[selinux-policy: 1573/3172] add nscd_socket_use() to auth_use_nsswitch() since it caches nss lookups.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:21:11 UTC 2010
commit 3ef029db7c23b10f917f7f5c3884a7fae596a2ec
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Aug 22 19:37:56 2006 +0000
add nscd_socket_use() to auth_use_nsswitch() since it caches nss lookups.
Changelog | 1 +
policy/modules/admin/su.if | 8 --------
policy/modules/admin/usermanage.te | 10 ----------
policy/modules/services/apache.te | 5 -----
policy/modules/services/dbus.te | 6 ------
policy/modules/services/dovecot.te | 10 ----------
policy/modules/services/ftp.te | 4 ----
policy/modules/services/hal.te | 8 --------
policy/modules/services/mysql.te | 8 --------
policy/modules/services/ntp.te | 12 ------------
policy/modules/services/pegasus.te | 4 ----
policy/modules/services/procmail.te | 4 ----
policy/modules/services/pyzor.te | 4 ----
policy/modules/services/samba.te | 8 --------
policy/modules/services/xfs.te | 4 ----
policy/modules/system/authlogin.if | 31 +++++++++++--------------------
policy/modules/system/authlogin.te | 7 +------
policy/modules/system/selinuxutil.te | 5 -----
policy/modules/system/udev.te | 20 +++-----------------
19 files changed, 16 insertions(+), 143 deletions(-)
---
diff --git a/Changelog b/Changelog
index 4418061..2438d0b 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add nscd_socket_use() to auth_use_nsswitch().
- Remove old selopt rules.
- Full support for netfilter_contexts.
- MRTG patch for daemon operation from Stefan.
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 5fb85ce..6c493c7 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -119,10 +119,6 @@ template(`su_restricted_domain_template', `
kerberos_use($1_su_t)
')
- optional_policy(`
- nscd_socket_use($1_su_t)
- ')
-
ifdef(`TODO',`
# Caused by su - init scripts
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
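Review bot: Dropping `nscd_socket_use($1_su_t)` here is only safe if the template already calls `auth_use_nsswitch($1_su_t)`, which this hunk does not show (the template body runs outside the hunk), so that call should be confirmed before the optional block goes. The same dependency applies to the other removals in this commit that presumably rely on auth_use_nsswitch() now carrying the access: the second su.if hunk, both usermanage.te hunks, apache.te (including sysnet_use_ldap), dbus.te (including the netlink_route_socket and miscfiles_read_certs lines), dovecot.te (including sysnet_dns_name_resolve), ftp.te, hal.te, mysql.te, ntp.te (including samba_stream_connect_winbind), pegasus.te, procmail.te, pyzor.te, samba.te, xfs.te, the pam_console_t hunks in authlogin.te and the semanage_t hunks in selinuxutil.te; only udev.te shows the `auth_use_nsswitch(udev_t)` call in its context lines. For any domain where that call is absent, the change does not fail at build time, because the removed rules sat inside optional_policy blocks; instead nscd-backed lookups (and, for the domains listed, the DNS, LDAP, NIS or winbind access that was removed alongside) turn into AVC denials once nscd is running. A quick grep for auth_use_nsswitch over the touched .te files would settle it.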
@@ -302,10 +298,6 @@ template(`su_per_userdomain_template',`
kerberos_use($1_su_t)
')
- optional_policy(`
- nscd_socket_use($1_su_t)
- ')
-
# Modify .Xauthority file (via xauth program).
optional_policy(`
# file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 0cc9adc..ee65a1e 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -256,12 +256,7 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(groupadd_t)
-')
-
-optional_policy(`
nscd_exec(groupadd_t)
- nscd_socket_use(groupadd_t)
')
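Review bot: usermanage.te loses rules in this hunk and the next, but according to the diffstat its `policy_module()` version is not bumped, while authlogin.te's is (1.3.10 to 1.3.11). If the tree's convention is to bump the module version on every rule change so that installed modules are recognised as changed, the same one-line bump belongs here and in the other .te files touched by this commit (apache, dbus, dovecot, ftp, hal, mysql, ntp, pegasus, procmail, pyzor, samba, xfs, selinuxutil, udev), none of which shows an insertion in the diffstat. The policy_module line sits outside this hunk.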
optional_policy(`
@@ -531,12 +526,7 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(useradd_t)
-')
-
-optional_policy(`
nscd_exec(useradd_t)
- nscd_socket_use(useradd_t)
')
optional_policy(`
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 6e7669f..2b6db56 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -268,7 +268,6 @@ miscfiles_read_certs(httpd_t)
seutil_dontaudit_search_config(httpd_t)
-sysnet_use_ldap(httpd_t)
sysnet_read_config(httpd_t)
userdom_use_unpriv_users_fds(httpd_t)
@@ -412,10 +411,6 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(httpd_t)
-')
-
-optional_policy(`
openca_domtrans(httpd_t)
openca_signal(httpd_t)
openca_sigstop(httpd_t)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 1be84ef..a20b9f2 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -38,7 +38,6 @@ allow system_dbusd_t self:dbus { send_msg acquire_svc };
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow system_dbusd_t self:netlink_route_socket r_netlink_socket_perms;
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
@@ -103,7 +102,6 @@ libs_use_shared_libs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
miscfiles_read_localization(system_dbusd_t)
-miscfiles_read_certs(system_dbusd_t)
seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
@@ -131,10 +129,6 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(system_dbusd_t)
-')
-
-optional_policy(`
sysnet_domtrans_dhcpc(system_dbusd_t)
')
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 642e3ce..dca87b9 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -193,8 +193,6 @@ miscfiles_read_localization(dovecot_auth_t)
seutil_dontaudit_search_config(dovecot_auth_t)
-sysnet_dns_name_resolve(dovecot_auth_t)
-
optional_policy(`
kerberos_use(dovecot_auth_t)
')
@@ -202,11 +200,3 @@ optional_policy(`
optional_policy(`
logging_send_syslog_msg(dovecot_auth_t)
')
-
-optional_policy(`
- nis_use_ypbind(dovecot_auth_t)
-')
-
-optional_policy(`
- nscd_socket_use(dovecot_auth_t)
-')
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index ce3c62a..4c862e6 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -244,10 +244,6 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(ftpd_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(ftpd_t)
')
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 8c7a872..9bccaa9 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -210,14 +210,6 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(hald_t)
-')
-
-optional_policy(`
- nscd_socket_use(hald_t)
-')
-
-optional_policy(`
ntp_domtrans(hald_t)
')
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 052381d..252f035 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -124,14 +124,6 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(mysqld_t)
-')
-
-optional_policy(`
- nscd_socket_use(mysqld_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(mysqld_t)
')
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index f684714..d68749a 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -139,18 +139,6 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(ntpd_t)
-')
-
-optional_policy(`
- nscd_socket_use(ntpd_t)
-')
-
-optional_policy(`
- samba_stream_connect_winbind(ntpd_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(ntpd_t)
')
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index 7769803..d8596ea 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -138,10 +138,6 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(pegasus_t)
-')
-
-optional_policy(`
rpm_exec(pegasus_t)
')
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index 812f9cd..bf1e99c 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -87,10 +87,6 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(procmail_t)
-')
-
-optional_policy(`
# for a bug in the postfix local program
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
postfix_dontaudit_use_fds(procmail_t)
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index 547a1c7..f433f2c 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -126,7 +126,3 @@ ifdef(`targeted_policy',`
optional_policy(`
logging_send_syslog_msg(pyzord_t)
')
-
-optional_policy(`
- nscd_socket_use(pyzord_t)
-')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 37ae73e..0a4cca7 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -322,14 +322,6 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(smbd_t)
-')
-
-optional_policy(`
- nscd_socket_use(smbd_t)
-')
-
-optional_policy(`
rpc_search_nfs_state_data(smbd_t)
')
diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te
index 2a4da55..a7b4e7e 100644
--- a/policy/modules/services/xfs.te
+++ b/policy/modules/services/xfs.te
@@ -90,10 +90,6 @@ ifdef(`targeted_policy',`
')
optional_policy(`
- nis_use_ypbind(xfs_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(xfs_t)
')
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 29e1a77..51428d5 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -40,40 +40,26 @@ template(`authlogin_common_auth_domain_template',`
dev_read_rand($1_chkpwd_t)
dev_read_urand($1_chkpwd_t)
+ files_read_etc_files($1_chkpwd_t)
+ # for nscd
+ files_dontaudit_search_var($1_chkpwd_t)
+
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
+ auth_use_nsswitch($1_chkpwd_t)
+
libs_use_ld_so($1_chkpwd_t)
libs_use_shared_libs($1_chkpwd_t)
- files_read_etc_files($1_chkpwd_t)
- # for nscd
- files_dontaudit_search_var($1_chkpwd_t)
-
logging_send_syslog_msg($1_chkpwd_t)
- miscfiles_read_certs($1_chkpwd_t)
miscfiles_read_localization($1_chkpwd_t)
seutil_read_config($1_chkpwd_t)
- sysnet_dns_name_resolve($1_chkpwd_t)
- sysnet_use_ldap($1_chkpwd_t)
-
optional_policy(`
kerberos_use($1_chkpwd_t)
')
-
- optional_policy(`
- nis_use_ypbind($1_chkpwd_t)
- ')
-
- optional_policy(`
- nscd_socket_use($1_chkpwd_t)
- ')
-
- optional_policy(`
- samba_stream_connect_winbind($1_chkpwd_t)
- ')
')
#######################################
@@ -121,6 +107,7 @@ template(`authlogin_per_userdomain_template',`
role $3 types $1_chkpwd_t;
role $3 types system_chkpwd_t;
+ # cjp: is this really needed?
allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
dontaudit $2 shadow_t:file { getattr read };
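Review bot: The added `# cjp: is this really needed?` records a doubt rather than a rationale, so a later reader cannot tell what was to be verified or whether it ever was. `nlmsg_relay` on `netlink_audit_socket` is the permission that lets a domain emit userspace audit records, which PAM modules presumably do through libaudit, so the comment is more useful as a checkable item: `# TODO(cjp): confirm a PAM module run by $2 sends audit records via libaudit; drop this rule if none does`. The enclosing template continues outside the hunk.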
@@ -1341,6 +1328,10 @@ interface(`auth_use_nsswitch',`
')
optional_policy(`
+ nscd_socket_use($1)
+ ')
+
+ optional_policy(`
samba_stream_connect_winbind($1)
')
')
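Review bot: auth_use_nsswitch() now grants every caller connect access to the nscd socket, but the interface's `## <summary>`/`## <desc>` documentation block, which sits before this hunk (the interface begins outside it), is not updated, so callers reading the interface documentation will not learn about the widened access. Add a line to the description along the lines of `## This includes connecting to the nscd socket when the nscd module is present.` so the documented contract matches what the interface grants. Wrapping the call in its own optional_policy block is the right shape since nscd is an optional module; it also means the access comes and goes with that module, which is worth remembering when auditing which domains can reach nscd.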
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 5b93838..56a7b51 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.3.10)
+policy_module(authlogin,1.3.11)
########################################
#
@@ -214,7 +214,6 @@ libs_use_shared_libs(pam_console_t)
logging_send_syslog_msg(pam_console_t)
miscfiles_read_localization(pam_console_t)
-miscfiles_read_certs(pam_console_t)
seutil_read_file_contexts(pam_console_t)
@@ -237,10 +236,6 @@ optional_policy(`
')
optional_policy(`
- nscd_socket_use(pam_console_t)
-')
-
-optional_policy(`
seutil_sigchld_newrole(pam_console_t)
')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 19bc01f..ec991b1 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -550,7 +550,6 @@ allow semanage_t self:capability { dac_override audit_write };
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
-allow semanage_t self:netlink_route_socket r_netlink_socket_perms;
allow semanage_t policy_config_t:file { read write };
@@ -614,10 +613,6 @@ ifdef(`targeted_policy',`
userdom_read_generic_user_home_content_files(semanage_t)
')
-optional_policy(`
- nscd_socket_use(semanage_t)
-')
-
########################################
#
# Setfiles local policy
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 785bc3c..1006bf0 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -99,6 +99,8 @@ selinux_compute_create_context(udev_t)
selinux_compute_relabel_context(udev_t)
selinux_compute_user_contexts(udev_t)
+auth_read_pam_console_data(udev_t)
+auth_domtrans_pam_console(udev_t)
auth_use_nsswitch(udev_t)
corecmd_exec_all_executables(udev_t)
@@ -138,6 +140,7 @@ seutil_read_file_contexts(udev_t)
seutil_domtrans_restorecon(udev_t)
sysnet_domtrans_ifconfig(udev_t)
+sysnet_domtrans_dhcpc(udev_t)
userdom_use_sysadm_ttys(udev_t)
userdom_dontaudit_search_all_users_home_content(udev_t)
@@ -164,11 +167,6 @@ ifdef(`targeted_policy',`
')
optional_policy(`
- auth_read_pam_console_data(udev_t)
- auth_domtrans_pam_console(udev_t)
-')
-
-optional_policy(`
consoletype_exec(udev_t)
')
@@ -185,17 +183,5 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(udev_t)
-')
-
-optional_policy(`
- nscd_socket_use(udev_t)
-')
-
-optional_policy(`
- sysnet_domtrans_dhcpc(udev_t)
-')
-
-optional_policy(`
xserver_read_xdm_pid(udev_t)
')