From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 17 Mar 2010 09:31:02 -0400 Subject: [refpolicy] [ Likewise patch RETRY(1) 1/1] Likewise policy. In-Reply-To: <20100315171331.GA8740@localhost.localdomain> References: <20100315171331.GA8740@localhost.localdomain> Message-ID: <1268832662.13301.36.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 2010-03-15 at 18:13 +0100, Dominick Grift wrote: > Signed-off-by: Dominick Grift Merged. Added additional style fixes.
> ---
> :100644 100644 f199aa3... 9a5a82a... M policy/modules/kernel/corenetwork.te.in
> :100644 100644 83d26a5... 03a8781... M policy/modules/kernel/files.if
> :100644 100644 db5ca26... d3cedf6... M policy/modules/services/kerberos.if
> :000000 100644 0000000... 6d29b1e... A policy/modules/services/likewise.fc
> :000000 100644 0000000... 549da5d... A policy/modules/services/likewise.if
> :000000 100644 0000000... 731399f... A policy/modules/services/likewise.te
> :100644 100644 b193dd8... 8fa6e24... M policy/modules/system/authlogin.if
> policy/modules/kernel/corenetwork.te.in | 1 +
> policy/modules/kernel/files.if | 18 ++
> policy/modules/services/kerberos.if | 20 ++
> policy/modules/services/likewise.fc | 54 ++++++
> policy/modules/services/likewise.if | 105 +++++++++++
> policy/modules/services/likewise.te | 289 +++++++++++++++++++++++++++++++
> policy/modules/system/authlogin.if | 4 +
> 7 files changed, 491 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index f199aa3..9a5a82a 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -97,6 +97,7 @@ network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0,
> network_port(dict, tcp,2628,s0)
> network_port(distccd, tcp,3632,s0)
> network_port(dns, udp,53,s0, tcp,53,s0)
> +network_port(epmap, tcp,135,s0, udp,135,s0)
> network_port(fingerd, tcp,79,s0)
> network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
> network_port(ftp_data, tcp,20,s0)
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index 83d26a5..03a8781 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -2923,6 +2923,24 @@ interface(`files_dontaudit_getattr_home_dir',`
>
> ########################################
> ##
> +## Relabel to user home root (/home).
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`files_relabelto_home',`
> + gen_require(`
> + type home_root_t;
> + ')
> +
> + allow $1 home_root_t:dir relabelto;
> +')
> +
> +########################################
> +##
> ## Search home directories root (/home).
> ##
> ##
> diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
> index db5ca26..d3cedf6 100644
> --- a/policy/modules/services/kerberos.if
> +++ b/policy/modules/services/kerberos.if
> @@ -195,6 +195,26 @@ interface(`kerberos_read_keytab',`
>
> ########################################
> ##
> +## Read/Write the kerberos key table.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`kerberos_rw_keytab',`
> + gen_require(`
> + type krb5_keytab_t;
> + ')
> +
> + files_search_etc($1)
> + allow $1 krb5_keytab_t:file rw_file_perms;
> +')
> +
> +########################################
> +##
> ## Create a derived type for kerberos keytab
> ##
> ##
> diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc
> new file mode 100644
> index 0000000..6d29b1e
> --- /dev/null
> +++ b/policy/modules/services/likewise.fc
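Review bot: `kerberos_rw_keytab` in the kerberos.if hunk gives the caller write access to `krb5_keytab_t`, which holds the host's long-term Kerberos keys, yet the summary only says "Read/Write the kerberos key table." The summary should state that the interface permits modifying host key material, so that future callers are reviewed with that in mind, for example `## Read and write the kerberos key table (host keys).` The parameter documentation is not legible in this archived copy, so this applies to the summary line only.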
> @@ -0,0 +1,54 @@
> +/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
> +/etc/likewise-open/.pstore.lock -- gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
> +/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
> +
> +/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +
> +/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
> +/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
> +/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
> +/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
> +/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
> +/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
> +/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
> +/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
> +
> +/var/lib/likewise-open(/.*)?
gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
> +/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
> +/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
> +/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
> +/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
> +/var/lib/likewise-open/\.ntlmd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
> +/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
> +/var/lib/likewise-open/krb5ccr_lsass -- gen_context(system_u:object_r:lsassd_var_lib_t, s0)
> +/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
> +/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
> +/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
> +/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
> +/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
> +/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
> +/var/lib/likewise-open/rpc/socket -s
gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
> +/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
> +
> +/var/run/eventlogd.pid -- gen_context(system_u:object_r:eventlogd_var_run_t,s0)
> +/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
> +/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
> +/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
> +/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
> +/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
> +
> diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
> new file mode 100644
> index 0000000..549da5d
> --- /dev/null
> +++ b/policy/modules/services/likewise.if
> @@ -0,0 +1,105 @@
> +## Likewise Active Directory support for UNIX.
> +##
> +##
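Review bot: Several path regexes in likewise.fc leave the dot unescaped, so it matches any character: `/etc/likewise-open/.pstore.lock`, `likewise-krb5-ad.conf`, `krb5-affinity.conf`, `lwi_events.db`, `rpcdep.dat` and the `/var/run/*.pid` entries, while neighbouring lines such as `sam\.db` escape it. Escaping them, for example `/etc/likewise-open/\.pstore\.lock`, keeps these labels from applying to unintended file names. `lsasd\.err` looks like a typo for `lsassd\.err` given the other lsassd entries; this should be confirmed against the file name the daemon actually writes. The `gen_context(..., s0)` entries with a space before `s0` are inconsistent with the rest of the file.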

> +## Likewise Open is a free, open source application that joins Linux, Unix,
> +## and Mac machines to Microsoft Active Directory to securely authenticate
> +## users with their domain credentials.
> +##

> +##
> +
> +#######################################
> +##
> +## The template to define a likewise domain.
> +##
> +##
> +##

> +## This template creates a domain to be used for
> +## a new likewise daemon.
> +##

> +##
> +##
> +##
> +## The type of daemon to be used.
> +##
> +##
> +#
> +template(`likewise_domain_template',`
> +
> + gen_require(`
> + attribute likewise_domains;
> + type likewise_var_lib_t;
> + ')
> +
> + ########################################
> + #
> + # Declarations
> + #
> +
> + type $1_t;
> + type $1_exec_t;
> + init_daemon_domain($1_t, $1_exec_t)
> + domain_use_interactive_fds($1_t)
> +
> + typeattribute $1_t likewise_domains;
> +
> + type $1_var_run_t;
> + files_pid_file($1_var_run_t)
> +
> + type $1_var_socket_t;
> + files_type($1_var_socket_t)
> +
> + type $1_var_lib_t;
> + files_type($1_var_lib_t)
> +
> + ####################################
> + #
> + # Local Policy
> + #
> +
> + allow $1_t self:process { signal_perms getsched setsched };
> + allow $1_t self:fifo_file rw_fifo_file_perms;
> + allow $1_t self:unix_dgram_socket create_socket_perms;
> + allow $1_t self:unix_stream_socket create_stream_socket_perms;
> + allow $1_t self:tcp_socket create_stream_socket_perms;
> + allow $1_t self:udp_socket create_socket_perms;
> +
> + allow $1_t likewise_var_lib_t:dir setattr;
> +
> + manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
> + files_pid_filetrans($1_t, $1_var_run_t, file)
> +
> + manage_files_pattern($1_t, likewise_var_lib_t, $1_var_lib_t)
> + filetrans_pattern($1_t, likewise_var_lib_t, $1_var_lib_t, file)
> +
> + manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
> + filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
> +
> + dev_read_rand($1_t)
> + dev_read_urand($1_t)
> +
> + files_read_etc_files($1_t)
> + files_search_var_lib($1_t)
> +
> + logging_send_syslog_msg($1_t)
> +
> + miscfiles_read_localization($1_t)
> +')
> +
> +########################################
> +##
> +## Connect to lsassd.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_stream_connect_lsassd',`
> + gen_require(`
> + type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
> +')
> diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
> new file mode 100644
> index 0000000..731399f
> --- /dev/null
> +++ b/policy/modules/services/likewise.te
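Review bot: `likewise_stream_connect_lsassd` calls `files_search_pids($1)`, but likewise.fc labels the lsassd socket under `/var/lib/likewise-open` and the pattern itself uses `likewise_var_lib_t` as the directory type, so the caller needs `files_search_var_lib($1)` to reach the socket. Separately, `likewise_domain_template` grants every instantiated daemon `self:tcp_socket` and `self:udp_socket` creation, while the likewise.te hunk adds no network rules for lwregd or lwsmd. Those two `allow` lines would fit least privilege better in the per-daemon sections that actually use the network.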
> @@ -0,0 +1,289 @@
> +
> +policy_module(likewise, 1.0.0)
> +
> +#################################
> +#
> +# Likewise global personal declarations.
> +#
> +
> +attribute likewise_domains;
> +
> +type likewise_etc_t;
> +files_config_file(likewise_etc_t)
> +
> +type likewise_initrc_exec_t;
> +init_script_file(likewise_initrc_exec_t)
> +
> +type likewise_var_lib_t;
> +files_type(likewise_var_lib_t)
> +
> +type likewise_pstore_lock_t;
> +files_type(likewise_pstore_lock_t)
> +
> +type likewise_krb5_ad_t;
> +files_type(likewise_krb5_ad_t)
> +
> +#############################
> +#
> +# Likewise dcerpcd personal declarations.
> +#
> +
> +likewise_domain_template(dcerpcd)
> +
> +#############################
> +#
> +# Likewise eventlogd personal declarations.
> +#
> +
> +likewise_domain_template(eventlogd)
> +
> +#############################
> +#
> +# Likewise lsassd personal declarations.
> +#
> +
> +likewise_domain_template(lsassd)
> +
> +type lsassd_tmp_t;
> +files_tmp_file(lsassd_tmp_t)
> +
> +#############################
> +#
> +# Likewise lwiod personal declarations.
> +#
> +
> +likewise_domain_template(lwiod)
> +
> +#############################
> +#
> +# Likewise lwregd personal declarations.
> +#
> +
> +likewise_domain_template(lwregd)
> +
> +#############################
> +#
> +# Likewise lwsmd personal declarations.
> +#
> +
> +likewise_domain_template(lwsmd)
> +
> +#############################
> +#
> +# Likewise netlogond personal declarations.
> +#
> +
> +likewise_domain_template(netlogond)
> +
> +#############################
> +#
> +# Likewise srvsvcd personal declarations.
> +#
> +
> +likewise_domain_template(srvsvcd)
> +
> +##################################
> +#
> +# Likewise global personal policy.
> +
> +#################################
> +#
> +# Likewise dcerpcd personal policy
> +#
> +
> +stream_connect_pattern(dcerpcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
> +
> +corenet_all_recvfrom_netlabel(dcerpcd_t)
> +corenet_all_recvfrom_unlabeled(dcerpcd_t)
> +corenet_sendrecv_generic_client_packets(dcerpcd_t)
> +corenet_sendrecv_generic_server_packets(dcerpcd_t)
> +corenet_tcp_sendrecv_generic_if(dcerpcd_t)
> +corenet_tcp_sendrecv_generic_node(dcerpcd_t)
> +corenet_tcp_sendrecv_generic_port(dcerpcd_t)
> +corenet_tcp_bind_generic_node(dcerpcd_t)
> +corenet_tcp_bind_epmap_port(dcerpcd_t)
> +corenet_tcp_connect_generic_port(dcerpcd_t)
> +corenet_udp_bind_generic_node(dcerpcd_t)
> +corenet_udp_bind_epmap_port(dcerpcd_t)
> +corenet_udp_sendrecv_generic_if(dcerpcd_t)
> +corenet_udp_sendrecv_generic_node(dcerpcd_t)
> +corenet_udp_sendrecv_generic_port(dcerpcd_t)
> +
> +#################################
> +#
> +# Likewise Auditing and Logging service policy
> +#
> +
> +stream_connect_pattern(eventlogd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
> +stream_connect_pattern(eventlogd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
> +
> +corenet_all_recvfrom_netlabel(eventlogd_t)
> +corenet_all_recvfrom_unlabeled(eventlogd_t)
> +corenet_sendrecv_generic_server_packets(eventlogd_t)
> +corenet_tcp_sendrecv_generic_if(eventlogd_t)
> +corenet_tcp_sendrecv_generic_node(eventlogd_t)
> +corenet_tcp_sendrecv_generic_port(eventlogd_t)
> +corenet_tcp_bind_generic_node(eventlogd_t)
> +corenet_udp_bind_generic_node(eventlogd_t)
> +corenet_udp_sendrecv_generic_if(eventlogd_t)
> +corenet_udp_sendrecv_generic_node(eventlogd_t)
> +corenet_udp_sendrecv_generic_port(eventlogd_t)
> +
> +#################################
> +#
> +# Likewise Authentication service local policy
> +#
> +
> +allow lsassd_t self:capability {fowner chown fsetid dac_override sys_time};
> +allow lsassd_t self:unix_stream_socket {create_stream_socket_perms connectto};
> +allow lsassd_t
self:netlink_route_socket rw_netlink_socket_perms;
> +
> +allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
> +allow lsassd_t netlogond_var_lib_t:file read_file_perms;
> +
> +manage_files_pattern(lsassd_t, likewise_etc_t, likewise_etc_t)
> +
> +manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t);
> +files_tmp_filetrans(lsassd_t, lsassd_tmp_t, file)
> +
> +stream_connect_pattern(lsassd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
> +stream_connect_pattern(lsassd_t, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
> +stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
> +stream_connect_pattern(lsassd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
> +stream_connect_pattern(lsassd_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
> +
> +corecmd_exec_bin(lsassd_t)
> +corecmd_exec_shell(lsassd_t)
> +
> +corenet_all_recvfrom_netlabel(lsassd_t)
> +corenet_all_recvfrom_unlabeled(lsassd_t)
> +corenet_tcp_sendrecv_generic_if(lsassd_t)
> +corenet_tcp_sendrecv_generic_node(lsassd_t)
> +corenet_tcp_sendrecv_generic_port(lsassd_t)
> +corenet_tcp_bind_generic_node(lsassd_t)
> +corenet_tcp_connect_epmap_port(lsassd_t)
> +corenet_tcp_sendrecv_epmap_port(lsassd_t)
> +
> +files_manage_etc_files(lsassd_t)
> +files_manage_etc_symlinks(lsassd_t)
> +files_manage_etc_runtime_files(lsassd_t)
> +
> +files_relabelto_home(lsassd_t)
> +
> +kernel_read_system_state(lsassd_t)
> +kernel_getattr_proc_files(lsassd_t)
> +kernel_list_all_proc(lsassd_t)
> +kernel_list_proc(lsassd_t)
> +
> +domain_obj_id_change_exemption(lsassd_t)
> +
> +selinux_get_fs_mount(lsassd_t)
> +selinux_validate_context(lsassd_t)
> +
> +seutil_read_config(lsassd_t)
> +seutil_read_default_contexts(lsassd_t)
> +seutil_read_file_contexts(lsassd_t)
> +seutil_run_semanage(lsassd_t, lsassd_t)
> +
> +sysnet_use_ldap(lsassd_t)
> +sysnet_read_config(lsassd_t)
> +
> +userdom_home_filetrans_user_home_dir(lsassd_t)
> +userdom_manage_home_role(system_r, lsassd_t)
> +
> +optional_policy(`
> + kerberos_rw_keytab(lsassd_t)
> + kerberos_use(lsassd_t)
> +')
> +
> +#################################
> +#
> +# Likewise I/O service local policy
> +#
> +
> +allow lwiod_t self:capability {fowner chown fsetid dac_override };
> +allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
> +
> +allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
> +allow lwiod_t netlogond_var_lib_t:file read_file_perms;
> +
> +stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
> +stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
> +
> +corenet_all_recvfrom_netlabel(lwiod_t)
> +corenet_all_recvfrom_unlabeled(lwiod_t)
> +corenet_sendrecv_smbd_server_packets(lwiod_t)
> +corenet_sendrecv_smbd_client_packets(lwiod_t)
> +corenet_tcp_sendrecv_generic_if(lwiod_t)
> +corenet_tcp_sendrecv_generic_node(lwiod_t)
> +corenet_tcp_sendrecv_generic_port(lwiod_t)
> +corenet_tcp_bind_generic_node(lwiod_t)
> +corenet_tcp_bind_smbd_port(lwiod_t)
> +corenet_tcp_connect_smbd_port(lwiod_t)
> +
> +sysnet_read_config(lwiod_t)
> +
> +optional_policy(`
> + kerberos_rw_config(lwiod_t)
> + kerberos_use(lwiod_t)
> +')
> +
> +#################################
> +#
> +# Likewise Registry server local policy
> +#
> +
> +#################################
> +#
> +# Likewise Service Manager service local policy
> +#
> +
> +allow lwsmd_t likewise_domains:process signal;
> +
> +domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t)
> +domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t)
> +domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t)
> +domtrans_pattern(lwsmd_t, lwiod_exec_t, lwiod_t)
> +domtrans_pattern(lwsmd_t, lwregd_exec_t, lwregd_t)
> +domtrans_pattern(lwsmd_t, netlogond_exec_t, netlogond_t)
> +domtrans_pattern(lwsmd_t, srvsvcd_exec_t, srvsvcd_t)
> +
> +stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
> +stream_connect_pattern(lwsmd_t, likewise_var_lib_t, lwregd_var_socket_t,
lwregd_t)
> +
> +#################################
> +#
> +# Likewise DC location service local policy
> +#
> +
> +allow netlogond_t self:capability {dac_override};
> +
> +manage_files_pattern(netlogond_t, likewise_etc_t, likewise_etc_t)
> +
> +stream_connect_pattern(netlogond_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
> +
> +sysnet_dns_name_resolve(netlogond_t)
> +sysnet_use_ldap(netlogond_t)
> +
> +#################################
> +#
> +# Likewise Srv service local policy
> +#
> +
> +allow srvsvcd_t likewise_etc_t:dir search_dir_perms;
> +
> +stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
> +stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
> +stream_connect_pattern(srvsvcd_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
> +
> +corenet_all_recvfrom_netlabel(srvsvcd_t)
> +corenet_all_recvfrom_unlabeled(srvsvcd_t)
> +corenet_sendrecv_generic_server_packets(srvsvcd_t)
> +corenet_tcp_sendrecv_generic_if(srvsvcd_t)
> +corenet_tcp_sendrecv_generic_node(srvsvcd_t)
> +corenet_tcp_sendrecv_generic_port(srvsvcd_t)
> +corenet_tcp_bind_generic_node(srvsvcd_t)
> +
> +optional_policy(`
> + kerberos_use(srvsvcd_t)
> +')
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index b193dd8..8fa6e24 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -1402,6 +1402,10 @@ interface(`auth_use_nsswitch',`
> avahi_stream_connect($1)
> ')
>
> + optional_policy(`
> + likewise_stream_connect_lsassd($1)
> + ')
> +
> optional_policy(`
> nis_use_ypbind($1)
> ')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
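Review bot: In the likewise.te hunk, `seutil_run_semanage(lsassd_t, lsassd_t)` passes a type where the interface appears to expect a role as its second argument. The nearby `userdom_manage_home_role(system_r, lsassd_t)` suggests `seutil_run_semanage(lsassd_t, system_r)` was intended. The lsassd section is also broad for a daemon that talks to the network: `corecmd_exec_shell`, `files_manage_etc_files`, `files_manage_etc_symlinks` and `dac_override` together would let a compromised lsassd rewrite generic `/etc` content. Each of these deserves a short comment naming what requires it, or narrowing to `likewise_etc_t`, which the domain already manages. The trailing `;` after `manage_files_pattern(lsassd_t, lsassd_tmp_t, lsassd_tmp_t)` is stray.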