rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

add nscd

Browse Source
This commit is contained in:
Chris PeBenito 2005-07-13 20:48:51 +00:00
parent df00b2e235
commit 493d6c4adc
21 changed files with 391 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
refpolicy/Changelog
View File

@ -2,6 +2,8 @@
* Doc tool now links directly to the interface/template in the * Doc tool now links directly to the interface/template in the
module page when it is selected in the interface/template index. module page when it is selected in the interface/template index.
* Added support for layer summaries. * Added support for layer summaries.
* Added policies:
nscd
20050707 (7 Jul 2005) 20050707 (7 Jul 2005)
* Changed xml to have modules encapsulated by layer tags, rather * Changed xml to have modules encapsulated by layer tags, rather

6
refpolicy/policy/modules/admin/logrotate.te
View File

@ -6,7 +6,7 @@ policy_module(logrotate,1.0)
# Declarations # Declarations
# #
type logrotate_t; #, priv_system_role, nscd_client_domain; type logrotate_t; #, priv_system_role
domain_type(logrotate_t) domain_type(logrotate_t)
domain_obj_id_change_exempt(logrotate_t) domain_obj_id_change_exempt(logrotate_t)
role system_r types logrotate_t; role system_r types logrotate_t;
@ -122,6 +122,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(logrotate_t) nis_use_ypbind(logrotate_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(logrotate_t)
')
ifdef(`TODO',` ifdef(`TODO',`
#from privmail this needs more work: #from privmail this needs more work:

14
refpolicy/policy/modules/admin/netutils.te
View File

@ -14,12 +14,12 @@ role system_r types netutils_t;
type netutils_tmp_t; type netutils_tmp_t;
files_tmp_file(netutils_tmp_t) files_tmp_file(netutils_tmp_t)
type ping_t; #, nscd_client_domain; type ping_t;
type ping_exec_t; type ping_exec_t;
init_system_domain(ping_t,ping_exec_t) init_system_domain(ping_t,ping_exec_t)
role system_r types ping_t; role system_r types ping_t;
type traceroute_t; #, nscd_client_domain; type traceroute_t;
type traceroute_exec_t; type traceroute_exec_t;
init_system_domain(traceroute_t,traceroute_exec_t) init_system_domain(traceroute_t,traceroute_exec_t)
role system_r types traceroute_t; role system_r types traceroute_t;
@ -128,14 +128,16 @@ optional_policy(`nis.te',`
nis_use_ypbind(ping_t) nis_use_ypbind(ping_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(ping_t)
')
optional_policy(`sysnetwork.te',` optional_policy(`sysnetwork.te',`
optional_policy(`hotplug.te',` optional_policy(`hotplug.te',`
hotplug_use_fd(ping_t) hotplug_use_fd(ping_t)
') ')
') ')
ifdef(`TODO',` ifdef(`TODO',`
in_user_role(ping_t) in_user_role(ping_t)
tunable_policy(`user_ping',` tunable_policy(`user_ping',`
@ -199,6 +201,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(traceroute_t) nis_use_ypbind(traceroute_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(traceroute_t)
')
ifdef(`TODO',` ifdef(`TODO',`
in_user_role(traceroute_t) in_user_role(traceroute_t)
tunable_policy(`user_ping',` tunable_policy(`user_ping',`

12
refpolicy/policy/modules/admin/usermanage.te
View File

@ -29,7 +29,7 @@ files_type(crack_db_t)
type crack_tmp_t; type crack_tmp_t;
files_tmp_file(crack_tmp_t) files_tmp_file(crack_tmp_t)
type groupadd_t; #, nscd_client_domain; type groupadd_t;
type groupadd_exec_t; type groupadd_exec_t;
domain_obj_id_change_exempt(groupadd_t) domain_obj_id_change_exempt(groupadd_t)
init_system_domain(groupadd_t,groupadd_exec_t) init_system_domain(groupadd_t,groupadd_exec_t)
@ -51,7 +51,7 @@ domain_entry_file(sysadm_passwd_t,admin_passwd_exec_t)
type sysadm_passwd_tmp_t; type sysadm_passwd_tmp_t;
files_type(sysadm_passwd_tmp_t) files_type(sysadm_passwd_tmp_t)
type useradd_t; # nscd_client_domain; type useradd_t;
type useradd_exec_t; type useradd_exec_t;
domain_obj_id_change_exempt(useradd_t) domain_obj_id_change_exempt(useradd_t)
init_system_domain(useradd_t,useradd_exec_t) init_system_domain(useradd_t,useradd_exec_t)
@ -252,6 +252,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(groupadd_t) nis_use_ypbind(groupadd_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(groupadd_t)
')
optional_policy(`rpm.te',` optional_policy(`rpm.te',`
rpm_use_fd(groupadd_t) rpm_use_fd(groupadd_t)
rpm_rw_pipe(groupadd_t) rpm_rw_pipe(groupadd_t)
@ -523,6 +527,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(useradd_t) nis_use_ypbind(useradd_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(useradd_t)
')
optional_policy(`rpm.te',` optional_policy(`rpm.te',`
rpm_use_fd(useradd_t) rpm_use_fd(useradd_t)
rpm_rw_pipe(useradd_t) rpm_rw_pipe(useradd_t)

