[selinux-policy: 653/3172] add samba

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:01:21 UTC 2010 

commit 84c92239d4177e292ffc788fc7efbc5087d5acb8
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Sep 14 18:33:53 2005 +0000

    add samba

 refpolicy/Changelog                           |    1 +
 refpolicy/policy/modules/admin/logrotate.te   |    4 +
 refpolicy/policy/modules/kernel/filesystem.if |   18 +
 refpolicy/policy/modules/services/cron.te     |    6 +
 refpolicy/policy/modules/services/samba.fc    |   39 ++
 refpolicy/policy/modules/services/samba.if    |  243 +++++++++++++
 refpolicy/policy/modules/services/samba.te    |  467 +++++++++++++++++++++++++
 refpolicy/policy/modules/system/files.fc      |    1 +
 refpolicy/policy/modules/system/files.if      |   17 +
 refpolicy/policy/modules/system/init.fc       |    8 -
 refpolicy/policy/modules/system/init.te       |    4 +
 refpolicy/policy/modules/system/mount.te      |    4 +
 refpolicy/policy/modules/system/userdomain.if |  112 ++++++
 refpolicy/policy/modules/system/userdomain.te |    4 +
 14 files changed, 920 insertions(+), 8 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index ad14a2a..b63c5fe 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -2,6 +2,7 @@
 - Added policies:
 	ktalk
 	portmap
+	samba
 	zebra
 
 * Wed Sep 07 2005 Chris PeBenito <selinux at tresys.com> - 20050907
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
index c95e40f..0b9aeec 100644
--- a/refpolicy/policy/modules/admin/logrotate.te
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -126,6 +126,10 @@ optional_policy(`hostname.te',`
 	hostname_exec(logrotate_t)
 ')
 
+optional_policy(`samba.te',`
+	samba_exec_log(logrotate_t)
+')
+
 optional_policy(`mysql.te',`
 	mysql_read_config(logrotate_t)
 	mysql_search_db_dir(logrotate_t)
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index cd29096..6a57c88 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -456,6 +456,24 @@ interface(`fs_search_cifs',`
 
 ########################################
 ## <summary>
+##	List the contents of directories on a
+##	CIFS or SMB filesystem.
+## </summary>
+## <param name="domain">
+##	The type of the domain reading the files.
+## </param>
+#
+interface(`fs_list_cifs',`
+	gen_require(`
+		type cifs_t;
+		class dir r_dir_perms;
+	')
+
+	allow $1 cifs_t:dir r_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Read files on a CIFS or SMB filesystem.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index d18945d..998f73c 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -329,6 +329,12 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(system_crond_t)
 ')
 
+optional_policy(`samba.te',`
+	samba_read_config(system_crond_t)
+	samba_read_log(system_crond_t)
+	#samba_read_secrets(system_crond_t)
+')
