rpms/samba/devel samba.spec,1.103,1.104 smb.conf.default,1.7,1.8

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Apr 5 14:26:27 UTC 2007


Author: ssorce

Update of /cvs/dist/rpms/samba/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv26585

Modified Files:
	samba.spec smb.conf.default 
Log Message:

More work to get SELinux and Samba to work well together.
SELinux policies have been updated to make Samba work OK as a Domain
Controller; meanwhile we established a directory where scripts can be
installed and run unconfined from smbd.

The default smb.conf now contains some more information on how to modify
some relevant SELinux options to make Samba work.




Index: samba.spec
===================================================================
RCS file: /cvs/dist/rpms/samba/devel/samba.spec,v
retrieving revision 1.103
retrieving revision 1.104
diff -u -r1.103 -r1.104
--- samba.spec	3 Apr 2007 14:18:24 -0000	1.103
+++ samba.spec	5 Apr 2007 14:26:25 -0000	1.104
@@ -584,6 +584,7 @@
 %attr(700,root,root) %dir /var/lib/samba/private
 %dir /var/run/winbindd
 %attr(750,root,wbpriv) %dir /var/lib/samba/winbindd_privileged
+%dir /var/lib/samba/scripts
 %config(noreplace) %{_sysconfdir}/samba/smb.conf
 %config(noreplace) %{_sysconfdir}/samba/lmhosts
 %config(noreplace) %{_sysconfdir}/sysconfig/samba
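Review bot: the new `%dir /var/lib/samba/scripts` entry carries no `%attr`, unlike the `private` and `winbindd_privileged` directories listed just above it. The log message says scripts placed in this directory run unconfined from smbd, so state the ownership and mode explicitly, for example `%attr(755,root,root) %dir /var/lib/samba/scripts`, so that only root can write there whatever the package's default attributes are.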
@@ -631,6 +632,11 @@
 #%{_includedir}/libmsrpc.h
 
 %changelog
+* Wed Apr 4 2007 Simo Sorce <ssorce at redhat.com>
+- fixes in smb.conf
+- advice in smb.conf to put scripts in /var/lib/samba/scripts
+- create /var/lib/samba/scripts so that selinux can be happy
+
 * Tue Apr 03 2007 Guenther Deschner <gdeschner at redhat.com> 3.0.24-11.fc7
 - enable PAM and NSS dlopen checks during build
 - fix unresolved symbols in libnss_wins.so (bug #198230)
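Review bot: the new changelog entry dated Wed Apr 4 2007 has no version-release after the e-mail address, while the entry directly below it ends in `3.0.24-11.fc7`. Add the release this change ships in so the entry can be matched to a build. "fixes in smb.conf" would also be more useful if it named the lines that changed (the `add machine script` and `delete user from group script` examples).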


Index: smb.conf.default
===================================================================
RCS file: /cvs/dist/rpms/samba/devel/smb.conf.default,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- smb.conf.default	30 Mar 2007 13:02:19 -0000	1.7
+++ smb.conf.default	5 Apr 2007 14:26:25 -0000	1.8
@@ -19,6 +19,39 @@
 # NOTE: Whenever you modify this file you should run the command "testparm"
 # to check that you have not made any basic syntactic errors. 
 #
+#---------------
+# SELINUX NOTES:
+#
+# If you want to use the useradd/groupadd family of binaries please run:
+# setsebool -P samba_domain_controller on
+#
+# If you want to share home directories via samba please run:
+# setsebool -P samba_enable_home_dirs on
+#
+# If you create a new directory you want to share you should mark it as
+# "samba-share_t" so that selinux will let you write into it.
+# Make sure not to do that on system directories as they may already have
+# been marked with othe SELinux labels.
+#
+# Use ls -ldZ /path to see which context a directory has
+#
+# Set labels only on directories you created!
+# To set a label use the following: chcon -t samba_share_t /path
+#
+# If you need to share a system created directory you can use one of the
+# following (read-only/read-write):
+# setsebool -P samba_export_all_ro on
+# or
+# setsebool -P samba_export_all_rw on
+#
+# If you want to run scripts (preexec/root prexec/print command/...) please
+# put them into the /var/lib/samba/scripts directory so that smbd will be
+# allowed to run them.
+# Make sure you COPY them and not MOVE them so that the right SELinux context
+# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
+#
+#--------------
+#
 #======================= Global Settings =====================================
 	
 [global]
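Review bot: the SELinux type is spelled two ways in the added notes, `"samba-share_t"` in the paragraph about new directories and `samba_share_t` in the `chcon` line. Only the underscore form matches the command given, so an admin copying the first spelling will get a failing `chcon`; use `samba_share_t` in both places. While editing this block, fix "othe SELinux labels" to "other" and "root prexec" to "root preexec" so the option name matches what people will search for in smb.conf.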
@@ -132,9 +165,9 @@
 	
 ;	add user script = /usr/sbin/useradd "%u" -n -g users
 ;	add group script = /usr/sbin/groupadd "%g"
-;	add machine script = /usr/sbin/adduser -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
+;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
 ;	delete user script = /usr/sbin/userdel "%u"
-;	delete user from group script = /usr/sbin/deluser "%u" "%g"
+;	delete user from group script = /usr/sbin/userdel "%u" "%g"
 ;	delete group script = /usr/sbin/groupdel "%g"
 	
 	
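Review bot: the new `delete user from group script` line calls `/usr/sbin/userdel "%u" "%g"`, the same binary as `delete user script` two lines above it. userdel removes the account itself and takes a single login name, so anyone who uncomments this example will not get a group membership removal, and may lose the account instead. A command that edits membership fits this option, for example `/usr/bin/gpasswd -d "%u" "%g"`.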