12
refpolicy/policy/modules/services/cron.te
View File

@ -13,7 +13,7 @@ files_type(anacron_exec_t)
type cron_spool_t; type cron_spool_t;
files_type(cron_spool_t) files_type(cron_spool_t)
type crond_t; #, privmail, nscd_client_domain type crond_t; #, privmail
type crond_exec_t; type crond_exec_t;
init_daemon_domain(crond_t,crond_exec_t) init_daemon_domain(crond_t,crond_exec_t)
domain_wide_inherit_fd(crond_t) domain_wide_inherit_fd(crond_t)
@ -31,7 +31,7 @@ type crontab_exec_t;
files_type(crontab_exec_t) files_type(crontab_exec_t)
type system_cron_spool_t; type system_cron_spool_t;
type system_crond_t; #, privmail, nscd_client_domain; type system_crond_t; #, privmail
init_daemon_domain(system_crond_t,anacron_exec_t) init_daemon_domain(system_crond_t,anacron_exec_t)
corecmd_shell_entry_type(system_crond_t) corecmd_shell_entry_type(system_crond_t)
role system_r types system_crond_t; role system_r types system_crond_t;
@ -141,6 +141,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(crond_t) nis_use_ypbind(crond_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(crond_t)
')
optional_policy(`rpm.te',` optional_policy(`rpm.te',`
# Commonly used from postinst scripts # Commonly used from postinst scripts
rpm_read_pipe(crond_t) rpm_read_pipe(crond_t)
@ -310,6 +314,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(system_crond_t) nis_use_ypbind(system_crond_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(system_crond_t)
')
ifdef(`TODO',` ifdef(`TODO',`
dontaudit userdomain system_crond_t:fd use; dontaudit userdomain system_crond_t:fd use;

6
refpolicy/policy/modules/services/inetd.te
View File

@ -19,7 +19,7 @@ files_tmp_file(inetd_tmp_t)
type inetd_var_run_t; type inetd_var_run_t;
files_pid_file(inetd_var_run_t) files_pid_file(inetd_var_run_t)
type inetd_child_t; #, nscd_client_domain; type inetd_child_t;
type inetd_child_exec_t; type inetd_child_exec_t;
inetd_service_domain(inetd_child_t,inetd_child_exec_t) inetd_service_domain(inetd_child_t,inetd_child_exec_t)
role system_r types inetd_child_t; role system_r types inetd_child_t;
@ -218,3 +218,7 @@ optional_policy(`kerberos.te',`
optional_policy(`nis.te',` optional_policy(`nis.te',`
nis_use_ypbind(inetd_child_t) nis_use_ypbind(inetd_child_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(inetd_child_t)
')

6
refpolicy/policy/modules/services/mta.if
View File

@ -7,7 +7,7 @@
# mta_per_userdomain_template(userdomain_prefix) # mta_per_userdomain_template(userdomain_prefix)
# #
template(`mta_per_userdomain_template',` template(`mta_per_userdomain_template',`
type $1_mail_t; # , user_mail_domain, nscd_client_domain; type $1_mail_t; # , user_mail_domain
domain_type($1_mail_t) domain_type($1_mail_t)
role $1_r types $1_mail_t; role $1_r types $1_mail_t;
@ -81,6 +81,10 @@ template(`mta_per_userdomain_template',`
nis_use_ypbind($1_mail_t) nis_use_ypbind($1_mail_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket($1_mail_t)
')
optional_policy(`procmail.te',` optional_policy(`procmail.te',`
procmail_execute($1_mail_t) procmail_execute($1_mail_t)
') ')

