1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
863 lines
23 KiB
Plaintext
863 lines
23 KiB
Plaintext
|
|
policy_module(samba,1.5.2)
|
|
|
|
#################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow samba to modify public files
|
|
## used for public file transfer services.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_smbd_anon_write,false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow samba to run as the domain controller; add machines to passwd file
|
|
##
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(samba_domain_controller,false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow samba to export user home directories.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(samba_enable_home_dirs,false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Export all files on system read only.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(samba_export_all_ro,false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Export all files on system read-write.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(samba_export_all_rw,false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow samba to run unconfined scripts
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(samba_run_unconfined,false)
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow samba to export NFS volumes.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(samba_share_nfs,false)
|
|
|
|
type nmbd_t;
|
|
type nmbd_exec_t;
|
|
init_daemon_domain(nmbd_t,nmbd_exec_t)
|
|
|
|
type nmbd_var_run_t;
|
|
files_pid_file(nmbd_var_run_t)
|
|
|
|
type samba_etc_t;
|
|
files_config_file(samba_etc_t)
|
|
|
|
type samba_log_t;
|
|
logging_log_file(samba_log_t)
|
|
|
|
type samba_net_t;
|
|
domain_type(samba_net_t)
|
|
role system_r types samba_net_t;
|
|
|
|
type samba_net_exec_t;
|
|
domain_entry_file(samba_net_t,samba_net_exec_t)
|
|
|
|
type samba_net_tmp_t;
|
|
files_tmp_file(samba_net_tmp_t)
|
|
|
|
type samba_secrets_t;
|
|
files_type(samba_secrets_t)
|
|
|
|
type samba_share_t; # customizable
|
|
files_type(samba_share_t)
|
|
|
|
type samba_unconfined_script_t;
|
|
type samba_unconfined_script_exec_t;
|
|
domain_type(samba_unconfined_script_t)
|
|
domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t)
|
|
corecmd_shell_entry_type(samba_unconfined_script_t)
|
|
role system_r types samba_unconfined_script_t;
|
|
|
|
type samba_var_t;
|
|
files_type(samba_var_t)
|
|
|
|
type smbd_t;
|
|
type smbd_exec_t;
|
|
init_daemon_domain(smbd_t,smbd_exec_t)
|
|
|
|
type smbd_tmp_t;
|
|
files_tmp_file(smbd_tmp_t)
|
|
|
|
type smbd_var_run_t;
|
|
files_pid_file(smbd_var_run_t)
|
|
|
|
type smbmount_t;
|
|
domain_type(smbmount_t)
|
|
|
|
type smbmount_exec_t;
|
|
domain_entry_file(smbmount_t,smbmount_exec_t)
|
|
|
|
type swat_t;
|
|
type swat_exec_t;
|
|
domain_type(swat_t)
|
|
domain_entry_file(swat_t,swat_exec_t)
|
|
role system_r types swat_t;
|
|
|
|
type swat_tmp_t;
|
|
files_tmp_file(swat_tmp_t)
|
|
|
|
type swat_var_run_t;
|
|
files_pid_file(swat_var_run_t)
|
|
|
|
type winbind_t;
|
|
type winbind_exec_t;
|
|
init_daemon_domain(winbind_t,winbind_exec_t)
|
|
|
|
type winbind_helper_t;
|
|
domain_type(winbind_helper_t)
|
|
role system_r types winbind_helper_t;
|
|
|
|
type winbind_helper_exec_t;
|
|
domain_entry_file(winbind_helper_t,winbind_helper_exec_t)
|
|
|
|
type winbind_log_t;
|
|
logging_log_file(winbind_log_t)
|
|
|
|
type winbind_tmp_t;
|
|
files_tmp_file(winbind_tmp_t)
|
|
|
|
