
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
Date: Tue, 10 Jul 2012 17:22:31
Message-Id: 1341940847.e316570abbb74fb6aba0d62157b9842d9a910fc7.SwifT@gentoo
1 commit: e316570abbb74fb6aba0d62157b9842d9a910fc7
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Tue Jul 10 17:20:47 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Jul 10 17:20:47 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e316570a
7
8 Adding auth_nss_domain patch
9
10 ---
11 policy/modules/kernel/files.fc | 2 +
12 policy/modules/system/authlogin.if | 49 ++------------------------
13 policy/modules/system/authlogin.te | 68 ++++++++++++++++++++++++++++++++++++
14 3 files changed, 73 insertions(+), 46 deletions(-)
15
16 diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
17 index 75ceae3..90a8226 100644
18 --- a/policy/modules/kernel/files.fc
19 +++ b/policy/modules/kernel/files.fc
20 @@ -54,6 +54,8 @@ ifdef(`distro_suse',`
21 /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
22 /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
23 /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
24 +/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
25 +/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
26 /etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
27 /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
28 /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
29
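Review bot: The two new /etc/mtab file-context entries are not explained anywhere — the commit message only describes the auth_nss_domain change — so a reader of the history cannot tell why `/etc/mtab~[0-9]*` and `/etc/mtab\.tmp` are labeled etc_runtime_t. If these are the backup and temporary copies written while /etc/mtab is regenerated (which is what the names suggest but the hunk does not show), that belongs in the commit message or as a comment above the entries, e.g. `# backup/temporary copies created while /etc/mtab is rewritten`. Note also that `[0-9]*` accepts zero digits, so the first pattern also matches a bare `/etc/mtab~`; if only numbered backups are intended, `[0-9]+` is the tighter form, though both would land on the same type so this is cosmetic.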
30 diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
31 index 6ce867a..8989233 100644
32 --- a/policy/modules/system/authlogin.if
33 +++ b/policy/modules/system/authlogin.if
34 @@ -1717,54 +1717,11 @@ interface(`auth_relabel_login_records',`
35 ## <infoflow type="both" weight="10"/>
36 #
37 interface(`auth_use_nsswitch',`
38 -
39 - files_list_var_lib($1)
40 -
41 - # read /etc/nsswitch.conf
42 - files_read_etc_files($1)
43 -
44 - miscfiles_read_generic_certs($1)
45 -
46 - sysnet_dns_name_resolve($1)
47 - sysnet_use_ldap($1)
48 -
49 - optional_policy(`
50 - avahi_stream_connect($1)
51 - ')
52 -
53 - optional_policy(`
54 - ldap_stream_connect($1)
55 - ')
56 -
57 - optional_policy(`
58 - likewise_stream_connect_lsassd($1)
59 - ')
60 -
61 - optional_policy(`
62 - kerberos_use($1)
63 - ')
64 -
65 - optional_policy(`
66 - nis_use_ypbind($1)
67 - ')
68 -
69 - optional_policy(`
70 - nscd_socket_use($1)
71 - ')
72 -
73 - optional_policy(`
74 - nslcd_stream_connect($1)
75 - ')
76 -
77 - optional_policy(`
78 - sssd_stream_connect($1)
79 + gen_require(`
80 + attribute nsswitch_domain;
81 ')
82
83 - optional_policy(`
84 - samba_stream_connect_winbind($1)
85 - samba_read_var_files($1)
86 - samba_dontaudit_write_var_files($1)
87 - ')
88 + typeattribute $1 nsswitch_domain;
89 ')
90
91 ########################################
92
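Review bot: auth_use_nsswitch now expands to a `typeattribute` statement, and the policy language does not permit typeattribute inside a conditional block, so any module that calls this interface from within a `tunable_policy()` or `if` block will stop building where it built before; those call sites have to be hoisted out of the conditional, and that compatibility break deserves a mention in the commit message. The interface's documentation block sits above the hunk and is unchanged, but it no longer describes what the interface grants: direct LDAP access is now contingent on the authlogin_nsswitch_use_ldap tunable declared in authlogin.te, which I would state there, e.g. `## Direct LDAP lookups are only granted when the authlogin_nsswitch_use_ldap tunable is enabled.`. Pulling the attribute in through gen_require is correct given it is declared in authlogin.te rather than here.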
93 diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
94 index 6a96393..312da5d 100644
95 --- a/policy/modules/system/authlogin.te
96 +++ b/policy/modules/system/authlogin.te
97 @@ -5,9 +5,18 @@ policy_module(authlogin, 2.3.0)
98 # Declarations
99 #
100
101 +## <desc>
102 +## <p>
103 +## Allow users to resolve user passwd entries directly from ldap rather
104 +## than using an sssd server
105 +## </p>
106 +## </desc>
107 +gen_tunable(authlogin_nsswitch_use_ldap, false)
108 +
109 attribute can_read_shadow_passwords;
110 attribute can_write_shadow_passwords;
111 attribute can_relabelto_shadow_passwords;
112 +attribute nsswitch_domain;
113
114 type auth_cache_t;
115 logging_log_file(auth_cache_t)
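Review bot: The tunable description only contrasts "directly from ldap" with "an sssd server", but the rules this tunable gates are the generic LDAP client permissions, and the unconditional part of the new nsswitch_domain policy also covers nscd, nslcd and winbind paths, so the wording understates what flipping it means. Because the tunable defaults to false, domains that previously reached LDAP directly through auth_use_nsswitch lose that access after this commit unless the boolean is enabled; the description is the natural place to say so. Suggested wording: `## Allow domains that use nsswitch to query an LDAP server directly (nss_ldap style) instead of going through a local caching or proxy daemon such as sssd or nslcd.`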
116 @@ -395,3 +404,62 @@ optional_policy(`
117 xserver_use_xdm_fds(utempter_t)
118 xserver_rw_xdm_pipes(utempter_t)
119 ')
120 +
121 +#########################################
122 +#
123 +# nsswitch_domain local policy
124 +#
125 +
126 +files_list_var_lib(nsswitch_domain)
127 +
128 +# read /etc/nsswitch.conf
129 +files_read_etc_files(nsswitch_domain)
130 +
131 +sysnet_dns_name_resolve(nsswitch_domain)
132 +
133 +tunable_policy(`authlogin_nsswitch_use_ldap',`
134 + files_list_var_lib(nsswitch_domain)
135 +
136 + miscfiles_read_generic_certs(nsswitch_domain)
137 + sysnet_use_ldap(nsswitch_domain)
138 +')
139 +
140 +optional_policy(`
141 + tunable_policy(`authlogin_nsswitch_use_ldap',`
142 + ldap_stream_connect(nsswitch_domain)
143 + ')
144 +')
145 +
146 +optional_policy(`
147 + avahi_stream_connect(nsswitch_domain)
148 +')
149 +
150 +optional_policy(`
151 + likewise_stream_connect_lsassd(nsswitch_domain)
152 +')
153 +
154 +optional_policy(`
155 + kerberos_use(nsswitch_domain)
156 +')
157 +
158 +optional_policy(`
159 + nis_use_ypbind(nsswitch_domain)
160 +')
161 +
162 +optional_policy(`
163 + nscd_socket_use(nsswitch_domain)
164 +')
165 +
166 +optional_policy(`
167 + nslcd_stream_connect(nsswitch_domain)
168 +')
169 +
170 +optional_policy(`
171 + sssd_stream_connect(nsswitch_domain)
172 +')
173 +
174 +optional_policy(`
175 + samba_stream_connect_winbind(nsswitch_domain)
176 + samba_read_var_files(nsswitch_domain)
177 + samba_dontaudit_write_var_files(nsswitch_domain)
178 +')
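Review bot: `files_list_var_lib(nsswitch_domain)` inside the tunable_policy block duplicates the unconditional call a few lines earlier in this hunk, so it can be dropped from the tunable block with no change to the resulting policy. Everything under tunable_policy must expand to rules that are legal in a conditional block (allow, dontaudit, auditallow); sysnet_use_ldap and miscfiles_read_generic_certs look like plain access interfaces, but that should be confirmed against their definitions, since a type_transition or typeattribute in either would break the build. A short comment above the tunable block naming what it is for would help the next reader, e.g. `# Direct LDAP client access for nss_ldap setups; presumably not needed when lookups go through nslcd, sssd or winbind`.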