* Allow winbindd to manage its own sockets
* Allow nbmd to rename log files
* Add new interface to encapsulate home directory creation.
* Provide tunable policy to allow samba to create home directories on
system without oddjobs PAM module.
Index: modules/services/samba.if
===================================================================
--- modules/services/samba.if (revision 2767)
+++ modules/services/samba.if (working copy)
@@ -484,17 +484,17 @@
## </param>
#
interface(`samba_stream_connect_winbind',`
- ifdef(`distro_redhat',`
- gen_require(`
- type samba_var_t, winbind_t, winbind_var_run_t;
- ')
+ gen_require(`
+ type samba_var_t, winbind_t, winbind_var_run_t;
+ ')
- files_search_pids($1)
- allow $1 samba_var_t:dir search_dir_perms;
- stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
- ',`
+ files_search_pids($1)
+ allow $1 samba_var_t:dir search_dir_perms;
+ stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)
+
+ ifndef(`distro_redhat', `
gen_require(`
- type winbind_t, winbind_tmp_t;
+ type winbind_tmp_t;
')
# the default for the socket is (poorly named):
Index: modules/services/samba.te
===================================================================
--- modules/services/samba.te (revision 2767)
+++ modules/services/samba.te (working copy)
@@ -59,6 +59,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
+## <desc>
+## <p>
+## Allow samba to create new home directories (e.g. via PAM)
+## </p>
+## </desc>
+gen_tunable(samba_create_home_dirs, false)
+
type nmbd_t;
type nmbd_exec_t;
init_daemon_domain(nmbd_t, nmbd_exec_t)
@@ -379,6 +386,14 @@
unprivuser_home_dir_filetrans_home_content(nmbd_t, { file dir })
')
+tunable_policy(`samba_create_home_dirs',`
+ ifdef(`distro_redhat', `
+ refpolicywarn(`Use of samba_create_home_dirs is discouraged. Please use pam_oddjob_mkhomedir instead.')
+ ', `
+ unprivuser_create_home_dirs(smbd_t)
+ allow smbd_t self:capability chown;
+ ')
+')
########################################
#
# nmbd Local policy
@@ -404,8 +419,7 @@
read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t)
-append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
-allow nmbd_t samba_log_t:file unlink;
+manage_files_pattern(nmbd_t, samba_log_t, samba_log_t)
read_files_pattern(nmbd_t, samba_log_t, samba_log_t)
create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
@@ -675,6 +689,7 @@
manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
Index: modules/roles/unprivuser.if
===================================================================
--- modules/roles/unprivuser.if (revision 2767)
+++ modules/roles/unprivuser.if (working copy)
@@ -146,6 +146,22 @@
########################################
## <summary>
+## Create new home directories with the proper
+## home directory label.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`unprivuser_create_home_dirs',`
+ unprivuser_home_filetrans_home_dir($1)
+ unprivuser_manage_home_dirs($1)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## subdirectories of generic user
## home directories.
