add patch from dan
This commit is contained in:
parent
a0f5ff6435
commit
7b062eac78
@ -1,3 +1,4 @@
|
||||
- Fixes from Dan Walsh for ldap and authlogin.
|
||||
- Fix corenetwork gen_context()'s to expand during the policy
|
||||
build phase instead of during the generation phase.
|
||||
- DISTRO=redhat now implies DIRECT_INITRC=y.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(ldap,1.0)
|
||||
policy_module(ldap,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -10,12 +10,18 @@ type slapd_t;
|
||||
type slapd_exec_t;
|
||||
init_daemon_domain(slapd_t,slapd_exec_t)
|
||||
|
||||
type slapd_cert_t;
|
||||
files_type(slapd_cert_t)
|
||||
|
||||
type slapd_db_t;
|
||||
files_type(slapd_db_t)
|
||||
|
||||
type slapd_etc_t;
|
||||
files_config_file(slapd_etc_t)
|
||||
|
||||
type slapd_lock_t;
|
||||
files_lock_file(slapd_lock_t)
|
||||
|
||||
type slapd_replog_t;
|
||||
files_type(slapd_replog_t)
|
||||
|
||||
@ -41,6 +47,10 @@ allow slapd_t self:udp_socket create_socket_perms;
|
||||
#slapd needs to listen and accept needed by ldapsearch (slapd needs to accept from ldapseach)
|
||||
allow slapd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow slapd_t slapd_cert_t:dir r_dir_perms;
|
||||
allow slapd_t slapd_cert_t:file r_file_perms;
|
||||
allow slapd_t slapd_cert_t:lnk_file { getattr read };
|
||||
|
||||
# Allow access to the slapd databases
|
||||
allow slapd_t slapd_db_t:dir create_dir_perms;
|
||||
allow slapd_t slapd_db_t:file create_file_perms;
|
||||
@ -48,6 +58,9 @@ allow slapd_t slapd_db_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow slapd_t slapd_etc_t:file { getattr read };
|
||||
|
||||
allow slapd_t slapd_lock_t:file create_file_perms;
|
||||
files_create_lock(slapd_t,slapd_lock_t)
|
||||
|
||||
# Allow access to write the replication log (should tighten this)
|
||||
allow slapd_t slapd_replog_t:dir create_dir_perms;
|
||||
allow slapd_t slapd_replog_t:file create_file_perms;
|
||||
|
@ -23,6 +23,8 @@ ifdef(`distro_suse', `
|
||||
|
||||
/var/db/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
|
||||
|
||||
/var/lib/abl(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
|
||||
|
||||
/var/log/btmp.* -- gen_context(system_u:object_r:faillog_t,s0)
|
||||
/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
|
||||
/var/log/faillog -- gen_context(system_u:object_r:faillog_t,s0)
|
||||
|
@ -920,6 +920,12 @@ interface(`auth_manage_login_records',`
|
||||
## </param>
|
||||
#
|
||||
interface(`auth_use_nsswitch',`
|
||||
gen_require(`
|
||||
type var_auth_t;
|
||||
')
|
||||
|
||||
allow $1 var_auth_t:dir r_dir_perms;
|
||||
allow $1 var_auth_t:file create_file_perms;
|
||||
|
||||
sysnet_dns_name_resolve($1)
|
||||
sysnet_use_ldap($1)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(authlogin,1.0)
|
||||
policy_module(authlogin,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -64,6 +64,13 @@ domain_type(utempter_t)
|
||||
type utempter_exec_t;
|
||||
domain_entry_file(utempter_t,utempter_exec_t)
|
||||
|
||||
#
|
||||
# var_auth_t is the type of /var/lib/auth, usually
|
||||
# used for auth data in pam_able
|
||||
#
|
||||
type var_auth_t;
|
||||
files_type(var_auth_t)
|
||||
|
||||
type wtmp_t;
|
||||
logging_log_file(wtmp_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(logging,1.0)
|
||||
policy_module(logging,1.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -108,6 +108,7 @@ allow auditd_t self:process { signal_perms setsched };
|
||||
allow auditd_t self:file { getattr read write };
|
||||
allow auditd_t self:unix_dgram_socket create_socket_perms;
|
||||
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
|
||||
allow auditd_t self:fifo_file rw_file_perms;
|
||||
|
||||
allow auditd_t auditd_etc_t:file r_file_perms;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user