+
 optional_policy(`squid.te',`
 	# cjp: why?
 	squid_domtrans(system_crond_t)
diff --git a/refpolicy/policy/modules/services/samba.fc b/refpolicy/policy/modules/services/samba.fc
new file mode 100644
index 0000000..a4c187a
--- /dev/null
+++ b/refpolicy/policy/modules/services/samba.fc
@@ -0,0 +1,39 @@
+
+#
+# /etc
+#
+/etc/samba/MACHINE\.SID		--	context_template(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/secrets\.tdb		--	context_template(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/smbpasswd		--	context_template(system_u:object_r:samba_secrets_t,s0)
+/etc/samba(/.*)?			context_template(system_u:object_r:samba_etc_t,s0)
+
+#
+# /usr
+#
+/usr/bin/net			--	context_template(system_u:object_r:samba_net_exec_t,s0)
+/usr/bin/smbmount		--	context_template(system_u:object_r:smbmount_exec_t,s0)
+/usr/bin/smbmnt			--	context_template(system_u:object_r:smbmount_exec_t,s0)
+
+/usr/sbin/nmbd			--	context_template(system_u:object_r:nmbd_exec_t,s0)
+/usr/sbin/smbd			--	context_template(system_u:object_r:smbd_exec_t,s0)
+
+#
+# /var
+#
+/var/cache/samba(/.*)?			context_template(system_u:object_r:samba_var_t,s0)
+
+/var/lib/samba(/.*)?			context_template(system_u:object_r:samba_var_t,s0)
+
+/var/log/samba(/.*)?			context_template(system_u:object_r:samba_log_t,s0)
+
+/var/run/samba/brlock\.tdb	--	context_template(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/connections\.tdb	--	context_template(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/locking\.tdb 	--	context_template(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/messages\.tdb	--	context_template(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/namelist\.debug	--	context_template(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/nmbd\.pid	--	context_template(system_u:object_r:nmbd_var_run_t,s0)
+/var/run/samba/sessionid\.tdb	--	context_template(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/smbd\.pid	--	context_template(system_u:object_r:smbd_var_run_t,s0)
+/var/run/samba/unexpected\.tdb	--	context_template(system_u:object_r:nmbd_var_run_t,s0)
+
+/var/spool/samba(/.*)?			context_template(system_u:object_r:samba_var_t,s0)
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
new file mode 100644
index 0000000..da8ca03
--- /dev/null
+++ b/refpolicy/policy/modules/services/samba.if
@@ -0,0 +1,243 @@
+## <summary>SMB and CIFS client/server programs for UNIX</summary>
+
+#######################################
+## <summary>
+##	The per user domain template for the samba module.
+## </summary>
+## <desc>
+##	<p>
+##	This template allows smbd to manage files in
+##	a user home directory, creating files with the
+##	correct type.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="user_domain">
+##	The type of the user domain.
+## </param>
+## <param name="user_role">
+##	The role associated with the user domain.
+## </param>
+#
+template(`samba_per_userdomain_template',`
+	optional_policy(`
+		gen_require(`
+			type smbd_t;
+		')
+
+		userdom_manage_user_home_subdir_files($1,smbd_t)
+		userdom_manage_user_home_subdir_symlinks($1,smbd_t)
+		userdom_manage_user_home_subdir_sockets($1,smbd_t)
+		userdom_manage_user_home_subdir_pipes($1,smbd_t)
+		userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
+	')
+')
+
+########################################
+## <summary>
+##	Execute samba net in the samba_net domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`samba_domtrans_net',`
+	gen_require(`
+		type samba_net_t, samba_net_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1,samba_net_exec_t,samba_net_t)
+
+	allow $1 samba_net_t:fd use;
+	allow samba_net_t $1:fd use;
+	allow samba_net_t $1:fifo_file rw_file_perms;
+	allow samba_net_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute samba net in the samba_net domain, and
+##	allow the specified role the samba_net domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the samba_net domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the samba_net domain to use.
