[selinux-policy: 653/3172] add samba
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:01:21 UTC 2010
commit 84c92239d4177e292ffc788fc7efbc5087d5acb8
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 14 18:33:53 2005 +0000
add samba
refpolicy/Changelog | 1 +
refpolicy/policy/modules/admin/logrotate.te | 4 +
refpolicy/policy/modules/kernel/filesystem.if | 18 +
refpolicy/policy/modules/services/cron.te | 6 +
refpolicy/policy/modules/services/samba.fc | 39 ++
refpolicy/policy/modules/services/samba.if | 243 +++++++++++++
refpolicy/policy/modules/services/samba.te | 467 +++++++++++++++++++++++++
refpolicy/policy/modules/system/files.fc | 1 +
refpolicy/policy/modules/system/files.if | 17 +
refpolicy/policy/modules/system/init.fc | 8 -
refpolicy/policy/modules/system/init.te | 4 +
refpolicy/policy/modules/system/mount.te | 4 +
refpolicy/policy/modules/system/userdomain.if | 112 ++++++
refpolicy/policy/modules/system/userdomain.te | 4 +
14 files changed, 920 insertions(+), 8 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index ad14a2a..b63c5fe 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -2,6 +2,7 @@
- Added policies:
ktalk
portmap
+ samba
zebra
* Wed Sep 07 2005 Chris PeBenito <selinux at tresys.com> - 20050907
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index c95e40f..0b9aeec 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -126,6 +126,10 @@ optional_policy(`hostname.te',`
hostname_exec(logrotate_t)
')
+optional_policy(`samba.te',`
+ samba_exec_log(logrotate_t)
+')
+
optional_policy(`mysql.te',`
mysql_read_config(logrotate_t)
mysql_search_db_dir(logrotate_t)
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index cd29096..6a57c88 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -456,6 +456,24 @@ interface(`fs_search_cifs',`
########################################
## <summary>
+## List the contents of directories on a
+## CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+## The type of the domain reading the files.
+## </param>
+#
+interface(`fs_list_cifs',`
+ gen_require(`
+ type cifs_t;
+ class dir r_dir_perms;
+ ')
+
+ allow $1 cifs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
## Read files on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index d18945d..998f73c 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -329,6 +329,12 @@ optional_policy(`nscd.te',`
nscd_use_socket(system_crond_t)
')
+optional_policy(`samba.te',`
+ samba_read_config(system_crond_t)
+ samba_read_log(system_crond_t)
+ #samba_read_secrets(system_crond_t)
+')
+
optional_policy(`squid.te',`
# cjp: why?
squid_domtrans(system_crond_t)
diff --git a/refpolicy/policy/modules/services/samba.fc b/refpolicy/policy/modules/services/samba.fc
new file mode 100644
index 0000000..a4c187a
--- /dev/null
+++ b/refpolicy/policy/modules/services/samba.fc
@@ -0,0 +1,39 @@
+
+#
+# /etc
+#
+/etc/samba/MACHINE\.SID -- context_template(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/secrets\.tdb -- context_template(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/smbpasswd -- context_template(system_u:object_r:samba_secrets_t,s0)
+/etc/samba(/.*)? context_template(system_u:object_r:samba_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/net -- context_template(system_u:object_r:samba_net_exec_t,s0)
+/usr/bin/smbmount -- context_template(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbmnt -- context_template(system_u:object_r:smbmount_exec_t,s0)
+
+/usr/sbin/nmbd -- context_template(system_u:object_r:nmbd_exec_t,s0)
+/usr/sbin/smbd -- context_template(system_u:object_r:smbd_exec_t,s0)
+
+#
+# /var
+#
+/var/cache/samba(/.*)? context_template(system_u:object_r:samba_var_t,s0)
+
+/var/lib/samba(/.*)? context_template(system_u:object_r:samba_var_t,s0)
+
+/var/log/samba(/.*)? context_template(system_u:object_r:samba_log_t,s0)
+
+/var/run/samba/brlock\.tdb -- context_template(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/connections\.tdb -- context_template(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/locking\.tdb -- context_template(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/messages\.tdb -- context_template(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/namelist\.debug -- context_template(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/nmbd\.pid -- context_template(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/sessionid\.tdb -- context_template(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/smbd\.pid -- context_template(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/unexpected\.tdb -- context_template(system_u:object_r:nmbd_var_run_t,s0)
+
+/var/spool/samba(/.*)? context_template(system_u:object_r:samba_var_t,s0)
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
new file mode 100644
index 0000000..da8ca03
--- /dev/null
+++ b/refpolicy/policy/modules/services/samba.if
@@ -0,0 +1,243 @@
+## <summary>SMB and CIFS client/server programs for UNIX</summary>
+
+#######################################
+## <summary>
+## The per user domain template for the samba module.
