add samba
This commit is contained in:
		
							parent
							
								
									4479b31614
								
							
						
					
					
						commit
						84c92239d4
					
				| @ -2,6 +2,7 @@ | ||||
| - Added policies: | ||||
| 	ktalk | ||||
| 	portmap | ||||
| 	samba | ||||
| 	zebra | ||||
| 
 | ||||
| * Wed Sep 07 2005 Chris PeBenito <selinux@tresys.com> - 20050907 | ||||
|  | ||||
| @ -126,6 +126,10 @@ optional_policy(`hostname.te',` | ||||
| 	hostname_exec(logrotate_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`samba.te',` | ||||
| 	samba_exec_log(logrotate_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`mysql.te',` | ||||
| 	mysql_read_config(logrotate_t) | ||||
| 	mysql_search_db_dir(logrotate_t) | ||||
|  | ||||
| @ -454,6 +454,24 @@ interface(`fs_search_cifs',` | ||||
| 	allow $1 cifs_t:dir search; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	List the contents of directories on a | ||||
| ##	CIFS or SMB filesystem. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	The type of the domain reading the files. | ||||
| ## </param> | ||||
| # | ||||
| interface(`fs_list_cifs',` | ||||
| 	gen_require(` | ||||
| 		type cifs_t; | ||||
| 		class dir r_dir_perms; | ||||
| 	') | ||||
| 
 | ||||
| 	allow $1 cifs_t:dir r_dir_perms; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Read files on a CIFS or SMB filesystem. | ||||
|  | ||||
| @ -329,6 +329,12 @@ optional_policy(`nscd.te',` | ||||
| 	nscd_use_socket(system_crond_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`samba.te',` | ||||
| 	samba_read_config(system_crond_t) | ||||
| 	samba_read_log(system_crond_t) | ||||
| 	#samba_read_secrets(system_crond_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`squid.te',` | ||||
| 	# cjp: why? | ||||
| 	squid_domtrans(system_crond_t) | ||||
|  | ||||
							
								
								
									
										39
									
								
								refpolicy/policy/modules/services/samba.fc
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										39
									
								
								refpolicy/policy/modules/services/samba.fc
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,39 @@ | ||||
| 
 | ||||
| # | ||||
| # /etc | ||||
| # | ||||
| /etc/samba/MACHINE\.SID		--	context_template(system_u:object_r:samba_secrets_t,s0) | ||||
| /etc/samba/secrets\.tdb		--	context_template(system_u:object_r:samba_secrets_t,s0) | ||||
| /etc/samba/smbpasswd		--	context_template(system_u:object_r:samba_secrets_t,s0) | ||||
| /etc/samba(/.*)?			context_template(system_u:object_r:samba_etc_t,s0) | ||||
| 
 | ||||
| # | ||||
| # /usr | ||||
| # | ||||
| /usr/bin/net			--	context_template(system_u:object_r:samba_net_exec_t,s0) | ||||
| /usr/bin/smbmount		--	context_template(system_u:object_r:smbmount_exec_t,s0) | ||||
| /usr/bin/smbmnt			--	context_template(system_u:object_r:smbmount_exec_t,s0) | ||||
| 
 | ||||
| /usr/sbin/nmbd			--	context_template(system_u:object_r:nmbd_exec_t,s0) | ||||
| /usr/sbin/smbd			--	context_template(system_u:object_r:smbd_exec_t,s0) | ||||
| 
 | ||||
| # | ||||
| # /var | ||||
| # | ||||
| /var/cache/samba(/.*)?			context_template(system_u:object_r:samba_var_t,s0) | ||||
| 
 | ||||
| /var/lib/samba(/.*)?			context_template(system_u:object_r:samba_var_t,s0) | ||||
| 
 | ||||
| /var/log/samba(/.*)?			context_template(system_u:object_r:samba_log_t,s0) | ||||
| 
 | ||||
| /var/run/samba/brlock\.tdb	--	context_template(system_u:object_r:smbd_var_run_t,s0) | ||||
| /var/run/samba/connections\.tdb	--	context_template(system_u:object_r:smbd_var_run_t,s0) | ||||
| /var/run/samba/locking\.tdb 	--	context_template(system_u:object_r:smbd_var_run_t,s0) | ||||
| /var/run/samba/messages\.tdb	--	context_template(system_u:object_r:nmbd_var_run_t,s0) | ||||
| /var/run/samba/namelist\.debug	--	context_template(system_u:object_r:nmbd_var_run_t,s0) | ||||
| /var/run/samba/nmbd\.pid	--	context_template(system_u:object_r:nmbd_var_run_t,s0) | ||||
| /var/run/samba/sessionid\.tdb	--	context_template(system_u:object_r:smbd_var_run_t,s0) | ||||
| /var/run/samba/smbd\.pid	--	context_template(system_u:object_r:smbd_var_run_t,s0) | ||||
| /var/run/samba/unexpected\.tdb	--	context_template(system_u:object_r:nmbd_var_run_t,s0) | ||||
| 
 | ||||
| /var/spool/samba(/.*)?			context_template(system_u:object_r:samba_var_t,s0) | ||||
							
								
								
