From: domg472@gmail.com (Dominick Grift)
Date: Sat, 06 Mar 2010 10:32:08 +0100
Subject: [refpolicy] [PATCH 1/1] Likewise policy
In-Reply-To: <4B91B87B.9010001@likewise.com>
References: <4B91B87B.9010001@likewise.com>
Message-ID: <4B922118.6050902@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 03/06/2010 03:05 AM, Scott Salley wrote:
> Resubmitting Likewise policy with suggested changes.
Have you checked whether this actually builds? There are some syntax errors in there that cause this to not compile. Also you did you remove the policy for lsassd to: - relabel to home_root_t - read write keytab Some comments inline
>
> Signed-off-by: Scott Salley
> ---
> policy/modules/services/likewise.fc | 65 ++++++++
> policy/modules/services/likewise.if | 231 ++++++++++++++++++++++++++++
> policy/modules/services/likewise.te | 286 +++++++++++++++++++++++++++++++++++
> policy/modules/system/authlogin.if | 4 +
> 4 files changed, 586 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/likewise.fc
> create mode 100644 policy/modules/services/likewise.if
> create mode 100644 policy/modules/services/likewise.te
>
> diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc
> new file mode 100644
> index 0000000..d065e58
> --- /dev/null
> +++ b/policy/modules/services/likewise.fc
> @@ -0,0 +1,65 @@
> +
> +/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +
> +/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
> +
> +
> +/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
> +/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
> +/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
> +/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
> +/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
> +/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
> +/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
> +/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
> +
> +
> +/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +
> +/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
> +
> +/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
> +
> +/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
> +
> +/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
> +
> +/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
> +
> +/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
> +
> +
> +/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
> +/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
> +
> +/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
> +/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
> +
> +/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
> +/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
> +/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
> +/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
> +
> +/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
> +
> +/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
> +/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
> +/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
> +
> +/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
> +
> +/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
The file context entries should be sorted in the following manner: 1. alphabetically by path, then 2. by increasing depth, then 3. entries with metacharacters (.*, ?, [a-z], etc.) first and exact matches last see: http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide
> diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
> new file mode 100644
> index 0000000..9294528
> --- /dev/null
> +++ b/policy/modules/services/likewise.if
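Review bot: Several path expressions in likewise.fc leave the `.` unescaped: the five `/var/run/*.pid` entries, `krb5-affinity.conf`, `db/lwi_events.db`, `run/rpcdep.dat` and `/etc/likewise-open/likewise-krb5-ad.conf`, while neighbouring entries such as `sam\.db` and `lsasd\.err` escape it. File-context paths are regular expressions, so an unescaped dot matches any character and the label can land on a name other than the intended file. Escape them the same way as the rest, e.g. `/var/run/lsassd\.pid` and `/etc/likewise-open/likewise-krb5-ad\.conf`. The entries also mix `,s0)` and `, s0)`; one form throughout would be easier to read.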
> @@ -0,0 +1,231 @@
> +## Likewise policy.
> +
> +########################################
> +##
> +## Execute daemon in the likewise domain.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_initrc_domtrans',`
> + gen_require(`
> + type likewise_initrc_exec_t;
> + ')
> +
> + init_labeled_script_domtrans($1, likewise_initrc_exec_t)
> +')
> +
Is this interface used by anything?
> +########################################
> +##
> +## Connect to dcerpcd.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_stream_connect_dcerpcd',`
> + gen_require(`
> + type likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
> +')
> +
> +########################################
> +##
> +## Connect to eventlogd.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_stream_connect_eventlogd',`
> + gen_require(`
> + type likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
> +')
> +
> +########################################
> +##
> +## Connect to lsassd.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_stream_connect_lsassd',`
> + gen_require(`
> + type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
> +')
> +
> +########################################
> +##
> +## Connect to lwiod.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_stream_connect_lwiod',`
> + gen_require(`
> + type likewise_var_lib_t, lwiod_var_socket_t, lwiod_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
> +')
> +
> +########################################
> +##
> +## Connect to netlogond.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_stream_connect_netlogond',`
> + gen_require(`
> + type likewise_var_lib_t, netlogond_var_socket_t, netlogond_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
> +')
> +
> +########################################
> +##
> +## Connect to lwregd.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_stream_connect_lwregd',`
> + gen_require(`
> + type likewise_var_lib_t, lwregd_var_socket_t, lwregd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
> +')
> +
> +########################################
> +##
> +## Manage /etc/likewise-open.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_manage_etc_files',`
> + gen_require(`
> + type likewise_etc_t;
> + ')
> +
> + allow $1 likewise_etc_t:dir search_dir_perms;
> + manage_files_pattern($1, likewise_etc_t, likewise_etc_t)
> +')
The manage files pattern already provides sufficient permission for domains to search likewise_etc_t. domains are not allowed to search /etc, use files_search_etc_files($1)
> +
> +########################################
> +##
> +## Grant likewise daemons a common set of rules
> +##
> +##
> +##
> +## Domain of daemon process.
> +##
> +##
> +##
> +##
> +## Type of daemon executable files.
> +##
> +##
> +##
> +##
> +## Type of pid file created by daemon.
> +##
> +##
> +##
> +##
> +## Type of daemon communication socket.
> +##
> +##
> +##
> +##
> +## Files managed by the daemon.
> +##
> +##
> +interface(`likewise_daemon',`
> + gen_require(`
> + type likewise_etc_t, likewise_var_lib_t;
> + ')
likewise_etc_t does not have to be required.
> +
> + # Mark $1 as domain and $2 as an entrypoint into that domain.
> + init_daemon_domain($1, $2)
> +
> + # Mark $3 as a pid file and allow it to be creat/read/write by $1
> + files_pid_file($3)
> + manage_files_pattern($1, $3, $3)
> + files_pid_filetrans($1, $3, file)
> +
> + # Mark $4 as a socket for client access
> + files_type($4)
> + filetrans_pattern($1,likewise_var_lib_t,$4, sock_file)
> + manage_sock_files_pattern($1,likewise_var_lib_t,$4)
> + manage_files_pattern($1,$4,$4)
> +
> + # Mark $5 as files, privately managed under /var/lib/likewise-open
> + files_type($5)
> + allow $1 likewise_var_lib_t:dir setattr;
> + allow $1 $5:file manage_file_perms;
> + allow $1 $5:dir manage_dir_perms;
> + allow $1 $5:sock_file manage_sock_file_perms;
> +
> + filetrans_pattern($1,likewise_var_lib_t,$5, {file dir})
> +
> + allow $1 self:process { signal_perms getsched setsched };
> + allow $1 self:fifo_file rw_fifo_file_perms;
> + allow $1 self:unix_dgram_socket create_socket_perms;
> + allow $1 self:unix_stream_socket create_stream_socket_perms;
> + allow $1 self:tcp_socket create_stream_socket_perms;
> + allow $1 self:udp_socket create_socket_perms;
> +
> + # Read /etc
> + files_read_etc_files($1)
> +
> + # Permit use of syslog
> + logging_send_syslog_msg($1)
> +
> + # Permit use of locale
> + miscfiles_read_localization($1)
> +
> + # Permit use of dev random/urandom
> + dev_read_urand($1)
> + dev_read_rand($1)
> +')
> +
> diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
> new file mode 100644
> index 0000000..c4f2e19
> --- /dev/null
> +++ b/policy/modules/services/likewise.te
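Review bot: The six `likewise_stream_connect_*` interfaces in likewise.if call `files_search_pids($1)`, but likewise.fc in this patch labels every daemon socket under /var/lib/likewise-open rather than /var/run. As written, the caller gets search on the pid directory it does not need and, as far as these lines show, no search on /var/lib, which it does need to reach the socket. Each of them should probably call `files_search_var_lib($1)` instead. This matters most for `likewise_stream_connect_lsassd`, because the authlogin.if hunk adds it to `auth_use_nsswitch`, so every caller of that interface depends on the path being reachable.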
> @@ -0,0 +1,286 @@
> +
> +policy_module(likewise, 1.0.0)
> +
> +#################################
> +#
> +# Declarations
> +#
> +type likewise_etc_t;
> +files_config_file(likewise_etc_t)
> +
> +type likewise_initrc_exec_t;
> +init_script_file(likewise_initrc_exec_t)
> +
> +type likewise_var_lib_t;
> +files_type(likewise_var_lib_t)
> +
> +type likewise_pstore_lock_t;
> +files_type(likewise_pstore_lock_t)
> +
> +type likewise_krb5_ad_t;
> +files_type(likewise_krb5_ad_t)
> +
> +type likewise_krb5_affinity_t;
> +files_type(likewise_krb5_affinity_t)
> +
Somw of the above types do not have a file context specification in likewise.fc
> +#################################
> +#
> +# Declarations for dcerpcd
> +#
> +type dcerpcd_t;
> +type dcerpcd_exec_t;
> +type dcerpcd_var_run_t;
> +type dcerpcd_var_socket_t;
> +type dcerpcd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for eventlogd
> +#
> +type eventlogd_t;
> +type eventlogd_exec_t;
> +type eventlogd_var_run_t;
> +type eventlogd_var_socket_t;
> +type eventlogd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lsassd
> +#
> +type lsassd_t;
> +type lsassd_exec_t;
> +type lsassd_var_run_t;
> +type lsassd_var_socket_t;
> +type lsassd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lwiod
> +#
> +type lwiod_t;
> +type lwiod_exec_t;
> +type lwiod_var_run_t;
> +type lwiod_var_socket_t;
> +type lwiod_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lwregd
> +#
> +type lwregd_t;
> +type lwregd_exec_t;
> +type lwregd_var_run_t;
> +type lwregd_var_socket_t;
> +type lwregd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lwsmd
> +#
> +type lwsmd_t;
> +type lwsmd_exec_t;
> +type lwsmd_var_run_t;
> +type lwsmd_var_socket_t;
> +type lwsmd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for netlogond
> +#
> +type netlogond_t;
> +type netlogond_exec_t;
> +type netlogond_var_run_t;
> +type netlogond_var_socket_t;
> +type netlogond_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for srvsvcd
> +#
> +type srvsvcd_t;
> +type srvsvcd_exec_t;
> +type srvsvcd_var_run_t;
> +type srvsvcd_var_socket_t;
> +type srvsvcd_var_lib_t;
> +
> +#################################
> +#
> +# Likewise DCE/RPC service local policy
> +#
> +
> +likewise_daemon(dcerpcd_t, dcerpcd_exec_t, dcerpcd_var_run_t,dcerpcd_var_socket_t,dcerpcd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(dcerpcd_t)
> +corenet_tcp_bind_reserved_port(dcerpcd_t)
> +corenet_tcp_connect_generic_port(dcerpcd_t)
> +corenet_udp_bind_generic_node(dcerpcd_t)
> +corenet_udp_bind_reserved_port(dcerpcd_t)
The networking block is missing to interface calls to ensure compatibility.
> +
> +likewise_stream_connect_lwregd(dcerpcd_t)
> +
> +#################################
> +#
> +# Likewise Auditing and Logging service policy
> +#
> +
> +likewise_daemon(eventlogd_t,eventlogd_exec_t,eventlogd_var_run_t,eventlogd_var_socket_t,eventlogd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(eventlogd_t)
> +corenet_tcp_bind_reserved_port(eventlogd_t)
> +corenet_udp_bind_generic_node(eventlogd_t)
> +corenet_udp_bind_reserved_port(eventlogd_t)
> +
The networking block is missing to interface calls to ensure compatibility.
> +likewise_stream_connect_lwregd(eventlogd_t)
> +likewise_stream_connect_dcerpcd(eventlogd_t)
> +
> +#################################
> +#
> +# Likewise Authentication service local policy
> +#
> +
> +likewise_daemon(lsassd_t,lsassd_exec_t,lsassd_var_run_t,lsassd_var_socket_t,lsassd_var_lib_t)
> +
> +allow lsassd_t self:capability {fowner chown fsetid dac_override sys_time};
> +allow lsassd_t self:unix_stream_socket {create_stream_socket_perms connectto};
> +allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
> +# Because lsassd calls access(), we need these two. It would be nice not to.
> +corecmd_exec_bin(lsassd_t);
> +corecmd_exec_shell(lsassd_t);
syntax errors (;) causes this to not build.
> +
> +kerberos_use(lsassd_t)
> +
This is optional
> +corenet_tcp_connect_reserved_port(lsassd_t)
> +corenet_tcp_sendrecv_all_reserved_ports(lsassd_t)
> +sysnet_use_ldap(lsassd_t)
> +sysnet_read_config(lsassd_t)
The networking block is missing to interface calls to ensure compatibility.
> +
> +kernel_read_system_state(lsassd_t)
> +kernel_getattr_proc_files(lsassd_t)
> +kernel_list_all_proc(lsassd_t)
> +kernel_list_proc(lsassd_t)
> +
> +files_manage_generic_tmp_dirs(lsassd_t)
> +files_manage_generic_tmp_files(lsassd_t)
> +
I suspect that these directories and files should be owned by lsassd
> +domain_obj_id_change_exemption(lsassd_t)
> +selinux_get_fs_mount(lsassd_t)
> +selinux_validate_context(lsassd_t)
> +seutil_read_config(lsassd_t)
> +seutil_read_default_contexts(lsassd_t)
> +seutil_read_file_contexts(lsassd_t)
> +seutil_run_semanage(lsassd_t, lsassd_t)
> +
> +userdom_home_filetrans_user_home_dir(lsassd_t)
> +userdom_manage_home_role(system_r, lsassd_t)
> +
> +likewise_stream_connect_lwregd(lsassd_t)
> +likewise_stream_connect_netlogond(lsassd_t)
> +likewise_stream_connect_lwiod(lsassd_t)
> +likewise_stream_connect_eventlogd(lsassd_t)
> +likewise_stream_connect_dcerpcd(lsassd_t)
> +
> +likewise_manage_etc_files(lsassd_t)
> +files_manage_etc_files(lsassd_t)
> +files_manage_etc_symlinks(lsassd_t)
> +files_manage_etc_runtime_files(lsassd_t)
> +allow lsassd_t netlogond_var_lib_t:file read_file_perms;
> +allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
> +
> +
> +#################################
> +#
> +# Likewise I/O service local policy
> +#
> +
> +likewise_daemon(lwiod_t,lwiod_exec_t,lwiod_var_run_t,lwiod_var_socket_t,lwiod_var_lib_t)
> +
> +kerberos_rw_config(lwiod_t)
> +kerberos_use(lwiod_t)
Should be optional
> +allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
> +allow lwiod_t netlogond_var_lib_t:file read_file_perms;
> +
> +corenet_tcp_bind_generic_node(lwiod_t)
> +corenet_tcp_bind_smbd_port(lwiod_t)
> +corenet_tcp_connect_smbd_port(lwiod_t)
The networking block is missing to interface calls to ensure compatibility.
> +allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
> +
> +sysnet_read_config(lwiod_t)
> +
> +likewise_stream_connect_lwregd(lwiod_t)
> +likewise_stream_connect_lsassd(lwiod_t)
> +
> +#################################
> +#
> +# Likewise Registry server local policy
> +#
> +
> +likewise_daemon(lwregd_t,lwregd_exec_t,lwregd_var_run_t,lwregd_var_socket_t,lwregd_var_lib_t)
> +
> +#################################
> +#
> +# Likewise Service Manager service local policy
> +#
> +
> +likewise_daemon(lwsmd_t,lwsmd_exec_t,lwsmd_var_run_t,lwsmd_var_socket_t,lwsmd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(lwsmd_t)
> +corenet_tcp_bind_reserved_port(lwsmd_t)
> +corenet_tcp_bind_smbd_port(lwsmd_t)
> +corenet_udp_bind_generic_node(lwsmd_t)
> +corenet_udp_bind_reserved_port(lwsmd_t)
The networking block is missing to interface calls to ensure compatibility.
> +likewise_manage_etc_files(lwsmd_t)
> +
> +likewise_stream_connect_lwiod(lwsmd_t)
> +likewise_stream_connect_lwregd(lwsmd_t)
> +
> +# When lwsmd starts the daemons, transition to their context:
> +domtrans_pattern(lwsmd_t,dcerpcd_exec_t,dcerpcd_t)
> +domtrans_pattern(lwsmd_t,eventlogd_exec_t,eventlogd_t)
> +domtrans_pattern(lwsmd_t,lsassd_exec_t,lsassd_t)
> +domtrans_pattern(lwsmd_t,lwiod_exec_t,lwiod_t)
> +domtrans_pattern(lwsmd_t,lwregd_exec_t,lwregd_t)
> +domtrans_pattern(lwsmd_t,netlogond_exec_t,netlogond_t)
> +domtrans_pattern(lwsmd_t,srvsvcd_exec_t,srvsvcd_t)
> +
> +allow lwsmd_t dcerpcd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t eventlogd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t lsassd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t lwiod_t:process { signal siginh rlimitinh };
> +allow lwsmd_t lwregd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t netlogond_t:process { signal siginh rlimitinh };
> +allow lwsmd_t srvsvcd_t:process { signal siginh rlimitinh };
I suspect these can be removed. signal is already allowed and the other permissions are rarely needed.
> +
> +#################################
> +#
> +# Likewise DC location service local policy
> +#
> +
> +likewise_daemon(netlogond_t,netlogond_exec_t,netlogond_var_run_t,netlogond_var_socket_t,netlogond_var_lib_t)
> +
> +allow netlogond_t self:capability {dac_override};
> +
> +sysnet_dns_name_resolve(netlogond_t)
> +sysnet_use_ldap(netlogond_t)
> +
> +likewise_stream_connect_lwregd(netlogond_t)
> +likewise_manage_etc_files(netlogond_t)
> +
> +#################################
> +#
> +# Likewise Srv service local policy
> +#
> +
> +likewise_daemon(srvsvcd_t,srvsvcd_exec_t,srvsvcd_var_run_t,srvsvcd_var_socket_t,srvsvcd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(srvsvcd_t)
> +corenet_tcp_bind_reserved_port(srvsvcd_t)
> +
The networking block is missing to interface calls to ensure compatibility.
> +kerberos_use(srvsvcd_t)
This is optional
> +
> +allow srvsvcd_t likewise_etc_t:dir search_dir_perms;
> +
> +likewise_stream_connect_lwregd(srvsvcd_t)
> +likewise_stream_connect_dcerpcd(srvsvcd_t)
> +likewise_stream_connect_lwiod(srvsvcd_t)
> +
> +
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index b193dd8..41d6517 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -1403,6 +1403,10 @@ interface(`auth_use_nsswitch',`
> ')
>
> optional_policy(`
> + likewise_stream_connect_lsassd($1)
> + ')
> +
> + optional_policy(`
> nis_use_ypbind($1)
> ')
>
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 261 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100306/f1983384/attachment.bin
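Review bot: In the lsassd section of likewise.te, `seutil_run_semanage(lsassd_t, lsassd_t)` passes a type where that interface takes a role as its second argument. The neighbouring `userdom_manage_home_role(system_r, lsassd_t)` already uses the role, so the call presumably should read `seutil_run_semanage(lsassd_t, system_r)`. Separately, lsassd_t ends up with `dac_override`, `sys_time`, management of generic /etc files and symlinks, generic tmp files, user home content and a transition into semanage, which is a wide grant for a daemon that handles authentication and talks to the network. A one-line comment above each of these rules naming the lsassd operation that needs it, in the style of the existing access() comment, would let a reviewer check the rule against an observed denial.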