6
refpolicy/policy/modules/services/mta.te
View File

@ -23,7 +23,7 @@ files_type(mail_spool_t)
type sendmail_exec_t; type sendmail_exec_t;
files_type(sendmail_exec_t) files_type(sendmail_exec_t)
type system_mail_t; #, user_mail_domain, nscd_client_domain; type system_mail_t; #, user_mail_domain
domain_type(system_mail_t) domain_type(system_mail_t)
role system_r types system_mail_t; role system_r types system_mail_t;
@ -94,6 +94,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(system_mail_t) nis_use_ypbind(system_mail_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(system_mail_t)
')
optional_policy(`procmail.te',` optional_policy(`procmail.te',`
procmail_exec(system_mail_t) procmail_exec(system_mail_t)
') ')

9
refpolicy/policy/modules/services/nscd.fc Normal file
View File

@ -0,0 +1,9 @@
/usr/sbin/nscd -- system_u:object_r:nscd_exec_t
/var/db/nscd(/.*)? system_u:object_r:nscd_var_run_t
/var/run/nscd\.pid -- system_u:object_r:nscd_var_run_t
/var/run/\.nscd_socket -s system_u:object_r:nscd_var_run_t
/var/run/nscd(/.*)? system_u:object_r:nscd_var_run_t

112
refpolicy/policy/modules/services/nscd.if Normal file
View File

@ -0,0 +1,112 @@
## <summary>Name service cache daemon</summary>
########################################
## <summary>
## Execute NSCD in the nscd domain.
## </summary>
## <param name="domain">
## The type of the process performing this action.
## </param>
#
interface(`nscd_domtrans',`
gen_require(`
type nscd_t, nscd_exec_t;
class process sigchld;
class fd use;
class fifo_file rw_file_perms;
')
corecmd_search_sbin($1)
domain_auto_trans($1,nscd_exec_t,nscd_t)
allow $1 nscd_t:fd use;
allow nscd_t $1:fd use;
allow nscd_t $1:fifo_file rw_file_perms;
allow nscd_t $1:process sigchld;
')
########################################
## <summary>
## Use NSCD services by connecting using
## a unix stream socket.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`nscd_use_socket',`
gen_require(`
type nscd_t, nscd_var_run_t;
class fd use;
class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
class unix_stream_socket { create_stream_socket_perms connectto };
class dir { search getattr };
class sock_file rw_file_perms;
class file { getattr read };
')
allow $1 self:unix_stream_socket create_stream_socket_perms;
allow $1 nscd_t:unix_stream_socket connectto;
allow $1 nscd_t:nscd { getpwd getgrp gethost };
dontaudit $1 nscd_t:fd use;
dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
files_search_pids($1)
allow $1 nscd_var_run_t:sock_file rw_file_perms;
dontaudit $1 nscd_var_run_t:dir { search getattr };
dontaudit $1 nscd_var_run_t:file { getattr read };
')
########################################
## <summary>
## Use NSCD services by mapping the database from
## an inherited NSCD file descriptor.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`nscd_use_shared_mem',`
gen_require(`
type nscd_t, nscd_var_run_t;
class fd use;
class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
class unix_stream_socket { create_stream_socket_perms connectto };
class dir r_dir_perms;
class sock_file rw_file_perms;
class file { getattr read };
')
allow $1 nscd_var_run_t:dir r_dir_perms;
allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
# Receive fd from nscd and map the backing file with read access.
allow $1 nscd_t:fd use;
# cjp: these were originally inherited from the
# nscd_socket_domain macro. need to investigate
# if they are all actually required
allow $1 self:unix_stream_socket create_stream_socket_perms;
allow $1 nscd_t:unix_stream_socket connectto;
allow $1 nscd_var_run_t:sock_file rw_file_perms;
files_search_pids($1)
allow $1 nscd_t:nscd { getpwd getgrp gethost };
dontaudit $1 nscd_var_run_t:file { getattr read };
')
########################################
## <summary>
## Unconfined access to NSCD services.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`nscd_unconfined',`
gen_require(`
type nscd_t;
')
allow $1 nscd_t:nscd *;
')

