Bug 37182 - net-fs/samba-2.2.x policy files
Summary: net-fs/samba-2.2.x policy files
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All All
Importance: High normal
Assignee: Chris PeBenito (RETIRED)
Reported: 2004-01-04 04:58 UTC by petre rodan (RETIRED)
Modified: 2004-04-06 13:20 UTC


Attachments
file contexts (samba.fc, 1.42 KB, text/plain), 2004-01-04 04:59 UTC, petre rodan (RETIRED)
type enforcement (samba.te, 3.02 KB, text/plain), 2004-01-04 04:59 UTC, petre rodan (RETIRED)
type enforcement (samba.te, 3.19 KB, text/plain), 2004-03-29 22:21 UTC, petre rodan (RETIRED)

Description petre rodan (RETIRED) gentoo-dev 2004-01-04 04:58:49 UTC
net-fs/samba-2.2.x policy files
Comment 1 petre rodan (RETIRED) gentoo-dev 2004-01-04 04:59:16 UTC
Created attachment 23135 [details]
file contexts
Comment 2 petre rodan (RETIRED) gentoo-dev 2004-01-04 04:59:38 UTC
Created attachment 23136 [details]
type enforcement
Comment 3 petre rodan (RETIRED) gentoo-dev 2004-01-11 08:27:55 UTC
the following 3 lines are needed for samba 3.0.1 to work (tested with the 'smbpasswd' passdb backend):

# for /usr/lib/samba/*.dat
allow nmbd_t lib_t:file r_file_perms;
allow smbd_t lib_t:file r_file_perms;


Comment 4 Jack Wingard 2004-01-26 22:20:30 UTC
it was only necessary for me to add:

allow nmbd_t lib_t:file { read getattr };
allow smbd_t var_log_t:file { append getattr };

for it to work for me
Comment 5 petre rodan (RETIRED) gentoo-dev 2004-01-27 00:11:59 UTC
Jack:

you should relabel files in /var/lib, /var/run, /var/log, /var/cache, /etc/samba and /usr/sbin after you've installed the policy files.

# relabel each tree against the installed file_contexts
for i in /var/lib /var/run /var/log /var/cache /etc/samba /usr/sbin; do
    /usr/sbin/setfiles /etc/security/selinux/src/policy/file_contexts/file_contexts "$i"
done

and after you've done this, there shouldn't be any avc deny on starting samba.

bye,
peter
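
One way to run the check comment 5 describes (no AVC denials for the Samba domains after relabeling), as an added example that is not part of the bug report or the Gentoo policy. The function names `sample_avc_log` and `samba_avc_summary` are hypothetical, and the log lines are constructed in the older `avc:  denied` kernel message layout.

```shell
#!/bin/sh
# Added example, not from the bug report. Function names are hypothetical.

# Constructed sample kernel log lines (user:role:type contexts).
sample_avc_log() {
cat <<'EOF'
Jan 27 00:20:01 host kernel: avc:  denied  { read } for  pid=812 exe=/usr/sbin/nmbd path=/usr/lib/samba/lowcase.dat dev=03:02 ino=4711 scontext=system_u:system_r:nmbd_t tcontext=system_u:object_r:lib_t tclass=file
Jan 27 00:20:01 host kernel: avc:  denied  { getattr } for  pid=812 exe=/usr/sbin/nmbd path=/usr/lib/samba/lowcase.dat dev=03:02 ino=4711 scontext=system_u:system_r:nmbd_t tcontext=system_u:object_r:lib_t tclass=file
Jan 27 00:20:02 host kernel: avc:  denied  { append } for  pid=815 exe=/usr/sbin/smbd path=/var/log/samba/log.smbd dev=03:02 ino=9001 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_log_t tclass=file
Jan 27 00:20:02 host kernel: avc:  denied  { getattr } for  pid=815 exe=/usr/sbin/smbd path=/var/log/samba/log.smbd dev=03:02 ino=9001 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:var_log_t tclass=file
Jan 27 00:20:05 host kernel: avc:  denied  { read } for  pid=900 exe=/usr/sbin/sshd path=/etc/shadow dev=03:02 ino=77 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:shadow_t tclass=file
EOF
}

# Read log text on stdin; print one candidate rule per (domain, target type,
# class) that smbd_t or nmbd_t was denied. No output means no denials.
samba_avc_summary() {
    awk '
    /avc:[ ]+denied/ {
        o = index($0, "{"); c = index($0, "}")
        if (o == 0 || c < o) next
        perms = substr($0, o + 1, c - o - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "smbd_t" && src != "nmbd_t") next
        key = src " " tgt ":" cls
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++)
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                perm_list[key] = perm_list[key] " " p[j]
            }
    }
    END { for (k in perm_list) printf "allow %s {%s };\n", k, perm_list[k] }
    ' | sort
}

# Live use: dmesg | samba_avc_summary
sample_avc_log | samba_avc_summary
```

Denials against generic target types such as `lib_t` or `var_log_t` are worth checking against the file contexts before any rule is added, since comment 5 expects them to disappear once the listed directories are relabeled.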
Comment 6 Kurt Lieber (RETIRED) gentoo-dev 2004-03-29 07:44:38 UTC
updating component.
Comment 7 Chris PeBenito (RETIRED) gentoo-dev 2004-03-29 09:30:32 UTC
Petre, please verify that this is still ok, and also check the current NSA samba policy to see if there's anything new, then I'll commit it.
Comment 8 petre rodan (RETIRED) gentoo-dev 2004-03-29 22:21:49 UTC
Created attachment 28344 [details]
type enforcement


this is my latest te file. 
used with samba 2.2 for a very long time, tested with samba 3 acting as domain
controller for a few days.

the nsa policy also has 'can_ypbind(smbd_t)' which is defined in their
ypbind_macros.te, which seems to be missing from the gentoo policy tree. but I
never felt the need to use that macro anyhow :)

bye,
peter
Comment 9 Chris PeBenito (RETIRED) gentoo-dev 2004-03-30 12:12:59 UTC
committed to policy cvs
Comment 10 petre rodan (RETIRED) gentoo-dev 2004-04-01 22:43:08 UTC
I can't find any trace of sec-policy/selinux-samba in portage right now.
Comment 11 Chris PeBenito (RETIRED) gentoo-dev 2004-04-06 13:20:47 UTC
selinux-samba-20040406 committed to portage