add winbind
This commit is contained in:
parent
6942484b6f
commit
79cde317df
@ -11,16 +11,19 @@
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/net -- context_template(system_u:object_r:samba_net_exec_t,s0)
|
||||
/usr/bin/ntlm_auth -- context_template(system_u:object_r:winbind_helper_exec_t,s0)
|
||||
/usr/bin/smbmount -- context_template(system_u:object_r:smbmount_exec_t,s0)
|
||||
/usr/bin/smbmnt -- context_template(system_u:object_r:smbmount_exec_t,s0)
|
||||
|
||||
/usr/sbin/nmbd -- context_template(system_u:object_r:nmbd_exec_t,s0)
|
||||
/usr/sbin/smbd -- context_template(system_u:object_r:smbd_exec_t,s0)
|
||||
/usr/sbin/winbindd -- context_template(system_u:object_r:winbind_exec_t,s0)
|
||||
|
||||
#
|
||||
# /var
|
||||
#
|
||||
/var/cache/samba(/.*)? context_template(system_u:object_r:samba_var_t,s0)
|
||||
/var/cache/samba/winbindd_privileged(/.*)? context_template(system_u:object_r:winbind_var_run_t,s0)
|
||||
|
||||
/var/lib/samba(/.*)? context_template(system_u:object_r:samba_var_t,s0)
|
||||
|
||||
@ -36,4 +39,6 @@
|
||||
/var/run/samba/smbd\.pid -- context_template(system_u:object_r:smbd_var_run_t,s0)
|
||||
/var/run/samba/unexpected\.tdb -- context_template(system_u:object_r:nmbd_var_run_t,s0)
|
||||
|
||||
/var/run/winbindd(/.*)? context_template(system_u:object_r:winbind_var_run_t,s0)
|
||||
|
||||
/var/spool/samba(/.*)? context_template(system_u:object_r:samba_var_t,s0)
|
||||
|
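Review bot: `/var/cache/samba/winbindd_privileged(/.*)?` in the first hunk carries the pid-file type winbind_var_run_t while its parent `/var/cache/samba(/.*)?` is samba_var_t, and nothing on the line says why a cache path shares a type with `/var/run/winbindd(/.*)?` from the second hunk; a one-line comment above it such as `# same winbindd pipe directory as /var/run/winbindd — keep both entries in sync` (wording to confirm) would stop a later cleanup from "correcting" it back to samba_var_t. The `/var/run/winbindd(/.*)?` entry only matches the directory and its contents, so a pid file written as a sibling (for example a `winbindd.pid` directly under /var/run/samba, a constructed example following the smbd\.pid entry above) would stay unlabeled; where winbindd actually writes its pid is not visible on this page, so either add an explicit entry or note that none is needed.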
@ -1,4 +1,8 @@
|
||||
## <summary>SMB and CIFS client/server programs for UNIX</summary>
|
||||
## <summary>
|
||||
## SMB and CIFS client/server programs for UNIX and
|
||||
## name Service Switch daemon for resolving names
|
||||
## from Windows NT servers.
|
||||
## </summary>
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
@ -228,3 +232,83 @@ interface(`samba_rw_smbmount_tcp_socket',`
|
||||
|
||||
allow $1 smbmount_t:tcp_socket { read write };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute winbind_helper in the winbind_helper domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
#
|
||||
interface(`samba_domtrans_winbind_helper',`
|
||||
gen_require(`
|
||||
type winbind_helper_t, winbind_helper_exec_t;
|
||||
')
|
||||
|
||||
domain_auto_trans($1,winbind_helper_exec_t,winbind_helper_t)
|
||||
|
||||
allow $1 winbind_helper_t:fd use;
|
||||
allow winbind_helper_t $1:fd use;
|
||||
allow winbind_helper_t $1:fifo_file rw_file_perms;
|
||||
allow winbind_helper_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute winbind_helper in the winbind_helper domain, and
|
||||
## allow the specified role the winbind_helper domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## The type of the process performing this action.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to be allowed the winbind_helper domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow the winbind_helper domain to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`samba_run_winbind_helper',`
|
||||
gen_require(`
|
||||
type winbind_helper_t;
|
||||
')
|
||||
|
||||
samba_domtrans_winbind_helper($1)
|
||||
role $2 types winbind_helper_t;
|
||||
allow winbind_helper_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read the winbind pid files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`samba_read_winbind_pid',`
|
||||
gen_require(`
|
||||
type winbind_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 winbind_var_run_t:file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to read the winbind pid files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`samba_read_winbind_pid',`
|
||||
gen_require(`
|
||||
type winbind_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 winbind_var_run_t:file r_file_perms;
|
||||
')
|
||||
|
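Review bot: `samba_read_winbind_pid` is defined twice in this hunk with byte-identical bodies; the second copy is redundant and, depending on how the `interface` macro treats redefinition, either silently replaces the first or trips a duplicate-definition check, so one copy should be dropped. The interface grants only `files_search_pids($1)` and `file r_file_perms` on winbind_var_run_t, but this commit's file contexts also label the `/var/run/winbindd` directory with that type, so a pid file living inside that directory would additionally need `allow $1 winbind_var_run_t:dir search_dir_perms;` — whether the pid file is placed there is not visible here. In `samba_run_winbind_helper`, the terminal parameter text `## The type of the terminal allow the winbind_helper domain to use.` reads better as `## The type of the terminal the winbind_helper domain is allowed to use.`. The first three lines of the hunk close `samba_rw_smbmount_tcp_socket`, whose body starts outside the hunk.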
@ -54,6 +54,26 @@ domain_type(smbmount_t)
|
||||
type smbmount_exec_t;
|
||||
domain_entry_file(smbmount_t,smbmount_exec_t)
|
||||
|
||||
type winbind_t; # privhome
|
||||
type winbind_exec_t;
|
||||
init_daemon_domain(winbind_t,winbind_exec_t)
|
||||
|
||||
type winbind_helper_t;
|
||||
domain_type(winbind_helper_t)
|
||||
role system_r types winbind_helper_t;
|
||||
|
||||
type winbind_helper_exec_t;
|
||||
domain_entry_file(winbind_helper_t,winbind_helper_exec_t)
|
||||
|
||||
type winbind_log_t;
|
||||
logging_log_file(winbind_log_t)
|
||||
|
||||
type winbind_tmp_t;
|
||||
files_tmp_file(winbind_tmp_t)
|
||||
|
||||
type winbind_var_run_t;
|
||||
files_pid_file(winbind_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Samba net local policy
|
||||
@ -387,6 +407,7 @@ optional_policy(`rhgb.te',`
|
||||
#
|
||||
# smbmount Local policy
|
||||
#
|
||||
|
||||
allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary?
|
||||
allow smbmount_t self:process { fork signal_perms };
|
||||
allow smbmount_t self:tcp_socket create_stream_socket_perms;
|
||||
@ -472,3 +493,154 @@ ifdef(`cups.te', `
|
||||
allow smbd_t cupsd_rw_etc_t:file { getattr read };
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Winbind local policy
|
||||
#
|
||||
|
||||
dontaudit winbind_t self:capability sys_tty_config;
|
||||
allow winbind_t self:process signal_perms;
|
||||
allow winbind_t self:fifo_file { read write };
|
||||
allow winbind_t self:unix_dgram_socket create_socket_perms;
|
||||
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
|
||||
allow winbind_t self:tcp_socket create_stream_socket_perms;
|
||||
allow winbind_t self:udp_socket create_socket_perms;
|
||||
|
||||
allow winbind_t samba_etc_t:dir r_dir_perms;
|
||||
allow winbind_t samba_etc_t:lnk_file { getattr read };
|
||||
allow winbind_t samba_etc_t:file r_file_perms;
|
||||
|
||||
allow winbind_t samba_secrets_t:file create_file_perms;
|
||||
allow winbind_t samba_etc_t:dir rw_dir_perms;
|
||||
type_transition winbind_t samba_etc_t:file samba_secrets_t;
|
||||
|
||||
allow winbind_t samba_log_t:dir rw_dir_perms;
|
||||
allow winbind_t samba_log_t:file create_file_perms;
|
||||
allow winbind_t samba_log_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow winbind_t samba_var_t:dir rw_dir_perms;
|
||||
allow winbind_t samba_var_t:file create_file_perms;
|
||||
allow winbind_t samba_var_t:lnk_file create_lnk_perms;
|
||||
|
||||
allow winbind_t winbind_log_t:file create_file_perms;
|
||||
logging_create_log(winbind_t,winbind_log_t)
|
||||
|
||||
allow winbind_t winbind_tmp_t:dir create_dir_perms;
|
||||
allow winbind_t winbind_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(winbind_t, winbind_tmp_t, { file dir })
|
||||
|
||||
allow winbind_t winbind_var_run_t:file create_file_perms;
|
||||
allow winbind_t winbind_var_run_t:sock_file create_file_perms;
|
||||
allow winbind_t winbind_var_run_t:dir rw_dir_perms;
|
||||
files_create_pid(winbind_t,winbind_var_run_t)
|
||||
|
||||
kernel_read_kernel_sysctl(winbind_t)
|
||||
kernel_list_proc(winbind_t)
|
||||
kernel_read_proc_symlinks(winbind_t)
|
||||
|
||||
corenet_tcp_sendrecv_all_if(winbind_t)
|
||||
corenet_udp_sendrecv_all_if(winbind_t)
|
||||
corenet_raw_sendrecv_all_if(winbind_t)
|
||||
corenet_tcp_sendrecv_all_nodes(winbind_t)
|
||||
corenet_udp_sendrecv_all_nodes(winbind_t)
|
||||
corenet_raw_sendrecv_all_nodes(winbind_t)
|
||||
corenet_tcp_sendrecv_all_ports(winbind_t)
|
||||
corenet_udp_sendrecv_all_ports(winbind_t)
|
||||
corenet_tcp_bind_all_nodes(winbind_t)
|
||||
corenet_udp_bind_all_nodes(winbind_t)
|
||||
corenet_tcp_connect_smbd_port(winbind_t)
|
||||
|
||||
dev_read_sysfs(winbind_t)
|
||||
dev_read_urand(winbind_t)
|
||||
|
||||
fs_getattr_all_fs(winbind_t)
|
||||
fs_search_auto_mountpoints(winbind_t)
|
||||
|
||||
term_dontaudit_use_console(winbind_t)
|
||||
|
||||
auth_domtrans_chk_passwd(winbind_t)
|
||||
|
||||
domain_use_wide_inherit_fd(winbind_t)
|
||||
|
||||
files_read_etc_files(winbind_t)
|
||||
|
||||
init_use_fd(winbind_t)
|
||||
init_use_script_pty(winbind_t)
|
||||
|
||||
libs_use_ld_so(winbind_t)
|
||||
libs_use_shared_libs(winbind_t)
|
||||
|
||||
logging_send_syslog_msg(winbind_t)
|
||||
|
||||
miscfiles_read_localization(winbind_t)
|
||||
|
||||
sysnet_read_config(winbind_t)
|
||||
sysnet_dns_name_resolve(winbind_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fd(winbind_t)
|
||||
userdom_dontaudit_search_sysadm_home_dir(winbind_t)
|
||||
|
||||
ifdef(`targeted_policy', `
|
||||
term_dontaudit_use_unallocated_tty(winbind_t)
|
||||
term_dontaudit_use_generic_pty(winbind_t)
|
||||
files_dontaudit_read_root_file(winbind_t)
|
||||
')
|
||||
|
||||
optional_policy(`kerberos.te',`
|
||||
kerberos_use(winbind_t)
|
||||
')
|
||||
|
||||
optional_policy(`mount.te',`
|
||||
mount_send_nfs_client_request(winbind_t)
|
||||
')
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(winbind_t)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
seutil_sigchld_newrole(winbind_t)
|
||||
')
|
||||
|
||||
optional_policy(`udev.te', `
|
||||
udev_read_db(winbind_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
optional_policy(`rhgb.te',`
|
||||
rhgb_domain(winbind_t)
|
||||
')
|
||||
') dnl end TODO
|
||||
|
||||
########################################
|
||||
#
|
||||
# Winbind helper local policy
|
||||
#
|
||||
|
||||
allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
|
||||
allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
allow winbind_helper_t samba_etc_t:dir r_dir_perms;
|
||||
allow winbind_helper_t samba_etc_t:lnk_file { getattr read };
|
||||
allow winbind_helper_t samba_etc_t:file r_file_perms;
|
||||
|
||||
allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
|
||||
allow winbind_helper_t winbind_var_run_t:sock_file { getattr read write };
|
||||
allow winbind_helper_t winbind_t:unix_stream_socket connectto;
|
||||
|
||||
term_list_ptys(winbind_helper_t)
|
||||
|
||||
domain_use_wide_inherit_fd(winbind_helper_t)
|
||||
|
||||
libs_use_ld_so(winbind_helper_t)
|
||||
libs_use_shared_libs(winbind_helper_t)
|
||||
|
||||
logging_send_syslog_msg(winbind_helper_t)
|
||||
|
||||
miscfiles_read_localization(winbind_helper_t)
|
||||
|
||||
optional_policy(`nscd.te',`
|
||||
nscd_use_socket(winbind_helper_t)
|
||||
')
|
||||
|
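Review bot: In the winbind helper block, winbind_helper_t gets `winbind_var_run_t:dir r_dir_perms`, `sock_file { getattr read write }` and `connectto` to winbind_t, but unlike winbind_t (which reaches /var/run through files_create_pid) it never receives `files_search_pids(winbind_helper_t)`, so traversal of the /var/run component on the way to the socket directory looks to be missing — confirm against the helper's actual connect path. In the winbind_t rules, `allow winbind_t samba_etc_t:dir r_dir_perms;` is subsumed by the later `allow winbind_t samba_etc_t:dir rw_dir_perms;` on the same type, and that write access together with `type_transition winbind_t samba_etc_t:file samba_secrets_t;` deserves a comment such as `# files winbindd creates in the config directory are labeled samba_secrets_t, not samba_etc_t` so the config-directory write is not mistaken for a leftover. The three `corenet_raw_sendrecv_*` calls grant raw-IP traffic on interfaces and nodes, yet no `self:rawip_socket` rule appears in this hunk, so either those calls are dead or the socket permission is missing. The `ifdef(`TODO',` rhgb block is disabled code; either drop it or state in its comment what blocks `rhgb_domain(winbind_t)`. The `# privhome` marker on `type winbind_t;` in the type-declaration hunk is unexplained and should be expanded into a sentence saying what that marker means for this domain.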
@ -527,6 +527,7 @@ optional_policy(`rpm.te',`
|
||||
|
||||
optional_policy(`samba.te',`
|
||||
samba_rw_config(initrc_t)
|
||||
samba_read_winbind_pid(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`squid.te',`
|
||||
|
@ -221,6 +221,7 @@ ifdef(`targeted_policy',`
|
||||
|
||||
optional_policy(`samba.te',`
|
||||
samba_run_net(sysadm_t,sysadm_r,admin_terminal)
|
||||
samba_run_winbind_helper(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`selinuxutil.te',`
|
||||
|