From: mgrepl@redhat.com (Miroslav Grepl)
Date: Tue, 10 Jul 2012 14:32:55 +0200
Subject: [refpolicy] [Patch 4/4] Implementation of nsswitch_domain
	attribute
In-Reply-To: <4FFC2007.6090602@tresys.com>
References: <4FF2DB28.5030701@redhat.com> <4FFC1AE5.3000303@tresys.com>
	<4FFC1C8B.60503@redhat.com> <4FFC2007.6090602@tresys.com>
Message-ID: <4FFC20F7.2000808@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/10/2012 02:28 PM, Christopher J. PeBenito wrote:
> On 07/10/12 08:14, Miroslav Grepl wrote:
>> On 07/10/2012 02:07 PM, Christopher J. PeBenito wrote:
>>> On 07/03/12 07:44, Miroslav Grepl wrote:
>>>> * Add ldap_stream_connect() interface for domains which need it
>>> Since this is in the nsswitch patch set, I assume this access is for nsswitch.  Why not put it in authlogin and use the attribute?
>> The problem is we have now
>>
>> optional_policy(`
>>      tunable_policy(`authlogin_nsswitch_use_ldap',`
>>          ldap_stream_connect(nsswitch_domain)
>>      ')
>> ')
>>
>> but these domains need this access without this boolean.
> So this is not actually related to the nsswitch patches?
previously , ldap_stream_connect() was allowed by default (where 
auth_use_nsswitch() was used) without the authlogin_nsswitch_use_ldap 
boolean. If we now add this boolean, it will not be allowed by default 
it will break these domains.
>
>>> The other three patches are fine.
>>>
>>>> diff --git a/apache.te b/apache.te
>>>> index a36a01d..4b0f792 100644
>>>> --- a/apache.te
>>>> +++ b/apache.te
>>>> @@ -559,6 +559,11 @@ optional_policy(`
>>>>    ')
>>>>      optional_policy(`
>>>> +    # needed by FreeIPA
>>>> +    ldap_stream_connect(httpd_t)
>>>> +')
>>>> +
>>>> +optional_policy(`
>>>>        mailman_signal_cgi(httpd_t)
>>>>        mailman_domtrans_cgi(httpd_t)
>>>>        mailman_read_data_files(httpd_t)
>>>> diff --git a/bind.te b/bind.te
>>>> index 4deca04..0968cb4 100644
>>>> --- a/bind.te
>>>> +++ b/bind.te
>>>> @@ -171,6 +171,11 @@ optional_policy(`
>>>>    ')
>>>>      optional_policy(`
>>>> +    # needed by FreeIPA with DNS support
>>>> +    ldap_stream_connect(named_t)
>>>> +')
>>>> +
>>>> +optional_policy(`
>>>>        # this seems like fds that arent being
>>>>        # closed. these should probably be
>>>>        # dontaudits instead.
>>>> diff --git a/kerberos.te b/kerberos.te
>>>> index 8edc29b..519d5fc 100644
>>>> --- a/kerberos.te
>>>> +++ b/kerberos.te
>>>> @@ -160,6 +160,10 @@ userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
>>>>    userdom_dontaudit_search_user_home_dirs(kadmind_t)
>>>>      optional_policy(`
>>>> +    ldap_stream_connect(kadmind_t)
>>>> +')
>>>> +
>>>> +optional_policy(`
>>>>        nis_use_ypbind(kadmind_t)
>>>>    ')
>>>>    @@ -260,6 +264,10 @@ userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
>>>>    userdom_dontaudit_search_user_home_dirs(krb5kdc_t)
>>>>      optional_policy(`
>>>> +    ldap_stream_connect(krb5kdc_t)
>>>> +')
>>>> +
>>>> +optional_policy(`
>>>>        nis_use_ypbind(krb5kdc_t)
>>>>    ')
>>>>    diff --git a/ldap.if b/ldap.if
>>>> index 3aa8fa7..73fda9b 100644
>>>> --- a/ldap.if
>>>> +++ b/ldap.if
>>>> @@ -69,8 +69,7 @@ interface(`ldap_stream_connect',`
>>>>        ')
>>>>          files_search_pids($1)
>>>> -    allow $1 slapd_var_run_t:sock_file write;
>>>> -    allow $1 slapd_t:unix_stream_socket connectto;
>>>> +    stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)
>>>>    ')
>>>>      ########################################
>>>> diff --git a/nslcd.te b/nslcd.te
>>>> index 4e28d58..d9854ff 100644
>>>> --- a/nslcd.te
>>>> +++ b/nslcd.te
>>>> @@ -43,3 +43,7 @@ auth_use_nsswitch(nslcd_t)
>>>>    logging_send_syslog_msg(nslcd_t)
>>>>      miscfiles_read_localization(nslcd_t)
>>>> +
>>>> +optional_policy(`
>>>> +    ldap_stream_connect(nslcd_t)
>>>> +')
>>>> diff --git a/samba.te b/samba.te
>>>> index fc22785..ca5c978 100644
>>>> --- a/samba.te
>>>> +++ b/samba.te
>>>> @@ -219,6 +219,10 @@ userdom_use_user_terminals(samba_net_t)
>>>>    userdom_list_user_home_dirs(samba_net_t)
>>>>      optional_policy(`
>>>> +    ldap_stream_connect(samba_net_t)
>>>> +')
>>>> +
>>>> +optional_policy(`
>>>>        pcscd_read_pub_files(samba_net_t)
>>>>    ')
>>>>    @@ -421,6 +425,10 @@ optional_policy(`
>>>>    ')
>>>>      optional_policy(`
>>>> +    ldap_stream_connect(smbd_t)
>>>> +')
>>>> +
>>>> +optional_policy(`
>>>>        lpd_exec_lpr(smbd_t)
>>>>    ')
>>>>    diff --git a/sssd.te b/sssd.te
>>>> index 8ffa257..a1b61bc 100644
>>>> --- a/sssd.te
>>>> +++ b/sssd.te
>>>> @@ -88,3 +88,7 @@ optional_policy(`
>>>>    optional_policy(`
>>>>        kerberos_manage_host_rcache(sssd_t)
>>>>    ')
>>>> +
>>>> +optional_policy(`
>>>> +    ldap_stream_connect(sssd_t)
>>>> +')
>>>
>>
>