add nscd_socket_use() to auth_use_nsswitch() since it caches nss lookups.
This commit is contained in:
parent
2ed690dd9b
commit
3ef029db7c
@ -1,3 +1,4 @@
|
||||
- Add nscd_socket_use() to auth_use_nsswitch().
|
||||
- Remove old selopt rules.
|
||||
- Full support for netfilter_contexts.
|
||||
- MRTG patch for daemon operation from Stefan.
|
||||
|
@ -119,10 +119,6 @@ template(`su_restricted_domain_template', `
|
||||
kerberos_use($1_su_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_su_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# Caused by su - init scripts
|
||||
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
|
||||
@ -302,10 +298,6 @@ template(`su_per_userdomain_template',`
|
||||
kerberos_use($1_su_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_su_t)
|
||||
')
|
||||
|
||||
# Modify .Xauthority file (via xauth program).
|
||||
optional_policy(`
|
||||
# file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
|
||||
|
@ -255,13 +255,8 @@ optional_policy(`
|
||||
dpkg_rw_pipes(groupadd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(groupadd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_exec(groupadd_t)
|
||||
nscd_socket_use(groupadd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -530,13 +525,8 @@ optional_policy(`
|
||||
dpkg_rw_pipes(useradd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(useradd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_exec(useradd_t)
|
||||
nscd_socket_use(useradd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -268,7 +268,6 @@ miscfiles_read_certs(httpd_t)
|
||||
|
||||
seutil_dontaudit_search_config(httpd_t)
|
||||
|
||||
sysnet_use_ldap(httpd_t)
|
||||
sysnet_read_config(httpd_t)
|
||||
|
||||
userdom_use_unpriv_users_fds(httpd_t)
|
||||
@ -411,10 +410,6 @@ optional_policy(`
|
||||
nagios_domtrans_cgi(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(httpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
openca_domtrans(httpd_t)
|
||||
openca_signal(httpd_t)
|
||||
|
@ -38,7 +38,6 @@ allow system_dbusd_t self:dbus { send_msg acquire_svc };
|
||||
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
|
||||
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
# Receive notifications of policy reloads and enforcing status changes.
|
||||
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
|
||||
|
||||
@ -103,7 +102,6 @@ libs_use_shared_libs(system_dbusd_t)
|
||||
logging_send_syslog_msg(system_dbusd_t)
|
||||
|
||||
miscfiles_read_localization(system_dbusd_t)
|
||||
miscfiles_read_certs(system_dbusd_t)
|
||||
|
||||
seutil_read_config(system_dbusd_t)
|
||||
seutil_read_default_contexts(system_dbusd_t)
|
||||
@ -130,10 +128,6 @@ optional_policy(`
|
||||
bind_domtrans(system_dbusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(system_dbusd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
sysnet_domtrans_dhcpc(system_dbusd_t)
|
||||
')
|
||||
|
@ -193,8 +193,6 @@ miscfiles_read_localization(dovecot_auth_t)
|
||||
|
||||
seutil_dontaudit_search_config(dovecot_auth_t)
|
||||
|
||||
sysnet_dns_name_resolve(dovecot_auth_t)
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use(dovecot_auth_t)
|
||||
')
|
||||
@ -202,11 +200,3 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
logging_send_syslog_msg(dovecot_auth_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(dovecot_auth_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(dovecot_auth_t)
|
||||
')
|
||||
|
@ -243,10 +243,6 @@ optional_policy(`
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(ftpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(ftpd_t)
|
||||
')
|
||||
|
@ -209,14 +209,6 @@ optional_policy(`
|
||||
mount_domtrans(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(hald_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ntp_domtrans(hald_t)
|
||||
')
|
||||
|
@ -123,14 +123,6 @@ optional_policy(`
|
||||
daemontools_service_domain(mysqld_t, mysqld_exec_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(mysqld_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(mysqld_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(mysqld_t)
|
||||
')
|
||||
|
@ -138,18 +138,6 @@ optional_policy(`
|
||||
logrotate_exec(ntpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(ntpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(ntpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind(ntpd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(ntpd_t)
|
||||
')
|
||||
|
@ -137,10 +137,6 @@ optional_policy(`
|
||||
logging_send_syslog_msg(pegasus_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(pegasus_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rpm_exec(pegasus_t)
|
||||
')
|
||||
|
@ -86,10 +86,6 @@ optional_policy(`
|
||||
logging_send_syslog_msg(procmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(procmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# for a bug in the postfix local program
|
||||
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
|
||||
|
@ -126,7 +126,3 @@ ifdef(`targeted_policy',`
|
||||
optional_policy(`
|
||||
logging_send_syslog_msg(pyzord_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(pyzord_t)
|
||||
')
|
||||
|
@ -321,14 +321,6 @@ optional_policy(`
|
||||
kerberos_use(smbd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(smbd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(smbd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rpc_search_nfs_state_data(smbd_t)
|
||||
')
|
||||
|
@ -89,10 +89,6 @@ ifdef(`targeted_policy',`
|
||||
files_dontaudit_read_root_files(xfs_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(xfs_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(xfs_t)
|
||||
')
|
||||
|
@ -40,40 +40,26 @@ template(`authlogin_common_auth_domain_template',`
|
||||
dev_read_rand($1_chkpwd_t)
|
||||
dev_read_urand($1_chkpwd_t)
|
||||
|
||||
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
|
||||
|
||||
libs_use_ld_so($1_chkpwd_t)
|
||||
libs_use_shared_libs($1_chkpwd_t)
|
||||
|
||||
files_read_etc_files($1_chkpwd_t)
|
||||
# for nscd
|
||||
files_dontaudit_search_var($1_chkpwd_t)
|
||||
|
||||
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
|
||||
|
||||
auth_use_nsswitch($1_chkpwd_t)
|
||||
|
||||
libs_use_ld_so($1_chkpwd_t)
|
||||
libs_use_shared_libs($1_chkpwd_t)
|
||||
|
||||
logging_send_syslog_msg($1_chkpwd_t)
|
||||
|
||||
miscfiles_read_certs($1_chkpwd_t)
|
||||
miscfiles_read_localization($1_chkpwd_t)
|
||||
|
||||
seutil_read_config($1_chkpwd_t)
|
||||
|
||||
sysnet_dns_name_resolve($1_chkpwd_t)
|
||||
sysnet_use_ldap($1_chkpwd_t)
|
||||
|
||||
optional_policy(`
|
||||
kerberos_use($1_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind($1_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1_chkpwd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind($1_chkpwd_t)
|
||||
')
|
||||
')
|
||||
|
||||
#######################################
|
||||
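Review bot: The rendered hunk does not mark which of the 40 old lines survive, but the header's drop from 40 to 26 lines means rules beyond the optional nis/nscd/winbind blocks were taken out of `$1_chkpwd_t`, and `files_read_etc_files($1_chkpwd_t)` together with the `# for nscd` / `files_dontaudit_search_var($1_chkpwd_t)` pair appear only on what looks like the old side. auth_use_nsswitch covers the optional blocks shown in the -1340 hunk, but whether it also grants reading /etc (nss_files) and searching /var is not visible on this page; if it does not, the chkpwd helper loses read access to /etc/passwd and password checks fail with a denial instead of the old behaviour. Confirm against the interface body and, if they are needed, keep `files_read_etc_files($1_chkpwd_t)` beside `auth_use_nsswitch($1_chkpwd_t)`. The template body starts before this hunk.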
@ -121,6 +107,7 @@ template(`authlogin_per_userdomain_template',`
|
||||
role $3 types $1_chkpwd_t;
|
||||
role $3 types system_chkpwd_t;
|
||||
|
||||
# cjp: is this really needed?
|
||||
allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
|
||||
dontaudit $2 shadow_t:file { getattr read };
|
||||
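Review bot: The added `# cjp: is this really needed?` above `allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` leaves an open question in the policy while the -38,7 and -550,7 hunks appear to drop the same rule from system_dbusd_t and semanage_t (which line those hunks remove cannot be read off the rendered page). Either state why the user domain keeps it — presumably PAM modules emitting login audit records through the audit netlink socket, which would also explain why $2 rather than $1_chkpwd_t holds it — or drop it here as well so the three domains are treated alike. A comment such as `# PAM modules send login audit records via netlink_audit_socket` would record the decision instead of the question. The template body continues outside the hunk.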
@ -1340,6 +1327,10 @@ interface(`auth_use_nsswitch',`
|
||||
nis_use_ypbind($1)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use($1)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
samba_stream_connect_winbind($1)
|
||||
')
|
||||
|
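Review bot: Adding `nscd_socket_use($1)` here is what lets the other hunks delete per-domain nscd blocks, but the groupadd and useradd blocks at -255,13 and -530,13 also contained `nscd_exec(groupadd_t)` and `nscd_exec(useradd_t)`, and this interface grants only the socket, not the exec. If those optional_policy blocks were removed whole (the rendered page does not show which five lines went), the account tools lose the exec permission on nscd; if they still run nscd to invalidate its caches after an account change, that shows up as a denial and a stale cache. Keep the `nscd_exec(groupadd_t)` call inside its optional_policy block (and the useradd twin), or confirm the exec was never needed. The interface's description block above -1340 should also mention nscd now that it is part of the grant.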
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(authlogin,1.3.10)
|
||||
policy_module(authlogin,1.3.11)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -214,7 +214,6 @@ libs_use_shared_libs(pam_console_t)
|
||||
logging_send_syslog_msg(pam_console_t)
|
||||
|
||||
miscfiles_read_localization(pam_console_t)
|
||||
miscfiles_read_certs(pam_console_t)
|
||||
|
||||
seutil_read_file_contexts(pam_console_t)
|
||||
|
||||
@ -236,10 +235,6 @@ optional_policy(`
|
||||
hotplug_dontaudit_search_config(pam_console_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(pam_console_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_sigchld_newrole(pam_console_t)
|
||||
')
|
||||
|
@ -550,7 +550,6 @@ allow semanage_t self:capability { dac_override audit_write };
|
||||
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow semanage_t self:unix_dgram_socket create_socket_perms;
|
||||
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
allow semanage_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
|
||||
allow semanage_t policy_config_t:file { read write };
|
||||
|
||||
@ -614,10 +613,6 @@ ifdef(`targeted_policy',`
|
||||
userdom_read_generic_user_home_content_files(semanage_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(semanage_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Setfiles local policy
|
||||
|
@ -99,6 +99,8 @@ selinux_compute_create_context(udev_t)
|
||||
selinux_compute_relabel_context(udev_t)
|
||||
selinux_compute_user_contexts(udev_t)
|
||||
|
||||
auth_read_pam_console_data(udev_t)
|
||||
auth_domtrans_pam_console(udev_t)
|
||||
auth_use_nsswitch(udev_t)
|
||||
|
||||
corecmd_exec_all_executables(udev_t)
|
||||
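Review bot: `auth_use_nsswitch(udev_t)` is a broader grant than the optional `nis_use_ypbind(udev_t)` and `nscd_socket_use(udev_t)` blocks the -184,18 hunk removes: the interface bundles whatever resolvers it carries (the -1340 hunk shows nis, nscd and winbind; the chkpwd hunk suggests DNS and LDAP client access as well), so udev may now hold network name-resolution rights it did not have before. As far as this page shows, udev's nss use is mapping OWNER=/GROUP= names in rules, which is worth stating next to the call, e.g. `# nss lookups for OWNER=/GROUP= in udev rules`, so a later reader knows why a device manager reaches nsswitch. Moving `auth_read_pam_console_data(udev_t)` and `auth_domtrans_pam_console(udev_t)` out of optional_policy (the -163,11 hunk) is not mentioned in the commit message; a line there would help.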
@ -138,6 +140,7 @@ seutil_read_file_contexts(udev_t)
|
||||
seutil_domtrans_restorecon(udev_t)
|
||||
|
||||
sysnet_domtrans_ifconfig(udev_t)
|
||||
sysnet_domtrans_dhcpc(udev_t)
|
||||
|
||||
userdom_use_sysadm_ttys(udev_t)
|
||||
userdom_dontaudit_search_all_users_home_content(udev_t)
|
||||
@ -163,11 +166,6 @@ ifdef(`targeted_policy',`
|
||||
unconfined_domain(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
auth_read_pam_console_data(udev_t)
|
||||
auth_domtrans_pam_console(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
consoletype_exec(udev_t)
|
||||
')
|
||||
@ -184,18 +182,6 @@ optional_policy(`
|
||||
hotplug_read_config(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
sysnet_domtrans_dhcpc(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xserver_read_xdm_pid(udev_t)
|
||||
')
|
||||
|