+## </summary>
+## <desc>
+## <p>
+## This template allows smbd to manage files in
+## a user home directory, creating files with the
+## correct type.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+## The type of the user domain.
+## </param>
+## <param name="user_role">
+## The role associated with the user domain.
+## </param>
+#
+template(`samba_per_userdomain_template',`
+ optional_policy(`
+ gen_require(`
+ type smbd_t;
+ ')
+
+ userdom_manage_user_home_subdir_files($1,smbd_t)
+ userdom_manage_user_home_subdir_symlinks($1,smbd_t)
+ userdom_manage_user_home_subdir_sockets($1,smbd_t)
+ userdom_manage_user_home_subdir_pipes($1,smbd_t)
+ userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
+ ')
+')
+
+########################################
+## <summary>
+## Execute samba net in the samba_net domain.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`samba_domtrans_net',`
+ gen_require(`
+ type samba_net_t, samba_net_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_trans($1,samba_net_exec_t,samba_net_t)
+
+ allow $1 samba_net_t:fd use;
+ allow samba_net_t $1:fd use;
+ allow samba_net_t $1:fifo_file rw_file_perms;
+ allow samba_net_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute samba net in the samba_net domain, and
+## allow the specified role the samba_net domain.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+## <param name="role">
+## The role to be allowed the samba_net domain.
+## </param>
+## <param name="terminal">
+## The type of the terminal allow the samba_net domain to use.
+## </param>
+#
+interface(`samba_run_net',`
+ gen_require(`
+ type samba_net_t;
+ class chr_file rw_term_perms;
+ ')
+
+ samba_domtrans_net($1)
+ role $2 types samba_net_t;
+ allow samba_net_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Execute smbmount in the smbmount domain.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`samba_domtrans_smbmount',`
+ gen_require(`
+ type smbmount_t, smbmount_exec_t;
+ class process sigchld;
+ class fd use;
+ class fifo_file rw_file_perms;
+ ')
+
+ corecmd_search_bin($1)
+ domain_auto_trans($1,smbmount_exec_t,smbmount_t)
+
+ allow $1 smbmount_t:fd use;
+ allow smbmount_t $1:fd use;
+ allow smbmount_t $1:fifo_file rw_file_perms;
+ allow smbmount_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## samba configuration files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`samba_read_config',`
+ gen_require(`
+ type samba_etc_t;
+ class file { read getattr lock };
+ ')
+
+ files_search_etc($1)
+ allow $1 samba_etc_t:file { read getattr lock };
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read
+## and write samba configuration files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`samba_rw_config',`
+ gen_require(`
+ type samba_etc_t;
+ class file rw_file_perms;
+ ')
+
+ files_search_etc($1)
+ allow $1 samba_etc_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read samba's log files.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`samba_read_log',`
+ gen_require(`
+ type samba_log_t;
+ class file { read getattr lock };
+ ')
+
+ logging_search_logs($1)
+ allow $1 samba_log_t:file { read getattr lock };
+')
+
+########################################
+## <summary>
+## Execute samba log in the caller domain.
