fix most of samba

refpolicy/Makefile

@@ -71,7 +71,7 @@ MONOLITHIC=y
 PREFIX := /usr
 BINDIR := $(PREFIX)/bin
 SBINDIR := $(PREFIX)/sbin
-CHECKPOLICY := $(BINDIR)/checkpolicy
+CHECKPOLICY := /tmp/$(BINDIR)/checkpolicy
 CHECKMODULE := $(BINDIR)/checkmodule
 SEMOD_PKG := $(BINDIR)/semodule_package
 LOADPOLICY := $(SBINDIR)/load_policy

refpolicy/policy/global_tunables

@@ -36,6 +36,10 @@ gen_tunable(allow_kerberos,false)
 ## Allow sasl to read shadow
 gen_tunable(allow_saslauthd_read_shadow,false)
 
+## Allow samba to modify public files
+## used for public file transfer services.
+gen_tunable(allow_smbd_anon_write,false)
+
 ## allow host key based authentication
 gen_tunable(allow_ssh_keysign,false)
 
@@ -110,6 +114,9 @@ gen_tunable(read_untrusted_content,false)
 ## Allow ssh to run from inetd instead of as a daemon.
 gen_tunable(run_ssh_inetd,false)
 
+## Allow samba to export user home directories.
+gen_tunable(samba_enable_home_dirs,false)
+
 ## Allow user spamassassin clients to use the network.
 gen_tunable(spamassassin_can_network,false)
 

refpolicy/policy/modules/admin/firstboot.te

@@ -98,14 +98,14 @@ modutils_read_module_conf(firstboot_t)
 modutils_read_mods_deps(firstboot_t)
 
 # Add/remove user home directories
-userdom_create_user_home_dir(firstboot_t)
+userdom_create_generic_user_home_dir(firstboot_t)
-userdom_manage_user_home_dir(firstboot_t)
+userdom_manage_generic_user_home_dir(firstboot_t)
-userdom_create_user_home(firstboot_t,{ dir file lnk_file fifo_file sock_file })
+userdom_create_generic_user_home(firstboot_t,{ dir file lnk_file fifo_file sock_file })
-userdom_manage_user_home_dirs(firstboot_t)
+userdom_manage_generic_user_home_dirs(firstboot_t)
-userdom_manage_user_home_files(firstboot_t)
+userdom_manage_generic_user_home_files(firstboot_t)
-userdom_manage_user_home_symlinks(firstboot_t)
+userdom_manage_generic_user_home_symlinks(firstboot_t)
-userdom_manage_user_home_pipes(firstboot_t)
+userdom_manage_generic_user_home_pipes(firstboot_t)
-userdom_manage_user_home_sockets(firstboot_t)
+userdom_manage_generic_user_home_sockets(firstboot_t)
 
 ifdef(`targeted_policy',`
 	unconfined_domtrans(firstboot_t)

refpolicy/policy/modules/admin/usermanage.te

@@ -517,9 +517,9 @@ userdom_use_unpriv_users_fd(useradd_t)
 # for when /root is the cwd
 userdom_dontaudit_search_sysadm_home_dir(useradd_t)
 # Add/remove user home directories
-userdom_create_user_home_dir(useradd_t)
+userdom_create_generic_user_home_dir(useradd_t)
-userdom_manage_user_home_dir(useradd_t)
+userdom_manage_generic_user_home_dir(useradd_t)
-userdom_create_user_home(useradd_t,notdevfile_class_set)
+userdom_create_generic_user_home(useradd_t,notdevfile_class_set)
 
 mta_manage_spool(useradd_t)
 

refpolicy/policy/modules/kernel/terminal.if

@@ -332,6 +332,7 @@ interface(`term_use_generic_pty',`
 	')
 
 	dev_list_all_dev_nodes($1)
+	allow $1 devpts_t:dir list_dir_perms;
 	allow $1 devpts_t:chr_file { rw_term_perms lock append };
 ')
 

refpolicy/policy/modules/services/ftp.te

@@ -145,7 +145,7 @@ tunable_policy(`ftp_home_dir',`
 	userdom_manage_all_user_symlinks(ftpd_t)
 
 	ifdef(`targeted_policy',`
-		userdom_create_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
+		userdom_create_generic_user_home(ftpd_t,{ dir file lnk_file sock_file fifo_file })
 	')
 ')
 

refpolicy/policy/modules/services/samba.if

@@ -30,11 +30,13 @@ template(`samba_per_userdomain_template',`
 		type smbd_t;
 	')
 
