From 3ef029db7c23b10f917f7f5c3884a7fae596a2ec Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Aug 22 2006 19:37:56 +0000 Subject: add nscd_socket_use() to auth_use_nsswitch() since it caches nss lookups. --- diff --git a/Changelog b/Changelog index 4418061..2438d0b 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Add nscd_socket_use() to auth_use_nsswitch(). - Remove old selopt rules. - Full support for netfilter_contexts. - MRTG patch for daemon operation from Stefan. diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 5fb85ce..6c493c7 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -119,10 +119,6 @@ template(`su_restricted_domain_template', ` kerberos_use($1_su_t) ') - optional_policy(` - nscd_socket_use($1_su_t) - ') - ifdef(`TODO',` # Caused by su - init scripts dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl }; @@ -302,10 +298,6 @@ template(`su_per_userdomain_template',` kerberos_use($1_su_t) ') - optional_policy(` - nscd_socket_use($1_su_t) - ') - # Modify .Xauthority file (via xauth program). optional_policy(` # file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 0cc9adc..ee65a1e 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -256,12 +256,7 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(groupadd_t) -') - -optional_policy(` nscd_exec(groupadd_t) - nscd_socket_use(groupadd_t) ') optional_policy(` @@ -531,12 +526,7 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(useradd_t) -') - -optional_policy(` nscd_exec(useradd_t) - nscd_socket_use(useradd_t) ') optional_policy(` diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 6e7669f..2b6db56 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -268,7 +268,6 @@ miscfiles_read_certs(httpd_t) seutil_dontaudit_search_config(httpd_t) -sysnet_use_ldap(httpd_t) sysnet_read_config(httpd_t) userdom_use_unpriv_users_fds(httpd_t) @@ -412,10 +411,6 @@ optional_policy(` ') optional_policy(` - nscd_socket_use(httpd_t) -') - -optional_policy(` openca_domtrans(httpd_t) openca_signal(httpd_t) openca_sigstop(httpd_t) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 1be84ef..a20b9f2 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -38,7 +38,6 @@ allow system_dbusd_t self:dbus { send_msg acquire_svc }; allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; allow system_dbusd_t self:unix_dgram_socket create_socket_perms; allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms; # Receive notifications of policy reloads and enforcing status changes. allow system_dbusd_t self:netlink_selinux_socket { create bind read }; @@ -103,7 +102,6 @@ libs_use_shared_libs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) miscfiles_read_localization(system_dbusd_t) -miscfiles_read_certs(system_dbusd_t) seutil_read_config(system_dbusd_t) seutil_read_default_contexts(system_dbusd_t) @@ -131,10 +129,6 @@ optional_policy(` ') optional_policy(` - nscd_socket_use(system_dbusd_t) -') - -optional_policy(` sysnet_domtrans_dhcpc(system_dbusd_t) ') diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index 642e3ce..dca87b9 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -193,8 +193,6 @@ miscfiles_read_localization(dovecot_auth_t) seutil_dontaudit_search_config(dovecot_auth_t) -sysnet_dns_name_resolve(dovecot_auth_t) - optional_policy(` kerberos_use(dovecot_auth_t) ') @@ -202,11 +200,3 @@ optional_policy(` optional_policy(` logging_send_syslog_msg(dovecot_auth_t) ') - -optional_policy(` - nis_use_ypbind(dovecot_auth_t) -') - -optional_policy(` - nscd_socket_use(dovecot_auth_t) -') diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te index ce3c62a..4c862e6 100644 --- a/policy/modules/services/ftp.te +++ b/policy/modules/services/ftp.te @@ -244,10 +244,6 @@ optional_policy(` ') optional_policy(` - nscd_socket_use(ftpd_t) -') - -optional_policy(` seutil_sigchld_newrole(ftpd_t) ') diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te index 8c7a872..9bccaa9 100644 --- a/policy/modules/services/hal.te +++ b/policy/modules/services/hal.te @@ -210,14 +210,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(hald_t) -') - -optional_policy(` - nscd_socket_use(hald_t) -') - -optional_policy(` ntp_domtrans(hald_t) ') diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te index 052381d..252f035 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -124,14 +124,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(mysqld_t) -') - -optional_policy(` - nscd_socket_use(mysqld_t) -') - -optional_policy(` seutil_sigchld_newrole(mysqld_t) ') diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index f684714..d68749a 100644 --- a/policy/modules/services/ntp.te +++ b/policy/modules/services/ntp.te @@ -139,18 +139,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(ntpd_t) -') - -optional_policy(` - nscd_socket_use(ntpd_t) -') - -optional_policy(` - samba_stream_connect_winbind(ntpd_t) -') - -optional_policy(` seutil_sigchld_newrole(ntpd_t) ') diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te index 7769803..d8596ea 100644 --- a/policy/modules/services/pegasus.te +++ b/policy/modules/services/pegasus.te @@ -138,10 +138,6 @@ optional_policy(` ') optional_policy(` - nscd_socket_use(pegasus_t) -') - -optional_policy(` rpm_exec(pegasus_t) ') diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te