2012-12-17 20:06:29

by dominick.grift

Subject: [refpolicy] [PATCH] NSCD related changes in various policy modules


Use nscd_use instead of nscd_socket_use. This conditionally allows
nscd_shm_use

Remove the nscd_socket_use from ssh_keygen since it was redundant: it is
already allowed by auth_use_nsswitch

Had to make some ssh_keysign_t rules unconditional else
nscd_use(ssh_keysign_t) would not build (nested booleans) but that does
not matter, the only actual domain transition to ssh_keysign_t is
conditional so the other unconditional ssh_keygen_t rules are
conditional in practice

Signed-off-by: Dominick Grift <[email protected]>
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index eeb8e69..8f55b4f 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -203,7 +203,7 @@
')

optional_policy(`
- nscd_socket_use(bootloader_t)
+ nscd_use(bootloader_t)
')

optional_policy(`
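Review bot: The substitution on the added line widens what bootloader_t is granted: per the description, nscd_use() conditionally adds nscd_shm_use() on top of the socket access, so this domain can now also use nscd's shared data when the gating boolean is enabled, and the same applies to the one-line hunks in authlogin.te (utempter_t), clock.te, getty.te, hotplug.te, init.te, ipsec.te, locallogin.te and modutils.te. The description drops the ssh_keygen_t call because auth_use_nsswitch() already covers it, and the authlogin.te hunk for nsswitch_domain now routes nscd_use() through that attribute; if any of the remaining per-domain callers already call auth_use_nsswitch() (not visible in these hunks), their explicit call is redundant in the same way and could be dropped for consistency. The widened grant looks deliberate, but one sentence in the commit message naming the boolean that gates the shm part would make the scope change easier to audit later.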
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index d440e3b..6b47da6 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -200,21 +200,17 @@
# ssh_keysign_t local policy
#

-tunable_policy(`allow_ssh_keysign',`
- allow ssh_keysign_t self:capability { setgid setuid };
- allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+allow ssh_keysign_t self:capability { setgid setuid };
+allow ssh_keysign_t self:unix_stream_socket create_socket_perms;

- allow ssh_keysign_t sshd_key_t:file { getattr read };
+allow ssh_keysign_t sshd_key_t:file { getattr read };

- dev_read_urand(ssh_keysign_t)
+dev_read_urand(ssh_keysign_t)

- files_read_etc_files(ssh_keysign_t)
-')
+files_read_etc_files(ssh_keysign_t)

optional_policy(`
- tunable_policy(`allow_ssh_keysign',`
- nscd_socket_use(ssh_keysign_t)
- ')
+ nscd_use(ssh_keysign_t)
')

#################################
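Review bot: The rules lifted out of tunable_policy(`allow_ssh_keysign') — the setuid/setgid capabilities, the sshd_key_t read and dev_read_urand() — are now unconditional for ssh_keysign_t, and the reason (nscd_use() cannot be nested inside a tunable, and the only transition into the domain is gated elsewhere) lives only in the commit message. Add a comment above the first allow line so the next editor does not re-wrap them or add an unconditional transition without noticing the reliance: `# Unconditional: nscd_use() embeds a tunable and cannot be nested in`, `# allow_ssh_keysign; the domain is only reachable via the conditional`, `# transition to ssh_keysign_t, so these rules are gated in practice.` The gating transition itself is outside this hunk, so its conditionality is taken from the description rather than verified here.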
@@ -327,10 +323,6 @@
logging_send_syslog_msg(ssh_keygen_t)

userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-
-optional_policy(`
- nscd_socket_use(ssh_keygen_t)
-')

optional_policy(`
seutil_sigchld_newrole(ssh_keygen_t)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 4dfa3da..49e5f67 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -397,7 +397,7 @@
')

optional_policy(`
- nscd_socket_use(utempter_t)
+ nscd_use(utempter_t)
')

optional_policy(`
@@ -447,7 +447,7 @@
')

optional_policy(`
- nscd_socket_use(nsswitch_domain)
+ nscd_use(nsswitch_domain)
')

optional_policy(`
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index 711b998..3928e71 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -65,7 +65,7 @@
')

optional_policy(`
- nscd_socket_use(hwclock_t)
+ nscd_use(hwclock_t)
')

optional_policy(`
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index fd100fc..9db083e 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -125,7 +125,7 @@
')

optional_policy(`
- nscd_socket_use(getty_t)
+ nscd_use(getty_t)
')

optional_policy(`
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index b2e41cc..f0f991b 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -168,7 +168,7 @@
')

optional_policy(`
- nscd_socket_use(hotplug_t)
+ nscd_use(hotplug_t)
')

optional_policy(`
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3f0c2d3..24e7804 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -234,7 +234,7 @@
')

optional_policy(`
- nscd_socket_use($1)
+ nscd_use($1)
')
')

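Review bot: nscd_use($1) on the added line means this interface now embeds a tunable block (the description notes nscd_use() cannot be nested in tunable_policy), so any caller that invokes this init.if interface — or the sysnetwork.if one changed the same way — from inside a tunable_policy(...) will hit the same build failure the ssh.te change works around. That constraint is inferred from the description rather than visible here, but if it holds it belongs in the interface's doc comment, which starts above this hunk, e.g. `## This interface contains conditional rules and must not be called from within tunable_policy().` Callers of these interfaces are not visible in the patch, so whether any currently does so cannot be checked from here.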
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d073ad6..cbe19c9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -208,7 +208,7 @@
')

optional_policy(`
- nscd_socket_use(init_t)
+ nscd_use(init_t)
')

optional_policy(`
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index df56407..3de8096 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -326,7 +326,7 @@
')

optional_policy(`
- nscd_socket_use(ipsec_mgmt_t)
+ nscd_use(ipsec_mgmt_t)
')

########################################
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 9fd5be7..cf279a0 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -181,7 +181,7 @@
')

optional_policy(`
- nscd_socket_use(local_login_t)
+ nscd_use(local_login_t)
')

optional_policy(`
@@ -262,5 +262,5 @@
')

optional_policy(`
- nscd_socket_use(sulogin_t)
+ nscd_use(sulogin_t)
')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 79d3e65..203d216 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -205,7 +205,7 @@
')

optional_policy(`
- nscd_socket_use(insmod_t)
+ nscd_use(insmod_t)
')

optional_policy(`
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index fcefe61..6944526 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -699,7 +699,7 @@
')

optional_policy(`
- nscd_socket_use($1)
+ nscd_use($1)
')
')



2013-01-03 15:54:32

by cpebenito

Subject: [refpolicy] [PATCH] NSCD related changes in various policy modules

On 12/17/12 15:06, Dominick Grift wrote:
>
> Use nscd_use instead of nscd_socket_use. This conditionally allows
> nscd_shm_use
>
> Remove the nscd_socket_use from ssh_keygen since it was redundant
> already allowed by auth_use_nsswitch
>
> Had to make some ssh_keysign_t rules unconditional else
> nscd_use(ssh_keysign_t) would not build (nested booleans) but that does
> not matter, the only actual domain transition to ssh_keysign_t is
> conditional so the other unconditional ssh_keygen_t rules are
> conditional in practice

Merged.

> Signed-off-by: Dominick Grift <[email protected]>
> diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
> index eeb8e69..8f55b4f 100644
> --- a/policy/modules/admin/bootloader.te
> +++ b/policy/modules/admin/bootloader.te
> @@ -203,7 +203,7 @@
> ')
>
> optional_policy(`
> - nscd_socket_use(bootloader_t)
> + nscd_use(bootloader_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index d440e3b..6b47da6 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -200,21 +200,17 @@
> # ssh_keysign_t local policy
> #
>
> -tunable_policy(`allow_ssh_keysign',`
> - allow ssh_keysign_t self:capability { setgid setuid };
> - allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
> +allow ssh_keysign_t self:capability { setgid setuid };
> +allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
>
> - allow ssh_keysign_t sshd_key_t:file { getattr read };
> +allow ssh_keysign_t sshd_key_t:file { getattr read };
>
> - dev_read_urand(ssh_keysign_t)
> +dev_read_urand(ssh_keysign_t)
>
> - files_read_etc_files(ssh_keysign_t)
> -')
> +files_read_etc_files(ssh_keysign_t)
>
> optional_policy(`
> - tunable_policy(`allow_ssh_keysign',`
> - nscd_socket_use(ssh_keysign_t)
> - ')
> + nscd_use(ssh_keysign_t)
> ')
>
> #################################
> @@ -327,10 +323,6 @@
> logging_send_syslog_msg(ssh_keygen_t)
>
> userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
> -
> -optional_policy(`
> - nscd_socket_use(ssh_keygen_t)
> -')
>
> optional_policy(`
> seutil_sigchld_newrole(ssh_keygen_t)
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index 4dfa3da..49e5f67 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -397,7 +397,7 @@
> ')
>
> optional_policy(`
> - nscd_socket_use(utempter_t)
> + nscd_use(utempter_t)
> ')
>
> optional_policy(`
> @@ -447,7 +447,7 @@
> ')
>
> optional_policy(`
> - nscd_socket_use(nsswitch_domain)
> + nscd_use(nsswitch_domain)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
> index 711b998..3928e71 100644
> --- a/policy/modules/system/clock.te
> +++ b/policy/modules/system/clock.te
> @@ -65,7 +65,7 @@
> ')
>
> optional_policy(`
> - nscd_socket_use(hwclock_t)
> + nscd_use(hwclock_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
> index fd100fc..9db083e 100644
> --- a/policy/modules/system/getty.te
> +++ b/policy/modules/system/getty.te
> @@ -125,7 +125,7 @@
> ')
>
> optional_policy(`
> - nscd_socket_use(getty_t)
> + nscd_use(getty_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
> index b2e41cc..f0f991b 100644
> --- a/policy/modules/system/hotplug.te
> +++ b/policy/modules/system/hotplug.te
> @@ -168,7 +168,7 @@
> ')
>
> optional_policy(`
> - nscd_socket_use(hotplug_t)
> + nscd_use(hotplug_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 3f0c2d3..24e7804 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -234,7 +234,7 @@
> ')
>
> optional_policy(`
> - nscd_socket_use($1)
> + nscd_use($1)
> ')
> ')
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index d073ad6..cbe19c9 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -208,7 +208,7 @@
> ')
>
> optional_policy(`
> - nscd_socket_use(init_t)
> + nscd_use(init_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index df56407..3de8096 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -326,7 +326,7 @@
> ')
>
> optional_policy(`
> - nscd_socket_use(ipsec_mgmt_t)
> + nscd_use(ipsec_mgmt_t)
> ')
>
> ########################################
> diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
> index 9fd5be7..cf279a0 100644
> --- a/policy/modules/system/locallogin.te
> +++ b/policy/modules/system/locallogin.te
> @@ -181,7 +181,7 @@
> ')
>
> optional_policy(`
> - nscd_socket_use(local_login_t)
> + nscd_use(local_login_t)
> ')
>
> optional_policy(`
> @@ -262,5 +262,5 @@
> ')
>
> optional_policy(`
> - nscd_socket_use(sulogin_t)
> + nscd_use(sulogin_t)
> ')
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index 79d3e65..203d216 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -205,7 +205,7 @@
> ')
>
> optional_policy(`
> - nscd_socket_use(insmod_t)
> + nscd_use(insmod_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
> index fcefe61..6944526 100644
> --- a/policy/modules/system/sysnetwork.if
> +++ b/policy/modules/system/sysnetwork.if
> @@ -699,7 +699,7 @@
> ')
>
> optional_policy(`
> - nscd_socket_use($1)
> + nscd_use($1)
> ')
> ')
>
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com