diff options
author | Nathan Kinder <nkinder@redhat.com> | 2009-09-24 12:02:29 -0700 |
---|---|---|
committer | Nathan Kinder <nkinder@redhat.com> | 2009-09-24 13:50:30 -0700 |
commit | ff7d08dc8bd356df7d29c771da420aec2e099e2d (patch) | |
tree | 54438d30fe23cf633260dc421fe17530d6c63a27 /selinux/dirsrv.te | |
parent | 64a62ff3bdf7bd7aea8dc4ffae3ffb130e5a34ea (diff) | |
download | ds-ff7d08dc8bd356df7d29c771da420aec2e099e2d.tar.gz ds-ff7d08dc8bd356df7d29c771da420aec2e099e2d.tar.xz ds-ff7d08dc8bd356df7d29c771da420aec2e099e2d.zip |
Allow anonymous access to be disabled.
This adds a new config switch (nsslapd-allow-anonymous-access) that
allows one to restrict all anonymous access. When this is enabled,
the connection displatch code will only allow BIND operations through
for an unauthenticated user. The BIND code will only allow the
operation through if it's not an anonymous or unauthenticated BIND.
I also fixed a missing capability in the SELinux policy that I ran
into while testing this patch.
Diffstat (limited to 'selinux/dirsrv.te')
-rw-r--r-- | selinux/dirsrv.te | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/selinux/dirsrv.te b/selinux/dirsrv.te index b40459b9..6dcabe1f 100644 --- a/selinux/dirsrv.te +++ b/selinux/dirsrv.te @@ -86,7 +86,7 @@ allow dirsrv_t self:fifo_file { read write }; # process stuff allow dirsrv_t self:process { getsched setsched signal_perms}; -allow dirsrv_t self:capability { sys_nice setuid setgid chown dac_override }; +allow dirsrv_t self:capability { sys_nice setuid setgid chown dac_override fowner }; # semaphores allow dirsrv_t self:sem all_sem_perms; |