[selinux-policy: 1047/3172] add swat to samba, and fix an automount mistake

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:35:25 UTC 2010


commit cbe3275e1b8cbceed55b02d9caf32b33d0883299
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Dec 9 21:07:30 2005 +0000

    add swat to samba, and fix an automount mistake

 refpolicy/Changelog                            |    1 +
 refpolicy/policy/modules/kernel/filesystem.if  |    2 +-
 refpolicy/policy/modules/services/automount.te |    2 +-
 refpolicy/policy/modules/services/samba.fc     |    1 +
 refpolicy/policy/modules/services/samba.te     |   77 +++++++++++++++++++++++-
 5 files changed, 80 insertions(+), 3 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index d7cf04d..c760ebf 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add swat to samba module.
 - Miscellaneous fixes from Dan Walsh.
 - Added modules:
 	automount
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index d7b6423..a64164e 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -2444,7 +2444,7 @@ interface(`fs_getattr_all_dirs',`
 		attribute filesystem_type;
 	')
 
-	allow $1 filesystem_type:dir search_dir_perms;
+	allow $1 filesystem_type:dir getattr;
 ')
 
 ########################################
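Review bot: Narrowing `fs_getattr_all_dirs` from `search_dir_perms` to `getattr` makes the grant match the interface name, but any domain that already called it and relied on the search permission loses that access. The only caller visible in this commit is the one added in automount.te, so callers elsewhere in the tree should be checked for new AVC denials on `filesystem_type:dir search` and moved to an explicit search interface where search is really needed. The interface header and its summary comment start outside this hunk; if the summary still describes searching, it should be reworded to something like `Get the attributes of all directories with a filesystem type.`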
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index d1aeb62..f68c043 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -99,7 +99,7 @@ files_getattr_default_dir(automount_t)
 files_exec_etc_files(automount_t)
 
 fs_getattr_all_fs(automount_t)
-fs_getattr_all_files(automount_t)
+fs_getattr_all_dirs(automount_t)
 fs_search_auto_mountpoints(automount_t)
 fs_manage_auto_mountpoints(automount_t)
 
diff --git a/refpolicy/policy/modules/services/samba.fc b/refpolicy/policy/modules/services/samba.fc
index f076ffa..d0e6b6d 100644
--- a/refpolicy/policy/modules/services/samba.fc
+++ b/refpolicy/policy/modules/services/samba.fc
@@ -14,6 +14,7 @@
 /usr/bin/ntlm_auth		--	gen_context(system_u:object_r:winbind_helper_exec_t,s0)
 /usr/bin/smbmount		--	gen_context(system_u:object_r:smbmount_exec_t,s0)
 /usr/bin/smbmnt			--	gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/sbin/swat			--	gen_context(system_u:object_r:swat_exec_t,s0)
 
 /usr/sbin/nmbd			--	gen_context(system_u:object_r:nmbd_exec_t,s0)
 /usr/sbin/smbd			--	gen_context(system_u:object_r:smbd_exec_t,s0)
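Review bot: The new `/usr/sbin/swat` entry is appended to the `/usr/bin` group, while the `/usr/sbin` entries (`nmbd`, `smbd`) start after the blank line just below it. Moving it into that group, in path order, keeps the file-context list easy to audit. That matters here because the `swat_exec_t` label is the entry point that `inetd_service_domain(swat_t,swat_exec_t)` in samba.te keys on.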
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 5e7cdde..733dc4c 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
 
-policy_module(samba,1.1.0)
+policy_module(samba,1.1.1)
 
 #################################
 #
@@ -54,6 +54,17 @@ domain_type(smbmount_t)
 type smbmount_exec_t;
 domain_entry_file(smbmount_t,smbmount_exec_t)
 
+type swat_t;
+type swat_exec_t;
+inetd_service_domain(swat_t,swat_exec_t)
+role system_r types swat_t;
+
+type swat_tmp_t;
+files_tmp_file(swat_tmp_t)
+
+type swat_var_run_t;
+files_pid_file(swat_var_run_t)
+
 type winbind_t;
 type winbind_exec_t;
 init_daemon_domain(winbind_t,winbind_exec_t)
@@ -520,6 +531,70 @@ ifdef(`cups.te', `
 
 ########################################
 #
+# SWAT Local policy
+#
+
+allow swat_t self:capability { setuid setgid };
+allow swat_t self:process signal_perms;
+allow swat_t self:fifo_file rw_file_perms;
+allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow swat_t self:tcp_socket connected_stream_socket_perms;
+allow swat_t self:udp_socket create_socket_perms;
+
+allow swat_t swat_tmp_t:dir create_dir_perms;
+allow swat_t swat_tmp_t:file create_file_perms;
+files_create_tmp_files(swat_t, swat_tmp_t, { file dir })
+
+allow swat_t swat_var_run_t:file create_file_perms;
+allow swat_t swat_var_run_t:dir rw_dir_perms;
+files_create_pid(swat_t,swat_var_run_t)
+
+kernel_read_kernel_sysctl(swat_t)
+kernel_read_system_state(swat_t)
+kernel_read_network_state(swat_t)
+
+corenet_non_ipsec_sendrecv(swat_t)
+corenet_tcp_sendrecv_generic_if(swat_t)
+corenet_udp_sendrecv_generic_if(swat_t)
+corenet_raw_sendrecv_generic_if(swat_t)
+corenet_tcp_sendrecv_all_nodes(swat_t)
+corenet_udp_sendrecv_all_nodes(swat_t)
+corenet_raw_sendrecv_all_nodes(swat_t)
+corenet_tcp_sendrecv_all_ports(swat_t)
+corenet_udp_sendrecv_all_ports(swat_t)
+corenet_tcp_bind_all_nodes(swat_t)
+corenet_udp_bind_all_nodes(swat_t)
+
+dev_read_urand(swat_t)
+
+files_read_etc_files(swat_t)
+files_search_home(swat_t)
+
+fs_getattr_xattr_fs(swat_t)
+
+libs_use_ld_so(swat_t)
+libs_use_shared_libs(swat_t)
+
+logging_send_syslog_msg(swat_t)
+
+miscfiles_read_localization(swat_t)
+
+sysnet_read_config(swat_t)
+
+optional_policy(`kerberos',`
+	kerberos_use(swat_t)
+')
+
+optional_policy(`nis',`
+	nis_use_ypbind(swat_t)
+')
+
+optional_policy(`nscd',`
+	nscd_use_socket(swat_t)
+')
+
+########################################
+#
 # Winbind local policy
 #
 
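Review bot: The corenet block for `swat_t` grants more network access than an inetd-started service appears to need: raw send/receive (`corenet_raw_sendrecv_generic_if`, `corenet_raw_sendrecv_all_nodes`), send/receive on all TCP and UDP ports, and bind on all nodes. Because `inetd_service_domain(swat_t,swat_exec_t)` suggests swat inherits an already-connected socket from inetd, the two raw lines and `corenet_tcp_bind_all_nodes(swat_t)` / `corenet_udp_bind_all_nodes(swat_t)` look removable, and the all-ports rules would ideally be narrowed to the ports swat actually talks to. If the breadth is intentional, a comment above the block such as `# outbound name-service lookups (DNS/NIS/Kerberos) need general UDP/TCP` would record why. `allow swat_t self:capability { setuid setgid };` deserves a one-line reason as well, since those capabilities let a network-facing administration tool change identity and reviewers will want to know what depends on them.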

