From: ssalley@likewise.com (Scott Salley) Date: Wed, 10 Mar 2010 15:46:53 -0800 Subject: [refpolicy] [PATCH 1/1] Likewise Open policy (3rd submitted version) Message-ID: <4B982F6D.1020004@likewise.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com I've done my best to incorporate the changes and suggestions made by the list. Changes since last mail: * Based the bulk of this patch on the mail from Dominick Grift. ** Added suggested interface files_relabelto_home. ** Added suggested interface kerberos_rw_keytab. ** Re-ordered most of the lines. ** Removed types that don't appear to be used. * Added port 135 as 'epmap' as that seems to be the most common abbreviation that is also accurate. Testing: This patch was applied to a Fedora 12 system and Likewise Open was able to install, join the domain, and authenticate domain users. Signed-off-by: Scott Salley --- policy/modules/kernel/corenetwork.te.in | 1 + policy/modules/kernel/files.if | 18 ++ policy/modules/services/kerberos.if | 20 ++ policy/modules/services/likewise.fc | 54 ++++ policy/modules/services/likewise.if | 27 ++ policy/modules/services/likewise.te | 465 +++++++++++++++++++++++++++++++ policy/modules/system/authlogin.if | 4 + 7 files changed, 589 insertions(+), 0 deletions(-) create mode 100644 policy/modules/services/likewise.fc create mode 100644 policy/modules/services/likewise.if create mode 100644 policy/modules/services/likewise.te diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index f199aa3..9a5a82a 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in 
@@ -97,6 +97,7 @@ network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, network_port(dict, tcp,2628,s0) network_port(distccd, tcp,3632,s0) network_port(dns, udp,53,s0, tcp,53,s0) +network_port(epmap, tcp,135,s0, udp,135,s0) network_port(fingerd, tcp,79,s0) network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0) network_port(ftp_data, tcp,20,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 83d26a5..03a8781 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -2923,6 +2923,24 @@ interface(`files_dontaudit_getattr_home_dir',` ######################################## ## +## Relabel to user home root (/home). +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabelto_home',` + gen_require(` + type home_root_t; + ') + + allow $1 home_root_t:dir relabelto; +') + +######################################## +## ## Search home directories root (/home). ## ## diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if index db5ca26..d3cedf6 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -195,6 +195,26 @@ interface(`kerberos_read_keytab',` ######################################## ## +## Read/Write the kerberos key table. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`kerberos_rw_keytab',` + gen_require(` + type krb5_keytab_t; + ') + + files_search_etc($1) + allow $1 krb5_keytab_t:file rw_file_perms; +') + +######################################## +## ## Create a derived type for kerberos keytab ## ## diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc new file mode 100644 index 0000000..6d29b1e --- /dev/null +++ b/policy/modules/services/likewise.fc 
@@ -0,0 +1,54 @@
+/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
+/etc/likewise-open/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
+/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
+
+/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+
+/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
+/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
+/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
+/var/lib/likewise-open/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
+/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
+/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
+/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
+/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
+/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
+
+/var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0)
+/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
+/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
+/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
+/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
+/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
+
diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
new file mode 100644
index 0000000..6b1568d
--- /dev/null
+++ b/policy/modules/services/likewise.if
@@ -0,0 +1,27 @@
+## Likewise Active Directory support for UNIX.
+##
+##
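Review bot: Regex metacharacters are escaped inconsistently in this file-context list: `/etc/likewise-open/.pstore.lock`, `/etc/likewise-open/likewise-krb5-ad.conf`, `/var/lib/likewise-open/krb5-affinity.conf`, `db/lwi_events.db`, `run/rpcdep.dat` and the six `/var/run/` pid entries leave the literal `.` unescaped while their neighbours use `\.`. An unescaped `.` matches any single character, so those patterns are slightly wider than the intended path; the refpolicy convention is to escape every literal dot, e.g. `/etc/likewise-open/\.pstore\.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)`. The `, s0` spacing in the `krb5-affinity.conf`, `krb5ccr_lsass`, `rpc/` and `run/rpcdep.dat` entries is likewise inconsistent with the `,s0` used elsewhere. Separately, the .te in this series declares `dcerpcd_var_run_t` and `lwsmd_var_run_t` with `files_pid_filetrans` rules, but no `/var/run/dcerpcd.pid` or `/var/run/lwsmd.pid` entry appears here, so if those daemons do write pid files they would only be labelled correctly at creation time and not on a filesystem relabel; worth confirming.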

+## Likewise Open is a free, open source application that joins Linux, Unix, +## and Mac machines to Microsoft Active Directory to securely authenticate +## users with their domain credentials. +##

+##
+
+########################################
+##
+## Connect to lsassd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_stream_connect_lsassd',`
+ gen_require(`
+ type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+')
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
new file mode 100644
index 0000000..4cfd8cf
--- /dev/null
+++ b/policy/modules/services/likewise.te
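Review bot: `files_search_pids($1)` in `likewise_stream_connect_lsassd` grants search on the pid directory, but the socket the interface connects to is `lsassd_var_socket_t` inside `likewise_var_lib_t`, which the .fc places under `/var/lib/likewise-open`, so callers need search access on `/var/lib` instead. The matching interface is `files_search_var_lib($1)`; the pids search looks unneeded for this path and should be replaced rather than supplemented. Because this interface is pulled into `auth_use_nsswitch` by the authlogin.if hunk, a missing search permission would show up as a denial in every nsswitch-using domain rather than only in the Likewise daemons.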
@@ -0,0 +1,465 @@
+
+policy_module(likewise, 1.0.0)
+
+#################################
+#
+# Likewise global personal declarations.
+#
+
+attribute likewise_domains;
+
+type likewise_etc_t;
+files_config_file(likewise_etc_t)
+
+type likewise_initrc_exec_t;
+init_script_file(likewise_initrc_exec_t)
+
+type likewise_var_lib_t;
+files_type(likewise_var_lib_t)
+
+type likewise_pstore_lock_t;
+files_type(likewise_pstore_lock_t)
+
+type likewise_krb5_ad_t;
+files_type(likewise_krb5_ad_t)
+
+#############################
+#
+# Likewise dcerpcd personal declarations.
+#
+
+type dcerpcd_t, likewise_domains;
+type dcerpcd_exec_t;
+init_daemon_domain(dcerpcd_t, dcerpcd_exec_t)
+
+type dcerpcd_var_run_t;
+files_pid_file(dcerpcd_var_run_t)
+
+type dcerpcd_var_socket_t;
+files_type(dcerpcd_var_socket_t)
+
+type dcerpcd_var_lib_t;
+files_type(dcerpcd_var_lib_t)
+
+#############################
+#
+# Likewise eventlogd personal declarations.
+#
+
+type eventlogd_t, likewise_domains;
+type eventlogd_exec_t;
+init_daemon_domain(eventlogd_t, eventlogd_exec_t)
+
+type eventlogd_var_run_t;
+files_pid_file(eventlogd_var_run_t)
+
+type eventlogd_var_socket_t;
+files_type(eventlogd_var_socket_t)
+
+type eventlogd_var_lib_t;
+files_type(eventlogd_var_lib_t)
+
+#############################
+#
+# Likewise lsassd personal declarations.
+#
+
+type lsassd_t, likewise_domains;
+type lsassd_exec_t;
+init_daemon_domain(lsassd_t, lsassd_exec_t)
+
+type lsassd_var_run_t;
+files_pid_file(lsassd_var_run_t)
+
+type lsassd_var_socket_t;
+files_type(lsassd_var_socket_t)
+
+type lsassd_var_lib_t;
+files_type(lsassd_var_lib_t)
+
+type lsassd_tmp_t;
+files_tmp_file(lsassd_tmp_t)
+
+#############################
+#
+# Likewise lwiod personal declarations.
+#
+
+type lwiod_t, likewise_domains;
+type lwiod_exec_t;
+init_daemon_domain(lwiod_t, lwiod_exec_t)
+
+type lwiod_var_run_t;
+files_pid_file(lwiod_var_run_t)
+
+type lwiod_var_socket_t;
+files_type(lwiod_var_socket_t)
+
+type lwiod_var_lib_t;
+files_type(lwiod_var_lib_t)
+
+#############################
+#
+# Likewise lwregd personal declarations.
+#
+
+type lwregd_t, likewise_domains;
+type lwregd_exec_t;
+init_daemon_domain(lwregd_t, lwregd_exec_t)
+
+type lwregd_var_run_t;
+files_pid_file(lwregd_var_run_t)
+
+type lwregd_var_socket_t;
+files_type(lwregd_var_socket_t)
+
+type lwregd_var_lib_t;
+files_type(lwregd_var_lib_t)
+
+#############################
+#
+# Likewise lwsmd personal declarations.
+#
+
+type lwsmd_t, likewise_domains;
+type lwsmd_exec_t;
+init_daemon_domain(lwsmd_t, lwsmd_exec_t)
+
+type lwsmd_var_run_t;
+files_pid_file(lwsmd_var_run_t)
+
+type lwsmd_var_socket_t;
+files_type(lwsmd_var_socket_t)
+
+type lwsmd_var_lib_t;
+files_type(lwsmd_var_lib_t)
+
+#############################
+#
+# Likewise netlogond personal declarations.
+#
+
+type netlogond_t, likewise_domains;
+type netlogond_exec_t;
+init_daemon_domain(netlogond_t, netlogond_exec_t)
+
+type netlogond_var_run_t;
+files_pid_file(netlogond_var_run_t)
+
+type netlogond_var_socket_t;
+files_type(netlogond_var_socket_t)
+
+type netlogond_var_lib_t;
+files_type(netlogond_var_lib_t)
+
+#############################
+#
+# Likewise srvsvcd personal declarations.
+#
+
+type srvsvcd_t, likewise_domains;
+type srvsvcd_exec_t;
+init_daemon_domain(srvsvcd_t, srvsvcd_exec_t)
+
+type srvsvcd_var_run_t;
+files_pid_file(srvsvcd_var_run_t)
+
+type srvsvcd_var_socket_t;
+files_type(srvsvcd_var_socket_t)
+
+##################################
+#
+# Likewise global personal policy.
+
+allow likewise_domains self:process { signal_perms getsched setsched };
+allow likewise_domains self:fifo_file rw_fifo_file_perms;
+allow likewise_domains self:unix_dgram_socket create_socket_perms;
+allow likewise_domains self:unix_stream_socket create_stream_socket_perms;
+allow likewise_domains self:tcp_socket create_stream_socket_perms;
+allow likewise_domains self:udp_socket create_socket_perms;
+
+allow likewise_domains likewise_var_lib_t:dir setattr;
+
+dev_read_urand(likewise_domains)
+dev_read_rand(likewise_domains)
+
+files_read_etc_files(likewise_domains)
+
+logging_send_syslog_msg(likewise_domains)
+
+miscfiles_read_localization(likewise_domains)
+
+#################################
+#
+# Likewise dcerpcd personal policy
+#
+
+manage_files_pattern(dcerpcd_t, dcerpcd_var_run_t, dcerpcd_var_run_t)
+files_pid_filetrans(dcerpcd_t, dcerpcd_var_run_t, file)
+
+manage_files_pattern(dcerpcd_t, dcerpcd_var_lib_t, dcerpcd_var_lib_t)
+filetrans_pattern(dcerpcd_t,likewise_var_lib_t,dcerpcd_var_lib_t, file)
+
+manage_sock_files_pattern(dcerpcd_t,likewise_var_lib_t,dcerpcd_var_socket_t)
+filetrans_pattern(dcerpcd_t,likewise_var_lib_t,dcerpcd_var_socket_t, sock_file)
+
+stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(dcerpcd_t)
+corenet_all_recvfrom_unlabeled(dcerpcd_t)
+corenet_sendrecv_generic_client_packets(dcerpcd_t)
+corenet_sendrecv_generic_server_packets(dcerpcd_t)
+corenet_tcp_sendrecv_generic_if(dcerpcd_t)
+corenet_tcp_sendrecv_generic_node(dcerpcd_t)
+corenet_tcp_sendrecv_generic_port(dcerpcd_t)
+corenet_tcp_bind_generic_node(dcerpcd_t)
+corenet_tcp_bind_epmap_port(dcerpcd_t)
+corenet_tcp_connect_generic_port(dcerpcd_t)
+corenet_udp_bind_generic_node(dcerpcd_t)
+corenet_udp_bind_epmap_port(dcerpcd_t)
+corenet_udp_sendrecv_generic_if(dcerpcd_t)
+corenet_udp_sendrecv_generic_node(dcerpcd_t)
+corenet_udp_sendrecv_generic_port(dcerpcd_t)
+
+#################################
+#
+# Likewise Auditing and Logging service policy
+#
+
+manage_files_pattern(eventlogd_t, eventlogd_var_run_t, eventlogd_var_run_t)
+files_pid_filetrans(eventlogd_t, eventlogd_var_run_t, file)
+
+manage_files_pattern(eventlogd_t, eventlogd_var_lib_t, eventlogd_var_lib_t)
+filetrans_pattern(eventlogd_t,likewise_var_lib_t,eventlogd_var_lib_t, file)
+
+manage_sock_files_pattern(eventlogd_t,likewise_var_lib_t,eventlogd_var_socket_t)
+filetrans_pattern(eventlogd_t,likewise_var_lib_t,eventlogd_var_socket_t, sock_file)
+
+stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+corenet_all_recvfrom_netlabel(eventlogd_t)
+corenet_all_recvfrom_unlabeled(eventlogd_t)
+corenet_sendrecv_generic_server_packets(eventlogd_t)
+corenet_tcp_sendrecv_generic_if(eventlogd_t)
+corenet_tcp_sendrecv_generic_node(eventlogd_t)
+corenet_tcp_sendrecv_generic_port(eventlogd_t)
+corenet_tcp_bind_generic_node(eventlogd_t)
+corenet_udp_bind_generic_node(eventlogd_t)
+corenet_udp_sendrecv_generic_if(eventlogd_t)
+corenet_udp_sendrecv_generic_node(eventlogd_t)
+corenet_udp_sendrecv_generic_port(eventlogd_t)
+
+#################################
+#
+# Likewise Authentication service local policy
+#
+
+allow lsassd_t self:capability {fowner chown fsetid dac_override sys_time};
+allow lsassd_t self:unix_stream_socket {create_stream_socket_perms connectto};
+allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
+allow lsassd_t netlogond_var_lib_t:file read_file_perms;
+
+manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t)
+
+manage_files_pattern(lsassd_t, lsassd_var_run_t, lsassd_var_run_t)
+files_pid_filetrans(lsassd_t, lsassd_var_run_t, file)
+
+manage_files_pattern(lsassd_t, lsassd_var_lib_t, lsassd_var_lib_t)
+filetrans_pattern(lsassd_t, likewise_var_lib_t, lsassd_var_lib_t, file)
+
+manage_sock_files_pattern(lsassd_t, likewise_var_lib_t, lsassd_var_socket_t)
+filetrans_pattern(lsassd_t, likewise_var_lib_t, lsassd_var_socket_t, sock_file)
+
+manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t);
+files_tmp_filetrans(lsassd_t, lsassd_tmp_t, file)
+
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+stream_connect_pattern(lsassd_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
+
+corecmd_exec_bin(lsassd_t)
+corecmd_exec_shell(lsassd_t)
+
+corenet_all_recvfrom_netlabel(lsassd_t)
+corenet_all_recvfrom_unlabeled(lsassd_t)
+corenet_tcp_sendrecv_generic_if(lsassd_t)
+corenet_tcp_sendrecv_generic_node(lsassd_t)
+corenet_tcp_sendrecv_generic_port(lsassd_t)
+corenet_tcp_bind_generic_node(lsassd_t)
+corenet_tcp_connect_epmap_port(lsassd_t)
+corenet_tcp_sendrecv_epmap_port(lsassd_t)
+
+files_manage_etc_files(lsassd_t)
+files_manage_etc_symlinks(lsassd_t)
+files_manage_etc_runtime_files(lsassd_t)
+
+files_relabelto_home(lsassd_t)
+
+kernel_read_system_state(lsassd_t)
+kernel_getattr_proc_files(lsassd_t)
+kernel_list_all_proc(lsassd_t)
+kernel_list_proc(lsassd_t)
+
+domain_obj_id_change_exemption(lsassd_t)
+
+selinux_get_fs_mount(lsassd_t)
+selinux_validate_context(lsassd_t)
+
+seutil_read_config(lsassd_t)
+seutil_read_default_contexts(lsassd_t)
+seutil_read_file_contexts(lsassd_t)
+seutil_run_semanage(lsassd_t, lsassd_t)
+
+sysnet_use_ldap(lsassd_t)
+sysnet_read_config(lsassd_t)
+
+userdom_home_filetrans_user_home_dir(lsassd_t)
+userdom_manage_home_role(system_r, lsassd_t)
+
+optional_policy(`
+ kerberos_rw_keytab(lsassd_t)
+ kerberos_use(lsassd_t)
+')
+
+#################################
+#
+# Likewise I/O service local policy
+#
+allow lwiod_t self:capability {fowner chown fsetid dac_override };
+
+allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
+allow lwiod_t netlogond_var_lib_t:file read_file_perms;
+
+manage_files_pattern(lwiod_t, lwiod_var_run_t, lwiod_var_run_t)
+files_pid_filetrans(lwiod_t, lwiod_var_run_t, file)
+
+manage_files_pattern(lwiod_t, lwiod_var_lib_t, lwiod_var_lib_t)
+filetrans_pattern(lwiod_t, likewise_var_lib_t, lwiod_var_lib_t, file)
+
+manage_sock_files_pattern(lwiod_t, likewise_var_lib_t, lwiod_var_socket_t)
+filetrans_pattern(lwiod_t, likewise_var_lib_t, lwiod_var_socket_t, sock_file)
+
+stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+
+corenet_all_recvfrom_netlabel(lwiod_t)
+corenet_all_recvfrom_unlabeled(lwiod_t)
+corenet_sendrecv_smbd_server_packets(lwiod_t)
+corenet_sendrecv_smbd_client_packets(lwiod_t)
+corenet_tcp_sendrecv_generic_if(lwiod_t)
+corenet_tcp_sendrecv_generic_node(lwiod_t)
+corenet_tcp_sendrecv_generic_port(lwiod_t)
+corenet_tcp_bind_generic_node(lwiod_t)
+corenet_tcp_bind_smbd_port(lwiod_t)
+corenet_tcp_connect_smbd_port(lwiod_t)
+
+sysnet_read_config(lwiod_t)
+
+optional_policy(`
+ kerberos_rw_config(lwiod_t)
+ kerberos_use(lwiod_t)
+')
+
+#################################
+#
+# Likewise Registry server local policy
+#
+manage_files_pattern(lwregd_t, lwregd_var_run_t, lwregd_var_run_t)
+files_pid_filetrans(lwregd_t, lwregd_var_run_t, file)
+
+manage_files_pattern(lwregd_t, lwregd_var_lib_t, lwregd_var_lib_t)
+filetrans_pattern(lwregd_t,likewise_var_lib_t,lwregd_var_lib_t, file)
+
+manage_sock_files_pattern(lwregd_t,likewise_var_lib_t,lwregd_var_socket_t)
+filetrans_pattern(lwregd_t,likewise_var_lib_t,lwregd_var_socket_t, sock_file)
+
+#################################
+#
+# Likewise Service Manager service local policy
+#
+allow lwsmd_t dcerpcd_t:process signal;
+allow lwsmd_t eventlogd_t:process signal;
+allow lwsmd_t lsassd_t:process signal;
+allow lwsmd_t lwiod_t:process signal;
+allow lwsmd_t lwregd_t:process signal;
+allow lwsmd_t netlogond_t:process signal;
+allow lwsmd_t srvsvcd_t:process signal;
+
+manage_files_pattern(lwsmd_t, lwsmd_var_run_t, lwsmd_var_run_t)
+files_pid_filetrans(lwsmd_t, lwsmd_var_run_t, file)
+
+manage_files_pattern(lwsmd_t, lwsmd_var_lib_t, lwsmd_var_lib_t)
+filetrans_pattern(lwsmd_t, likewise_var_lib_t, lwsmd_var_lib_t, file)
+
+manage_sock_files_pattern(lwsmd_t, likewise_var_lib_t, lwsmd_var_socket_t)
+filetrans_pattern(lwsmd_t, likewise_var_lib_t, lwsmd_var_socket_t, sock_file)
+
+domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t)
+domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t)
+domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t)
+domtrans_pattern(lwsmd_t, lwiod_exec_t, lwiod_t)
+domtrans_pattern(lwsmd_t, lwregd_exec_t, lwregd_t)
+domtrans_pattern(lwsmd_t, netlogond_exec_t, netlogond_t)
+domtrans_pattern(lwsmd_t, srvsvcd_exec_t, srvsvcd_t)
+
+stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
+stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+#################################
+#
+# Likewise DC location service local policy
+#
+
+allow netlogond_t self:capability {dac_override};
+
+manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
+
+manage_files_pattern(netlogond_t, netlogond_var_run_t, netlogond_var_run_t)
+files_pid_filetrans(netlogond_t, netlogond_var_run_t, file)
+
+manage_files_pattern(netlogond_t, netlogond_var_lib_t, netlogond_var_lib_t)
+filetrans_pattern(netlogond_t,likewise_var_lib_t,netlogond_var_lib_t, file)
+
+manage_sock_files_pattern(netlogond_t,likewise_var_lib_t,netlogond_var_socket_t)
+filetrans_pattern(netlogond_t,likewise_var_lib_t,netlogond_var_socket_t, sock_file)
+
+stream_connect_pattern(netlogond_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
+
+sysnet_dns_name_resolve(netlogond_t) +sysnet_use_ldap(netlogond_t) + +################################# +# +# Likewise Srv service local policy +# + +allow srvsvcd_t likewise_etc_t:dir search_dir_perms; + +manage_files_pattern(srvsvcd_t, srvsvcd_var_run_t, srvsvcd_var_run_t) +files_pid_filetrans(srvsvcd_t, srvsvcd_var_run_t, file) + +manage_sock_files_pattern(srvsvcd_t,likewise_var_lib_t,srvsvcd_var_socket_t) +filetrans_pattern(srvsvcd_t,likewise_var_lib_t,srvsvcd_var_socket_t, sock_file) + +stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t) +stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t) +stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t) + +corenet_all_recvfrom_netlabel(srvsvcd_t) +corenet_all_recvfrom_unlabeled(srvsvcd_t) +corenet_sendrecv_generic_server_packets(srvsvcd_t) +corenet_tcp_sendrecv_generic_if(srvsvcd_t) +corenet_tcp_sendrecv_generic_node(srvsvcd_t) +corenet_tcp_sendrecv_generic_port(srvsvcd_t) +corenet_tcp_bind_generic_node(srvsvcd_t) + +optional_policy(` + kerberos_use(srvsvcd_t) +') diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index b193dd8..0981a2c 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -1407,6 +1407,10 @@ interface(`auth_use_nsswitch',` ') optional_policy(` + likewise_stream_connect_lsassd($1) + ') + + optional_policy(` nscd_socket_use($1) ') -- 1.7.0.1.147.g6d84b
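Review bot: `likewise_pstore_lock_t` is declared at the top of likewise.te and assigned to `/etc/likewise-open/.pstore.lock` in the .fc, but no rule in this file references it, so whichever daemon takes that lock (presumably `lsassd_t`, which already gets `manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t)`) will be denied on it; either add a rule such as `allow lsassd_t likewise_pstore_lock_t:file manage_file_perms;` for the owning domain or drop the type, as the cover letter says was done for the other unused types. Separately, `lsassd_t` receives `files_manage_etc_files`, `files_manage_etc_symlinks` and `files_manage_etc_runtime_files` on top of its own `likewise_etc_t`, together with `corecmd_exec_shell` and `seutil_run_semanage`; for the daemon that performs domain authentication this is a broad write surface over generic /etc and the policy store, and a comment naming the files it must modify (or a dedicated type for them) would let reviewers judge whether the generic-etc interfaces are really required. The trailing `;` on `manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t);` is inconsistent with every other pattern call in the file and should be dropped.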