policy_module(authlogin, 2.2.1)

########################################
#
# Declarations
#
# Types and attributes for the login/PAM helper domains (chkpwd, pam,
# pam_console, updpwd, utempter) and for the credential and login-record
# files they touch (shadow, passwd, wtmp, lastlog, faillog).  The
# neverallow rules on shadow_t below are the guard for the whole module:
# only domains carrying the can_*_shadow_passwords attributes may ever
# be granted the corresponding access to shadow_t, and the policy build
# fails otherwise.
#

## <desc>
## <p>
## Allow users to login using a radius server
## </p>
## </desc>
# NOTE(review): no rule in the visible part of this file references
# authlogin_radius; confirm it is consumed elsewhere (e.g. authlogin.if)
# or it is a dead tunable.
gen_tunable(authlogin_radius, false)

## <desc>
## <p>
## Allow users to login using a sssd server
## </p>
## </desc>
# NOTE(review): the description says "sssd", but the tunable name and its
# uses at the end of this file gate the LDAP paths (sysnet_use_ldap,
# ldap/dirsrv stream connects); the sssd connect is not gated by it.
# Confirm the intended wording of the description.
gen_tunable(authlogin_nsswitch_use_ldap, false)

# Gatekeeper attributes for /etc/shadow access; enforced by the neverallow
# rules on shadow_t below.  Add a domain to one of these only when it must
# read, write or relabel shadow_t directly.
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
# Domains subject to polyinstantiated directories (see the
# allow_polyinstantiation tunable_policy blocks at the end of the file).
attribute polydomain;
# Every domain that resolves names through nsswitch; the rules applied to
# this attribute at the end of the file reach all of them at once.
attribute nsswitch_domain;

type auth_cache_t;
logging_log_file(auth_cache_t)

type auth_home_t;
userdom_user_home_content(auth_home_t)

# The password-checking helper is declared directly with the read
# attribute, which is what lets "allow chkpwd_t shadow_t:file read_file_perms"
# in its local policy pass the neverallow below.
type chkpwd_t, can_read_shadow_passwords;
type chkpwd_exec_t;
# Per-role names kept as aliases of the single chkpwd_t domain — presumably
# for compatibility with older policies that had one domain per role.
typealias chkpwd_t alias { user_chkpwd_t staff_chkpwd_t sysadm_chkpwd_t };
typealias chkpwd_t alias { auditadm_chkpwd_t secadm_chkpwd_t system_chkpwd_t };
application_domain(chkpwd_t, chkpwd_exec_t)
role system_r types chkpwd_t;

type faillog_t;
logging_log_file(faillog_t)
# Marked MLS-trusted; the interface name suggests cross-level access to the
# failure log is permitted — confirm the exact semantics in the mls module.
mls_trusted_object(faillog_t)

type lastlog_t;
logging_log_file(lastlog_t)

type login_exec_t;
application_executable_file(login_exec_t)

# pam_console runs as a system domain started by init, not as an
# application domain like chkpwd/utempter.
type pam_console_t;
type pam_console_exec_t;
init_system_domain(pam_console_t, pam_console_exec_t)
role system_r types pam_console_t;

type pam_t;
domain_type(pam_t)
role system_r types pam_t;

type pam_exec_t;
domain_entry_file(pam_t, pam_exec_t)

type pam_tmp_t;
files_tmp_file(pam_tmp_t)

# /var/run/console lock files read by pam_console_t.
type pam_var_console_t;
files_pid_file(pam_var_console_t)

type pam_var_run_t;
files_pid_file(pam_var_run_t)

# The shadow password file.  The three neverallow rules are build-time
# assertions: any domain outside the matching attribute that is granted
# read / create+write / relabelto on shadow_t makes the policy fail to
# compile, so the attributes — not individual allow rules — define who can
# touch shadow_t.
type shadow_t;
files_security_file(shadow_t)
neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow ~can_write_shadow_passwords shadow_t:file { create write };
neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;

# /etc/passwd gets its own type; note it is a plain files_type with no
# neverallow guard, and every nsswitch_domain is given read access to it at
# the end of this file.
type passwd_file_t;
files_type(passwd_file_t)

