From 79e1e4efb9a0b5d90de23afbe9fb708e10a0d902 Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Mon, 17 Dec 2012 21:06:29 +0100
Subject: [PATCH] NSCD related changes in various policy modules

Use nscd_use instead of nscd_socket_use. This conditionally allows nscd_shm_use
Remove the nscd_socket_use from ssh_keygen since it was redundant already allowed by auth_use_nsswitch
Had to make some ssh_keysign_t rules unconditional else nscd_use(ssh_keysign_t) would not build (nested booleans) but that does not matter, the only actual domain transition to ssh_keysign_t is conditional so the other unconditional ssh_keygen_t rules are conditional in practice

Signed-off-by: Dominick Grift
---
 policy/modules/admin/bootloader.te | 2 +-
 policy/modules/services/ssh.te | 20 ++++++-------------
 policy/modules/system/authlogin.te | 4 ++--
 policy/modules/system/clock.te | 2 +-
 policy/modules/system/getty.te | 2 +-
 policy/modules/system/hotplug.te | 2 +-
 policy/modules/system/init.if | 2 +-
 policy/modules/system/init.te | 2 +-
 policy/modules/system/ipsec.te | 2 +-
 policy/modules/system/locallogin.te | 4 ++--
 policy/modules/system/modutils.te | 2 +-
 policy/modules/system/sysnetwork.if | 2 +-
 12 files changed, 19 insertions(+), 27 deletions(-)

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index eeb8e69d9..8f55b4fe9 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -203,7 +203,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- nscd_socket_use(bootloader_t)
+ nscd_use(bootloader_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index d440e3bf0..6b47da676 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -200,21 +200,17 @@ optional_policy(`
 # ssh_keysign_t local policy
 #
 
-tunable_policy(`allow_ssh_keysign',`
- allow ssh_keysign_t self:capability { setgid setuid };
- allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
+allow ssh_keysign_t self:capability { setgid setuid };
+allow ssh_keysign_t self:unix_stream_socket create_socket_perms;
 
- allow ssh_keysign_t sshd_key_t:file { getattr read };
+allow ssh_keysign_t sshd_key_t:file { getattr read };
 
- dev_read_urand(ssh_keysign_t)
+dev_read_urand(ssh_keysign_t)
 
- files_read_etc_files(ssh_keysign_t)
-')
+files_read_etc_files(ssh_keysign_t)
 
 optional_policy(`
- tunable_policy(`allow_ssh_keysign',`
- nscd_socket_use(ssh_keysign_t)
- ')
+ nscd_use(ssh_keysign_t)
 ')
 
 #################################
@@ -328,10 +324,6 @@ logging_send_syslog_msg(ssh_keygen_t)
 
 userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
 
-optional_policy(`
- nscd_socket_use(ssh_keygen_t)
-')
-
 optional_policy(`
 seutil_sigchld_newrole(ssh_keygen_t)
 ')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 4dfa3da64..49e5f6791 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -397,7 +397,7 @@ ifdef(`distro_ubuntu',`
 ')
 
 optional_policy(`
- nscd_socket_use(utempter_t)
+ nscd_use(utempter_t)
 ')
 
 optional_policy(`
@@ -447,7 +447,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- nscd_socket_use(nsswitch_domain)
+ nscd_use(nsswitch_domain)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index 711b998c0..3928e71d4 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -65,7 +65,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- nscd_socket_use(hwclock_t)
+ nscd_use(hwclock_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index fd100fcfe..9db083e7e 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
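Review bot: The `ssh_keysign_t` rules this hunk lifts out of `tunable_policy(`allow_ssh_keysign',...)` — the `setgid setuid` capabilities, the unix socket perms, the `sshd_key_t` read, `dev_read_urand` and `files_read_etc_files` — are now unconditional with nothing in ssh.te saying why, so a later maintainer who sees the tunable still guarding the rest of the module may re-wrap them and reintroduce the nested-boolean build failure. The reason lives only in the commit message: `nscd_use()` contains a tunable block and tunables cannot nest, and per that message the single domain transition into ssh_keysign_t stays gated by the tunable, which is what keeps these rules conditional in practice. Suggest a comment immediately above the first `allow ssh_keysign_t self:capability { setgid setuid };` line: `# Deliberately unconditional: nscd_use() expands to a tunable_policy block and tunables cannot nest; the only transition into ssh_keysign_t is still gated by allow_ssh_keysign.` The transition rule itself and the tunable's other uses are outside this hunk.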
@@ -125,7 +125,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- nscd_socket_use(getty_t)
+ nscd_use(getty_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index b2e41cc7f..f0f991ba2 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -168,7 +168,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- nscd_socket_use(hotplug_t)
+ nscd_use(hotplug_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3f0c2d34d..24e7804cd 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -234,7 +234,7 @@ interface(`init_daemon_domain',`
 ')
 
 optional_policy(`
- nscd_socket_use($1)
+ nscd_use($1)
 ')
 ')
 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 7a5d3e4c0..fd6b9e14a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -208,7 +208,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- nscd_socket_use(init_t)
+ nscd_use(init_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index df56407fc..3de809630 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -326,7 +326,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- nscd_socket_use(ipsec_mgmt_t)
+ nscd_use(ipsec_mgmt_t)
 ')
 
 ########################################
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 9fd5be7b2..cf279a02d 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -181,7 +181,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- nscd_socket_use(local_login_t)
+ nscd_use(local_login_t)
 ')
 
 optional_policy(`
@@ -262,5 +262,5 @@ optional_policy(`
 ')
 
 optional_policy(`
- nscd_socket_use(sulogin_t)
+ nscd_use(sulogin_t)
 ')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 79d3e6521..203d216c2 100644
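Review bot: Changing `init_daemon_domain` from `nscd_socket_use($1)` to `nscd_use($1)` widens what every domain declared through this interface can be granted — per the commit message `nscd_use` conditionally adds `nscd_shm_use`, presumably shared-memory access to nscd's databases — but the interface's `## <summary>`/`## <desc>` documentation above the hunk is not updated to mention it. The same applies to `sysnet_dns_name_resolve` in sysnetwork.if and to the `nsswitch_domain` hunk in authlogin.te, which between them cover most domains that resolve names. Suggest adding to each interface description a sentence such as `Access to nscd is granted via nscd_use(), so callers also receive nscd shared-memory access when the nscd tunable controlling it is enabled.`, so policy authors relying on these interfaces can see the grant is tunable-dependent rather than socket-only. Both interface declarations start outside their hunks.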
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -205,7 +205,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- nscd_socket_use(insmod_t)
+ nscd_use(insmod_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index fcefe614a..694452668 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -699,7 +699,7 @@ interface(`sysnet_dns_name_resolve',`
 ')
 
 optional_policy(`
- nscd_socket_use($1)
+ nscd_use($1)
 ')
 ')
 