									
										243
									
								
								refpolicy/policy/modules/services/samba.if
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										243
									
								
								refpolicy/policy/modules/services/samba.if
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,243 @@ | ||||
| ## <summary>SMB and CIFS client/server programs for UNIX</summary> | ||||
| 
 | ||||
| ####################################### | ||||
| ## <summary> | ||||
| ##	The per user domain template for the samba module. | ||||
| ## </summary> | ||||
| ## <desc> | ||||
| ##	<p> | ||||
| ##	This template allows smbd to manage files in | ||||
| ##	a user home directory, creating files with the | ||||
| ##	correct type. | ||||
| ##	</p> | ||||
| ##	<p> | ||||
| ##	This template is invoked automatically for each user, and | ||||
| ##	generally does not need to be invoked directly | ||||
| ##	by policy writers. | ||||
| ##	</p> | ||||
| ## </desc> | ||||
| ## <param name="userdomain_prefix"> | ||||
| ##	The prefix of the user domain (e.g., user | ||||
| ##	is the prefix for user_t). | ||||
| ## </param> | ||||
| ## <param name="user_domain"> | ||||
| ##	The type of the user domain. | ||||
| ## </param> | ||||
| ## <param name="user_role"> | ||||
| ##	The role associated with the user domain. | ||||
| ## </param> | ||||
| # | ||||
| template(`samba_per_userdomain_template',` | ||||
| 	optional_policy(` | ||||
| 		gen_require(` | ||||
| 			type smbd_t; | ||||
| 		') | ||||
| 
 | ||||
| 		userdom_manage_user_home_subdir_files($1,smbd_t) | ||||
| 		userdom_manage_user_home_subdir_symlinks($1,smbd_t) | ||||
| 		userdom_manage_user_home_subdir_sockets($1,smbd_t) | ||||
| 		userdom_manage_user_home_subdir_pipes($1,smbd_t) | ||||
| 		userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file }) | ||||
| 	') | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Execute samba net in the samba_net domain. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	The type of the process performing this action. | ||||
| ## </param> | ||||
| # | ||||
| interface(`samba_domtrans_net',` | ||||
| 	gen_require(` | ||||
| 		type samba_net_t, samba_net_exec_t; | ||||
| 		class process sigchld; | ||||
| 		class fd use; | ||||
| 		class fifo_file rw_file_perms; | ||||
| 	') | ||||
| 
 | ||||
| 	corecmd_search_bin($1) | ||||
| 	domain_auto_trans($1,samba_net_exec_t,samba_net_t) | ||||
| 
 | ||||
| 	allow $1 samba_net_t:fd use; | ||||
| 	allow samba_net_t $1:fd use; | ||||
| 	allow samba_net_t $1:fifo_file rw_file_perms; | ||||
| 	allow samba_net_t $1:process sigchld; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Execute samba net in the samba_net domain, and | ||||
| ##	allow the specified role the samba_net domain. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	The type of the process performing this action. | ||||
| ## </param> | ||||
| ## <param name="role"> | ||||
| ##	The role to be allowed the samba_net domain. | ||||
| ## </param> | ||||
| ## <param name="terminal"> | ||||
| ##	The type of the terminal allow the samba_net domain to use. | ||||
| ## </param> | ||||
| # | ||||
| interface(`samba_run_net',` | ||||
| 	gen_require(` | ||||
| 		type samba_net_t; | ||||
| 		class chr_file rw_term_perms; | ||||
| 	') | ||||
| 
 | ||||
| 	samba_domtrans_net($1) | ||||
| 	role $2 types samba_net_t; | ||||
| 	allow samba_net_t $3:chr_file rw_term_perms; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Execute smbmount in the smbmount domain. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	The type of the process performing this action. | ||||
| ## </param> | ||||
| # | ||||
| interface(`samba_domtrans_smbmount',` | ||||
| 	gen_require(` | ||||
| 		type smbmount_t, smbmount_exec_t; | ||||
| 		class process sigchld; | ||||
| 		class fd use; | ||||
| 		class fifo_file rw_file_perms; | ||||
| 	') | ||||
| 
 | ||||
| 	corecmd_search_bin($1) | ||||
| 	domain_auto_trans($1,smbmount_exec_t,smbmount_t) | ||||
| 
 | ||||
| 	allow $1 smbmount_t:fd use; | ||||
| 	allow smbmount_t $1:fd use; | ||||
| 	allow smbmount_t $1:fifo_file rw_file_perms; | ||||
| 	allow smbmount_t $1:process sigchld; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Allow the specified domain to read | ||||
| ##	samba configuration files. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| # | ||||
| interface(`samba_read_config',` | ||||
| 	gen_require(` | ||||
| 		type samba_etc_t; | ||||
| 		class file { read getattr lock }; | ||||
| 	') | ||||
| 
 | ||||
| 	files_search_etc($1) | ||||
| 	allow $1 samba_etc_t:file { read getattr lock }; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Allow the specified domain to read | ||||
| ##	and write samba configuration files. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| # | ||||
| interface(`samba_rw_config',` | ||||
| 	gen_require(` | ||||
| 		type samba_etc_t; | ||||
| 		class file rw_file_perms; | ||||
| 	') | ||||
| 
 | ||||
| 	files_search_etc($1) | ||||
| 	allow $1 samba_etc_t:file rw_file_perms; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Allow the specified domain to read samba's log files. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| # | ||||
| interface(`samba_read_log',` | ||||
| 	gen_require(` | ||||
| 		type samba_log_t; | ||||
| 		class file { read getattr lock }; | ||||
| 	') | ||||
| 
 | ||||
| 	logging_search_logs($1) | ||||
| 	allow $1 samba_log_t:file { read getattr lock }; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Execute samba log in the caller domain. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	The type of the process performing this action. | ||||
| ## </param> | ||||
| # | ||||
| interface(`samba_exec_log',` | ||||
| 	gen_require(` | ||||
| 		type samba_log_t; | ||||
| 	') | ||||
| 
 | ||||
| 	logging_search_logs($1) | ||||
| 	can_exec($1,samba_log_t) | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Allow the specified domain to read samba's secrets. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| # | ||||
| interface(`samba_read_secrets',` | ||||
| 	gen_require(` | ||||
| 		type samba_secrets_t; | ||||
| 		class file { read getattr lock }; | ||||
| 	') | ||||
| 
 | ||||
| 	files_search_etc($1) | ||||
| 	allow $1 samba_secrets_t:file { read getattr lock }; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Allow the specified domain to write to smbmount tcp sockets. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| # | ||||
| interface(`samba_write_smbmount_tcp_socket',` | ||||
| 	gen_require(` | ||||
| 		type smbmount_t; | ||||
| 		class tcp_socket write; | ||||
| 	') | ||||
| 
 | ||||
| 	allow $1 smbmount_t:tcp_socket write; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Allow the specified domain to read and write to smbmount tcp sockets. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| # | ||||
| interface(`samba_rw_smbmount_tcp_socket',` | ||||
| 	gen_require(` | ||||
| 		type smbmount_t; | ||||
| 		class tcp_socket { read write }; | ||||
| 	') | ||||
| 
 | ||||
| 	allow $1 smbmount_t:tcp_socket { read write }; | ||||
| ') | ||||
							
