1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
|
## <summary>Name service cache daemon</summary>
########################################
## <summary>
## Send generic signals to NSCD.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nscd_signal',`
gen_require(`
type nscd_t;
')
allow $1 nscd_t:process signal;
')
########################################
## <summary>
## Execute NSCD in the nscd domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`nscd_domtrans',`
gen_require(`
type nscd_t, nscd_exec_t;
')
corecmd_search_sbin($1)
domain_auto_trans($1,nscd_exec_t,nscd_t)
allow $1 nscd_t:fd use;
allow nscd_t $1:fd use;
allow nscd_t $1:fifo_file rw_file_perms;
allow nscd_t $1:process sigchld;
')
########################################
## <summary>
## Allow the specified domain to execute nscd
## in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nscd_exec',`
gen_require(`
type nscd_exec_t;
')
can_exec($1,nscd_exec_t)
')
########################################
## <summary>
## Use NSCD services by connecting using
## a unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nscd_socket_use',`
gen_require(`
type nscd_t, nscd_var_run_t;
class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
')
allow $1 self:unix_stream_socket create_socket_perms;
allow $1 nscd_t:unix_stream_socket connectto;
allow $1 nscd_t:nscd { getpwd getgrp gethost };
dontaudit $1 nscd_t:fd use;
dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
files_search_pids($1)
allow $1 nscd_var_run_t:dir r_dir_perms;
allow $1 nscd_var_run_t:sock_file rw_file_perms;
dontaudit $1 nscd_var_run_t:file { getattr read };
')
########################################
## <summary>
## Use NSCD services by mapping the database from
## an inherited NSCD file descriptor.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nscd_shm_use',`
gen_require(`
type nscd_t, nscd_var_run_t;
class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
')
allow $1 nscd_var_run_t:dir r_dir_perms;
allow $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
# Receive fd from nscd and map the backing file with read access.
allow $1 nscd_t:fd use;
# cjp: these were originally inherited from the
# nscd_socket_domain macro. need to investigate
# if they are all actually required
allow $1 self:unix_stream_socket create_stream_socket_perms;
allow $1 nscd_t:unix_stream_socket connectto;
allow $1 nscd_var_run_t:sock_file rw_file_perms;
files_search_pids($1)
allow $1 nscd_t:nscd { getpwd getgrp gethost };
dontaudit $1 nscd_var_run_t:file { getattr read };
')
########################################
## <summary>
## Read NSCD pid file.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nscd_read_pid',`
gen_require(`
type nscd_var_run_t;
')
files_search_pids($1)
allow $1 nscd_var_run_t:dir search;
allow $1 nscd_var_run_t:file { getattr read };
')
########################################
## <summary>
## Unconfined access to NSCD services.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`nscd_unconfined',`
gen_require(`
type nscd_t;
class nscd all_nscd_perms;
')
allow $1 nscd_t:nscd *;
')
|
