diff --git a/Changelog b/Changelog index 647ef43..23fab1a 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Samba/winbind update from Mike Edenfield. - Policy size optimization with a non-security file attribute from James Carter. - Database labeled networking update from KaiGai Kohei. diff --git a/policy/modules/roles/unprivuser.if b/policy/modules/roles/unprivuser.if index c968955..8ac6b36 100644 --- a/policy/modules/roles/unprivuser.if +++ b/policy/modules/roles/unprivuser.if @@ -126,6 +126,25 @@ interface(`unprivuser_dontaudit_search_home_dirs',` ######################################## ## +## Create generic user home directories +## +## +## +## Domain allowed access. +## +## +# +interface(`unprivuser_create_home_dir',` + gen_require(` + type user_home_dir_t; + ') + + files_search_home($1) + allow $1 user_home_dir_t:dir create_dir_perms; +') + +######################################## +## ## Create, read, write, and delete generic user ## home directories. ## diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index 6a1254b..2092679 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,5 @@ -policy_module(unprivuser, 1.0.0) +policy_module(unprivuser, 1.0.1) # this module should be named user, but that is # a compile error since user is a keyword. diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if index b632cb4..e70d93f 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -484,17 +484,17 @@ interface(`samba_read_winbind_pid',` ## # interface(`samba_stream_connect_winbind',` - ifdef(`distro_redhat',` - gen_require(` - type samba_var_t, winbind_t, winbind_var_run_t; - ') + gen_require(` + type samba_var_t, winbind_t, winbind_var_run_t; + ') - files_search_pids($1) - allow $1 samba_var_t:dir search_dir_perms; - stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t) - ',` + files_search_pids($1) + allow $1 samba_var_t:dir search_dir_perms; + stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t) + + ifndef(`distro_redhat',` gen_require(` - type winbind_t, winbind_tmp_t; + type winbind_tmp_t; ') # the default for the socket is (poorly named): diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index a6ba34a..385389f 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -1,5 +1,5 @@ -policy_module(samba, 1.9.0) +policy_module(samba, 1.9.1) ################################# # @@ -17,6 +17,13 @@ gen_tunable(allow_smbd_anon_write, false) ## ##

+## Allow samba to create new home directories (e.g. via PAM) +##

+## +gen_tunable(samba_create_home_dirs, false) + +## +##

## Allow samba to act as the domain controller, add users, ## groups and change passwords. ## @@ -364,6 +371,12 @@ optional_policy(` udev_read_db(smbd_t) ') +tunable_policy(`samba_create_home_dirs',` + allow smbd_t self:capability chown; + unprivuser_create_home_dir(smbd_t) + unprivuser_home_filetrans_home_dir(smbd_t) +') + tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) auth_read_all_files_except_shadow(smbd_t) @@ -404,8 +417,7 @@ files_pid_filetrans(nmbd_t, nmbd_var_run_t, file) read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t) manage_dirs_pattern(nmbd_t, samba_log_t, samba_log_t) -append_files_pattern(nmbd_t, samba_log_t, samba_log_t) -allow nmbd_t samba_log_t:file unlink; +manage_files_pattern(nmbd_t, samba_log_t, samba_log_t) read_files_pattern(nmbd_t, samba_log_t, samba_log_t) create_files_pattern(nmbd_t, samba_log_t, samba_log_t) @@ -675,6 +687,7 @@ logging_log_filetrans(winbind_t,winbind_log_t,file) manage_dirs_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) +manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t) files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir }) manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)