trunk: Samba/winbind update from Mike Edenfield.

Chris PeBenito 2008-08-05 12:54:11 +00:00
parent 3338f231d5
commit b81bfc2651
5 changed files with 46 additions and 13 deletions


@ -1,3 +1,4 @@
- Samba/winbind update from Mike Edenfield.
- Policy size optimization with a non-security file attribute from James
Carter.
- Database labeled networking update from KaiGai Kohei.


@ -124,6 +124,25 @@ interface(`unprivuser_dontaudit_search_home_dirs',`
dontaudit $1 user_home_t:dir search_dir_perms;
')
########################################
## <summary>
## Create generic user home directories
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unprivuser_create_home_dir',`
gen_require(`
type user_home_dir_t;
')
files_search_home($1)
allow $1 user_home_dir_t:dir create_dir_perms;
')
########################################
## <summary>
## Create, read, write, and delete generic user
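Review bot: `unprivuser_create_home_dir` grants only `user_home_dir_t:dir create_dir_perms`, so a caller that has to place the new directory under the home root still needs the type transition and the parent-directory permissions, which this interface does not provide; the samba.te section of this commit pairs it with `unprivuser_home_filetrans_home_dir(smbd_t)`, which suggests that pairing is expected. The interface's `<summary>` should state that dependency so a later caller does not assume this interface is sufficient on its own, e.g. `## Create generic user home directories. Callers creating them under the home root must also call unprivuser_home_filetrans_home_dir().`. The interface whose summary begins at the last context line continues outside the hunk.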


@ -1,5 +1,5 @@
policy_module(unprivuser, 1.0.0)
policy_module(unprivuser, 1.0.1)
# this module should be named user, but that is
# a compile error since user is a keyword.


@ -484,17 +484,17 @@ interface(`samba_read_winbind_pid',`
## </param>
#
interface(`samba_stream_connect_winbind',`
ifdef(`distro_redhat',`
gen_require(`
type samba_var_t, winbind_t, winbind_var_run_t;
')
gen_require(`
type samba_var_t, winbind_t, winbind_var_run_t;
')
files_search_pids($1)
allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
',`
files_search_pids($1)
allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
ifndef(`distro_redhat',`
gen_require(`
type winbind_t, winbind_tmp_t;
type winbind_tmp_t;
')
# the default for the socket is (poorly named):
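Review bot: The `ifndef(`distro_redhat'` block that now follows the unconditional `stream_connect_pattern($1, winbind_var_run_t, ...)` carries no explanation of why Red Hat is excluded from the tmp-socket rules, and with the old `ifdef`/else structure gone the two parts no longer read as alternatives. A one-line comment above `ifndef(`distro_redhat',`` would keep the intent visible, e.g. `# Red Hat places the winbind socket only under the pid directory; other distros also need the tmp location below`, provided that is in fact the reason — the tmp location is only inferred here from the `winbind_tmp_t` type and the trailing comment. Since every caller on every distro now receives the pid-directory socket connect, the interface's `<summary>` above the hunk should be checked to reflect that as well. The interface body continues past the hunk.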


@ -1,5 +1,5 @@
policy_module(samba, 1.9.0)
policy_module(samba, 1.9.1)
#################################
#
@ -15,6 +15,13 @@ policy_module(samba, 1.9.0)
## </desc>
gen_tunable(allow_smbd_anon_write, false)
## <desc>
## <p>
## Allow samba to create new home directories (e.g. via PAM)
## </p>
## </desc>
gen_tunable(samba_create_home_dirs, false)
## <desc>
## <p>
## Allow samba to act as the domain controller, add users,
@ -364,6 +371,12 @@ optional_policy(`
udev_read_db(smbd_t)
')
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
unprivuser_create_home_dir(smbd_t)
unprivuser_home_filetrans_home_dir(smbd_t)
')
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
auth_read_all_files_except_shadow(smbd_t)
@ -404,8 +417,7 @@ files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
allow nmbd_t samba_log_t:file unlink;
manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
read_files_pattern(nmbd_t, samba_log_t, samba_log_t)
create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
@ -675,6 +687,7 @@ logging_log_filetrans(winbind_t,winbind_log_t,file)
manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)