* [refpolicy] samba
From: Stefan Schulze Frielinghaus @ 2008-02-03 9:07 UTC
To: SE Linux, cpebenito
[-- Attachment #1: Type: text/plain, Size: 64 bytes --]
On Debian machines smbd needs append rights for samba logfiles.
[-- Attachment #2: samba.te.patch --]
[-- Type: text/x-patch, Size: 445 bytes --]
--- /usr/src/refpolicy-20071214/policy/modules/services/samba.te 2007-12-14 15:23:18.000000000 +0100
+++ policy/modules/services/samba.te 2008-02-03 10:02:54.000000000 +0100
@@ -223,6 +223,7 @@
create_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
create_files_pattern(smbd_t,samba_log_t,samba_log_t)
+append_files_pattern(smbd_t,samba_log_t,samba_log_t)
allow smbd_t samba_log_t:dir setattr;
dontaudit smbd_t samba_log_t:dir remove_name;
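Review bot: the added append_files_pattern(smbd_t,samba_log_t,samba_log_t) line is unconditional, but the cover text justifies it only for Debian. Either wrap it in a distro_debian ifdef or state why smbd needs append on samba_log_t files on every distribution. Please also include the AVC denial that prompted the change, so the permission and object class can be checked against what this macro grants on top of the existing create_files_pattern line.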
* Re: [refpolicy] samba
From: Daniel J Walsh @ 2008-02-04 14:03 UTC
To: Stefan Schulze Frielinghaus, SE Linux
Stefan Schulze Frielinghaus wrote:
> On Debian machines smbd needs append rights for samba logfiles.
>
In Fedora smbd_t needs manage_files_pattern on smbd_log_t. Our samba
developers informed me that this is ok, since these are not security
relevant log files.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [refpolicy] samba
From: Stefan Schulze Frielinghaus @ 2008-02-04 15:05 UTC
To: Daniel J Walsh; +Cc: SE Linux, cpebenito
[-- Attachment #1: Type: text/plain, Size: 774 bytes --]
On Mon, 2008-02-04 at 09:03 -0500, Daniel J Walsh wrote:
> Stefan Schulze Frielinghaus wrote:
> > On Debian machines smbd needs append rights for samba logfiles.
> >
> In Fedora smbd_t needs manage_files_pattern on smbd_log_t. Our samba
> developers informed me that this is ok, since these are not security
> relevant log files.
OK then we can easily substitute create_files_pattern with
manage_files_pattern. Attached patch should do that.
[-- Attachment #2: samba.te.patch --]
[-- Type: text/x-patch, Size: 503 bytes --]
--- /usr/src/refpolicy-20071214/policy/modules/services/samba.te 2007-12-14 15:23:18.000000000 +0100
+++ policy/modules/services/samba.te 2008-02-04 15:59:56.000000000 +0100
@@ -222,7 +222,7 @@
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
create_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
-create_files_pattern(smbd_t,samba_log_t,samba_log_t)
+manage_files_pattern(smbd_t,samba_log_t,samba_log_t)
allow smbd_t samba_log_t:dir setattr;
dontaudit smbd_t samba_log_t:dir remove_name;
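Review bot: replacing create_files_pattern with manage_files_pattern on the samba_log_t line widens the change from the append access first requested to full management of the log files, which lets smbd_t rewrite or remove its own logs. If append is all Debian needs, the earlier one-line append_files_pattern addition is the narrower fix. Also re-check the trailing context line dontaudit smbd_t samba_log_t:dir remove_name; if the manage pattern allows remove_name on the directory, that dontaudit no longer hides anything and should be dropped in the same patch.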
* Re: [refpolicy] samba
From: Christopher J. PeBenito @ 2008-02-19 19:22 UTC
To: Stefan Schulze Frielinghaus; +Cc: Daniel J Walsh, SE Linux
On Mon, 2008-02-04 at 16:05 +0100, Stefan Schulze Frielinghaus wrote:
> On Mon, 2008-02-04 at 09:03 -0500, Daniel J Walsh wrote:
> > Stefan Schulze Frielinghaus wrote:
> > > On Debian machines smbd needs append rights for samba logfiles.
> > >
> > In Fedora smbd_t needs manage_files_pattern on smbd_log_t. Our samba
> > developers informed me that this is ok, since these are not security
> > relevant log files.
> OK then we can easily substitute create_files_pattern with
> manage_files_pattern. Attached patch should do that.
Merged.
>
> differences between files attachment (samba.te.patch)
>
> --- /usr/src/refpolicy-20071214/policy/modules/services/samba.te 2007-12-14 15:23:18.000000000 +0100
> +++ policy/modules/services/samba.te 2008-02-04 15:59:56.000000000
> +0100
> @@ -222,7 +222,7 @@
> allow smbd_t samba_etc_t:file { rw_file_perms setattr };
>
> create_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
> -create_files_pattern(smbd_t,samba_log_t,samba_log_t)
> +manage_files_pattern(smbd_t,samba_log_t,samba_log_t)
> allow smbd_t samba_log_t:dir setattr;
> dontaudit smbd_t samba_log_t:dir remove_name;
>
>
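Review bot: the merged manage_files_pattern(smbd_t,samba_log_t,samba_log_t) line carries no comment recording why smbd_t may manage its own logs; the only rationale is in the thread, where the logs are described as not security relevant. A one-line comment above the rule in samba.te would keep that reasoning with the policy. The thread's reference to smbd_log_t should also be reconciled with the samba_log_t type this hunk changes.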
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150