From: dominick.grift@gmail.com (Dominick Grift)
Date: Mon, 17 Dec 2012 21:06:29 +0100
Subject: [refpolicy] [PATCH] NSCD related changes in various policy modules
Message-ID: <1355774789-2659-1-git-send-email-dominick.grift@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Use nscd_use instead of nscd_socket_use. This conditionally allows nscd_shm_use
Remove the nscd_socket_use from ssh_keygen since it was redundant already allowed by auth_use_nsswitch
Had to make some ssh_keysign_t rules unconditional else nscd_use(ssh_keysign_t) would not build (nested booleans) but that does not matter, the only actual domain transition to ssh_keysign_t is conditional so the other unconditional ssh_keygen_t rules are conditional in practice
Signed-off-by: Dominick Grift
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index eeb8e69..8f55b4f 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -203,7 +203,7 @@
 ')
 optional_policy(`
- nscd_socket_use(bootloader_t)
+ nscd_use(bootloader_t)
 ')
 optional_policy(`
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index d440e3b..6b47da6 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -200,21 +200,17 @@
 # ssh_keysign_t local policy
 #
-tunable_policy(`allow_ssh_keysign',`
- allow ssh_keysign_t self:capability { setgid setuid };
- allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+allow ssh_keysign_t self:capability { setgid setuid };
+allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
- allow ssh_keysign_t sshd_key_t:file { getattr read };
+allow ssh_keysign_t sshd_key_t:file { getattr read };
- dev_read_urand(ssh_keysign_t)
+dev_read_urand(ssh_keysign_t)
- files_read_etc_files(ssh_keysign_t)
-')
+files_read_etc_files(ssh_keysign_t)
 optional_policy(`
- tunable_policy(`allow_ssh_keysign',`
- nscd_socket_use(ssh_keysign_t)
- ')
+ nscd_use(ssh_keysign_t)
 ')
 #################################
@@ -327,10 +323,6 @@
 logging_send_syslog_msg(ssh_keygen_t)
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
-
-optional_policy(`
- nscd_socket_use(ssh_keygen_t)
-')
 optional_policy(`
 seutil_sigchld_newrole(ssh_keygen_t)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 4dfa3da..49e5f67 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -397,7 +397,7 @@
 ')
 optional_policy(`
- nscd_socket_use(utempter_t)
+ nscd_use(utempter_t)
 ')
 optional_policy(`
@@ -447,7 +447,7 @@
 ')
 optional_policy(`
- nscd_socket_use(nsswitch_domain)
+ nscd_use(nsswitch_domain)
 ')
 optional_policy(`
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index 711b998..3928e71 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -65,7 +65,7 @@
 ')
 optional_policy(`
- nscd_socket_use(hwclock_t)
+ nscd_use(hwclock_t)
 ')
 optional_policy(`
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index fd100fc..9db083e 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -125,7 +125,7 @@
 ')
 optional_policy(`
- nscd_socket_use(getty_t)
+ nscd_use(getty_t)
 ')
 optional_policy(`
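Review bot: The `allow ssh_keysign_t self:capability { setgid setuid };` rule and the four rules below it are now granted unconditionally, and nothing in the hunk records why they left the `allow_ssh_keysign` tunable, so a later reader sees a setuid/setgid capability grant with no gate. A one-line comment above the first allow would keep the reasoning from the commit message next to the code, e.g. `# Unconditional: the only domain transition into ssh_keysign_t is under allow_ssh_keysign, and nscd_use() cannot be nested inside tunable_policy.` The claim that the transition is the sole entry into ssh_keysign_t rests on rules outside this hunk, so that transition rule is worth re-checking when this lands. The commit message's last clause says "ssh_keygen_t rules" where ssh_keysign_t appears to be meant.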
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index b2e41cc..f0f991b 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -168,7 +168,7 @@
 ')
 optional_policy(`
- nscd_socket_use(hotplug_t)
+ nscd_use(hotplug_t)
 ')
 optional_policy(`
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3f0c2d3..24e7804 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -234,7 +234,7 @@
 ')
 optional_policy(`
- nscd_socket_use($1)
+ nscd_use($1)
 ')
 ')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d073ad6..cbe19c9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -208,7 +208,7 @@
 ')
 optional_policy(`
- nscd_socket_use(init_t)
+ nscd_use(init_t)
 ')
 optional_policy(`
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index df56407..3de8096 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -326,7 +326,7 @@
 ')
 optional_policy(`
- nscd_socket_use(ipsec_mgmt_t)
+ nscd_use(ipsec_mgmt_t)
 ')
 ########################################
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 9fd5be7..cf279a0 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -181,7 +181,7 @@
 ')
 optional_policy(`
- nscd_socket_use(local_login_t)
+ nscd_use(local_login_t)
 ')
 optional_policy(`
@@ -262,5 +262,5 @@
 ')
 optional_policy(`
- nscd_socket_use(sulogin_t)
+ nscd_use(sulogin_t)
 ')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 79d3e65..203d216 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -205,7 +205,7 @@
 ')
 optional_policy(`
- nscd_socket_use(insmod_t)
+ nscd_use(insmod_t)
 ')
 optional_policy(`
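Review bot: In the init.if hunk, `nscd_use($1)` now grants the calling domain whatever `nscd_use` expands to, which the commit message says includes a conditional `nscd_shm_use`, but the interface's `<desc>` block lies outside this hunk and may still describe only nscd socket access; the enclosing interface starts before the hunk. Because this is an interface consumed by other modules, its summary should state that nscd shared-memory access is now granted under the nscd tunable, and the same applies to the sysnetwork.if hunk at line 699. Whether the calling domains already receive this through `auth_use_nsswitch` cannot be told from this patch, so the overlap is worth checking before merging.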
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index fcefe61..6944526 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -699,7 +699,7 @@
 ')
 optional_policy(`
- nscd_socket_use($1)
+ nscd_use($1)
 ')
 ')