
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Sat, 25 Feb 2017 14:52:09
Message-Id: 1488034253.8e14efe4abf1297f7c8c341d7690802f82d798a2.perfinion@gentoo
1 commit: 8e14efe4abf1297f7c8c341d7690802f82d798a2
2 Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
3 AuthorDate: Tue Feb 21 08:29:50 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Feb 25 14:50:53 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8e14efe4
7
8 patch for samba
9
10 I merged the types nmbd_var_run_t and smbd_var_run_t because nmbd_t and smbd_t
11 interacted with each other so much there was no benefit in separating them.
12
13 Also added a tunable for reading /etc/shadow because on one of my systems I
14 couldn't get samba working without it. Maybe I misconfigured samba, but
15 others will do the same and we need to give users the choice.
16
17 Description: samba patches
18 Author: Russell Coker <russell <AT> coker.com.au>
19 Last-Update: 2017-02-21
20
21 policy/modules/contrib/samba.fc | 30 +++++++++---------
22 policy/modules/contrib/samba.te | 69 ++++++++++++++++++++++++-----------------
23 2 files changed, 55 insertions(+), 44 deletions(-)
24
25 diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
26 index d227fd82..753a009c 100644
27 --- a/policy/modules/contrib/samba.fc
28 +++ b/policy/modules/contrib/samba.fc
29 @@ -31,21 +31,21 @@
30
31 /var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
32
33 -/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
34 -/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
35 -
36 -/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
37 -/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
38 -/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
39 -/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
40 -/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
41 -/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
42 -/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
43 -/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
44 -/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
45 -/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
46 -/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
47 -/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
48 +/run/nmbd(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
49 +/run/samba/nmbd(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
50 +
51 +/run/samba(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
52 +/run/samba/brlock\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
53 +/run/samba/connections\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
54 +/run/samba/gencache\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
55 +/run/samba/locking\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
56 +/run/samba/messages\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
57 +/run/samba/namelist\.debug -- gen_context(system_u:object_r:samba_var_run_t,s0)
58 +/run/samba/nmbd\.pid -- gen_context(system_u:object_r:samba_var_run_t,s0)
59 +/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
60 +/run/samba/share_info\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
61 +/run/samba/smbd\.pid -- gen_context(system_u:object_r:samba_var_run_t,s0)
62 +/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
63
64 /run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
65 /run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
66
67 diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
68 index e7dae973..6f314b0c 100644
69 --- a/policy/modules/contrib/samba.te
70 +++ b/policy/modules/contrib/samba.te
71 @@ -6,6 +6,14 @@ policy_module(samba, 1.20.0)
72 #
73
74 ## <desc>
75 +## <p>
76 +## Determine whether smbd_t can
77 +## read shadow files.
78 +## </p>
79 +## </desc>
80 +gen_tunable(samba_read_shadow, false)
81 +
82 +## <desc>
83 ## <p>
84 ## Determine whether samba can modify
85 ## public files used for public file
86 @@ -104,8 +112,9 @@ type nmbd_t;
87 type nmbd_exec_t;
88 init_daemon_domain(nmbd_t, nmbd_exec_t)
89
90 -type nmbd_var_run_t;
91 -files_pid_file(nmbd_var_run_t)
92 +type samba_var_run_t;
93 +typealias samba_var_run_t alias { nmbd_var_run_t smbd_var_run_t };
94 +files_pid_file(samba_var_run_t)
95
96 type samba_etc_t;
97 files_config_file(samba_etc_t)
98 @@ -151,9 +160,6 @@ files_type(smbd_keytab_t)
99 type smbd_tmp_t;
100 files_tmp_file(smbd_tmp_t)
101
102 -type smbd_var_run_t;
103 -files_pid_file(smbd_var_run_t)
104 -
105 type smbmount_t;
106 type smbmount_exec_t;
107 application_domain(smbmount_t, smbmount_exec_t)
108 @@ -305,16 +311,15 @@ manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
109 manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
110 files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
111
112 -manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
113 -manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
114 -manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
115 -files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
116 +manage_dirs_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
117 +manage_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
118 +manage_sock_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
119 +files_pid_filetrans(smbd_t, samba_var_run_t, { dir file })
120
121 allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms;
122 stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
123
124 -allow smbd_t nmbd_var_run_t:file read_file_perms;
125 -stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
126 +stream_connect_pattern(smbd_t, samba_var_run_t, samba_var_run_t, nmbd_t)
127
128 kernel_getattr_core_if(smbd_t)
129 kernel_getattr_message_if(smbd_t)
130 @@ -377,6 +382,11 @@ auth_domtrans_upd_passwd(smbd_t)
131 auth_manage_cache(smbd_t)
132 auth_write_login_records(smbd_t)
133
134 +auth_can_read_shadow_passwords(smbd_t)
135 +tunable_policy(`samba_read_shadow',`
136 + auth_tunable_read_shadow(smbd_t)
137 +')
138 +
139 init_rw_utmp(smbd_t)
140
141 logging_search_logs(smbd_t)
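Review bot: `auth_can_read_shadow_passwords(smbd_t)` is applied unconditionally while only `auth_tunable_read_shadow(smbd_t)` sits inside the `tunable_policy` block, and nothing in the hunk says why. If this follows the usual refpolicy pattern, the first call adds smbd_t to the attribute that exempts it from the shadow_t neverallow, which cannot be expressed conditionally, so the boolean becomes the only thing between smbd_t and /etc/shadow once the policy is built. A comment above the pair would keep a later reader from "tidying" it into the conditional block: `# attribute assignment cannot be conditional; the neverallow exemption is permanent, only the actual shadow_t read below is gated by samba_read_shadow`. It is also worth confirming that this tree's authlogin module provides `auth_tunable_read_shadow`, since the hunk gives no indication it was checked against the Gentoo branch rather than upstream.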
142 @@ -519,11 +529,10 @@ allow nmbd_t self:tcp_socket { accept listen };
143 allow nmbd_t self:unix_dgram_socket sendto;
144 allow nmbd_t self:unix_stream_socket { accept connectto listen };
145
146 -manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
147 -manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
148 -manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
149 -files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file })
150 -filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir)
151 +manage_dirs_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
152 +manage_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
153 +manage_sock_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
154 +files_pid_filetrans(nmbd_t, samba_var_run_t, { dir file sock_file })
155
156 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
157 read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
158 @@ -542,7 +551,7 @@ files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
159
160 allow nmbd_t { swat_t smbcontrol_t }:process signal;
161
162 -allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
163 +allow nmbd_t samba_var_run_t:dir rw_dir_perms;
164
165 kernel_getattr_core_if(nmbd_t)
166 kernel_getattr_message_if(nmbd_t)
167 @@ -567,6 +576,8 @@ corenet_sendrecv_smbd_client_packets(nmbd_t)
168 corenet_tcp_connect_smbd_port(nmbd_t)
169 corenet_tcp_sendrecv_smbd_port(nmbd_t)
170
171 +corecmd_search_bin(nmbd_t)
172 +dev_read_urand(nmbd_t)
173 dev_read_sysfs(nmbd_t)
174 dev_getattr_mtrr_dev(nmbd_t)
175
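Review bot: `corecmd_search_bin(nmbd_t)` and `dev_read_urand(nmbd_t)` are new permissions for nmbd_t that neither the commit message nor the hunk explains; the description only covers the type merge and the shadow tunable. Reading urandom is plausible for a daemon that generates identifiers, but search access to binary directories is not obviously part of NetBIOS name service, and unexplained allows are exactly what later audits cannot evaluate. Please add a one-line comment naming the operation behind each, e.g. `# nmbd searches bin dirs when <operation>; seen as an AVC denial on <setup>`, or drop `corecmd_search_bin` if it was added speculatively rather than from an observed denial.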
176 @@ -618,7 +629,7 @@ allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
177 allow smbcontrol_t self:process { signal signull };
178
179 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
180 -read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
181 +read_files_pattern(smbcontrol_t, samba_var_run_t, samba_var_run_t)
182
183 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
184
185 @@ -733,8 +744,8 @@ allow swat_t self:unix_stream_socket connectto;
186
187 allow swat_t { nmbd_t smbd_t }:process { signal signull };
188
189 -allow swat_t smbd_var_run_t:file read_file_perms;
190 -allow swat_t smbd_var_run_t:file { lock delete_file_perms };
191 +allow swat_t samba_var_run_t:file read_file_perms;
192 +allow swat_t samba_var_run_t:file { lock delete_file_perms };
193
194 rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
195 read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
196 @@ -766,8 +777,8 @@ read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
197 allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms };
198 allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms };
199
200 -read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
201 -stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
202 +read_files_pattern(swat_t, samba_var_run_t, samba_var_run_t)
203 +stream_connect_pattern(swat_t, samba_var_run_t, samba_var_run_t, nmbd_t)
204
205 samba_domtrans_smbd(swat_t)
206 samba_domtrans_nmbd(swat_t)
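Review bot: After the merge, `read_files_pattern(swat_t, samba_var_run_t, samba_var_run_t)` in this hunk duplicates the `allow swat_t samba_var_run_t:file read_file_perms;` that the earlier swat hunk (the former smbd_var_run_t rule) now produces on the same type, since read_files_pattern expands to directory search plus read_file_perms on files. Before the merge these were two different types, which is why both lines existed; now one of them is dead weight that makes the swat_t rule set harder to read. Keep the `read_files_pattern` line here and drop the bare allow in the earlier hunk, so each type's access for swat_t is stated once.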
207 @@ -852,8 +863,8 @@ allow winbind_t self:tcp_socket { accept listen };
208
209 allow winbind_t nmbd_t:process { signal signull };
210
211 -allow winbind_t nmbd_var_run_t:file read_file_perms;
212 -stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
213 +allow winbind_t samba_var_run_t:file read_file_perms;
214 +stream_connect_pattern(winbind_t, samba_var_run_t, samba_var_run_t, nmbd_t)
215
216 allow winbind_t samba_etc_t:dir list_dir_perms;
217 read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
218 @@ -885,15 +896,15 @@ manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
219 manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
220 files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
221
222 -manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
223 +manage_dirs_pattern(winbind_t, { samba_var_run_t winbind_var_run_t }, winbind_var_run_t)
224 manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
225 manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
226 files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
227 -filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
228 +filetrans_pattern(winbind_t, samba_var_run_t, winbind_var_run_t, dir)
229
230 -manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
231 -manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
232 -manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
233 +manage_dirs_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
234 +manage_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
235 +manage_sock_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
236
237 kernel_read_network_state(winbind_t)
238 kernel_read_kernel_sysctls(winbind_t)
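Review bot: `manage_dirs_pattern(winbind_t, { samba_var_run_t winbind_var_run_t }, winbind_var_run_t)` now overlaps with `manage_dirs_pattern(winbind_t, samba_var_run_t, samba_var_run_t)` three lines below: the only thing the first rule adds for samba_var_run_t is directory search, which manage_dir_perms on the second already includes. As a mechanical substitution of the old type name it reads as if samba_var_run_t still needed separate search treatment, which it no longer does. Simplify the first rule to `manage_dirs_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)` so each type appears in one rule. The same applies to `allow winbind_t samba_var_run_t:file read_file_perms;` in the preceding winbind hunk, which `manage_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)` here subsumes.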