From: ssalley@likewise.com (Scott Salley)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/1] Initial Likewise Open support
Date: Fri, 05 Mar 2010 10:50:58 -0800 [thread overview]
Message-ID: <4B915292.4000702@likewise.com> (raw)
Likewise Open allows Linux, Unix, and Mac machines to
join Active Directory and securely authenticate users.
Signed-off-by: Scott Salley <ssalley@likewise.com>
---
policy/modules/services/likewise.fc | 72 +++++++++
policy/modules/services/likewise.if | 220 ++++++++++++++++++++++++++++
policy/modules/services/likewise.te | 273 +++++++++++++++++++++++++++++++++++
policy/modules/system/authlogin.if | 4 +
4 files changed, 569 insertions(+), 0 deletions(-)
create mode 100644 policy/modules/services/likewise.fc
create mode 100644 policy/modules/services/likewise.if
create mode 100644 policy/modules/services/likewise.te
diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc
new file mode 100644
index 0000000..2e4eb86
--- /dev/null
+++ b/policy/modules/services/likewise.fc
@@ -0,0 +1,72 @@
+
+#
+# /etc
+#
+/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+
+/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+
+/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
+
+/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
+
+/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
+
+/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+
+/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
+
+/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+
+
+/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
+/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+
+/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
+/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+
+/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
+/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+
+/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
+
+/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
+/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
+/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+
+/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
+
+/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
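Review bot: The `/var/run/*.pid` entries (lsassd, lwiod, lwregd, netlogond, srvsvcd) leave the dot unescaped while the rest of the file writes `\.`, so each pattern matches any character in that position; write them as `/var/run/lsassd\.pid` and so on. `lsasd\.err` looks like a misspelling of lsassd; if the daemon's error file is really named lsassd.err, a relabel would give it the directory-wide likewise_var_lib_t instead of lsassd_var_lib_t, so the name should be checked against the package. `krb5-affinity.conf` is labelled netlogond_var_lib_t here, which leaves the likewise_krb5_affinity_t type declared in likewise.te without any file context; one of the two should go.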
diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
new file mode 100644
index 0000000..cea6b44
--- /dev/null
+++ b/policy/modules/services/likewise.if
@@ -0,0 +1,220 @@
+## <summary>
+## Likewise -- Active Directory support for UNIX
+## </summary>
+
+
+########################################
+## <summary>
+## Execute daemon in the likewise domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`likewise_initrc_domtrans',`
+ gen_require(`
+ type likewise_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, likewise_initrc_exec_t)
+')
+
+########################################
+## <summary>
+## Connect to dcerpcd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_dcerpcd',`
+ gen_require(`
+ type likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 likewise_var_lib_t:dir search_dir_perms;
+ allow $1 dcerpcd_var_socket_t:sock_file unlink;
+ stream_connect_pattern($1, dcerpcd_var_socket_t, dcerpcd_var_socket_t, dcerpcd_t)
+')
+
+########################################
+## <summary>
+## Connect to eventlogd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_eventlogd',`
+ gen_require(`
+ type likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 likewise_var_lib_t:dir search_dir_perms;
+ stream_connect_pattern($1, eventlogd_var_socket_t, eventlogd_var_socket_t, eventlogd_t)
+')
+
+########################################
+## <summary>
+## Connect to lsassd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_lsassd',`
+ gen_require(`
+ type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 likewise_var_lib_t:dir search_dir_perms;
+ stream_connect_pattern($1, lsassd_var_socket_t, lsassd_var_socket_t, lsassd_t)
+')
+
+########################################
+## <summary>
+## Connect to lwiod.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_lwiod',`
+ gen_require(`
+ type likewise_var_lib_t, lwiod_var_socket_t, lwiod_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 likewise_var_lib_t:dir search_dir_perms;
+ stream_connect_pattern($1, lwiod_var_socket_t, lwiod_var_socket_t, lwiod_t)
+')
+
+########################################
+## <summary>
+## Connect to netlogond.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_netlogond',`
+ gen_require(`
+ type likewise_var_lib_t, netlogond_var_socket_t, netlogond_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 likewise_var_lib_t:dir search_dir_perms;
+ stream_connect_pattern($1, netlogond_var_socket_t, netlogond_var_socket_t, netlogond_t)
+')
+
+########################################
+## <summary>
+## Connect to lwregd.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_stream_connect_lwregd',`
+ gen_require(`
+ type likewise_var_lib_t, lwregd_var_socket_t, lwregd_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 likewise_var_lib_t:dir search_dir_perms;
+ stream_connect_pattern($1, lwregd_var_socket_t, lwregd_var_socket_t, lwregd_t)
+')
+
+########################################
+## <summary>
+## Read/write /etc/likewise-open.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`likewise_rw_etc',`
+ gen_require(`
+ type likewise_etc_t;
+ ')
+
+ allow $1 likewise_etc_t:dir search_dir_perms;
+ manage_files_pattern($1, likewise_etc_t, likewise_etc_t)
+')
+
+
+# This interace grants the likewise daemons a common set of rules.
+# daemon domain (lwregd_t): $1
+# daemon executable (lwregd_exec_t): $2
+# daemon pid (lwregd_var_run_t): $3
+# daemon client socket (lwregd_var_socket_t): $4
+# daemon privately managed files in /var/lib/likewise-open: $5
+interface(`likewise_daemon',`
+ gen_require(`
+ type likewise_etc_t, likewise_var_lib_t;
+ ')
+
+ # Mark $1 as domain and $2 as an entrypoint into that domain.
+ init_daemon_domain($1, $2)
+
+ # Mark $3 as a pid file and allow it to be creat/read/write by $1
+ files_pid_file($3)
+ manage_files_pattern($1, $3, $3)
+ files_pid_filetrans($1, $3, file)
+
+ # Mark $4 as a socket for client access
+ files_type($4)
+ filetrans_pattern($1,likewise_var_lib_t,$4, sock_file)
+ manage_sock_files_pattern($1,likewise_var_lib_t,$4)
+ manage_files_pattern($1,$4,$4)
+
+ # Mark $5 as files, privately managed under /var/lib/likewise-open
+ files_type($5)
+ allow $1 likewise_var_lib_t:dir manage_file_perms;
+ allow $1 $5:file manage_file_perms;
+ allow $1 $5:dir manage_dir_perms;
+ allow $1 $5:sock_file manage_sock_file_perms;
+
+ filetrans_pattern($1,likewise_var_lib_t,$5, {file dir})
+
+ allow $1 self:process { signal_perms getsched setsched };
+ allow $1 self:fifo_file rw_fifo_file_perms;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 $4:unix_stream_socket create_stream_socket_perms;
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ # Read /etc
+ files_read_etc_files($1)
+
+ # Permit use of syslog
+ logging_send_syslog_msg($1)
+
+ # Permit use of locale
+ miscfiles_read_localization($1)
+
+ # Permit use of dev random/urandom
+ dev_read_urand($1)
+ dev_read_rand($1)
+')
+
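Review bot: `likewise_stream_connect_dcerpcd` gives every caller `allow $1 dcerpcd_var_socket_t:sock_file unlink;`, which none of the other connect interfaces grant and which a client that only connects should not need; unless stale-socket cleanup by clients is intended and documented, drop that line. All six connect interfaces call `files_search_pids($1)` although likewise.fc places the sockets under /var/lib/likewise-open, so `files_search_var_lib($1)` appears to be what is meant; the `auth_use_nsswitch` change in authlogin.if depends on `likewise_stream_connect_lsassd` and inherits the same gap. In `likewise_daemon`, `allow $1 likewise_var_lib_t:dir manage_file_perms;` applies a file permission set to the dir class, and `allow $1 $4:unix_stream_socket create_stream_socket_perms;` names the sock_file type as a socket target; both look unintended. `likewise_daemon` also lacks the `## <summary>` / `## <param>` header that the other interfaces carry.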
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
new file mode 100644
index 0000000..cf59f42
--- /dev/null
+++ b/policy/modules/services/likewise.te
@@ -0,0 +1,273 @@
+
+policy_module(likewise, 1.12.0)
+
+#################################
+#
+# Declarations
+#
+
+# dcerpcd domain:
+type dcerpcd_t;
+# The type of the /usr/sbin/dcerpcd executable:
+type dcerpcd_exec_t;
+# PID file /var/run/dcerpcd.pid
+type dcerpcd_var_run_t;
+# Socket for client access /var/lib/likewise-open/. FIXME
+type dcerpcd_var_socket_t;
+# dcerpcd specific files
+type dcerpcd_var_lib_t;
+
+likewise_daemon(dcerpcd_t, dcerpcd_exec_t, dcerpcd_var_run_t,dcerpcd_var_socket_t,dcerpcd_var_lib_t)
+
+corenet_tcp_bind_generic_node(dcerpcd_t)
+corenet_tcp_bind_reserved_port(dcerpcd_t)
+corenet_tcp_connect_generic_port(dcerpcd_t)
+corenet_udp_bind_generic_node(dcerpcd_t)
+corenet_udp_bind_reserved_port(dcerpcd_t)
+
+# Permit use of Likewise Open Registry
+likewise_stream_connect_lwregd(dcerpcd_t)
+
+
+# eventlogd domain:
+type eventlogd_t;
+# The type of the /usr/sbin/eventlogd executable:
+type eventlogd_exec_t;
+# PID file /var/run/eventlogd.pid
+type eventlogd_var_run_t;
+# Socket for client access /var/lib/likewise-open/. FIXME
+type eventlogd_var_socket_t;
+# dcerpcd specific files
+type eventlogd_var_lib_t;
+
+likewise_daemon(eventlogd_t,eventlogd_exec_t,eventlogd_var_run_t,eventlogd_var_socket_t,eventlogd_var_lib_t)
+
+corenet_tcp_bind_generic_node(eventlogd_t)
+corenet_tcp_bind_reserved_port(eventlogd_t)
+corenet_udp_bind_generic_node(eventlogd_t)
+corenet_udp_bind_reserved_port(eventlogd_t)
+
+likewise_stream_connect_lwregd(eventlogd_t)
+likewise_stream_connect_dcerpcd(eventlogd_t)
+
+
+
+# lsassd domain:
+type lsassd_t;
+# The type of the /usr/sbin/lsassd executable:
+type lsassd_exec_t;
+# PID file /var/run/lsassd.pid
+type lsassd_var_run_t;
+# Socket for client access /var/lib/likewise-open/.lsassd
+type lsassd_var_socket_t;
+# lsassd specific files
+type lsassd_var_lib_t;
+
+likewise_daemon(lsassd_t,lsassd_exec_t,lsassd_var_run_t,lsassd_var_socket_t,lsassd_var_lib_t)
+
+allow lsassd_t self:capability {fowner chown fsetid dac_override sys_time};
+allow lsassd_t self:unix_stream_socket {create_stream_socket_perms connectto};
+allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
+# Because lsassd calls access(), we need these two
+corecmd_exec_bin(lsassd_t);
+corecmd_exec_shell(lsassd_t);
+
+kerberos_use(lsassd_t)
+
+corenet_tcp_connect_reserved_port(lsassd_t)
+corenet_tcp_sendrecv_all_reserved_ports(lsassd_t)
+sysnet_use_ldap(lsassd_t)
+sysnet_read_config(lsassd_t)
+
+kernel_read_system_state(lsassd_t)
+kernel_getattr_proc_files(lsassd_t)
+kernel_list_all_proc(lsassd_t)
+kernel_list_proc(lsassd_t)
+
+files_manage_generic_tmp_dirs(lsassd_t)
+files_manage_generic_tmp_files(lsassd_t)
+gen_require(`
+ type krb5_keytab_t;
+')
+allow lsassd_t krb5_keytab_t:file {read lock getattr write open};
+
+domain_obj_id_change_exemption(lsassd_t)
+selinux_get_fs_mount(lsassd_t)
+selinux_validate_context(lsassd_t)
+seutil_read_config(lsassd_t)
+seutil_read_default_contexts(lsassd_t)
+seutil_read_file_contexts(lsassd_t)
+seutil_run_semanage(lsassd_t, lsassd_t)
+
+userdom_home_filetrans_user_home_dir(lsassd_t)
+userdom_manage_home_role(system_r, lsassd_t)
+#gen_require(`
+# type home_root_t;
+#')
+allow lsassd_t home_root_t:dir relabelto;
+
+likewise_stream_connect_lwregd(lsassd_t)
+likewise_stream_connect_netlogond(lsassd_t)
+likewise_stream_connect_lwiod(lsassd_t)
+likewise_stream_connect_eventlogd(lsassd_t)
+likewise_stream_connect_dcerpcd(lsassd_t)
+
+likewise_rw_etc(lsassd_t)
+files_manage_etc_files(lsassd_t)
+files_manage_etc_symlinks(lsassd_t)
+files_manage_etc_runtime_files(lsassd_t)
+allow lsassd_t netlogond_var_lib_t:file read_file_perms;
+allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
+
+#
+# lwiod domain:
+#
+type lwiod_t;
+# The type of the /usr/sbin/lwiod executable:
+type lwiod_exec_t;
+# PID file /var/run/lwiod.pid
+type lwiod_var_run_t;
+# Socket for client access /var/lib/likewise-open/.lwiod
+type lwiod_var_socket_t;
+# lwiod specific files
+type lwiod_var_lib_t;
+
+likewise_daemon(lwiod_t,lwiod_exec_t,lwiod_var_run_t,lwiod_var_socket_t,lwiod_var_lib_t)
+
+
+kerberos_rw_config(lwiod_t)
+kerberos_use(lwiod_t)
+allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
+allow lwiod_t netlogond_var_lib_t:file read_file_perms;
+
+corenet_tcp_bind_generic_node(lwiod_t)
+corenet_tcp_bind_smbd_port(lwiod_t)
+corenet_tcp_connect_smbd_port(lwiod_t)
+allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
+
+sysnet_read_config(lwiod_t)
+
+likewise_stream_connect_lwregd(lwiod_t)
+likewise_stream_connect_lsassd(lwiod_t)
+
+
+# lwregd domain
+type lwregd_t;
+# The type of the /usr/sbin/lwregd executable:
+type lwregd_exec_t;
+# PID file /var/run/lwregd.pid
+type lwregd_var_run_t;
+# Socket for client access /var/lib/likewise-open/.regsd
+type lwregd_var_socket_t;
+# Registry specific files, like /var/run/likewise-open/db/regcache.db
+type lwregd_var_lib_t;
+
+likewise_daemon(lwregd_t,lwregd_exec_t,lwregd_var_run_t,lwregd_var_socket_t,lwregd_var_lib_t)
+
+# lwsmd domain:
+type lwsmd_t;
+# The type of the /usr/sbin/lwsmd executable:
+type lwsmd_exec_t;
+# PID file /var/run/??.pid
+type lwsmd_var_run_t;
+# Socket for client access /var/lib/likewise-open/.lwsm
+type lwsmd_var_socket_t;
+# Netlogond specific files
+type lwsmd_var_lib_t;
+
+likewise_daemon(lwsmd_t,lwsmd_exec_t,lwsmd_var_run_t,lwsmd_var_socket_t,lwsmd_var_lib_t)
+
+corenet_tcp_bind_generic_node(lwsmd_t)
+corenet_tcp_bind_reserved_port(lwsmd_t)
+corenet_tcp_bind_smbd_port(lwsmd_t)
+corenet_udp_bind_generic_node(lwsmd_t)
+corenet_udp_bind_reserved_port(lwsmd_t)
+likewise_rw_etc(lwsmd_t)
+
+likewise_stream_connect_lwiod(lwsmd_t)
+likewise_stream_connect_lwregd(lwsmd_t)
+
+# When lwsmd starts the daemons, transition to their context:
+domtrans_pattern(lwsmd_t,dcerpcd_exec_t,dcerpcd_t)
+domtrans_pattern(lwsmd_t,eventlogd_exec_t,eventlogd_t)
+domtrans_pattern(lwsmd_t,lsassd_exec_t,lsassd_t)
+domtrans_pattern(lwsmd_t,lwiod_exec_t,lwiod_t)
+domtrans_pattern(lwsmd_t,lwregd_exec_t,lwregd_t)
+domtrans_pattern(lwsmd_t,netlogond_exec_t,netlogond_t)
+domtrans_pattern(lwsmd_t,srvsvcd_exec_t,srvsvcd_t)
+
+allow lwsmd_t dcerpcd_t:process { signal siginh rlimitinh noatsecure };
+allow lwsmd_t eventlogd_t:process { signal siginh rlimitinh noatsecure };
+allow lwsmd_t lsassd_t:process { signal siginh rlimitinh noatsecure };
+allow lwsmd_t lwiod_t:process { signal siginh rlimitinh noatsecure };
+allow lwsmd_t lwregd_t:process { signal siginh rlimitinh noatsecure };
+allow lwsmd_t netlogond_t:process { signal siginh rlimitinh noatsecure };
+allow lwsmd_t srvsvcd_t:process { signal siginh rlimitinh noatsecure };
+
+# netlogond domain:
+type netlogond_t;
+# The type of the /usr/sbin/netlogond executable:
+type netlogond_exec_t;
+# PID file /var/run/??.pid
+type netlogond_var_run_t;
+# Socket for client access /var/lib/likewise-open/.netlogond
+type netlogond_var_socket_t;
+# Netlogond specific files
+type netlogond_var_lib_t;
+
+likewise_daemon(netlogond_t,netlogond_exec_t,netlogond_var_run_t,netlogond_var_socket_t,netlogond_var_lib_t)
+
+allow netlogond_t self:capability {dac_override};
+
+sysnet_dns_name_resolve(netlogond_t)
+sysnet_use_ldap(netlogond_t)
+
+likewise_stream_connect_lwregd(netlogond_t)
+
+likewise_rw_etc(netlogond_t)
+
+#
+# srvsvcd domain:
+#
+type srvsvcd_t;
+# The type of the /usr/sbin/srvsvcd executable:
+type srvsvcd_exec_t;
+# PID file /var/run/??.pid
+type srvsvcd_var_run_t;
+# Socket for client access /var/lib/likewise-open/.
+type srvsvcd_var_socket_t;
+# This may not actually exist
+type srvsvcd_var_lib_t;
+
+likewise_daemon(srvsvcd_t,srvsvcd_exec_t,srvsvcd_var_run_t,srvsvcd_var_socket_t,srvsvcd_var_lib_t)
+
+corenet_tcp_bind_generic_node(srvsvcd_t)
+corenet_tcp_bind_reserved_port(srvsvcd_t)
+
+kerberos_use(srvsvcd_t)
+
+allow srvsvcd_t likewise_etc_t:dir search_dir_perms;
+
+likewise_stream_connect_lwregd(srvsvcd_t)
+likewise_stream_connect_dcerpcd(srvsvcd_t)
+likewise_stream_connect_lwiod(srvsvcd_t)
+
+
+type likewise_etc_t;
+files_config_file(likewise_etc_t)
+
+type likewise_initrc_exec_t;
+init_script_file(likewise_initrc_exec_t)
+
+type likewise_var_lib_t;
+files_type(likewise_var_lib_t)
+
+type likewise_pstore_lock_t;
+files_type(likewise_pstore_lock_t)
+
+type likewise_krb5_ad_t;
+files_type(likewise_krb5_ad_t)
+
+type likewise_krb5_affinity_t;
+files_type(likewise_krb5_affinity_t)
+
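Review bot: The seven `allow lwsmd_t <daemon>_t:process { signal siginh rlimitinh noatsecure };` rules grant `noatsecure`, which switches off secure-exec environment sanitisation on the transition from lwsmd_t into lsassd_t and the other daemons; unless a daemon is shown to need the inherited environment, allow only the signal, e.g. `allow lwsmd_t lsassd_t:process signal;`. `allow lsassd_t home_root_t:dir relabelto;` uses home_root_t while the `gen_require` just above it is commented out, and `seutil_run_semanage(lsassd_t, lsassd_t)` passes a type where the second argument is expected to be a role. lsassd_t also receives `files_manage_etc_files`, `dac_override` and write access to krb5_keytab_t in the same block; each of these deserves a comment saying which operation needs it, as the existing `# Because lsassd calls access()` comment does for the corecmd calls. likewise_pstore_lock_t and likewise_krb5_affinity_t are declared at the end but not referenced by any rule visible in this patch.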
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index b193dd8..499093a 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1414,6 +1414,10 @@ interface(`auth_use_nsswitch',`
samba_stream_connect_winbind($1)
samba_read_var_files($1)
')
+
+ optional_policy(`
+ likewise_stream_connect_lsassd($1)
+ ')
')
########################################
--
1.6.3.3