+## </summary>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+interface(`samba_exec_log',`
+ gen_require(`
+ type samba_log_t;
+ ')
+
+ logging_search_logs($1)
+ can_exec($1,samba_log_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read samba's secrets.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`samba_read_secrets',`
+ gen_require(`
+ type samba_secrets_t;
+ class file { read getattr lock };
+ ')
+
+ files_search_etc($1)
+ allow $1 samba_secrets_t:file { read getattr lock };
+')
+
+########################################
+## <summary>
+## Allow the specified domain to write to smbmount tcp sockets.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`samba_write_smbmount_tcp_socket',`
+ gen_require(`
+ type smbmount_t;
+ class tcp_socket write;
+ ')
+
+ allow $1 smbmount_t:tcp_socket write;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read and write to smbmount tcp sockets.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`samba_rw_smbmount_tcp_socket',`
+ gen_require(`
+ type smbmount_t;
+ class tcp_socket { read write };
+ ')
+
+ allow $1 smbmount_t:tcp_socket { read write };
+')
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
new file mode 100644
index 0000000..c56c5a3
--- /dev/null
+++ b/refpolicy/policy/modules/services/samba.te
@@ -0,0 +1,467 @@
+
+policy_module(samba,1.0)
+
+#################################
+#
+# Declarations
+#
+
+type nmbd_t;
+type nmbd_exec_t;
+init_daemon_domain(nmbd_t,nmbd_exec_t)
+
+type nmbd_var_run_t;
+files_pid_file(nmbd_var_run_t)
+
+type samba_etc_t; #, usercanread;
+files_type(samba_etc_t)
+
+type samba_log_t, logfile;
+files_type(samba_log_t)
+
+type samba_net_t;
+domain_type(samba_net_t)
+
+type samba_net_exec_t;
+domain_entry_file(samba_net_t,samba_net_exec_t)
+
+type samba_net_tmp_t;
+files_tmp_file(samba_net_tmp_t)
+
+type samba_secrets_t;
+files_type(samba_secrets_t)
+
+type samba_share_t; #, customizable;
+files_type(samba_share_t)
+
+type samba_var_t;
+files_type(samba_var_t)
+
+type smbd_t;
+type smbd_exec_t;
+init_daemon_domain(smbd_t,smbd_exec_t)
+
+type smbd_tmp_t;
+files_tmp_file(smbd_tmp_t)
+
+type smbd_var_run_t;
+files_pid_file(smbd_var_run_t)
+
+type smbmount_t;
+domain_type(smbmount_t)
+
+type smbmount_exec_t;
+domain_entry_file(smbmount_t,smbmount_exec_t)
+
+########################################
+#
+# Samba net local policy
+#
+
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
+allow samba_net_t self:udp_socket create_socket_perms;
+allow samba_net_t self:tcp_socket create_socket_perms;
+
+allow samba_net_t samba_etc_t:file r_file_perms;
+
+allow samba_net_t samba_secrets_t:file create_file_perms;
+allow samba_net_t samba_etc_t:dir rw_dir_perms;
+type_transition samba_net_t samba_etc_t:file samba_secrets_t;
+
+allow samba_net_t samba_net_tmp_t:dir create_dir_perms;
+allow samba_net_t samba_net_tmp_t:file create_file_perms;
