add patch from dan

This commit is contained in:
Chris PeBenito 2005-11-15 16:34:10 +00:00
parent a0f5ff6435
commit 7b062eac78
6 changed files with 33 additions and 3 deletions

View File

@ -1,3 +1,4 @@
- Fixes from Dan Walsh for ldap and authlogin.
- Fix corenetwork gen_context()'s to expand during the policy - Fix corenetwork gen_context()'s to expand during the policy
build phase instead of during the generation phase. build phase instead of during the generation phase.
- DISTRO=redhat now implies DIRECT_INITRC=y. - DISTRO=redhat now implies DIRECT_INITRC=y.

View File

@ -1,5 +1,5 @@
policy_module(ldap,1.0) policy_module(ldap,1.0.1)
######################################## ########################################
# #
@ -10,12 +10,18 @@ type slapd_t;
type slapd_exec_t; type slapd_exec_t;
init_daemon_domain(slapd_t,slapd_exec_t) init_daemon_domain(slapd_t,slapd_exec_t)
type slapd_cert_t;
files_type(slapd_cert_t)
type slapd_db_t; type slapd_db_t;
files_type(slapd_db_t) files_type(slapd_db_t)
type slapd_etc_t; type slapd_etc_t;
files_config_file(slapd_etc_t) files_config_file(slapd_etc_t)
type slapd_lock_t;
files_lock_file(slapd_lock_t)
type slapd_replog_t; type slapd_replog_t;
files_type(slapd_replog_t) files_type(slapd_replog_t)
@ -41,6 +47,10 @@ allow slapd_t self:udp_socket create_socket_perms;
#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach) #slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
allow slapd_t self:tcp_socket create_stream_socket_perms; allow slapd_t self:tcp_socket create_stream_socket_perms;
allow slapd_t slapd_cert_t:dir r_dir_perms;
allow slapd_t slapd_cert_t:file r_file_perms;
allow slapd_t slapd_cert_t:lnk_file { getattr read };
# Allow access to the slapd databases # Allow access to the slapd databases
allow slapd_t slapd_db_t:dir create_dir_perms; allow slapd_t slapd_db_t:dir create_dir_perms;
allow slapd_t slapd_db_t:file create_file_perms; allow slapd_t slapd_db_t:file create_file_perms;
@ -48,6 +58,9 @@ allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
allow slapd_t slapd_etc_t:file { getattr read }; allow slapd_t slapd_etc_t:file { getattr read };
allow slapd_t slapd_lock_t:file create_file_perms;
files_create_lock(slapd_t,slapd_lock_t)
# Allow access to write the replication log (should tighten this) # Allow access to write the replication log (should tighten this)
allow slapd_t slapd_replog_t:dir create_dir_perms; allow slapd_t slapd_replog_t:dir create_dir_perms;
allow slapd_t slapd_replog_t:file create_file_perms; allow slapd_t slapd_replog_t:file create_file_perms;

View File

@ -23,6 +23,8 @@ ifdef(`distro_suse', `
/var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0) /var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0) /var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
/var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0) /var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0)

View File

@ -920,6 +920,12 @@ interface(`auth_manage_login_records',`
## </param> ## </param>
# #
interface(`auth_use_nsswitch',` interface(`auth_use_nsswitch',`
gen_require(`
type var_auth_t;
')
allow $1 var_auth_t:dir r_dir_perms;
allow $1 var_auth_t:file create_file_perms;
sysnet_dns_name_resolve($1) sysnet_dns_name_resolve($1)
sysnet_use_ldap($1) sysnet_use_ldap($1)

View File

@ -1,5 +1,5 @@
policy_module(authlogin,1.0) policy_module(authlogin,1.0.1)
######################################## ########################################
# #
@ -64,6 +64,13 @@ domain_type(utempter_t)
type utempter_exec_t; type utempter_exec_t;
domain_entry_file(utempter_t,utempter_exec_t) domain_entry_file(utempter_t,utempter_exec_t)
#
# var_auth_t is the type of /var/lib/auth, usually
# used for auth data in pam_able
#
type var_auth_t;
files_type(var_auth_t)
type wtmp_t; type wtmp_t;
logging_log_file(wtmp_t) logging_log_file(wtmp_t)

View File

@ -1,5 +1,5 @@
policy_module(logging,1.0) policy_module(logging,1.0.1)
######################################## ########################################
# #
@ -108,6 +108,7 @@ allow auditd_t self:process { signal_perms setsched };
allow auditd_t self:file { getattr read write }; allow auditd_t self:file { getattr read write };
allow auditd_t self:unix_dgram_socket create_socket_perms; allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv }; allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditd_t self:fifo_file rw_file_perms;
allow auditd_t auditd_etc_t:file r_file_perms; allow auditd_t auditd_etc_t:file r_file_perms;