Christopher J. PeBenito wrote: > On Tue, 2007-03-06 at 13:43 -0500, Daniel J Walsh wrote: > >> Christopher J. PeBenito wrote: >> >>> On Mon, 2007-02-26 at 12:29 -0500, dwalsh@localhost.localdomain wrote: >>> >>>> +',` >>>> + userdom_dontaudit_use_sysadm_ttys(nscd_t) >>>> + userdom_dontaudit_use_sysadm_ptys(nscd_t) >>>> >>> This should go with a run interface, then you get the transition, the >>> role and these dontaudits. >>> >>> >> Ok how about this one. >> > > Yes, thats what I had in mind, but I thought that the purpose was that > nscd was restarted from usermanage_t. If so, the nscd_run() call should > go in usermanage_run_useradd(). See rpm_run() for what I was thinking. > > >> +interface(`nscd_run',` >> + gen_require(` >> + type nscd_t; >> + ') >> + >> + nscd_domtrans($1) >> + role $2 types nscd_t; >> + dontaudit nscd_t $3:chr_file rw_term_perms; >> +') >> + >> --- nsaserefpolicy/policy/modules/system/userdomain.te 2007-02-19 11:32:53.000000000 -0500 >> +++ serefpolicy-2.5.8/policy/modules/system/userdomain.te 2007-03-06 13:33:25.000000000 -0500 >> @@ -423,6 +438,10 @@ >> ') >> >> optional_policy(` >> + nscd_run(sysadm_t,sysadm_r,admin_terminal) >> + ') >> + >> + optional_policy(` >> usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal) >> usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal) >> usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal) >> Ok one more pass.
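Review bot: The nscd_run interface in the quoted nscd hunk has no documentation block above the "interface(`nscd_run'," line, so the meaning of $1, $2 and $3 can only be worked out from the body (domain to transition from, role to authorize for nscd_t, terminal type covered by the dontaudit). Add a summary and one param entry per argument. State in the summary that terminal access is only dontaudited, not allowed, because "dontaudit nscd_t $3:chr_file rw_term_perms;" means nscd_t denials on the caller's terminal will no longer appear in the audit log.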
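Review bot: In the userdomain.te hunk, "nscd_run(sysadm_t,sysadm_r,admin_terminal)" sits in its own optional_policy block, which gives sysadm_t a direct transition into nscd_t and adds nscd_t to sysadm_r. The reply above says that if the purpose is nscd being restarted from usermanage_t, the call belongs in usermanage_run_useradd() instead. If that is the only case that needs it, move the call there and drop this block, so that sysadm_t does not gain a transition it does not need.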