# Password-update helper.  It is not declared with the shadow attributes
# here; presumably the auth_manage_shadow interface used in its local
# policy adds them — verify in authlogin.if.
type updpwd_t;
type updpwd_exec_t;
domain_type(updpwd_t)
domain_entry_file(updpwd_t, updpwd_exec_t)
# Exempts updpwd_t from the object-identity-change constraint (name-based
# reading; the exact constraint is defined in the domain module).
domain_obj_id_change_exemption(updpwd_t)
role system_r types updpwd_t;

type utempter_t;
type utempter_exec_t;
application_domain(utempter_t, utempter_exec_t)

#
# var_auth_t is the type of /var/lib/auth, usually
# used for auth data in pam_able
#
type var_auth_t;
files_type(var_auth_t)

type wtmp_t;
logging_log_file(wtmp_t)

########################################
#
# Check password local policy
#
# chkpwd_t is the PAM helper that verifies a password against the shadow
# file.  It is the only domain in this file declared directly with
# can_read_shadow_passwords, so keep its rule set minimal: everything
# granted here is reachable from a password prompt.
#

# dac_override is presumably what lets the helper open the root-owned
# shadow file when the PAM stack runs as an unprivileged user; setuid is
# granted alongside it — confirm both are still needed by the current
# helper binary.
allow chkpwd_t self:capability { dac_override setuid };
# Suppress the audit noise only; sys_tty_config is not granted.
dontaudit chkpwd_t self:capability sys_tty_config;
allow chkpwd_t self:process { getattr signal };

# Read-only access to shadow_t; permitted by the neverallow rules because
# chkpwd_t carries can_read_shadow_passwords.  Do not widen to write.
allow chkpwd_t shadow_t:file read_file_perms;
files_list_etc(chkpwd_t)

kernel_read_crypto_sysctls(chkpwd_t)
# is_selinux_enabled
kernel_read_system_state(chkpwd_t)

domain_dontaudit_use_interactive_fds(chkpwd_t)

# Entropy for password hashing / salting.
dev_read_rand(chkpwd_t)
dev_read_urand(chkpwd_t)

files_read_etc_files(chkpwd_t)
# for nscd
files_dontaudit_search_var(chkpwd_t)
files_read_usr_symlinks(chkpwd_t)
files_list_tmp(chkpwd_t)

fs_dontaudit_getattr_xattr_fs(chkpwd_t)

# The helper inherits terminal descriptors from the caller; these only
# silence the resulting denials rather than grant tty/pty use.
term_dontaudit_use_console(chkpwd_t)
term_dontaudit_use_unallocated_ttys(chkpwd_t)
term_dontaudit_use_generic_ptys(chkpwd_t)
term_dontaudit_use_all_ptys(chkpwd_t)

# Adds chkpwd_t to nsswitch_domain (see the end of this file for what that
# attribute is allowed to reach).
auth_use_nsswitch(chkpwd_t)

# Authentication results go to both the audit log and syslog.
logging_send_audit_msgs(chkpwd_t)
logging_send_syslog_msg(chkpwd_t)

miscfiles_read_localization(chkpwd_t)

seutil_read_config(chkpwd_t)
seutil_dontaudit_use_newrole_fds(chkpwd_t)

userdom_dontaudit_use_user_ttys(chkpwd_t)

# On Ubuntu builds the domain is unconfined, which makes everything above
# informational only on that distro.
ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(chkpwd_t)
	')
')

optional_policy(`
	# apache leaks file descriptors
	apache_dontaudit_rw_tcp_sockets(chkpwd_t)
')

optional_policy(`
	kerberos_use(chkpwd_t)
')

optional_policy(`
	nis_authenticate(chkpwd_t)
')

########################################
#
# PAM local policy
#
# Generic pam_t domain: runtime state under pam_var_run_t, temp files
# under pam_tmp_t, and access to all ttys/ptys.
#

# Negated set: grants every process permission EXCEPT the listed ones.
# The exclusions cover the dangerous ones (ptrace, context switching,
# rlimit changes, executable memory).  As with any negated set, a
# permission added to the process class in a later kernel/policy version
# is granted here automatically — review this line when the class grows.
allow pam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
# Silence only; the capability is not granted.
dontaudit pam_t self:capability sys_tty_config;

allow pam_t self:fd use;
allow pam_t self:fifo_file rw_file_perms;
allow pam_t self:unix_dgram_socket create_socket_perms;
allow pam_t self:unix_stream_socket rw_stream_socket_perms;
allow pam_t self:unix_dgram_socket sendto;
allow pam_t self:unix_stream_socket connectto;
# SysV IPC objects are self-only.
allow pam_t self:shm create_shm_perms;
allow pam_t self:sem create_sem_perms;
allow pam_t self:msgq create_msgq_perms;
allow pam_t self:msg { send receive };

