add nscd

refpolicy/Changelog

@@ -2,6 +2,8 @@
 	* Doc tool now links directly to the interface/template in the
 	  module page when it is selected in the interface/template index.
 	* Added support for layer summaries.
+	* Added policies:
+		nscd
 
 20050707 (7 Jul 2005)
 	* Changed xml to have modules encapsulated by layer tags, rather

refpolicy/policy/modules/admin/logrotate.te

@@ -6,7 +6,7 @@ policy_module(logrotate,1.0)
 # Declarations
 #
 
-type logrotate_t; #, priv_system_role, nscd_client_domain;
+type logrotate_t; #, priv_system_role
 domain_type(logrotate_t)
 domain_obj_id_change_exempt(logrotate_t)
 role system_r types logrotate_t;
@@ -122,6 +122,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(logrotate_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(logrotate_t)
+')
+
 ifdef(`TODO',`
 
 #from privmail this needs more work:

refpolicy/policy/modules/admin/netutils.te

@@ -14,12 +14,12 @@ role system_r types netutils_t;
 type netutils_tmp_t;
 files_tmp_file(netutils_tmp_t)
 
-type ping_t; #, nscd_client_domain;
+type ping_t;
 type ping_exec_t;
 init_system_domain(ping_t,ping_exec_t)
 role system_r types ping_t;
 
-type traceroute_t; #, nscd_client_domain;
+type traceroute_t;
 type traceroute_exec_t;
 init_system_domain(traceroute_t,traceroute_exec_t)
 role system_r types traceroute_t;
@@ -128,14 +128,16 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(ping_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(ping_t)
+')
+
 optional_policy(`sysnetwork.te',`
 	optional_policy(`hotplug.te',`
 		hotplug_use_fd(ping_t)
 	')
 ')
 
-
-
 ifdef(`TODO',`
 in_user_role(ping_t)
 tunable_policy(`user_ping',`
@@ -199,6 +201,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(traceroute_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(traceroute_t)
+')
+
 ifdef(`TODO',`
 in_user_role(traceroute_t)
 tunable_policy(`user_ping',`

refpolicy/policy/modules/admin/usermanage.te

@@ -29,7 +29,7 @@ files_type(crack_db_t)
 type crack_tmp_t;
 files_tmp_file(crack_tmp_t)
 
-type groupadd_t; #, nscd_client_domain;
+type groupadd_t;
 type groupadd_exec_t;
 domain_obj_id_change_exempt(groupadd_t)
 init_system_domain(groupadd_t,groupadd_exec_t)
@@ -51,7 +51,7 @@ domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t)
 type sysadm_passwd_tmp_t;
 files_type(sysadm_passwd_tmp_t)
 
-type useradd_t; # nscd_client_domain;
+type useradd_t;
 type useradd_exec_t;
 domain_obj_id_change_exempt(useradd_t)
 init_system_domain(useradd_t,useradd_exec_t)
@@ -252,6 +252,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(groupadd_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(groupadd_t)
+')
+
 optional_policy(`rpm.te',`
 	rpm_use_fd(groupadd_t)
 	rpm_rw_pipe(groupadd_t)
@@ -523,6 +527,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(useradd_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(useradd_t)
+')
+
 optional_policy(`rpm.te',`
 	rpm_use_fd(useradd_t)
 	rpm_rw_pipe(useradd_t)

refpolicy/policy/modules/services/cron.te

@@ -13,7 +13,7 @@ files_type(anacron_exec_t)
 type cron_spool_t;
 files_type(cron_spool_t)
 
