[selinux-policy: 2593/3172] Sssd patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:50:36 UTC 2010


commit 2b93b8858493fcc5a6feede3ac124e66229afe50
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Mar 29 14:08:52 2010 -0400

    Sssd patch from Dan Walsh.

 policy/modules/services/sssd.fc |    4 ++-
 policy/modules/services/sssd.if |   47 ++++++++++++++++++++++++++++++++++----
 policy/modules/services/sssd.te |   25 ++++++++++++++++++--
 3 files changed, 67 insertions(+), 9 deletions(-)
---
diff --git a/policy/modules/services/sssd.fc b/policy/modules/services/sssd.fc
index 2aad570..4271815 100644
--- a/policy/modules/services/sssd.fc
+++ b/policy/modules/services/sssd.fc
@@ -4,6 +4,8 @@
 
 /var/lib/sss(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
 
-/var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
+/var/lib/sss/pubconf(/.*)?	gen_context(system_u:object_r:sssd_public_t,s0)
+
+/var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_log_t,s0)
 
 /var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
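Review bot: The new entry on line 29 relabels /var/log/sssd to sssd_var_log_t, but none of the sssd.te hunks in this commit declares that type; if it is not already declared outside the visible hunks, the file-context build fails on an undefined type. Worth confirming with a `grep sssd_var_log_t policy/modules/services/sssd.te` before merging, and if it is missing, pairing the .fc change with `type sssd_var_log_t; logging_log_file(sssd_var_log_t)` plus the matching manage rules for sssd_t. The /var/lib/sss/pubconf entry on line 27 is fine as written: its literal prefix is longer than the /var/lib/sss(/.*)? entry above it, so it takes precedence for that subtree.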
diff --git a/policy/modules/services/sssd.if b/policy/modules/services/sssd.if
index 47913d6..5eff513 100644
--- a/policy/modules/services/sssd.if
+++ b/policy/modules/services/sssd.if
@@ -38,6 +38,25 @@ interface(`sssd_initrc_domtrans',`
 
 ########################################
 ## <summary>
+##	Read sssd public files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sssd_read_public_files',`
+	gen_require(`
+		type sssd_public_t;
+	')
+
+	sssd_search_lib($1)
+	read_files_pattern($1, sssd_public_t, sssd_public_t)
+')
+
+########################################
+## <summary>
 ##	Read sssd PID files.
 ## </summary>
 ## <param name="domain">
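Review bot: The summary on line 40 says only "Read sssd public files" and never says what those files are; since the .fc half of this commit labels /var/lib/sss/pubconf with sssd_public_t, say so: `##	Read sssd public files (/var/lib/sss/pubconf).` Also note that read_files_pattern on line 54 grants search on the sssd_public_t directory but not listing, so a caller that needs to enumerate the directory would additionally need list_dirs_pattern; that is fine if consumers only open known file names, but a one-line comment stating that assumption would help the next reader.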
@@ -95,6 +114,25 @@ interface(`sssd_search_lib',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to search sssd lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sssd_dontaudit_search_lib',`
+	gen_require(`
+		type sssd_var_lib_t;
+	')
+
+	dontaudit $1 sssd_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
 ##	Read sssd lib files.
 ## </summary>
 ## <param name="domain">
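Review bot: sssd_dontaudit_search_lib mixes a dontaudit with an allow: line 80 `files_search_var_lib($1)` grants the caller search on the generic var_lib directory, so an interface advertised as "do not audit" silently widens the caller's permissions. Dontaudit interfaces in this tree are expected to be audit-only, and a caller that wants the real search access already has sssd_search_lib; drop line 80 so the body is just `dontaudit $1 sssd_var_lib_t:dir search_dir_perms;`. If the extra grant is intentional, the interface name and summary should say so.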
@@ -196,16 +234,13 @@ interface(`sssd_stream_connect',`
 #
 interface(`sssd_admin',`
 	gen_require(`
-		type sssd_t;
+		type sssd_t, sssd_public_t;
+		type sssd_initrc_exec_t;
 	')
 
 	allow $1 sssd_t:process { ptrace signal_perms getattr };
 	read_files_pattern($1, sssd_t, sssd_t)
 
-	gen_require(`
-		type sssd_initrc_exec_t;
-	')
-
 	# Allow sssd_t to restart the apache service
 	sssd_initrc_domtrans($1)
 	domain_system_change_exemption($1)
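Review bot: The comment `# Allow sssd_t to restart the apache service` on line 104, directly below the gen_require block this hunk consolidates, is a copy-paste leftover: the call under it is sssd_initrc_domtrans and its subject is the admin domain $1, not sssd_t. Since the surrounding lines are being touched anyway, change it to `# Allow $1 to restart the sssd service`. The body of sssd_admin continues past the end of this hunk.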
@@ -215,4 +250,6 @@ interface(`sssd_admin',`
 	sssd_manage_pids($1)
 
 	sssd_manage_lib_files($1)
+
+	admin_pattern($1, sssd_public_t)
 ')
diff --git a/policy/modules/services/sssd.te b/policy/modules/services/sssd.te
index 059bb6f..d47425e 100644
--- a/policy/modules/services/sssd.te
+++ b/policy/modules/services/sssd.te
@@ -1,5 +1,5 @@
 
-policy_module(sssd, 1.0.1)
+policy_module(sssd, 1.0.2)
 
 ########################################
 #
@@ -13,6 +13,9 @@ init_daemon_domain(sssd_t, sssd_exec_t)
 type sssd_initrc_exec_t;
 init_script_file(sssd_initrc_exec_t)
 
+type sssd_public_t;
+files_pid_file(sssd_public_t)
+
 type sssd_var_lib_t;
 files_type(sssd_var_lib_t)
 
@@ -26,11 +29,14 @@ files_pid_file(sssd_var_run_t)
 #
 # sssd local policy
 #
-allow sssd_t self:capability { sys_nice setgid setuid };
-allow sssd_t self:process { setsched signal getsched };
+allow sssd_t self:capability { dac_read_search dac_override kill sys_nice setgid setuid };
+allow sssd_t self:process { setfscreate setsched sigkill signal getsched };
 allow sssd_t self:fifo_file rw_file_perms;
 allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
+manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
+manage_files_pattern(sssd_t, sssd_public_t, sssd_public_t)
+
 manage_dirs_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
 manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
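Review bot: Line 141 grants both dac_read_search and dac_override, but dac_override already covers read, write and execute bypass of DAC, so listing dac_read_search beside it adds nothing and the effective grant is the wider one. If sssd only needs to read files it does not own (the usual case for looking up home directories and keytabs), keep dac_read_search alone; if it genuinely must write as another uid, keep dac_override and add a comment naming the path that needs it, e.g. `# dac_override: <path — TODO confirm>`. The same rule adds kill and sigkill with no rationale; a short comment on what sssd signals (its own child processes, presumably) would document the intended scope.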
@@ -49,12 +55,21 @@ corecmd_exec_bin(sssd_t)
 
 dev_read_urand(sssd_t)
 
+domain_read_all_domains_state(sssd_t)
+domain_obj_id_change_exemption(sssd_t)
+
 files_list_tmp(sssd_t)
 files_read_etc_files(sssd_t)
 files_read_usr_files(sssd_t)
 
 fs_list_inotifyfs(sssd_t)
 
+selinux_validate_context(sssd_t)
+
+seutil_read_file_contexts(sssd_t)
+
+mls_file_read_to_clearance(sssd_t)
+
 auth_use_nsswitch(sssd_t)
 auth_domtrans_chk_passwd(sssd_t)
 auth_domtrans_upd_passwd(sssd_t)
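Review bot: Lines 156, 157, 165, 167 and 169 add several broad, unconditional grants without a word of rationale: domain_read_all_domains_state lets sssd read the /proc state of every domain on the system, domain_obj_id_change_exemption and setfscreate (from the earlier hunk) let it create files under other contexts, and mls_file_read_to_clearance widens MLS read access. Each of these deserves a one-line why-comment, for example `# read client /proc state for peer checks` above line 156 and `# create labelled files in pubconf` above line 157, or, where the need is uncertain, a hedged `# TODO confirm: needed for ...`. Without them the next audit of this module cannot tell which grants are load-bearing and which were copied from a denial log.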
@@ -70,3 +85,7 @@ optional_policy(`
 	dbus_system_bus_client(sssd_t)
 	dbus_connect_system_bus(sssd_t)
 ')
+
+optional_policy(`
+	kerberos_manage_host_rcache(sssd_t)
+')

