trunk: Samba/winbind update from Mike Edenfield.
This commit is contained in:
parent
3338f231d5
commit
b81bfc2651
@ -1,3 +1,4 @@
|
||||
- Samba/winbind update from Mike Edenfield.
|
||||
- Policy size optimization with a non-security file attribute from James
|
||||
Carter.
|
||||
- Database labeled networking update from KaiGai Kohei.
|
||||
|
@ -124,6 +124,25 @@ interface(`unprivuser_dontaudit_search_home_dirs',`
|
||||
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create generic user home directories
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`unprivuser_create_home_dir',`
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
')
|
||||
|
||||
files_search_home($1)
|
||||
allow $1 user_home_dir_t:dir create_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create, read, write, and delete generic user
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(unprivuser, 1.0.0)
|
||||
policy_module(unprivuser, 1.0.1)
|
||||
|
||||
# this module should be named user, but that is
|
||||
# a compile error since user is a keyword.
|
||||
|
@ -484,17 +484,17 @@ interface(`samba_read_winbind_pid',`
|
||||
## </param>
|
||||
#
|
||||
interface(`samba_stream_connect_winbind',`
|
||||
ifdef(`distro_redhat',`
|
||||
gen_require(`
|
||||
type samba_var_t, winbind_t, winbind_var_run_t;
|
||||
')
|
||||
gen_require(`
|
||||
type samba_var_t, winbind_t, winbind_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 samba_var_t:dir search_dir_perms;
|
||||
stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
|
||||
',`
|
||||
files_search_pids($1)
|
||||
allow $1 samba_var_t:dir search_dir_perms;
|
||||
stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
gen_require(`
|
||||
type winbind_t, winbind_tmp_t;
|
||||
type winbind_tmp_t;
|
||||
')
|
||||
|
||||
# the default for the socket is (poorly named):
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(samba, 1.9.0)
|
||||
policy_module(samba, 1.9.1)
|
||||
|
||||
#################################
|
||||
#
|
||||
@ -15,6 +15,13 @@ policy_module(samba, 1.9.0)
|
||||
## </desc>
|
||||
gen_tunable(allow_smbd_anon_write, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow samba to create new home directories (e.g. via PAM)
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(samba_create_home_dirs, false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow samba to act as the domain controller, add users,
|
||||
@ -364,6 +371,12 @@ optional_policy(`
|
||||
udev_read_db(smbd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`samba_create_home_dirs',`
|
||||
allow smbd_t self:capability chown;
|
||||
unprivuser_create_home_dir(smbd_t)
|
||||
unprivuser_home_filetrans_home_dir(smbd_t)
|
||||
')
|
||||
|
||||
tunable_policy(`samba_export_all_ro',`
|
||||
fs_read_noxattr_fs_files(smbd_t)
|
||||
auth_read_all_files_except_shadow(smbd_t)
|
||||
@ -404,8 +417,7 @@ files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
|
||||
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
|
||||
|
||||
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
|
||||
append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
||||
allow nmbd_t samba_log_t:file unlink;
|
||||
manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
||||
|
||||
read_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
||||
create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
||||
@ -675,6 +687,7 @@ logging_log_filetrans(winbind_t,winbind_log_t,file)
|
||||
|
||||
manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
|
||||
manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
|
||||
manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
|
||||
files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
|
||||
|
||||
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
|
||||
|
Loading…
Reference in New Issue
Block a user