+## </param>
+#
+interface(`samba_run_net',`
+	gen_require(`
+		type samba_net_t;
+		class chr_file rw_term_perms;
+	')
+
+	samba_domtrans_net($1)
+	role $2 types samba_net_t;
+	allow samba_net_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute smbmount in the smbmount domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`samba_domtrans_smbmount',`
+	gen_require(`
+		type smbmount_t, smbmount_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	corecmd_search_bin($1)
+	domain_auto_trans($1,smbmount_exec_t,smbmount_t)
+
+	allow $1 smbmount_t:fd use;
+	allow smbmount_t $1:fd use;
+	allow smbmount_t $1:fifo_file rw_file_perms;
+	allow smbmount_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	samba configuration files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`samba_read_config',`
+	gen_require(`
+		type samba_etc_t;
+		class file { read getattr lock };
+	')
+
+	files_search_etc($1)
+	allow $1 samba_etc_t:file { read getattr lock };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	and write samba configuration files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`samba_rw_config',`
+	gen_require(`
+		type samba_etc_t;
+		class file rw_file_perms;
+	')
+
+	files_search_etc($1)
+	allow $1 samba_etc_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read samba's log files.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`samba_read_log',`
+	gen_require(`
+		type samba_log_t;
+		class file { read getattr lock };
+	')
+
+	logging_search_logs($1)
+	allow $1 samba_log_t:file { read getattr lock };
+')
+
+########################################
+## <summary>
+##	Execute samba log in the caller domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`samba_exec_log',`
+	gen_require(`
+		type samba_log_t;
+	')
+
+	logging_search_logs($1)
+	can_exec($1,samba_log_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read samba's secrets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`samba_read_secrets',`
+	gen_require(`
+		type samba_secrets_t;
+		class file { read getattr lock };
+	')
+
+	files_search_etc($1)
+	allow $1 samba_secrets_t:file { read getattr lock };
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to write to smbmount tcp sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`samba_write_smbmount_tcp_socket',`
+	gen_require(`
+		type smbmount_t;
+		class tcp_socket write;
+	')
+
+	allow $1 smbmount_t:tcp_socket write;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read and write to smbmount tcp sockets.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`samba_rw_smbmount_tcp_socket',`
+	gen_require(`
+		type smbmount_t;
+		class tcp_socket { read write };
+	')
+
+	allow $1 smbmount_t:tcp_socket { read write };
+')
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
new file mode 100644
index 0000000..c56c5a3
--- /dev/null
+++ b/refpolicy/policy/modules/services/samba.te
@@ -0,0 +1,467 @@
+
+policy_module(samba,1.0)
+
+#################################
+#
+# Declarations
+#
+
+type nmbd_t;
+type nmbd_exec_t;
+init_daemon_domain(nmbd_t,nmbd_exec_t)
+
+type nmbd_var_run_t;
+files_pid_file(nmbd_var_run_t)
+
+type samba_etc_t; #, usercanread;
+files_type(samba_etc_t)
+
+type samba_log_t, logfile;
+files_type(samba_log_t)
+
+type samba_net_t;
+domain_type(samba_net_t)
