[selinux-policy] - Allow smbd to use sys_admin - Remove duplicate file context for tcfmgr
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 13:59:41 UTC 2010
commit 6f256d240d9eeda161bc2f798431a6ef901cce5d
Author: Dan Walsh <dwalsh at redhat.com>
Date: Thu Oct 7 09:59:45 2010 -0400
- Allow smbd to use sys_admin
- Remove duplicate file context for tcfmgr
policy-F14.patch | 18 +++++-------------
selinux-policy.spec | 6 +++++-
2 files changed, 10 insertions(+), 14 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index b7c8372..7ac41af 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -7236,7 +7236,7 @@ index 82842a0..369c3b5 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 0eb1d97..217bd0d 100644
+index 0eb1d97..46af2a4 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -9,8 +9,11 @@
@@ -7340,15 +7340,7 @@ index 0eb1d97..217bd0d 100644
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -248,6 +273,7 @@ ifdef(`distro_gentoo',`
- /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
- /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
-+/usr/share/texmf/texconfig/tcfmgr -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
- /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-
-@@ -314,6 +340,7 @@ ifdef(`distro_redhat', `
+@@ -314,6 +339,7 @@ ifdef(`distro_redhat', `
/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0)
@@ -7356,7 +7348,7 @@ index 0eb1d97..217bd0d 100644
')
ifdef(`distro_suse', `
-@@ -340,3 +367,27 @@ ifdef(`distro_suse', `
+@@ -340,3 +366,27 @@ ifdef(`distro_suse', `
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -30960,7 +30952,7 @@ index 82cb169..9e72970 100644
+ admin_pattern($1, samba_unconfined_script_exec_t)
')
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
-index e30bb63..8e36be0 100644
+index e30bb63..6e627d6 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -152,9 +152,6 @@ domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
@@ -30978,7 +30970,7 @@ index e30bb63..8e36be0 100644
# smbd Local policy
#
-allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
++allow smbd_t self:capability { chown fowner kill setgid setuid sys_nice sys_admin sys_resource lease dac_override dac_read_search };
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c26a444..de35d49 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.5
-Release: 11%{?dist}
+Release: 12%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -470,6 +470,10 @@ exit 0
%endif
%changelog
+* Thu Oct 7 2010 Dan Walsh <dwalsh at redhat.com> 3.9.5-12
+- Allow smbd to use sys_admin
+- Remove duplicate file context for tcfmgr
+
* Wed Oct 6 2010 Dan Walsh <dwalsh at redhat.com> 3.9.5-11
- Fix fusefs handling
- Do not allow sandbox to manage nsplugin_rw_t
More information about the scm-commits
mailing list