[selinux-policy: 1368/3172] fix bad rules in samba, bug 1623

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:03:43 UTC 2010


commit eeb8ea4b81a2fed1e48d3a535e2024ff994145b0
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Apr 17 19:51:46 2006 +0000

    fix bad rules in samba, bug 1623

 refpolicy/policy/modules/kernel/filesystem.if |   19 +++++++++++++++++++
 refpolicy/policy/modules/services/samba.te    |   20 +++++++-------------
 2 files changed, 26 insertions(+), 13 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 2f6ce0e..a4930d9 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -2412,6 +2412,25 @@ interface(`fs_getattr_tmpfs_dirs',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to get the attributes
+##	of tmpfs directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	dontaudit $1 tmpfs_t:dir getattr;
+')
+
+########################################
+## <summary>
 ##	Set the attributes of tmpfs directories.
 ## </summary>
 ## <param name="domain">
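Review bot: The parameter description on the new `fs_dontaudit_getattr_tmpfs_dirs` interface reads `Domain allowed access.`, but the interface only emits a `dontaudit` rule and grants nothing. Change it to `Domain to not audit.` so the generated interface documentation does not suggest that callers gain getattr on `tmpfs_t` directories. The hunk ends inside the header comment of the following interface, which this commit leaves unchanged.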
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index e836628..306e2ae 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -245,6 +245,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
 
 dev_read_sysfs(smbd_t)
 dev_read_urand(smbd_t)
+dev_getattr_mtrr_dev(smbd_t)
 dev_dontaudit_getattr_usbfs_dirs(smbd_t)
 
 fs_getattr_all_fs(smbd_t)
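Review bot: `dev_getattr_mtrr_dev(smbd_t)` is an unconditional allow whose definition is not part of this diff, so confirm that it grants no more than the `mtrr_device_t:file getattr` of the raw rule it replaces (removed in the last hunk of this file). Swapping a raw rule for an interface can silently widen the object classes or permissions granted to a network-facing daemon. A one-line comment above the call, such as `# getattr only; carried over from the former raw allow rule (bug 1623)`, would keep the intent visible next to the other `dev_` calls.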
@@ -286,6 +287,12 @@ userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
 userdom_dontaudit_use_unpriv_user_fds(smbd_t)
 userdom_use_unpriv_users_fds(smbd_t)
 
+ifdef(`hide_broken_symptoms', `
+	files_dontaudit_getattr_default_dirs(smbd_t)
+	files_dontaudit_getattr_boot_dirs(smbd_t)
+	fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
+')
+
 ifdef(`targeted_policy', `
 	files_dontaudit_read_root_files(smbd_t)
 	term_dontaudit_use_generic_ptys(smbd_t)
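Review bot: The relocated `hide_broken_symptoms` block no longer covers `devpts_t`. The raw rules removed in the last hunk suppressed `smbd_t` getattr denials on `devpts_t`, `boot_t`, `default_t` and `tmpfs_t` directories, while the three calls added here cover only the last three. If that is deliberate, say so in the commit message or in a comment on this block, because builds that define `hide_broken_symptoms` will start logging those denials again. If it is not, add the matching terminal interface, which in current refpolicy is `term_dontaudit_getattr_pty_dirs(smbd_t)`; it is not visible in this diff, so check that this tree provides it.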
@@ -326,19 +333,6 @@ optional_policy(`
 	udev_read_db(smbd_t)
 ')
 
-ifdef(`hide_broken_symptoms', `
-gen_require(`
-	type boot_t, default_t, tmpfs_t;
-')
-dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr;
-dontaudit smbd_t devpts_t:dir getattr;
-')
-
-gen_require(`
-	type mtrr_device_t;
-')
-allow smbd_t mtrr_device_t:file getattr;
-
 ########################################
 #
 # nmbd Local policy

