nscd.te

policy_module(nscd, 1.16.0)

gen_require(`
	class nscd all_nscd_perms;
')

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Determine whether confined applications
##	can use nscd shared memory.
##	</p>
## </desc>
gen_tunable(nscd_use_shm, false)

attribute_role nscd_roles;

type nscd_var_run_t;
files_pid_file(nscd_var_run_t)
init_daemon_pid_file(nscd_var_run_t, dir, "nscd")

type nscd_t;
type nscd_exec_t;
init_daemon_domain(nscd_t, nscd_exec_t)
role nscd_roles types nscd_t;

type nscd_initrc_exec_t;
init_script_file(nscd_initrc_exec_t)

type nscd_log_t;
logging_log_file(nscd_log_t)

type nscd_unit_t;
init_unit_file(nscd_unit_t)

########################################
#
# Local policy
#

allow nscd_t self:capability { kill setgid setuid };
dontaudit nscd_t self:capability sys_tty_config;
allow nscd_t self:process { getattr getcap setcap setsched signal_perms };
allow nscd_t self:fifo_file read_fifo_file_perms;
allow nscd_t self:unix_stream_socket { accept listen };
allow nscd_t self:netlink_selinux_socket create_socket_perms;

allow nscd_t self:nscd { admin getstat };

allow nscd_t nscd_log_t:file { append_file_perms create_file_perms setattr_file_perms };
logging_log_filetrans(nscd_t, nscd_log_t, file)

manage_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
manage_sock_files_pattern(nscd_t, nscd_var_run_t, nscd_var_run_t)
files_pid_filetrans(nscd_t, nscd_var_run_t, { file sock_file })

can_exec(nscd_t, nscd_exec_t)

kernel_list_proc(nscd_t)
kernel_read_kernel_sysctls(nscd_t)
kernel_read_network_state(nscd_t)
kernel_read_proc_symlinks(nscd_t)

corecmd_search_bin(nscd_t)

dev_read_sysfs(nscd_t)
dev_read_rand(nscd_t)
dev_read_urand(nscd_t)

domain_search_all_domains_state(nscd_t)
domain_use_interactive_fds(nscd_t)

files_read_generic_tmp_symlinks(nscd_t)
files_read_etc_runtime_files(nscd_t)

fs_getattr_all_fs(nscd_t)
fs_search_auto_mountpoints(nscd_t)
fs_list_inotifyfs(nscd_t)

auth_getattr_shadow(nscd_t)
auth_use_nsswitch(nscd_t)

corenet_all_recvfrom_unlabeled(nscd_t)
corenet_all_recvfrom_netlabel(nscd_t)
corenet_tcp_sendrecv_generic_if(nscd_t)
corenet_tcp_sendrecv_generic_node(nscd_t)

corenet_sendrecv_all_client_packets(nscd_t)
corenet_tcp_connect_all_ports(nscd_t)
corenet_tcp_sendrecv_all_ports(nscd_t)

corenet_rw_tun_tap_dev(nscd_t)

selinux_get_fs_mount(nscd_t)
selinux_validate_context(nscd_t)
selinux_compute_access_vector(nscd_t)
selinux_compute_create_context(nscd_t)
selinux_compute_relabel_context(nscd_t)
selinux_compute_user_contexts(nscd_t)

logging_send_audit_msgs(nscd_t)
logging_send_syslog_msg(nscd_t)

miscfiles_read_localization(nscd_t)

seutil_read_config(nscd_t)
seutil_read_default_contexts(nscd_t)
seutil_sigchld_newrole(nscd_t)

userdom_dontaudit_use_user_terminals(nscd_t)
userdom_dontaudit_use_unpriv_user_fds(nscd_t)
userdom_dontaudit_search_user_home_dirs(nscd_t)

optional_policy(`
	accountsd_dontaudit_rw_fifo_file(nscd_t)
')

optional_policy(`
	cron_read_system_job_tmp_files(nscd_t)
')

optional_policy(`
	tunable_policy(`samba_domain_controller',`
		samba_append_log(nscd_t)
		samba_dontaudit_use_fds(nscd_t)
	')

	samba_read_config(nscd_t)
	samba_read_var_files(nscd_t)
')

optional_policy(`
	udev_read_db(nscd_t)
')

optional_policy(`
	xen_dontaudit_rw_unix_stream_sockets(nscd_t)
	xen_append_log(nscd_t)
')