-type crond_t; #, privmail, nscd_client_domain
+type crond_t; #, privmail
 type crond_exec_t;
 init_daemon_domain(crond_t,crond_exec_t)
 domain_wide_inherit_fd(crond_t)
@@ -31,7 +31,7 @@ type crontab_exec_t;
 files_type(crontab_exec_t)
 
 type system_cron_spool_t;
-type system_crond_t; #, privmail, nscd_client_domain;
+type system_crond_t; #, privmail
 init_daemon_domain(system_crond_t,anacron_exec_t)
 corecmd_shell_entry_type(system_crond_t)
 role system_r types system_crond_t;
@@ -141,6 +141,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(crond_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(crond_t)
+')
+
 optional_policy(`rpm.te',`
 	# Commonly used from postinst scripts
 	rpm_read_pipe(crond_t)
@@ -310,6 +314,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(system_crond_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(system_crond_t)
+')
+
 ifdef(`TODO',`
 dontaudit userdomain system_crond_t:fd use;
 

refpolicy/policy/modules/services/inetd.te

@@ -19,7 +19,7 @@ files_tmp_file(inetd_tmp_t)
 type inetd_var_run_t;
 files_pid_file(inetd_var_run_t)
 
-type inetd_child_t; #, nscd_client_domain;
+type inetd_child_t;
 type inetd_child_exec_t;
 inetd_service_domain(inetd_child_t,inetd_child_exec_t)
 role system_r types inetd_child_t;
@@ -218,3 +218,7 @@ optional_policy(`kerberos.te',`
 optional_policy(`nis.te',`
 	nis_use_ypbind(inetd_child_t)
 ')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(inetd_child_t)
+')

refpolicy/policy/modules/services/mta.if

@@ -7,7 +7,7 @@
 # mta_per_userdomain_template(userdomain_prefix)
 #
 template(`mta_per_userdomain_template',`
-	type $1_mail_t; # , user_mail_domain, nscd_client_domain;
+	type $1_mail_t; # , user_mail_domain
 	domain_type($1_mail_t)
 	role $1_r types $1_mail_t;
 
@@ -81,6 +81,10 @@ template(`mta_per_userdomain_template',`
 		nis_use_ypbind($1_mail_t)
 	')
 
+	optional_policy(`nscd.te',`
+		nscd_use_socket($1_mail_t)
+	')
+
 	optional_policy(`procmail.te',`
 		procmail_execute($1_mail_t)
 	')

refpolicy/policy/modules/services/mta.te

@@ -23,7 +23,7 @@ files_type(mail_spool_t)
 type sendmail_exec_t;
 files_type(sendmail_exec_t)
 
-type system_mail_t; #, user_mail_domain, nscd_client_domain;
+type system_mail_t; #, user_mail_domain
 domain_type(system_mail_t)
 role system_r types system_mail_t;
 
@@ -94,6 +94,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(system_mail_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(system_mail_t)
+')
+
 optional_policy(`procmail.te',`
 	procmail_exec(system_mail_t)
 ')

refpolicy/policy/modules/services/nscd.fc

@@ -0,0 +1,9 @@
+
+/usr/sbin/nscd		--	system_u:object_r:nscd_exec_t
+
+/var/db/nscd(/.*)?		system_u:object_r:nscd_var_run_t
+
+/var/run/nscd\.pid	--	system_u:object_r:nscd_var_run_t
+/var/run/\.nscd_socket	-s	system_u:object_r:nscd_var_run_t
+
+/var/run/nscd(/.*)?		system_u:object_r:nscd_var_run_t

