From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 3 Jan 2013 10:54:32 -0500 Subject: [refpolicy] [PATCH] NSCD related changes in various policy modules In-Reply-To: <1355774789-2659-1-git-send-email-dominick.grift@gmail.com> References: <1355774789-2659-1-git-send-email-dominick.grift@gmail.com> Message-ID: <50E5A9B8.9000601@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/17/12 15:06, Dominick Grift wrote: > > Use nscd_use instead of nscd_socket_use. This conditionally allows > nscd_shm_use > > Remove the nscd_socket_use from ssh_keygen since it was redundant > already allowed by auth_use_nsswitch > > Had to make some ssh_keysign_t rules unconditional else > nscd_use(ssh_keysign_t) would not build (nested booleans) but that does > not matter, the only actual domain transition to ssh_keysign_t is > conditional so the other unconditional ssh_keygen_t rules are > conditional in practice Merged. > Signed-off-by: Dominick Grift > diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te > index eeb8e69..8f55b4f 100644 > --- a/policy/modules/admin/bootloader.te > +++ b/policy/modules/admin/bootloader.te > @@ -203,7 +203,7 @@ > ') > > optional_policy(` > - nscd_socket_use(bootloader_t) > + nscd_use(bootloader_t) > ') > > optional_policy(` > diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te > index d440e3b..6b47da6 100644 > --- a/policy/modules/services/ssh.te > +++ b/policy/modules/services/ssh.te 
> @@ -200,21 +200,17 @@ > # ssh_keysign_t local policy > # > > -tunable_policy(`allow_ssh_keysign',` > - allow ssh_keysign_t self:capability { setgid setuid }; > - allow ssh_keysign_t self:unix_stream_socket create_socket_perms; > +allow ssh_keysign_t self:capability { setgid setuid }; > +allow ssh_keysign_t self:unix_stream_socket create_socket_perms; > > - allow ssh_keysign_t sshd_key_t:file { getattr read }; > +allow ssh_keysign_t sshd_key_t:file { getattr read }; > > - dev_read_urand(ssh_keysign_t) > +dev_read_urand(ssh_keysign_t) > > - files_read_etc_files(ssh_keysign_t) > -') > +files_read_etc_files(ssh_keysign_t) > > optional_policy(` > - tunable_policy(`allow_ssh_keysign',` > - nscd_socket_use(ssh_keysign_t) > - ') > + nscd_use(ssh_keysign_t) > ') > > ################################# > @@ -327,10 +323,6 @@ > logging_send_syslog_msg(ssh_keygen_t) > > userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) > - > -optional_policy(` > - nscd_socket_use(ssh_keygen_t) > -') > > optional_policy(` > seutil_sigchld_newrole(ssh_keygen_t) > diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te > index 4dfa3da..49e5f67 100644 > --- a/policy/modules/system/authlogin.te > +++ b/policy/modules/system/authlogin.te > @@ -397,7 +397,7 @@ > ') > > optional_policy(` > - nscd_socket_use(utempter_t) > + nscd_use(utempter_t) > ') > > optional_policy(` > @@ -447,7 +447,7 @@ > ') > > optional_policy(` > - nscd_socket_use(nsswitch_domain) > + nscd_use(nsswitch_domain) > ') > > optional_policy(` > diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te > index 711b998..3928e71 100644 > --- a/policy/modules/system/clock.te > +++ b/policy/modules/system/clock.te > @@ -65,7 +65,7 @@ > ') > > optional_policy(` > - nscd_socket_use(hwclock_t) > + nscd_use(hwclock_t) > ') > > optional_policy(` > diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te > index fd100fc..9db083e 100644 > --- a/policy/modules/system/getty.te 
> +++ b/policy/modules/system/getty.te > @@ -125,7 +125,7 @@ > ') > > optional_policy(` > - nscd_socket_use(getty_t) > + nscd_use(getty_t) > ') > > optional_policy(` > diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te > index b2e41cc..f0f991b 100644 > --- a/policy/modules/system/hotplug.te > +++ b/policy/modules/system/hotplug.te > @@ -168,7 +168,7 @@ > ') > > optional_policy(` > - nscd_socket_use(hotplug_t) > + nscd_use(hotplug_t) > ') > > optional_policy(` > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if > index 3f0c2d3..24e7804 100644 > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if > @@ -234,7 +234,7 @@ > ') > > optional_policy(` > - nscd_socket_use($1) > + nscd_use($1) > ') > ') > > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index d073ad6..cbe19c9 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -208,7 +208,7 @@ > ') > > optional_policy(` > - nscd_socket_use(init_t) > + nscd_use(init_t) > ') > > optional_policy(` > diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te > index df56407..3de8096 100644 > --- a/policy/modules/system/ipsec.te > +++ b/policy/modules/system/ipsec.te > @@ -326,7 +326,7 @@ > ') > > optional_policy(` > - nscd_socket_use(ipsec_mgmt_t) > + nscd_use(ipsec_mgmt_t) > ') > > ######################################## > diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te > index 9fd5be7..cf279a0 100644 > --- a/policy/modules/system/locallogin.te > +++ b/policy/modules/system/locallogin.te > @@ -181,7 +181,7 @@ > ') > > optional_policy(` > - nscd_socket_use(local_login_t) > + nscd_use(local_login_t) > ') > > optional_policy(` > @@ -262,5 +262,5 @@ > ') > > optional_policy(` > - nscd_socket_use(sulogin_t) > + nscd_use(sulogin_t) > ') 
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te > index 79d3e65..203d216 100644 > --- a/policy/modules/system/modutils.te > +++ b/policy/modules/system/modutils.te > @@ -205,7 +205,7 @@ > ') > > optional_policy(` > - nscd_socket_use(insmod_t) > + nscd_use(insmod_t) > ') > > optional_policy(` > diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if > index fcefe61..6944526 100644 > --- a/policy/modules/system/sysnetwork.if > +++ b/policy/modules/system/sysnetwork.if > @@ -699,7 +699,7 @@ > ') > > optional_policy(` > - nscd_socket_use($1) > + nscd_use($1) > ') > ') > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
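Review bot: in the ssh.te hunk at @@ -200,21 +200,17 @@ the rules lifted out of tunable_policy(`allow_ssh_keysign') now grant `allow ssh_keysign_t self:capability { setgid setuid };` and `allow ssh_keysign_t sshd_key_t:file { getattr read };` unconditionally, and the only thing keeping them inert when the boolean is off is the domain transition into ssh_keysign_t being conditional, which this hunk does not show. Please add a comment above the block stating why the rules are unconditional (nscd_use() carries its own tunable_policy, so it cannot sit inside allow_ssh_keysign) and that the gating now relies entirely on the conditional transition; otherwise a later change that adds an unconditional entrypoint to ssh_keysign_t silently widens the policy with nobody noticing.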
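Review bot: the removal of nscd_socket_use(ssh_keygen_t) in the ssh.te hunk at @@ -327,10 +323,6 @@ is justified in the commit message by auth_use_nsswitch already covering it, but no auth_use_nsswitch(ssh_keygen_t) call appears in the hunk's context lines, and ssh_keygen_t is the only domain in the patch that is dropped rather than converted to nscd_use(). Please confirm the auth_use_nsswitch() call exists elsewhere in the ssh_keygen_t policy before merging; if it does not, this hunk removes ssh_keygen_t's nscd access entirely rather than deduplicating it.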
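Review bot: nscd_use(nsswitch_domain) in the authlogin.te hunk at @@ -447,7 +447,7 @@ is the widest-reaching line in the patch, because every domain that calls auth_use_nsswitch() now picks up the conditional shm access that nscd_use() adds on top of the socket access, so the per-domain conversions elsewhere (utempter_t, hwclock_t, getty_t, hotplug_t, init_t, ipsec_mgmt_t, local_login_t, sulogin_t, insmod_t) are redundant for any of those domains that already have nsswitch_domain, which is the same redundancy argument the commit message uses to drop the ssh_keygen_t call. The commit message should name the boolean that nscd_use() checks, since that is what administrators now need to know to turn the new shm access off, and say whether the remaining per-domain nscd_use() calls are intentionally kept for domains without nsswitch_domain.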
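Review bot: the interface hunks in init.if (@@ -234,7 +234,7 @@) and sysnetwork.if (@@ -699,7 +699,7 @@) change what the enclosing interface grants to $1 (conditional shm access in addition to the socket, per the commit message) but include no change to the interfaces' XML summary/description blocks. If either interface's doc comment describes the nscd access as socket-only, update it in the same patch so the generated interface documentation matches the new behaviour; the hunks as shown only touch the body.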