fc4 samba errors { read write } { search } { remove_name } - second part

[Ivan Gyurdiev]

On Sat, 2005-06-18 at 11:24 -0700, lastic miles wrote:
> Hello!
> 
> I found some things. With the command 'audit2allow'
> and the log I've got these rules:
> 
> allow nmbd_t devpts_t:chr_file { read write };
> allow smbd_t devpts_t:chr_file { read write };

I don't like these two... 

> allow smbd_t nscd_var_run_t:dir search;

Add nscd_client_domain to the daemon_domain call for smbd

> allow smbd_t samba_log_t:dir remove_name;

Samba's currently not allowed to delete logs - it seems this was
done on purpose. Why, I'm not sure - so you can't erase valuable
audit trail I suppose...

---

By the way, notice how samba doesn't use standard log macros for
this (append_logdir_domain). The only reason for this appears to 
be that the type is shared across multiple types. This is not a very
good reason. IMHO we need to change all those log/var/etc macros 
to address this issue. If you look at home_macros.te you'll see one
(rather ugly) way to address this - separate macro in one declaration
part, and another "access" part.

-- 
Ivan Gyurdiev <ivg2 at cornell.edu>
Cornell University