I apologize if I'm not doing this right, I'm kinda new at this...
I have made some changes to the SELinux policy for our intranet servers
that I thought might be useful to a broader audience. Included below is
a patch to the latest refpolicy. This has been tested on the Gentoo
systems we have here; I don't have easy access to other SELinux systems
at the moment. It does the following:
* Updates samba_stream_connect_winbind to match the observed behavior of
winbind
* Gives winbind access to delete its own sockets
* Gives nmbd access to fully manage (e.g. rename) log files
* Adds a tunable that lets samba create home directories via pam_mkhomedir
Index: policy/modules/services/samba.if
===================================================================
--- policy/modules/services/samba.if (revision 2758)
+++ policy/modules/services/samba.if (working copy)
@@ -484,17 +484,19 @@
## </param>
#
interface(`samba_stream_connect_winbind',`
- ifdef(`distro_redhat',`
- gen_require(`
- type samba_var_t, winbind_t, winbind_var_run_t;
- ')
+ gen_require(`
+ type samba_var_t, winbind_t, winbind_var_run_t;
+ ')
- files_search_pids($1)
- allow $1 samba_var_t:dir search_dir_perms;
- stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
- ',`
+ files_search_pids($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+ stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
+
+ ifdef(`distro_redhat',`', `
gen_require(`
- type winbind_t, winbind_tmp_t;
+ type winbind_tmp_t;
')
# the default for the socket is (poorly named):
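Review bot: The empty first branch in `ifdef(`distro_redhat',`', `` reads like an editing slip rather than intent, and nothing says why only non-Red Hat builds keep the tmp-socket rules; a comment would help, e.g. `# Red Hat builds only use the socket under /var/run; other distros also use the /tmp socket below`. Since `files_search_pids($1)` and the `winbind_var_run_t` stream connect are now granted on every distro, the interface's summary documentation above the hunk (not visible here) should be checked so it no longer describes a Red Hat-only path. The interface body continues past the end of this hunk.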
Index: policy/modules/services/samba.te
===================================================================
--- policy/modules/services/samba.te (revision 2758)
+++ policy/modules/services/samba.te (working copy)
@@ -59,6 +59,13 @@
## </desc>
gen_tunable(samba_share_nfs,false)
+## <desc>
+## <p>
+## Allow samba to create new home directories (e.g. via PAM)
+## </p>
+## </desc>
+gen_tunable(samba_create_home_dirs,false)
+
type nmbd_t;
type nmbd_exec_t;
init_daemon_domain(nmbd_t,nmbd_exec_t)
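Review bot: The new tunable's `<desc>` understates what enabling it grants: judging by the `tunable_policy` block later in this patch, it gives smbd_t management of unprivileged users' home directories plus the chown capability, not only the ability to create new ones. Administrators read this text through the tunable listings, so it should name the grant, e.g. `## Allow samba to create and manage unprivileged users' home directories (e.g. via pam_mkhomedir); also grants smbd the chown capability.`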
@@ -379,6 +386,14 @@
unprivuser_home_dir_filetrans_home_content(nmbd_t, { file dir })
')
+tunable_policy(`samba_create_home_dirs',`
+ unprivuser_home_filetrans_home_dir(smbd_t)
+ unprivuser_manage_home_dirs(smbd_t)
+
+ allow smbd_t self:capability chown;
+')
########################################
#
# nmbd Local policy
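Review bot: `allow smbd_t self:capability chown;` carries no comment explaining why a file server domain needs CAP_CHOWN, and `unprivuser_manage_home_dirs(smbd_t)` is broader than the "create home directories" the tunable advertises because it covers existing home directories too; a why-comment would help the next reviewer, e.g. `# presumably needed because pam_mkhomedir creates the directory as root and chowns it to the user — confirm`. The new block also runs straight into the `# nmbd Local policy` banner; a blank line after the closing `')` would match the surrounding layout.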
@@ -404,7 +419,7 @@
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
-append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
+manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)
allow nmbd_t samba_log_t:file unlink;
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
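Review bot: Once `append_files_pattern` becomes `manage_files_pattern` on samba_log_t, the explicit `allow nmbd_t samba_log_t:file unlink;` and the `read_files_pattern(nmbd_t,samba_log_t,samba_log_t)` on the following context lines are subsumed, since manage_file_perms already includes read and unlink. They could be dropped in the same change; leaving them is harmless but makes the grant look narrower than it actually is.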
@@ -675,6 +690,7 @@
manage_dirs_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
manage_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
+manage_sock_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
manage_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
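Review bot: `manage_sock_files_pattern` grants create, setattr, rename and unlink on sock files, while the cover message only cites winbind needing to delete its own socket. If the observed denial was unlink alone, the narrower `delete_sock_files_pattern` would match that need; if winbind also creates the socket under winbind_tmp_t, a short comment such as `# winbind creates and removes its socket under winbind_tmp_t` would document why the full pattern is required.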