# Runtime files: read and delete, but note no create/write is granted on
# pam_var_run_t here.
delete_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
read_files_pattern(pam_t, pam_var_run_t, pam_var_run_t)
files_list_pids(pam_t)

# Private temp files; the filetrans keeps anything pam_t creates in /tmp
# labelled pam_tmp_t rather than the generic tmp type.
allow pam_t pam_tmp_t:dir manage_dir_perms;
allow pam_t pam_tmp_t:file manage_file_perms;
files_tmp_filetrans(pam_t, pam_tmp_t, { file dir })

# Adds pam_t to nsswitch_domain (rules at the end of this file).
auth_use_nsswitch(pam_t)

kernel_read_system_state(pam_t)

files_read_etc_files(pam_t)

fs_search_auto_mountpoints(pam_t)

miscfiles_read_localization(pam_t)

# Unrestricted terminal use — pam_t can read/write any tty or pty.
term_use_all_ttys(pam_t)
term_use_all_ptys(pam_t)

init_dontaudit_rw_utmp(pam_t)

logging_send_syslog_msg(pam_t)

# On Ubuntu builds the domain is unconfined and the rules above are
# informational only on that distro.
ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(pam_t)
	')
')

optional_policy(`
	locallogin_use_fds(pam_t)
')

########################################
#
# PAM console local policy
#
# pam_console_t hands console-attached device nodes to the logged-in user.
# That is why the bulk of this section is getattr/setattr pairs on device
# types, plus the ownership-changing capabilities needed to do it.  It is
# one of the more privileged helpers in this module (device ownership,
# fixed-disk setattr, MLS read/write at all levels).
#

# chown/fowner/fsetid: the ownership and mode changes on the device nodes
# listed below.
allow pam_console_t self:capability { chown fowner fsetid };
dontaudit pam_console_t self:capability sys_tty_config;

allow pam_console_t self:process { sigchld sigkill sigstop signull signal };

# for /var/run/console.lock checking
read_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
read_lnk_files_pattern(pam_console_t, pam_var_console_t, pam_var_console_t)
# Lock file is read-only for this domain; writes are denied quietly.
dontaudit pam_console_t pam_var_console_t:file write;

kernel_read_kernel_sysctls(pam_console_t)
kernel_use_fds(pam_console_t)
# Read /proc/meminfo
kernel_read_system_state(pam_console_t)

dev_read_sysfs(pam_console_t)
# Device classes whose ownership/permissions are rewritten on login and
# logout.  Each getattr/setattr pair is one device type; adding a pair here
# extends what a console user can be handed.
dev_getattr_apm_bios_dev(pam_console_t)
dev_setattr_apm_bios_dev(pam_console_t)
dev_getattr_dri_dev(pam_console_t)
dev_setattr_dri_dev(pam_console_t)
dev_getattr_input_dev(pam_console_t)
dev_setattr_input_dev(pam_console_t)
dev_getattr_framebuffer_dev(pam_console_t)
dev_setattr_framebuffer_dev(pam_console_t)
dev_getattr_generic_usb_dev(pam_console_t)
dev_setattr_generic_usb_dev(pam_console_t)
dev_getattr_misc_dev(pam_console_t)
dev_setattr_misc_dev(pam_console_t)
dev_getattr_mouse_dev(pam_console_t)
dev_setattr_mouse_dev(pam_console_t)
dev_getattr_power_mgmt_dev(pam_console_t)
dev_setattr_power_mgmt_dev(pam_console_t)
dev_getattr_printer_dev(pam_console_t)
dev_setattr_printer_dev(pam_console_t)
dev_getattr_scanner_dev(pam_console_t)
dev_setattr_scanner_dev(pam_console_t)
dev_getattr_sound_dev(pam_console_t)
dev_setattr_sound_dev(pam_console_t)
dev_getattr_video_dev(pam_console_t)
dev_setattr_video_dev(pam_console_t)
dev_getattr_xserver_misc_dev(pam_console_t)
dev_setattr_xserver_misc_dev(pam_console_t)
dev_read_urand(pam_console_t)

files_read_etc_files(pam_console_t)
files_search_pids(pam_console_t)
files_list_mnt(pam_console_t)
files_dontaudit_search_isid_type_dirs(pam_console_t)
# read /etc/mtab
files_read_etc_runtime_files(pam_console_t)

fs_list_auto_mountpoints(pam_console_t)
fs_list_noxattr_fs(pam_console_t)
fs_getattr_all_fs(pam_console_t)

