NSCD related changes in various policy modules

Use nscd_use instead of nscd_socket_use. This conditionally allows nscd_shm_use Remove the nscd_socket_use from ssh_keygen since it was redundant already allowed by auth_use_nsswitch Had to make some ssh_keysign_t rules unconditional else nscd_use(ssh_keysign_t) would not build (nested booleans) but that does not matter, the only actual domain transition to ssh_keysign_t is conditional so the other unconditional ssh_keygen_t rules are conditional in practice Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-12-17 21:06:29 +01:00 · 2012-12-17 21:06:29 +01:00 · 79e1e4efb9
parent 8b3ffb9663
commit 79e1e4efb9
12 changed files with 19 additions and 27 deletions
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@ -203,7 +203,7 @@ optional_policy(`
 ')

 optional_policy(`
-	nscd_socket_use(bootloader_t)
+	nscd_use(bootloader_t)
 ')

 optional_policy(`
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@ -200,21 +200,17 @@ optional_policy(`
 # ssh_keysign_t local policy
 #

-tunable_policy(`allow_ssh_keysign',`
-	allow ssh_keysign_t self:capability { setgid setuid };
-	allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+allow ssh_keysign_t self:capability { setgid setuid };
+allow ssh_keysign_t self:unix_stream_socket create_socket_perms;

-	allow ssh_keysign_t sshd_key_t:file { getattr read };
+allow ssh_keysign_t sshd_key_t:file { getattr read };

-	dev_read_urand(ssh_keysign_t)
+dev_read_urand(ssh_keysign_t)

-	files_read_etc_files(ssh_keysign_t)
-')
+files_read_etc_files(ssh_keysign_t)

 optional_policy(`
-	tunable_policy(`allow_ssh_keysign',`
-		nscd_socket_use(ssh_keysign_t)
-	')
+	nscd_use(ssh_keysign_t)
 ')

 #################################
@ -328,10 +324,6 @@ logging_send_syslog_msg(ssh_keygen_t)

 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)

-optional_policy(`
-	nscd_socket_use(ssh_keygen_t)
-')
-
 optional_policy(`
 	seutil_sigchld_newrole(ssh_keygen_t)
 ')
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@ -397,7 +397,7 @@ ifdef(`distro_ubuntu',`
 ')

 optional_policy(`
-	nscd_socket_use(utempter_t)
+	nscd_use(utempter_t)
 ')

 optional_policy(`
@ -447,7 +447,7 @@ optional_policy(`
 ')

 optional_policy(`
-	nscd_socket_use(nsswitch_domain)
+	nscd_use(nsswitch_domain)
 ')

 optional_policy(`
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@ -65,7 +65,7 @@ optional_policy(`
 ')

 optional_policy(`
-	nscd_socket_use(hwclock_t)
+	nscd_use(hwclock_t)
 ')

 optional_policy(`
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@ -125,7 +125,7 @@ optional_policy(`
 ')

 optional_policy(`
-	nscd_socket_use(getty_t)
+	nscd_use(getty_t)
 ')

 optional_policy(`
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@ -168,7 +168,7 @@ optional_policy(`
 ')

 optional_policy(`
-	nscd_socket_use(hotplug_t)
+	nscd_use(hotplug_t)
 ')

 optional_policy(`
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@ -234,7 +234,7 @@ interface(`init_daemon_domain',`
 	')

 	optional_policy(`
-		nscd_socket_use($1)
+		nscd_use($1)
 	')
 ')

--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@ -208,7 +208,7 @@ optional_policy(`
 ')

 optional_policy(`
-	nscd_socket_use(init_t)
+	nscd_use(init_t)
 ')

 optional_policy(`
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@ -326,7 +326,7 @@ optional_policy(`
 ')

 optional_policy(`
-	nscd_socket_use(ipsec_mgmt_t)
+	nscd_use(ipsec_mgmt_t)
 ')

 ########################################
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@ -181,7 +181,7 @@ optional_policy(`
 ')

 optional_policy(`
-	nscd_socket_use(local_login_t)
+	nscd_use(local_login_t)
 ')

 optional_policy(`
@ -262,5 +262,5 @@ optional_policy(`
 ')

 optional_policy(`
-	nscd_socket_use(sulogin_t)
+	nscd_use(sulogin_t)
 ')
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@ -205,7 +205,7 @@ optional_policy(`
 ')

 optional_policy(`
-	nscd_socket_use(insmod_t)
+	nscd_use(insmod_t)
 ')

 optional_policy(`
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@ -699,7 +699,7 @@ interface(`sysnet_dns_name_resolve',`
 	')

 	optional_policy(`
-		nscd_socket_use($1)
+		nscd_use($1)
 	')
 ')