From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mummy.ncsc.mil (mummy.ncsc.mil [144.51.88.129]) by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id m6IIYTuj010021 for ; Fri, 18 Jul 2008 14:34:29 -0400
Received: from cdptpa-omtalb.mail.rr.com (jazzhorn.ncsc.mil [144.51.5.9]) by mummy.ncsc.mil (8.12.10/8.12.10) with ESMTP id m6IIYR29020080 for ; Fri, 18 Jul 2008 18:34:27 GMT
Message-ID: <4880E2DB.7040202@kutulu.org>
Date: Fri, 18 Jul 2008 14:37:15 -0400
From: Mike Edenfield
MIME-Version: 1.0
To: "Christopher J. PeBenito"
CC: SELinux Mailing List
Subject: Re: refpolicy patch: samba enhancements
References: <487BB78D.6080500@kutulu.org> <1216393143.21191.155.camel@gorn> <4880D35C.8060302@kutulu.org> <1216405172.21191.179.camel@gorn>
In-Reply-To: <1216405172.21191.179.camel@gorn>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

Christopher J. PeBenito wrote:
> On Fri, 2008-07-18 at 13:31 -0400, Mike Edenfield wrote:
>> Christopher J. PeBenito wrote:
>>> On Mon, 2008-07-14 at 16:31 -0400, Mike Edenfield wrote:
>>>> +tunable_policy(`samba_create_home_dirs',`
>>>> + unprivuser_home_filetrans_home_dir(smbd_t)
>>>> + unprivuser_manage_home_dirs(smbd_t)
>>> I think we want this to be unprivuser_create_home_dirs(), which would
>>> need to be added.
>> That was my first instinct but I didn't see one already present, so I
>> just copied what I found for oddjob_mkhomedir.
>>
>> I'll define a new interface for this -- I assume that's probably a
>> separate patch?
>
> No, it's fine to include it in this one.
>
>> And I should convert the sysadm role and oddjob type to
>> use the interface?
>
> Sysadm is fine as is, since it already has broad powers for managing
> users. I'm not sure about the oddjob usage; you'd have to check the
> program's features to see if it does other things in addition to just
> creating the dirs.
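Review bot: the quoted tunable_policy block grants unprivuser_manage_home_dirs(smbd_t), which gives smbd_t full manage rights over user home directories when the samba_create_home_dirs case only needs to create them; replacing the two calls with the narrower unprivuser_create_home_dirs() interface discussed here keeps the tunable's grant limited to directory creation plus the filetrans, so a compromised smbd gains no write access to existing home directories from this tunable.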
>

The reason I mentioned it is because both sysadm and oddjob use the same
two interfaces I put in the samba patch. In fact, I don't see anywhere in
the ref policy that manage_home_dirs is ever used without the filetrans
interface right before it. This leads me to suggest that I just add a call
to home_filetrans_home_dir inside manage_home_dirs, since it seems to be
almost a prerequisite anyway.

I just checked oddjob -- it calls a series of related interfaces, which
sysadm and the samba policy already also called, so perhaps all of these
can be put into a "create_home_directories" interface and simplify the
policy in three places:

unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t)
unprivuser_manage_home_content_dirs(oddjob_mkhomedir_t)
unprivuser_manage_home_content_files(oddjob_mkhomedir_t)
unprivuser_manage_home_dirs(oddjob_mkhomedir_t)
unprivuser_home_dir_filetrans_home_content(oddjob_mkhomedir_t,notdevfile_class_set)

--Mike

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
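As an added sketch, not the patch under discussion and not refpolicy's own code, here is one way the unprivuser_create_home_dirs() interface proposed in this thread could be written in refpolicy's m4 interface language, followed by the narrower tunable_policy block in samba.te that would use it. It assumes the type names user_home_dir_t and home_root_t and the permission sets create_dir_perms and search_dir_perms as they existed in refpolicy of that era; populating the new directory's contents (the oddjob_mkhomedir case) would need a separate, wider interface.

```m4
########################################
## <summary>
##	Create user home directories without managing their contents.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unprivuser_create_home_dirs',`
	gen_require(`
		# assumed type names from the refpolicy of that era
		type home_root_t, user_home_dir_t;
	')

	# Walk /home (home_root_t) and create the directory; only
	# create and getattr on the new directory, not full manage.
	allow $1 home_root_t:dir search_dir_perms;
	allow $1 user_home_dir_t:dir create_dir_perms;

	# Label the new directory user_home_dir_t instead of letting it
	# inherit home_root_t; filetrans_pattern also grants the
	# add_name/write on home_root_t that creation needs.
	filetrans_pattern($1, home_root_t, user_home_dir_t, dir)
')

########################################
# In samba.te: the tunable block from the patch, using the new
# interface instead of the filetrans + manage_home_dirs pair.
tunable_policy(`samba_create_home_dirs',`
	unprivuser_create_home_dirs(smbd_t)
')
```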