# MLS override: file read and write across all sensitivity levels.  On an
# MLS policy this makes pam_console_t a trusted subject — keep its other
# rules tight.
mls_file_read_all_levels(pam_console_t)
mls_file_write_all_levels(pam_console_t)

# setattr on fixed disks, removable media and SCSI generic nodes — the same
# ownership-handoff as the dev_* pairs above, but on block storage.
storage_getattr_fixed_disk_dev(pam_console_t)
storage_setattr_fixed_disk_dev(pam_console_t)
storage_getattr_removable_dev(pam_console_t)
storage_setattr_removable_dev(pam_console_t)
storage_getattr_scsi_generic_dev(pam_console_t)
storage_setattr_scsi_generic_dev(pam_console_t)

term_use_console(pam_console_t)
term_use_all_ttys(pam_console_t)
term_use_all_ptys(pam_console_t)
term_setattr_console(pam_console_t)
term_getattr_unallocated_ttys(pam_console_t)
term_setattr_unallocated_ttys(pam_console_t)
term_use_unallocated_ttys(pam_console_t)

# Adds pam_console_t to nsswitch_domain (rules at the end of this file).
auth_use_nsswitch(pam_console_t)

domain_use_interactive_fds(pam_console_t)

init_use_fds(pam_console_t)
init_use_script_ptys(pam_console_t)

logging_send_syslog_msg(pam_console_t)

miscfiles_read_localization(pam_console_t)
miscfiles_read_generic_certs(pam_console_t)

seutil_read_file_contexts(pam_console_t)

userdom_dontaudit_use_unpriv_user_fds(pam_console_t)

# On Ubuntu builds the domain is unconfined and the rules above are
# informational only on that distro.
ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(pam_console_t)
	')
')

optional_policy(`
	gpm_getattr_gpmctl(pam_console_t)
	gpm_setattr_gpmctl(pam_console_t)
')

optional_policy(`
	hotplug_use_fds(pam_console_t)
	hotplug_dontaudit_search_config(pam_console_t)
')

optional_policy(`
	seutil_sigchld_newrole(pam_console_t)
')

optional_policy(`
	udev_read_db(pam_console_t)
')

optional_policy(`
	xserver_read_xdm_pid(pam_console_t)
	xserver_dontaudit_write_log(pam_console_t)
')

########################################
#
# updpwd local policy
#
# updpwd_t rewrites the password databases.  It is the one domain in this
# file that gets write access to shadow (via auth_manage_shadow) and
# passwd (via auth_manage_passwd), so its other rules deserve scrutiny.
#

# chown: rewritten files get their ownership restored; dac_override: the
# helper may run without root DAC access to /etc — confirm both against
# the current binary.
allow updpwd_t self:capability { chown dac_override };
# Sets the file-create context so replacement files come out with the
# right label rather than inheriting from /etc.
allow updpwd_t self:process setfscreate;
allow updpwd_t self:fifo_file rw_fifo_file_perms;
allow updpwd_t self:unix_stream_socket create_stream_socket_perms;
allow updpwd_t self:unix_dgram_socket create_socket_perms;

kernel_read_system_state(updpwd_t)

dev_read_urand(updpwd_t)

# NOTE(review): files_manage_etc_files grants manage on the generic etc
# file type, which is broader than passwd_file_t/shadow_t alone.  Worth
# checking whether the helper still needs it now that passwd has its own
# type (auth_manage_passwd below).
files_manage_etc_files(updpwd_t)
auth_manage_passwd(updpwd_t)

term_dontaudit_use_console(updpwd_t)
term_dontaudit_use_unallocated_ttys(updpwd_t)

# Write access to shadow_t.  updpwd_t is not declared with the
# can_*_shadow_passwords attributes in the declarations section, so this
# interface presumably adds them to satisfy the neverallow rules — verify
# in authlogin.if.
auth_manage_shadow(updpwd_t)
# Adds updpwd_t to nsswitch_domain (rules at the end of this file).
auth_use_nsswitch(updpwd_t)

logging_send_syslog_msg(updpwd_t)

miscfiles_read_localization(updpwd_t)

userdom_use_inherited_user_terminals(updpwd_t)