+files_create_tmp_files(samba_net_t, samba_net_tmp_t, { file dir })
+
+allow samba_net_t samba_var_t:dir rw_dir_perms;
+allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
+allow samba_net_t samba_var_t:file create_lnk_perms;
+
+kernel_read_proc_symlinks(samba_net_t)
+
+corenet_tcp_sendrecv_all_if(samba_net_t)
+corenet_udp_sendrecv_all_if(samba_net_t)
+corenet_raw_sendrecv_all_if(samba_net_t)
+corenet_tcp_sendrecv_all_nodes(samba_net_t)
+corenet_udp_sendrecv_all_nodes(samba_net_t)
+corenet_raw_sendrecv_all_nodes(samba_net_t)
+corenet_tcp_sendrecv_all_ports(samba_net_t)
+corenet_udp_sendrecv_all_ports(samba_net_t)
+corenet_tcp_bind_all_nodes(samba_net_t)
+corenet_udp_bind_all_nodes(samba_net_t)
+corenet_tcp_connect_smbd_port(samba_net_t)
+
+dev_read_urand(samba_net_t)
+
+domain_use_wide_inherit_fd(samba_net_t)
+
+files_read_etc_files(samba_net_t)
+
+libs_use_ld_so(samba_net_t)
+libs_use_shared_libs(samba_net_t)
+
+miscfiles_read_localization(samba_net_t)
+
+sysnet_read_config(samba_net_t)
+
+userdom_dontaudit_search_sysadm_home_dir(samba_net_t)
+
+optional_policy(`kerberos.te',`
+ kerberos_use(samba_net_t)
+')
+
+optional_policy(`ldap.te',`
+ allow samba_net_t self:tcp_socket create_socket_perms;
+ corenet_tcp_sendrecv_all_if(samba_net_t)
+ corenet_raw_sendrecv_all_if(samba_net_t)
+ corenet_tcp_sendrecv_all_nodes(samba_net_t)
+ corenet_raw_sendrecv_all_nodes(samba_net_t)
+ corenet_tcp_sendrecv_ldap_port(samba_net_t)
+ corenet_tcp_bind_all_nodes(samba_net_t)
+ sysnet_read_config(samba_net_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(samba_net_t)
+')
+
+########################################
+#
+# smbd Local policy
+#
+allow smbd_t self:capability { setgid setuid sys_resource lease dac_override dac_read_search };
+dontaudit smbd_t self:capability sys_tty_config;
+allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow smbd_t self:fd use;
+allow smbd_t self:fifo_file rw_file_perms;
+allow smbd_t self:msg { send receive };
+allow smbd_t self:msgq create_msgq_perms;
+allow smbd_t self:sem create_sem_perms;
+allow smbd_t self:shm create_shm_perms;
+allow smbd_t self:sock_file r_file_perms;
+allow smbd_t self:tcp_socket create_stream_socket_perms;
+allow smbd_t self:udp_socket create_socket_perms;
+allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow smbd_t samba_etc_t:dir rw_dir_perms;
+allow smbd_t samba_etc_t:file r_file_perms;
+
+allow smbd_t samba_log_t:dir ra_dir_perms;
+dontaudit smbd_t samba_log_t:dir remove_name;
+allow smbd_t samba_log_t:file { create ra_file_perms };
+
+allow smbd_t samba_secrets_t:dir rw_dir_perms;
+allow smbd_t samba_secrets_t:file create_file_perms;
+type_transition smbd_t samba_etc_t:file samba_secrets_t;
+
+allow smbd_t samba_share_t:dir create_dir_perms;
+allow smbd_t samba_share_t:file create_file_perms;
+allow smbd_t samba_share_t:lnk_file create_lnk_perms;