								
								
									
										467
									
								
								refpolicy/policy/modules/services/samba.te
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										467
									
								
								refpolicy/policy/modules/services/samba.te
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,467 @@ | ||||
| 
 | ||||
| policy_module(samba,1.0) | ||||
| 
 | ||||
| ################################# | ||||
| # | ||||
| # Declarations | ||||
| # | ||||
| 
 | ||||
| type nmbd_t; | ||||
| type nmbd_exec_t; | ||||
| init_daemon_domain(nmbd_t,nmbd_exec_t) | ||||
| 
 | ||||
| type nmbd_var_run_t; | ||||
| files_pid_file(nmbd_var_run_t) | ||||
| 
 | ||||
| type samba_etc_t; #, usercanread; | ||||
| files_type(samba_etc_t) | ||||
| 
 | ||||
| type samba_log_t, logfile; | ||||
| files_type(samba_log_t) | ||||
| 
 | ||||
| type samba_net_t; | ||||
| domain_type(samba_net_t) | ||||
| 
 | ||||
| type samba_net_exec_t; | ||||
| domain_entry_file(samba_net_t,samba_net_exec_t) | ||||
| 
 | ||||
| type samba_net_tmp_t; | ||||
| files_tmp_file(samba_net_tmp_t) | ||||
| 
 | ||||
| type samba_secrets_t; | ||||
| files_type(samba_secrets_t) | ||||
| 
 | ||||
| type samba_share_t; #, customizable; | ||||
| files_type(samba_share_t) | ||||
| 
 | ||||
| type samba_var_t; | ||||
| files_type(samba_var_t) | ||||
| 
 | ||||
| type smbd_t; | ||||
| type smbd_exec_t; | ||||
| init_daemon_domain(smbd_t,smbd_exec_t) | ||||
| 
 | ||||
| type smbd_tmp_t; | ||||
| files_tmp_file(smbd_tmp_t) | ||||
| 
 | ||||
| type smbd_var_run_t; | ||||
| files_pid_file(smbd_var_run_t) | ||||
| 
 | ||||
| type smbmount_t; | ||||
| domain_type(smbmount_t) | ||||
| 
 | ||||
| type smbmount_exec_t; | ||||
| domain_entry_file(smbmount_t,smbmount_exec_t) | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # Samba net local policy | ||||
| # | ||||
| 
 | ||||
| allow samba_net_t self:unix_dgram_socket create_socket_perms; | ||||
| allow samba_net_t self:unix_stream_socket create_stream_socket_perms; | ||||
| allow samba_net_t self:udp_socket create_socket_perms; | ||||
| allow samba_net_t self:tcp_socket create_socket_perms; | ||||
| 
 | ||||
| allow samba_net_t samba_etc_t:file r_file_perms; | ||||
| 
 | ||||
| allow samba_net_t samba_secrets_t:file create_file_perms; | ||||
| allow samba_net_t samba_etc_t:dir rw_dir_perms; | ||||
| type_transition samba_net_t samba_etc_t:file samba_secrets_t; | ||||
| 
 | ||||
| allow samba_net_t samba_net_tmp_t:dir create_dir_perms; | ||||
| allow samba_net_t samba_net_tmp_t:file create_file_perms; | ||||
| files_create_tmp_files(samba_net_t, samba_net_tmp_t, { file dir }) | ||||
| 
 | ||||
| allow samba_net_t samba_var_t:dir rw_dir_perms; | ||||
| allow samba_net_t samba_var_t:lnk_file create_lnk_perms; | ||||
| allow samba_net_t samba_var_t:file create_lnk_perms; | ||||
| 
 | ||||
| kernel_read_proc_symlinks(samba_net_t) | ||||
| 
 | ||||
| corenet_tcp_sendrecv_all_if(samba_net_t) | ||||
| corenet_udp_sendrecv_all_if(samba_net_t) | ||||
| corenet_raw_sendrecv_all_if(samba_net_t) | ||||
| corenet_tcp_sendrecv_all_nodes(samba_net_t) | ||||
| corenet_udp_sendrecv_all_nodes(samba_net_t) | ||||
| corenet_raw_sendrecv_all_nodes(samba_net_t) | ||||
| corenet_tcp_sendrecv_all_ports(samba_net_t) | ||||
| corenet_udp_sendrecv_all_ports(samba_net_t) | ||||
| corenet_tcp_bind_all_nodes(samba_net_t) | ||||
| corenet_udp_bind_all_nodes(samba_net_t) | ||||
| corenet_tcp_connect_smbd_port(samba_net_t) | ||||
| 
 | ||||
| dev_read_urand(samba_net_t) | ||||
| 
 | ||||
| domain_use_wide_inherit_fd(samba_net_t) | ||||
| 
 | ||||
| files_read_etc_files(samba_net_t) | ||||
| 
 | ||||
| libs_use_ld_so(samba_net_t) | ||||
| libs_use_shared_libs(samba_net_t) | ||||
| 
 | ||||
| miscfiles_read_localization(samba_net_t)  | ||||
| 
 | ||||
| sysnet_read_config(samba_net_t) | ||||
| 
 | ||||
| userdom_dontaudit_search_sysadm_home_dir(samba_net_t) | ||||