+
+type samba_net_exec_t;
+domain_entry_file(samba_net_t,samba_net_exec_t)
+
+type samba_net_tmp_t;
+files_tmp_file(samba_net_tmp_t)
+
+type samba_secrets_t;
+files_type(samba_secrets_t)
+
+type samba_share_t; #, customizable;
+files_type(samba_share_t)
+
+type samba_var_t;
+files_type(samba_var_t)
+
+type smbd_t;
+type smbd_exec_t;
+init_daemon_domain(smbd_t,smbd_exec_t)
+
+type smbd_tmp_t;
+files_tmp_file(smbd_tmp_t)
+
+type smbd_var_run_t;
+files_pid_file(smbd_var_run_t)
+
+type smbmount_t;
+domain_type(smbmount_t)
+
+type smbmount_exec_t;
+domain_entry_file(smbmount_t,smbmount_exec_t)
+
+########################################
+#
+# Samba net local policy
+#
+
+allow samba_net_t self:unix_dgram_socket create_socket_perms;
+allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
+allow samba_net_t self:udp_socket create_socket_perms;
+allow samba_net_t self:tcp_socket create_socket_perms;
+
+allow samba_net_t samba_etc_t:file r_file_perms;
+
+allow samba_net_t samba_secrets_t:file create_file_perms;
+allow samba_net_t samba_etc_t:dir rw_dir_perms;
+type_transition samba_net_t samba_etc_t:file samba_secrets_t;
+
+allow samba_net_t samba_net_tmp_t:dir create_dir_perms;
+allow samba_net_t samba_net_tmp_t:file create_file_perms;
+files_create_tmp_files(samba_net_t, samba_net_tmp_t, { file dir })
+
+allow samba_net_t samba_var_t:dir rw_dir_perms;
+allow samba_net_t samba_var_t:lnk_file create_lnk_perms;
+allow samba_net_t samba_var_t:file create_lnk_perms;
+
+kernel_read_proc_symlinks(samba_net_t)
+
+corenet_tcp_sendrecv_all_if(samba_net_t)
+corenet_udp_sendrecv_all_if(samba_net_t)
+corenet_raw_sendrecv_all_if(samba_net_t)
+corenet_tcp_sendrecv_all_nodes(samba_net_t)
+corenet_udp_sendrecv_all_nodes(samba_net_t)
+corenet_raw_sendrecv_all_nodes(samba_net_t)
+corenet_tcp_sendrecv_all_ports(samba_net_t)
+corenet_udp_sendrecv_all_ports(samba_net_t)
+corenet_tcp_bind_all_nodes(samba_net_t)
+corenet_udp_bind_all_nodes(samba_net_t)
+corenet_tcp_connect_smbd_port(samba_net_t)
+
+dev_read_urand(samba_net_t)
+
+domain_use_wide_inherit_fd(samba_net_t)
+
+files_read_etc_files(samba_net_t)
+
+libs_use_ld_so(samba_net_t)
+libs_use_shared_libs(samba_net_t)
+
+miscfiles_read_localization(samba_net_t) 
+
+sysnet_read_config(samba_net_t)
+
+userdom_dontaudit_search_sysadm_home_dir(samba_net_t)
+
+optional_policy(`kerberos.te',`
+	kerberos_use(samba_net_t)
+')
+
+optional_policy(`ldap.te',`
+	allow samba_net_t self:tcp_socket create_socket_perms;
+	corenet_tcp_sendrecv_all_if(samba_net_t)
+	corenet_raw_sendrecv_all_if(samba_net_t)
+	corenet_tcp_sendrecv_all_nodes(samba_net_t)
+	corenet_raw_sendrecv_all_nodes(samba_net_t)
+	corenet_tcp_sendrecv_ldap_port(samba_net_t)
+	corenet_tcp_bind_all_nodes(samba_net_t)
+	sysnet_read_config(samba_net_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(samba_net_t)
+')
+
+########################################
+#
+# smbd Local policy
+#
+allow smbd_t self:capability { setgid setuid sys_resource lease dac_override dac_read_search };
+dontaudit smbd_t self:capability sys_tty_config;
+allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow smbd_t self:fd use;
+allow smbd_t self:fifo_file rw_file_perms;
+allow smbd_t self:msg { send receive };
+allow smbd_t self:msgq create_msgq_perms;