+
+allow smbd_t samba_var_t:dir create_dir_perms;
+allow smbd_t samba_var_t:file create_file_perms;
+allow smbd_t samba_var_t:lnk_file create_lnk_perms;
+allow smbd_t samba_var_t:sock_file create_file_perms;
+
+allow smbd_t smbd_tmp_t:dir create_dir_perms;
+allow smbd_t smbd_tmp_t:file create_file_perms;
+files_create_tmp_files(smbd_t, smbd_tmp_t, { file dir })
+
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
+
+allow smbd_t smbd_var_run_t:dir create_dir_perms;
+allow smbd_t smbd_var_run_t:file create_file_perms;
+allow smbd_t smbd_var_run_t:sock_file create_file_perms;
+files_create_pid(smbd_t,smbd_var_run_t)
+
+kernel_getattr_core(smbd_t)
+kernel_getattr_message_if(smbd_t)
+kernel_read_network_state(smbd_t)
+kernel_read_kernel_sysctl(smbd_t)
+kernel_read_software_raid_state(smbd_t)
+kernel_read_system_state(smbd_t)
+
+corenet_tcp_sendrecv_all_if(smbd_t)
+corenet_udp_sendrecv_all_if(smbd_t)
+corenet_raw_sendrecv_all_if(smbd_t)
+corenet_tcp_sendrecv_all_nodes(smbd_t)
+corenet_udp_sendrecv_all_nodes(smbd_t)
+corenet_raw_sendrecv_all_nodes(smbd_t)
+corenet_tcp_sendrecv_all_ports(smbd_t)
+corenet_udp_sendrecv_all_ports(smbd_t)
+corenet_tcp_bind_all_nodes(smbd_t)
+corenet_udp_bind_all_nodes(smbd_t)
+corenet_tcp_bind_smbd_port(smbd_t)
+corenet_tcp_connect_ipp_port(smbd_t)
+
+dev_read_sysfs(smbd_t)
+dev_read_urand(smbd_t)
+
+fs_getattr_all_fs(smbd_t)
+fs_search_auto_mountpoints(smbd_t)
+
+term_dontaudit_use_console(smbd_t)
+
+auth_domtrans_chk_passwd(smbd_t)
+
+domain_use_wide_inherit_fd(smbd_t)
+
+files_list_var_lib(smbd_t)
+files_read_etc_files(smbd_t)
+files_read_etc_runtime_files(smbd_t)
+files_read_usr_files(smbd_t)
+files_search_spool(smbd_t)
+
+init_use_fd(smbd_t)
+init_use_script_pty(smbd_t)
+
+libs_use_ld_so(smbd_t)
+libs_use_shared_libs(smbd_t)
+
+logging_search_logs(smbd_t)
+logging_send_syslog_msg(smbd_t)
+
+miscfiles_read_localization(smbd_t)
+
+mount_send_nfs_client_request(smbd_t)
+
+sysnet_read_config(smbd_t)
+
+userdom_dontaudit_search_sysadm_home_dir(smbd_t)
+userdom_dontaudit_use_unpriv_user_fd(smbd_t)
+userdom_use_unpriv_users_fd(smbd_t)
+
+ifdef(`targeted_policy', `
+ files_dontaudit_read_root_file(smbd_t)
+ term_dontaudit_use_generic_pty(smbd_t)
+ term_dontaudit_use_unallocated_tty(smbd_t)
+')
+
+optional_policy(`kerberos.te',`
+ kerberos_use(smbd_t)
+')
+
+optional_policy(`ldap.te',`
+ allow smbd_t self:tcp_socket create_socket_perms;
+ corenet_tcp_sendrecv_all_if(smbd_t)
+ corenet_raw_sendrecv_all_if(smbd_t)
+ corenet_tcp_sendrecv_all_nodes(smbd_t)
+ corenet_raw_sendrecv_all_nodes(smbd_t)
+ corenet_tcp_sendrecv_ldap_port(smbd_t)
+ corenet_tcp_bind_all_nodes(smbd_t)
+ sysnet_read_config(smbd_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(smbd_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(smbd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(smbd_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(smbd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(smbd_t)