| 
 | ||||
| optional_policy(`kerberos.te',` | ||||
| 	kerberos_use(samba_net_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`ldap.te',` | ||||
| 	allow samba_net_t self:tcp_socket create_socket_perms; | ||||
| 	corenet_tcp_sendrecv_all_if(samba_net_t) | ||||
| 	corenet_raw_sendrecv_all_if(samba_net_t) | ||||
| 	corenet_tcp_sendrecv_all_nodes(samba_net_t) | ||||
| 	corenet_raw_sendrecv_all_nodes(samba_net_t) | ||||
| 	corenet_tcp_sendrecv_ldap_port(samba_net_t) | ||||
| 	corenet_tcp_bind_all_nodes(samba_net_t) | ||||
| 	sysnet_read_config(samba_net_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`nscd.te',` | ||||
| 	nscd_use_socket(samba_net_t) | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # smbd Local policy | ||||
| # | ||||
| allow smbd_t self:capability { setgid setuid sys_resource lease dac_override dac_read_search }; | ||||
| dontaudit smbd_t self:capability sys_tty_config; | ||||
| allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; | ||||
| allow smbd_t self:fd use; | ||||
| allow smbd_t self:fifo_file rw_file_perms; | ||||
| allow smbd_t self:msg { send receive }; | ||||
| allow smbd_t self:msgq create_msgq_perms; | ||||
| allow smbd_t self:sem create_sem_perms; | ||||
| allow smbd_t self:shm create_shm_perms; | ||||
| allow smbd_t self:sock_file r_file_perms; | ||||
| allow smbd_t self:tcp_socket create_stream_socket_perms; | ||||
| allow smbd_t self:udp_socket create_socket_perms; | ||||
| allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; | ||||
| allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; | ||||
| 
 | ||||
| allow smbd_t samba_etc_t:dir rw_dir_perms; | ||||
| allow smbd_t samba_etc_t:file r_file_perms; | ||||
| 
 | ||||
| allow smbd_t samba_log_t:dir ra_dir_perms; | ||||
| dontaudit smbd_t samba_log_t:dir remove_name; | ||||
| allow smbd_t samba_log_t:file { create ra_file_perms }; | ||||
| 
 | ||||
| allow smbd_t samba_secrets_t:dir rw_dir_perms; | ||||
| allow smbd_t samba_secrets_t:file create_file_perms; | ||||
| type_transition smbd_t samba_etc_t:file samba_secrets_t; | ||||
| 
 | ||||
| allow smbd_t samba_share_t:dir create_dir_perms; | ||||
| allow smbd_t samba_share_t:file create_file_perms; | ||||
| allow smbd_t samba_share_t:lnk_file create_lnk_perms; | ||||
| 
 | ||||
| allow smbd_t samba_var_t:dir create_dir_perms; | ||||
| allow smbd_t samba_var_t:file create_file_perms; | ||||
| allow smbd_t samba_var_t:lnk_file create_lnk_perms; | ||||
| allow smbd_t samba_var_t:sock_file create_file_perms; | ||||
| 
 | ||||
| allow smbd_t smbd_tmp_t:dir create_dir_perms; | ||||
| allow smbd_t smbd_tmp_t:file create_file_perms; | ||||
| files_create_tmp_files(smbd_t, smbd_tmp_t, { file dir }) | ||||
| 
 | ||||
| allow smbd_t nmbd_var_run_t:file rw_file_perms; | ||||
| 
 | ||||
| allow smbd_t smbd_var_run_t:dir create_dir_perms; | ||||
| allow smbd_t smbd_var_run_t:file create_file_perms; | ||||
| allow smbd_t smbd_var_run_t:sock_file create_file_perms; | ||||
| files_create_pid(smbd_t,smbd_var_run_t) | ||||
| 
 | ||||
| kernel_getattr_core(smbd_t) | ||||
| kernel_getattr_message_if(smbd_t) | ||||
| kernel_read_network_state(smbd_t) | ||||
| kernel_read_kernel_sysctl(smbd_t) | ||||
| kernel_read_software_raid_state(smbd_t) | ||||
| kernel_read_system_state(smbd_t) | ||||
| 
 | ||||
| corenet_tcp_sendrecv_all_if(smbd_t) | ||||
| corenet_udp_sendrecv_all_if(smbd_t) | ||||
| corenet_raw_sendrecv_all_if(smbd_t) | ||||
| corenet_tcp_sendrecv_all_nodes(smbd_t) | ||||
| corenet_udp_sendrecv_all_nodes(smbd_t) | ||||
| corenet_raw_sendrecv_all_nodes(smbd_t) | ||||
| corenet_tcp_sendrecv_all_ports(smbd_t) | ||||
| corenet_udp_sendrecv_all_ports(smbd_t) | ||||
| corenet_tcp_bind_all_nodes(smbd_t) | ||||
| corenet_udp_bind_all_nodes(smbd_t) | ||||
| corenet_tcp_bind_smbd_port(smbd_t) | ||||
| corenet_tcp_connect_ipp_port(smbd_t) | ||||