+allow smbd_t self:sem create_sem_perms;
+allow smbd_t self:shm create_shm_perms;
+allow smbd_t self:sock_file r_file_perms;
+allow smbd_t self:tcp_socket create_stream_socket_perms;
+allow smbd_t self:udp_socket create_socket_perms;
+allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow smbd_t samba_etc_t:dir rw_dir_perms;
+allow smbd_t samba_etc_t:file r_file_perms;
+
+allow smbd_t samba_log_t:dir ra_dir_perms;
+dontaudit smbd_t samba_log_t:dir remove_name;
+allow smbd_t samba_log_t:file { create ra_file_perms };
+
+allow smbd_t samba_secrets_t:dir rw_dir_perms;
+allow smbd_t samba_secrets_t:file create_file_perms;
+type_transition smbd_t samba_etc_t:file samba_secrets_t;
+
+allow smbd_t samba_share_t:dir create_dir_perms;
+allow smbd_t samba_share_t:file create_file_perms;
+allow smbd_t samba_share_t:lnk_file create_lnk_perms;
+
+allow smbd_t samba_var_t:dir create_dir_perms;
+allow smbd_t samba_var_t:file create_file_perms;
+allow smbd_t samba_var_t:lnk_file create_lnk_perms;
+allow smbd_t samba_var_t:sock_file create_file_perms;
+
+allow smbd_t smbd_tmp_t:dir create_dir_perms;
+allow smbd_t smbd_tmp_t:file create_file_perms;
+files_create_tmp_files(smbd_t, smbd_tmp_t, { file dir })
+
+allow smbd_t nmbd_var_run_t:file rw_file_perms;
+
+allow smbd_t smbd_var_run_t:dir create_dir_perms;
+allow smbd_t smbd_var_run_t:file create_file_perms;
+allow smbd_t smbd_var_run_t:sock_file create_file_perms;
+files_create_pid(smbd_t,smbd_var_run_t)
+
+kernel_getattr_core(smbd_t)
+kernel_getattr_message_if(smbd_t)
+kernel_read_network_state(smbd_t)
+kernel_read_kernel_sysctl(smbd_t)
+kernel_read_software_raid_state(smbd_t)
+kernel_read_system_state(smbd_t)
+
+corenet_tcp_sendrecv_all_if(smbd_t)
+corenet_udp_sendrecv_all_if(smbd_t)
+corenet_raw_sendrecv_all_if(smbd_t)
+corenet_tcp_sendrecv_all_nodes(smbd_t)
+corenet_udp_sendrecv_all_nodes(smbd_t)
+corenet_raw_sendrecv_all_nodes(smbd_t)
+corenet_tcp_sendrecv_all_ports(smbd_t)
+corenet_udp_sendrecv_all_ports(smbd_t)
+corenet_tcp_bind_all_nodes(smbd_t)
+corenet_udp_bind_all_nodes(smbd_t)
+corenet_tcp_bind_smbd_port(smbd_t)
+corenet_tcp_connect_ipp_port(smbd_t)
+
+dev_read_sysfs(smbd_t)
+dev_read_urand(smbd_t)
+
+fs_getattr_all_fs(smbd_t)
+fs_search_auto_mountpoints(smbd_t)
+
+term_dontaudit_use_console(smbd_t)
+
+auth_domtrans_chk_passwd(smbd_t)
+
+domain_use_wide_inherit_fd(smbd_t)
+
+files_list_var_lib(smbd_t)
+files_read_etc_files(smbd_t)
+files_read_etc_runtime_files(smbd_t)
+files_read_usr_files(smbd_t)
+files_search_spool(smbd_t)
+
+init_use_fd(smbd_t)
+init_use_script_pty(smbd_t)
+
+libs_use_ld_so(smbd_t)
+libs_use_shared_libs(smbd_t)
+
+logging_search_logs(smbd_t)
+logging_send_syslog_msg(smbd_t)
+
+miscfiles_read_localization(smbd_t)
+
+mount_send_nfs_client_request(smbd_t)
+
+sysnet_read_config(smbd_t)
+
+userdom_dontaudit_search_sysadm_home_dir(smbd_t)
+userdom_dontaudit_use_unpriv_user_fd(smbd_t)
+userdom_use_unpriv_users_fd(smbd_t)
+
+ifdef(`targeted_policy', `
+	files_dontaudit_read_root_file(smbd_t)
+	term_dontaudit_use_generic_pty(smbd_t)
+	term_dontaudit_use_unallocated_tty(smbd_t)
+')
+
+optional_policy(`kerberos.te',`
+	kerberos_use(smbd_t)
+')
+
+optional_policy(`ldap.te',`
+	allow smbd_t self:tcp_socket create_socket_perms;
+	corenet_tcp_sendrecv_all_if(smbd_t)