+')
+can_winbind(smbd_t)
+')
+
+########################################
+#
+# nmbd Local policy
+#
+dontaudit nmbd_t self:capability sys_tty_config;
+allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow nmbd_t self:fd use;
+allow nmbd_t self:fifo_file rw_file_perms;
+allow nmbd_t self:msg { send receive };
+allow nmbd_t self:msgq create_msgq_perms;
+allow nmbd_t self:sem create_sem_perms;
+allow nmbd_t self:shm create_shm_perms;
+allow nmbd_t self:sock_file r_file_perms;
+allow nmbd_t self:tcp_socket create_stream_socket_perms;
+allow nmbd_t self:udp_socket create_socket_perms;
+allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow nmbd_t nmbd_var_run_t:file create_file_perms;
+files_create_pid(nmbd_t,nmbd_var_run_t)
+
+allow nmbd_t samba_etc_t:dir { search getattr };
+allow nmbd_t samba_etc_t:file { getattr read };
+
+allow nmbd_t samba_log_t:dir ra_dir_perms;
+allow nmbd_t samba_log_t:file { create ra_file_perms };
+
+allow nmbd_t samba_var_t:dir rw_dir_perms;
+allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
+
+allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+
+kernel_getattr_core(nmbd_t)
+kernel_getattr_message_if(nmbd_t)
+kernel_read_kernel_sysctl(nmbd_t)
+kernel_read_network_state(nmbd_t)
+kernel_read_software_raid_state(nmbd_t)
+kernel_read_system_state(nmbd_t)
+
+corenet_tcp_sendrecv_all_if(nmbd_t)
+corenet_raw_sendrecv_all_if(nmbd_t)
+corenet_tcp_sendrecv_all_nodes(nmbd_t)
+corenet_raw_sendrecv_all_nodes(nmbd_t)
+corenet_tcp_sendrecv_all_ports(nmbd_t)
+corenet_tcp_bind_all_nodes(nmbd_t)
+corenet_udp_bind_nmbd_port(nmbd_t)
+
+dev_read_sysfs(nmbd_t)
+
+fs_getattr_all_fs(nmbd_t)
+fs_search_auto_mountpoints(nmbd_t)
+
+term_dontaudit_use_console(nmbd_t)
+
+domain_use_wide_inherit_fd(nmbd_t)
+
+files_read_usr_files(nmbd_t)
+files_read_etc_files(nmbd_t)
+
+init_use_fd(nmbd_t)
+init_use_script_pty(nmbd_t)
+
+libs_use_ld_so(nmbd_t)
+libs_use_shared_libs(nmbd_t)
+
+logging_search_logs(nmbd_t)
+logging_send_syslog_msg(nmbd_t)
+
+miscfiles_read_localization(nmbd_t)
+
+sysnet_read_config(nmbd_t)
+
+userdom_dontaudit_search_sysadm_home_dir(nmbd_t)
+userdom_dontaudit_use_unpriv_user_fd(nmbd_t)
+userdom_use_unpriv_users_fd(nmbd_t)
+
+ifdef(`targeted_policy', `
+ files_dontaudit_read_root_file(nmbd_t)
+ term_dontaudit_use_generic_pty(nmbd_t)
+ term_dontaudit_use_unallocated_tty(nmbd_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(nmbd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(nmbd_t)
+')
+
+optional_policy(`udev.te', `
+ udev_read_db(nmbd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(nmbd_t)
+')
+')
+
+########################################
+#
+# smbmount Local policy
+#
+allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary?