| 
 | ||||
| dev_read_sysfs(smbd_t) | ||||
| dev_read_urand(smbd_t) | ||||
| 
 | ||||
| fs_getattr_all_fs(smbd_t) | ||||
| fs_search_auto_mountpoints(smbd_t) | ||||
| 
 | ||||
| term_dontaudit_use_console(smbd_t) | ||||
| 
 | ||||
| auth_domtrans_chk_passwd(smbd_t) | ||||
| 
 | ||||
| domain_use_wide_inherit_fd(smbd_t) | ||||
| 
 | ||||
| files_list_var_lib(smbd_t) | ||||
| files_read_etc_files(smbd_t) | ||||
| files_read_etc_runtime_files(smbd_t) | ||||
| files_read_usr_files(smbd_t) | ||||
| files_search_spool(smbd_t) | ||||
| 
 | ||||
| init_use_fd(smbd_t) | ||||
| init_use_script_pty(smbd_t) | ||||
| 
 | ||||
| libs_use_ld_so(smbd_t) | ||||
| libs_use_shared_libs(smbd_t) | ||||
| 
 | ||||
| logging_search_logs(smbd_t) | ||||
| logging_send_syslog_msg(smbd_t) | ||||
| 
 | ||||
| miscfiles_read_localization(smbd_t) | ||||
| 
 | ||||
| mount_send_nfs_client_request(smbd_t) | ||||
| 
 | ||||
| sysnet_read_config(smbd_t) | ||||
| 
 | ||||
| userdom_dontaudit_search_sysadm_home_dir(smbd_t) | ||||
| userdom_dontaudit_use_unpriv_user_fd(smbd_t) | ||||
| userdom_use_unpriv_users_fd(smbd_t) | ||||
| 
 | ||||
| ifdef(`targeted_policy', ` | ||||
| 	files_dontaudit_read_root_file(smbd_t) | ||||
| 	term_dontaudit_use_generic_pty(smbd_t) | ||||
| 	term_dontaudit_use_unallocated_tty(smbd_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`kerberos.te',` | ||||
| 	kerberos_use(smbd_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`ldap.te',` | ||||
| 	allow smbd_t self:tcp_socket create_socket_perms; | ||||
| 	corenet_tcp_sendrecv_all_if(smbd_t) | ||||
| 	corenet_raw_sendrecv_all_if(smbd_t) | ||||
| 	corenet_tcp_sendrecv_all_nodes(smbd_t) | ||||
| 	corenet_raw_sendrecv_all_nodes(smbd_t) | ||||
| 	corenet_tcp_sendrecv_ldap_port(smbd_t) | ||||
| 	corenet_tcp_bind_all_nodes(smbd_t) | ||||
| 	sysnet_read_config(smbd_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`nis.te',` | ||||
| 	nis_use_ypbind(smbd_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`nscd.te',` | ||||
| 	nscd_use_socket(smbd_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`selinuxutil.te',` | ||||
| 	seutil_sigchld_newrole(smbd_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`udev.te', ` | ||||
| 	udev_read_db(smbd_t) | ||||
| ') | ||||
| 
 | ||||
| ifdef(`TODO',` | ||||
| optional_policy(`rhgb.te',` | ||||
| 	rhgb_domain(smbd_t) | ||||
| ') | ||||
| can_winbind(smbd_t) | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # nmbd Local policy | ||||
| # | ||||
| dontaudit nmbd_t self:capability sys_tty_config; | ||||
| allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; | ||||
| allow nmbd_t self:fd use; | ||||
| allow nmbd_t self:fifo_file rw_file_perms; | ||||
| allow nmbd_t self:msg { send receive }; | ||||
| allow nmbd_t self:msgq create_msgq_perms; | ||||
| allow nmbd_t self:sem create_sem_perms; | ||||
| allow nmbd_t self:shm create_shm_perms; | ||||
| allow nmbd_t self:sock_file r_file_perms; | ||||
| allow nmbd_t self:tcp_socket create_stream_socket_perms; | ||||
| allow nmbd_t self:udp_socket create_socket_perms; | ||||
| allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; | ||||
| allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; | ||||
| 
 | ||||
| allow nmbd_t nmbd_var_run_t:file create_file_perms; | ||||
| files_create_pid(nmbd_t,nmbd_var_run_t) | ||||
| 
 | ||||
| allow nmbd_t samba_etc_t:dir { search getattr }; | ||||
| allow nmbd_t samba_etc_t:file { getattr read }; | ||||
| 
 | ||||
| allow nmbd_t samba_log_t:dir ra_dir_perms; | ||||
| allow nmbd_t samba_log_t:file { create ra_file_perms }; | ||||
| 
 | ||||
| allow nmbd_t samba_var_t:dir rw_dir_perms; | ||||
| allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename }; | ||||
| 
 | ||||
| allow nmbd_t smbd_var_run_t:dir rw_dir_perms; | ||||
| 
 | ||||
| kernel_getattr_core(nmbd_t) | ||||
| kernel_getattr_message_if(nmbd_t) | ||||
