- Allow nsswitch apps to read samba_var_t

2007-09-25 13:30:08 +00:00 · 2007-09-25 13:30:08 +00:00 · fb11ad6653
commit fb11ad6653
parent f5018f18f8
2 changed files with 70 additions and 25 deletions
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@ -2658,11 +2658,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.0.8/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2007-09-12 10:34:49.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/files.fc	2007-09-18 20:56:27.000000000 -0400
-@@ -210,6 +210,7 @@
+++ serefpolicy-3.0.8/policy/modules/kernel/files.fc	2007-09-25 09:00:58.000000000 -0400
+@@ -209,7 +209,8 @@
+ /usr/lost\+found		-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /usr/lost\+found/.*		<<none>>
 
- /usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
+-/usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
+#/usr/share(/.*)?/lib(64)?(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 +/usr/share/doc(/.*)?/README.*	gen_context(system_u:object_r:usr_t,s0)
 
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
@ -8514,8 +8516,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 /var/run/samba/brlock\.tdb	--	gen_context(system_u:object_r:smbd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.8/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2007-06-19 16:23:35.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.if	2007-09-17 16:20:18.000000000 -0400
-@@ -349,6 +349,7 @@
+++ serefpolicy-3.0.8/policy/modules/services/samba.if	2007-09-24 17:17:53.000000000 -0400
+@@ -332,6 +332,25 @@
+ 
+ ########################################
+ ## <summary>
+##	dontaudit the specified domain to
+##	write samba /var files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_dontaudit_write_var_files',`
+	gen_require(`
+		type samba_var_t;
+	')
+
+	dontaudit $1 samba_var_t:file write;
+')
+
+########################################
+## <summary>
+ ##	Allow the specified domain to
+ ##	read and write samba /var files.
+ ## </summary>
+@@ -349,6 +368,7 @@
 	files_search_var($1)
 	files_search_var_lib($1)
 	manage_files_pattern($1,samba_var_t,samba_var_t)
@ -8523,7 +8551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
 ')
 
 ########################################
-@@ -493,3 +494,102 @@
+@@ -493,3 +513,102 @@
 	allow $1 samba_var_t:dir search_dir_perms;
 	stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
 ')
@ -10428,7 +10456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-09-24 10:44:04.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-09-24 17:17:30.000000000 -0400
@@ -26,7 +26,8 @@
 	type $1_chkpwd_t, can_read_shadow_passwords;
 	application_domain($1_chkpwd_t,chkpwd_exec_t)
@ -10620,7 +10648,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlo
 	files_list_var_lib($1)
 
 	miscfiles_read_certs($1)
-@@ -1381,3 +1453,163 @@
+@@ -1347,6 +1419,8 @@
+ 
+ 	optional_policy(`
+ 		samba_stream_connect_winbind($1)
+		samba_read_var_files($1)
+		samba_dontaudit_write_var_files($1)
+ 	')
+ ')
+ 
+@@ -1381,3 +1455,163 @@
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
@ -13644,8 +13681,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-09-21 06:44:58.000000000 -0400
-@@ -5,28 +5,36 @@
+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-09-24 17:02:03.000000000 -0400
+@@ -5,28 +5,38 @@
 #
 # Declarations
 #
@ -13683,13 +13720,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 # Local policy
 #
 
+dontaudit unconfined_t self:dir write;
+
 +allow unconfined_t self:system syslog_read;
 +dontaudit unconfined_t self:capability sys_module;
 +
 domtrans_pattern(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
 
 files_create_boot_flag(unconfined_t)
-@@ -35,6 +43,7 @@
+@@ -35,6 +45,7 @@
 mcs_ptrace_all(unconfined_t)
 
 init_run_daemon(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@ -13697,7 +13736,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 
 libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 
-@@ -42,37 +51,30 @@
+@@ -42,37 +53,30 @@
 logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 
 mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@ -13715,17 +13754,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 
 optional_policy(`
 -	ada_domtrans(unconfined_t)
-')
-
-optional_policy(`
-	apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-	apache_per_role_template(unconfined,unconfined_t,unconfined_r)
-	# this is disallowed usage:
-	unconfined_domain(httpd_unconfined_script_t)
 +	ada_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
 
 optional_policy(`
+-	apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+-	apache_per_role_template(unconfined,unconfined_t,unconfined_r)
+-	# this is disallowed usage:
+-	unconfined_domain(httpd_unconfined_script_t)
+-')
+-
+-optional_policy(`
 -	bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 +	bootloader_run(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
 ')
@ -13743,7 +13782,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -118,11 +120,11 @@
+@@ -118,11 +122,11 @@
 ')
 
 optional_policy(`
@ -13757,7 +13796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -134,11 +136,7 @@
+@@ -134,11 +138,7 @@
 ')
 
 optional_policy(`
@ -13770,7 +13809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -155,32 +153,23 @@
+@@ -155,32 +155,23 @@
 
 optional_policy(`
 	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@ -13807,7 +13846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 optional_policy(`
-@@ -205,11 +194,18 @@
+@@ -205,11 +196,18 @@
 ')
 
 optional_policy(`
@ -13828,7 +13867,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
 ')
 
 ########################################
-@@ -225,8 +221,20 @@
+@@ -225,8 +223,20 @@
 
 	init_dbus_chat_script(unconfined_execmem_t)
 	unconfined_dbus_chat(unconfined_execmem_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -272,6 +272,7 @@ exit 0
 %if %{BUILD_TARGETED}
 %package targeted
 Summary: SELinux targeted base policy
+Provides: selinux-policy-base
 Group: System Environment/Base
 Obsoletes: selinux-policy-targeted-sources < 2
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
@ -315,6 +316,7 @@ exit 0
 %package olpc 
 Summary: SELinux olpc base policy
 Group: System Environment/Base
+Provides: selinux-policy-base
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
 Requires(pre): coreutils
 Requires(pre): selinux-policy = %{version}-%{release}
@ -339,6 +341,7 @@ exit 0
 %package mls 
 Summary: SELinux mls base policy
 Group: System Environment/Base
+Provides: selinux-policy-base
 Obsoletes: selinux-policy-mls-sources < 2
 Requires: policycoreutils-newrole >= %{POLICYCOREUTILSVER} setransd
 Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
@ -362,6 +365,9 @@ exit 0
 %endif

 %changelog
+* Mon Sep 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-12
+- Allow nsswitch apps to read samba_var_t
+
 * Mon Sep 24 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-11
 - Fix maxima