226 lines
6.7 KiB
Plaintext
226 lines
6.7 KiB
Plaintext
|
#DESC SAMBA - SMB file server
|
||
|
#
|
||
|
# Author: Ryan Bergauer (bergauer@rice.edu)
|
||
|
# X-Debian-Packages: samba
|
||
|
#
|
||
|
|
||
|
#################################
|
||
|
#
|
||
|
# Declarations for Samba
|
||
|
#
|
||
|
|
||
|
daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
|
||
|
daemon_domain(nmbd)
|
||
|
type samba_etc_t, file_type, sysadmfile, usercanread;
|
||
|
type samba_log_t, file_type, sysadmfile, logfile;
|
||
|
type samba_var_t, file_type, sysadmfile;
|
||
|
type samba_share_t, file_type, sysadmfile, customizable;
|
||
|
type samba_secrets_t, file_type, sysadmfile;
|
||
|
|
||
|
# for /var/run/samba/messages.tdb
|
||
|
allow smbd_t nmbd_var_run_t:file rw_file_perms;
|
||
|
|
||
|
allow smbd_t self:process setrlimit;
|
||
|
|
||
|
# not sure why it needs this
|
||
|
tmp_domain(smbd)
|
||
|
|
||
|
# Allow samba to search mnt_t for potential mounted dirs
|
||
|
allow smbd_t mnt_t:dir r_dir_perms;
|
||
|
|
||
|
ifdef(`crond.te', `
|
||
|
allow system_crond_t samba_etc_t:file { read getattr lock };
|
||
|
allow system_crond_t samba_log_t:file { read getattr lock };
|
||
|
#allow system_crond_t samba_secrets_t:file { read getattr lock };
|
||
|
')
|
||
|
|
||
|
#################################
|
||
|
#
|
||
|
# Rules for the smbd_t domain.
|
||
|
#
|
||
|
|
||
|
# Permissions normally found in every_domain.
|
||
|
general_domain_access(smbd_t)
|
||
|
general_proc_read_access(smbd_t)
|
||
|
|
||
|
allow smbd_t smbd_port_t:tcp_socket name_bind;
|
||
|
|
||
|
# Use capabilities.
|
||
|
allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
|
||
|
|
||
|
# Use the network.
|
||
|
can_network(smbd_t)
|
||
|
nsswitch_domain(smbd_t)
|
||
|
can_kerberos(smbd_t)
|
||
|
allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
|
||
|
|
||
|
allow smbd_t urandom_device_t:chr_file { getattr read };
|
||
|
|
||
|
# Permissions for Samba files in /etc/samba
|
||
|
# either allow read access to the directory or allow the auto_trans rule to
|
||
|
# allow creation of the secrets.tdb file and the MACHINE.SID file
|
||
|
#allow smbd_t samba_etc_t:dir { search getattr };
|
||
|
file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)
|
||
|
|
||
|
allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
|
||
|
|
||
|
# Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
|
||
|
allow smbd_t var_lib_t:dir search;
|
||
|
create_dir_file(smbd_t, samba_var_t)
|
||
|
|
||
|
# Needed for shared printers
|
||
|
allow smbd_t var_spool_t:dir search;
|
||
|
|
||
|
# Permissions to write log files.
|
||
|
allow smbd_t samba_log_t:file { create ra_file_perms };
|
||
|
allow smbd_t var_log_t:dir search;
|
||
|
allow smbd_t samba_log_t:dir ra_dir_perms;
|
||
|
dontaudit smbd_t samba_log_t:dir remove_name;
|
||
|
|
||
|
ifdef(`hide_broken_symptoms', `
|
||
|
dontaudit smbd_t { usbfs_t security_t devpts_t boot_t default_t tmpfs_t }:dir getattr;
|
||
|
dontaudit smbd_t devpts_t:dir getattr;
|
||
|
')
|
||
|
allow smbd_t fs_t:filesystem quotaget;
|
||
|
|
||
|
allow smbd_t usr_t:file { getattr read };
|
||
|
|
||
|
# Access Samba shares.
|
||
|
create_dir_file(smbd_t, samba_share_t)
|
||
|
anonymous_domain(smbd)
|
||
|
|
||
|
ifdef(`logrotate.te', `
|
||
|
# the application should be changed
|
||
|
can_exec(logrotate_t, samba_log_t)
|
||
|
')
|
||
|
#################################
|
||
|
#
|
||
|
# Rules for the nmbd_t domain.
|
||
|
#
|
||
|
|
||
|
# Permissions normally found in every_domain.
|
||
|
general_domain_access(nmbd_t)
|
||
|
general_proc_read_access(nmbd_t)
|
||
|
|
||
|
allow nmbd_t nmbd_port_t:udp_socket name_bind;
|
||
|
|
||
|
# Use capabilities.
|
||
|
allow nmbd_t self:capability net_bind_service;
|
||
|
|
||
|
# Use the network.
|
||
|
can_network_server(nmbd_t)
|
||
|
|
||
|
# Permissions for Samba files in /etc/samba
|
||
|
allow nmbd_t samba_etc_t:file { getattr read };
|
||
|
allow nmbd_t samba_etc_t:dir { search getattr };
|
||
|
|
||
|
# Permissions for Samba cache files in /var/cache/samba
|
||
|
allow nmbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
|
||
|
allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
|
||
|
|
||
|
allow nmbd_t usr_t:file { getattr read };