125
refpolicy/policy/modules/services/nscd.te Normal file
View File

@ -0,0 +1,125 @@
policy_module(nscd,1.0)
########################################
#
# Declarations
#
# nscd is both the client program and the daemon.
type nscd_t; #, userspace_objmgr
type nscd_exec_t;
init_daemon_domain(nscd_t,nscd_exec_t)
type nscd_var_run_t;
files_pid_file(nscd_var_run_t)
########################################
#
# Local policy
#
allow nscd_t self:capability { kill setgid setuid };
dontaudit nscd_t self:capability sys_tty_config;
allow nscd_t self:process { getattr setsched };
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
allow nscd_t self:unix_dgram_socket create_socket_perms;
allow nscd_t self:netlink_selinux_socket create_socket_perms;
allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
allow nscd_t self:tcp_socket create_socket_perms;
allow nscd_t self:udp_socket { connect connected_socket_perms };
allow nscd_t self:fifo_file { read write };
# For client program operation, invoked from sysadm_t.
# Transition occurs to nscd_t due to direct_sysadm_daemon.
# cjp: this should probably be in a direct_sysadm_daemon tunable
allow nscd_t self:nscd { admin getstat };
allow nscd_t nscd_var_run_t:file create_file_perms;
allow nscd_t nscd_var_run_t:sock_file create_file_perms;
files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file})
kernel_read_kernel_sysctl(nscd_t)
kernel_list_proc(nscd_t)
kernel_read_proc_symlinks(nscd_t)
dev_read_sysfs(nscd_t)
dev_read_rand(nscd_t)
dev_read_urand(nscd_t)
fs_getattr_all_fs(nscd_t)
fs_search_auto_mountpoints(nscd_t)
term_dontaudit_use_console(nscd_t)
# for when /etc/passwd has just been updated and has the wrong type
auth_getattr_shadow(nscd_t)
corenet_tcp_sendrecv_all_if(nscd_t)
corenet_udp_sendrecv_all_if(nscd_t)
corenet_raw_sendrecv_all_if(nscd_t)
corenet_tcp_sendrecv_all_nodes(nscd_t)
corenet_udp_sendrecv_all_nodes(nscd_t)
corenet_raw_sendrecv_all_nodes(nscd_t)
corenet_tcp_sendrecv_all_ports(nscd_t)
corenet_udp_sendrecv_all_ports(nscd_t)
corenet_tcp_bind_all_nodes(nscd_t)
corenet_udp_bind_all_nodes(nscd_t)
domain_use_wide_inherit_fd(nscd_t)
files_read_etc_files(nscd_t)
init_use_fd(nscd_t)
init_use_script_pty(nscd_t)
libs_use_ld_so(nscd_t)
libs_use_shared_libs(nscd_t)
logging_send_syslog_msg(nscd_t)
miscfiles_read_localization(nscd_t)
sysnet_read_config(nscd_t)
userdom_dontaudit_use_unpriv_user_fd(nscd_t)
userdom_dontaudit_search_sysadm_home_dir(nscd_t)
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_tty(nscd_t)
term_dontaudit_use_generic_pty(nscd_t)
files_dontaudit_read_root_file(nscd_t)
')
optional_policy(`nis.te',`
nis_use_ypbind(nscd_t)
')
optional_policy(`rhgb.te',`
rhgb_domain(nscd_t)
')
optional_policy(`selinuxutils.te',`
seutil_sigchld_newrole(nscd_t)
')
optional_policy(`udev.te', `
udev_read_db(nscd_t)
')
ifdef(`TODO',`
nscd_socket_domain(daemon)
optional_policy(`winbind.te', `
# Handle winbind for samba, Might only be needed for targeted policy
allow nscd_t winbind_var_run_t:sock_file { read write getattr };
can_unix_connect(nscd_t, winbind_t)
allow nscd_t samba_var_t:dir search;
allow nscd_t winbind_var_run_t:dir { getattr search };
')
allow nscd_t tmp_t:dir { search getattr };
allow nscd_t tmp_t:lnk_file read;
') dnl end TODO