+	corenet_raw_sendrecv_all_if(smbd_t)
+	corenet_tcp_sendrecv_all_nodes(smbd_t)
+	corenet_raw_sendrecv_all_nodes(smbd_t)
+	corenet_tcp_sendrecv_ldap_port(smbd_t)
+	corenet_tcp_bind_all_nodes(smbd_t)
+	sysnet_read_config(smbd_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(smbd_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(smbd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(smbd_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(smbd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(smbd_t)
+')
+can_winbind(smbd_t)
+')
+
+########################################
+#
+# nmbd Local policy
+#
+dontaudit nmbd_t self:capability sys_tty_config;
+allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow nmbd_t self:fd use;
+allow nmbd_t self:fifo_file rw_file_perms;
+allow nmbd_t self:msg { send receive };
+allow nmbd_t self:msgq create_msgq_perms;
+allow nmbd_t self:sem create_sem_perms;
+allow nmbd_t self:shm create_shm_perms;
+allow nmbd_t self:sock_file r_file_perms;
+allow nmbd_t self:tcp_socket create_stream_socket_perms;
+allow nmbd_t self:udp_socket create_socket_perms;
+allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
+
+allow nmbd_t nmbd_var_run_t:file create_file_perms;
+files_create_pid(nmbd_t,nmbd_var_run_t)
+
+allow nmbd_t samba_etc_t:dir { search getattr };
+allow nmbd_t samba_etc_t:file { getattr read };
+
+allow nmbd_t samba_log_t:dir ra_dir_perms;
+allow nmbd_t samba_log_t:file { create ra_file_perms };
+
+allow nmbd_t samba_var_t:dir rw_dir_perms;
+allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
+
+allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+
+kernel_getattr_core(nmbd_t)
+kernel_getattr_message_if(nmbd_t)
+kernel_read_kernel_sysctl(nmbd_t)
+kernel_read_network_state(nmbd_t)
+kernel_read_software_raid_state(nmbd_t)
+kernel_read_system_state(nmbd_t)
+
+corenet_tcp_sendrecv_all_if(nmbd_t)
+corenet_raw_sendrecv_all_if(nmbd_t)
+corenet_tcp_sendrecv_all_nodes(nmbd_t)
+corenet_raw_sendrecv_all_nodes(nmbd_t)
+corenet_tcp_sendrecv_all_ports(nmbd_t)
+corenet_tcp_bind_all_nodes(nmbd_t)
+corenet_udp_bind_nmbd_port(nmbd_t)
+
+dev_read_sysfs(nmbd_t)
+
+fs_getattr_all_fs(nmbd_t)
+fs_search_auto_mountpoints(nmbd_t)
+
+term_dontaudit_use_console(nmbd_t)
+
+domain_use_wide_inherit_fd(nmbd_t)
+
+files_read_usr_files(nmbd_t)
+files_read_etc_files(nmbd_t)
+
+init_use_fd(nmbd_t)
+init_use_script_pty(nmbd_t)
+
+libs_use_ld_so(nmbd_t)
+libs_use_shared_libs(nmbd_t)
+
+logging_search_logs(nmbd_t)
+logging_send_syslog_msg(nmbd_t)
+
+miscfiles_read_localization(nmbd_t)
+
+sysnet_read_config(nmbd_t)
+
+userdom_dontaudit_search_sysadm_home_dir(nmbd_t)
+userdom_dontaudit_use_unpriv_user_fd(nmbd_t)
+userdom_use_unpriv_users_fd(nmbd_t)
+
+ifdef(`targeted_policy', `
+	files_dontaudit_read_root_file(nmbd_t)
+	term_dontaudit_use_generic_pty(nmbd_t)
+	term_dontaudit_use_unallocated_tty(nmbd_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(nmbd_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(nmbd_t)
+')
+
+optional_policy(`udev.te', `
+	udev_read_db(nmbd_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(nmbd_t)
+')
+')
+
+########################################
+#
+# smbmount Local policy
+#
+allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary?
