On Mon, 2008-02-04 at 09:03 -0500, Daniel J Walsh wrote:
> Stefan Schulze Frielinghaus wrote:
> > On Debian machines smbd needs append rights for samba logfiles.
>
> In Fedora smbd_t needs manage_files_pattern on smbd_log_t. Our samba
> developers informed me that this is ok, since these are not security
> relevant log files.

OK, then we can easily substitute create_files_pattern with manage_files_pattern. Attached patch should do that.

--- /usr/src/refpolicy-20071214/policy/modules/services/samba.te 2007-12-14 15:23:18.000000000 +0100 +++ policy/modules/services/samba.te 2008-02-04 15:59:56.000000000 +0100 @@ -222,7 +222,7 @@ allow smbd_t samba_etc_t:file { rw_file_perms setattr }; create_dirs_pattern(smbd_t,samba_log_t,samba_log_t) -create_files_pattern(smbd_t,samba_log_t,samba_log_t) +manage_files_pattern(smbd_t,samba_log_t,samba_log_t) allow smbd_t samba_log_t:dir setattr; dontaudit smbd_t samba_log_t:dir remove_name;
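
Review bot: The trailing context line `dontaudit smbd_t samba_log_t:dir remove_name;` looks stale once the file rule becomes `manage_files_pattern(smbd_t,samba_log_t,samba_log_t)`. The dontaudit silences denied removals from the log directory, while the manage pattern is what lets smbd_t unlink and rename its log files there, so the two lines now pull in opposite directions. Drop the dontaudit in this patch, or state why it stays. Separately, the request in the thread was append access on Debian, and manage is a much wider grant (create, write, unlink, rename). A one-line comment above the changed rule recording that samba logs are treated as not security relevant would document why the wider pattern was chosen over an append-only rule.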