Sssd patch from Dan Walsh.

policy/modules/services/sssd.fc

@@ -4,6 +4,8 @@
 
 /var/lib/sss(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
 
-/var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/var/lib/sss/pubconf(/.*)?	gen_context(system_u:object_r:sssd_public_t,s0)
+
+/var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_log_t,s0)
 
 /var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)

policy/modules/services/sssd.if

@@ -36,6 +36,25 @@ interface(`sssd_initrc_domtrans',`
 	init_labeled_script_domtrans($1, sssd_initrc_exec_t)
 ')
 
+########################################
+## <summary>
+##	Read sssd public files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_read_public_files',`
+	gen_require(`
+		type sssd_public_t;
+	')
+
+	sssd_search_lib($1)
+	read_files_pattern($1, sssd_public_t, sssd_public_t)
+')
+
 ########################################
 ## <summary>
 ##	Read sssd PID files.
@@ -93,6 +112,25 @@ interface(`sssd_search_lib',`
 	files_search_var_lib($1)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to search sssd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sssd_dontaudit_search_lib',`
+	gen_require(`
+		type sssd_var_lib_t;
+	')
+
+	dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
 ########################################
 ## <summary>
 ##	Read sssd lib files.
@@ -196,16 +234,13 @@ interface(`sssd_stream_connect',`
 #
 interface(`sssd_admin',`
 	gen_require(`
-		type sssd_t;
+		type sssd_t, sssd_public_t;
+		type sssd_initrc_exec_t;
 	')
 
 	allow $1 sssd_t:process { ptrace signal_perms getattr };
 	read_files_pattern($1, sssd_t, sssd_t)
 
-	gen_require(`
-		type sssd_initrc_exec_t;
-	')
-
 	# Allow sssd_t to restart the apache service
 	sssd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
@@ -215,4 +250,6 @@ interface(`sssd_admin',`
 	sssd_manage_pids($1)
 
 	sssd_manage_lib_files($1)
+
+	admin_pattern($1, sssd_public_t)
 ')

policy/modules/services/sssd.te

@@ -1,5 +1,5 @@
 
-policy_module(sssd, 1.0.1)
+policy_module(sssd, 1.0.2)
 
 ########################################
 #
@@ -13,6 +13,9 @@ init_daemon_domain(sssd_t, sssd_exec_t)
 type sssd_initrc_exec_t;
 init_script_file(sssd_initrc_exec_t)
 
+type sssd_public_t;
+files_pid_file(sssd_public_t)
+
 type sssd_var_lib_t;
 files_type(sssd_var_lib_t)
 
@@ -26,11 +29,14 @@ files_pid_file(sssd_var_run_t)
 #
 # sssd local policy
 #
-allow sssd_t self:capability { sys_nice setgid setuid };
-allow sssd_t self:process { setsched signal getsched };
+allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
 allow sssd_t self:fifo_file rw_file_perms;
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
+manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
+manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+
 manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
@@ -49,12 +55,21 @@ corecmd_exec_bin(sssd_t)
 
 dev_read_urand(sssd_t)
 
+domain_read_all_domains_state(sssd_t)
+domain_obj_id_change_exemption(sssd_t)
+
 files_list_tmp(sssd_t)
 files_read_etc_files(sssd_t)
 files_read_usr_files(sssd_t)
 
 fs_list_inotifyfs(sssd_t)
 
+selinux_validate_context(sssd_t)
+
+seutil_read_file_contexts(sssd_t)
+
+mls_file_read_to_clearance(sssd_t)
+
 auth_use_nsswitch(sssd_t)
 auth_domtrans_chk_passwd(sssd_t)
 auth_domtrans_upd_passwd(sssd_t)
@@ -70,3 +85,7 @@ optional_policy(`
 	dbus_system_bus_client(sssd_t)
 	dbus_connect_system_bus(sssd_t)
 ')
+
+optional_policy(`
+	kerberos_manage_host_rcache(sssd_t)
+')