commit: 6a618b390ef532879555dcfe450d46cb45c25bbc |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Tue Jul 10 16:58:45 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Jul 10 16:58:45 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6a618b39 |
|
Backport nss_domain attribute patch |
|
--- |
policy/modules/contrib/apache.te | 5 +++++ |
policy/modules/contrib/bind.te | 5 +++++ |
policy/modules/contrib/git.te | 6 ++++-- |
policy/modules/contrib/kerberos.te | 8 ++++++++ |
policy/modules/contrib/ldap.if | 5 ++--- |
policy/modules/contrib/nslcd.te | 4 ++++ |
policy/modules/contrib/samba.te | 8 ++++++++ |
policy/modules/contrib/sssd.te | 4 ++++ |
policy/modules/contrib/telepathy.if | 2 ++ |
policy/modules/contrib/telepathy.te | 2 -- |
policy/modules/contrib/virt.if | 2 ++ |
policy/modules/contrib/virt.te | 2 -- |
policy/modules/contrib/zarafa.te | 14 ++++++++++++-- |
13 files changed, 56 insertions(+), 11 deletions(-) |
|
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te |
27 |
index 18d4404..d2e9d62 100644 |
28 |
--- a/policy/modules/contrib/apache.te |
29 |
+++ b/policy/modules/contrib/apache.te |
30 |
@@ -561,6 +561,11 @@ optional_policy(` |
31 |
') |
32 |
|
33 |
optional_policy(` |
34 |
+ # needed by FreeIPA |
35 |
+ ldap_stream_connect(httpd_t) |
36 |
+') |
37 |
+ |
38 |
+optional_policy(` |
39 |
mailman_signal_cgi(httpd_t) |
40 |
mailman_domtrans_cgi(httpd_t) |
41 |
mailman_read_data_files(httpd_t) |
42 |
|
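Review bot: The new `ldap_stream_connect(httpd_t)` block grants every httpd_t instance a connect path to slapd's local unix socket whenever the ldap module is loaded, not only on FreeIPA hosts, and nothing in the hunk gates it behind a tunable. If the backport is meant to match upstream as-is that is acceptable, but the comment should then say what is granted rather than only who needs it, e.g. `# FreeIPA: httpd talks to the local slapd over its unix socket`. This rule only authorizes the transport; what httpd may then read or modify in the directory is decided by slapd's own access control, so it is worth confirming (outside this policy) that slapd does not extend extra trust to a peer merely because it arrived over the local socket.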
43 |
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te |
44 |
index 4deca04..0968cb4 100644 |
45 |
--- a/policy/modules/contrib/bind.te |
46 |
+++ b/policy/modules/contrib/bind.te |
47 |
@@ -171,6 +171,11 @@ optional_policy(` |
48 |
') |
49 |
|
50 |
optional_policy(` |
51 |
+ # needed by FreeIPA with DNS support |
52 |
+ ldap_stream_connect(named_t) |
53 |
+') |
54 |
+ |
55 |
+optional_policy(` |
56 |
# this seems like fds that arent being |
57 |
# closed. these should probably be |
58 |
# dontaudits instead. |
59 |
|
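Review bot: The comment `# needed by FreeIPA with DNS support` does not say what named_t does with the slapd socket, so a later reader cannot tell whether the rule can be dropped when FreeIPA is not in play; presumably named reads its zone data from the directory, but that is inferred, not visible here. I would make the comment name the data flow, e.g. `# FreeIPA DNS: named reads its zones from the local slapd over its unix socket (confirm)`. As with the other ldap_stream_connect callers in this commit the grant is unconditional whenever the ldap module is present, which widens the reach of a network-facing resolver domain; a sentence in the commit description saying this is intended would help.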
60 |
diff --git a/policy/modules/contrib/git.te b/policy/modules/contrib/git.te |
61 |
index 58c3c61..511175b 100644 |
62 |
--- a/policy/modules/contrib/git.te |
63 |
+++ b/policy/modules/contrib/git.te |
64 |
@@ -108,6 +108,8 @@ corenet_tcp_bind_git_port(git_session_t) |
65 |
corenet_tcp_sendrecv_git_port(git_session_t) |
66 |
corenet_sendrecv_git_server_packets(git_session_t) |
67 |
|
68 |
+auth_use_nsswitch(git_session_t) |
69 |
+ |
70 |
userdom_use_user_terminals(git_session_t) |
71 |
|
72 |
tunable_policy(`git_session_send_syslog_msg',` |
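Review bot: `auth_use_nsswitch` is moved off the git_daemon attribute onto the concrete types git_session_t and git_system_t, so any other type placed in git_daemon (for example by a template in git.if, which is not visible here) silently loses name-service access; please confirm git_daemon has no other members, presumably the move is needed because the backported auth_use_nsswitch now adds its argument to an attribute and attributes cannot be members of attributes. A short comment at the new call sites would stop the next git domain author from re-adding it to the attribute, e.g. `# granted per type: nsswitch access cannot be attached to the git_daemon attribute`. The git_session_t policy block this hunk sits in starts outside the hunk.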
73 |
@@ -135,6 +137,8 @@ list_dirs_pattern(git_system_t, git_sys_content_t, git_sys_content_t) |
74 |
read_files_pattern(git_system_t, git_sys_content_t, git_sys_content_t) |
75 |
files_search_var_lib(git_system_t) |
76 |
|
77 |
+auth_use_nsswitch(git_system_t) |
78 |
+ |
79 |
logging_send_syslog_msg(git_system_t) |
80 |
|
81 |
tunable_policy(`git_system_enable_homedirs',` |
82 |
@@ -221,6 +225,4 @@ files_read_usr_files(git_daemon) |
83 |
|
84 |
fs_search_auto_mountpoints(git_daemon) |
85 |
|
86 |
-auth_use_nsswitch(git_daemon) |
87 |
- |
88 |
miscfiles_read_localization(git_daemon) |
89 |
|
90 |
diff --git a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te |
91 |
index 8edc29b..6a95faf 100644 |
92 |
--- a/policy/modules/contrib/kerberos.te |
93 |
+++ b/policy/modules/contrib/kerberos.te |
94 |
@@ -160,6 +160,10 @@ userdom_dontaudit_use_unpriv_user_fds(kadmind_t) |
95 |
userdom_dontaudit_search_user_home_dirs(kadmind_t) |
96 |
|
97 |
optional_policy(` |
98 |
+ ldap_stream_connect(kadmind_t) |
99 |
+') |
100 |
+ |
101 |
+optional_policy(` |
102 |
nis_use_ypbind(kadmind_t) |
103 |
') |
104 |
|
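Review bot: Unlike the apache and bind hunks, the new `ldap_stream_connect(kadmind_t)` block (and the identical krb5kdc_t block further down) carries no comment saying why the KDC daemons need to reach slapd's local socket; an LDAP-backed KDC database is the likely reason, but that is an inference from the domain names only. A one-line comment would do, e.g. `# kadmind/krb5kdc may keep the realm database in the local directory (ldap kdb backend)`. Since that database would hold long-term principal keys, the commit should also note that this rule authorizes only the socket transport and that authentication and authorization of the peer remain slapd's job.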
105 |
@@ -260,6 +264,10 @@ userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) |
106 |
userdom_dontaudit_search_user_home_dirs(krb5kdc_t) |
107 |
|
108 |
optional_policy(` |
109 |
+ ldap_stream_connect(krb5kdc_t) |
110 |
+') |
111 |
+ |
112 |
+optional_policy(` |
113 |
nis_use_ypbind(krb5kdc_t) |
114 |
') |
115 |
|
116 |
|
117 |
diff --git a/policy/modules/contrib/ldap.if b/policy/modules/contrib/ldap.if |
118 |
index e131cfa..2532772 100644 |
119 |
--- a/policy/modules/contrib/ldap.if |
120 |
+++ b/policy/modules/contrib/ldap.if |
121 |
@@ -69,13 +69,12 @@ interface(`ldap_stream_connect',` |
122 |
') |
123 |
|
124 |
files_search_pids($1) |
125 |
- allow $1 slapd_var_run_t:sock_file write; |
126 |
- allow $1 slapd_t:unix_stream_socket connectto; |
127 |
+ stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t) |
128 |
') |
129 |
|
130 |
######################################## |
131 |
## <summary> |
132 |
-## All of the rules required to administrate |
133 |
+## All of the rules required to administrate |
134 |
## an ldap environment |
135 |
## </summary> |
136 |
## <param name="domain"> |
137 |
|
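Review bot: Replacing the two explicit allow rules with `stream_connect_pattern($1, slapd_var_run_t, slapd_var_run_t, slapd_t)` widens what callers get: in refpolicy's misc_patterns the pattern also grants search on the slapd_var_run_t directory and the full write_sock_file_perms set on the socket file, where the old rule allowed only `write` on it. That is the standard idiom and almost certainly what callers want, but since this commit adds eight new callers (httpd_t, named_t, kadmind_t, krb5kdc_t, samba_net_t, smbd_t, nslcd_t, sssd_t) the interface summary, which sits above the hunk and is not visible, should state that it authorizes the local-socket transport only and that slapd's own access control governs what the client may read or modify. The gen_require block also starts outside the hunk; the pattern still needs both slapd_t and slapd_var_run_t, so it should be unchanged. The whitespace-only fix to the admin interface summary is fine.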
138 |
diff --git a/policy/modules/contrib/nslcd.te b/policy/modules/contrib/nslcd.te |
139 |
index 4e28d58..d4ee3f7 100644 |
140 |
--- a/policy/modules/contrib/nslcd.te |
141 |
+++ b/policy/modules/contrib/nslcd.te |
142 |
@@ -43,3 +43,7 @@ auth_use_nsswitch(nslcd_t) |
143 |
logging_send_syslog_msg(nslcd_t) |
144 |
|
145 |
miscfiles_read_localization(nslcd_t) |
146 |
+ |
147 |
+optional_policy(` |
148 |
+ ldap_stream_connect(nslcd_t) |
149 |
+') |
150 |
|
151 |
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te |
152 |
index 1ef8d5d..05e2463 100644 |
153 |
--- a/policy/modules/contrib/samba.te |
154 |
+++ b/policy/modules/contrib/samba.te |
155 |
@@ -219,6 +219,10 @@ userdom_use_user_terminals(samba_net_t) |
156 |
userdom_list_user_home_dirs(samba_net_t) |
157 |
|
158 |
optional_policy(` |
159 |
+ ldap_stream_connect(samba_net_t) |
160 |
+') |
161 |
+ |
162 |
+optional_policy(` |
163 |
pcscd_read_pub_files(samba_net_t) |
164 |
') |
165 |
|
166 |
@@ -421,6 +425,10 @@ optional_policy(` |
167 |
') |
168 |
|
169 |
optional_policy(` |
170 |
+ ldap_stream_connect(smbd_t) |
171 |
+') |
172 |
+ |
173 |
+optional_policy(` |
174 |
lpd_exec_lpr(smbd_t) |
175 |
') |
176 |
|
177 |
|
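Review bot: smbd_t gains a connect path to slapd's local socket while the winbind domain, not touched by this commit, gets none; if the intent is a passdb backend that smbd itself queries this is the right domain, but if the directory lookups are actually performed by winbindd the rule sits on the wrong type, and the hunk alone cannot tell which samba process opens the socket. Please confirm, and record the answer in a comment on the block as the apache and bind hunks do, e.g. `# ldap passdb backend over the local slapd socket (confirm)`. The same question applies to the samba_net_t block earlier in this file.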
178 |
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te |
179 |
index 8ffa257..a1b61bc 100644 |
180 |
--- a/policy/modules/contrib/sssd.te |
181 |
+++ b/policy/modules/contrib/sssd.te |
182 |
@@ -88,3 +88,7 @@ optional_policy(` |
183 |
optional_policy(` |
184 |
kerberos_manage_host_rcache(sssd_t) |
185 |
') |
186 |
+ |
187 |
+optional_policy(` |
188 |
+ ldap_stream_connect(sssd_t) |
189 |
+') |
190 |
|
191 |
diff --git a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if |
192 |
index 6bf75ef..594be0f 100644 |
193 |
--- a/policy/modules/contrib/telepathy.if |
194 |
+++ b/policy/modules/contrib/telepathy.if |
195 |
@@ -24,6 +24,8 @@ template(`telepathy_domain_template',` |
196 |
|
197 |
type telepathy_$1_tmp_t; |
198 |
userdom_user_tmp_file(telepathy_$1_tmp_t) |
199 |
+ |
200 |
+ auth_use_nsswitch(telepathy_$1_t) |
201 |
') |
202 |
|
203 |
####################################### |
204 |
|
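Review bot: `auth_use_nsswitch(telepathy_$1_t)` is the only access rule in a template body that otherwise holds only declarations (`type telepathy_$1_tmp_t;` and its userdom_user_tmp_file registration directly above), so the template now mixes declarations and policy without the section comment refpolicy normally puts between them. A short comment before the call keeps the structure readable and explains the placement: `# policy: name-service access is granted per type, the telepathy_domain attribute no longer carries it`. The template header is outside the hunk.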
205 |
diff --git a/policy/modules/contrib/telepathy.te b/policy/modules/contrib/telepathy.te |
206 |
index ad6a38d..59809b7 100644 |
207 |
--- a/policy/modules/contrib/telepathy.te |
208 |
+++ b/policy/modules/contrib/telepathy.te |
209 |
@@ -367,8 +367,6 @@ kernel_read_system_state(telepathy_domain) |
210 |
|
211 |
fs_search_auto_mountpoints(telepathy_domain) |
212 |
|
213 |
-auth_use_nsswitch(telepathy_domain) |
214 |
- |
215 |
miscfiles_read_localization(telepathy_domain) |
216 |
|
217 |
optional_policy(` |
218 |
|
219 |
diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if |
220 |
index 7c5d8d8..6f0736b 100644 |
221 |
--- a/policy/modules/contrib/virt.if |
222 |
+++ b/policy/modules/contrib/virt.if |
223 |
@@ -69,6 +69,8 @@ template(`virt_domain_template',` |
224 |
files_pid_filetrans($1_t, $1_var_run_t, { dir file }) |
225 |
stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t) |
226 |
|
227 |
+ auth_use_nsswitch($1_t) |
228 |
+ |
229 |
optional_policy(` |
230 |
xserver_rw_shm($1_t) |
231 |
') |
232 |
|
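Review bot: With `auth_use_nsswitch($1_t)` inside virt_domain_template, name-service access now reaches only domains created through this template; together with the removal of `auth_use_nsswitch(virt_domain)` in virt.te, any virt_domain member declared outside the template would lose it, and the membership of virt_domain is not visible from this hunk, so please confirm every member goes through the template. A comment at the call would stop someone moving it back onto the attribute later: `# must stay per type: nsswitch access presumably cannot be granted to the virt_domain attribute`. The template body starts before the hunk.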
233 |
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te |
234 |
index fadbd88..9101767 100644 |
235 |
--- a/policy/modules/contrib/virt.te |
236 |
+++ b/policy/modules/contrib/virt.te |
237 |
@@ -455,8 +455,6 @@ term_getattr_pty_fs(virt_domain) |
238 |
term_use_generic_ptys(virt_domain) |
239 |
term_use_ptmx(virt_domain) |
240 |
|
241 |
-auth_use_nsswitch(virt_domain) |
242 |
- |
243 |
logging_send_syslog_msg(virt_domain) |
244 |
|
245 |
miscfiles_read_localization(virt_domain) |
246 |
|
247 |
diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te |
248 |
index 9fb4747..1a7d9bf 100644 |
249 |
--- a/policy/modules/contrib/zarafa.te |
250 |
+++ b/policy/modules/contrib/zarafa.te |
251 |
@@ -41,6 +41,8 @@ manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t |
252 |
manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) |
253 |
files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) |
254 |
|
255 |
+auth_use_nsswitch(zarafa_deliver_t) |
256 |
+ |
257 |
######################################## |
258 |
# |
259 |
# zarafa_gateway local policy |
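Review bot: The six per-type `auth_use_nsswitch(zarafa_*_t)` calls replace the single `auth_use_nsswitch(zarafa_domain)` removed at the end of the file, so the covered set is now hand-maintained: zarafa_deliver_t, zarafa_gateway_t, zarafa_ical_t, zarafa_monitor_t, zarafa_server_t and zarafa_spooler_t get it, and any further zarafa_domain member (none visible here) would silently lose name-service lookups. A comment on this first call would flag the maintenance burden, e.g. `# granted per type, not on zarafa_domain: every new zarafa domain needs its own auth_use_nsswitch`. The zarafa_deliver_t policy block this hunk belongs to starts outside the hunk.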
260 |
@@ -57,6 +59,8 @@ corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) |
261 |
corenet_tcp_bind_generic_node(zarafa_gateway_t) |
262 |
corenet_tcp_bind_pop_port(zarafa_gateway_t) |
263 |
|
264 |
+auth_use_nsswitch(zarafa_gateway_t) |
265 |
+ |
266 |
####################################### |
267 |
# |
268 |
# zarafa-ical local policy |
269 |
@@ -72,6 +76,8 @@ corenet_tcp_sendrecv_all_ports(zarafa_ical_t) |
270 |
corenet_tcp_bind_generic_node(zarafa_ical_t) |
271 |
corenet_tcp_bind_http_cache_port(zarafa_ical_t) |
272 |
|
273 |
+auth_use_nsswitch(zarafa_ical_t) |
274 |
+ |
275 |
###################################### |
276 |
# |
277 |
# zarafa-monitor local policy |
278 |
@@ -79,6 +85,8 @@ corenet_tcp_bind_http_cache_port(zarafa_ical_t) |
279 |
|
280 |
allow zarafa_monitor_t self:capability chown; |
281 |
|
282 |
+auth_use_nsswitch(zarafa_monitor_t) |
283 |
+ |
284 |
######################################## |
285 |
# |
286 |
# zarafa_server local policy |
287 |
@@ -107,6 +115,8 @@ corenet_tcp_bind_zarafa_port(zarafa_server_t) |
288 |
|
289 |
files_read_usr_files(zarafa_server_t) |
290 |
|
291 |
+auth_use_nsswitch(zarafa_server_t) |
292 |
+ |
293 |
logging_send_syslog_msg(zarafa_server_t) |
294 |
logging_send_audit_msgs(zarafa_server_t) |
295 |
|
296 |
@@ -136,6 +146,8 @@ corenet_tcp_sendrecv_generic_node(zarafa_spooler_t) |
297 |
corenet_tcp_sendrecv_all_ports(zarafa_spooler_t) |
298 |
corenet_tcp_connect_smtp_port(zarafa_spooler_t) |
299 |
|
300 |
+auth_use_nsswitch(zarafa_spooler_t) |
301 |
+ |
302 |
######################################## |
303 |
# |
304 |
# zarafa domains local policy |
305 |
@@ -156,6 +168,4 @@ kernel_read_system_state(zarafa_domain) |
306 |
|
307 |
files_read_etc_files(zarafa_domain) |
308 |
|
309 |
-auth_use_nsswitch(zarafa_domain) |
310 |
- |
311 |
miscfiles_read_localization(zarafa_domain) |