-	userdom_manage_user_home_subdir_files($1,smbd_t)
+	tunable_policy(`samba_enable_home_dirs',`
-	userdom_manage_user_home_subdir_symlinks($1,smbd_t)
+		userdom_manage_user_home_subdir_files($1,smbd_t)
-	userdom_manage_user_home_subdir_sockets($1,smbd_t)
+		userdom_manage_user_home_subdir_symlinks($1,smbd_t)
-	userdom_manage_user_home_subdir_pipes($1,smbd_t)
+		userdom_manage_user_home_subdir_sockets($1,smbd_t)
-#	userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
+		userdom_manage_user_home_subdir_pipes($1,smbd_t)
+		userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file })
+	')
 ')
 
 ########################################

refpolicy/policy/modules/services/samba.te

@@ -121,12 +121,19 @@ files_read_etc_files(samba_net_t)
 libs_use_ld_so(samba_net_t)
 libs_use_shared_libs(samba_net_t)
 
+logging_send_syslog_msg(samba_net_t)
+
 miscfiles_read_localization(samba_net_t) 
 
 sysnet_read_config(samba_net_t)
 
 userdom_dontaudit_search_sysadm_home_dir(samba_net_t)
 
+ifdef(`targeted_policy',`
+	term_use_generic_pty(samba_net_t)
+	term_use_unallocated_tty(samba_net_t)
+')
+
 optional_policy(`kerberos.te',`
 	kerberos_use(samba_net_t)
 ')
@@ -254,6 +261,7 @@ logging_search_logs(smbd_t)
 logging_send_syslog_msg(smbd_t)
 
 miscfiles_read_localization(smbd_t)
+miscfiles_read_public_files(smbd_t)
 
 mount_send_nfs_client_request(smbd_t)
 
@@ -269,6 +277,10 @@ ifdef(`targeted_policy', `
 	term_dontaudit_use_unallocated_tty(smbd_t)
 ')
 
+tunable_policy(`allow_smbd_anon_write',`
+	miscfiles_manage_public_files(smbd_t)
+') 
+
 optional_policy(`kerberos.te',`
 	kerberos_use(smbd_t)
 ')
@@ -293,7 +305,6 @@ ifdef(`TODO',`
 optional_policy(`rhgb.te',`
 	rhgb_domain(smbd_t)
 ')
-anonymous_domain(smbd)
 ifdef(`hide_broken_symptoms', `
 dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr;
 dontaudit smbd_t devpts_t:dir getattr;
@@ -648,6 +659,7 @@ optional_policy(`nscd.te',`
 	nscd_use_socket(winbind_helper_t)
 ')
 
-ifdef(`TODO',`
+optional_policy(`squid.te',`
-allow winbind_helper_t squid_log_t:file ra_file_perms;
+	squid_read_log(winbind_helper_t)
+	squid_append_log(winbind_helper_t)
 ')

refpolicy/policy/modules/services/squid.if

@@ -64,6 +64,63 @@ interface(`squid_manage_logs',`
 	allow $1 squid_log_t:file create_file_perms;
 ')
 
+########################################
+## <summary>
+##	Append squid logs.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`squid_read_log',`
+	gen_require(`
+		type squid_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 squid_log_t:dir search_dir_perms;
+	allow $1 squid_log_t:file r_file_perms;
+')
+
+########################################
+## <summary>
+##	Append squid logs.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`squid_append_log',`
+	gen_require(`
+		type squid_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 squid_log_t:dir search_dir_perms;
+	allow $1 squid_log_t:file { getattr append };
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	squid logs.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`squid_manage_logs',`
+	gen_require(`
+		type squid_log_t;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	logging_search_logs($1)
+	allow $1 squid_log_t:dir rw_dir_perms;
+	allow $1 squid_log_t:file create_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Use squid services by connecting over TCP.

refpolicy/policy/modules/system/miscfiles.if

@@ -183,12 +183,12 @@ interface(`miscfiles_manage_man_pages',`
 #
 interface(`miscfiles_read_public_files',`
 	gen_require(`
-		type public_content_t;
+		type public_content_t, public_content_rw_t;
 	')
 
-	allow $1 public_content_t:dir r_dir_perms;
+	allow $1 { public_content_t public_content_rw_t }:dir r_dir_perms;
-	allow $1 public_content_t:file r_file_perms;
+	allow $1 { public_content_t public_content_rw_t }:file r_file_perms;
-	allow $1 public_content_t:lnk_file { getattr read };
+	allow $1 { public_content_t public_content_rw_t }:lnk_file { getattr read };
 ')
 
