From cdc91b9aeb422bcb85b0ea64883dcc8986520b46 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 8 Mar 2007 15:14:45 +0000
Subject: [PATCH] Patch for handling restart of nscd when ran from useradd, groupadd, and admin passwd, from Dan Walsh.
---
 Changelog | 2 ++
 policy/modules/admin/usermanage.if | 3 +++
 policy/modules/admin/usermanage.te | 11 +----------
 policy/modules/services/nscd.if | 31 ++++++++++++++++++++++++++++++
 policy/modules/services/nscd.te | 2 +-
 5 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/Changelog b/Changelog
index b9f3917e..4fea4ca1 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Patch for handling restart of nscd when ran from useradd, groupadd, and
+ admin passwd, from Dan Walsh.
 - Patch for procmail, spamassassin, and pyzor updates from Dan Walsh.
 - Patch for setroubleshoot for validating file contexts from Dan Walsh.
 - Patch for gssd fixes from Dan Walsh.
diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index f71a57f0..7d0a3943 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -101,6 +101,7 @@ interface(`usermanage_run_groupadd',`
 usermanage_domtrans_groupadd($1)
 role $2 types groupadd_t;
 allow groupadd_t $3:chr_file rw_term_perms;
+ nscd_run(groupadd_t, $2, $3)
 ')
 ########################################
@@ -206,6 +207,7 @@ interface(`usermanage_run_admin_passwd',`
 usermanage_domtrans_admin_passwd($1)
 role $2 types sysadm_passwd_t;
 allow sysadm_passwd_t $3:chr_file rw_term_perms;
+ nscd_run(sysadm_passwd_t, $2, $3)
 ')
 ########################################
@@ -258,6 +260,7 @@ interface(`usermanage_run_useradd',`
 usermanage_domtrans_useradd($1)
 role $2 types useradd_t;
 allow useradd_t $3:chr_file rw_term_perms;
+ nscd_run(useradd_t, $2, $3)
 ')
 ########################################
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 56705bcb..9e37d63c 100644
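Review bot: The added `nscd_run(groupadd_t, $2, $3)` call in `usermanage_run_groupadd` is unconditional, and the same applies to the matching additions in `usermanage_run_admin_passwd` and `usermanage_run_useradd`, whereas the `nscd_domtrans` calls this commit removes from usermanage.te each sat inside an `optional_policy` block. As written, usermanage appears to gain a hard dependency on the nscd module; wrapping each added call in its own `optional_policy` block would keep nscd optional, as it was before. Each call also authorizes every role passed as `$2` for `nscd_t`, so a one-line comment such as `# the calling role needs nscd_t so the nscd restart can transition` would record why the role grant widened. The interface bodies start outside these hunks, so any `gen_require` they carry is not visible here.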
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
-policy_module(usermanage,1.5.1)
+policy_module(usermanage,1.5.2)
 ########################################
 #
@@ -256,10 +256,6 @@ optional_policy(`
 dpkg_rw_pipes(groupadd_t)
 ')
-optional_policy(`
- nscd_domtrans(groupadd_t)
-')
-
 optional_policy(`
 rpm_use_fds(groupadd_t)
 rpm_rw_pipes(groupadd_t)
@@ -444,7 +440,6 @@ optional_policy(`
 ')
 optional_policy(`
- nscd_domtrans(sysadm_passwd_t)
 nscd_socket_use(sysadm_passwd_t)
 ')
@@ -539,10 +534,6 @@ optional_policy(`
 dpkg_rw_pipes(useradd_t)
 ')
-optional_policy(`
- nscd_domtrans(useradd_t)
-')
-
 optional_policy(`
 rpm_use_fds(useradd_t)
 rpm_rw_pipes(useradd_t)
diff --git a/policy/modules/services/nscd.if b/policy/modules/services/nscd.if
index edeb2175..80d8f6db 100644
--- a/policy/modules/services/nscd.if
+++ b/policy/modules/services/nscd.if
@@ -173,3 +173,34 @@ interface(`nscd_unconfined',`
 allow $1 nscd_t:nscd *;
 ')
+
+########################################
+##
+## Execute nscd in the nscd domain, and
+## allow the specified role the nscd domain.
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## The role to be allowed the nscd domain.
+##
+##
+##
+##
+## The type of the role's terminal.
+##
+##
+#
+interface(`nscd_run',`
+ gen_require(`
+ type nscd_t;
+ ')
+
+ nscd_domtrans($1)
+ role $2 types nscd_t;
+ dontaudit nscd_t $3:chr_file rw_term_perms;
+')
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index fe31de30..50652cc0 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
-policy_module(nscd,1.3.1)
+policy_module(nscd,1.3.2)
 gen_require(`
 class nscd all_nscd_perms;
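Review bot: The last rule of the new `nscd_run` interface is `dontaudit nscd_t $3:chr_file rw_term_perms;`, so nscd's access to the caller's terminal is denied silently rather than granted, yet the header comment describes `$3` only as the type of the role's terminal. The `usermanage_run_*` interfaces in this same commit use `allow` on that parameter, so a reader could take the `dontaudit` for a typo. I would add a comment above the rule, for example `# nscd is a daemon: silence terminal denials instead of granting access`, and state in the third parameter's summary that access is dontaudited, not allowed. Anyone triaging nscd denials should also know that this rule keeps those terminal accesses out of the audit log.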