| kernel_read_kernel_sysctl(nmbd_t) | ||||
| kernel_read_network_state(nmbd_t) | ||||
| kernel_read_software_raid_state(nmbd_t) | ||||
| kernel_read_system_state(nmbd_t) | ||||
| 
 | ||||
| corenet_tcp_sendrecv_all_if(nmbd_t) | ||||
| corenet_raw_sendrecv_all_if(nmbd_t) | ||||
| corenet_tcp_sendrecv_all_nodes(nmbd_t) | ||||
| corenet_raw_sendrecv_all_nodes(nmbd_t) | ||||
| corenet_tcp_sendrecv_all_ports(nmbd_t) | ||||
| corenet_tcp_bind_all_nodes(nmbd_t) | ||||
| corenet_udp_bind_nmbd_port(nmbd_t) | ||||
| 
 | ||||
| dev_read_sysfs(nmbd_t) | ||||
| 
 | ||||
| fs_getattr_all_fs(nmbd_t) | ||||
| fs_search_auto_mountpoints(nmbd_t) | ||||
| 
 | ||||
| term_dontaudit_use_console(nmbd_t) | ||||
| 
 | ||||
| domain_use_wide_inherit_fd(nmbd_t) | ||||
| 
 | ||||
| files_read_usr_files(nmbd_t) | ||||
| files_read_etc_files(nmbd_t) | ||||
| 
 | ||||
| init_use_fd(nmbd_t) | ||||
| init_use_script_pty(nmbd_t) | ||||
| 
 | ||||
| libs_use_ld_so(nmbd_t) | ||||
| libs_use_shared_libs(nmbd_t) | ||||
| 
 | ||||
| logging_search_logs(nmbd_t) | ||||
| logging_send_syslog_msg(nmbd_t) | ||||
| 
 | ||||
| miscfiles_read_localization(nmbd_t) | ||||
| 
 | ||||
| sysnet_read_config(nmbd_t) | ||||
| 
 | ||||
| userdom_dontaudit_search_sysadm_home_dir(nmbd_t) | ||||
| userdom_dontaudit_use_unpriv_user_fd(nmbd_t) | ||||
| userdom_use_unpriv_users_fd(nmbd_t) | ||||
| 
 | ||||
| ifdef(`targeted_policy', ` | ||||
| 	files_dontaudit_read_root_file(nmbd_t) | ||||
| 	term_dontaudit_use_generic_pty(nmbd_t) | ||||
| 	term_dontaudit_use_unallocated_tty(nmbd_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`nis.te',` | ||||
| 	nis_use_ypbind(nmbd_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`selinuxutil.te',` | ||||
| 	seutil_sigchld_newrole(nmbd_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`udev.te', ` | ||||
| 	udev_read_db(nmbd_t) | ||||
| ') | ||||
| 
 | ||||
| ifdef(`TODO',` | ||||
| optional_policy(`rhgb.te',` | ||||
| 	rhgb_domain(nmbd_t) | ||||
| ') | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| # | ||||
| # smbmount Local policy | ||||
| # | ||||
| allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary? | ||||
| allow smbmount_t self:process { fork signal_perms }; | ||||
| allow smbmount_t self:tcp_socket create_stream_socket_perms; | ||||
| allow smbmount_t self:udp_socket connect; | ||||
| allow smbmount_t self:unix_dgram_socket create_socket_perms; | ||||
| allow smbmount_t self:unix_stream_socket create_socket_perms; | ||||
| 
 | ||||
| allow smbmount_t samba_etc_t:dir r_dir_perms; | ||||
| allow smbmount_t samba_etc_t:file r_file_perms; | ||||
| 
 | ||||
| can_exec(smbmount_t, smbmount_exec_t) | ||||
| 
 | ||||
| allow smbmount_t samba_log_t:dir r_dir_perms;  | ||||
| allow smbmount_t samba_log_t:file create_file_perms; | ||||
| 
 | ||||
| allow smbmount_t samba_secrets_t:file create_file_perms; | ||||
| 
 | ||||
| allow smbmount_t samba_var_t:dir rw_dir_perms; | ||||
| allow smbmount_t samba_var_t:file create_file_perms; | ||||
| allow smbmount_t samba_var_t:lnk_file create_lnk_perms; | ||||
| 
 | ||||
| kernel_read_system_state(smbmount_t) | ||||
| 
 | ||||
| corenet_tcp_sendrecv_all_if(smbmount_t) | ||||
| corenet_raw_sendrecv_all_if(smbmount_t) | ||||
| corenet_udp_sendrecv_all_if(smbmount_t) | ||||
| corenet_tcp_sendrecv_all_nodes(smbmount_t) | ||||
| corenet_raw_sendrecv_all_nodes(smbmount_t) | ||||
| corenet_udp_sendrecv_all_nodes(smbmount_t) | ||||
| corenet_tcp_sendrecv_all_ports(smbmount_t) | ||||
| corenet_udp_sendrecv_all_ports(smbmount_t) | ||||
| corenet_tcp_bind_all_nodes(smbmount_t) | ||||
| corenet_udp_bind_all_nodes(smbmount_t) | ||||
| corenet_tcp_connect_all_ports(smbmount_t) | ||||
| 
 | ||||
| fs_getattr_cifs(smbmount_t) | ||||
| fs_mount_cifs(smbmount_t) | ||||
| fs_remount_cifs(smbmount_t) | ||||
| fs_unmount_cifs(smbmount_t) | ||||
| fs_list_cifs(smbmount_t) | ||||