 ########################################

refpolicy/policy/modules/system/unconfined.te

@@ -35,16 +35,16 @@ ifdef(`targeted_policy',`
 
 	userdom_unconfined(unconfined_t)
 
+	optional_policy(`samba.te',`
+		samba_domtrans_net(unconfined_t)
+	')
+
 	optional_policy(`su.te',`
 		su_per_userdomain_template(sysadm,unconfined_t,system_r)
 	')
 
 	ifdef(`TODO',`
-	ifdef(`samba.te', `samba_domain(user)')
-
 	ifdef(`use_mcs',`
-	domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
-	can_exec(sysadm_su_t, bin_t)
 	rw_dir_create_file(sysadm_su_t, home_dir_type)
 	')
 

refpolicy/policy/modules/system/userdomain.if

@@ -2058,7 +2058,7 @@ interface(`userdom_dontaudit_use_unpriv_user_fd',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_create_user_home_dir',`
+interface(`userdom_create_generic_user_home_dir',`
 	gen_require(`
 		type user_home_dir_t;
 	')
@@ -2075,7 +2075,7 @@ interface(`userdom_create_user_home_dir',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_manage_user_home_dir',`
+interface(`userdom_manage_generic_user_home_dir',`
 	gen_require(`
 		type user_home_dir_t;
 	')
@@ -2096,7 +2096,7 @@ interface(`userdom_manage_user_home_dir',`
 ##	If not specified, file is used.
 ## </param>
 #
-interface(`userdom_create_user_home',`
+interface(`userdom_create_generic_user_home',`
 	gen_require(`
 		type user_home_dir_t, user_home_t;
 	')
@@ -2135,7 +2135,7 @@ interface(`userdom_dontaudit_search_user_home_dirs',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_manage_user_home_dirs',`
+interface(`userdom_manage_generic_user_home_dirs',`
 	gen_require(`
 		type user_home_t;
 	')
@@ -2152,7 +2152,7 @@ interface(`userdom_manage_user_home_dirs',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_manage_user_home_files',`
+interface(`userdom_manage_generic_user_home_files',`
 	gen_require(`
 		type user_home_t;
 	')
@@ -2170,7 +2170,7 @@ interface(`userdom_manage_user_home_files',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_manage_user_home_symlinks',`
+interface(`userdom_manage_generic_user_home_symlinks',`
 	gen_require(`
 		type user_home_t;
 	')
@@ -2188,7 +2188,7 @@ interface(`userdom_manage_user_home_symlinks',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_manage_user_home_pipes',`
+interface(`userdom_manage_generic_user_home_pipes',`
 	gen_require(`
 		type user_home_t;
 	')
@@ -2206,7 +2206,7 @@ interface(`userdom_manage_user_home_pipes',`
 ##	Domain allowed access.
 ## </param>
 #
-interface(`userdom_manage_user_home_sockets',`
+interface(`userdom_manage_generic_user_home_sockets',`
 	gen_require(`
 		type user_home_t;
 	')

refpolicy/policy/modules/system/userdomain.te

@@ -71,9 +71,17 @@ ifdef(`targeted_policy',`
 	allow system_r sysadm_r;
 	allow system_r sysadm_r;
 
-	ifdef(`TODO',`
+	allow privhome user_home_t:dir manage_dir_perms;
-	allow privhome home_root_t:dir { getattr search };
+	allow privhome user_home_t:file create_file_perms;
-	file_type_auto_trans(privhome, user_home_dir_t, user_home_t)
+	allow privhome user_home_t:lnk_file create_lnk_perms;
+	allow privhome user_home_t:fifo_file create_file_perms;
+	allow privhome user_home_t:sock_file create_file_perms;
+	allow privhome user_home_dir_t:dir rw_dir_perms;
+	type_transition privhome user_home_dir_t:{ dir file lnk_file fifo_file sock_file } user_home_t;
+	files_search_home(privhome)
+
+	optional_policy(`samba.te',`
+		samba_per_userdomain_template(user)
 	')
 ',`
 	admin_user_template(sysadm)
@@ -95,9 +103,7 @@ ifdef(`targeted_policy',`
 		role_change(user,sysadm)
 	')
 
-	ifdef(`TODO',`
 	allow privhome home_root_t:dir { getattr search };
-	')
 
 	########################################
 	#