[selinux-policy: 1047/3172] add swat to samba, and fix an automount mistake
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:35:25 UTC 2010
commit cbe3275e1b8cbceed55b02d9caf32b33d0883299
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Dec 9 21:07:30 2005 +0000
add swat to samba, and fix an automount mistake
refpolicy/Changelog | 1 +
refpolicy/policy/modules/kernel/filesystem.if | 2 +-
refpolicy/policy/modules/services/automount.te | 2 +-
refpolicy/policy/modules/services/samba.fc | 1 +
refpolicy/policy/modules/services/samba.te | 77 +++++++++++++++++++++++-
5 files changed, 80 insertions(+), 3 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index d7cf04d..c760ebf 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add swat to samba module.
- Miscellaneous fixes from Dan Walsh.
- Added modules:
automount
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index d7b6423..a64164e 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -2444,7 +2444,7 @@ interface(`fs_getattr_all_dirs',`
attribute filesystem_type;
')
- allow $1 filesystem_type:dir search_dir_perms;
+ allow $1 filesystem_type:dir getattr;
')
########################################
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index d1aeb62..f68c043 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -99,7 +99,7 @@ files_getattr_default_dir(automount_t)
files_exec_etc_files(automount_t)
fs_getattr_all_fs(automount_t)
-fs_getattr_all_files(automount_t)
+fs_getattr_all_dirs(automount_t)
fs_search_auto_mountpoints(automount_t)
fs_manage_auto_mountpoints(automount_t)
diff --git a/refpolicy/policy/modules/services/samba.fc b/refpolicy/policy/modules/services/samba.fc
index f076ffa..d0e6b6d 100644
--- a/refpolicy/policy/modules/services/samba.fc
+++ b/refpolicy/policy/modules/services/samba.fc
@@ -14,6 +14,7 @@
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
/usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
/usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
/usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
/usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 5e7cdde..733dc4c 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
-policy_module(samba,1.1.0)
+policy_module(samba,1.1.1)
#################################
#
@@ -54,6 +54,17 @@ domain_type(smbmount_t)
type smbmount_exec_t;
domain_entry_file(smbmount_t,smbmount_exec_t)
+type swat_t;
+type swat_exec_t;
+inetd_service_domain(swat_t,swat_exec_t)
+role system_r types swat_t;
+
+type swat_tmp_t;
+files_tmp_file(swat_tmp_t)
+
+type swat_var_run_t;
+files_pid_file(swat_var_run_t)
+
type winbind_t;
type winbind_exec_t;
init_daemon_domain(winbind_t,winbind_exec_t)
@@ -520,6 +531,70 @@ ifdef(`cups.te', `
########################################
#
+# SWAT Local policy
+#
+
+allow swat_t self:capability { setuid setgid };
+allow swat_t self:process signal_perms;
+allow swat_t self:fifo_file rw_file_perms;
+allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow swat_t self:tcp_socket connected_stream_socket_perms;
+allow swat_t self:udp_socket create_socket_perms;
+
+allow swat_t swat_tmp_t:dir create_dir_perms;
+allow swat_t swat_tmp_t:file create_file_perms;
+files_create_tmp_files(swat_t, swat_tmp_t, { file dir })
+
+allow swat_t swat_var_run_t:file create_file_perms;
+allow swat_t swat_var_run_t:dir rw_dir_perms;
+files_create_pid(swat_t,swat_var_run_t)
+
+kernel_read_kernel_sysctl(swat_t)
+kernel_read_system_state(swat_t)
+kernel_read_network_state(swat_t)
+
+corenet_non_ipsec_sendrecv(swat_t)
+corenet_tcp_sendrecv_generic_if(swat_t)
+corenet_udp_sendrecv_generic_if(swat_t)
+corenet_raw_sendrecv_generic_if(swat_t)
+corenet_tcp_sendrecv_all_nodes(swat_t)
+corenet_udp_sendrecv_all_nodes(swat_t)
+corenet_raw_sendrecv_all_nodes(swat_t)
+corenet_tcp_sendrecv_all_ports(swat_t)
+corenet_udp_sendrecv_all_ports(swat_t)
+corenet_tcp_bind_all_nodes(swat_t)
+corenet_udp_bind_all_nodes(swat_t)
+
+dev_read_urand(swat_t)
+
+files_read_etc_files(swat_t)
+files_search_home(swat_t)
+
+fs_getattr_xattr_fs(swat_t)
+
+libs_use_ld_so(swat_t)
+libs_use_shared_libs(swat_t)
+
+logging_send_syslog_msg(swat_t)
+
+miscfiles_read_localization(swat_t)
+
+sysnet_read_config(swat_t)
+
+optional_policy(`kerberos',`
+ kerberos_use(swat_t)
+')
+
+optional_policy(`nis',`
+ nis_use_ypbind(swat_t)
+')
+
+optional_policy(`nscd',`
+ nscd_use_socket(swat_t)
+')
+
+########################################
+#
# Winbind local policy
#
More information about the scm-commits
mailing list