type winbind_var_run_t;
|
|
files_pid_file(winbind_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# Samba net local policy
|
|
#
|
|
|
|
allow samba_net_t self:unix_dgram_socket create_socket_perms;
|
|
allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow samba_net_t self:udp_socket create_socket_perms;
|
|
allow samba_net_t self:tcp_socket create_socket_perms;
|
|
allow samba_net_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
allow samba_net_t samba_etc_t:file read_file_perms;
|
|
|
|
manage_files_pattern(samba_net_t,samba_etc_t,samba_secrets_t)
|
|
filetrans_pattern(samba_net_t,samba_etc_t,samba_secrets_t,file)
|
|
|
|
manage_dirs_pattern(samba_net_t,samba_net_tmp_t,samba_net_tmp_t)
|
|
manage_files_pattern(samba_net_t,samba_net_tmp_t,samba_net_tmp_t)
|
|
files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
|
|
|
|
allow samba_net_t samba_var_t:dir rw_dir_perms;
|
|
manage_files_pattern(samba_net_t,samba_var_t,samba_var_t)
|
|
manage_lnk_files_pattern(samba_net_t,samba_var_t,samba_var_t)
|
|
|
|
kernel_read_proc_symlinks(samba_net_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(samba_net_t)
|
|
corenet_all_recvfrom_netlabel(samba_net_t)
|
|
corenet_tcp_sendrecv_all_if(samba_net_t)
|
|
corenet_udp_sendrecv_all_if(samba_net_t)
|
|
corenet_raw_sendrecv_all_if(samba_net_t)
|
|
corenet_tcp_sendrecv_all_nodes(samba_net_t)
|
|
corenet_udp_sendrecv_all_nodes(samba_net_t)
|
|
corenet_raw_sendrecv_all_nodes(samba_net_t)
|
|
corenet_tcp_sendrecv_all_ports(samba_net_t)
|
|
corenet_udp_sendrecv_all_ports(samba_net_t)
|
|
corenet_tcp_bind_all_nodes(samba_net_t)
|
|
corenet_udp_bind_all_nodes(samba_net_t)
|
|
corenet_tcp_connect_smbd_port(samba_net_t)
|
|
|
|
dev_read_urand(samba_net_t)
|
|
|
|
domain_use_interactive_fds(samba_net_t)
|
|
|
|
files_read_etc_files(samba_net_t)
|
|
|
|
libs_use_ld_so(samba_net_t)
|
|
libs_use_shared_libs(samba_net_t)
|
|
|
|
logging_send_syslog_msg(samba_net_t)
|
|
|
|
miscfiles_read_localization(samba_net_t)
|
|
|
|
sysnet_read_config(samba_net_t)
|
|
sysnet_use_ldap(samba_net_t)
|
|
|
|
userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_use_generic_ptys(samba_net_t)
|
|
term_use_unallocated_ttys(samba_net_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_use(samba_net_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(samba_net_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# smbd Local policy
|
|
#
|
|
allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search };
|
|
dontaudit smbd_t self:capability sys_tty_config;
|
|
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow smbd_t self:process setrlimit;
|
|
allow smbd_t self:fd use;
|
|
allow smbd_t self:fifo_file rw_fifo_file_perms;
|
|
allow smbd_t self:msg { send receive };
|
|
allow smbd_t self:msgq create_msgq_perms;
|
|
allow smbd_t self:sem create_sem_perms;
|
|
allow smbd_t self:shm create_shm_perms;
|
|
allow smbd_t self:sock_file read_file_perms;
|
|
allow smbd_t self:tcp_socket create_stream_socket_perms;
|
|
allow smbd_t self:udp_socket create_socket_perms;
|
|
allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
allow smbd_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
|
|
|
|
create_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
|
|
create_files_pattern(smbd_t,samba_log_t,samba_log_t)
|
|
allow smbd_t samba_log_t:dir setattr;
|
|
dontaudit smbd_t samba_log_t:dir remove_name;
|
|
|
|
allow smbd_t samba_net_tmp_t:file getattr;
|
|
|
|
