From 81bca10b2888e28292a1ba2b18d5c10b5dbf9e3d Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Sep 08 2009 14:31:19 +0000
Subject: nslcd policy from dan.
---
diff --git a/Changelog b/Changelog
index d092330..9432eb1 100644
--- a/Changelog
+++ b/Changelog
@@ -12,6 +12,7 @@
 gitosis (Miroslav Grepl)
 hddtemp (Dan Walsh)
 kdump (Dan Walsh)
+ nslcd (Dan Walsh)
 shorewall (Dan Walsh)
 * Thu Jul 30 2009 Chris PeBenito - 2.20090730
diff --git a/policy/modules/services/nslcd.fc b/policy/modules/services/nslcd.fc
new file mode 100644
index 0000000..ce913b2
--- /dev/null
+++ b/policy/modules/services/nslcd.fc
@@ -0,0 +1,4 @@
+/etc/nss-ldapd.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)
+/etc/rc\.d/init\.d/nslcd -- gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/usr/sbin/nslcd -- gen_context(system_u:object_r:nslcd_exec_t,s0)
+/var/run/nslcd(/.*)? gen_context(system_u:object_r:nslcd_var_run_t,s0)
diff --git a/policy/modules/services/nslcd.if b/policy/modules/services/nslcd.if
new file mode 100644
index 0000000..8508977
--- /dev/null
+++ b/policy/modules/services/nslcd.if
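Review bot: The first entry of nslcd.fc leaves the dot in `/etc/nss-ldapd.conf` unescaped, while the second entry in the same hunk escapes its dots (`/etc/rc\.d/init\.d/nslcd`). File-context paths are regular expressions, so a bare `.` matches any single character and a file of the shape `/etc/nss-ldapdXconf` would also be labeled nslcd_conf_t; since nslcd.te hands nslcd_t read access to that type, the pattern should be exact. Change the line to `/etc/nss-ldapd\.conf -- gen_context(system_u:object_r:nslcd_conf_t,s0)`.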
@@ -0,0 +1,109 @@
+## nslcd - local LDAP name service daemon.
+
+########################################
+##
+## Execute a domain transition to run nslcd.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`nslcd_domtrans',`
+ gen_require(`
+ type nslcd_t, nslcd_exec_t;
+ ')
+
+ domtrans_pattern($1, nslcd_exec_t, nslcd_t)
+')
+
+########################################
+##
+## Execute nslcd server in the nslcd domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`nslcd_initrc_domtrans',`
+ gen_require(`
+ type nslcd_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, nslcd_initrc_exec_t)
+')
+
+########################################
+##
+## Read nslcd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`nslcd_read_pid_files',`
+ gen_require(`
+ type nslcd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 nslcd_var_run_t:file read_file_perms;
+')
+
+########################################
+##
+## Connect to nslcd over an unix stream socket.
+##
+##
+##
+## Domain allowed to connect.
+##
+##
+#
+interface(`nslcd_stream_connect',`
+ gen_require(`
+ type nslcd_t, nslcd_var_run_t;
+ ')
+
+ stream_connect_pattern($1, nslcd_var_run_t, nslcd_var_run_t, nslcd_t)
+ files_search_pids($1)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an nslcd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`nslcd_admin',`
+ gen_require(`
+ type nslcd_t, nslcd_initrc_exec_t;
+ ')
+
+ ps_process_pattern($1, nslcd_t)
+ allow $1 nslcd_t:process { ptrace signal_perms };
+
+ # Allow nslcd_t to restart the apache service
+ nslcd_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 nslcd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ allow $1 nslcd_conf_t:file read_file_perms;
+')
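Review bot: `nslcd_admin` uses `nslcd_conf_t` in its final rule, `allow $1 nslcd_conf_t:file read_file_perms;`, but its `gen_require` block lists only `type nslcd_t, nslcd_initrc_exec_t;`, so a module that calls this interface has the type out of scope and the build fails (or, at best, the rule is not what the caller gets). Extend it to `type nslcd_t, nslcd_initrc_exec_t, nslcd_conf_t;`. The comment `# Allow nslcd_t to restart the apache service` in the same interface is a copy-paste leftover: the rules below it let `$1` run the nslcd init script, so it should read `# Allow $1 to restart the nslcd service`. The `##` doc blocks as shown here contain only empty lines where the summary/param markup presumably sat, so I have reviewed their wording only.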
diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te
new file mode 100644
index 0000000..e93e1df
--- /dev/null
+++ b/policy/modules/services/nslcd.te
@@ -0,0 +1,44 @@
+
+policy_module(nslcd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type nslcd_t;
+type nslcd_exec_t;
+init_daemon_domain(nslcd_t, nslcd_exec_t)
+
+type nslcd_initrc_exec_t;
+init_script_file(nslcd_initrc_exec_t)
+
+type nslcd_var_run_t;
+files_pid_file(nslcd_var_run_t)
+
+type nslcd_conf_t;
+files_type(nslcd_conf_t)
+
+########################################
+#
+# nslcd local policy
+#
+
+allow nslcd_t self:capability { setgid setuid dac_override };
+allow nslcd_t self:process signal;
+allow nslcd_t self:unix_stream_socket create_stream_socket_perms;
+
+allow nslcd_t nslcd_conf_t:file read_file_perms;
+
+manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
+files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+
+files_read_etc_files(nslcd_t)
+
+auth_use_nsswitch(nslcd_t)
+
+logging_send_syslog_msg(nslcd_t)
+
+miscfiles_read_localization(nslcd_t)
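Review bot: `allow nslcd_t self:capability { setgid setuid dac_override };` grants dac_override without a comment; that capability lets the domain bypass mode bits on every file its type-based rules already reach, so it deserves an in-place justification such as `# dac_override: <why nslcd needs it> -- TODO confirm with an audit that the permission is actually hit`, or removal if no denial shows up without it. I also see no rule in this hunk that lets nslcd_t reach its LDAP server over the network (no tcp_socket permission, no corenet or sysnet call), so unless `auth_use_nsswitch` already pulls that in, the daemon's outbound connect will be denied; worth confirming before the module ships. As a point of style, the empty added line before `policy_module(nslcd, 1.0.0)` looks accidental and could be dropped.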