2010-03-22 19:50:03

by domg472

Subject: [refpolicy] [ likewise patch 1/1] Likewise fixes.

Enclosed are some pretty insignificant modifications to likewise policy, mostly cosmetic.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 057a4e4... 2521c12... M policy/modules/services/likewise.fc
:100644 100644 771e04b... 200b58c... M policy/modules/services/likewise.if
:100644 100644 5f2bded... fdcae6b... M policy/modules/services/likewise.te
policy/modules/services/likewise.fc | 98 +++++++++++++++++-----------------
policy/modules/services/likewise.if | 11 ++--
policy/modules/services/likewise.te | 26 +++++----
3 files changed, 70 insertions(+), 65 deletions(-)

diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc
index 057a4e4..2521c12 100644
--- a/policy/modules/services/likewise.fc
+++ b/policy/modules/services/likewise.fc
@@ -1,54 +1,54 @@
-/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
-/etc/likewise-open/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
-/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
+/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
+/etc/likewise-open/\.pstore\.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
+/etc/likewise-open/likewise-krb5-ad\.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)

-/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)

-/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
-/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
-/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
-/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
-/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
-/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
-/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
-/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)

-/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
-/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
-/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
-/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
-/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
-/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
-/var/lib/likewise-open/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
-/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
-/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
-/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
-/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
-/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
-/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
-/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
-/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
-/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
-/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
-/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
-/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
-/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
-/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
-/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
-/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
-/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
+/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
+/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
+/var/lib/likewise-open/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/krb5-affinity\.conf -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/db/lwi_events\.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
+/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t,s0)
+/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
+/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/run/rpcdep\.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t,s0)

-/var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0)
-/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
-/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
-/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
-/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
-/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
+/var/run/eventlogd\.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0)
+/var/run/lsassd\.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
+/var/run/lwiod\.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
+/var/run/lwregd\.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
+/var/run/netlogond\.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
+/var/run/srvsvcd\.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
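Review bot: The `/var/run` block labels pid files for eventlogd, lsassd, lwiod, lwregd, netlogond and srvsvcd, but has no entry for dcerpcd or lwsmd, although both have init-script and `/usr/sbin` entries earlier in this file. If those two daemons write pid files, a relabel would presumably leave them with the generic `/var/run` label instead of a per-daemon type; whether they do, and whether matching `_var_run_t` types are declared, cannot be seen from this hunk. If so, entries of the form `/var/run/dcerpcd\.pid -- gen_context(system_u:object_r:dcerpcd_var_run_t,s0)` would close the gap. Separately, escaping the dots narrows what each regex matches, so this hunk is a small functional tightening and not purely cosmetic.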

diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
index 771e04b..200b58c 100644
--- a/policy/modules/services/likewise.if
+++ b/policy/modules/services/likewise.if
@@ -1,9 +1,10 @@
## <summary>Likewise Active Directory support for UNIX.</summary>
## <desc>
## <p>
-## Likewise Open is a free, open source application that joins Linux, Unix,
-## and Mac machines to Microsoft Active Directory to securely authenticate
-## users with their domain credentials.
+## Likewise Open is a free, open source application that
+## joins Linux, Unix, and Mac machines to Microsoft Active
+## Directory to securely authenticate users with their
+## domain credentials.
## </p>
## </desc>

@@ -24,7 +25,6 @@
## </param>
#
template(`likewise_domain_template',`
-
gen_require(`
attribute likewise_domains;
type likewise_var_lib_t;
@@ -87,7 +87,8 @@ template(`likewise_domain_template',`

########################################
## <summary>
-## Connect to lsassd.
+## Connect to lsassd on a unix stream
+## socket.
## </summary>
## <param name="domain">
## <summary>
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
index 5f2bded..fdcae6b 100644
--- a/policy/modules/services/likewise.te
+++ b/policy/modules/services/likewise.te
@@ -44,13 +44,14 @@ likewise_domain_template(srvsvcd)

#################################
#
-# Likewise dcerpcd personal policy
+# Likewise dcerpcd policy
#

stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)

corenet_all_recvfrom_netlabel(dcerpcd_t)
corenet_all_recvfrom_unlabeled(dcerpcd_t)
+corenet_sendrecv_epmap_server_packets(dcerpcd_t)
corenet_sendrecv_generic_client_packets(dcerpcd_t)
corenet_sendrecv_generic_server_packets(dcerpcd_t)
corenet_tcp_sendrecv_generic_if(dcerpcd_t)
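Review bot: The added `corenet_sendrecv_epmap_server_packets(dcerpcd_t)` grants a new network permission with no comment explaining why it is needed, while the commit description presents the patch as mostly cosmetic. The same holds for `corenet_udp_sendrecv_epmap_port(dcerpcd_t)` in the next hunk, `corenet_sendrecv_epmap_client_packets(lsassd_t)` and `corenet_tcp_sendrecv_smbd_port(lwiod_t)` further down. A short comment above each corenet block, for example `# dcerpcd binds the epmap port and serves it over TCP and UDP`, would let a later least-privilege audit tell deliberate grants from leftovers. The generic packet and generic port rules visible in the context stay in place next to the new service-specific ones, so it is worth confirming they are still required. The remainder of each domain's section lies outside these hunks.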
@@ -61,6 +62,7 @@ corenet_tcp_bind_epmap_port(dcerpcd_t)
corenet_tcp_connect_generic_port(dcerpcd_t)
corenet_udp_bind_generic_node(dcerpcd_t)
corenet_udp_bind_epmap_port(dcerpcd_t)
+corenet_udp_sendrecv_epmap_port(dcerpcd_t)
corenet_udp_sendrecv_generic_if(dcerpcd_t)
corenet_udp_sendrecv_generic_node(dcerpcd_t)
corenet_udp_sendrecv_generic_port(dcerpcd_t)
@@ -87,7 +89,7 @@ corenet_udp_sendrecv_generic_port(eventlogd_t)

#################################
#
-# Likewise Authentication service local policy
+# Likewise Authentication service policy
#

allow lsassd_t self:capability { fowner chown fsetid dac_override sys_time };
@@ -118,6 +120,7 @@ corecmd_exec_shell(lsassd_t)

corenet_all_recvfrom_netlabel(lsassd_t)
corenet_all_recvfrom_unlabeled(lsassd_t)
+corenet_sendrecv_epmap_client_packets(lsassd_t)
corenet_tcp_sendrecv_generic_if(lsassd_t)
corenet_tcp_sendrecv_generic_node(lsassd_t)
corenet_tcp_sendrecv_generic_port(lsassd_t)
@@ -153,7 +156,7 @@ optional_policy(`

#################################
#
-# Likewise I/O service local policy
+# Likewise I/O service policy
#

allow lwiod_t self:capability { fowner chown fsetid dac_override };
@@ -169,12 +172,13 @@ corenet_all_recvfrom_netlabel(lwiod_t)
corenet_all_recvfrom_unlabeled(lwiod_t)
corenet_sendrecv_smbd_server_packets(lwiod_t)
corenet_sendrecv_smbd_client_packets(lwiod_t)
-corenet_tcp_sendrecv_generic_if(lwiod_t)
-corenet_tcp_sendrecv_generic_node(lwiod_t)
-corenet_tcp_sendrecv_generic_port(lwiod_t)
corenet_tcp_bind_generic_node(lwiod_t)
corenet_tcp_bind_smbd_port(lwiod_t)
corenet_tcp_connect_smbd_port(lwiod_t)
+corenet_tcp_sendrecv_generic_if(lwiod_t)
+corenet_tcp_sendrecv_generic_node(lwiod_t)
+corenet_tcp_sendrecv_generic_port(lwiod_t)
+corenet_tcp_sendrecv_smbd_port(lwiod_t)

sysnet_read_config(lwiod_t)

@@ -185,7 +189,7 @@ optional_policy(`

#################################
#
-# Likewise Service Manager service local policy
+# Likewise Service Manager service policy
#

allow lwsmd_t likewise_domains:process signal;
@@ -203,10 +207,10 @@ stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_

#################################
#
-# Likewise DC location service local policy
+# Likewise DC location service policy
#

-allow netlogond_t self:capability {dac_override};
+allow netlogond_t self:capability dac_override;

manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)

@@ -217,7 +221,7 @@ sysnet_use_ldap(netlogond_t)

#################################
#
-# Likewise Srv service local policy
+# Likewise Srv service policy
#

allow srvsvcd_t likewise_etc_t:dir search_dir_perms;
@@ -229,10 +233,10 @@ stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwreg
corenet_all_recvfrom_netlabel(srvsvcd_t)
corenet_all_recvfrom_unlabeled(srvsvcd_t)
corenet_sendrecv_generic_server_packets(srvsvcd_t)
+corenet_tcp_bind_generic_node(srvsvcd_t)
corenet_tcp_sendrecv_generic_if(srvsvcd_t)
corenet_tcp_sendrecv_generic_node(srvsvcd_t)
corenet_tcp_sendrecv_generic_port(srvsvcd_t)
-corenet_tcp_bind_generic_node(srvsvcd_t)

optional_policy(`
kerberos_use(srvsvcd_t)
--
1.7.0.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100322/15c955fb/attachment.bin