[refpolicy] [Patch 4/4] Implementation of nsswitch_domain attribute

Christopher J. PeBenito cpebenito at tresys.com
Tue Jul 10 07:28:55 CDT 2012


On 07/10/12 08:14, Miroslav Grepl wrote:
> On 07/10/2012 02:07 PM, Christopher J. PeBenito wrote:
>> On 07/03/12 07:44, Miroslav Grepl wrote:
>>> * Add ldap_stream_connect() interface for domains which need it
>> Since this is in the nsswitch patch set, I assume this access is for nsswitch.  Why not put it in authlogin and use the attribute?
> The problem is we have now
> 
> optional_policy(`
>     tunable_policy(`authlogin_nsswitch_use_ldap',`
>         ldap_stream_connect(nsswitch_domain)
>     ')
> ')
> 
> but these domains need this access without this boolean.

So this is not actually related to the nsswitch patches?

>> The other three patches are fine.
>>
>>> diff --git a/apache.te b/apache.te
>>> index a36a01d..4b0f792 100644
>>> --- a/apache.te
>>> +++ b/apache.te
>>> @@ -559,6 +559,11 @@ optional_policy(`
>>>   ')
>>>     optional_policy(`
>>> +    # needed by FreeIPA
>>> +    ldap_stream_connect(httpd_t)
>>> +')
>>> +
>>> +optional_policy(`
>>>       mailman_signal_cgi(httpd_t)
>>>       mailman_domtrans_cgi(httpd_t)
>>>       mailman_read_data_files(httpd_t)
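Review bot: the new ldap_stream_connect(httpd_t) block is granted to every httpd_t instance, while the comment scopes the need to FreeIPA. If only FreeIPA deployments need httpd to reach the local slapd socket, either guard the call with a tunable (the same way the nsswitch case in this thread is gated on authlogin_nsswitch_use_ldap) or say in the commit message why every httpd_t should have it; the one-line comment is not enough for a later maintainer to re-evaluate.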
>>> diff --git a/bind.te b/bind.te
>>> index 4deca04..0968cb4 100644
>>> --- a/bind.te
>>> +++ b/bind.te
>>> @@ -171,6 +171,11 @@ optional_policy(`
>>>   ')
>>>     optional_policy(`
>>> +    # needed by FreeIPA with DNS support
>>> +    ldap_stream_connect(named_t)
>>> +')
>>> +
>>> +optional_policy(`
>>>       # this seems like fds that arent being
>>>       # closed. these should probably be
>>>       # dontaudits instead.
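Review bot: the rationale "needed by FreeIPA with DNS support" does not say which component makes named_t connect to the slapd unix socket, and the access is unconditional for all named_t. Name the component in the comment, and consider the same tunable treatment as the httpd_t hunk so that plain BIND installs do not carry slapd socket connect rights they never use.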
>>> diff --git a/kerberos.te b/kerberos.te
>>> index 8edc29b..519d5fc 100644
>>> --- a/kerberos.te
>>> +++ b/kerberos.te
>>> @@ -160,6 +160,10 @@ userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
>>>   userdom_dontaudit_search_user_home_dirs(kadmind_t)
>>>     optional_policy(`
>>> +    ldap_stream_connect(kadmind_t)
>>> +')
>>> +
>>> +optional_policy(`
>>>       nis_use_ypbind(kadmind_t)
>>>   ')
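Review bot: unlike the apache.te and bind.te hunks, this block carries no comment explaining why kadmind_t needs to connect to the slapd socket; add the same `# needed by FreeIPA` style comment so the rule is not left looking like a generic grant.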
>>>   @@ -260,6 +264,10 @@ userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
>>>   userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
>>>     optional_policy(`
>>> +    ldap_stream_connect(krb5kdc_t)
>>> +')
>>> +
>>> +optional_policy(`
>>>       nis_use_ypbind(krb5kdc_t)
>>>   ')
>>>   diff --git a/ldap.if b/ldap.if
>>> index 3aa8fa7..73fda9b 100644
>>> --- a/ldap.if
>>> +++ b/ldap.if
>>> @@ -69,8 +69,7 @@ interface(`ldap_stream_connect',`
>>>       ')
>>>         files_search_pids($1)
>>> -    allow $1 slapd_var_run_t:sock_file write;
>>> -    allow $1 slapd_t:unix_stream_socket connectto;
>>> +    stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
>>>   ')
>>>     ########################################
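Review bot: stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) is a strict superset of the two removed allow rules: it adds dir search on slapd_var_run_t and grants write_sock_file_perms on the sock_file instead of plain write. That is the preferred refpolicy idiom, but the second argument is the directory that contains the socket, so this only matches if the socket sits inside a slapd_var_run_t directory; if it lives directly under /var/run, the files_search_pids($1) call above already provides the search and the dir argument should reflect that. This change is also independent of the nsswitch_domain attribute and of the new callers, so it would be cleaner as its own patch.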
>>> diff --git a/nslcd.te b/nslcd.te
>>> index 4e28d58..d9854ff 100644
>>> --- a/nslcd.te
>>> +++ b/nslcd.te
>>> @@ -43,3 +43,7 @@ auth_use_nsswitch(nslcd_t)
>>>   logging_send_syslog_msg(nslcd_t)
>>>     miscfiles_read_localization(nslcd_t)
>>> +
>>> +optional_policy(`
>>> +    ldap_stream_connect(nslcd_t)
>>> +')
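Review bot: the context shows auth_use_nsswitch(nslcd_t) already applies, so nslcd_t already reaches slapd through the tunable-gated nsswitch path quoted earlier in this thread; adding an unconditional ldap_stream_connect(nslcd_t) makes the authlogin_nsswitch_use_ldap boolean irrelevant for this domain. If that is the intent (Miroslav's point that these domains need the access without the boolean), record it in a comment next to the call, and the same applies to sssd_t below.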
>>> diff --git a/samba.te b/samba.te
>>> index fc22785..ca5c978 100644
>>> --- a/samba.te
>>> +++ b/samba.te
>>> @@ -219,6 +219,10 @@ userdom_use_user_terminals(samba_net_t)
>>>   userdom_list_user_home_dirs(samba_net_t)
>>>     optional_policy(`
>>> +    ldap_stream_connect(samba_net_t)
>>> +')
>>> +
>>> +optional_policy(`
>>>       pcscd_read_pub_files(samba_net_t)
>>>   ')
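Review bot: no comment says why samba_net_t needs the slapd socket; as with the kerberos hunks, add a one-line rationale so the grant can be revisited later.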
>>>   @@ -421,6 +425,10 @@ optional_policy(`
>>>   ')
>>>     optional_policy(`
>>> +    ldap_stream_connect(smbd_t)
>>> +')
>>> +
>>> +optional_policy(`
>>>       lpd_exec_lpr(smbd_t)
>>>   ')
>>>   diff --git a/sssd.te b/sssd.te
>>> index 8ffa257..a1b61bc 100644
>>> --- a/sssd.te
>>> +++ b/sssd.te
>>> @@ -88,3 +88,7 @@ optional_policy(`
>>>   optional_policy(`
>>>       kerberos_manage_host_rcache(sssd_t)
>>>   ')
>>> +
>>> +optional_policy(`
>>> +    ldap_stream_connect(sssd_t)
>>> +')
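Review bot: the block is appended after the kerberos optional_policy, which keeps the file's alphabetical ordering, but as with nslcd.te the access is unconditional and undocumented; a comment stating that sssd_t needs the slapd socket regardless of the nsswitch boolean would make the intent explicit.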


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com