#
# Policy rules for nscd (Name Service Cache Daemon)
#

# Allow system call classes
-s cloneSys grant
-s ioctlSys grant
-s mprotectSys grant
-s openSys grant

# Allow socket creation
-c inet_dgram_socket_create grant
-c inet_stream_socket_create grant
-c unix_socket_create grant
-c unix_dgram_socket_bind grant
-c unix_dgram_socket_connect grant
-c unix_stream_socket_bind grant
-c unix_stream_socket_connect grant
-c unix_vmklink_socket_connect grant

# Allow bind to NSCD socket
-p unix_stream_socket_bind /var/run/nscd/socket grant

# Revoke bind/connect to vmwLocalSocketAuthentication
-p unix_stream_socket_connect vmwLocalSocketAuthentication revoke
-p unix_stream_socket_bind vmwLocalSocketAuthentication revoke

# Allow connect to local and remote hosts
-p inet_socket_connect loopback grant
-p inet_socket_connect nonloopback grant

# Deny all filesystem access by default (the bare "-r /" rule below carries no permission flags)
-r /
# except the following paths, each limited to the permission flags listed
-r /etc/hosts r
-r /etc/host.conf r
-r /etc/localtime r
-r /etc/nscd.conf r
-r /etc/nsswitch.conf r
-r /etc/resolv.conf r
-r /lib64 rx
-r /usr/lib/vmware/likewise rx
-r /usr/lib/vmware/nscd rx
-r /var/db/nscd/hosts w
-r /var/run/nscd/socket w
-r /var/run/nscd/nscd.pid rw