6
refpolicy/policy/modules/services/remotelogin.te
View File

@ -6,7 +6,7 @@ policy_module(authlogin,1.0)
# Declarations # Declarations
# #
type remote_login_t; #, nscd_client_domain; type remote_login_t;
domain_obj_id_change_exempt(remote_login_t) domain_obj_id_change_exempt(remote_login_t)
domain_subj_id_change_exempt(remote_login_t) domain_subj_id_change_exempt(remote_login_t)
domain_role_change_exempt(remote_login_t) domain_role_change_exempt(remote_login_t)
@ -158,6 +158,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(remote_login_t) nis_use_ypbind(remote_login_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(remote_login_t)
')
optional_policy(`usermanage.te',` optional_policy(`usermanage.te',`
usermanage_read_crack_db(remote_login_t) usermanage_read_crack_db(remote_login_t)
') ')

6
refpolicy/policy/modules/services/sendmail.te
View File

@ -6,7 +6,7 @@ policy_module(sendmail,1.0)
# Declarations # Declarations
# #
type sendmail_t; # , nscd_client_domain, mta_delivery_agent, mail_server_sender', nosysadm) type sendmail_t; #, mta_delivery_agent, mail_server_sender', nosysadm)
mta_sendmail_mailserver(sendmail_t) mta_sendmail_mailserver(sendmail_t)
type sendmail_log_t; type sendmail_log_t;
@ -104,6 +104,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(sendmail_t) nis_use_ypbind(sendmail_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(sendmail_t)
')
optional_policy(`selinuxutil.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(sendmail_t) seutil_sigchld_newrole(sendmail_t)
') ')

12
refpolicy/policy/modules/services/ssh.if
View File

@ -31,7 +31,7 @@ template(`ssh_per_userdomain_template',`
files_type($1_home_ssh_t) files_type($1_home_ssh_t)
role $1_r types $1_ssh_t; role $1_r types $1_ssh_t;
type $1_ssh_t; #, nscd_client_domain; type $1_ssh_t;
domain_type($1_ssh_t) domain_type($1_ssh_t)
type $1_ssh_agent_t; type $1_ssh_agent_t;
@ -170,6 +170,10 @@ template(`ssh_per_userdomain_template',`
nis_use_ypbind($1_ssh_t) nis_use_ypbind($1_ssh_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket($1_ssh_t)
')
ifdef(`TODO',` ifdef(`TODO',`
# Read /var. # Read /var.
allow $1_ssh_t var_t:dir r_dir_perms; allow $1_ssh_t var_t:dir r_dir_perms;
@ -367,7 +371,7 @@ template(`ssh_per_userdomain_template',`
## </param> ## </param>
# #
template(`ssh_server_template', ` template(`ssh_server_template', `
type $1_t, ssh_server; #, nscd_client_domain; type $1_t, ssh_server;
role system_r types $1_t; role system_r types $1_t;
type $1_devpts_t; type $1_devpts_t;
@ -480,6 +484,10 @@ template(`ssh_server_template', `
mount_send_nfs_client_request($1_t) mount_send_nfs_client_request($1_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(crond_t)
')
ifdef(`TODO',` ifdef(`TODO',`
# Read /var. # Read /var.

33
refpolicy/policy/modules/system/authlogin.if
View File

@ -35,7 +35,7 @@ template(`authlogin_per_userdomain_template',`
class fifo_file rw_file_perms; class fifo_file rw_file_perms;
') ')
type $1_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain; type $1_chkpwd_t, can_read_shadow_passwords;
domain_type($1_chkpwd_t) domain_type($1_chkpwd_t)
domain_entry_file($1_chkpwd_t,chkpwd_exec_t) domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
role $1_r types $1_chkpwd_t; role $1_r types $1_chkpwd_t;
@ -103,6 +103,10 @@ template(`authlogin_per_userdomain_template',`
nis_use_ypbind($1_chkpwd_t) nis_use_ypbind($1_chkpwd_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket($1_chkpwd_t)
')
optional_policy(`selinuxutil.te',` optional_policy(`selinuxutil.te',`
seutil_use_newrole_fd($1_chkpwd_t) seutil_use_newrole_fd($1_chkpwd_t)
') ')
@ -203,17 +207,36 @@ interface(`auth_domtrans_chk_passwd',`
') ')
######################################## ########################################
## <desc> ## <summary>
## ## Get the attributes of the shadow passwords file.
## </desc> ## </summary>
## <param name="domain"> ## <param name="domain">
## The type of the process performing this action. ## The type of the process performing this action.
## </param> ## </param>
# #
interface(`auth_getattr_shadow',`
gen_require(`
type shadow_t;
class file getattr;
')
files_search_etc($1)
allow $1 shadow_t:file getattr;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of the shadow passwords file.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`auth_dontaudit_getattr_shadow',` interface(`auth_dontaudit_getattr_shadow',`
gen_require(` gen_require(`
type shadow_t; type shadow_t;
class file stat_file_perms; class file getattr;
') ')
dontaudit $1 shadow_t:file getattr; dontaudit $1 shadow_t:file getattr;