index 812f9cd..bf1e99c 100644 --- a/policy/modules/services/procmail.te +++ b/policy/modules/services/procmail.te @@ -87,10 +87,6 @@ optional_policy(` ') optional_policy(` - nscd_socket_use(procmail_t) -') - -optional_policy(` # for a bug in the postfix local program postfix_dontaudit_rw_local_tcp_sockets(procmail_t) postfix_dontaudit_use_fds(procmail_t) diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te index 547a1c7..f433f2c 100644 --- a/policy/modules/services/pyzor.te +++ b/policy/modules/services/pyzor.te @@ -126,7 +126,3 @@ ifdef(`targeted_policy',` optional_policy(` logging_send_syslog_msg(pyzord_t) ') - -optional_policy(` - nscd_socket_use(pyzord_t) -') diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index 37ae73e..0a4cca7 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -322,14 +322,6 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(smbd_t) -') - -optional_policy(` - nscd_socket_use(smbd_t) -') - -optional_policy(` rpc_search_nfs_state_data(smbd_t) ') diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te index 2a4da55..a7b4e7e 100644 --- a/policy/modules/services/xfs.te +++ b/policy/modules/services/xfs.te @@ -90,10 +90,6 @@ ifdef(`targeted_policy',` ') optional_policy(` - nis_use_ypbind(xfs_t) -') - -optional_policy(` seutil_sigchld_newrole(xfs_t) ') diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 29e1a77..51428d5 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -40,40 +40,26 @@ template(`authlogin_common_auth_domain_template',` dev_read_rand($1_chkpwd_t) dev_read_urand($1_chkpwd_t) + files_read_etc_files($1_chkpwd_t) + # for nscd + files_dontaudit_search_var($1_chkpwd_t) + fs_dontaudit_getattr_xattr_fs($1_chkpwd_t) + auth_use_nsswitch($1_chkpwd_t) + libs_use_ld_so($1_chkpwd_t) libs_use_shared_libs($1_chkpwd_t) - files_read_etc_files($1_chkpwd_t) - # for nscd - files_dontaudit_search_var($1_chkpwd_t) - logging_send_syslog_msg($1_chkpwd_t) - miscfiles_read_certs($1_chkpwd_t) miscfiles_read_localization($1_chkpwd_t) seutil_read_config($1_chkpwd_t) - sysnet_dns_name_resolve($1_chkpwd_t) - sysnet_use_ldap($1_chkpwd_t) - optional_policy(` kerberos_use($1_chkpwd_t) ') - - optional_policy(` - nis_use_ypbind($1_chkpwd_t) - ') - - optional_policy(` - nscd_socket_use($1_chkpwd_t) - ') - - optional_policy(` - samba_stream_connect_winbind($1_chkpwd_t) - ') ') ####################################### @@ -121,6 +107,7 @@ template(`authlogin_per_userdomain_template',` role $3 types $1_chkpwd_t; role $3 types system_chkpwd_t; + # cjp: is this really needed? allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; dontaudit $2 shadow_t:file { getattr read }; @@ -1341,6 +1328,10 @@ interface(`auth_use_nsswitch',` ') optional_policy(` + nscd_socket_use($1) + ') + + optional_policy(` samba_stream_connect_winbind($1) ') ') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 5b93838..56a7b51 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -1,5 +1,5 @@ -policy_module(authlogin,1.3.10) +policy_module(authlogin,1.3.11) ######################################## # @@ -214,7 +214,6 @@ libs_use_shared_libs(pam_console_t) logging_send_syslog_msg(pam_console_t) miscfiles_read_localization(pam_console_t) -miscfiles_read_certs(pam_console_t) seutil_read_file_contexts(pam_console_t) @@ -237,10 +236,6 @@ optional_policy(` ') optional_policy(` - nscd_socket_use(pam_console_t) -') - -optional_policy(` seutil_sigchld_newrole(pam_console_t) ') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 19bc01f..ec991b1 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -550,7 +550,6 @@ allow semanage_t self:capability { dac_override audit_write }; allow semanage_t self:unix_stream_socket create_stream_socket_perms; allow semanage_t self:unix_dgram_socket create_socket_perms; allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; -allow semanage_t self:netlink_route_socket r_netlink_socket_perms; allow semanage_t policy_config_t:file { read write }; @@ -614,10 +613,6 @@ ifdef(`targeted_policy',` userdom_read_generic_user_home_content_files(semanage_t) ') -optional_policy(` - nscd_socket_use(semanage_t) -') - ######################################## # # Setfiles local policy diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 785bc3c..1006bf0 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -99,6 +99,8 @@ selinux_compute_create_context(udev_t) selinux_compute_relabel_context(udev_t) selinux_compute_user_contexts(udev_t) +auth_read_pam_console_data(udev_t) +auth_domtrans_pam_console(udev_t) auth_use_nsswitch(udev_t) corecmd_exec_all_executables(udev_t) @@ -138,6 +140,7 @@ seutil_read_file_contexts(udev_t) seutil_domtrans_restorecon(udev_t) sysnet_domtrans_ifconfig(udev_t) +sysnet_domtrans_dhcpc(udev_t) userdom_use_sysadm_ttys(udev_t) userdom_dontaudit_search_all_users_home_content(udev_t) @@ -164,11 +167,6 @@ ifdef(`targeted_policy',` ') optional_policy(` - auth_read_pam_console_data(udev_t) - auth_domtrans_pam_console(udev_t) -') - -optional_policy(` consoletype_exec(udev_t) ') @@ -185,17 +183,5 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(udev_t) -') - -optional_policy(` - nscd_socket_use(udev_t) -') - -optional_policy(` - sysnet_domtrans_dhcpc(udev_t) -') - -optional_policy(` xserver_read_xdm_pid(udev_t) ')