2010-03-06 02:05:47

by ssalley

Subject: [refpolicy] [PATCH 1/1] Likewise policy

Resubmitting Likewise policy with suggested changes.


Signed-off-by: Scott Salley <[email protected]>
---
policy/modules/services/likewise.fc | 65 ++++++++
policy/modules/services/likewise.if | 231 ++++++++++++++++++++++++++++
policy/modules/services/likewise.te | 286 +++++++++++++++++++++++++++++++++++
policy/modules/system/authlogin.if | 4 +
4 files changed, 586 insertions(+), 0 deletions(-)
create mode 100644 policy/modules/services/likewise.fc
create mode 100644 policy/modules/services/likewise.if
create mode 100644 policy/modules/services/likewise.te

diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc
new file mode 100644
index 0000000..d065e58
--- /dev/null
+++ b/policy/modules/services/likewise.fc
@@ -0,0 +1,65 @@
+
+/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+
+/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
+
+
+/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
+
+/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+
+/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
+
+/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
+
+/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
+
+/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+
+/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
+
+/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+
+
+/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
+/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+
+/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
+/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+
+/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
+/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+
+/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
+
+/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
+/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
+/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+
+/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
+
+/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
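Review bot: The dots in `/var/run/lsassd.pid`, `/var/run/lwiod.pid`, `/var/run/lwregd.pid`, `/var/run/netlogond.pid`, `/var/run/srvsvcd.pid`, `krb5-affinity.conf`, `lwi_events.db` and `rpcdep.dat` are unescaped, so each one is a regex wildcard rather than the literal name that the neighbouring `sam\.db` and `\.lsassd` entries spell out; write them as `/var/run/lsassd\.pid` and so on. `krb5-affinity.conf` is labelled `netlogond_var_lib_t` even though the .te in this same patch declares a dedicated `likewise_krb5_affinity_t` that no entry here uses; either label the file with that type or drop the declaration, otherwise the netlogond private type silently doubles as the Kerberos affinity type that lsassd and lwiod read.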
diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
new file mode 100644
index 0000000..9294528
--- /dev/null
+++ b/policy/modules/services/likewise.if
@@ -0,0 +1,231 @@
+## <summary>Likewise policy.</summary>
+
+########################################
+## <summary>
+## Execute daemon in the likewise domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_initrc_domtrans',`
+ gen_require(`
+ type likewise_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, likewise_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Connect to dcerpcd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_dcerpcd',`
+ gen_require(`
+ type likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+')
+
+########################################
+## <summary>
+## Connect to eventlogd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_eventlogd',`
+ gen_require(`
+ type likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
+')
+
+########################################
+## <summary>
+## Connect to lsassd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_lsassd',`
+ gen_require(`
+ type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+')
+
+########################################
+## <summary>
+## Connect to lwiod.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_lwiod',`
+ gen_require(`
+ type likewise_var_lib_t, lwiod_var_socket_t, lwiod_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+')
+
+########################################
+## <summary>
+## Connect to netlogond.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_netlogond',`
+ gen_require(`
+ type likewise_var_lib_t, netlogond_var_socket_t, netlogond_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
+')
+
+########################################
+## <summary>
+## Connect to lwregd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_lwregd',`
+ gen_require(`
+ type likewise_var_lib_t, lwregd_var_socket_t, lwregd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+')
+
+########################################
+## <summary>
+## Manage /etc/likewise-open.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_manage_etc_files',`
+ gen_require(`
+ type likewise_etc_t;
+ ')
+
+ allow $1 likewise_etc_t:dir search_dir_perms;
+ manage_files_pattern($1, likewise_etc_t, likewise_etc_t)
+')
+
+########################################
+## <summary>
+## Grant likewise daemons a common set of rules
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain of daemon process.
+## </summary>
+## </param>
+## <param name="executable">
+## <summary>
+## Type of daemon executable files.
+## </summary>
+## </param>
+## <param name="pid">
+## <summary>
+## Type of pid file created by daemon.
+## </summary>
+## </param>
+## <param name="socket">
+## <summary>
+## Type of daemon communication socket.
+## </summary>
+## </param>
+## <param name="files">
+## <summary>
+## Files managed by the daemon.
+## </summary>
+## </param>
+interface(`likewise_daemon',`
+ gen_require(`
+ type likewise_etc_t, likewise_var_lib_t;
+ ')
+
+ # Mark $1 as domain and $2 as an entrypoint into that domain.
+ init_daemon_domain($1, $2)
+
+ # Mark $3 as a pid file and allow it to be creat/read/write by $1
+ files_pid_file($3)
+ manage_files_pattern($1, $3, $3)
+ files_pid_filetrans($1, $3, file)
+
+ # Mark $4 as a socket for client access
+ files_type($4)
+ filetrans_pattern($1,likewise_var_lib_t,$4, sock_file)
+ manage_sock_files_pattern($1,likewise_var_lib_t,$4)
+ manage_files_pattern($1,$4,$4)
+
+ # Mark $5 as files, privately managed under /var/lib/likewise-open
+ files_type($5)
+ allow $1 likewise_var_lib_t:dir setattr;
+ allow $1 $5:file manage_file_perms;
+ allow $1 $5:dir manage_dir_perms;
+ allow $1 $5:sock_file manage_sock_file_perms;
+
+ filetrans_pattern($1,likewise_var_lib_t,$5, {file dir})
+
+ allow $1 self:process { signal_perms getsched setsched };
+ allow $1 self:fifo_file rw_fifo_file_perms;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ # Read /etc
+ files_read_etc_files($1)
+
+ # Permit use of syslog
+ logging_send_syslog_msg($1)
+
+ # Permit use of locale
+ miscfiles_read_localization($1)
+
+ # Permit use of dev random/urandom
+ dev_read_urand($1)
+ dev_read_rand($1)
+')
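Review bot: Every `likewise_stream_connect_*` interface calls `files_search_pids($1)`, but the sockets they then connect to (`/var/lib/likewise-open/rpc/lsass`, `/var/lib/likewise-open/\.lsassd` and friends per the .fc) live under `/var/lib`, so a client without its own `var_lib_t` search right still cannot reach the socket while it picks up an unrelated search right on `/var/run`; replace it with `files_search_var_lib($1)` in all six interfaces. This matters once `auth_use_nsswitch` pulls `likewise_stream_connect_lsassd` into every nsswitch-using domain, since a wrong traversal rule there shows up as a denial in each of those domains rather than in the likewise module.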
+
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
new file mode 100644
index 0000000..c4f2e19
--- /dev/null
+++ b/policy/modules/services/likewise.te
@@ -0,0 +1,286 @@
+
+policy_module(likewise, 1.0.0)
+
+#################################
+#
+# Declarations
+#
+type likewise_etc_t;
+files_config_file(likewise_etc_t)
+
+type likewise_initrc_exec_t;
+init_script_file(likewise_initrc_exec_t)
+
+type likewise_var_lib_t;
+files_type(likewise_var_lib_t)
+
+type likewise_pstore_lock_t;
+files_type(likewise_pstore_lock_t)
+
+type likewise_krb5_ad_t;
+files_type(likewise_krb5_ad_t)
+
+type likewise_krb5_affinity_t;
+files_type(likewise_krb5_affinity_t)
+
+#################################
+#
+# Declarations for dcerpcd
+#
+type dcerpcd_t;
+type dcerpcd_exec_t;
+type dcerpcd_var_run_t;
+type dcerpcd_var_socket_t;
+type dcerpcd_var_lib_t;
+
+#################################
+#
+# Declarations for eventlogd
+#
+type eventlogd_t;
+type eventlogd_exec_t;
+type eventlogd_var_run_t;
+type eventlogd_var_socket_t;
+type eventlogd_var_lib_t;
+
+#################################
+#
+# Declarations for lsassd
+#
+type lsassd_t;
+type lsassd_exec_t;
+type lsassd_var_run_t;
+type lsassd_var_socket_t;
+type lsassd_var_lib_t;
+
+#################################
+#
+# Declarations for lwiod
+#
+type lwiod_t;
+type lwiod_exec_t;
+type lwiod_var_run_t;
+type lwiod_var_socket_t;
+type lwiod_var_lib_t;
+
+#################################
+#
+# Declarations for lwregd
+#
+type lwregd_t;
+type lwregd_exec_t;
+type lwregd_var_run_t;
+type lwregd_var_socket_t;
+type lwregd_var_lib_t;
+
+#################################
+#
+# Declarations for lwsmd
+#
+type lwsmd_t;
+type lwsmd_exec_t;
+type lwsmd_var_run_t;
+type lwsmd_var_socket_t;
+type lwsmd_var_lib_t;
+
+#################################
+#
+# Declarations for netlogond
+#
+type netlogond_t;
+type netlogond_exec_t;
+type netlogond_var_run_t;
+type netlogond_var_socket_t;
+type netlogond_var_lib_t;
+
+#################################
+#
+# Declarations for srvsvcd
+#
+type srvsvcd_t;
+type srvsvcd_exec_t;
+type srvsvcd_var_run_t;
+type srvsvcd_var_socket_t;
+type srvsvcd_var_lib_t;
+
+#################################
+#
+# Likewise DCE/RPC service local policy
+#
+
+likewise_daemon(dcerpcd_t, dcerpcd_exec_t, dcerpcd_var_run_t,dcerpcd_var_socket_t,dcerpcd_var_lib_t)
+
+corenet_tcp_bind_generic_node(dcerpcd_t)
+corenet_tcp_bind_reserved_port(dcerpcd_t)
+corenet_tcp_connect_generic_port(dcerpcd_t)
+corenet_udp_bind_generic_node(dcerpcd_t)
+corenet_udp_bind_reserved_port(dcerpcd_t)
+
+likewise_stream_connect_lwregd(dcerpcd_t)
+
+#################################
+#
+# Likewise Auditing and Logging service policy
+#
+
+likewise_daemon(eventlogd_t,eventlogd_exec_t,eventlogd_var_run_t,eventlogd_var_socket_t,eventlogd_var_lib_t)
+
+corenet_tcp_bind_generic_node(eventlogd_t)
+corenet_tcp_bind_reserved_port(eventlogd_t)
+corenet_udp_bind_generic_node(eventlogd_t)
+corenet_udp_bind_reserved_port(eventlogd_t)
+
+likewise_stream_connect_lwregd(eventlogd_t)
+likewise_stream_connect_dcerpcd(eventlogd_t)
+
+#################################
+#
+# Likewise Authentication service local policy
+#
+
+likewise_daemon(lsassd_t,lsassd_exec_t,lsassd_var_run_t,lsassd_var_socket_t,lsassd_var_lib_t)
+
+allow lsassd_t self:capability {fowner chown fsetid dac_override sys_time};
+allow lsassd_t self:unix_stream_socket {create_stream_socket_perms connectto};
+allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
+# Because lsassd calls access(), we need these two. It would be nice not to.
+corecmd_exec_bin(lsassd_t);
+corecmd_exec_shell(lsassd_t);
+
+kerberos_use(lsassd_t)
+
+corenet_tcp_connect_reserved_port(lsassd_t)
+corenet_tcp_sendrecv_all_reserved_ports(lsassd_t)
+sysnet_use_ldap(lsassd_t)
+sysnet_read_config(lsassd_t)
+
+kernel_read_system_state(lsassd_t)
+kernel_getattr_proc_files(lsassd_t)
+kernel_list_all_proc(lsassd_t)
+kernel_list_proc(lsassd_t)
+
+files_manage_generic_tmp_dirs(lsassd_t)
+files_manage_generic_tmp_files(lsassd_t)
+
+domain_obj_id_change_exemption(lsassd_t)
+selinux_get_fs_mount(lsassd_t)
+selinux_validate_context(lsassd_t)
+seutil_read_config(lsassd_t)
+seutil_read_default_contexts(lsassd_t)
+seutil_read_file_contexts(lsassd_t)
+seutil_run_semanage(lsassd_t, lsassd_t)
+
+userdom_home_filetrans_user_home_dir(lsassd_t)
+userdom_manage_home_role(system_r, lsassd_t)
+
+likewise_stream_connect_lwregd(lsassd_t)
+likewise_stream_connect_netlogond(lsassd_t)
+likewise_stream_connect_lwiod(lsassd_t)
+likewise_stream_connect_eventlogd(lsassd_t)
+likewise_stream_connect_dcerpcd(lsassd_t)
+
+likewise_manage_etc_files(lsassd_t)
+files_manage_etc_files(lsassd_t)
+files_manage_etc_symlinks(lsassd_t)
+files_manage_etc_runtime_files(lsassd_t)
+allow lsassd_t netlogond_var_lib_t:file read_file_perms;
+allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
+
+
+#################################
+#
+# Likewise I/O service local policy
+#
+
+likewise_daemon(lwiod_t,lwiod_exec_t,lwiod_var_run_t,lwiod_var_socket_t,lwiod_var_lib_t)
+
+kerberos_rw_config(lwiod_t)
+kerberos_use(lwiod_t)
+allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
+allow lwiod_t netlogond_var_lib_t:file read_file_perms;
+
+corenet_tcp_bind_generic_node(lwiod_t)
+corenet_tcp_bind_smbd_port(lwiod_t)
+corenet_tcp_connect_smbd_port(lwiod_t)
+allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
+
+sysnet_read_config(lwiod_t)
+
+likewise_stream_connect_lwregd(lwiod_t)
+likewise_stream_connect_lsassd(lwiod_t)
+
+#################################
+#
+# Likewise Registry server local policy
+#
+
+likewise_daemon(lwregd_t,lwregd_exec_t,lwregd_var_run_t,lwregd_var_socket_t,lwregd_var_lib_t)
+
+#################################
+#
+# Likewise Service Manager service local policy
+#
+
+likewise_daemon(lwsmd_t,lwsmd_exec_t,lwsmd_var_run_t,lwsmd_var_socket_t,lwsmd_var_lib_t)
+
+corenet_tcp_bind_generic_node(lwsmd_t)
+corenet_tcp_bind_reserved_port(lwsmd_t)
+corenet_tcp_bind_smbd_port(lwsmd_t)
+corenet_udp_bind_generic_node(lwsmd_t)
+corenet_udp_bind_reserved_port(lwsmd_t)
+likewise_manage_etc_files(lwsmd_t)
+
+likewise_stream_connect_lwiod(lwsmd_t)
+likewise_stream_connect_lwregd(lwsmd_t)
+
+# When lwsmd starts the daemons, transition to their context:
+domtrans_pattern(lwsmd_t,dcerpcd_exec_t,dcerpcd_t)
+domtrans_pattern(lwsmd_t,eventlogd_exec_t,eventlogd_t)
+domtrans_pattern(lwsmd_t,lsassd_exec_t,lsassd_t)
+domtrans_pattern(lwsmd_t,lwiod_exec_t,lwiod_t)
+domtrans_pattern(lwsmd_t,lwregd_exec_t,lwregd_t)
+domtrans_pattern(lwsmd_t,netlogond_exec_t,netlogond_t)
+domtrans_pattern(lwsmd_t,srvsvcd_exec_t,srvsvcd_t)
+
+allow lwsmd_t dcerpcd_t:process { signal siginh rlimitinh };
+allow lwsmd_t eventlogd_t:process { signal siginh rlimitinh };
+allow lwsmd_t lsassd_t:process { signal siginh rlimitinh };
+allow lwsmd_t lwiod_t:process { signal siginh rlimitinh };
+allow lwsmd_t lwregd_t:process { signal siginh rlimitinh };
+allow lwsmd_t netlogond_t:process { signal siginh rlimitinh };
+allow lwsmd_t srvsvcd_t:process { signal siginh rlimitinh };
+
+#################################
+#
+# Likewise DC location service local policy
+#
+
+likewise_daemon(netlogond_t,netlogond_exec_t,netlogond_var_run_t,netlogond_var_socket_t,netlogond_var_lib_t)
+
+allow netlogond_t self:capability {dac_override};
+
+sysnet_dns_name_resolve(netlogond_t)
+sysnet_use_ldap(netlogond_t)
+
+likewise_stream_connect_lwregd(netlogond_t)
+likewise_manage_etc_files(netlogond_t)
+
+#################################
+#
+# Likewise Srv service local policy
+#
+
+likewise_daemon(srvsvcd_t,srvsvcd_exec_t,srvsvcd_var_run_t,srvsvcd_var_socket_t,srvsvcd_var_lib_t)
+
+corenet_tcp_bind_generic_node(srvsvcd_t)
+corenet_tcp_bind_reserved_port(srvsvcd_t)
+
+kerberos_use(srvsvcd_t)
+
+allow srvsvcd_t likewise_etc_t:dir search_dir_perms;
+
+likewise_stream_connect_lwregd(srvsvcd_t)
+likewise_stream_connect_dcerpcd(srvsvcd_t)
+likewise_stream_connect_lwiod(srvsvcd_t)
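Review bot: `files_manage_etc_files(lsassd_t)` together with `files_manage_etc_symlinks`, `files_manage_etc_runtime_files`, the `dac_override`/`chown`/`fowner`/`fsetid` capabilities and `userdom_manage_home_role(system_r, lsassd_t)` lets the authentication daemon rewrite any generic `etc_t` file and any user's home content, which is close to unconfined for a process that parses data supplied by the domain controller; it already has `likewise_manage_etc_files`, so scope the /etc writes to `likewise_etc_t` (or a dedicated type for whatever else it creates) and replace the home rule with the narrower home-directory creation interface it actually needs. `seutil_run_semanage(lsassd_t, lsassd_t)` passes a type where the second argument is a role, so this should be `seutil_run_semanage(lsassd_t, system_r)`, and the trailing `;` on `corecmd_exec_bin(lsassd_t);` and `corecmd_exec_shell(lsassd_t);` leaves a stray semicolon in the expanded policy. The comment says those two are only there because lsassd calls access(), which needs no `execute_no_trans`; if this tree has the `corecmd_check_exec_bin`/`corecmd_check_exec_shell` variants, they grant only the `execute` check without letting the daemon run arbitrary binaries and shells.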
+
+
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index b193dd8..41d6517 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1403,6 +1403,10 @@ interface(`auth_use_nsswitch',`
')

optional_policy(`
+ likewise_stream_connect_lsassd($1)
+ ')
+
+ optional_policy(`
nis_use_ypbind($1)
')

--
1.7.0.1.147.g6d84b


2010-03-06 09:32:08

by domg472

Subject: [refpolicy] [PATCH 1/1] Likewise policy

On 03/06/2010 03:05 AM, Scott Salley wrote:
> Resubmitting Likewise policy with suggested changes.

Have you checked whether this actually builds?
There are some syntax errors in there that cause this to not compile.

Also, did you remove the policy for lsassd to:

- relabel to home_root_t
- read write keytab

Some comments inline

>
> Signed-off-by: Scott Salley <[email protected]>
> ---
> policy/modules/services/likewise.fc | 65 ++++++++
> policy/modules/services/likewise.if | 231 ++++++++++++++++++++++++++++
> policy/modules/services/likewise.te | 286 +++++++++++++++++++++++++++++++++++
> policy/modules/system/authlogin.if | 4 +
> 4 files changed, 586 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/likewise.fc
> create mode 100644 policy/modules/services/likewise.if
> create mode 100644 policy/modules/services/likewise.te
>
> diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc
> new file mode 100644
> index 0000000..d065e58
> --- /dev/null
> +++ b/policy/modules/services/likewise.fc
> @@ -0,0 +1,65 @@
> +
> +/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +
> +/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
> +
> +
> +/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
> +/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
> +/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
> +/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
> +/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
> +/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
> +/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
> +/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
> +
> +
> +/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +
> +/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
> +
> +/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
> +
> +/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
> +
> +/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
> +
> +/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
> +
> +/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
> +
> +
> +/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
> +/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
> +
> +/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
> +/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
> +
> +/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
> +/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
> +/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
> +/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
> +
> +/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
> +
> +/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
> +/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
> +/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
> +
> +/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
> +
> +/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
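Review bot: The three `-d` entries for `/var/lib/likewise-open/db`, `/run` and `/rpc` assign the same `likewise_var_lib_t` that the `/var/lib/likewise-open(/.*)?` line directly above already gives those directories, so they add nothing and can be dropped; keeping only the generic entry also avoids a second place to update if the directory type is ever split per daemon.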

The file context entries should be sorted in the following manner:

1. alphabetically by path, then
2. by increasing depth, then
3. entries with metacharacters (.*, ?, [a-z], etc.) first and exact
matches last

see: http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide

> diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
> new file mode 100644
> index 0000000..9294528
> --- /dev/null
> +++ b/policy/modules/services/likewise.if
> @@ -0,0 +1,231 @@
> +## <summary>Likewise policy.</summary>
> +
> +########################################
> +## <summary>
> +## Execute daemon in the likewise domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_initrc_domtrans',`
> + gen_require(`
> + type likewise_initrc_exec_t;
> + ')
> +
> + init_labeled_script_domtrans($1, likewise_initrc_exec_t)
> +')
> +

Is this interface used by anything?

> +########################################
> +## <summary>
> +## Connect to dcerpcd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_stream_connect_dcerpcd',`
> + gen_require(`
> + type likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
> +')
> +
> +########################################
> +## <summary>
> +## Connect to eventlogd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_stream_connect_eventlogd',`
> + gen_require(`
> + type likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
> +')
> +
> +########################################
> +## <summary>
> +## Connect to lsassd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_stream_connect_lsassd',`
> + gen_require(`
> + type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
> +')
> +
> +########################################
> +## <summary>
> +## Connect to lwiod.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_stream_connect_lwiod',`
> + gen_require(`
> + type likewise_var_lib_t, lwiod_var_socket_t, lwiod_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
> +')
> +
> +########################################
> +## <summary>
> +## Connect to netlogond.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_stream_connect_netlogond',`
> + gen_require(`
> + type likewise_var_lib_t, netlogond_var_socket_t, netlogond_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
> +')
> +
> +########################################
> +## <summary>
> +## Connect to lwregd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_stream_connect_lwregd',`
> + gen_require(`
> + type likewise_var_lib_t, lwregd_var_socket_t, lwregd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage /etc/likewise-open.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_manage_etc_files',`
> + gen_require(`
> + type likewise_etc_t;
> + ')
> +
> + allow $1 likewise_etc_t:dir search_dir_perms;
> + manage_files_pattern($1, likewise_etc_t, likewise_etc_t)
> +')

The manage files pattern already provides sufficient permission for
domains to search likewise_etc_t.

domains are not allowed to search /etc, use files_search_etc_files($1)

> +
> +########################################
> +## <summary>
> +## Grant likewise daemons a common set of rules
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain of daemon process.
> +## </summary>
> +## </param>
> +## <param name="executable">
> +## <summary>
> +## Type of daemon executable files.
> +## </summary>
> +## </param>
> +## <param name="pid">
> +## <summary>
> +## Type of pid file created by daemon.
> +## </summary>
> +## </param>
> +## <param name="socket">
> +## <summary>
> +## Type of daemon communication socket.
> +## </summary>
> +## </param>
> +## <param name="files">
> +## <summary>
> +## Files managed by the daemon.
> +## </summary>
> +## </param>
> +interface(`likewise_daemon',`
> + gen_require(`
> + type likewise_etc_t, likewise_var_lib_t;
> + ')

likewise_etc_t does not have to be required.

> +
> + # Mark $1 as domain and $2 as an entrypoint into that domain.
> + init_daemon_domain($1, $2)
> +
> + # Mark $3 as a pid file and allow it to be creat/read/write by $1
> + files_pid_file($3)
> + manage_files_pattern($1, $3, $3)
> + files_pid_filetrans($1, $3, file)
> +
> + # Mark $4 as a socket for client access
> + files_type($4)
> + filetrans_pattern($1,likewise_var_lib_t,$4, sock_file)
> + manage_sock_files_pattern($1,likewise_var_lib_t,$4)
> + manage_files_pattern($1,$4,$4)
> +
> + # Mark $5 as files, privately managed under /var/lib/likewise-open
> + files_type($5)
> + allow $1 likewise_var_lib_t:dir setattr;
> + allow $1 $5:file manage_file_perms;
> + allow $1 $5:dir manage_dir_perms;
> + allow $1 $5:sock_file manage_sock_file_perms;
> +
> + filetrans_pattern($1,likewise_var_lib_t,$5, {file dir})
> +
> + allow $1 self:process { signal_perms getsched setsched };
> + allow $1 self:fifo_file rw_fifo_file_perms;
> + allow $1 self:unix_dgram_socket create_socket_perms;
> + allow $1 self:unix_stream_socket create_stream_socket_perms;
> + allow $1 self:tcp_socket create_stream_socket_perms;
> + allow $1 self:udp_socket create_socket_perms;
> +
> + # Read /etc
> + files_read_etc_files($1)
> +
> + # Permit use of syslog
> + logging_send_syslog_msg($1)
> +
> + # Permit use of locale
> + miscfiles_read_localization($1)
> +
> + # Permit use of dev random/urandom
> + dev_read_urand($1)
> + dev_read_rand($1)
> +')
> +
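Review bot: `likewise_daemon` grants `self:tcp_socket` and `self:udp_socket` to every caller, yet the .te adds `corenet_*` rules only for some daemons (lwregd gets none), so those two lines belong next to the network rules of the daemons that actually open sockets rather than in the shared interface. `manage_files_pattern($1,$4,$4)` gives full regular-file management on the socket type, which the .fc only ever applies with `-s`; drop it, or add a comment naming the regular file that carries `$4` if one exists.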
> diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
> new file mode 100644
> index 0000000..c4f2e19
> --- /dev/null
> +++ b/policy/modules/services/likewise.te
> @@ -0,0 +1,286 @@
> +
> +policy_module(likewise, 1.0.0)
> +
> +#################################
> +#
> +# Declarations
> +#
> +type likewise_etc_t;
> +files_config_file(likewise_etc_t)
> +
> +type likewise_initrc_exec_t;
> +init_script_file(likewise_initrc_exec_t)
> +
> +type likewise_var_lib_t;
> +files_type(likewise_var_lib_t)
> +
> +type likewise_pstore_lock_t;
> +files_type(likewise_pstore_lock_t)
> +
> +type likewise_krb5_ad_t;
> +files_type(likewise_krb5_ad_t)
> +
> +type likewise_krb5_affinity_t;
> +files_type(likewise_krb5_affinity_t)
> +

Some of the above types do not have a file context specification in
likewise.fc

> +#################################
> +#
> +# Declarations for dcerpcd
> +#
> +type dcerpcd_t;
> +type dcerpcd_exec_t;
> +type dcerpcd_var_run_t;
> +type dcerpcd_var_socket_t;
> +type dcerpcd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for eventlogd
> +#
> +type eventlogd_t;
> +type eventlogd_exec_t;
> +type eventlogd_var_run_t;
> +type eventlogd_var_socket_t;
> +type eventlogd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lsassd
> +#
> +type lsassd_t;
> +type lsassd_exec_t;
> +type lsassd_var_run_t;
> +type lsassd_var_socket_t;
> +type lsassd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lwiod
> +#
> +type lwiod_t;
> +type lwiod_exec_t;
> +type lwiod_var_run_t;
> +type lwiod_var_socket_t;
> +type lwiod_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lwregd
> +#
> +type lwregd_t;
> +type lwregd_exec_t;
> +type lwregd_var_run_t;
> +type lwregd_var_socket_t;
> +type lwregd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lwsmd
> +#
> +type lwsmd_t;
> +type lwsmd_exec_t;
> +type lwsmd_var_run_t;
> +type lwsmd_var_socket_t;
> +type lwsmd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for netlogond
> +#
> +type netlogond_t;
> +type netlogond_exec_t;
> +type netlogond_var_run_t;
> +type netlogond_var_socket_t;
> +type netlogond_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for srvsvcd
> +#
> +type srvsvcd_t;
> +type srvsvcd_exec_t;
> +type srvsvcd_var_run_t;
> +type srvsvcd_var_socket_t;
> +type srvsvcd_var_lib_t;
> +
> +#################################
> +#
> +# Likewise DCE/RPC service local policy
> +#
> +
> +likewise_daemon(dcerpcd_t, dcerpcd_exec_t, dcerpcd_var_run_t,dcerpcd_var_socket_t,dcerpcd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(dcerpcd_t)
> +corenet_tcp_bind_reserved_port(dcerpcd_t)
> +corenet_tcp_connect_generic_port(dcerpcd_t)
> +corenet_udp_bind_generic_node(dcerpcd_t)
> +corenet_udp_bind_reserved_port(dcerpcd_t)

The networking block is missing two interface calls needed to ensure compatibility.

> +
> +likewise_stream_connect_lwregd(dcerpcd_t)
> +
> +#################################
> +#
> +# Likewise Auditing and Logging service policy
> +#
> +
> +likewise_daemon(eventlogd_t,eventlogd_exec_t,eventlogd_var_run_t,eventlogd_var_socket_t,eventlogd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(eventlogd_t)
> +corenet_tcp_bind_reserved_port(eventlogd_t)
> +corenet_udp_bind_generic_node(eventlogd_t)
> +corenet_udp_bind_reserved_port(eventlogd_t)
> +

The networking block is missing two interface calls needed to ensure compatibility.


> +likewise_stream_connect_lwregd(eventlogd_t)
> +likewise_stream_connect_dcerpcd(eventlogd_t)
> +
> +#################################
> +#
> +# Likewise Authentication service local policy
> +#
> +
> +likewise_daemon(lsassd_t,lsassd_exec_t,lsassd_var_run_t,lsassd_var_socket_t,lsassd_var_lib_t)
> +
> +allow lsassd_t self:capability {fowner chown fsetid dac_override sys_time};
> +allow lsassd_t self:unix_stream_socket {create_stream_socket_perms connectto};
> +allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
> +# Because lsassd calls access(), we need these two. It would be nice not to.
> +corecmd_exec_bin(lsassd_t);
> +corecmd_exec_shell(lsassd_t);

The trailing semicolons (;) are syntax errors and cause this not to build.

> +
> +kerberos_use(lsassd_t)
> +

This is optional

> +corenet_tcp_connect_reserved_port(lsassd_t)
> +corenet_tcp_sendrecv_all_reserved_ports(lsassd_t)
> +sysnet_use_ldap(lsassd_t)
> +sysnet_read_config(lsassd_t)


The networking block is missing two interface calls needed to ensure compatibility.

> +
> +kernel_read_system_state(lsassd_t)
> +kernel_getattr_proc_files(lsassd_t)
> +kernel_list_all_proc(lsassd_t)
> +kernel_list_proc(lsassd_t)
> +
> +files_manage_generic_tmp_dirs(lsassd_t)
> +files_manage_generic_tmp_files(lsassd_t)
> +

I suspect that these directories and files should be owned by lsassd

> +domain_obj_id_change_exemption(lsassd_t)
> +selinux_get_fs_mount(lsassd_t)
> +selinux_validate_context(lsassd_t)
> +seutil_read_config(lsassd_t)
> +seutil_read_default_contexts(lsassd_t)
> +seutil_read_file_contexts(lsassd_t)
> +seutil_run_semanage(lsassd_t, lsassd_t)
> +
> +userdom_home_filetrans_user_home_dir(lsassd_t)
> +userdom_manage_home_role(system_r, lsassd_t)
> +
> +likewise_stream_connect_lwregd(lsassd_t)
> +likewise_stream_connect_netlogond(lsassd_t)
> +likewise_stream_connect_lwiod(lsassd_t)
> +likewise_stream_connect_eventlogd(lsassd_t)
> +likewise_stream_connect_dcerpcd(lsassd_t)
> +
> +likewise_manage_etc_files(lsassd_t)
> +files_manage_etc_files(lsassd_t)
> +files_manage_etc_symlinks(lsassd_t)
> +files_manage_etc_runtime_files(lsassd_t)
> +allow lsassd_t netlogond_var_lib_t:file read_file_perms;
> +allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
> +
> +
> +#################################
> +#
> +# Likewise I/O service local policy
> +#
> +
> +likewise_daemon(lwiod_t,lwiod_exec_t,lwiod_var_run_t,lwiod_var_socket_t,lwiod_var_lib_t)
> +
> +kerberos_rw_config(lwiod_t)
> +kerberos_use(lwiod_t)

Should be optional

> +allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
> +allow lwiod_t netlogond_var_lib_t:file read_file_perms;
> +
> +corenet_tcp_bind_generic_node(lwiod_t)
> +corenet_tcp_bind_smbd_port(lwiod_t)
> +corenet_tcp_connect_smbd_port(lwiod_t)

The networking block is missing two interface calls needed to ensure compatibility.


> +allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
> +
> +sysnet_read_config(lwiod_t)
> +
> +likewise_stream_connect_lwregd(lwiod_t)
> +likewise_stream_connect_lsassd(lwiod_t)
> +
> +#################################
> +#
> +# Likewise Registry server local policy
> +#
> +
> +likewise_daemon(lwregd_t,lwregd_exec_t,lwregd_var_run_t,lwregd_var_socket_t,lwregd_var_lib_t)
> +
> +#################################
> +#
> +# Likewise Service Manager service local policy
> +#
> +
> +likewise_daemon(lwsmd_t,lwsmd_exec_t,lwsmd_var_run_t,lwsmd_var_socket_t,lwsmd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(lwsmd_t)
> +corenet_tcp_bind_reserved_port(lwsmd_t)
> +corenet_tcp_bind_smbd_port(lwsmd_t)
> +corenet_udp_bind_generic_node(lwsmd_t)
> +corenet_udp_bind_reserved_port(lwsmd_t)


The networking block is missing two interface calls needed to ensure compatibility.

> +likewise_manage_etc_files(lwsmd_t)
> +
> +likewise_stream_connect_lwiod(lwsmd_t)
> +likewise_stream_connect_lwregd(lwsmd_t)
> +
> +# When lwsmd starts the daemons, transition to their context:
> +domtrans_pattern(lwsmd_t,dcerpcd_exec_t,dcerpcd_t)
> +domtrans_pattern(lwsmd_t,eventlogd_exec_t,eventlogd_t)
> +domtrans_pattern(lwsmd_t,lsassd_exec_t,lsassd_t)
> +domtrans_pattern(lwsmd_t,lwiod_exec_t,lwiod_t)
> +domtrans_pattern(lwsmd_t,lwregd_exec_t,lwregd_t)
> +domtrans_pattern(lwsmd_t,netlogond_exec_t,netlogond_t)
> +domtrans_pattern(lwsmd_t,srvsvcd_exec_t,srvsvcd_t)
> +
> +allow lwsmd_t dcerpcd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t eventlogd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t lsassd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t lwiod_t:process { signal siginh rlimitinh };
> +allow lwsmd_t lwregd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t netlogond_t:process { signal siginh rlimitinh };
> +allow lwsmd_t srvsvcd_t:process { signal siginh rlimitinh };

I suspect these can be removed. signal is already allowed and the other
permissions are rarely needed.

> +
> +#################################
> +#
> +# Likewise DC location service local policy
> +#
> +
> +likewise_daemon(netlogond_t,netlogond_exec_t,netlogond_var_run_t,netlogond_var_socket_t,netlogond_var_lib_t)
> +
> +allow netlogond_t self:capability {dac_override};
> +
> +sysnet_dns_name_resolve(netlogond_t)
> +sysnet_use_ldap(netlogond_t)
> +
> +likewise_stream_connect_lwregd(netlogond_t)
> +likewise_manage_etc_files(netlogond_t)
> +
> +#################################
> +#
> +# Likewise Srv service local policy
> +#
> +
> +likewise_daemon(srvsvcd_t,srvsvcd_exec_t,srvsvcd_var_run_t,srvsvcd_var_socket_t,srvsvcd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(srvsvcd_t)
> +corenet_tcp_bind_reserved_port(srvsvcd_t)
> +

The networking block is missing two interface calls needed to ensure compatibility.

> +kerberos_use(srvsvcd_t)

This is optional

> +
> +allow srvsvcd_t likewise_etc_t:dir search_dir_perms;
> +
> +likewise_stream_connect_lwregd(srvsvcd_t)
> +likewise_stream_connect_dcerpcd(srvsvcd_t)
> +likewise_stream_connect_lwiod(srvsvcd_t)
> +
> +
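Review bot: `seutil_run_semanage(lsassd_t, lsassd_t)` passes a domain where the interface takes a role as its second argument, so the expansion produces a `role lsassd_t types ...` statement and the module will not build; the line above it, `userdom_manage_home_role(system_r, lsassd_t)`, already shows the intended role, so this should read `seutil_run_semanage(lsassd_t, system_r)`. Separately, the lsassd block grants `files_manage_etc_files`, `files_manage_etc_symlinks` and `files_manage_etc_runtime_files` on top of `likewise_manage_etc_files`, which lets the network-facing authentication daemon rewrite every generic etc_t file, and together with `domain_obj_id_change_exemption` and `seutil_run_semanage` it can also alter the loaded policy; if lsassd only writes its own configuration, `likewise_manage_etc_files(lsassd_t)` should suffice, and any remaining /etc target it genuinely writes deserves its own narrowly typed rule with a comment saying why. The `sys_time` capability on the lsassd self:capability line also needs a why-comment, since setting the system clock is not an obvious need for an auth daemon. The same hunk is quoted again further down in the thread and carries the same issues.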
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index b193dd8..41d6517 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -1403,6 +1403,10 @@ interface(`auth_use_nsswitch',`
> ')
>
> optional_policy(`
> + likewise_stream_connect_lsassd($1)
> + ')
> +
> + optional_policy(`
> nis_use_ypbind($1)
> ')
>



2010-03-08 13:40:17

by cpebenito

Subject: [refpolicy] [PATCH 1/1] Likewise policy

On Fri, 2010-03-05 at 18:05 -0800, Scott Salley wrote:
> Resubmitting Likewise policy with suggested changes.

The likewise_daemon() interface should turn into a template like
rpc_domain_template().

> Signed-off-by: Scott Salley <[email protected]>
> ---
> policy/modules/services/likewise.fc | 65 ++++++++
> policy/modules/services/likewise.if | 231 ++++++++++++++++++++++++++++
> policy/modules/services/likewise.te | 286 +++++++++++++++++++++++++++++++++++
> policy/modules/system/authlogin.if | 4 +
> 4 files changed, 586 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/likewise.fc
> create mode 100644 policy/modules/services/likewise.if
> create mode 100644 policy/modules/services/likewise.te
>
> diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc
> new file mode 100644
> index 0000000..d065e58
> --- /dev/null
> +++ b/policy/modules/services/likewise.fc
> @@ -0,0 +1,65 @@
> +
> +/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +
> +/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
> +
> +
> +/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
> +/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
> +/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
> +/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
> +/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
> +/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
> +/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
> +/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
> +
> +
> +/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +
> +/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
> +
> +/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
> +
> +/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
> +
> +/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
> +
> +/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
> +
> +/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
> +
> +
> +/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
> +/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
> +
> +/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
> +/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
> +
> +/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
> +/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
> +/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
> +/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
> +
> +/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
> +
> +/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
> +/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
> +/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
> +
> +/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
> +
> +/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
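Review bot: Several entries leave the `.` in the file name unescaped (`/var/run/lsassd.pid`, `/var/run/lwiod.pid`, `/var/run/lwregd.pid`, `/var/run/netlogond.pid`, `/var/run/srvsvcd.pid`, `krb5-affinity.conf`, `lwi_events.db`, `rpcdep.dat` and `likewise-krb5-ad.conf`), while the rest of the file writes `\.` as in `sam\.db`. File-context paths are regular expressions, so an unescaped dot matches any character and the entry can label a file it was not meant to; write them as `/var/run/lsassd\.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)` and likewise for the others. The `lsasd\.err` entry also differs from the `lsassd` spelling used everywhere else in the file; if that is not the daemon's actual log file name it will never match.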
> diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
> new file mode 100644
> index 0000000..9294528
> --- /dev/null
> +++ b/policy/modules/services/likewise.if
> @@ -0,0 +1,231 @@
> +## <summary>Likewise policy.</summary>
> +
> +########################################
> +## <summary>
> +## Execute daemon in the likewise domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_initrc_domtrans',`
> + gen_require(`
> + type likewise_initrc_exec_t;
> + ')
> +
> + init_labeled_script_domtrans($1, likewise_initrc_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +## Connect to dcerpcd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_stream_connect_dcerpcd',`
> + gen_require(`
> + type likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
> +')
> +
> +########################################
> +## <summary>
> +## Connect to eventlogd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_stream_connect_eventlogd',`
> + gen_require(`
> + type likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
> +')
> +
> +########################################
> +## <summary>
> +## Connect to lsassd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_stream_connect_lsassd',`
> + gen_require(`
> + type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
> +')
> +
> +########################################
> +## <summary>
> +## Connect to lwiod.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_stream_connect_lwiod',`
> + gen_require(`
> + type likewise_var_lib_t, lwiod_var_socket_t, lwiod_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
> +')
> +
> +########################################
> +## <summary>
> +## Connect to netlogond.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_stream_connect_netlogond',`
> + gen_require(`
> + type likewise_var_lib_t, netlogond_var_socket_t, netlogond_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
> +')
> +
> +########################################
> +## <summary>
> +## Connect to lwregd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_stream_connect_lwregd',`
> + gen_require(`
> + type likewise_var_lib_t, lwregd_var_socket_t, lwregd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage /etc/likewise-open.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`likewise_manage_etc_files',`
> + gen_require(`
> + type likewise_etc_t;
> + ')
> +
> + allow $1 likewise_etc_t:dir search_dir_perms;
> + manage_files_pattern($1, likewise_etc_t, likewise_etc_t)
> +')
> +
> +########################################
> +## <summary>
> +## Grant likewise daemons a common set of rules
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain of daemon process.
> +## </summary>
> +## </param>
> +## <param name="executable">
> +## <summary>
> +## Type of daemon executable files.
> +## </summary>
> +## </param>
> +## <param name="pid">
> +## <summary>
> +## Type of pid file created by daemon.
> +## </summary>
> +## </param>
> +## <param name="socket">
> +## <summary>
> +## Type of daemon communication socket.
> +## </summary>
> +## </param>
> +## <param name="files">
> +## <summary>
> +## Files managed by the daemon.
> +## </summary>
> +## </param>
> +interface(`likewise_daemon',`
> + gen_require(`
> + type likewise_etc_t, likewise_var_lib_t;
> + ')
> +
> + # Mark $1 as domain and $2 as an entrypoint into that domain.
> + init_daemon_domain($1, $2)
> +
> + # Mark $3 as a pid file and allow it to be creat/read/write by $1
> + files_pid_file($3)
> + manage_files_pattern($1, $3, $3)
> + files_pid_filetrans($1, $3, file)
> +
> + # Mark $4 as a socket for client access
> + files_type($4)
> + filetrans_pattern($1,likewise_var_lib_t,$4, sock_file)
> + manage_sock_files_pattern($1,likewise_var_lib_t,$4)
> + manage_files_pattern($1,$4,$4)
> +
> + # Mark $5 as files, privately managed under /var/lib/likewise-open
> + files_type($5)
> + allow $1 likewise_var_lib_t:dir setattr;
> + allow $1 $5:file manage_file_perms;
> + allow $1 $5:dir manage_dir_perms;
> + allow $1 $5:sock_file manage_sock_file_perms;
> +
> + filetrans_pattern($1,likewise_var_lib_t,$5, {file dir})
> +
> + allow $1 self:process { signal_perms getsched setsched };
> + allow $1 self:fifo_file rw_fifo_file_perms;
> + allow $1 self:unix_dgram_socket create_socket_perms;
> + allow $1 self:unix_stream_socket create_stream_socket_perms;
> + allow $1 self:tcp_socket create_stream_socket_perms;
> + allow $1 self:udp_socket create_socket_perms;
> +
> + # Read /etc
> + files_read_etc_files($1)
> +
> + # Permit use of syslog
> + logging_send_syslog_msg($1)
> +
> + # Permit use of locale
> + miscfiles_read_localization($1)
> +
> + # Permit use of dev random/urandom
> + dev_read_urand($1)
> + dev_read_rand($1)
> +')
> +
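Review bot: Each `likewise_stream_connect_*` interface calls `files_search_pids($1)`, but the sockets it connects to are labeled under `/var/lib/likewise-open` in likewise.fc, not under `/var/run`; `stream_connect_pattern` grants search on likewise_var_lib_t itself, but the parent `/var/lib` directory search presumably comes from `files_search_var_lib($1)`, which no caller is guaranteed to have (the authlogin.if hunk below routes every nsswitch user through `likewise_stream_connect_lsassd`). Replace the `files_search_pids($1)` line in each of the six connect interfaces with `files_search_var_lib($1)`. In `likewise_daemon`, `manage_files_pattern($1,$4,$4)` grants file permissions on a type the doc block describes as a communication socket, and `manage_sock_files_pattern` on the line above already covers the socket; that line looks unnecessary and should be dropped or justified with a comment. The doc block for `likewise_daemon` is also missing the terminating `#` line before `interface(` that every other interface in this file has, and the summary for `likewise_initrc_domtrans` would better describe what it does as `## Execute likewise init scripts in the init script domain.`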
> diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
> new file mode 100644
> index 0000000..c4f2e19
> --- /dev/null
> +++ b/policy/modules/services/likewise.te
> @@ -0,0 +1,286 @@
> +
> +policy_module(likewise, 1.0.0)
> +
> +#################################
> +#
> +# Declarations
> +#
> +type likewise_etc_t;
> +files_config_file(likewise_etc_t)
> +
> +type likewise_initrc_exec_t;
> +init_script_file(likewise_initrc_exec_t)
> +
> +type likewise_var_lib_t;
> +files_type(likewise_var_lib_t)
> +
> +type likewise_pstore_lock_t;
> +files_type(likewise_pstore_lock_t)
> +
> +type likewise_krb5_ad_t;
> +files_type(likewise_krb5_ad_t)
> +
> +type likewise_krb5_affinity_t;
> +files_type(likewise_krb5_affinity_t)
> +
> +#################################
> +#
> +# Declarations for dcerpcd
> +#
> +type dcerpcd_t;
> +type dcerpcd_exec_t;
> +type dcerpcd_var_run_t;
> +type dcerpcd_var_socket_t;
> +type dcerpcd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for eventlogd
> +#
> +type eventlogd_t;
> +type eventlogd_exec_t;
> +type eventlogd_var_run_t;
> +type eventlogd_var_socket_t;
> +type eventlogd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lsassd
> +#
> +type lsassd_t;
> +type lsassd_exec_t;
> +type lsassd_var_run_t;
> +type lsassd_var_socket_t;
> +type lsassd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lwiod
> +#
> +type lwiod_t;
> +type lwiod_exec_t;
> +type lwiod_var_run_t;
> +type lwiod_var_socket_t;
> +type lwiod_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lwregd
> +#
> +type lwregd_t;
> +type lwregd_exec_t;
> +type lwregd_var_run_t;
> +type lwregd_var_socket_t;
> +type lwregd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lwsmd
> +#
> +type lwsmd_t;
> +type lwsmd_exec_t;
> +type lwsmd_var_run_t;
> +type lwsmd_var_socket_t;
> +type lwsmd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for netlogond
> +#
> +type netlogond_t;
> +type netlogond_exec_t;
> +type netlogond_var_run_t;
> +type netlogond_var_socket_t;
> +type netlogond_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for srvsvcd
> +#
> +type srvsvcd_t;
> +type srvsvcd_exec_t;
> +type srvsvcd_var_run_t;
> +type srvsvcd_var_socket_t;
> +type srvsvcd_var_lib_t;
> +
> +#################################
> +#
> +# Likewise DCE/RPC service local policy
> +#
> +
> +likewise_daemon(dcerpcd_t, dcerpcd_exec_t, dcerpcd_var_run_t,dcerpcd_var_socket_t,dcerpcd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(dcerpcd_t)
> +corenet_tcp_bind_reserved_port(dcerpcd_t)
> +corenet_tcp_connect_generic_port(dcerpcd_t)
> +corenet_udp_bind_generic_node(dcerpcd_t)
> +corenet_udp_bind_reserved_port(dcerpcd_t)
> +
> +likewise_stream_connect_lwregd(dcerpcd_t)
> +
> +#################################
> +#
> +# Likewise Auditing and Logging service policy
> +#
> +
> +likewise_daemon(eventlogd_t,eventlogd_exec_t,eventlogd_var_run_t,eventlogd_var_socket_t,eventlogd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(eventlogd_t)
> +corenet_tcp_bind_reserved_port(eventlogd_t)
> +corenet_udp_bind_generic_node(eventlogd_t)
> +corenet_udp_bind_reserved_port(eventlogd_t)
> +
> +likewise_stream_connect_lwregd(eventlogd_t)
> +likewise_stream_connect_dcerpcd(eventlogd_t)
> +
> +#################################
> +#
> +# Likewise Authentication service local policy
> +#
> +
> +likewise_daemon(lsassd_t,lsassd_exec_t,lsassd_var_run_t,lsassd_var_socket_t,lsassd_var_lib_t)
> +
> +allow lsassd_t self:capability {fowner chown fsetid dac_override sys_time};
> +allow lsassd_t self:unix_stream_socket {create_stream_socket_perms connectto};
> +allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
> +# Because lsassd calls access(), we need these two. It would be nice not to.
> +corecmd_exec_bin(lsassd_t);
> +corecmd_exec_shell(lsassd_t);
> +
> +kerberos_use(lsassd_t)
> +
> +corenet_tcp_connect_reserved_port(lsassd_t)
> +corenet_tcp_sendrecv_all_reserved_ports(lsassd_t)
> +sysnet_use_ldap(lsassd_t)
> +sysnet_read_config(lsassd_t)
> +
> +kernel_read_system_state(lsassd_t)
> +kernel_getattr_proc_files(lsassd_t)
> +kernel_list_all_proc(lsassd_t)
> +kernel_list_proc(lsassd_t)
> +
> +files_manage_generic_tmp_dirs(lsassd_t)
> +files_manage_generic_tmp_files(lsassd_t)
> +
> +domain_obj_id_change_exemption(lsassd_t)
> +selinux_get_fs_mount(lsassd_t)
> +selinux_validate_context(lsassd_t)
> +seutil_read_config(lsassd_t)
> +seutil_read_default_contexts(lsassd_t)
> +seutil_read_file_contexts(lsassd_t)
> +seutil_run_semanage(lsassd_t, lsassd_t)
> +
> +userdom_home_filetrans_user_home_dir(lsassd_t)
> +userdom_manage_home_role(system_r, lsassd_t)
> +
> +likewise_stream_connect_lwregd(lsassd_t)
> +likewise_stream_connect_netlogond(lsassd_t)
> +likewise_stream_connect_lwiod(lsassd_t)
> +likewise_stream_connect_eventlogd(lsassd_t)
> +likewise_stream_connect_dcerpcd(lsassd_t)
> +
> +likewise_manage_etc_files(lsassd_t)
> +files_manage_etc_files(lsassd_t)
> +files_manage_etc_symlinks(lsassd_t)
> +files_manage_etc_runtime_files(lsassd_t)
> +allow lsassd_t netlogond_var_lib_t:file read_file_perms;
> +allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
> +
> +
> +#################################
> +#
> +# Likewise I/O service local policy
> +#
> +
> +likewise_daemon(lwiod_t,lwiod_exec_t,lwiod_var_run_t,lwiod_var_socket_t,lwiod_var_lib_t)
> +
> +kerberos_rw_config(lwiod_t)
> +kerberos_use(lwiod_t)
> +allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
> +allow lwiod_t netlogond_var_lib_t:file read_file_perms;
> +
> +corenet_tcp_bind_generic_node(lwiod_t)
> +corenet_tcp_bind_smbd_port(lwiod_t)
> +corenet_tcp_connect_smbd_port(lwiod_t)
> +allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
> +
> +sysnet_read_config(lwiod_t)
> +
> +likewise_stream_connect_lwregd(lwiod_t)
> +likewise_stream_connect_lsassd(lwiod_t)
> +
> +#################################
> +#
> +# Likewise Registry server local policy
> +#
> +
> +likewise_daemon(lwregd_t,lwregd_exec_t,lwregd_var_run_t,lwregd_var_socket_t,lwregd_var_lib_t)
> +
> +#################################
> +#
> +# Likewise Service Manager service local policy
> +#
> +
> +likewise_daemon(lwsmd_t,lwsmd_exec_t,lwsmd_var_run_t,lwsmd_var_socket_t,lwsmd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(lwsmd_t)
> +corenet_tcp_bind_reserved_port(lwsmd_t)
> +corenet_tcp_bind_smbd_port(lwsmd_t)
> +corenet_udp_bind_generic_node(lwsmd_t)
> +corenet_udp_bind_reserved_port(lwsmd_t)
> +likewise_manage_etc_files(lwsmd_t)
> +
> +likewise_stream_connect_lwiod(lwsmd_t)
> +likewise_stream_connect_lwregd(lwsmd_t)
> +
> +# When lwsmd starts the daemons, transition to their context:
> +domtrans_pattern(lwsmd_t,dcerpcd_exec_t,dcerpcd_t)
> +domtrans_pattern(lwsmd_t,eventlogd_exec_t,eventlogd_t)
> +domtrans_pattern(lwsmd_t,lsassd_exec_t,lsassd_t)
> +domtrans_pattern(lwsmd_t,lwiod_exec_t,lwiod_t)
> +domtrans_pattern(lwsmd_t,lwregd_exec_t,lwregd_t)
> +domtrans_pattern(lwsmd_t,netlogond_exec_t,netlogond_t)
> +domtrans_pattern(lwsmd_t,srvsvcd_exec_t,srvsvcd_t)
> +
> +allow lwsmd_t dcerpcd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t eventlogd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t lsassd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t lwiod_t:process { signal siginh rlimitinh };
> +allow lwsmd_t lwregd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t netlogond_t:process { signal siginh rlimitinh };
> +allow lwsmd_t srvsvcd_t:process { signal siginh rlimitinh };
> +
> +#################################
> +#
> +# Likewise DC location service local policy
> +#
> +
> +likewise_daemon(netlogond_t,netlogond_exec_t,netlogond_var_run_t,netlogond_var_socket_t,netlogond_var_lib_t)
> +
> +allow netlogond_t self:capability {dac_override};
> +
> +sysnet_dns_name_resolve(netlogond_t)
> +sysnet_use_ldap(netlogond_t)
> +
> +likewise_stream_connect_lwregd(netlogond_t)
> +likewise_manage_etc_files(netlogond_t)
> +
> +#################################
> +#
> +# Likewise Srv service local policy
> +#
> +
> +likewise_daemon(srvsvcd_t,srvsvcd_exec_t,srvsvcd_var_run_t,srvsvcd_var_socket_t,srvsvcd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(srvsvcd_t)
> +corenet_tcp_bind_reserved_port(srvsvcd_t)
> +
> +kerberos_use(srvsvcd_t)
> +
> +allow srvsvcd_t likewise_etc_t:dir search_dir_perms;
> +
> +likewise_stream_connect_lwregd(srvsvcd_t)
> +likewise_stream_connect_dcerpcd(srvsvcd_t)
> +likewise_stream_connect_lwiod(srvsvcd_t)
> +
> +
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index b193dd8..41d6517 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -1403,6 +1403,10 @@ interface(`auth_use_nsswitch',`
> ')
>
> optional_policy(`
> + likewise_stream_connect_lsassd($1)
> + ')
> +
> + optional_policy(`
> nis_use_ypbind($1)
> ')
>

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150