24
refpolicy/policy/modules/system/authlogin.te
View File

@ -29,7 +29,7 @@ role system_r types pam_console_t;
domain_entry_file(pam_console_t,pam_console_exec_t) domain_entry_file(pam_console_t,pam_console_exec_t)
type pam_t; #, nscd_client_domain; type pam_t;
domain_type(pam_t) domain_type(pam_t)
role system_r types pam_t; role system_r types pam_t;
@ -39,7 +39,7 @@ domain_entry_file(pam_t,pam_exec_t)
type pam_tmp_t; type pam_tmp_t;
files_tmp_file(pam_tmp_t) files_tmp_file(pam_tmp_t)
type pam_var_console_t; #, nscd_client_domain type pam_var_console_t;
files_type(pam_var_console_t) files_type(pam_var_console_t)
type pam_var_run_t; type pam_var_run_t;
@ -51,12 +51,12 @@ neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write }; neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto; neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
type system_chkpwd_t, can_read_shadow_passwords; # , nscd_client_domain; type system_chkpwd_t, can_read_shadow_passwords;
domain_type(system_chkpwd_t) domain_type(system_chkpwd_t)
domain_entry_file(system_chkpwd_t,chkpwd_exec_t) domain_entry_file(system_chkpwd_t,chkpwd_exec_t)
role system_r types system_chkpwd_t; role system_r types system_chkpwd_t;
type utempter_t; #, nscd_client_domain; type utempter_t;
domain_type(utempter_t) domain_type(utempter_t)
type utempter_exec_t; type utempter_exec_t;
@ -118,6 +118,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(pam_t) nis_use_ypbind(pam_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(pam_t)
')
ifdef(`TODO',` ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;') ifdef(`gnome-pty-helper.te', `allow pam_t gphdomain:fd use;')
') dnl endif TODO ') dnl endif TODO
@ -207,6 +211,10 @@ optional_policy(`hotplug.te', `
hotplug_dontaudit_search_config(pam_console_t) hotplug_dontaudit_search_config(pam_console_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(pam_console_t)
')
optional_policy(`selinuxutil.te',` optional_policy(`selinuxutil.te',`
seutil_sigchld_newrole(pam_console_t) seutil_sigchld_newrole(pam_console_t)
') ')
@ -280,6 +288,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(system_chkpwd_t) nis_use_ypbind(system_chkpwd_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(system_chkpwd_t)
')
ifdef(`TODO',` ifdef(`TODO',`
can_ldap(system_chkpwd_t) can_ldap(system_chkpwd_t)
') dnl end TODO ') dnl end TODO
@ -314,6 +326,10 @@ logging_search_logs(utempter_t)
# Allow utemper to write to /tmp/.xses-* # Allow utemper to write to /tmp/.xses-*
userdom_write_unpriv_user_tmp(utempter_t) userdom_write_unpriv_user_tmp(utempter_t)
optional_policy(`nscd.te',`
nscd_use_socket(utempter_t)
')
optional_policy(`xdm.te', ` optional_policy(`xdm.te', `
#allow utempter_t xdm_t:fd use; #allow utempter_t xdm_t:fd use;
xdm_use_fd(utempter_t) xdm_use_fd(utempter_t)

6
refpolicy/policy/modules/system/locallogin.te
View File

@ -6,7 +6,7 @@ policy_module(locallogin,1.0)
# Declarations # Declarations
# #
type local_login_t; #, nscd_client_domain; type local_login_t;
auth_login_entry_type(local_login_t) auth_login_entry_type(local_login_t)
domain_type(local_login_t) domain_type(local_login_t)
domain_obj_id_change_exempt(local_login_t) domain_obj_id_change_exempt(local_login_t)
@ -190,6 +190,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(local_login_t) nis_use_ypbind(local_login_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(local_login_t)
')
optional_policy(`usermanage.te',` optional_policy(`usermanage.te',`
usermanage_read_crack_db(local_login_t) usermanage_read_crack_db(local_login_t)
') ')

