
 auth_login_entry_type(local_login_t)
 domain_type(local_login_t)
 domain_obj_id_change_exempt(local_login_t)
@@ -190,6 +190,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(local_login_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(local_login_t)
+')
+
 optional_policy(`usermanage.te',`
 	usermanage_read_crack_db(local_login_t)
 ')
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index f993778..c2367e1 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -37,7 +37,7 @@ role system_r types load_policy_t;
 type load_policy_exec_t;
 domain_entry_file(load_policy_t,load_policy_exec_t)
 
-type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+type newrole_t; # mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
 domain_role_change_exempt(newrole_t)
 domain_obj_id_change_exempt(newrole_t)
 domain_type(newrole_t)
@@ -244,6 +244,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(newrole_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(newrole_t)
+')
+
 ifdef(`TODO',`
 ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
 ') dnl ifdef TODO
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 050a8dc..aaa51ce 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -6,7 +6,7 @@ policy_module(udev,1.0)
 # Declarations
 #
 
-type udev_t; # nscd_client_domain
+type udev_t;
 type udev_exec_t;
 type udev_helper_exec_t;
 kernel_userland_entry(udev_t,udev_exec_t)
@@ -148,6 +148,10 @@ optional_policy(`hotplug.te',`
 	hotplug_read_config(udev_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(udev_t)
+')
+
 optional_policy(`sysnetwork.te',`
 	sysnet_domtrans_dhcpc(udev_t)
 ')
diff --git a/refpolicy/policy/modules/system/unconfined.if b/refpolicy/policy/modules/system/unconfined.if
index 6b62a14..6d49f92 100644
--- a/refpolicy/policy/modules/system/unconfined.if
+++ b/refpolicy/policy/modules/system/unconfined.if
@@ -47,6 +47,10 @@ template(`unconfined_domain_template',`
 		bootloader_manage_kernel_modules($1)
 	')
 
+	optional_policy(`nscd.te', `
+		nscd_unconfined($1)
+	')
+
 	optional_policy(`selinuxutil.te',`
 		seutil_create_binary_pol($1)
 		seutil_relabelto_binary_pol($1)
@@ -67,10 +71,6 @@ template(`unconfined_domain_template',`
 		allow $1 system_dbusd_t:dbus *;
 	')
 
-	ifdef(`nscd.te', `
-		# Get info via nscd.
-		allow $1 nscd_t:nscd *;
-	')
 	') dnl end TODO
 ')
 
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index e8b6655..cdedb60 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -232,6 +232,10 @@ template(`base_user_template',`
 		nis_use_ypbind($1_t)
 	')
 
+	optional_policy(`nscd.te',`
+		nscd_use_socket($1_t)
+	')
+
 	optional_policy(`rpm.te',`
 		files_getattr_var_lib_dir($1_t)
 		files_search_var_lib($1_t)
@@ -440,7 +444,7 @@ template(`unpriv_user_template', `
 	# Inherit rules for ordinary users.
 	base_user_template($1)
 
-	typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
+	typeattribute $1_t unpriv_userdomain; #, web_client_domain
 	domain_wide_inherit_fd($1_t)
 
 	#typeattribute $1_devpts_t userpty_type, user_tty_type;
@@ -669,7 +673,7 @@ template(`admin_user_template',`
 	# Inherit rules for ordinary users.
 	base_user_template($1)
 
-	typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
+	typeattribute $1_t privhome; #, admin, web_client_domain
 	domain_obj_id_change_exempt($1_t)
 	role system_r types $1_t;