| fs_read_cifs_files(smbmount_t) | ||||
| 
 | ||||
| storage_raw_read_fixed_disk(smbmount_t) | ||||
| storage_raw_write_fixed_disk(smbmount_t) | ||||
| 
 | ||||
| term_list_ptys(smbmount_t) | ||||
| term_use_controlling_term(smbmount_t) | ||||
| 
 | ||||
| corecmd_list_bin(smbmount_t) | ||||
| 
 | ||||
| files_list_mnt(smbmount_t) | ||||
| files_mounton_mnt(smbmount_t) | ||||
| files_manage_etc_runtime_files(smbmount_t) | ||||
| files_read_etc_files(smbmount_t) | ||||
| 
 | ||||
| miscfiles_read_localization(smbmount_t) | ||||
| 
 | ||||
| mount_use_fd(smbmount_t) | ||||
| mount_send_nfs_client_request(smbmount_t) | ||||
| 
 | ||||
| libs_use_ld_so(smbmount_t) | ||||
| libs_use_shared_libs(smbmount_t) | ||||
| 
 | ||||
| locallogin_use_fd(smbmount_t) | ||||
| 
 | ||||
| logging_search_logs(smbmount_t) | ||||
| 
 | ||||
| sysnet_read_config(smbmount_t) | ||||
| 
 | ||||
| userdom_use_all_user_fd(smbmount_t) | ||||
| userdom_use_sysadm_tty(smbmount_t) | ||||
| 
 | ||||
| optional_policy(`nis.te',` | ||||
| 	nis_use_ypbind(smbmount_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`nscd.te',` | ||||
| 	nscd_use_socket(smbmount_t) | ||||
| ') | ||||
| 
 | ||||
| ifdef(`TODO',` | ||||
| ifdef(`cups.te', ` | ||||
| 	allow smbd_t cupsd_rw_etc_t:file { getattr read }; | ||||
| ') | ||||
| ') | ||||
| @ -11,6 +11,7 @@ ifdef(`distro_redhat',` | ||||
| /fastboot 		--	context_template(system_u:object_r:etc_runtime_t,s0) | ||||
| /forcefsck 		--	context_template(system_u:object_r:etc_runtime_t,s0) | ||||
| /fsckoptions 		--	context_template(system_u:object_r:etc_runtime_t,s0) | ||||
| /halt			--	context_template(system_u:object_r:etc_runtime_t,s0) | ||||
| /poweroff		--	context_template(system_u:object_r:etc_runtime_t,s0) | ||||
| ') | ||||
| 
 | ||||
|  | ||||
| @ -1369,6 +1369,23 @@ interface(`files_list_mnt',` | ||||
| 	allow $1 mnt_t:dir r_dir_perms; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Mount a filesystem on /mnt. | ||||
| ## </summary> | ||||
| ## <param name="domain"> | ||||
| ##	Domain allowed access. | ||||
| ## </param> | ||||
| # | ||||
| interface(`files_mounton_mnt',` | ||||
| 	gen_require(` | ||||
| 		type mnt_t; | ||||
| 		class dir { search mounton }; | ||||
| 	') | ||||
| 
 | ||||
| 	allow $1 mnt_t:dir { search mounton }; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Create, read, write, and delete directories in /mnt. | ||||
|  | ||||
| @ -1,12 +1,4 @@ | ||||
| 
 | ||||
| # | ||||
| # / | ||||
| # | ||||
| ifdef(`distro_redhat', ` | ||||
| /\.autofsck		--	context_template(system_u:object_r:etc_runtime_t,s0) | ||||
| /halt			--	context_template(system_u:object_r:etc_runtime_t,s0) | ||||
| ') | ||||
| 
 | ||||
| # | ||||
| # /etc | ||||
| # | ||||
|  | ||||
| @ -490,6 +490,10 @@ optional_policy(`rpm.te',` | ||||
| 	rpm_manage_db(initrc_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`samba.te',` | ||||
| 	samba_rw_config(initrc_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`squid.te',` | ||||
| 	squid_read_config(initrc_t) | ||||
| 	squid_manage_logs(initrc_t) | ||||
|  | ||||
| @ -120,6 +120,10 @@ optional_policy(`rpm.te', ` | ||||
| 	rpm_rw_pipe(mount_t) | ||||
| ') | ||||
| 
 | ||||
| optional_policy(`samba.te',` | ||||
| 	samba_domtrans_smbmount(mount_t) | ||||
| ') | ||||
| 
 | ||||
| ifdef(`TODO',` | ||||
| # this goes to the nfs/rpc module | ||||
| files_mountpoint(var_lib_nfs_t) | ||||
|  | ||||
| @ -1012,6 +1012,118 @@ template(`userdom_manage_user_home_subdir_symlinks',` | ||||
| 	allow $2 $1_home_t:lnk_file create_lnk_perms; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Create, read, write, and delete named pipes | ||||
| ##	in a user home subdirectory. | ||||
| ## </summary> | ||||
| ## <desc> | ||||
| ##	<p> | ||||
| ##	Create, read, write, and delete named pipes | ||||
| ##	in a user home subdirectory. | ||||
| ##	</p> | ||||
