nss_domain attribute patch 3, Miroslav Grepl

policy/modules/system/authlogin.te

@@ -5,6 +5,14 @@ policy_module(authlogin, 2.3.1)
 # Declarations
 #
 
+
+## <desc>
+## <p>
+## Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
+## </p>
+## </desc>
+gen_tunable(authlogin_nsswitch_use_ldap, false)
+
 attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
@@ -407,17 +415,23 @@ files_list_var_lib(nsswitch_domain)
 # read /etc/nsswitch.conf
 files_read_etc_files(nsswitch_domain)
 
-miscfiles_read_generic_certs(nsswitch_domain)
-
 sysnet_dns_name_resolve(nsswitch_domain)
-sysnet_use_ldap(nsswitch_domain)
 
-optional_policy(`
-	avahi_stream_connect(nsswitch_domain)
+tunable_policy(`authlogin_nsswitch_use_ldap',`
+	files_list_var_lib(nsswitch_domain)
+
+	miscfiles_read_generic_certs(nsswitch_domain)
+	sysnet_use_ldap(nsswitch_domain)
 ')
 
 optional_policy(`
-	ldap_stream_connect(nsswitch_domain)
+	tunable_policy(`authlogin_nsswitch_use_ldap',`
+		ldap_stream_connect(nsswitch_domain)
+	')
+')
+
+optional_policy(`
+	avahi_stream_connect(nsswitch_domain)
 ')
 
 optional_policy(`