[selinux-policy: 1978/3172] trunk: Samba/winbind update from Mike Edenfield.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:55:51 UTC 2010
commit b81bfc2651cb23ce958c531ab42552dc90b479a8
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Aug 5 12:54:11 2008 +0000
trunk: Samba/winbind update from Mike Edenfield.
Changelog | 1 +
policy/modules/roles/unprivuser.if | 19 +++++++++++++++++++
policy/modules/roles/unprivuser.te | 2 +-
policy/modules/services/samba.if | 18 +++++++++---------
policy/modules/services/samba.te | 19 ++++++++++++++++---
5 files changed, 46 insertions(+), 13 deletions(-)
---
diff --git a/Changelog b/Changelog
index 647ef43..23fab1a 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Samba/winbind update from Mike Edenfield.
- Policy size optimization with a non-security file attribute from James
Carter.
- Database labeled networking update from KaiGai Kohei.
diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
index c968955..8ac6b36 100644
--- a/policy/modules/roles/unprivuser.if
+++ b/policy/modules/roles/unprivuser.if
@@ -126,6 +126,25 @@ interface(`unprivuser_dontaudit_search_home_dirs',`
########################################
## <summary>
+## Create generic user home directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unprivuser_create_home_dir',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 user_home_dir_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete generic user
## home directories.
## </summary>
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 6a1254b..2092679 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,5 @@
-policy_module(unprivuser, 1.0.0)
+policy_module(unprivuser, 1.0.1)
# this module should be named user, but that is
# a compile error since user is a keyword.
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index b632cb4..e70d93f 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -484,17 +484,17 @@ interface(`samba_read_winbind_pid',`
## </param>
#
interface(`samba_stream_connect_winbind',`
- ifdef(`distro_redhat',`
- gen_require(`
- type samba_var_t, winbind_t, winbind_var_run_t;
- ')
+ gen_require(`
+ type samba_var_t, winbind_t, winbind_var_run_t;
+ ')
- files_search_pids($1)
- allow $1 samba_var_t:dir search_dir_perms;
- stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
- ',`
+ files_search_pids($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+ stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
+
+ ifndef(`distro_redhat',`
gen_require(`
- type winbind_t, winbind_tmp_t;
+ type winbind_tmp_t;
')
# the default for the socket is (poorly named):
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index a6ba34a..385389f 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
-policy_module(samba, 1.9.0)
+policy_module(samba, 1.9.1)
#################################
#
@@ -17,6 +17,13 @@ gen_tunable(allow_smbd_anon_write, false)
## <desc>
## <p>
+## Allow samba to create new home directories (e.g. via PAM)
+## </p>
+## </desc>
+gen_tunable(samba_create_home_dirs, false)
+
+## <desc>
+## <p>
## Allow samba to act as the domain controller, add users,
## groups and change passwords.
##
@@ -364,6 +371,12 @@ optional_policy(`
udev_read_db(smbd_t)
')
+tunable_policy(`samba_create_home_dirs',`
+ allow smbd_t self:capability chown;
+ unprivuser_create_home_dir(smbd_t)
+ unprivuser_home_filetrans_home_dir(smbd_t)
+')
+
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
auth_read_all_files_except_shadow(smbd_t)
@@ -404,8 +417,7 @@ files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
-append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-allow nmbd_t samba_log_t:file unlink;
+manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
read_files_pattern(nmbd_t, samba_log_t, samba_log_t)
create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -675,6 +687,7 @@ logging_log_filetrans(winbind_t,winbind_log_t,file)
manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
More information about the scm-commits
mailing list