# On Ubuntu builds the domain is unconfined and the rules above are
# informational only on that distro.
ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(updpwd_t)
	')
')

########################################
#
# Utempter local policy
#
# utempter_t records terminal sessions in utmp/wtmp on behalf of
# unprivileged programs.  It writes login records (wtmp_t, utmp via
# init_rw_utmp) but is only given getattr on terminals, not use.
#

# setgid is the only capability; presumably the helper is installed
# setgid to the utmp group — confirm.
allow utempter_t self:capability setgid;
allow utempter_t self:unix_stream_socket create_stream_socket_perms;

# Append login records to wtmp.
allow utempter_t wtmp_t:file rw_file_perms;

dev_read_urand(utempter_t)

files_read_etc_files(utempter_t)

# Only stat the terminal being recorded; reading/writing inherited
# tty/pty descriptors is denied without audit noise.
term_getattr_all_ttys(utempter_t)
term_getattr_all_ptys(utempter_t)
term_dontaudit_use_all_ttys(utempter_t)
term_dontaudit_use_all_ptys(utempter_t)
term_dontaudit_use_ptmx(utempter_t)

# Adds utempter_t to nsswitch_domain (rules at the end of this file).
auth_use_nsswitch(utempter_t)

init_rw_utmp(utempter_t)

domain_use_interactive_fds(utempter_t)

logging_search_logs(utempter_t)

userdom_use_inherited_user_terminals(utempter_t)
# Allow utempter to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)

# On Ubuntu builds the domain is unconfined and the rules above are
# informational only on that distro.
ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(utempter_t)
	')
')

optional_policy(`
	xserver_use_xdm_fds(utempter_t)
	xserver_rw_xdm_pipes(utempter_t)
')

########################################
#
# Polyinstantiation
#
# Applied to every domain carrying the polydomain attribute; both pieces
# are off unless the allow_polyinstantiation tunable is enabled.
#

tunable_policy(`allow_polyinstantiation',`
	files_polyinstantiate_all(polydomain)
')

# Domain transition to the namespace init helper, only if that module is
# built and the tunable is on.
optional_policy(`
	tunable_policy(`allow_polyinstantiation',`
		namespace_init_domtrans(polydomain)
	')
')


########################################
#
# nsswitch_domain attribute rules
#
# Every domain that calls auth_use_nsswitch (in this file: chkpwd_t,
# pam_t, pam_console_t, updpwd_t, utempter_t; presumably many more across
# the policy) receives all of the access below.  A rule added here widens
# every name-service client at once, so prefer the tunable_policy /
# optional_policy wrappers already used in this section.
#

# Read access to the passwd database for all nsswitch clients.
auth_read_passwd(nsswitch_domain)

# read /etc/nsswitch.conf
files_read_etc_files(nsswitch_domain)

sysnet_dns_name_resolve(nsswitch_domain)

# LDAP-backed name service: only when the authlogin_nsswitch_use_ldap
# tunable is enabled.
tunable_policy(`authlogin_nsswitch_use_ldap',`
	files_list_var_lib(nsswitch_domain)

	miscfiles_read_generic_certs(nsswitch_domain)
	sysnet_use_ldap(nsswitch_domain)
')

optional_policy(`
	tunable_policy(`authlogin_nsswitch_use_ldap',`
		dirsrv_stream_connect(nsswitch_domain)
	')
')

optional_policy(`
	tunable_policy(`authlogin_nsswitch_use_ldap',`
		ldap_stream_connect(nsswitch_domain)
	')
')

optional_policy(`
	likewise_stream_connect_lsassd(nsswitch_domain)
')

# kerberos_use and nis_use_ypbind cannot be wrapped in the tunable above,
# but each is governed by its own boolean that can be turned off.
optional_policy(`
	kerberos_use(nsswitch_domain)
')

optional_policy(`
	nis_use_ypbind(nsswitch_domain)
')

optional_policy(`
	nscd_use(nsswitch_domain)
')

optional_policy(`
	nslcd_stream_connect(nsswitch_domain)
')

# Unlike the LDAP connects above, the sssd socket connect is not gated by
# authlogin_nsswitch_use_ldap; it is on whenever the sssd module is built.
optional_policy(`
	sssd_stream_connect(nsswitch_domain)
')

optional_policy(`
	samba_stream_connect_winbind(nsswitch_domain)
	samba_read_var_files(nsswitch_domain)
	samba_dontaudit_write_var_files(nsswitch_domain)
')