manage_files_pattern(smbd_t,samba_secrets_t,samba_secrets_t)
|
|
filetrans_pattern(smbd_t,samba_etc_t,samba_secrets_t,file)
|
|
|
|
manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t)
|
|
manage_files_pattern(smbd_t,samba_share_t,samba_share_t)
|
|
manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t)
|
|
|
|
manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t)
|
|
manage_files_pattern(smbd_t,samba_var_t,samba_var_t)
|
|
manage_lnk_files_pattern(smbd_t,samba_var_t,samba_var_t)
|
|
manage_sock_files_pattern(smbd_t,samba_var_t,samba_var_t)
|
|
|
|
manage_dirs_pattern(smbd_t,smbd_tmp_t,smbd_tmp_t)
|
|
manage_files_pattern(smbd_t,smbd_tmp_t,smbd_tmp_t)
|
|
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
|
|
|
|
allow smbd_t nmbd_var_run_t:file rw_file_perms;
|
|
|
|
manage_dirs_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
|
|
manage_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
|
|
manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
|
|
files_pid_filetrans(smbd_t,smbd_var_run_t,file)
|
|
|
|
allow smbd_t winbind_var_run_t:sock_file { read write getattr };
|
|
|
|
kernel_getattr_core_if(smbd_t)
|
|
kernel_getattr_message_if(smbd_t)
|
|
kernel_read_network_state(smbd_t)
|
|
kernel_read_fs_sysctls(smbd_t)
|
|
kernel_read_kernel_sysctls(smbd_t)
|
|
kernel_read_software_raid_state(smbd_t)
|
|
kernel_read_system_state(smbd_t)
|
|
|
|
corecmd_exec_shell(smbd_t)
|
|
corecmd_exec_bin(smbd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(smbd_t)
|
|
corenet_all_recvfrom_netlabel(smbd_t)
|
|
corenet_tcp_sendrecv_all_if(smbd_t)
|
|
corenet_udp_sendrecv_all_if(smbd_t)
|
|
corenet_raw_sendrecv_all_if(smbd_t)
|
|
corenet_tcp_sendrecv_all_nodes(smbd_t)
|
|
corenet_udp_sendrecv_all_nodes(smbd_t)
|
|
corenet_raw_sendrecv_all_nodes(smbd_t)
|
|
corenet_tcp_sendrecv_all_ports(smbd_t)
|
|
corenet_udp_sendrecv_all_ports(smbd_t)
|
|
corenet_tcp_bind_all_nodes(smbd_t)
|
|
corenet_udp_bind_all_nodes(smbd_t)
|
|
corenet_tcp_bind_smbd_port(smbd_t)
|
|
corenet_tcp_connect_ipp_port(smbd_t)
|
|
corenet_tcp_connect_smbd_port(smbd_t)
|
|
|
|
dev_read_sysfs(smbd_t)
|
|
dev_read_urand(smbd_t)
|
|
dev_getattr_mtrr_dev(smbd_t)
|
|
dev_dontaudit_getattr_usbfs_dirs(smbd_t)
|
|
|
|
fs_getattr_all_fs(smbd_t)
|
|
fs_get_xattr_fs_quotas(smbd_t)
|
|
fs_search_auto_mountpoints(smbd_t)
|
|
fs_getattr_rpc_dirs(smbd_t)
|
|
fs_list_inotifyfs(smbd_t)
|
|
|
|
auth_use_nsswitch(smbd_t)
|
|
auth_domtrans_chk_passwd(smbd_t)
|
|
|
|
domain_use_interactive_fds(smbd_t)
|
|
domain_dontaudit_list_all_domains_state(smbd_t)
|
|
|
|
files_list_var_lib(smbd_t)
|
|
files_read_etc_files(smbd_t)
|
|
files_read_etc_runtime_files(smbd_t)
|
|
files_read_usr_files(smbd_t)
|
|
files_search_spool(smbd_t)
|
|
# Allow samba to list mnt_t for potential mounted dirs
|
|
files_list_mnt(smbd_t)
|
|
|
|
init_rw_utmp(smbd_t)
|
|
|
|
libs_use_ld_so(smbd_t)
|
|
libs_use_shared_libs(smbd_t)
|
|
|
|
logging_search_logs(smbd_t)
|
|
logging_send_syslog_msg(smbd_t)
|
|
|
|
miscfiles_read_localization(smbd_t)
|
|
miscfiles_read_public_files(smbd_t)
|
|
|
|
sysnet_read_config(smbd_t)
|
|
|
|
userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(smbd_t)
|
|
userdom_use_unpriv_users_fds(smbd_t)
|
|
|
|
ifdef(`hide_broken_symptoms', `
|
|
files_dontaudit_getattr_default_dirs(smbd_t)
|
|
files_dontaudit_getattr_boot_dirs(smbd_t)
|
|
fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
|
|
')
|
|
|
|
ifdef(`targeted_policy', `
|
|
files_dontaudit_read_root_files(smbd_t)
