# Dustin's SELinux Policy Modules

This is a collection of SELinux policy modules that fix or augment the default
SELinux policy for Fedora/RHEL.

## dch-samba

The SELinux reference policy does not have rules for the Samba Active Directory
Domain Controller ("samba4"). On Fedora/RHEL, `/usr/bin/samba` runs in
`unconfined_service_t`. This is fine for the DC functionality itself, but
breaks `winbindd`. The refpolicy does have rules for winbind, but they expect
it to run in its own domain, `winbind_t`. Since `winbindd` is started by
`samba` when running on a DC, it runs in `unconfined_service_t` as well.

The *dch-samba* policy module adds a couple of rules to allow `samba` to launch
`winbindd` in the correct domain, and fixes up a few other AVC denials that
come from doing this.
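
The kind of rules a domain transition like this needs, written out as an added sketch; it is not the contents of the *dch-samba* module. The module name `example_samba_winbind` is hypothetical, and the sketch assumes the refpolicy type `winbind_exec_t` labels the `winbindd` binary and is already an entrypoint for `winbind_t`.

```selinux
# Added illustration, not the dch-samba module itself.
# Hypothetical module name; types are the ones named in this README plus
# winbind_exec_t from the reference policy's samba module (assumed present).
module example_samba_winbind 1.0;

require {
    type unconfined_service_t;
    type winbind_t;
    type winbind_exec_t;
    class file { getattr open read execute };
    class process { transition sigchld };
    class fd use;
    class fifo_file { getattr read write append ioctl lock };
}

# 1. The parent domain (samba on a DC) may execute the winbindd binary.
allow unconfined_service_t winbind_exec_t:file { getattr open read execute };

# 2. The parent domain may transition a child process into winbind_t.
allow unconfined_service_t winbind_t:process transition;

# 3. Make that transition the default: without this rule the exec succeeds
#    but the child stays in the parent's domain, which is the situation the
#    README describes (winbindd running in unconfined_service_t).
type_transition unconfined_service_t winbind_exec_t:process winbind_t;

# 4. The child keeps working with what it inherits from its parent:
#    open file descriptors, pipes, and delivery of SIGCHLD on exit.
allow winbind_t unconfined_service_t:fd use;
allow winbind_t unconfined_service_t:fifo_file { getattr read write append ioctl lock };
allow winbind_t unconfined_service_t:process sigchld;
```

With rules of this kind loaded, `ps -eZ | grep winbindd` should report `winbind_t` rather than `unconfined_service_t`; any remaining denials show up in `ausearch -m avc`.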