[refpolicy] [Patch 4/4] Implementation of nsswitch_domain attribute

Miroslav Grepl mgrepl at redhat.com
Tue Jul 10 07:38:23 CDT 2012


On 07/10/2012 02:37 PM, Christopher J. PeBenito wrote:
> On 07/10/12 08:32, Miroslav Grepl wrote:
>> On 07/10/2012 02:28 PM, Christopher J. PeBenito wrote:
>>> On 07/10/12 08:14, Miroslav Grepl wrote:
>>>> On 07/10/2012 02:07 PM, Christopher J. PeBenito wrote:
>>>>> On 07/03/12 07:44, Miroslav Grepl wrote:
>>>>>> * Add ldap_stream_connect() interface for domains which need it
>>>>> Since this is in the nsswitch patch set, I assume this access is for nsswitch.  Why not put it in authlogin and use the attribute?
>>>> The problem is we have now
>>>>
>>>> optional_policy(`
>>>>       tunable_policy(`authlogin_nsswitch_use_ldap',`
>>>>           ldap_stream_connect(nsswitch_domain)
>>>>       ')
>>>> ')
>>>>
>>>> but these domains need this access without this boolean.
>>> So this is not actually related to the nsswitch patches?
>> Previously, ldap_stream_connect() was allowed by default (where auth_use_nsswitch() was used) without the authlogin_nsswitch_use_ldap boolean. If we now add this boolean, it will not be allowed by default and it will break these domains.
> Ok, I get it.  These domains actually need the access unconditionally, but it was obscured by auth_use_nsswitch() always having ldap_stream_connect().  Right?
>
Yes.