refpolicy/policy/modules/services/nscd.if

@@ -0,0 +1,112 @@
+## <summary>Name service cache daemon</summary>
+
+########################################
+## <summary>
+##	Execute NSCD in the nscd domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`nscd_domtrans',`
+	gen_require(`
+		type nscd_t, nscd_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_sbin($1)
+	domain_auto_trans($1,nscd_exec_t,nscd_t)
+
+	allow $1 nscd_t:fd use;
+	allow nscd_t $1:fd use;
+	allow nscd_t $1:fifo_file rw_file_perms;
+	allow nscd_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Use NSCD services by connecting using
+##	a unix stream socket.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`nscd_use_socket',`
+	gen_require(`
+		type nscd_t, nscd_var_run_t;
+		class fd use;
+		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+		class unix_stream_socket { create_stream_socket_perms connectto };
+		class dir { search getattr };
+		class sock_file rw_file_perms;
+		class file { getattr read };
+	')
+
+	allow $1 self:unix_stream_socket create_stream_socket_perms;
+
+	allow $1 nscd_t:unix_stream_socket connectto;
+	allow $1 nscd_t:nscd { getpwd getgrp gethost };
+	dontaudit $1 nscd_t:fd use;
+	dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
+
+	files_search_pids($1)
+	allow $1 nscd_var_run_t:sock_file rw_file_perms;
+	dontaudit $1 nscd_var_run_t:dir { search getattr };
+	dontaudit $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Use NSCD services by mapping the database from
+##	an inherited NSCD file descriptor.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`nscd_use_shared_mem',`
+	gen_require(`
+		type nscd_t, nscd_var_run_t;
+		class fd use;
+		class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
+		class unix_stream_socket { create_stream_socket_perms connectto };
+		class dir r_dir_perms;
+		class sock_file rw_file_perms;
+		class file { getattr read };
+	')
+
+	allow $1 nscd_var_run_t:dir r_dir_perms;
+	allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
+
+	# Receive fd from nscd and map the backing file with read access.
+	allow $1 nscd_t:fd use;
+
+	# cjp: these were originally inherited from the
+	# nscd_socket_domain macro.  need to investigate
+	# if they are all actually required
+	allow $1 self:unix_stream_socket create_stream_socket_perms;
+	allow $1 nscd_t:unix_stream_socket connectto;
+	allow $1 nscd_var_run_t:sock_file rw_file_perms;
+	files_search_pids($1)
+	allow $1 nscd_t:nscd { getpwd getgrp gethost };
+	dontaudit $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+## <summary>
+##	Unconfined access to NSCD services.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`nscd_unconfined',`
+	gen_require(`
+		type nscd_t;
+	')
+
+	allow $1 nscd_t:nscd *;
+')

refpolicy/policy/modules/services/nscd.te

@@ -0,0 +1,125 @@
+
+policy_module(nscd,1.0)
+
+########################################
+#
+# Declarations
+#
+
+# nscd is both the client program and the daemon.
+type nscd_t; #, userspace_objmgr
+type nscd_exec_t;
+init_daemon_domain(nscd_t,nscd_exec_t)
+
+type nscd_var_run_t;
+files_pid_file(nscd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow nscd_t self:capability { kill setgid setuid };
+dontaudit nscd_t self:capability sys_tty_config;
+allow nscd_t self:process { getattr setsched };
+allow nscd_t self:unix_stream_socket create_stream_socket_perms;
+allow nscd_t self:unix_dgram_socket create_socket_perms;
+allow nscd_t self:netlink_selinux_socket create_socket_perms;
+allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
+allow nscd_t self:tcp_socket create_socket_perms;
+allow nscd_t self:udp_socket { connect connected_socket_perms };
+allow nscd_t self:fifo_file { read write };
+
+# For client program operation, invoked from sysadm_t.
+# Transition occurs to nscd_t due to direct_sysadm_daemon. 
+# cjp: this should probably be in a direct_sysadm_daemon tunable
+allow nscd_t self:nscd { admin getstat };
+
+allow nscd_t nscd_var_run_t:file create_file_perms;
+allow nscd_t nscd_var_run_t:sock_file create_file_perms;
+files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file})
+
+kernel_read_kernel_sysctl(nscd_t)
+kernel_list_proc(nscd_t)
+kernel_read_proc_symlinks(nscd_t)
+
+dev_read_sysfs(nscd_t)
+dev_read_rand(nscd_t)
+dev_read_urand(nscd_t)
+
+fs_getattr_all_fs(nscd_t)
+fs_search_auto_mountpoints(nscd_t)
+
+term_dontaudit_use_console(nscd_t)
+
+# for when /etc/passwd has just been updated and has the wrong type
+auth_getattr_shadow(nscd_t)
+
+corenet_tcp_sendrecv_all_if(nscd_t)
+corenet_udp_sendrecv_all_if(nscd_t)
+corenet_raw_sendrecv_all_if(nscd_t)
+corenet_tcp_sendrecv_all_nodes(nscd_t)
+corenet_udp_sendrecv_all_nodes(nscd_t)
+corenet_raw_sendrecv_all_nodes(nscd_t)
+corenet_tcp_sendrecv_all_ports(nscd_t)
+corenet_udp_sendrecv_all_ports(nscd_t)
+corenet_tcp_bind_all_nodes(nscd_t)
+corenet_udp_bind_all_nodes(nscd_t)
+
+domain_use_wide_inherit_fd(nscd_t)
+
+files_read_etc_files(nscd_t)
+
+init_use_fd(nscd_t)
+init_use_script_pty(nscd_t)
+
+libs_use_ld_so(nscd_t)
+libs_use_shared_libs(nscd_t)
+
+logging_send_syslog_msg(nscd_t)
+
+miscfiles_read_localization(nscd_t)
+
+sysnet_read_config(nscd_t)
+
+userdom_dontaudit_use_unpriv_user_fd(nscd_t)
+userdom_dontaudit_search_sysadm_home_dir(nscd_t)
+
+ifdef(`targeted_policy', `
+	term_dontaudit_use_unallocated_tty(nscd_t)
+	term_dontaudit_use_generic_pty(nscd_t)
+	files_dontaudit_read_root_file(nscd_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(nscd_t)
+')
+
+optional_policy(`rhgb.te',`
+	rhgb_domain(nscd_t)
+')
+
+optional_policy(`selinuxutils.te',`
+	seutil_sigchld_newrole(nscd_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(nscd_t)
+')
+
+ifdef(`TODO',`
+
+nscd_socket_domain(daemon)
+
+optional_policy(`winbind.te', `
+	# Handle winbind for samba, Might only be needed for targeted policy
+
+	allow nscd_t winbind_var_run_t:sock_file { read write getattr };
+	can_unix_connect(nscd_t, winbind_t)
+	allow nscd_t samba_var_t:dir search;
+	allow nscd_t winbind_var_run_t:dir { getattr search };
+')
+
+allow nscd_t tmp_t:dir { search getattr };
+allow nscd_t tmp_t:lnk_file read;
+') dnl end TODO

