From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Fri, 05 Mar 2010 15:04:28 -0500 Subject: [refpolicy] [PATCH 1/1] Initial Likewise Open support In-Reply-To: <4B915292.4000702@likewise.com> References: <4B915292.4000702@likewise.com> Message-ID: <1267819468.12171.86.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2010-03-05 at 10:50 -0800, Scott Salley wrote: > Likewise Open allows Linux,Unix, and Mac machines to > join Active Directory and securely authenticate users. Thanks for the submission. Overall it looks pretty good. There are a couple technical issues, but mostly there are stylistic issues. Comments appear inline. > Signed-off-by: Scott Salley > --- > policy/modules/services/likewise.fc | 72 +++++++++ > policy/modules/services/likewise.if | 220 ++++++++++++++++++++++++++++ > policy/modules/services/likewise.te | 273 +++++++++++++++++++++++++++++++++++ > policy/modules/system/authlogin.if | 4 + > 4 files changed, 569 insertions(+), 0 deletions(-) > create mode 100644 policy/modules/services/likewise.fc > create mode 100644 policy/modules/services/likewise.if > create mode 100644 policy/modules/services/likewise.te > > diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc > new file mode 100644 > index 0000000..2e4eb86 > --- /dev/null > +++ b/policy/modules/services/likewise.fc 
> @@ -0,0 +1,72 @@ > + > +# > +# /etc > +# > +/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) > +/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) > +/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) > +/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) > +/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) > +/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) > +/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) > +/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0) > + > +/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0) > + > +# > +# /usr > +# > +/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0) > +/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0) > +/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0) > +/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0) > +/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0) > +/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0) > +/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0) > +/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0) > + > +# > +# /var > +# > +/var/lib/likewise-open(/.*)? 
gen_context(system_u:object_r:likewise_var_lib_t,s0) > +/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0) > +/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0) > +/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0) > + > +/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0) > + > +/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0) > + > +/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0) > + > +/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0) > + > +/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0) > + > +/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0) > + > + > +/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0) > +/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) > +/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) > +/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) > +/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0) > +/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0) > + > +/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0) > +/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0) > + > +/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0) > +/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0) > +/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0) > +/var/lib/likewise-open/regsd\.err -- 
gen_context(system_u:object_r:lwregd_var_lib_t,s0) > + > +/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0) > + > +/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0) > +/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0) > +/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0) > + > +/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0) > + > +/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0) > diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if > new file mode 100644 > index 0000000..cea6b44 > --- /dev/null > +++ b/policy/modules/services/likewise.if 
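Review bot: The pid-file types dcerpcd_var_run_t, eventlogd_var_run_t and lwsmd_var_run_t declared in the .te get no file context entry in this hunk, so a relabel of /var/run (restorecon, or a full relabel after a policy load) resets those pid files to generic var_run_t and the daemons' manage_files_pattern on their own pid type no longer applies; the `/var/run/??.pid` comments in the .te suggest the paths were simply not known yet. Add the three entries once the paths are confirmed, e.g. `/var/run/dcerpcd\.pid -- gen_context(system_u:object_r:dcerpcd_var_run_t,s0)`. Separately, the dots in `/var/run/lsassd.pid`, `/var/run/lwiod.pid`, `/var/run/lwregd.pid`, `/var/run/netlogond.pid`, `/var/run/srvsvcd.pid`, `/var/lib/likewise-open/krb5-affinity.conf` and `/etc/likewise-open/likewise-krb5-ad.conf` are unescaped while the rest of the file escapes them; the patterns still match but should use `\.` for consistency. The types likewise_krb5_affinity_t and likewise_pstore_lock_t declared in the .te are never used here (krb5-affinity.conf is labeled netlogond_var_lib_t), so either the .fc should label the corresponding files or the unused declarations should be dropped.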
> @@ -0,0 +1,220 @@ > +## > +## Likewise -- Active Directory support for UNIX > +## > + > + > +######################################## > +## > +## Execute daemon in the likewise domain. > +## > +## > +## > +## The type of the process performing this action. Nit: "Domain allowed access." is what we've been using. This description is an older one. > +## > +## > +# > +interface(`likewise_initrc_domtrans',` > + gen_require(` > + type likewise_initrc_exec_t; > + ') > + > + init_labeled_script_domtrans($1, likewise_initrc_exec_t) > +') > + > +######################################## > +## > +## Connect to dcerpcd. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`likewise_stream_connect_dcerpcd',` > + gen_require(` > + type likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t; > + ') > + > + files_search_pids($1) > + allow $1 likewise_var_lib_t:dir search_dir_perms; > + allow $1 dcerpcd_var_socket_t:sock_file unlink; Generally we frown on this. Normally interface shouldn't have side effects. This should only have rules sufficient for connecting to dcerpcd, and deleting the sock_file shouldn't be included. > + stream_connect_pattern($1, dcerpcd_var_socket_t, dcerpcd_var_socket_t, dcerpcd_t) I suspect you want likewise_var_lib_t as the second parameter, and then the first allow statement could be dropped. Similar comment for the below stream_connect interfaces. > +') > + > +######################################## > +## > +## Connect to eventlogd. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`likewise_stream_connect_eventlogd',` > + gen_require(` > + type likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t; > + ') > + > + files_search_pids($1) > + allow $1 likewise_var_lib_t:dir search_dir_perms; > + stream_connect_pattern($1, eventlogd_var_socket_t, eventlogd_var_socket_t, eventlogd_t) > +') > + > +######################################## > +## > +## Connect to lsassd. 
> +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`likewise_stream_connect_lsassd',` > + gen_require(` > + type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t; > + ') > + > + files_search_pids($1) > + allow $1 likewise_var_lib_t:dir search_dir_perms; > + stream_connect_pattern($1, lsassd_var_socket_t, lsassd_var_socket_t, lsassd_t) > +') > + > +######################################## > +## > +## Connect to lwiod. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`likewise_stream_connect_lwiod',` > + gen_require(` > + type likewise_var_lib_t, lwiod_var_socket_t, lwiod_t; > + ') > + > + files_search_pids($1) > + allow $1 likewise_var_lib_t:dir search_dir_perms; > + stream_connect_pattern($1, lwiod_var_socket_t, lwiod_var_socket_t, lwiod_t) > +') > + > +######################################## > +## > +## Connect to netlogond. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`likewise_stream_connect_netlogond',` > + gen_require(` > + type likewise_var_lib_t, netlogond_var_socket_t, netlogond_t; > + ') > + > + files_search_pids($1) > + allow $1 likewise_var_lib_t:dir search_dir_perms; > + stream_connect_pattern($1, netlogond_var_socket_t, netlogond_var_socket_t, netlogond_t) > +') > + > +######################################## > +## > +## Connect to lwregd. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`likewise_stream_connect_lwregd',` > + gen_require(` > + type likewise_var_lib_t, lwregd_var_socket_t, lwregd_t; > + ') > + > + files_search_pids($1) > + allow $1 likewise_var_lib_t:dir search_dir_perms; > + stream_connect_pattern($1, lwregd_var_socket_t, lwregd_var_socket_t, lwregd_t) > +') > + > +######################################## > +## > +## Read/write /etc/likewise-open. > +## > +## > +## > +## Domain allowed access. 
> +## > +## > +# > +interface(`likewise_rw_etc',` Should be likewise_rw_etc_files > + gen_require(` > + type likewise_etc_t; > + ') > + > + allow $1 likewise_etc_t:dir search_dir_perms; > + manage_files_pattern($1, likewise_etc_t, likewise_etc_t) This is incorrect. The verb in the interface name, along with the XML docs say this is for read/write, but the implementation has manage, which includes create/delete(unlink). Either the implementation needs to change manage_files_pattern to rw_files_pattern, or the XML needs to be fixed and interface name needs to change to likewise_manage_etc_files. > +') > + > + > +# This interace grants the likewise daemons a common set of rules. > +# daemon domain (lwregd_t): $1 > +# daemon executable (lwregd_exec_t): $2 > +# daemon pid (lwregd_var_run_t): $3 > +# daemon client socket (lwregd_var_socket_t): $4 > +# daemon privately managed files in /var/lib/likewise-open: $5 This needs to be turned into appropriate XML documentation. > +interface(`likewise_daemon',` > + gen_require(` > + type likewise_etc_t, likewise_var_lib_t; > + ') > + > + # Mark $1 as domain and $2 as an entrypoint into that domain. > + init_daemon_domain($1, $2) Nit: use tabs instead of spaces > + # Mark $3 as a pid file and allow it to be creat/read/write by $1 > + files_pid_file($3) > + manage_files_pattern($1, $3, $3) > + files_pid_filetrans($1, $3, file) Alternatively you could use derived types, and just specify a prefix so the naming is easily consistent. eg: type $1_var_run_t; files_pid_file($1_var_run_t) see rpc_domain_template() rpc.if and it's callers in rpc.te for an example. 
> + # Mark $4 as a socket for client access > + files_type($4) > + filetrans_pattern($1,likewise_var_lib_t,$4, sock_file) > + manage_sock_files_pattern($1,likewise_var_lib_t,$4) > + manage_files_pattern($1,$4,$4) > + > + # Mark $5 as files, privately managed under /var/lib/likewise-open > + files_type($5) > + allow $1 likewise_var_lib_t:dir manage_file_perms; The domains can really add and remove directories with this shared type? Also, it doesn't look like this type is used beyond this statement. If the shared directory type isn't created or deleted, the more general /var/lib type is probably sufficient, instead of adding a new type, especially considering the filetrans below. > + allow $1 $5:file manage_file_perms; > + allow $1 $5:dir manage_dir_perms; > + allow $1 $5:sock_file manage_sock_file_perms; > + > + filetrans_pattern($1,likewise_var_lib_t,$5, {file dir}) > + > + allow $1 self:process { signal_perms getsched setsched }; > + allow $1 self:fifo_file rw_fifo_file_perms; > + allow $1 self:unix_dgram_socket create_socket_perms; > + allow $1 self:unix_stream_socket create_stream_socket_perms; > + allow $1 $4:unix_stream_socket create_stream_socket_perms; This last line looks incorrect. In your above comments, lwregd_var_socket_t is an example and I see a sock_file labeled with this type in the .fc file. The line should probably be removed. > + allow $1 self:tcp_socket create_stream_socket_perms; > + allow $1 self:udp_socket create_socket_perms; > + > + # Read /etc > + files_read_etc_files($1) > + > + # Permit use of syslog > + logging_send_syslog_msg($1) > + > + # Permit use of locale > + miscfiles_read_localization($1) > + > + # Permit use of dev random/urandom > + dev_read_urand($1) > + dev_read_rand($1) > +') > + > diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te > new file mode 100644 > index 0000000..cf59f42 > --- /dev/null > +++ b/policy/modules/services/likewise.te 
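Review bot: Every likewise_stream_connect_* interface in this hunk calls `files_search_pids($1)`, but the socket files these interfaces reach live under /var/lib/likewise-open according to the .fc, so the call grants search on /var/run rather than /var/lib and a client without its own var_lib_t search access is still denied before it reaches the socket; each of the six interfaces should use `files_search_var_lib($1)` instead. In likewise_daemon, `allow $1 self:tcp_socket create_stream_socket_perms;` and `allow $1 self:udp_socket create_socket_perms;` hand network sockets to every daemon built from the template, including lwregd_t which has no corenet_* rules in the .te at all; moving those two lines into the .te next to the corenet_* calls of the daemons that actually bind or connect keeps the registry and service-manager domains off the network. `manage_files_pattern($1,$4,$4)` grants file-class management on the socket type, which the .fc only ever applies to sock_files, and looks like a leftover that can be dropped.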
> @@ -0,0 +1,273 @@ > + > +policy_module(likewise, 1.12.0) > + > +################################# > +# > +# Declarations > +# > + > +# dcerpcd domain: > +type dcerpcd_t; > +# The type of the /usr/sbin/dcerpcd executable: > +type dcerpcd_exec_t; > +# PID file /var/run/dcerpcd.pid > +type dcerpcd_var_run_t; > +# Socket for client access /var/lib/likewise-open/. FIXME > +type dcerpcd_var_socket_t; > +# dcerpcd specific files > +type dcerpcd_var_lib_t; > + > +likewise_daemon(dcerpcd_t, dcerpcd_exec_t, dcerpcd_var_run_t,dcerpcd_var_socket_t,dcerpcd_var_lib_t) > + > +corenet_tcp_bind_generic_node(dcerpcd_t) > +corenet_tcp_bind_reserved_port(dcerpcd_t) > +corenet_tcp_connect_generic_port(dcerpcd_t) > +corenet_udp_bind_generic_node(dcerpcd_t) > +corenet_udp_bind_reserved_port(dcerpcd_t) > + > +# Permit use of Likewise Open Registry > +likewise_stream_connect_lwregd(dcerpcd_t) > + > + > +# eventlogd domain: > +type eventlogd_t; > +# The type of the /usr/sbin/eventlogd executable: > +type eventlogd_exec_t; > +# PID file /var/run/eventlogd.pid > +type eventlogd_var_run_t; > +# Socket for client access /var/lib/likewise-open/. FIXME > +type eventlogd_var_socket_t; > +# dcerpcd specific files > +type eventlogd_var_lib_t; Please move the declarations up to the top of the .te file (same thing for later declarations). Also don't forget the comment headers for each of the domains (like the declarations one above, right after the policy_module() statement). 
> +likewise_daemon(eventlogd_t,eventlogd_exec_t,eventlogd_var_run_t,eventlogd_var_socket_t,eventlogd_var_lib_t) > + > +corenet_tcp_bind_generic_node(eventlogd_t) > +corenet_tcp_bind_reserved_port(eventlogd_t) > +corenet_udp_bind_generic_node(eventlogd_t) > +corenet_udp_bind_reserved_port(eventlogd_t) > + > +likewise_stream_connect_lwregd(eventlogd_t) > +likewise_stream_connect_dcerpcd(eventlogd_t) > + > + > + > +# lsassd domain: > +type lsassd_t; > +# The type of the /usr/sbin/lsassd executable: > +type lsassd_exec_t; > +# PID file /var/run/lsassd.pid > +type lsassd_var_run_t; > +# Socket for client access /var/lib/likewise-open/.lsassd > +type lsassd_var_socket_t; > +# lsassd specific files > +type lsassd_var_lib_t; >+ > +likewise_daemon(lsassd_t,lsassd_exec_t,lsassd_var_run_t,lsassd_var_socket_t,lsassd_var_lib_t) > + > +allow lsassd_t self:capability {fowner chown fsetid dac_override sys_time}; > +allow lsassd_t self:unix_stream_socket {create_stream_socket_perms connectto}; > +allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms; > +# Because lsassd calls access(), we need these two > +corecmd_exec_bin(lsassd_t); > +corecmd_exec_shell(lsassd_t); > + > +kerberos_use(lsassd_t) > + > +corenet_tcp_connect_reserved_port(lsassd_t) > +corenet_tcp_sendrecv_all_reserved_ports(lsassd_t) > +sysnet_use_ldap(lsassd_t) > +sysnet_read_config(lsassd_t) > + > +kernel_read_system_state(lsassd_t) > +kernel_getattr_proc_files(lsassd_t) > +kernel_list_all_proc(lsassd_t) > +kernel_list_proc(lsassd_t) > + > +files_manage_generic_tmp_dirs(lsassd_t) > +files_manage_generic_tmp_files(lsassd_t) > +gen_require(` > + type krb5_keytab_t; > +') > +allow lsassd_t krb5_keytab_t:file {read lock getattr write open}; Requiring/using a type from another module explicitly like this is not allowed upstream. If an appropriate interface doesn't exist in the kerberos module, please add it. 
> +domain_obj_id_change_exemption(lsassd_t) > +selinux_get_fs_mount(lsassd_t) > +selinux_validate_context(lsassd_t) > +seutil_read_config(lsassd_t) > +seutil_read_default_contexts(lsassd_t) > +seutil_read_file_contexts(lsassd_t) > +seutil_run_semanage(lsassd_t, lsassd_t) > + > +userdom_home_filetrans_user_home_dir(lsassd_t) > +userdom_manage_home_role(system_r, lsassd_t) This interface isn't intended to be used like this. Instead use something like userdom_manage_user_home_content_files(). > +#gen_require(` > +# type home_root_t; > +#') > +allow lsassd_t home_root_t:dir relabelto; Same thing as above type require/usage. > +likewise_stream_connect_lwregd(lsassd_t) > +likewise_stream_connect_netlogond(lsassd_t) > +likewise_stream_connect_lwiod(lsassd_t) > +likewise_stream_connect_eventlogd(lsassd_t) > +likewise_stream_connect_dcerpcd(lsassd_t) > + > +likewise_rw_etc(lsassd_t) > +files_manage_etc_files(lsassd_t) > +files_manage_etc_symlinks(lsassd_t) > +files_manage_etc_runtime_files(lsassd_t) > +allow lsassd_t netlogond_var_lib_t:file read_file_perms; > +allow lsassd_t likewise_krb5_ad_t:file read_file_perms; > + > +# > +# lwiod domain: > +# > +type lwiod_t; > +# The type of the /usr/sbin/lwiod executable: > +type lwiod_exec_t; > +# PID file /var/run/lwiod.pid > +type lwiod_var_run_t; > +# Socket for client access /var/lib/likewise-open/.lwiod > +type lwiod_var_socket_t; > +# lwiod specific files > +type lwiod_var_lib_t; > + > +likewise_daemon(lwiod_t,lwiod_exec_t,lwiod_var_run_t,lwiod_var_socket_t,lwiod_var_lib_t) > + > + > +kerberos_rw_config(lwiod_t) > +kerberos_use(lwiod_t) > +allow lwiod_t likewise_krb5_ad_t:file read_file_perms; > +allow lwiod_t netlogond_var_lib_t:file read_file_perms; > + > +corenet_tcp_bind_generic_node(lwiod_t) > +corenet_tcp_bind_smbd_port(lwiod_t) > +corenet_tcp_connect_smbd_port(lwiod_t) > +allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms; > + > +sysnet_read_config(lwiod_t) > + > +likewise_stream_connect_lwregd(lwiod_t) > 
+likewise_stream_connect_lsassd(lwiod_t) > + > + > +# lwregd domain > +type lwregd_t; > +# The type of the /usr/sbin/lwregd executable: > +type lwregd_exec_t; > +# PID file /var/run/lwregd.pid > +type lwregd_var_run_t; > +# Socket for client access /var/lib/likewise-open/.regsd > +type lwregd_var_socket_t; > +# Registry specific files, like /var/run/likewise-open/db/regcache.db > +type lwregd_var_lib_t; > + > +likewise_daemon(lwregd_t,lwregd_exec_t,lwregd_var_run_t,lwregd_var_socket_t,lwregd_var_lib_t) > + > +# lwsmd domain: > +type lwsmd_t; > +# The type of the /usr/sbin/lwsmd executable: > +type lwsmd_exec_t; > +# PID file /var/run/??.pid > +type lwsmd_var_run_t; > +# Socket for client access /var/lib/likewise-open/.lwsm > +type lwsmd_var_socket_t; > +# Netlogond specific files > +type lwsmd_var_lib_t; > + > +likewise_daemon(lwsmd_t,lwsmd_exec_t,lwsmd_var_run_t,lwsmd_var_socket_t,lwsmd_var_lib_t) > + > +corenet_tcp_bind_generic_node(lwsmd_t) > +corenet_tcp_bind_reserved_port(lwsmd_t) > +corenet_tcp_bind_smbd_port(lwsmd_t) > +corenet_udp_bind_generic_node(lwsmd_t) > +corenet_udp_bind_reserved_port(lwsmd_t) > +likewise_rw_etc(lwsmd_t) > + > +likewise_stream_connect_lwiod(lwsmd_t) > +likewise_stream_connect_lwregd(lwsmd_t) > + > +# When lwsmd starts the daemons, transition to their context: > +domtrans_pattern(lwsmd_t,dcerpcd_exec_t,dcerpcd_t) > +domtrans_pattern(lwsmd_t,eventlogd_exec_t,eventlogd_t) > +domtrans_pattern(lwsmd_t,lsassd_exec_t,lsassd_t) > +domtrans_pattern(lwsmd_t,lwiod_exec_t,lwiod_t) > +domtrans_pattern(lwsmd_t,lwregd_exec_t,lwregd_t) > +domtrans_pattern(lwsmd_t,netlogond_exec_t,netlogond_t) > +domtrans_pattern(lwsmd_t,srvsvcd_exec_t,srvsvcd_t) > + > +allow lwsmd_t dcerpcd_t:process { signal siginh rlimitinh noatsecure }; > +allow lwsmd_t eventlogd_t:process { signal siginh rlimitinh noatsecure }; > +allow lwsmd_t lsassd_t:process { signal siginh rlimitinh noatsecure }; > +allow lwsmd_t lwiod_t:process { signal siginh rlimitinh noatsecure }; > 
+allow lwsmd_t lwregd_t:process { signal siginh rlimitinh noatsecure }; > +allow lwsmd_t netlogond_t:process { signal siginh rlimitinh noatsecure }; > +allow lwsmd_t srvsvcd_t:process { signal siginh rlimitinh noatsecure }; Does lwsmd really need all this signal and rlimit inheritance, along with no AT_SECURE? > +# netlogond domain: > +type netlogond_t; > +# The type of the /usr/sbin/netlogond executable: > +type netlogond_exec_t; > +# PID file /var/run/??.pid > +type netlogond_var_run_t; > +# Socket for client access /var/lib/likewise-open/.netlogond > +type netlogond_var_socket_t; > +# Netlogond specific files > +type netlogond_var_lib_t; > + > +likewise_daemon(netlogond_t,netlogond_exec_t,netlogond_var_run_t,netlogond_var_socket_t,netlogond_var_lib_t) > + > +allow netlogond_t self:capability {dac_override}; > + > +sysnet_dns_name_resolve(netlogond_t) > +sysnet_use_ldap(netlogond_t) > + > +likewise_stream_connect_lwregd(netlogond_t) > + > +likewise_rw_etc(netlogond_t) > + > +# > +# srvsvcd domain: > +# > +type srvsvcd_t; > +# The type of the /usr/sbin/srvsvcd executable: > +type srvsvcd_exec_t; > +# PID file /var/run/??.pid > +type srvsvcd_var_run_t; > +# Socket for client access /var/lib/likewise-open/. 
> +type srvsvcd_var_socket_t; > +# This may not actually exist > +type srvsvcd_var_lib_t; > + > +likewise_daemon(srvsvcd_t,srvsvcd_exec_t,srvsvcd_var_run_t,srvsvcd_var_socket_t,srvsvcd_var_lib_t) > + > +corenet_tcp_bind_generic_node(srvsvcd_t) > +corenet_tcp_bind_reserved_port(srvsvcd_t) > + > +kerberos_use(srvsvcd_t) > + > +allow srvsvcd_t likewise_etc_t:dir search_dir_perms; > + > +likewise_stream_connect_lwregd(srvsvcd_t) > +likewise_stream_connect_dcerpcd(srvsvcd_t) > +likewise_stream_connect_lwiod(srvsvcd_t) > + > + > +type likewise_etc_t; > +files_config_file(likewise_etc_t) > + > +type likewise_initrc_exec_t; > +init_script_file(likewise_initrc_exec_t) > + > +type likewise_var_lib_t; > +files_type(likewise_var_lib_t) > + > +type likewise_pstore_lock_t; > +files_type(likewise_pstore_lock_t) > + > +type likewise_krb5_ad_t; > +files_type(likewise_krb5_ad_t) > + > +type likewise_krb5_affinity_t; > +files_type(likewise_krb5_affinity_t) > + > diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if > index b193dd8..499093a 100644 > --- a/policy/modules/system/authlogin.if > +++ b/policy/modules/system/authlogin.if > @@ -1414,6 +1414,10 @@ interface(`auth_use_nsswitch',` > samba_stream_connect_winbind($1) > samba_read_var_files($1) > ') > + > + optional_policy(` > + likewise_stream_connect_lsassd($1) > + ') This should be inserted between the optional blocks for the avahi_stream_connect() and nis_use_ypbind() calls. > ') > > ######################################## -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
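Review bot: `seutil_run_semanage(lsassd_t, lsassd_t)` passes a type where the interface's second parameter is the role allowed to enter semanage_t, so at minimum it should read `seutil_run_semanage(lsassd_t, system_r)`; more importantly, it lets an AD-facing authentication daemon transition into semanage_t and rewrite the policy store and SELinux login mappings, which is a policy-bypass primitive if lsassd is ever compromised, and if it is only needed to map AD users to SELinux users at domain-join time (I am inferring the purpose) that belongs in an administrative tool rather than the long-running daemon. The same domain also receives `files_manage_etc_files`, `files_manage_etc_symlinks` and `files_manage_etc_runtime_files`, i.e. write access to every generic etc_t file, together with `corenet_tcp_connect_reserved_port` and `corenet_tcp_sendrecv_all_reserved_ports`; these should be narrowed to the specific files it edits (kerberos_rw_config, used for lwiod_t below, already exists) and to the ldap/kerberos/smbd port types it actually talks to. dcerpcd_t, eventlogd_t, lwsmd_t and srvsvcd_t all get `corenet_tcp_bind_reserved_port` and, for three of them, `corenet_udp_bind_reserved_port`, which permits binding any otherwise-untyped reserved port; a dedicated port type for the RPC endpoint mapper is the usual fix. Finally, `policy_module(likewise, 1.12.0)` should start at 1.0.0 for a new module.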