| ##	<p> | ||||
| ##	This is a templated interface, and should only | ||||
| ##	be called from a per-userdomain template. | ||||
| ##	</p> | ||||
| ## </desc> | ||||
| ## <param name="userdomain_prefix"> | ||||
| ##	The prefix of the user domain (e.g., user | ||||
| ##	is the prefix for user_t). | ||||
| ## </param> | ||||
| ## <param name="domain"> | ||||
| ##	The type of the process performing this action. | ||||
| ## </param> | ||||
| # | ||||
| template(`userdom_manage_user_home_subdir_pipes',` | ||||
| 	gen_require(` | ||||
| 		class dir rw_dir_perms; | ||||
| 		class fifo_file create_file_perms; | ||||
| 	') | ||||
| 
 | ||||
| 	files_search_home($2) | ||||
| 	allow $2 $1_home_dir_t:dir search; | ||||
| 	allow $2 $1_home_t:dir rw_dir_perms; | ||||
| 	allow $2 $1_home_t:fifo_file create_file_perms; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Create, read, write, and delete named sockets | ||||
| ##	in a user home subdirectory. | ||||
| ## </summary> | ||||
| ## <desc> | ||||
| ##	<p> | ||||
| ##	Create, read, write, and delete named sockets | ||||
| ##	in a user home subdirectory. | ||||
| ##	</p> | ||||
| ##	<p> | ||||
| ##	This is a templated interface, and should only | ||||
| ##	be called from a per-userdomain template. | ||||
| ##	</p> | ||||
| ## </desc> | ||||
| ## <param name="userdomain_prefix"> | ||||
| ##	The prefix of the user domain (e.g., user | ||||
| ##	is the prefix for user_t). | ||||
| ## </param> | ||||
| ## <param name="domain"> | ||||
| ##	The type of the process performing this action. | ||||
| ## </param> | ||||
| # | ||||
| template(`userdom_manage_user_home_subdir_sockets',` | ||||
| 	gen_require(` | ||||
| 		class dir rw_dir_perms; | ||||
| 		class sock_file create_file_perms; | ||||
| 	') | ||||
| 
 | ||||
| 	files_search_home($2) | ||||
| 	allow $2 $1_home_dir_t:dir search; | ||||
| 	allow $2 $1_home_t:dir rw_dir_perms; | ||||
| 	allow $2 $1_home_t:sock_file create_file_perms; | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	 | ||||
| ## </summary> | ||||
| ## <desc> | ||||
| ##	<p> | ||||
| ##	Create, read, write, and delete named sockets | ||||
| ##	in a user home subdirectory. | ||||
| ##	</p> | ||||
| ##	<p> | ||||
| ##	This is a templated interface, and should only | ||||
| ##	be called from a per-userdomain template. | ||||
| ##	</p> | ||||
| ## </desc> | ||||
| ## <param name="userdomain_prefix"> | ||||
| ##	The prefix of the user domain (e.g., user | ||||
| ##	is the prefix for user_t). | ||||
| ## </param> | ||||
| ## <param name="domain"> | ||||
| ##	The type of the process performing this action. | ||||
| ## </param> | ||||
| ## <param name="object_class" optional="true"> | ||||
| ##	The class of the object to be created.  If not | ||||
| ##	specified, file is used. | ||||
| ## </param> | ||||
| # | ||||
| template(`userdom_create_user_home',` | ||||
| 	gen_require(` | ||||
| 		class dir rw_dir_perms; | ||||
| 	') | ||||
| 
 | ||||
| 	files_search_home($2) | ||||
| 
 | ||||
| 	allow $2 $1_home_dir_t:dir rw_dir_perms; | ||||
| 
 | ||||
| 	ifelse(`$3',`',` | ||||
| 		type_transition $2 $1_home_dir_t:file $1_home_t; | ||||
| 	',` | ||||
| 		type_transition $2 $1_home_dir_t:$3 $1_home_t; | ||||
| 	') | ||||
| ') | ||||
| 
 | ||||
| ######################################## | ||||
| ## <summary> | ||||
| ##	Create, read, write, and delete user | ||||
|  | ||||
| @ -202,6 +202,10 @@ ifdef(`targeted_policy',` | ||||
| 		rpm_run(sysadm_t,sysadm_r,admin_terminal) | ||||
| 	') | ||||
| 
 | ||||
| 	optional_policy(`samba.te',` | ||||
| 		samba_run_net(sysadm_t,sysadm_r,admin_terminal) | ||||
| 	') | ||||
| 
 | ||||
| 	optional_policy(`selinuxutil.te',` | ||||
| 		seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal) | ||||
| 		seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal) | ||||
|  | ||||
		Loading…
	
		Reference in New Issue
	
	Block a user