80 lines
2.8 KiB
Plaintext
80 lines
2.8 KiB
Plaintext
#DESC NSCD - Name service cache daemon cache lookup of user-name
|
|
#
|
|
# Author: Russell Coker <russell@coker.com.au>
|
|
# X-Debian-Packages: nscd
|
|
#
|
|
define(`nscd_socket_domain', `
|
|
can_unix_connect($1, nscd_t)
|
|
allow $1 nscd_var_run_t:sock_file rw_file_perms;
|
|
allow $1 { var_run_t var_t }:dir search;
|
|
allow $1 nscd_t:nscd { getpwd getgrp gethost };
|
|
dontaudit $1 nscd_t:fd use;
|
|
dontaudit $1 nscd_var_run_t:dir { search getattr };
|
|
dontaudit $1 nscd_var_run_t:file { getattr read };
|
|
dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
|
|
')
|
|
#################################
|
|
#
|
|
# Rules for the nscd_t domain.
|
|
#
|
|
# nscd is both the client program and the daemon.
|
|
daemon_domain(nscd, `, userspace_objmgr')
|
|
|
|
allow nscd_t etc_t:file r_file_perms;
|
|
allow nscd_t etc_t:lnk_file read;
|
|
can_network_client(nscd_t)
|
|
allow nscd_t port_type:tcp_socket name_connect;
|
|
can_ypbind(nscd_t)
|
|
|
|
file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
|
|
|
|
allow nscd_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
nscd_socket_domain(nscd_client_domain)
|
|
nscd_socket_domain(daemon)
|
|
|
|
# Clients that are allowed to map the database via a fd obtained from nscd.
|
|
nscd_socket_domain(nscd_shmem_domain)
|
|
allow nscd_shmem_domain nscd_var_run_t:dir r_dir_perms;
|
|
allow nscd_shmem_domain nscd_t:nscd { shmempwd shmemgrp shmemhost };
|
|
# Receive fd from nscd and map the backing file with read access.
|
|
allow nscd_shmem_domain nscd_t:fd use;
|
|
|
|
# For client program operation, invoked from sysadm_t.
|
|
# Transition occurs to nscd_t due to direct_sysadm_daemon.
|
|
allow nscd_t self:nscd { admin getstat };
|
|
allow nscd_t admin_tty_type:chr_file rw_file_perms;
|
|
|
|
read_sysctl(nscd_t)
|
|
allow nscd_t self:process { getattr setsched };
|
|
allow nscd_t self:unix_dgram_socket create_socket_perms;
|
|
allow nscd_t self:fifo_file { read write };
|
|
allow nscd_t self:capability { kill setgid setuid net_bind_service };
|
|
|
|
# for when /etc/passwd has just been updated and has the wrong type
|
|
allow nscd_t shadow_t:file getattr;
|
|
|
|
dontaudit nscd_t sysadm_home_dir_t:dir search;
|
|
|
|
ifdef(`winbind.te', `
|
|
#
|
|
# Handle winbind for samba, Might only be needed for targeted policy
|
|
#
|
|
allow nscd_t winbind_var_run_t:sock_file { read write getattr };
|
|
can_unix_connect(nscd_t, winbind_t)
|
|
allow nscd_t samba_var_t:dir search;
|
|
allow nscd_t winbind_var_run_t:dir { getattr search };
|
|
')
|
|
|
|
r_dir_file(nscd_t, selinux_config_t)
|
|
can_getsecurity(nscd_t)
|
|
allow nscd_t self:netlink_selinux_socket create_socket_perms;
|
|
allow nscd_t self:netlink_route_socket r_netlink_socket_perms;
|
|
allow nscd_t tmp_t:dir { search getattr };
|
|
allow nscd_t tmp_t:lnk_file read;
|
|
allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
|
|
log_domain(nscd)
|
|
r_dir_file(nscd_t, cert_t)
|
|
allow nscd_t tun_tap_device_t:chr_file { read write };
|
|
allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|