From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Tue, 23 Aug 2011 13:29:49 +0200 Subject: [refpolicy] [PATCH 1/1] Support LDAPS for nsswitch-related network activity Message-ID: <20110823112949.GA6050@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Systems that use LDAPS (LDAP over SSL/TLS) for their sysnet_* activities currently fail since these domains do not allow proper access to the random devices (needed for SSL/TLS). This patch adds this privilege to sysnet_use_ldap. Signed-off-by: Sven Vermeulen --- policy/modules/system/sysnetwork.if | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index ff80d0a..4c87a08 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -698,6 +698,10 @@ interface(`sysnet_use_ldap',` corenet_sendrecv_ldap_client_packets($1) sysnet_read_config($1) + + # Support for LDAPS + dev_read_rand($1) + dev_read_urand($1) ') ######################################## -- 1.7.3.4
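Review bot: the two calls added at the end of `sysnet_use_ldap` (`dev_read_rand($1)` and `dev_read_urand($1)`) are unconditional, so every domain that calls this interface gains read access to both random devices, whether or not it ever speaks LDAPS. The commit message says the random devices are needed for SSL/TLS but does not say which device was actually denied. Please quote the AVC denial in the commit message, and if only the urandom device appears there, keep `dev_read_urand($1)` and drop `dev_read_rand($1)` so that the grant stays minimal. The comment `# Support for LDAPS` would also be clearer if it said why the access is needed, for example that the TLS library reads the random devices.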