+allow smbmount_t self:process { fork signal_perms };
+allow smbmount_t self:tcp_socket create_stream_socket_perms;
+allow smbmount_t self:udp_socket connect;
+allow smbmount_t self:unix_dgram_socket create_socket_perms;
+allow smbmount_t self:unix_stream_socket create_socket_perms;
+
+allow smbmount_t samba_etc_t:dir r_dir_perms;
+allow smbmount_t samba_etc_t:file r_file_perms;
+
+can_exec(smbmount_t, smbmount_exec_t)
+
+allow smbmount_t samba_log_t:dir r_dir_perms;
+allow smbmount_t samba_log_t:file create_file_perms;
+
+allow smbmount_t samba_secrets_t:file create_file_perms;
+
+allow smbmount_t samba_var_t:dir rw_dir_perms;
+allow smbmount_t samba_var_t:file create_file_perms;
+allow smbmount_t samba_var_t:lnk_file create_lnk_perms;
+
+kernel_read_system_state(smbmount_t)
+
+corenet_tcp_sendrecv_all_if(smbmount_t)
+corenet_raw_sendrecv_all_if(smbmount_t)
+corenet_udp_sendrecv_all_if(smbmount_t)
+corenet_tcp_sendrecv_all_nodes(smbmount_t)
+corenet_raw_sendrecv_all_nodes(smbmount_t)
+corenet_udp_sendrecv_all_nodes(smbmount_t)
+corenet_tcp_sendrecv_all_ports(smbmount_t)
+corenet_udp_sendrecv_all_ports(smbmount_t)
+corenet_tcp_bind_all_nodes(smbmount_t)
+corenet_udp_bind_all_nodes(smbmount_t)
+corenet_tcp_connect_all_ports(smbmount_t)
+
+fs_getattr_cifs(smbmount_t)
+fs_mount_cifs(smbmount_t)
+fs_remount_cifs(smbmount_t)
+fs_unmount_cifs(smbmount_t)
+fs_list_cifs(smbmount_t)
+fs_read_cifs_files(smbmount_t)
+
+storage_raw_read_fixed_disk(smbmount_t)
+storage_raw_write_fixed_disk(smbmount_t)
+
+term_list_ptys(smbmount_t)
+term_use_controlling_term(smbmount_t)
+
+corecmd_list_bin(smbmount_t)
+
+files_list_mnt(smbmount_t)
+files_mounton_mnt(smbmount_t)
+files_manage_etc_runtime_files(smbmount_t)
+files_read_etc_files(smbmount_t)
+
+miscfiles_read_localization(smbmount_t)
+
+mount_use_fd(smbmount_t)
+mount_send_nfs_client_request(smbmount_t)
+
+libs_use_ld_so(smbmount_t)
+libs_use_shared_libs(smbmount_t)
+
+locallogin_use_fd(smbmount_t)
+
+logging_search_logs(smbmount_t)
+
+sysnet_read_config(smbmount_t)
+
+userdom_use_all_user_fd(smbmount_t)
+userdom_use_sysadm_tty(smbmount_t)
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(smbmount_t)
+')
+
+optional_policy(`nscd.te',`
+ nscd_use_socket(smbmount_t)
+')
+
+ifdef(`TODO',`
+ifdef(`cups.te', `
+ allow smbd_t cupsd_rw_etc_t:file { getattr read };
+')
+')
diff --git a/refpolicy/policy/modules/system/files.fc b/refpolicy/policy/modules/system/files.fc
index 3430a3c..970538e 100644
--- a/refpolicy/policy/modules/system/files.fc
+++ b/refpolicy/policy/modules/system/files.fc
@@ -11,6 +11,7 @@ ifdef(`distro_redhat',`
/fastboot -- context_template(system_u:object_r:etc_runtime_t,s0)
/forcefsck -- context_template(system_u:object_r:etc_runtime_t,s0)
/fsckoptions -- context_template(system_u:object_r:etc_runtime_t,s0)
+/halt -- context_template(system_u:object_r:etc_runtime_t,s0)
/poweroff -- context_template(system_u:object_r:etc_runtime_t,s0)
')
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 13d3883..9c57f5b 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1371,6 +1371,23 @@ interface(`files_list_mnt',`
########################################
## <summary>
+## Mount a filesystem on /mnt.
+## </summary>
+## <param name="domain">
+## Domain allowed access.