+allow smbmount_t self:process { fork signal_perms };
+allow smbmount_t self:tcp_socket create_stream_socket_perms;
+allow smbmount_t self:udp_socket connect;
+allow smbmount_t self:unix_dgram_socket create_socket_perms;
+allow smbmount_t self:unix_stream_socket create_socket_perms;
+
+allow smbmount_t samba_etc_t:dir r_dir_perms;
+allow smbmount_t samba_etc_t:file r_file_perms;
+
+can_exec(smbmount_t, smbmount_exec_t)
+
+allow smbmount_t samba_log_t:dir r_dir_perms; 
+allow smbmount_t samba_log_t:file create_file_perms;
+
+allow smbmount_t samba_secrets_t:file create_file_perms;
+
+allow smbmount_t samba_var_t:dir rw_dir_perms;
+allow smbmount_t samba_var_t:file create_file_perms;
+allow smbmount_t samba_var_t:lnk_file create_lnk_perms;
+
+kernel_read_system_state(smbmount_t)
+
+corenet_tcp_sendrecv_all_if(smbmount_t)
+corenet_raw_sendrecv_all_if(smbmount_t)
+corenet_udp_sendrecv_all_if(smbmount_t)
+corenet_tcp_sendrecv_all_nodes(smbmount_t)
+corenet_raw_sendrecv_all_nodes(smbmount_t)
+corenet_udp_sendrecv_all_nodes(smbmount_t)
+corenet_tcp_sendrecv_all_ports(smbmount_t)
+corenet_udp_sendrecv_all_ports(smbmount_t)
+corenet_tcp_bind_all_nodes(smbmount_t)
+corenet_udp_bind_all_nodes(smbmount_t)
+corenet_tcp_connect_all_ports(smbmount_t)
+
+fs_getattr_cifs(smbmount_t)
+fs_mount_cifs(smbmount_t)
+fs_remount_cifs(smbmount_t)
+fs_unmount_cifs(smbmount_t)
+fs_list_cifs(smbmount_t)
+fs_read_cifs_files(smbmount_t)
+
+storage_raw_read_fixed_disk(smbmount_t)
+storage_raw_write_fixed_disk(smbmount_t)
+
+term_list_ptys(smbmount_t)
+term_use_controlling_term(smbmount_t)
+
+corecmd_list_bin(smbmount_t)
+
+files_list_mnt(smbmount_t)
+files_mounton_mnt(smbmount_t)
+files_manage_etc_runtime_files(smbmount_t)
+files_read_etc_files(smbmount_t)
+
+miscfiles_read_localization(smbmount_t)
+
+mount_use_fd(smbmount_t)
+mount_send_nfs_client_request(smbmount_t)
+
+libs_use_ld_so(smbmount_t)
+libs_use_shared_libs(smbmount_t)
+
+locallogin_use_fd(smbmount_t)
+
+logging_search_logs(smbmount_t)
+
+sysnet_read_config(smbmount_t)
+
+userdom_use_all_user_fd(smbmount_t)
+userdom_use_sysadm_tty(smbmount_t)
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(smbmount_t)
+')
+
+optional_policy(`nscd.te',`
+	nscd_use_socket(smbmount_t)
+')
+
+ifdef(`TODO',`
+ifdef(`cups.te', `
+	allow smbd_t cupsd_rw_etc_t:file { getattr read };
+')
+')
diff --git a/refpolicy/policy/modules/system/files.fc b/refpolicy/policy/modules/system/files.fc
index 3430a3c..970538e 100644
--- a/refpolicy/policy/modules/system/files.fc
+++ b/refpolicy/policy/modules/system/files.fc
@@ -11,6 +11,7 @@ ifdef(`distro_redhat',`
 /fastboot 		--	context_template(system_u:object_r:etc_runtime_t,s0)
 /forcefsck 		--	context_template(system_u:object_r:etc_runtime_t,s0)
 /fsckoptions 		--	context_template(system_u:object_r:etc_runtime_t,s0)
+/halt			--	context_template(system_u:object_r:etc_runtime_t,s0)
 /poweroff		--	context_template(system_u:object_r:etc_runtime_t,s0)
 ')
 
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 13d3883..9c57f5b 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1371,6 +1371,23 @@ interface(`files_list_mnt',`
 
 ########################################
 ## <summary>
+##	Mount a filesystem on /mnt.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`files_mounton_mnt',`
+	gen_require(`
+		type mnt_t;
+		class dir { search mounton };
+	')
+
+	allow $1 mnt_t:dir { search mounton };
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete directories in /mnt.