|
||
|
|
||
|
# Permissions to write log files.
|
||
|
allow nmbd_t samba_log_t:file { create ra_file_perms };
|
||
|
allow nmbd_t var_log_t:dir search;
|
||
|
allow nmbd_t samba_log_t:dir ra_dir_perms;
|
||
|
allow nmbd_t etc_t:file { getattr read };
|
||
|
ifdef(`cups.te', `
|
||
|
allow smbd_t cupsd_rw_etc_t:file { getattr read };
|
||
|
')
|
||
|
# Needed for winbindd
|
||
|
allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
|
||
|
|
||
|
# Support Samba sharing of home directories
|
||
|
bool samba_enable_home_dirs false;
|
||
|
|
||
|
ifdef(`mount.te', `
|
||
|
#
|
||
|
# Domain for running smbmount
|
||
|
#
|
||
|
|
||
|
# Derive from app. domain. Transition from mount.
|
||
|
application_domain(smbmount, `, fs_domain, nscd_client_domain')
|
||
|
domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
|
||
|
|
||
|
# Capabilities
|
||
|
# FIXME: is all of this really necessary?
|
||
|
allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
|
||
|
|
||
|
# Access samba config
|
||
|
allow smbmount_t samba_etc_t:file r_file_perms;
|
||
|
allow smbmount_t samba_etc_t:dir r_dir_perms;
|
||
|
allow initrc_t samba_etc_t:file rw_file_perms;
|
||
|
|
||
|
# Write samba log
|
||
|
allow smbmount_t samba_log_t:file create_file_perms;
|
||
|
allow smbmount_t samba_log_t:dir r_dir_perms;
|
||
|
|
||
|
# Write stuff in var
|
||
|
allow smbmount_t var_log_t:dir r_dir_perms;
|
||
|
rw_dir_create_file(smbmount_t, samba_var_t)
|
||
|
|
||
|
# Access mtab
|
||
|
file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
|
||
|
|
||
|
# Read nsswitch.conf
|
||
|
allow smbmount_t etc_t:file r_file_perms;
|
||
|
|
||
|
# Networking
|
||
|
can_network(smbmount_t)
|
||
|
allow smbmount_t port_type:tcp_socket name_connect;
|
||
|
can_ypbind(smbmount_t)
|
||
|
allow smbmount_t self:unix_dgram_socket create_socket_perms;
|
||
|
allow smbmount_t self:unix_stream_socket create_socket_perms;
|
||
|
allow kernel_t smbmount_t:tcp_socket { read write };
|
||
|
allow userdomain smbmount_t:tcp_socket write;
|
||
|
|
||
|
# Proc
|
||
|
# FIXME: is this necessary?
|
||
|
r_dir_file(smbmount_t, proc_t)
|
||
|
|
||
|
# Fork smbmnt
|
||
|
allow smbmount_t bin_t:dir r_dir_perms;
|
||
|
can_exec(smbmount_t, smbmount_exec_t)
|
||
|
allow smbmount_t self:process { fork signal_perms };
|
||
|
|
||
|
# Mount
|
||
|
allow smbmount_t cifs_t:filesystem mount_fs_perms;
|
||
|
allow smbmount_t cifs_t:dir r_dir_perms;
|
||
|
allow smbmount_t mnt_t:dir r_dir_perms;
|
||
|
allow smbmount_t mnt_t:dir mounton;
|
||
|
|
||
|
# Terminal
|
||
|
read_locale(smbmount_t)
|
||
|
access_terminal(smbmount_t, sysadm)
|
||
|
allow smbmount_t userdomain:fd use;
|
||
|
allow smbmount_t local_login_t:fd use;
|
||
|
')
|
||
|
# Derive from app. domain. Transition from mount.
|
||
|
application_domain(samba_net, `, nscd_client_domain')
|
||
|
role system_r types samba_net_t;
|
||
|
in_user_role(samba_net_t)
|
||
|
file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
|
||
|
read_locale(samba_net_t)
|
||
|
allow samba_net_t samba_etc_t:file r_file_perms;
|
||
|
r_dir_file(samba_net_t, samba_var_t)
|
||
|
can_network_udp(samba_net_t)
|
||
|
access_terminal(samba_net_t, sysadm)
|
||
|
allow samba_net_t self:unix_dgram_socket create_socket_perms;
|
||
|
allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
rw_dir_create_file(samba_net_t, samba_var_t)
|
||
|
allow samba_net_t etc_t:file { getattr read };
|
||
|
can_network_client(samba_net_t)
|
||
|
allow samba_net_t smbd_port_t:tcp_socket name_connect;
|
||
|
can_ldap(samba_net_t)
|
||
|
can_kerberos(samba_net_t)
|
||
|
allow samba_net_t urandom_device_t:chr_file r_file_perms;
|
||
|
allow samba_net_t proc_t:dir search;
|
||
|
allow samba_net_t proc_t:lnk_file read;
|
||
|
allow samba_net_t self:dir search;
|
||
|
allow samba_net_t self:file read;
|
||
|
allow samba_net_t self:process signal;
|
||
|
tmp_domain(samba_net)
|
||
|
dontaudit samba_net_t sysadm_home_dir_t:dir search;
|
||
|
allow samba_net_t privfd:fd use;
|