+## </param>
+#
+interface(`files_mounton_mnt',`
+ gen_require(`
+ type mnt_t;
+ class dir { search mounton };
+ ')
+
+ allow $1 mnt_t:dir { search mounton };
+')
+
+########################################
+## <summary>
## Create, read, write, and delete directories in /mnt.
## </summary>
## <param name="domain">
diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc
index c85ca5a..a89151f 100644
--- a/refpolicy/policy/modules/system/init.fc
+++ b/refpolicy/policy/modules/system/init.fc
@@ -1,13 +1,5 @@
#
-# /
-#
-ifdef(`distro_redhat', `
-/\.autofsck -- context_template(system_u:object_r:etc_runtime_t,s0)
-/halt -- context_template(system_u:object_r:etc_runtime_t,s0)
-')
-
-#
# /etc
#
/etc/init\.d/.* -- context_template(system_u:object_r:initrc_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index ad8c451..9941b9c 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -490,6 +490,10 @@ optional_policy(`rpm.te',`
rpm_manage_db(initrc_t)
')
+optional_policy(`samba.te',`
+ samba_rw_config(initrc_t)
+')
+
optional_policy(`squid.te',`
squid_read_config(initrc_t)
squid_manage_logs(initrc_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 47c9f28..d7ecfc7 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -120,6 +120,10 @@ optional_policy(`rpm.te', `
rpm_rw_pipe(mount_t)
')
+optional_policy(`samba.te',`
+ samba_domtrans_smbmount(mount_t)
+')
+
ifdef(`TODO',`
# this goes to the nfs/rpc module
files_mountpoint(var_lib_nfs_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 375092f..0e91736 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1014,6 +1014,118 @@ template(`userdom_manage_user_home_subdir_symlinks',`
########################################
## <summary>
+## Create, read, write, and delete named pipes
+## in a user home subdirectory.
+## </summary>
+## <desc>
+## <p>
+## Create, read, write, and delete named pipes
+## in a user home subdirectory.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+template(`userdom_manage_user_home_subdir_pipes',`
+ gen_require(`
+ class dir rw_dir_perms;
+ class fifo_file create_file_perms;
+ ')
+
+ files_search_home($2)
+ allow $2 $1_home_dir_t:dir search;
+ allow $2 $1_home_t:dir rw_dir_perms;
+ allow $2 $1_home_t:fifo_file create_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete named sockets
+## in a user home subdirectory.
+## </summary>
+## <desc>
+## <p>
+## Create, read, write, and delete named sockets
+## in a user home subdirectory.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+#
+template(`userdom_manage_user_home_subdir_sockets',`
+ gen_require(`
+ class dir rw_dir_perms;
+ class sock_file create_file_perms;
+ ')
+
+ files_search_home($2)
+ allow $2 $1_home_dir_t:dir search;
+ allow $2 $1_home_t:dir rw_dir_perms;
+ allow $2 $1_home_t:sock_file create_file_perms;
+')
+
+########################################
+## <summary>
+##
+## </summary>
+## <desc>
+## <p>
+## Create, read, write, and delete named sockets
+## in a user home subdirectory.
+## </p>
+## <p>
+## This is a templated interface, and should only
+## be called from a per-userdomain template.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </param>
+## <param name="domain">
+## The type of the process performing this action.
+## </param>
+## <param name="object_class" optional="true">
+## The class of the object to be created. If not
+## specified, file is used.
+## </param>
+#
+template(`userdom_create_user_home',`
+ gen_require(`
+ class dir rw_dir_perms;
+ ')
+
+ files_search_home($2)
+
+ allow $2 $1_home_dir_t:dir rw_dir_perms;
+
+ ifelse(`$3',`',`
+ type_transition $2 $1_home_dir_t:file $1_home_t;
+ ',`
+ type_transition $2 $1_home_dir_t:$3 $1_home_t;
+ ')
+')
+
+########################################
+## <summary>
## Create, read, write, and delete user
## temporary directories.
## </summary>
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 1719c11..8438dd5 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -202,6 +202,10 @@ ifdef(`targeted_policy',`
rpm_run(sysadm_t,sysadm_r,admin_terminal)
')
+ optional_policy(`samba.te',`
+ samba_run_net(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
optional_policy(`selinuxutil.te',`
seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)
More information about the scm-commits
mailing list