[selinux-policy: 822/3172] fix most of samba

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:16:08 UTC 2010


commit 67167371a5ac3b5eb45fffa7300fc981d1acc34d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Oct 24 21:33:46 2005 +0000

    fix most of samba

 refpolicy/Makefile                            |    2 +-
 refpolicy/policy/global_tunables              |    7 +++
 refpolicy/policy/modules/admin/firstboot.te   |   16 ++++----
 refpolicy/policy/modules/admin/usermanage.te  |    6 +-
 refpolicy/policy/modules/kernel/terminal.if   |    1 +
 refpolicy/policy/modules/services/ftp.te      |    2 +-
 refpolicy/policy/modules/services/samba.if    |   12 +++--
 refpolicy/policy/modules/services/samba.te    |   18 +++++++-
 refpolicy/policy/modules/services/squid.if    |   57 +++++++++++++++++++++++++
 refpolicy/policy/modules/system/miscfiles.if  |    8 ++--
 refpolicy/policy/modules/system/unconfined.te |    8 ++--
 refpolicy/policy/modules/system/userdomain.if |   16 ++++----
 refpolicy/policy/modules/system/userdomain.te |   16 +++++--
 13 files changed, 127 insertions(+), 42 deletions(-)
---
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 6f3ac9f..c49cfdb 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -71,7 +71,7 @@ MONOLITHIC=y
 PREFIX := /usr
 BINDIR := $(PREFIX)/bin
 SBINDIR := $(PREFIX)/sbin
-CHECKPOLICY := $(BINDIR)/checkpolicy
+CHECKPOLICY := /tmp/$(BINDIR)/checkpolicy
 CHECKMODULE := $(BINDIR)/checkmodule
 SEMOD_PKG := $(BINDIR)/semodule_package
 LOADPOLICY := $(SBINDIR)/load_policy
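Review bot: The new `CHECKPOLICY := /tmp/$(BINDIR)/checkpolicy` makes the build run the policy compiler from under /tmp, a world-writable directory, so the binary that compiles the policy is no longer one that only root can install. It looks like a local test override that was committed with the samba work, since CHECKMODULE, SEMOD_PKG and LOADPOLICY on the neighbouring lines still use the plain prefix. I would restore `CHECKPOLICY := $(BINDIR)/checkpolicy` and leave such overrides to the command line (`make CHECKPOLICY=...`).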
diff --git a/refpolicy/policy/global_tunables b/refpolicy/policy/global_tunables
index 68f3292..a834ead 100644
--- a/refpolicy/policy/global_tunables
+++ b/refpolicy/policy/global_tunables
@@ -36,6 +36,10 @@ gen_tunable(allow_kerberos,false)
 ## Allow sasl to read shadow
 gen_tunable(allow_saslauthd_read_shadow,false)
 
+## Allow samba to modify public files
+## used for public file transfer services.
+gen_tunable(allow_smbd_anon_write,false)
+
 ## allow host key based authentication
 gen_tunable(allow_ssh_keysign,false)
 
@@ -110,6 +114,9 @@ gen_tunable(read_untrusted_content,false)
 ## Allow ssh to run from inetd instead of as a daemon.
 gen_tunable(run_ssh_inetd,false)
 
+## Allow samba to export user home directories.
+gen_tunable(samba_enable_home_dirs,false)
+
 ## Allow user spamassassin clients to use the network.
 gen_tunable(spamassassin_can_network,false)
 
diff --git a/refpolicy/policy/modules/admin/firstboot.te b/refpolicy/policy/modules/admin/firstboot.te
index 3b952d9..7534083 100644
--- a/refpolicy/policy/modules/admin/firstboot.te
+++ b/refpolicy/policy/modules/admin/firstboot.te
@@ -98,14 +98,14 @@ modutils_read_module_conf(firstboot_t)
 modutils_read_mods_deps(firstboot_t)
 
 # Add/remove user home directories
-userdom_create_user_home_dir(firstboot_t)
-userdom_manage_user_home_dir(firstboot_t)
-userdom_create_user_home(firstboot_t,{ dir file lnk_file fifo_file sock_file })
-userdom_manage_user_home_dirs(firstboot_t)
-userdom_manage_user_home_files(firstboot_t)
-userdom_manage_user_home_symlinks(firstboot_t)
-userdom_manage_user_home_pipes(firstboot_t)
-userdom_manage_user_home_sockets(firstboot_t)
+userdom_create_generic_user_home_dir(firstboot_t)
+userdom_manage_generic_user_home_dir(firstboot_t)
+userdom_create_generic_user_home(firstboot_t,{ dir file lnk_file fifo_file sock_file })
+userdom_manage_generic_user_home_dirs(firstboot_t)
+userdom_manage_generic_user_home_files(firstboot_t)
+userdom_manage_generic_user_home_symlinks(firstboot_t)
+userdom_manage_generic_user_home_pipes(firstboot_t)
+userdom_manage_generic_user_home_sockets(firstboot_t)
 
 ifdef(`targeted_policy',`
 	unconfined_domtrans(firstboot_t)
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 920f280..13690fe 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -517,9 +517,9 @@ userdom_use_unpriv_users_fd(useradd_t)
 # for when /root is the cwd
 userdom_dontaudit_search_sysadm_home_dir(useradd_t)
 # Add/remove user home directories
-userdom_create_user_home_dir(useradd_t)
-userdom_manage_user_home_dir(useradd_t)
-userdom_create_user_home(useradd_t,notdevfile_class_set)
+userdom_create_generic_user_home_dir(useradd_t)
+userdom_manage_generic_user_home_dir(useradd_t)
+userdom_create_generic_user_home(useradd_t,notdevfile_class_set)
 
 mta_manage_spool(useradd_t)
 
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index ddac65b..fd5eced 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -332,6 +332,7 @@ interface(`term_use_generic_pty',`
 	')
 
 	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir list_dir_perms;
 	allow $1 devpts_t:chr_file { rw_term_perms lock append };
 ')
 
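Review bot: The added `allow $1 devpts_t:dir list_dir_perms;` widens `term_use_generic_pty` for every caller of the interface, not only for the samba domains this commit is about. The interface's summary block lies above the hunk; if it still describes only reading and writing the generic pty, it should mention the directory listing too, e.g. `##	Read and write the generic pty type, and list the devpts directory.`. If only the new samba_net_t caller needs the listing (an inference from the samba.te change), a separate interface would keep the other callers at their current access.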
diff --git a/refpolicy/policy/modules/services/ftp.te b/refpolicy/policy/modules/services/ftp.te
index bce55f0..d3364c5 100644
--- a/refpolicy/policy/modules/services/ftp.te
+++ b/refpolicy/policy/modules/services/ftp.te
@@ -145,7 +145,7 @@ tunable_policy(`ftp_home_dir',`
 	userdom_manage_all_user_symlinks(ftpd_t)
 
 	ifdef(`targeted_policy',`
-		userdom_create_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
+		userdom_create_generic_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
 	')
 ')
 
diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if
index 8346be6..558b4ee 100644
--- a/refpolicy/policy/modules/services/samba.if
+++ b/refpolicy/policy/modules/services/samba.if
@@ -30,11 +30,13 @@ template(`samba_per_userdomain_template',`
 		type smbd_t;
 	')
 
-	userdom_manage_user_home_subdir_files($1,smbd_t)
-	userdom_manage_user_home_subdir_symlinks($1,smbd_t)
-	userdom_manage_user_home_subdir_sockets($1,smbd_t)
-	userdom_manage_user_home_subdir_pipes($1,smbd_t)
-#	userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
+	tunable_policy(`samba_enable_home_dirs',`
+		userdom_manage_user_home_subdir_files($1,smbd_t)
+		userdom_manage_user_home_subdir_symlinks($1,smbd_t)
+		userdom_manage_user_home_subdir_sockets($1,smbd_t)
+		userdom_manage_user_home_subdir_pipes($1,smbd_t)
+		userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
+	')
 ')
 
 ########################################
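Review bot: The call `userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })` was commented out before and is now live, yet this same commit renames the two-argument `userdom_create_user_home` in userdomain.if to `userdom_create_generic_user_home`. No three-argument, per-prefix `userdom_create_user_home` is defined in any hunk shown, so unless one already exists elsewhere in userdomain.if the macro will not expand and the policy is likely to fail to compile once the template is instantiated. Please confirm the definition exists, or keep the line commented as it was. The template's doc block starts above the hunk and should also say that the home-directory access is now conditional on `samba_enable_home_dirs`.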
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 44119dc..c6e77e8 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -121,12 +121,19 @@ files_read_etc_files(samba_net_t)
 libs_use_ld_so(samba_net_t)
 libs_use_shared_libs(samba_net_t)
 
+logging_send_syslog_msg(samba_net_t)
+
 miscfiles_read_localization(samba_net_t) 
 
 sysnet_read_config(samba_net_t)
 
 userdom_dontaudit_search_sysadm_home_dir(samba_net_t)
 
+ifdef(`targeted_policy',`
+	term_use_generic_pty(samba_net_t)
+	term_use_unallocated_tty(samba_net_t)
+')
+
 optional_policy(`kerberos.te',`
 	kerberos_use(samba_net_t)
 ')
@@ -254,6 +261,7 @@ logging_search_logs(smbd_t)
 logging_send_syslog_msg(smbd_t)
 
 miscfiles_read_localization(smbd_t)
+miscfiles_read_public_files(smbd_t)
 
 mount_send_nfs_client_request(smbd_t)
 
@@ -269,6 +277,10 @@ ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(smbd_t)
 ')
 
+tunable_policy(`allow_smbd_anon_write',`
+	miscfiles_manage_public_files(smbd_t)
+') 
+
 optional_policy(`kerberos.te',`
 	kerberos_use(smbd_t)
 ')
@@ -293,7 +305,6 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(smbd_t)
 ')
-anonymous_domain(smbd)
 ifdef(`hide_broken_symptoms', `
 dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr;
 dontaudit smbd_t devpts_t:dir getattr;
@@ -648,6 +659,7 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(winbind_helper_t)
 ')
 
-ifdef(`TODO',`
-allow winbind_helper_t squid_log_t:file ra_file_perms;
+optional_policy(`squid.te',`
+	squid_read_log(winbind_helper_t)
+	squid_append_log(winbind_helper_t)
 ')
diff --git a/refpolicy/policy/modules/services/squid.if b/refpolicy/policy/modules/services/squid.if
index a5bdc54..397a3a6 100644
--- a/refpolicy/policy/modules/services/squid.if
+++ b/refpolicy/policy/modules/services/squid.if
@@ -66,6 +66,63 @@ interface(`squid_manage_logs',`
 
 ########################################
 ## <summary>
+##	Append squid logs.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`squid_read_log',`
+	gen_require(`
+		type squid_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 squid_log_t:dir search_dir_perms;
+	allow $1 squid_log_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Append squid logs.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`squid_append_log',`
+	gen_require(`
+		type squid_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 squid_log_t:dir search_dir_perms;
+	allow $1 squid_log_t:file { getattr append };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	squid logs.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`squid_manage_logs',`
+	gen_require(`
+		type squid_log_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	logging_search_logs($1)
+	allow $1 squid_log_t:dir rw_dir_perms;
+	allow $1 squid_log_t:file create_file_perms;
+')
+
+########################################
+## <summary>
 ##	Use squid services by connecting over TCP.
 ## </summary>
 ## <param name="domain">
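Review bot: The hunk adds a second `squid_manage_logs` interface although the hunk header shows that interface already defined directly above the insertion point, so the file ends up with two definitions of the same name; depending on how the interface macro expands, the later one would shadow the earlier, and the new copy should be dropped. The summary for `squid_read_log` is also a copy of the append text: it reads `##	Append squid logs.` while the body grants `r_file_perms`, and should be `##	Read squid logs.`. Getting the summary right matters here because callers pick interfaces by their documented access.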
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index d8970e4..bd6cfae 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
@@ -183,12 +183,12 @@ interface(`miscfiles_manage_man_pages',`
 #
 interface(`miscfiles_read_public_files',`
 	gen_require(`
-		type public_content_t;
+		type public_content_t, public_content_rw_t;
 	')
 
-	allow $1 public_content_t:dir r_dir_perms;
-	allow $1 public_content_t:file r_file_perms;
-	allow $1 public_content_t:lnk_file { getattr read };
+	allow $1 { public_content_t public_content_rw_t }:dir r_dir_perms;
+	allow $1 { public_content_t public_content_rw_t }:file r_file_perms;
+	allow $1 { public_content_t public_content_rw_t }:lnk_file { getattr read };
 ')
 
 ########################################
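Review bot: `miscfiles_read_public_files` now also grants read access to `public_content_rw_t`, which changes what every existing caller can read, but the interface summary is not touched by the hunk. I would state both types there, for example `##	Read public files used for file transfer services, including the writable public content type.`. The interface header starts above the hunk, so its current wording is not visible here.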
diff --git a/refpolicy/policy/modules/system/unconfined.te b/refpolicy/policy/modules/system/unconfined.te
index 6e5acc9..01962c1 100644
--- a/refpolicy/policy/modules/system/unconfined.te
+++ b/refpolicy/policy/modules/system/unconfined.te
@@ -35,16 +35,16 @@ ifdef(`targeted_policy',`
 
 	userdom_unconfined(unconfined_t)
 
+	optional_policy(`samba.te',`
+		samba_domtrans_net(unconfined_t)
+	')
+
 	optional_policy(`su.te',`
 		su_per_userdomain_template(sysadm,unconfined_t,system_r)
 	')
 
 	ifdef(`TODO',`
-	ifdef(`samba.te', `samba_domain(user)')
-
 	ifdef(`use_mcs',`
-	domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
-	can_exec(sysadm_su_t, bin_t)
 	rw_dir_create_file(sysadm_su_t, home_dir_type)
 	')
 
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index a1b75af..57edcc1 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -2058,7 +2058,7 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_create_user_home_dir',`
+interface(`userdom_create_generic_user_home_dir',`
 	gen_require(`
 		type user_home_dir_t;
 	')
@@ -2075,7 +2075,7 @@ interface(`userdom_create_user_home_dir',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_manage_user_home_dir',`
+interface(`userdom_manage_generic_user_home_dir',`
 	gen_require(`
 		type user_home_dir_t;
 	')
@@ -2096,7 +2096,7 @@ interface(`userdom_manage_user_home_dir',`
 ##	If not specified, file is used.
 ## </param>
 #
-interface(`userdom_create_user_home',`
+interface(`userdom_create_generic_user_home',`
 	gen_require(`
 		type user_home_dir_t, user_home_t;
 	')
@@ -2135,7 +2135,7 @@ interface(`userdom_dontaudit_search_user_home_dirs',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_manage_user_home_dirs',`
+interface(`userdom_manage_generic_user_home_dirs',`
 	gen_require(`
 		type user_home_t;
 	')
@@ -2152,7 +2152,7 @@ interface(`userdom_manage_user_home_dirs',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_manage_user_home_files',`
+interface(`userdom_manage_generic_user_home_files',`
 	gen_require(`
 		type user_home_t;
 	')
@@ -2170,7 +2170,7 @@ interface(`userdom_manage_user_home_files',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_manage_user_home_symlinks',`
+interface(`userdom_manage_generic_user_home_symlinks',`
 	gen_require(`
 		type user_home_t;
 	')
@@ -2188,7 +2188,7 @@ interface(`userdom_manage_user_home_symlinks',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_manage_user_home_pipes',`
+interface(`userdom_manage_generic_user_home_pipes',`
 	gen_require(`
 		type user_home_t;
 	')
@@ -2206,7 +2206,7 @@ interface(`userdom_manage_user_home_pipes',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_manage_user_home_sockets',`
+interface(`userdom_manage_generic_user_home_sockets',`
 	gen_require(`
 		type user_home_t;
 	')
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index e23c94d..dca39b7 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -71,9 +71,17 @@ ifdef(`targeted_policy',`
 	allow system_r sysadm_r;
 	allow system_r sysadm_r;
 
-	ifdef(`TODO',`
-	allow privhome home_root_t:dir { getattr search };
-	file_type_auto_trans(privhome, user_home_dir_t, user_home_t)
+	allow privhome user_home_t:dir manage_dir_perms;
+	allow privhome user_home_t:file create_file_perms;
+	allow privhome user_home_t:lnk_file create_lnk_perms;
+	allow privhome user_home_t:fifo_file create_file_perms;
+	allow privhome user_home_t:sock_file create_file_perms;
+	allow privhome user_home_dir_t:dir rw_dir_perms;
+	type_transition privhome user_home_dir_t:{ dir file lnk_file fifo_file sock_file } user_home_t;
+	files_search_home(privhome)
+
+	optional_policy(`samba.te',`
+		samba_per_userdomain_template(user)
 	')
 ',`
 	admin_user_template(sysadm)
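Review bot: The new `allow privhome user_home_t:...` rules and the `type_transition` sit directly in the targeted branch and are unconditional, so every domain carrying the `privhome` attribute can create and delete files, symlinks, pipes and sockets in user home directories regardless of `samba_enable_home_dirs`. Which domains carry `privhome` is not visible in this diff; if smbd_t or another network-facing daemon does, the tunable added in global_tunables would no longer limit its home-directory access in targeted policy. A comment above the block, such as `# privhome domains may manage generic user home content (targeted policy only)`, would record the intent, and the grant could be moved under the relevant tunables if the broad access is not intended. The enclosing `ifdef` starts before the hunk.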
@@ -95,9 +103,7 @@ ifdef(`targeted_policy',`
 		role_change(user,sysadm)
 	')
 
-	ifdef(`TODO',`
 	allow privhome home_root_t:dir { getattr search };
-	')
 
 	########################################
 	#
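Review bot: The strict-policy branch now enables `allow privhome home_root_t:dir { getattr search };` as a raw rule naming `home_root_t` directly, while the targeted branch in the previous hunk uses `files_search_home(privhome)` for what looks like the same access. Using the interface here as well, `files_search_home(privhome)`, keeps the two branches consistent and avoids referencing another module's type from userdomain.te. The enclosing `ifdef` starts and ends outside the hunk.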

