commit: e316570abbb74fb6aba0d62157b9842d9a910fc7 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Tue Jul 10 17:20:47 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Jul 10 17:20:47 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e316570a |
|
Adding auth_nss_domain patch |
|
--- |
policy/modules/kernel/files.fc | 2 + |
policy/modules/system/authlogin.if | 49 ++------------------------ |
policy/modules/system/authlogin.te | 68 ++++++++++++++++++++++++++++++++++++ |
3 files changed, 73 insertions(+), 46 deletions(-) |
|
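--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -54,6 +54,8 @@ ifdef(`distro_suse',`
 /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
 /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)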
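Review bot: The two new mtab entries are unrelated to the auth_nss_domain change the commit title describes and would be easier to track and revert as their own commit. `/etc/mtab~[0-9]*` also matches a bare `/etc/mtab~`, because `*` permits zero digits; if only numbered backup files are meant, the tighter pattern is `/etc/mtab~[0-9]+ -- gen_context(system_u:object_r:etc_runtime_t,s0)`. Both new entries label the files etc_runtime_t, consistent with the neighbouring mtab entries.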
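--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1717,54 +1717,11 @@ interface(`auth_relabel_login_records',`
 ## <infoflow type="both" weight="10"/>
 #
 interface(`auth_use_nsswitch',`
-
- files_list_var_lib($1)
-
- # read /etc/nsswitch.conf
- files_read_etc_files($1)
-
- miscfiles_read_generic_certs($1)
-
- sysnet_dns_name_resolve($1)
- sysnet_use_ldap($1)
-
- optional_policy(`
- avahi_stream_connect($1)
- ')
-
- optional_policy(`
- ldap_stream_connect($1)
- ')
-
- optional_policy(`
- likewise_stream_connect_lsassd($1)
- ')
-
- optional_policy(`
- kerberos_use($1)
- ')
-
- optional_policy(`
- nis_use_ypbind($1)
- ')
-
- optional_policy(`
- nscd_socket_use($1)
- ')
-
- optional_policy(`
- nslcd_stream_connect($1)
- ')
-
- optional_policy(`
- sssd_stream_connect($1)
+ gen_require(`
+ attribute nsswitch_domain;
 ')
 
- optional_policy(`
- samba_stream_connect_winbind($1)
- samba_read_var_files($1)
- samba_dontaudit_write_var_files($1)
- ')
+ typeattribute $1 nsswitch_domain;
 ')
 
 ########################################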
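Review bot: The interface body now only adds the caller to nsswitch_domain, so what a caller actually receives is decided by the `authlogin_nsswitch_use_ldap` tunable and the optional_policy blocks in authlogin.te, yet nothing in the interface's XML documentation says so; a reader of `auth_use_nsswitch` alone can no longer tell that certificate reading and LDAP access are off by default. The interface's `## <summary>` and `## <param>` lines lie above the hunk, so the addition belongs there, e.g. `## Part of the access granted through this interface is governed by the authlogin_nsswitch_use_ldap tunable.` The `## <infoflow type="both" weight="10"/>` line kept in the hunk is still accurate, since the attribute carries the same directional access as before.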
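--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,9 +5,18 @@ policy_module(authlogin, 2.3.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow users to resolve user passwd entries directly from ldap rather
+## than using an sssd server
+## </p>
+## </desc>
+gen_tunable(authlogin_nsswitch_use_ldap, false)
+
 attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
+attribute nsswitch_domain;
 
 type auth_cache_t;
 logging_log_file(auth_cache_t)
@@ -395,3 +404,62 @@ optional_policy(`
 xserver_use_xdm_fds(utempter_t)
 xserver_rw_xdm_pipes(utempter_t)
 ')
+
+#########################################
+#
+# nsswitch_domain local policy
+#
+
+files_list_var_lib(nsswitch_domain)
+
+# read /etc/nsswitch.conf
+files_read_etc_files(nsswitch_domain)
+
+sysnet_dns_name_resolve(nsswitch_domain)
+
+tunable_policy(`authlogin_nsswitch_use_ldap',`
+ files_list_var_lib(nsswitch_domain)
+
+ miscfiles_read_generic_certs(nsswitch_domain)
+ sysnet_use_ldap(nsswitch_domain)
+')
+
+optional_policy(`
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ ldap_stream_connect(nsswitch_domain)
+ ')
+')
+
+optional_policy(`
+ avahi_stream_connect(nsswitch_domain)
+')
+
+optional_policy(`
+ likewise_stream_connect_lsassd(nsswitch_domain)
+')
+
+optional_policy(`
+ kerberos_use(nsswitch_domain)
+')
+
+optional_policy(`
+ nis_use_ypbind(nsswitch_domain)
+')
+
+optional_policy(`
+ nscd_socket_use(nsswitch_domain)
+')
+
+optional_policy(`
+ nslcd_stream_connect(nsswitch_domain)
+')
+
+optional_policy(`
+ sssd_stream_connect(nsswitch_domain)
+')
+
+optional_policy(`
+ samba_stream_connect_winbind(nsswitch_domain)
+ samba_read_var_files(nsswitch_domain)
+ samba_dontaudit_write_var_files(nsswitch_domain)
+')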
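Review bot: `files_list_var_lib(nsswitch_domain)` is granted unconditionally near the top of the second hunk and then again inside the `authlogin_nsswitch_use_ldap` tunable block; the second call is redundant and can be dropped. Note also that `miscfiles_read_generic_certs` and `sysnet_use_ldap` were unconditional in the old interface and are now behind a tunable that defaults to false, so every existing `auth_use_nsswitch` caller loses them until the tunable is enabled — a sensible least-privilege tightening, but one the commit message should state since it will surface as new denials on LDAP-backed hosts. The tunable description in the first hunk mentions only passwd entries, while the block also gates certificate reading and the ldap stream connect; `## Allow nsswitch domains to resolve user passwd entries directly from ldap (including reading generic certificates) rather than using an sssd server` would describe what it actually controls. The `policy_module(authlogin, 2.3.0)` version visible in the first hunk header is unchanged even though an interface's semantics changed; refpolicy practice is usually to bump it, if that convention applies in this tree.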