 ## </summary>
 ## <param name="domain">
diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc
index c85ca5a..a89151f 100644
--- a/refpolicy/policy/modules/system/init.fc
+++ b/refpolicy/policy/modules/system/init.fc
@@ -1,13 +1,5 @@
 
 #
-# /
-#
-ifdef(`distro_redhat', `
-/\.autofsck		--	context_template(system_u:object_r:etc_runtime_t,s0)
-/halt			--	context_template(system_u:object_r:etc_runtime_t,s0)
-')
-
-#
 # /etc
 #
 /etc/init\.d/.*		--	context_template(system_u:object_r:initrc_exec_t,s0)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index ad8c451..9941b9c 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -490,6 +490,10 @@ optional_policy(`rpm.te',`
 	rpm_manage_db(initrc_t)
 ')
 
+optional_policy(`samba.te',`
+	samba_rw_config(initrc_t)
+')
+
 optional_policy(`squid.te',`
 	squid_read_config(initrc_t)
 	squid_manage_logs(initrc_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 47c9f28..d7ecfc7 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -120,6 +120,10 @@ optional_policy(`rpm.te', `
 	rpm_rw_pipe(mount_t)
 ')
 
+optional_policy(`samba.te',`
+	samba_domtrans_smbmount(mount_t)
+')
+
 ifdef(`TODO',`
 # this goes to the nfs/rpc module
 files_mountpoint(var_lib_nfs_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 375092f..0e91736 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1014,6 +1014,118 @@ template(`userdom_manage_user_home_subdir_symlinks',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete named pipes
+##	in a user home subdirectory.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete named pipes
+##	in a user home subdirectory.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+template(`userdom_manage_user_home_subdir_pipes',`
+	gen_require(`
+		class dir rw_dir_perms;
+		class fifo_file create_file_perms;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir search;
+	allow $2 $1_home_t:dir rw_dir_perms;
+	allow $2 $1_home_t:fifo_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete named sockets
+##	in a user home subdirectory.
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete named sockets
+##	in a user home subdirectory.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+template(`userdom_manage_user_home_subdir_sockets',`
+	gen_require(`
+		class dir rw_dir_perms;
+		class sock_file create_file_perms;
+	')
+
+	files_search_home($2)
+	allow $2 $1_home_dir_t:dir search;
+	allow $2 $1_home_t:dir rw_dir_perms;
+	allow $2 $1_home_t:sock_file create_file_perms;
+')
+
+########################################
+## <summary>
+##	
+## </summary>
+## <desc>
+##	<p>
+##	Create, read, write, and delete named sockets
+##	in a user home subdirectory.
+##	</p>
+##	<p>
+##	This is a templated interface, and should only
+##	be called from a per-userdomain template.
+##	</p>
+## </desc>
+## <param name="userdomain_prefix">
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+## </param>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="object_class" optional="true">
+##	The class of the object to be created.  If not
+##	specified, file is used.
+## </param>
+#
+template(`userdom_create_user_home',`
+	gen_require(`
+		class dir rw_dir_perms;
+	')
+
+	files_search_home($2)
+
+	allow $2 $1_home_dir_t:dir rw_dir_perms;
+
+	ifelse(`$3',`',`
+		type_transition $2 $1_home_dir_t:file $1_home_t;
+	',`
+		type_transition $2 $1_home_dir_t:$3 $1_home_t;
+	')
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete user
 ##	temporary directories.
 ## </summary>
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 1719c11..8438dd5 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -202,6 +202,10 @@ ifdef(`targeted_policy',`
 		rpm_run(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`samba.te',`
+		samba_run_net(sysadm_t,sysadm_r,admin_terminal)
+	')
+
 	optional_policy(`selinuxutil.te',`
 		seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal)
 		seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)

More information about the scm-commits mailing list