refpolicy/policy/modules/services/remotelogin.te

@@ -6,7 +6,7 @@ policy_module(authlogin,1.0)
 # Declarations
 #
 
-type remote_login_t; #, nscd_client_domain;
+type remote_login_t;
 domain_obj_id_change_exempt(remote_login_t)
 domain_subj_id_change_exempt(remote_login_t)
 domain_role_change_exempt(remote_login_t)
@@ -158,6 +158,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(remote_login_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(remote_login_t)
+')
+
 optional_policy(`usermanage.te',`
 	usermanage_read_crack_db(remote_login_t)
 ')

refpolicy/policy/modules/services/sendmail.te

@@ -6,7 +6,7 @@ policy_module(sendmail,1.0)
 # Declarations
 #
 
-type sendmail_t; # , nscd_client_domain, mta_delivery_agent, mail_server_sender', nosysadm)
+type sendmail_t; #, mta_delivery_agent, mail_server_sender', nosysadm)
 mta_sendmail_mailserver(sendmail_t)
 
 type sendmail_log_t;
@@ -104,6 +104,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(sendmail_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(sendmail_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(sendmail_t)
 ')

refpolicy/policy/modules/services/ssh.if

@@ -31,7 +31,7 @@ template(`ssh_per_userdomain_template',`
 	files_type($1_home_ssh_t)
 	role $1_r types $1_ssh_t;
 
-	type $1_ssh_t; #, nscd_client_domain;
+	type $1_ssh_t;
 	domain_type($1_ssh_t)
 
 	type $1_ssh_agent_t;
@@ -170,6 +170,10 @@ template(`ssh_per_userdomain_template',`
 		nis_use_ypbind($1_ssh_t)
 	')
 
