From e4184b665f1ca1f86fb7554095a73a71ad4a46ef Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Tue, 25 Feb 2020 18:30:13 +0800
Subject: [PATCH] add allow to be access to sssd dir and file

Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
 policy/modules/admin/usermanage.te |  8 +++++
 policy/modules/contrib/sssd.if     | 72 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 43fed66..c8580a7 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -663,3 +663,11 @@ optional_policy(`
 optional_policy(`
 	stapserver_manage_lib(useradd_t)
 ')
+# avc for openEuler
+#sssd_var_lib_dir(groupadd_t)
+optional_policy(`
+	sssd_var_lib_map_file(groupadd_t)
+   sssd_var_lib_write_file(groupadd_t)
+   sssd_var_lib_map_file(useradd_t)
+   sssd_var_lib_write_file(useradd_t)
+')
diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
index 50eee3f..1b61ccd 100644
--- a/policy/modules/contrib/sssd.if
+++ b/policy/modules/contrib/sssd.if
@@ -576,3 +576,75 @@ interface(`sssd_admin',`
 	allow $1 sssd_unit_file_t:service all_service_perms;
 
 ')
+
+########################################
+## <summary>
+##      Allow to be access to sssd lib dir.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow.
+##      </summary>
+## </param>
+#
+interface(`sssd_var_lib_dir',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:dir { add_name write };
+')
+
+########################################
+## <summary>
+##      Allow to map sssd lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow.
+##      </summary>
+## </param>
+#
+interface(`sssd_var_lib_map_file',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:file map;
+')
+
+########################################
+## <summary>
+##      Allow to write sssd lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow.
+##      </summary>
+## </param>
+#
+interface(`sssd_var_lib_write_file',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:file write;
+')
+
+########################################
+## <summary>
+##      Allow to create sssd lib files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow.
+##      </summary>
+## </param>
+#
+interface(`sssd_var_lib_create_file',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:file create;
+')
-- 
1.8.3.1