2012-07-03 11:44:40

by mgrepl

Subject: [refpolicy] [Patch 4/4] Implementation of nsswitch_domain attribute

* Add ldap_stream_connect() interface for domains which need it

http://mgrepl.fedorapeople.org/SELinux/F18/nsswitch_domain_part4.patch


2012-07-10 12:07:01

by cpebenito

Subject: [refpolicy] [Patch 4/4] Implementation of nsswitch_domain attribute

On 07/03/12 07:44, Miroslav Grepl wrote:
> * Add ldap_stream_connect() interface for domains which need it

Since this is in the nsswitch patch set, I assume this access is for nsswitch. Why not put it in authlogin and use the attribute?

The other three patches are fine.

> diff --git a/apache.te b/apache.te
> index a36a01d..4b0f792 100644
> --- a/apache.te
> +++ b/apache.te
> @@ -559,6 +559,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # needed by FreeIPA
> + ldap_stream_connect(httpd_t)
> +')
> +
> +optional_policy(`
> mailman_signal_cgi(httpd_t)
> mailman_domtrans_cgi(httpd_t)
> mailman_read_data_files(httpd_t)
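Review bot: the `ldap_stream_connect(httpd_t)` grant is unconditional for every httpd_t on every system, while the comment justifies it only for FreeIPA. Either gate it behind a tunable in apache.te or, if it has to stay unconditional, extend the comment to say that any web server now gets connectto on slapd_t's unix socket (plus write on slapd_var_run_t sock files), so a later reader can judge whether the grant is still warranted.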
> diff --git a/bind.te b/bind.te
> index 4deca04..0968cb4 100644
> --- a/bind.te
> +++ b/bind.te
> @@ -171,6 +171,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # needed by FreeIPA with DNS support
> + ldap_stream_connect(named_t)
> +')
> +
> +optional_policy(`
> # this seems like fds that arent being
> # closed. these should probably be
> # dontaudits instead.
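Review bot: same concern as the apache hunk: `ldap_stream_connect(named_t)` applies to every named_t, whereas the comment scopes the need to "FreeIPA with DNS support". A tunable, or at least a comment naming the component of the DNS setup that talks to slapd over its socket, would keep the default bind policy tighter; the pre-existing "fds that arent being closed" comment below is unrelated and is fine to leave as is.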
> diff --git a/kerberos.te b/kerberos.te
> index 8edc29b..519d5fc 100644
> --- a/kerberos.te
> +++ b/kerberos.te
> @@ -160,6 +160,10 @@ userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
> userdom_dontaudit_search_user_home_dirs(kadmind_t)
>
> optional_policy(`
> + ldap_stream_connect(kadmind_t)
> +')
> +
> +optional_policy(`
> nis_use_ypbind(kadmind_t)
> ')
>
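Review bot: unlike the apache and bind hunks, `ldap_stream_connect(kadmind_t)` carries no comment saying which deployment needs kadmind to reach slapd over its unix socket. Add one (in the style of `# needed by FreeIPA` if that is the case) so the unconditional grant can be audited later instead of being taken for a leftover of the old auth_use_nsswitch() behaviour.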
> @@ -260,6 +264,10 @@ userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
> userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
>
> optional_policy(`
> + ldap_stream_connect(krb5kdc_t)
> +')
> +
> +optional_policy(`
> nis_use_ypbind(krb5kdc_t)
> ')
>
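Review bot: `ldap_stream_connect(krb5kdc_t)` is the identical block added for kadmind_t a few lines up; one comment above both explaining that the KDC and its admin server share an LDAP-backed backend would avoid two undocumented grants. Since this is the ticket-issuing daemon, it is also worth stating explicitly that the access is to the local slapd socket only and not to arbitrary LDAP servers.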
> diff --git a/ldap.if b/ldap.if
> index 3aa8fa7..73fda9b 100644
> --- a/ldap.if
> +++ b/ldap.if
> @@ -69,8 +69,7 @@ interface(`ldap_stream_connect',`
> ')
>
> files_search_pids($1)
> - allow $1 slapd_var_run_t:sock_file write;
> - allow $1 slapd_t:unix_stream_socket connectto;
> + stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
> ')
>
> ########################################
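Review bot: replacing the two `allow` rules with `stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)` is a cleanup unrelated to the nsswitch_domain attribute and belongs in its own patch. It is also not a pure refactor: stream_connect_pattern expands to `search` on the directory type, write_sock_file_perms (at least getattr and write) on the socket file type, and `connectto` on the domain, so every caller gains directory search on slapd_var_run_t and getattr on the socket compared with the old `allow $1 slapd_var_run_t:sock_file write;`. That is the standard form and harmless, but the commit message should say the permissions widen slightly.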
> diff --git a/nslcd.te b/nslcd.te
> index 4e28d58..d9854ff 100644
> --- a/nslcd.te
> +++ b/nslcd.te
> @@ -43,3 +43,7 @@ auth_use_nsswitch(nslcd_t)
> logging_send_syslog_msg(nslcd_t)
>
> miscfiles_read_localization(nslcd_t)
> +
> +optional_policy(`
> + ldap_stream_connect(nslcd_t)
> +')
> diff --git a/samba.te b/samba.te
> index fc22785..ca5c978 100644
> --- a/samba.te
> +++ b/samba.te
> @@ -219,6 +219,10 @@ userdom_use_user_terminals(samba_net_t)
> userdom_list_user_home_dirs(samba_net_t)
>
> optional_policy(`
> + ldap_stream_connect(samba_net_t)
> +')
> +
> +optional_policy(`
> pcscd_read_pub_files(samba_net_t)
> ')
>
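Review bot: `ldap_stream_connect(samba_net_t)` has no comment, and nothing in the hunk says which samba_net_t operation needs slapd's local socket. Document the case (or gate it on the samba tunable that covers LDAP-backed setups, if one applies) rather than granting it to every invocation of the net tool.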
> @@ -421,6 +425,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + ldap_stream_connect(smbd_t)
> +')
> +
> +optional_policy(`
> lpd_exec_lpr(smbd_t)
> ')
>
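Review bot: `ldap_stream_connect(smbd_t)` makes every file-serving smbd a potential client of slapd's unix socket. If this is again the FreeIPA case, a tunable in samba.te, or at minimum a comment naming the case as the apache and bind hunks do, keeps the default smbd policy from carrying an unexplained grant.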
> diff --git a/sssd.te b/sssd.te
> index 8ffa257..a1b61bc 100644
> --- a/sssd.te
> +++ b/sssd.te
> @@ -88,3 +88,7 @@ optional_policy(`
> optional_policy(`
> kerberos_manage_host_rcache(sssd_t)
> ')
> +
> +optional_policy(`
> + ldap_stream_connect(sssd_t)
> +')



--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-07-10 12:14:03

by mgrepl

Subject: [refpolicy] [Patch 4/4] Implementation of nsswitch_domain attribute

On 07/10/2012 02:07 PM, Christopher J. PeBenito wrote:
> On 07/03/12 07:44, Miroslav Grepl wrote:
>> * Add ldap_stream_connect() interface for domains which need it
> Since this is in the nsswitch patch set, I assume this access is for nsswitch. Why not put it in authlogin and use the attribute?
The problem is that we now have

optional_policy(`
	tunable_policy(`authlogin_nsswitch_use_ldap',`
		ldap_stream_connect(nsswitch_domain)
	')
')

but these domains need this access without this boolean.
>
> The other three patches are fine.
>

2012-07-10 12:28:55

by cpebenito

Subject: [refpolicy] [Patch 4/4] Implementation of nsswitch_domain attribute

On 07/10/12 08:14, Miroslav Grepl wrote:
> On 07/10/2012 02:07 PM, Christopher J. PeBenito wrote:
>> On 07/03/12 07:44, Miroslav Grepl wrote:
>>> * Add ldap_stream_connect() interface for domains which need it
>> Since this is in the nsswitch patch set, I assume this access is for nsswitch. Why not put it in authlogin and use the attribute?
> The problem is we have now
>
> optional_policy(`
> tunable_policy(`authlogin_nsswitch_use_ldap',`
> ldap_stream_connect(nsswitch_domain)
> ')
> ')
>
> but these domains need this access without this boolean.

So this is not actually related to the nsswitch patches?

>> The other three patches are fine.
>>



2012-07-10 12:32:55

by mgrepl

Subject: [refpolicy] [Patch 4/4] Implementation of nsswitch_domain attribute

On 07/10/2012 02:28 PM, Christopher J. PeBenito wrote:
> On 07/10/12 08:14, Miroslav Grepl wrote:
>> On 07/10/2012 02:07 PM, Christopher J. PeBenito wrote:
>>> On 07/03/12 07:44, Miroslav Grepl wrote:
>>>> * Add ldap_stream_connect() interface for domains which need it
>>> Since this is in the nsswitch patch set, I assume this access is for nsswitch. Why not put it in authlogin and use the attribute?
>> The problem is we have now
>>
>> optional_policy(`
>> tunable_policy(`authlogin_nsswitch_use_ldap',`
>> ldap_stream_connect(nsswitch_domain)
>> ')
>> ')
>>
>> but these domains need this access without this boolean.
> So this is not actually related to the nsswitch patches?
Previously, ldap_stream_connect() was allowed by default (where
auth_use_nsswitch() was used) without the authlogin_nsswitch_use_ldap
boolean. If we now add this boolean, it will not be allowed by default,
and that will break these domains.
>
>>> The other three patches are fine.
>>>

2012-07-10 12:37:35

by cpebenito

Subject: [refpolicy] [Patch 4/4] Implementation of nsswitch_domain attribute

On 07/10/12 08:32, Miroslav Grepl wrote:
> On 07/10/2012 02:28 PM, Christopher J. PeBenito wrote:
>> On 07/10/12 08:14, Miroslav Grepl wrote:
>>> On 07/10/2012 02:07 PM, Christopher J. PeBenito wrote:
>>>> On 07/03/12 07:44, Miroslav Grepl wrote:
>>>>> * Add ldap_stream_connect() interface for domains which need it
>>>> Since this is in the nsswitch patch set, I assume this access is for nsswitch. Why not put it in authlogin and use the attribute?
>>> The problem is we have now
>>>
>>> optional_policy(`
>>> tunable_policy(`authlogin_nsswitch_use_ldap',`
>>> ldap_stream_connect(nsswitch_domain)
>>> ')
>>> ')
>>>
>>> but these domains need this access without this boolean.
>> So this is not actually related to the nsswitch patches?
> Previously, ldap_stream_connect() was allowed by default (where auth_use_nsswitch() was used) without the authlogin_nsswitch_use_ldap boolean. If we now add this boolean, it will not be allowed by default, and that will break these domains.

Ok, I get it. These domains actually need the access unconditionally, but it was obscured by auth_use_nsswitch() always having ldap_stream_connect(). Right?


2012-07-10 12:38:23

by mgrepl

Subject: [refpolicy] [Patch 4/4] Implementation of nsswitch_domain attribute

On 07/10/2012 02:37 PM, Christopher J. PeBenito wrote:
> On 07/10/12 08:32, Miroslav Grepl wrote:
>> On 07/10/2012 02:28 PM, Christopher J. PeBenito wrote:
>>> On 07/10/12 08:14, Miroslav Grepl wrote:
>>>> On 07/10/2012 02:07 PM, Christopher J. PeBenito wrote:
>>>>> On 07/03/12 07:44, Miroslav Grepl wrote:
>>>>>> * Add ldap_stream_connect() interface for domains which need it
>>>>> Since this is in the nsswitch patch set, I assume this access is for nsswitch. Why not put it in authlogin and use the attribute?
>>>> The problem is we have now
>>>>
>>>> optional_policy(`
>>>> tunable_policy(`authlogin_nsswitch_use_ldap',`
>>>> ldap_stream_connect(nsswitch_domain)
>>>> ')
>>>> ')
>>>>
>>>> but these domains need this access without this boolean.
>>> So this is not actually related to the nsswitch patches?
>> Previously, ldap_stream_connect() was allowed by default (where auth_use_nsswitch() was used) without the authlogin_nsswitch_use_ldap boolean. If we now add this boolean, it will not be allowed by default, and that will break these domains.
> Ok, I get it. These domains actually need the access unconditionally, but it was obscured by auth_use_nsswitch() always having ldap_stream_connect(). Right?
>
Yes.
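The two shapes the thread contrasts, written out as an added local policy module (this is example code, not part of the refpolicy patch or of the thread): an unconditional grant, which is what the patch gives nslcd_t, sssd_t, kadmind_t, krb5kdc_t and the others, and a tunable-gated grant, which is the construct authlogin uses over the nsswitch_domain attribute with authlogin_nsswitch_use_ldap, here narrowed to a single domain. The module name `local_ldapi_clients` and the boolean `local_httpd_connect_slapd` are assumptions; `ldap_stream_connect`, `httpd_t`, `named_t` and `authlogin_nsswitch_use_ldap` are the names quoted in the thread.

```selinux
policy_module(local_ldapi_clients, 1.0)

# Assumed local boolean (not in refpolicy): lets an administrator switch the
# httpd_t grant on per host instead of shipping it unconditionally, which is
# the alternative the review raised for the apache and bind hunks.  Default off.
gen_tunable(local_httpd_connect_slapd, false)

gen_require(`
	type httpd_t;
	type named_t;
')

# Shape 1: unconditional.  named_t may connect to slapd's unix stream socket
# whenever the ldap module is loaded, regardless of authlogin_nsswitch_use_ldap.
# This is the form the patch adds to the individual .te files: the domain is
# itself an LDAP client and must keep working with the nsswitch boolean off.
optional_policy(`
	# needed regardless of authlogin_nsswitch_use_ldap
	ldap_stream_connect(named_t)
')

# Shape 2: tunable-gated.  Same interface, but the rules it expands to are
# conditional on the boolean, so with the default (off) httpd_t has no access.
# authlogin does the same over the whole nsswitch_domain attribute; here it is
# narrowed to one domain and one boolean so other nsswitch users are untouched.
optional_policy(`
	tunable_policy(`local_httpd_connect_slapd',`
		ldap_stream_connect(httpd_t)
	')
')
```

Build and load it with `make -f /usr/share/selinux/devel/Makefile local_ldapi_clients.pp` and `semodule -i local_ldapi_clients.pp`. The difference between the two shapes is visible in the compiled policy: `sesearch -A -s named_t -t slapd_t -c unix_stream_socket -p connectto` lists the rule plainly, while the same query for httpd_t lists it together with the boolean expression, and `getsebool local_httpd_connect_slapd` shows that it is off until `setsebool -P local_httpd_connect_slapd on` is run. This is also the check to run against the patched refpolicy itself: any domain that needs slapd's socket with authlogin_nsswitch_use_ldap off must show up in the unconditional form, otherwise it is relying on the attribute rule that the new boolean now disables by default.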