+	optional_policy(`nscd.te',`
+		nscd_use_socket($1_ssh_t)
+	')
+
 	ifdef(`TODO',`
 	# Read /var.
 	allow $1_ssh_t var_t:dir r_dir_perms;
@@ -367,7 +371,7 @@ template(`ssh_per_userdomain_template',`
 ## </param>
 #
 template(`ssh_server_template', `
-	type $1_t, ssh_server; #, nscd_client_domain;
+	type $1_t, ssh_server;
 	role system_r types $1_t;
 
 	type $1_devpts_t;
@@ -480,6 +484,10 @@ template(`ssh_server_template', `
 		mount_send_nfs_client_request($1_t)
 	')
 
+	optional_policy(`nscd.te',`
+		nscd_use_socket(crond_t)
+	')
+
 	ifdef(`TODO',`
 
 	# Read /var.

refpolicy/policy/modules/system/authlogin.if

@@ -35,7 +35,7 @@ template(`authlogin_per_userdomain_template',`
 		class fifo_file rw_file_perms;
 	')
 
-	type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
+	type $1_chkpwd_t, can_read_shadow_passwords;
 	domain_type($1_chkpwd_t)
 	domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
 	role $1_r types $1_chkpwd_t;
@@ -103,6 +103,10 @@ template(`authlogin_per_userdomain_template',`
 		nis_use_ypbind($1_chkpwd_t)
 	')
 
+	optional_policy(`nscd.te',`
+		nscd_use_socket($1_chkpwd_t)
+	')
+
 	optional_policy(`selinuxutil.te',`
 		seutil_use_newrole_fd($1_chkpwd_t)
 	')
@@ -203,17 +207,36 @@ interface(`auth_domtrans_chk_passwd',`
 ')
 
 ########################################
-## <desc>
-##	
-## </desc>
+## <summary>
+##	Get the attributes of the shadow passwords file.
+## </summary>
 ## <param name="domain">
 ##	The type of the process performing this action.
 ## </param>
 #
+interface(`auth_getattr_shadow',`
+	gen_require(`
+		type shadow_t;
+		class file getattr;
+	')
+
+	files_search_etc($1)
+	allow $1 shadow_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes
+##	of the shadow passwords file.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
 interface(`auth_dontaudit_getattr_shadow',`
 	gen_require(`
 		type shadow_t;
-		class file stat_file_perms;
+		class file getattr;
 	')
 
 	dontaudit $1 shadow_t:file getattr;

refpolicy/policy/modules/system/authlogin.te

@@ -29,7 +29,7 @@ role system_r types pam_console_t;
 
 domain_entry_file(pam_console_t,pam_console_exec_t)
 
-type pam_t; #, nscd_client_domain;
+type pam_t;
 domain_type(pam_t)
 role system_r types pam_t;
 
@@ -39,7 +39,7 @@ domain_entry_file(pam_t,pam_exec_t)
 type pam_tmp_t;
 files_tmp_file(pam_tmp_t)
 
-type pam_var_console_t; #, nscd_client_domain
+type pam_var_console_t;
 files_type(pam_var_console_t)
 
 type pam_var_run_t;
@@ -51,12 +51,12 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
 
-type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain;
+type system_chkpwd_t, can_read_shadow_passwords;
 domain_type(system_chkpwd_t)
 domain_entry_file(system_chkpwd_t,chkpwd_exec_t)
 role system_r types system_chkpwd_t;
 
-type utempter_t; #, nscd_client_domain;
+type utempter_t;
 domain_type(utempter_t)
 
 type utempter_exec_t;
@@ -118,6 +118,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(pam_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(pam_t)
+')
+
 ifdef(`TODO',`
 ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
 ') dnl endif TODO
@@ -207,6 +211,10 @@ optional_policy(`hotplug.te', `
 	hotplug_dontaudit_search_config(pam_console_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(pam_console_t)
+')
+
 optional_policy(`selinuxutil.te',`
 	seutil_sigchld_newrole(pam_console_t)
 ')
@@ -280,6 +288,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(system_chkpwd_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(system_chkpwd_t)
+')
+
 ifdef(`TODO',`
 can_ldap(system_chkpwd_t)
 ') dnl end TODO
@@ -314,6 +326,10 @@ logging_search_logs(utempter_t)
 # Allow utemper to write to /tmp/.xses-*
 userdom_write_unpriv_user_tmp(utempter_t)
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(utempter_t)
+')
+
 optional_policy(`xdm.te', `
 	#allow utempter_t xdm_t:fd use;
 	xdm_use_fd(utempter_t)

