[selinux-policy: 2361/3172] Sssd patch from Dan Walsh.

Thu Oct 7 22:29:36 UTC 2010

commit f3890b25db2615b0beef79b7f2a62407a70b2516
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jan 7 09:00:59 2010 -0500

    Sssd patch from Dan Walsh.

 policy/modules/services/sssd.fc |    5 ++++-
 policy/modules/services/sssd.if |   20 +++++++++++++++++++-
 policy/modules/services/sssd.te |   12 ++++++++++--
 3 files changed, 33 insertions(+), 4 deletions(-)
---

diff --git a/policy/modules/services/sssd.fc b/policy/modules/services/sssd.fc
index f2b7dbf..2aad570 100644
--- a/policy/modules/services/sssd.fc
+++ b/policy/modules/services/sssd.fc
@@ -1,6 +1,9 @@
-/etc/rc.d/init.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
 
 /usr/sbin/sssd		--	gen_context(system_u:object_r:sssd_exec_t,s0)
 
 /var/lib/sss(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
+/var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
+
 /var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 62d8b99..47913d6 100644
--- a/policy/modules/services/sssd.if
+++ b/policy/modules/services/sssd.if
@@ -20,6 +20,24 @@ interface(`sssd_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute sssd server in the sssd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_initrc_domtrans',`
+	gen_require(`
+		type sssd_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, sssd_initrc_exec_t)
+')
+
+########################################
+## <summary>
 ##	Read sssd PID files.
 ## </summary>
 ## <param name="domain">
@@ -156,7 +174,7 @@ interface(`sssd_stream_connect',`
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate 
+##	All of the rules required to administrate
 ##	an sssd environment
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
index 59777c9..059bb6f 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -1,5 +1,5 @@
 
-policy_module(sssd, 1.0.0)
+policy_module(sssd, 1.0.1)
 
 ########################################
 #
@@ -16,6 +16,9 @@ init_script_file(sssd_initrc_exec_t)
 type sssd_var_lib_t;
 files_type(sssd_var_lib_t)
 
+type sssd_var_log_t;
+logging_log_file(sssd_var_log_t)
+
 type sssd_var_run_t;
 files_pid_file(sssd_var_run_t)
 
@@ -23,7 +26,7 @@ files_pid_file(sssd_var_run_t)
 #
 # sssd local policy
 #
-allow sssd_t self:capability { sys_nice setuid };
+allow sssd_t self:capability { sys_nice setgid setuid };
 allow sssd_t self:process { setsched signal getsched };
 allow sssd_t self:fifo_file rw_file_perms;
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -33,6 +36,9 @@ manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
 
+manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
+logging_log_filetrans(sssd_t, sssd_var_log_t, file)
+
 manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
 manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
 files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
@@ -47,6 +53,8 @@ files_list_tmp(sssd_t)
 files_read_etc_files(sssd_t)
 files_read_usr_files(sssd_t)
 
+fs_list_inotifyfs(sssd_t)
+
 auth_use_nsswitch(sssd_t)
 auth_domtrans_chk_passwd(sssd_t)
 auth_domtrans_upd_passwd(sssd_t)
