[selinux-policy: 1978/3172] trunk: Samba/winbind update from Mike Edenfield.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:55:51 UTC 2010


commit b81bfc2651cb23ce958c531ab42552dc90b479a8
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Aug 5 12:54:11 2008 +0000

    trunk: Samba/winbind update from Mike Edenfield.

 Changelog                          |    1 +
 policy/modules/roles/unprivuser.if |   19 +++++++++++++++++++
 policy/modules/roles/unprivuser.te |    2 +-
 policy/modules/services/samba.if   |   18 +++++++++---------
 policy/modules/services/samba.te   |   19 ++++++++++++++++---
 5 files changed, 46 insertions(+), 13 deletions(-)
---
diff --git a/Changelog b/Changelog
index 647ef43..23fab1a 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Samba/winbind update from Mike Edenfield.
 - Policy size optimization with a non-security file attribute from James
   Carter.
 - Database labeled networking update from KaiGai Kohei.
diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if
index c968955..8ac6b36 100644
--- a/policy/modules/roles/unprivuser.if
+++ b/policy/modules/roles/unprivuser.if
@@ -126,6 +126,25 @@ interface(`unprivuser_dontaudit_search_home_dirs',`
 
 ########################################
 ## <summary>
+##	Create generic user home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`unprivuser_create_home_dir',`
+	gen_require(`
+		type user_home_dir_t;
+	')
+
+	files_search_home($1)
+	allow $1 user_home_dir_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete generic user
 ##	home directories.
 ## </summary>
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 6a1254b..2092679 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,5 @@
 
-policy_module(unprivuser, 1.0.0)
+policy_module(unprivuser, 1.0.1)
 
 # this module should be named user, but that is
 # a compile error since user is a keyword.
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index b632cb4..e70d93f 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -484,17 +484,17 @@ interface(`samba_read_winbind_pid',`
 ## </param>
 #
 interface(`samba_stream_connect_winbind',`
-	ifdef(`distro_redhat',`
-		gen_require(`
-			type samba_var_t, winbind_t, winbind_var_run_t;
-		')
+	gen_require(`
+		type samba_var_t, winbind_t, winbind_var_run_t;
+	')
 
-		files_search_pids($1)
-		allow $1 samba_var_t:dir search_dir_perms;
-		stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
-	',`
+	files_search_pids($1)
+	allow $1 samba_var_t:dir search_dir_perms;
+	stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
+	
+	ifndef(`distro_redhat',`
 		gen_require(`
-			type winbind_t, winbind_tmp_t;
+		    type winbind_tmp_t;
 		')
 
 		# the default for the socket is (poorly named):
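Review bot: The whitespace in the new `ifndef` branch is inconsistent with the rest of the interface: L97 indents `type winbind_tmp_t;` with two tabs plus four spaces where the neighbouring lines use tabs only, and the blank line added at L93 carries a trailing tab. Both should be normalised to `		type winbind_tmp_t;` and a genuinely empty line so future diffs stay clean. The `stream_connect_pattern` to `winbind_var_run_t` now applies on every distribution rather than only under `distro_redhat`, which looks intentional but is worth a sentence in the commit message. The interface body continues past the end of this hunk.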
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index a6ba34a..385389f 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
 
-policy_module(samba, 1.9.0)
+policy_module(samba, 1.9.1)
 
 #################################
 #
@@ -17,6 +17,13 @@ gen_tunable(allow_smbd_anon_write, false)
 
 ## <desc>
 ## <p>
+## Allow samba to create new home directories (e.g. via PAM)
+## </p>
+## </desc>
+gen_tunable(samba_create_home_dirs, false)
+
+## <desc>
+## <p>
 ## Allow samba to act as the domain controller, add users,
 ## groups and change passwords.
 ## 
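Review bot: The tunable description at L116 mentions only creating home directories, but the rule block it enables later in this file (under `tunable_policy(`samba_create_home_dirs'`) also grants smbd `self:capability chown`, which is the more significant privilege for an administrator deciding whether to flip the boolean. Suggest `## Allow samba to create new home directories (e.g. via PAM). This also grants smbd the chown capability so it can hand the new directory to the user.` so the <desc> reflects everything the tunable turns on.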
@@ -364,6 +371,12 @@ optional_policy(`
 	udev_read_db(smbd_t)
 ')
 
+tunable_policy(`samba_create_home_dirs',`
+	allow smbd_t self:capability chown;
+	unprivuser_create_home_dir(smbd_t)
+	unprivuser_home_filetrans_home_dir(smbd_t)
+')
+
 tunable_policy(`samba_export_all_ro',`
 	fs_read_noxattr_fs_files(smbd_t) 
 	auth_read_all_files_except_shadow(smbd_t)
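Review bot: The `allow smbd_t self:capability chown;` at L131 is probably not sufficient on its own for smbd to chown the directory it creates: chown() also needs the `setattr` permission on the object, and `unprivuser_create_home_dir` (added in unprivuser.if in this commit) grants only `create_dir_perms` on `user_home_dir_t:dir`, which as far as I recall is just getattr and create. If smbd really does chown the new home directory for the PAM mkhomedir case the tunable describes, expect a `user_home_dir_t:dir setattr` denial; worth confirming in permissive mode and, if so, adding `allow smbd_t user_home_dir_t:dir setattr;` inside the tunable block. If the chown turns out not to be needed, the capability grant should be dropped rather than carried unused.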
@@ -404,8 +417,7 @@ files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 
 manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
-append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-allow nmbd_t samba_log_t:file unlink;
+manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 
 read_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
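Review bot: With `manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)` at L145, the `read_files_pattern` and `create_files_pattern` lines that follow at L147-L148 are redundant, since manage already includes read, create and unlink; dropping them keeps the rule set minimal. Note also that this trades the previous append-only access to nmbd's log files for full write (rewrite, truncate, rename, setattr), so a misbehaving nmbd could now alter its own logs; if the only missing permission was something specific, a narrower grant on top of `append_files_pattern` would be tighter.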
@@ -675,6 +687,7 @@ logging_log_filetrans(winbind_t,winbind_log_t,file)
 
 manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
 manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
 files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
 
 manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)

