trunk: Samba/winbind update from Mike Edenfield.
parent
3338f231d5
commit
b81bfc2651
@ -1,3 +1,4 @@
|
|||||||
|
- Samba/winbind update from Mike Edenfield.
|
||||||
- Policy size optimization with a non-security file attribute from James
|
- Policy size optimization with a non-security file attribute from James
|
||||||
Carter.
|
Carter.
|
||||||
- Database labeled networking update from KaiGai Kohei.
|
- Database labeled networking update from KaiGai Kohei.
|
||||||
|
@ -124,6 +124,25 @@ interface(`unprivuser_dontaudit_search_home_dirs',`
|
|||||||
dontaudit $1 user_home_t:dir search_dir_perms;
|
dontaudit $1 user_home_t:dir search_dir_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Create generic user home directories
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`unprivuser_create_home_dir',`
|
||||||
|
gen_require(`
|
||||||
|
type user_home_dir_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
files_search_home($1)
|
||||||
|
allow $1 user_home_dir_t:dir create_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Create, read, write, and delete generic user
|
## Create, read, write, and delete generic user
|
||||||
|
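Review bot: The new `unprivuser_create_home_dir` interface grants only `create_dir_perms` on `user_home_dir_t:dir` plus `files_search_home($1)`, which by itself is not enough to create a home directory: the caller still needs the name transition so the new directory is labeled `user_home_dir_t` rather than inheriting the parent's type, and `files_search_home()` by its name grants search only. The samba.te hunk in this commit pairs it with `unprivuser_home_filetrans_home_dir(smbd_t)`, so the dependency is real but undocumented here. Add to the interface summary: `## Callers also need unprivuser_home_filetrans_home_dir() for the new directory to be labeled user_home_dir_t.`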
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(unprivuser, 1.0.0)
|
policy_module(unprivuser, 1.0.1)
|
||||||
|
|
||||||
# this module should be named user, but that is
|
# this module should be named user, but that is
|
||||||
# a compile error since user is a keyword.
|
# a compile error since user is a keyword.
|
||||||
|
@ -484,17 +484,17 @@ interface(`samba_read_winbind_pid',`
|
|||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`samba_stream_connect_winbind',`
|
interface(`samba_stream_connect_winbind',`
|
||||||
ifdef(`distro_redhat',`
|
gen_require(`
|
||||||
gen_require(`
|
type samba_var_t, winbind_t, winbind_var_run_t;
|
||||||
type samba_var_t, winbind_t, winbind_var_run_t;
|
')
|
||||||
')
|
|
||||||
|
|
||||||
files_search_pids($1)
|
files_search_pids($1)
|
||||||
allow $1 samba_var_t:dir search_dir_perms;
|
allow $1 samba_var_t:dir search_dir_perms;
|
||||||
stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
|
stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
|
||||||
',`
|
|
||||||
|
ifndef(`distro_redhat',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type winbind_t, winbind_tmp_t;
|
type winbind_tmp_t;
|
||||||
')
|
')
|
||||||
|
|
||||||
# the default for the socket is (poorly named):
|
# the default for the socket is (poorly named):
|
||||||
|
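Review bot: Dropping the `ifdef(`distro_redhat',` wrapper makes the `samba_var_t` search and the `winbind_var_run_t` stream connect unconditional, so on non-Red Hat builds every caller of `samba_stream_connect_winbind` now receives both socket locations (the `winbind_var_run_t` one here and the `winbind_tmp_t` one in the `ifndef` branch) instead of one; that looks intended given the new `winbind_tmp_t` sock_file rules in samba.te, but the interface summary, which lies outside this hunk, should state it. The `ifndef` branch's `gen_require` no longer lists `winbind_t` and relies on the now-unconditional require above it; that is valid but worth a one-line note such as `# winbind_t is required unconditionally above`. The body of `samba_stream_connect_winbind` continues past the hunk.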
@ -1,5 +1,5 @@
|
|||||||
|
|
||||||
policy_module(samba, 1.9.0)
|
policy_module(samba, 1.9.1)
|
||||||
|
|
||||||
#################################
|
#################################
|
||||||
#
|
#
|
||||||
@ -15,6 +15,13 @@ policy_module(samba, 1.9.0)
|
|||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(allow_smbd_anon_write, false)
|
gen_tunable(allow_smbd_anon_write, false)
|
||||||
|
|
||||||
|
## <desc>
|
||||||
|
## <p>
|
||||||
|
## Allow samba to create new home directories (e.g. via PAM)
|
||||||
|
## </p>
|
||||||
|
## </desc>
|
||||||
|
gen_tunable(samba_create_home_dirs, false)
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow samba to act as the domain controller, add users,
|
## Allow samba to act as the domain controller, add users,
|
||||||
@ -364,6 +371,12 @@ optional_policy(`
|
|||||||
udev_read_db(smbd_t)
|
udev_read_db(smbd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
tunable_policy(`samba_create_home_dirs',`
|
||||||
|
allow smbd_t self:capability chown;
|
||||||
|
unprivuser_create_home_dir(smbd_t)
|
||||||
|
unprivuser_home_filetrans_home_dir(smbd_t)
|
||||||
|
')
|
||||||
|
|
||||||
tunable_policy(`samba_export_all_ro',`
|
tunable_policy(`samba_export_all_ro',`
|
||||||
fs_read_noxattr_fs_files(smbd_t)
|
fs_read_noxattr_fs_files(smbd_t)
|
||||||
auth_read_all_files_except_shadow(smbd_t)
|
auth_read_all_files_except_shadow(smbd_t)
|
||||||
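Review bot: The `samba_create_home_dirs` block grants `allow smbd_t self:capability chown;`, and CAP_CHOWN cannot be scoped to home directories by policy, so while the boolean is on smbd can change ownership of any file it is otherwise allowed to write. The tunable's description in the earlier hunk of this file (`## Allow samba to create new home directories (e.g. via PAM)`) does not mention that, so an administrator enabling it does not see the extra privilege; change it to `## Allow samba to create new home directories (e.g. via PAM). Also grants smbd CAP_CHOWN.` The default of false is appropriate.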
@ -404,8 +417,7 @@ files_pid_filetrans(nmbd_t, nmbd_var_run_t, file)
|
|||||||
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
|
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
|
||||||
|
|
||||||
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
|
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
|
||||||
append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
||||||
allow nmbd_t samba_log_t:file unlink;
|
|
||||||
|
|
||||||
read_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
read_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
||||||
create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
|
||||||
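Review bot: Replacing `append_files_pattern(nmbd_t, samba_log_t, samba_log_t)` with `manage_files_pattern` widens nmbd from append-only logging to write, truncate, rename and unlink on its log files, so a compromised nmbd could overwrite or erase its own log history instead of only adding to it. If the motivation was just the `unlink` that the removed `allow nmbd_t samba_log_t:file unlink;` line granted, keeping `append_files_pattern` and adding `delete_files_pattern(nmbd_t, samba_log_t, samba_log_t)` preserves the append-only property. Either way, the `read_files_pattern` and `create_files_pattern` lines for `samba_log_t` that remain below are now subsumed by `manage_files_pattern` and can be dropped.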
@ -675,6 +687,7 @@ logging_log_filetrans(winbind_t,winbind_log_t,file)
|
|||||||
|
|
||||||
manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
|
manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
|
||||||
manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
|
manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
|
||||||
|
manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
|
||||||
files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
|
files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
|
||||||
|
|
||||||
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
|
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
|
||||||
|
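Review bot: The new `manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)` is not matched by the `files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })` two lines below, which still lists only `file` and `dir`; a socket created directly in the tmp directory would take the parent's type rather than `winbind_tmp_t`, and the new rule would not cover it. If the socket always lives inside a `winbind_tmp_t` subdirectory this is harmless, since it inherits the directory's type; otherwise change the transition to `files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir sock_file })`.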