On Sat, 2005-06-18 at 11:24 -0700, lastic miles wrote:
> Hello!
>
> I found some things. With the command 'audit2allow'
> and the log I've got these rules:
>
> allow nmbd_t devpts_t:chr_file { read write };
> allow smbd_t devpts_t:chr_file { read write };

I don't like these two...

> allow smbd_t nscd_var_run_t:dir search;

Add nscd_client_domain to the daemon_domain call for smbd

> allow smbd_t samba_log_t:dir remove_name;

Samba's currently not allowed to delete logs - it seems this was done on purpose. Why, I'm not sure - so you can't erase valuable audit trail I suppose...

---

By the way, notice how samba doesn't use standard log macros for this (append_logdir_domain). The only reason for this appears to be that the type is shared across multiple types. This is not a very good reason. IMHO we need to change all those log/var/etc macros to address this issue. If you look at home_macros.te you'll see one (rather ugly) way to address this - separate macro in one declaration part, and another "access" part.

--
Ivan Gyurdiev <ivg2@xxxxxxxxxxx>
Cornell University

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
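
An added example, not part of the original message or of the Fedora policy: a Python check that parses audit2allow-style rules such as the four quoted above and flags the ones that call for a human decision of the kind made in the reply, instead of being pasted into policy as generated. The per-class permission sets and the `_log_t` suffix test are assumptions of this example.

```python
import re

# One audit2allow-style rule: allow <source> <target>:<class> <perm | { perms }>;
RULE_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;")

# Assumed heuristics (not from the message): permissions that would let a
# domain remove or rewrite log content, keyed by object class.
LOG_TAMPER = {
    "dir": {"remove_name", "rmdir"},
    "file": {"unlink", "rename", "write", "setattr"},
}
LOG_TYPE_SUFFIX = "_log_t"  # assumed naming convention for log types


def parse_rules(text):
    """Return (source, target, class, perms) for every allow rule in text."""
    rules = []
    for m in RULE_RE.finditer(text):
        perms = set((m.group(4) or m.group(5)).split())
        rules.append((m.group(1), m.group(2), m.group(3), perms))
    return rules


def review(text):
    """Return (rule, note) pairs for rules that should not be added blindly."""
    findings = []
    for src, tgt, cls, perms in parse_rules(text):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        if tgt == "devpts_t" and cls == "chr_file":
            findings.append((rule, "daemon access to a pseudo-terminal"))
        elif tgt.endswith(LOG_TYPE_SUFFIX) and perms & LOG_TAMPER.get(cls, set()):
            findings.append((rule, "domain could remove or rewrite its logs"))
        elif tgt == "nscd_var_run_t":
            findings.append((rule, "use the nscd_client_domain attribute"))
    return findings


# The four rules quoted in the message above.
SAMPLE = """
allow nmbd_t devpts_t:chr_file { read write };
allow smbd_t devpts_t:chr_file { read write };
allow smbd_t nscd_var_run_t:dir search;
allow smbd_t samba_log_t:dir remove_name;
"""

if __name__ == "__main__":
    for rule, note in review(SAMPLE):
        print(f"REVIEW  {rule}\n        {note}")
```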