[selinux-policy] - Allow smbd to use sys_admin - Remove duplicate file context for tcfmgr

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 13:59:41 UTC 2010


commit 6f256d240d9eeda161bc2f798431a6ef901cce5d
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Oct 7 09:59:45 2010 -0400

    - Allow smbd to use sys_admin
    - Remove duplicate file context for tcfmgr

 policy-F14.patch    |   18 +++++-------------
 selinux-policy.spec |    6 +++++-
 2 files changed, 10 insertions(+), 14 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index b7c8372..7ac41af 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -7236,7 +7236,7 @@ index 82842a0..369c3b5 100644
  		dbus_system_bus_client($1_wm_t)
  		dbus_session_bus_client($1_wm_t)
 diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0eb1d97..217bd0d 100644
+index 0eb1d97..46af2a4 100644
 --- a/policy/modules/kernel/corecommands.fc
 +++ b/policy/modules/kernel/corecommands.fc
 @@ -9,8 +9,11 @@
@@ -7340,15 +7340,7 @@ index 0eb1d97..217bd0d 100644
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -248,6 +273,7 @@ ifdef(`distro_gentoo',`
- /usr/share/shorewall-lite(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall6-lite(/.*)?	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/texmf/texconfig/tcfmgr --	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
- /usr/share/vhostmd/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
- 
-@@ -314,6 +340,7 @@ ifdef(`distro_redhat', `
+@@ -314,6 +339,7 @@ ifdef(`distro_redhat', `
  /usr/share/texmf/web2c/mktexdir	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexnam	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/texmf/web2c/mktexupd	--	gen_context(system_u:object_r:bin_t,s0)
@@ -7356,7 +7348,7 @@ index 0eb1d97..217bd0d 100644
  ')
  
  ifdef(`distro_suse', `
-@@ -340,3 +367,27 @@ ifdef(`distro_suse', `
+@@ -340,3 +366,27 @@ ifdef(`distro_suse', `
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -30960,7 +30952,7 @@ index 82cb169..9e72970 100644
 +	admin_pattern($1, samba_unconfined_script_exec_t)
  ')
 diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..8e36be0 100644
+index e30bb63..6e627d6 100644
 --- a/policy/modules/services/samba.te
 +++ b/policy/modules/services/samba.te
 @@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -30978,7 +30970,7 @@ index e30bb63..8e36be0 100644
  # smbd Local policy
  #
 -allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
++allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_admin sys_resource lease dac_override dac_read_search };
  dontaudit smbd_t self:capability sys_tty_config;
  allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow smbd_t self:process setrlimit;
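Review bot: The `sys_admin` added to the `allow smbd_t self:capability { ... }` rule is one of the broadest capabilities (CAP_SYS_ADMIN covers mount, quota control and many other privileged operations), and neither the rule nor the commit message records which smbd operation was denied. I would grant it on its own line with a justification, e.g. `# sys_admin: required for <operation seen in the AVC denial> (bug <BUG-ID>)` followed by `allow smbd_t self:capability sys_admin;`, so a later audit can re-check whether it is still needed. If the denial came from a call smbd tolerates failing, `dontaudit smbd_t self:capability sys_admin;` would be the narrower choice; that cannot be determined from this hunk. Since smbd handles network input, this removes the SELinux capability check as a containment layer for that privilege, although type enforcement on the target objects still applies.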
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c26a444..de35d49 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.5
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,10 @@ exit 0
 %endif
 
 %changelog
+* Thu Oct 7 2010 Dan Walsh <dwalsh at redhat.com> 3.9.5-12
+- Allow smbd to use sys_admin
+- Remove duplicate file context for tcfmgr
+
 * Wed Oct 6 2010 Dan Walsh <dwalsh at redhat.com> 3.9.5-11
 - Fix fusefs handling
 - Do not allow sandbox to manage nsplugin_rw_t

