From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 10 Jul 2012 08:37:35 -0400
Subject: [refpolicy] [Patch 4/4] Implementation of nsswitch_domain
	attribute
In-Reply-To: <4FFC20F7.2000808@redhat.com>
References: <4FF2DB28.5030701@redhat.com> <4FFC1AE5.3000303@tresys.com>
	<4FFC1C8B.60503@redhat.com> <4FFC2007.6090602@tresys.com>
	<4FFC20F7.2000808@redhat.com>
Message-ID: <4FFC220F.3090007@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/10/12 08:32, Miroslav Grepl wrote:
> On 07/10/2012 02:28 PM, Christopher J. PeBenito wrote:
>> On 07/10/12 08:14, Miroslav Grepl wrote:
>>> On 07/10/2012 02:07 PM, Christopher J. PeBenito wrote:
>>>> On 07/03/12 07:44, Miroslav Grepl wrote:
>>>>> * Add ldap_stream_connect() interface for domains which need it
>>>> Since this is in the nsswitch patch set, I assume this access is for nsswitch.  Why not put it in authlogin and use the attribute?
>>> The problem is we have now
>>>
>>> optional_policy(`
>>>      tunable_policy(`authlogin_nsswitch_use_ldap',`
>>>          ldap_stream_connect(nsswitch_domain)
>>>      ')
>>> ')
>>>
>>> but these domains need this access without this boolean.
>> So this is not actually related to the nsswitch patches?
> previously , ldap_stream_connect() was allowed by default (where auth_use_nsswitch() was used) without the authlogin_nsswitch_use_ldap boolean. If we now add this boolean, it will not be allowed by default it will break these domains.

Ok, I get it.  These domains actually need the access unconditionally, but it was obscured by auth_use_nsswitch() always having ldap_stream_connect().  Right?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com