From eeb8ea4b81a2fed1e48d3a535e2024ff994145b0 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 17 Apr 2006 19:51:46 +0000
Subject: [PATCH] fix bad rules in samba, bug 1623
---
 refpolicy/policy/modules/kernel/filesystem.if | 19 ++++++++++++++++++
 refpolicy/policy/modules/services/samba.te | 20 +++++++------------
 2 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 2f6ce0e4b..a4930d95b 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -2410,6 +2410,25 @@ interface(`fs_getattr_tmpfs_dirs',`
 allow $1 tmpfs_t:dir getattr;
 ')
+########################################
+##
+## Do not audit attempts to get the attributes
+## of tmpfs directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_dontaudit_getattr_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ dontaudit $1 tmpfs_t:dir getattr;
+')
+
 ########################################
 ##
 ## Set the attributes of tmpfs directories.
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index e83662812..306e2aec6 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -245,6 +245,7 @@ corenet_tcp_connect_smbd_port(smbd_t)
 dev_read_sysfs(smbd_t)
 dev_read_urand(smbd_t)
+dev_getattr_mtrr_dev(smbd_t)
 dev_dontaudit_getattr_usbfs_dirs(smbd_t)
 fs_getattr_all_fs(smbd_t)
@@ -286,6 +287,12 @@ userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
 userdom_dontaudit_use_unpriv_user_fds(smbd_t)
 userdom_use_unpriv_users_fds(smbd_t)
+ifdef(`hide_broken_symptoms', `
+ files_dontaudit_getattr_default_dirs(smbd_t)
+ files_dontaudit_getattr_boot_dirs(smbd_t)
+ fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
+')
+
 ifdef(`targeted_policy', `
 files_dontaudit_read_root_files(smbd_t)
 term_dontaudit_use_generic_ptys(smbd_t)
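Review bot: The new `hide_broken_symptoms` block in the samba.te hunk at +290 drops devpts_t, which the raw rules it replaces (removed in the later hunk at -329) dontaudited for dir getattr alongside boot_t, default_t and tmpfs_t; unless that denial no longer occurs, smbd_t will now log getattr on devpts_t directories whenever the symptom-hiding option is enabled. If the terminal module provides a dontaudit interface for getting the attributes of pty directories at this revision, add a call to it as a fourth line inside the block, e.g. `term_dontaudit_getattr_pty_dirs(smbd_t)`; otherwise the intentional narrowing should be stated in the commit message so the dropped rule is not read as an oversight. Replacing the inline gen_require/dontaudit rules with per-module interface calls is the right direction, since the type declarations now stay with the modules that own them, and the mtrr rule moved to `dev_getattr_mtrr_dev(smbd_t)` in the first hunk follows the same pattern.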
@@ -326,19 +333,6 @@ optional_policy(`
 udev_read_db(smbd_t)
 ')
-ifdef(`hide_broken_symptoms', `
-gen_require(`
- type boot_t, default_t, tmpfs_t;
-')
-dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr;
-dontaudit smbd_t devpts_t:dir getattr;
-')
-
-gen_require(`
- type mtrr_device_t;
-')
-allow smbd_t mtrr_device_t:file getattr;
-
 ########################################
 #
 # nmbd Local policy