[DSE-User] SELinux on Wheezy: nslcd

Arno Schuring aelschuring at hotmail.com
Wed Feb 8 23:10:58 UTC 2012


nslcd requires quite some modifications to make it work on my system,
but I don't think that my system deviates that much from the norm. Most
of the modifications stem from the fact that nslcd happens to be
running on the ldap server too.

Communication with the local ldap server goes through the unix socket;
the other server is contacted through a tls channel. There doesn't
appear to be a generic lib_use_ssl interface, so access to random() and
sysctl() is granted explicitly.

As previously announced, the /run context does not match /var/run
because /run/nslcd is created by the init script, not nslcd itself. The
init script context is not strictly necessary but added for
completeness' sake.


Regards,
Arno

-8<--
diff --git a/policy/modules/services/nslcd.fc b/policy/modules/services/nslcd.fc
index ce913b2..082e0a3 100644
--- a/policy/modules/services/nslcd.fc
+++ b/policy/modules/services/nslcd.fc
@@ -1,4 +1,7 @@
 /etc/nss-ldapd.conf	--	gen_context(system_u:object_r:nslcd_conf_t,s0)
 /etc/rc\.d/init\.d/nslcd --	gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+/etc/init\.d/nslcd	--	gen_context(system_u:object_r:nslcd_initrc_exec_t,s0)
+
 /usr/sbin/nslcd		--	gen_context(system_u:object_r:nslcd_exec_t,s0)
 /var/run/nslcd(/.*)?		gen_context(system_u:object_r:nslcd_var_run_t,s0)
+/run/nslcd/.*		gen_context(system_u:object_r:nslcd_var_run_t,s0)
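Review bot: the new `/run/nslcd/.*` entry does not follow the form of the existing `/var/run/nslcd(/.*)?` line just above it, so this entry labels everything under /run/nslcd as nslcd_var_run_t but never the directory itself; if leaving the directory out is deliberate (the cover letter says the init script creates it), say so in a comment next to the entry, otherwise use `/run/nslcd(/.*)?` so the two entries behave the same on relabel. The blank line inserted between the init script and /usr/sbin entries is also an unexplained layout change in an otherwise functional patch.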
diff --git a/policy/modules/services/nslcd.te b/policy/modules/services/nslcd.te
index 4e28d58..10e415a 100644
--- a/policy/modules/services/nslcd.te
+++ b/policy/modules/services/nslcd.te
@@ -1,4 +1,4 @@
-policy_module(nslcd, 1.2.0)
+policy_module(nslcd, 1.2.2)
 
 ########################################
 #
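Review bot: the module version jumps from 1.2.0 straight to 1.2.2, skipping 1.2.1; a single patch normally bumps the version by one step, so either this is rebased on a tree that already carries 1.2.1 or the bump should read `policy_module(nslcd, 1.2.1)`.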
@@ -22,6 +22,9 @@ files_type(nslcd_conf_t)
 #
 # nslcd local policy
 #
+dev_read_rand(nslcd_t)
+dev_read_urand(nslcd_t)
+kernel_read_crypto_sysctls(nslcd_t)
 
 allow nslcd_t self:capability { setgid setuid dac_override };
 allow nslcd_t self:process signal;
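Review bot: the three new interface calls are inserted above `allow nslcd_t self:capability { setgid setuid dac_override };`, but this section keeps the domain's own `self` rules first and interface calls after them (`kernel_read_system_state(nslcd_t)` sits further down); move `dev_read_rand`, `dev_read_urand` and `kernel_read_crypto_sysctls` below the `self` rules, next to the existing kernel_ call. A one-line comment saying these exist for the TLS random-number setup, as the cover letter explains, would also help, since nothing in the policy file says why a name-service daemon reads the crypto sysctls.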
@@ -32,7 +35,7 @@ allow nslcd_t nslcd_conf_t:file read_file_perms;
 manage_dirs_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
 manage_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
 manage_sock_files_pattern(nslcd_t, nslcd_var_run_t, nslcd_var_run_t)
-files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir })
+files_pid_filetrans(nslcd_t, nslcd_var_run_t, { file dir sock_file })
 
 kernel_read_system_state(nslcd_t)
 
@@ -43,3 +46,8 @@ auth_use_nsswitch(nslcd_t)
 logging_send_syslog_msg(nslcd_t)
 
 miscfiles_read_localization(nslcd_t)
+miscfiles_read_generic_certs(nslcd_t)
+
+optional_policy(`
+	ldap_stream_connect(nslcd_t)
+')
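Review bot: the new `optional_policy` block has no comment explaining that `ldap_stream_connect(nslcd_t)` is only needed when nslcd and the LDAP server share a host (the cover letter says so, the policy file does not); add a short comment above the block. Likewise `miscfiles_read_generic_certs(nslcd_t)` is presumably for the TLS channel to the remote server; a comment tying it to that use would spare the next reader a trip to the list archive.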