6
refpolicy/policy/modules/system/selinuxutil.te
View File

@ -37,7 +37,7 @@ role system_r types load_policy_t;
type load_policy_exec_t; type load_policy_exec_t;
domain_entry_file(load_policy_t,load_policy_exec_t) domain_entry_file(load_policy_t,load_policy_exec_t)
type newrole_t; # nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl; type newrole_t; # mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
domain_role_change_exempt(newrole_t) domain_role_change_exempt(newrole_t)
domain_obj_id_change_exempt(newrole_t) domain_obj_id_change_exempt(newrole_t)
domain_type(newrole_t) domain_type(newrole_t)
@ -244,6 +244,10 @@ optional_policy(`nis.te',`
nis_use_ypbind(newrole_t) nis_use_ypbind(newrole_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(newrole_t)
')
ifdef(`TODO',` ifdef(`TODO',`
ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;') ifdef(`gnome-pty-helper.te', `allow newrole_t gphdomain:fd use;')
') dnl ifdef TODO ') dnl ifdef TODO

6
refpolicy/policy/modules/system/udev.te
View File

@ -6,7 +6,7 @@ policy_module(udev,1.0)
# Declarations # Declarations
# #
type udev_t; # nscd_client_domain type udev_t;
type udev_exec_t; type udev_exec_t;
type udev_helper_exec_t; type udev_helper_exec_t;
kernel_userland_entry(udev_t,udev_exec_t) kernel_userland_entry(udev_t,udev_exec_t)
@ -148,6 +148,10 @@ optional_policy(`hotplug.te',`
hotplug_read_config(udev_t) hotplug_read_config(udev_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket(udev_t)
')
optional_policy(`sysnetwork.te',` optional_policy(`sysnetwork.te',`
sysnet_domtrans_dhcpc(udev_t) sysnet_domtrans_dhcpc(udev_t)
') ')

8
refpolicy/policy/modules/system/unconfined.if
View File

@ -47,6 +47,10 @@ template(`unconfined_domain_template',`
bootloader_manage_kernel_modules($1) bootloader_manage_kernel_modules($1)
') ')
optional_policy(`nscd.te', `
nscd_unconfined($1)
')
optional_policy(`selinuxutil.te',` optional_policy(`selinuxutil.te',`
seutil_create_binary_pol($1) seutil_create_binary_pol($1)
seutil_relabelto_binary_pol($1) seutil_relabelto_binary_pol($1)
@ -67,10 +71,6 @@ template(`unconfined_domain_template',`
allow $1 system_dbusd_t:dbus *; allow $1 system_dbusd_t:dbus *;
') ')
ifdef(`nscd.te', `
# Get info via nscd.
allow $1 nscd_t:nscd *;
')
') dnl end TODO ') dnl end TODO
') ')

8
refpolicy/policy/modules/system/userdomain.if
View File

@ -232,6 +232,10 @@ template(`base_user_template',`
nis_use_ypbind($1_t) nis_use_ypbind($1_t)
') ')
optional_policy(`nscd.te',`
nscd_use_socket($1_t)
')
optional_policy(`rpm.te',` optional_policy(`rpm.te',`
files_getattr_var_lib_dir($1_t) files_getattr_var_lib_dir($1_t)
files_search_var_lib($1_t) files_search_var_lib($1_t)
@ -440,7 +444,7 @@ template(`unpriv_user_template', `
# Inherit rules for ordinary users. # Inherit rules for ordinary users.
base_user_template($1) base_user_template($1)
typeattribute $1_t unpriv_userdomain; #, web_client_domain, nscd_client_domain; typeattribute $1_t unpriv_userdomain; #, web_client_domain
domain_wide_inherit_fd($1_t) domain_wide_inherit_fd($1_t)
#typeattribute $1_devpts_t userpty_type, user_tty_type; #typeattribute $1_devpts_t userpty_type, user_tty_type;
@ -669,7 +673,7 @@ template(`admin_user_template',`
# Inherit rules for ordinary users. # Inherit rules for ordinary users.
base_user_template($1) base_user_template($1)
typeattribute $1_t privhome; #, admin, web_client_domain, nscd_client_domain; typeattribute $1_t privhome; #, admin, web_client_domain
domain_obj_id_change_exempt($1_t) domain_obj_id_change_exempt($1_t)
role system_r types $1_t; role system_r types $1_t;