refpolicy/policy/modules/system/locallogin.te

@@ -6,7 +6,7 @@ policy_module(locallogin,1.0)
 # Declarations
 #
 
-type local_login_t; #, nscd_client_domain;
+type local_login_t;
 auth_login_entry_type(local_login_t)
 domain_type(local_login_t)
 domain_obj_id_change_exempt(local_login_t)
@@ -190,6 +190,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(local_login_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(local_login_t)
+')
+
 optional_policy(`usermanage.te',`
 	usermanage_read_crack_db(local_login_t)
 ')

refpolicy/policy/modules/system/selinuxutil.te

@@ -37,7 +37,7 @@ role system_r types load_policy_t;
 type load_policy_exec_t;
 domain_entry_file(load_policy_t,load_policy_exec_t)
 
-type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
+type newrole_t; # mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
 domain_role_change_exempt(newrole_t)
 domain_obj_id_change_exempt(newrole_t)
 domain_type(newrole_t)
@@ -244,6 +244,10 @@ optional_policy(`nis.te',`
 	nis_use_ypbind(newrole_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(newrole_t)
+')
+
 ifdef(`TODO',`
 ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
 ') dnl ifdef TODO

refpolicy/policy/modules/system/udev.te

@@ -6,7 +6,7 @@ policy_module(udev,1.0)
 # Declarations
 #
 
-type udev_t; # nscd_client_domain
+type udev_t;
 type udev_exec_t;
 type udev_helper_exec_t;
 kernel_userland_entry(udev_t,udev_exec_t)
@@ -148,6 +148,10 @@ optional_policy(`hotplug.te',`
 	hotplug_read_config(udev_t)
 ')
 
+optional_policy(`nscd.te',`
+	nscd_use_socket(udev_t)
+')
+
 optional_policy(`sysnetwork.te',`
 	sysnet_domtrans_dhcpc(udev_t)
 ')

refpolicy/policy/modules/system/unconfined.if

@@ -47,6 +47,10 @@ template(`unconfined_domain_template',`
 		bootloader_manage_kernel_modules($1)
 	')
 
+	optional_policy(`nscd.te', `
+		nscd_unconfined($1)
+	')
+
 	optional_policy(`selinuxutil.te',`
 		seutil_create_binary_pol($1)
 		seutil_relabelto_binary_pol($1)
@@ -67,10 +71,6 @@ template(`unconfined_domain_template',`
 		allow $1 system_dbusd_t:dbus *;
 	')
 
-	ifdef(`nscd.te', `
-		# Get info via nscd.
-		allow $1 nscd_t:nscd *;
-	')
 	') dnl end TODO
 ')
 

refpolicy/policy/modules/system/userdomain.if

@@ -232,6 +232,10 @@ template(`base_user_template',`
 		nis_use_ypbind($1_t)
 	')
 
+	optional_policy(`nscd.te',`
+		nscd_use_socket($1_t)
+	')
+
 	optional_policy(`rpm.te',`
 		files_getattr_var_lib_dir($1_t)
 		files_search_var_lib($1_t)
@@ -440,7 +444,7 @@ template(`unpriv_user_template', `
 	# Inherit rules for ordinary users.
 	base_user_template($1)
 
-	typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain;
+	typeattribute $1_t unpriv_userdomain; #, web_client_domain
 	domain_wide_inherit_fd($1_t)
 
 	#typeattribute $1_devpts_t userpty_type, user_tty_type;
@@ -669,7 +673,7 @@ template(`admin_user_template',`
 	# Inherit rules for ordinary users.
 	base_user_template($1)
 
-	typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain;
+	typeattribute $1_t privhome; #, admin, web_client_domain
 	domain_obj_id_change_exempt($1_t)
 	role system_r types $1_t;