From: mgrepl@redhat.com (Miroslav Grepl)
Date: Tue, 10 Jul 2012 14:38:23 +0200
Subject: [refpolicy] [Patch 4/4] Implementation of nsswitch_domain attribute
In-Reply-To: <4FFC220F.3090007@tresys.com>
References: <4FF2DB28.5030701@redhat.com> <4FFC1AE5.3000303@tresys.com> <4FFC1C8B.60503@redhat.com> <4FFC2007.6090602@tresys.com> <4FFC20F7.2000808@redhat.com> <4FFC220F.3090007@tresys.com>
Message-ID: <4FFC223F.5060109@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/10/2012 02:37 PM, Christopher J. PeBenito wrote:
> On 07/10/12 08:32, Miroslav Grepl wrote:
>> On 07/10/2012 02:28 PM, Christopher J. PeBenito wrote:
>>> On 07/10/12 08:14, Miroslav Grepl wrote:
>>>> On 07/10/2012 02:07 PM, Christopher J. PeBenito wrote:
>>>>> On 07/03/12 07:44, Miroslav Grepl wrote:
>>>>>> * Add ldap_stream_connect() interface for domains which need it
>>>>> Since this is in the nsswitch patch set, I assume this access is for nsswitch. Why not put it in authlogin and use the attribute?
>>>> The problem is we have now
>>>>
>>>> optional_policy(`
>>>> 	tunable_policy(`authlogin_nsswitch_use_ldap',`
>>>> 		ldap_stream_connect(nsswitch_domain)
>>>> 	')
>>>> ')
>>>>
>>>> but these domains need this access without this boolean.
>>> So this is not actually related to the nsswitch patches?
>> Previously, ldap_stream_connect() was allowed by default (where auth_use_nsswitch() was used) without the authlogin_nsswitch_use_ldap boolean. If we now add this boolean, it will not be allowed by default and it will break these domains.
> Ok, I get it. These domains actually need the access unconditionally, but it was obscured by auth_use_nsswitch() always having ldap_stream_connect(). Right?
Yes.
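The policy-design point of the thread, as an added example that is not part of the patch set or of refpolicy: a hypothetical domain foo_t that still needs the slapd socket when authlogin_nsswitch_use_ldap is off, so it asks for ldap_stream_connect() itself instead of relying on the boolean-gated rule it inherits through the nsswitch_domain attribute.

```m4
# Added example, not refpolicy code. foo_t and foo_exec_t are hypothetical.
policy_module(foo, 1.0.0)

type foo_t;
type foo_exec_t;
init_daemon_domain(foo_t, foo_exec_t)

# Adds foo_t to the nsswitch_domain attribute. With the nsswitch patch set
# applied, the LDAP socket access that comes with the attribute is gated:
#
#   optional_policy(`
#   	tunable_policy(`authlogin_nsswitch_use_ldap',`
#   		ldap_stream_connect(nsswitch_domain)
#   	')
#   ')
#
# so foo_t only gets it when the boolean is on.
auth_use_nsswitch(foo_t)

# foo_t needs the slapd socket regardless of how nsswitch is configured, so
# the access is granted directly, outside any tunable_policy() block. It stays
# inside optional_policy() because the ldap module may not be loaded; with the
# boolean off this is the only rule that grants the access, so the domain
# keeps working instead of breaking as described in the thread.
optional_policy(`
	ldap_stream_connect(foo_t)
')
```

On a system with the compiled policy loaded, `sesearch -A -s foo_t -t slapd_var_run_t -c sock_file` lists the unconditional rule from the second call separately from the rule marked conditional on authlogin_nsswitch_use_ldap, which is the check for whether a domain really depends on the boolean.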