|
|
term_dontaudit_use_generic_ptys(smbd_t)
|
|
term_dontaudit_use_unallocated_ttys(smbd_t)
|
|
')
|
|
|
|
tunable_policy(`allow_smbd_anon_write',`
|
|
miscfiles_manage_public_files(smbd_t)
|
|
')
|
|
|
|
tunable_policy(`samba_domain_controller',`
|
|
usermanage_domtrans_passwd(smbd_t)
|
|
usermanage_domtrans_useradd(smbd_t)
|
|
usermanage_domtrans_groupadd(smbd_t)
|
|
')
|
|
|
|
# Support Samba sharing of NFS mount points
|
|
tunable_policy(`samba_share_nfs',`
|
|
fs_manage_nfs_dirs(smbd_t)
|
|
fs_manage_nfs_files(smbd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cups_read_rw_config(smbd_t)
|
|
cups_stream_connect(smbd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_use(smbd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpc_search_nfs_state_data(smbd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(smbd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(smbd_t)
|
|
')
|
|
|
|
tunable_policy(`samba_export_all_ro',`
|
|
fs_read_noxattr_fs_files(smbd_t)
|
|
auth_read_all_files_except_shadow(smbd_t)
|
|
fs_read_noxattr_fs_files(nmbd_t)
|
|
auth_read_all_files_except_shadow(nmbd_t)
|
|
')
|
|
|
|
tunable_policy(`samba_export_all_rw',`
|
|
fs_read_noxattr_fs_files(smbd_t)
|
|
auth_manage_all_files_except_shadow(smbd_t)
|
|
fs_read_noxattr_fs_files(nmbd_t)
|
|
auth_manage_all_files_except_shadow(nmbd_t)
|
|
userdom_generic_user_home_dir_filetrans_generic_user_home_content(nmbd_t, { file dir })
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# nmbd Local policy
|
|
#
|
|
|
|
dontaudit nmbd_t self:capability sys_tty_config;
|
|
allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow nmbd_t self:fd use;
|
|
allow nmbd_t self:fifo_file rw_fifo_file_perms;
|
|
allow nmbd_t self:msg { send receive };
|
|
allow nmbd_t self:msgq create_msgq_perms;
|
|
allow nmbd_t self:sem create_sem_perms;
|
|
allow nmbd_t self:shm create_shm_perms;
|
|
allow nmbd_t self:sock_file read_file_perms;
|
|
allow nmbd_t self:tcp_socket create_stream_socket_perms;
|
|
allow nmbd_t self:udp_socket create_socket_perms;
|
|
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
|
|
|
manage_files_pattern(nmbd_t,nmbd_var_run_t,nmbd_var_run_t)
|
|
files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
|
|
|
|
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
|
|
|
|
manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
|
|
append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
|
|
allow nmbd_t samba_log_t:file unlink;
|
|
|
|
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
|
|
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
|
|
allow nmbd_t samba_log_t:dir setattr;
|
|
|
|
manage_files_pattern(nmbd_t,samba_var_t,samba_var_t)
|
|
|
|
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
|
|
|
|
kernel_getattr_core_if(nmbd_t)
|
|
kernel_getattr_message_if(nmbd_t)
|
|
kernel_read_kernel_sysctls(nmbd_t)
|
|
kernel_read_network_state(nmbd_t)
|
|
kernel_read_software_raid_state(nmbd_t)
|
|
kernel_read_system_state(nmbd_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(nmbd_t)
|
|
corenet_all_recvfrom_netlabel(nmbd_t)
|
|
corenet_tcp_sendrecv_all_if(nmbd_t)
|
|
corenet_udp_sendrecv_all_if(nmbd_t)
|
|
corenet_tcp_sendrecv_all_nodes(nmbd_t)
|
|
corenet_udp_sendrecv_all_nodes(nmbd_t)
|
|
corenet_tcp_sendrecv_all_ports(nmbd_t)
|
|
corenet_udp_sendrecv_all_ports(nmbd_t)
|
|
corenet_udp_bind_all_nodes(nmbd_t)
|
|
corenet_udp_bind_nmbd_port(nmbd_t)
|
|
corenet_sendrecv_nmbd_server_packets(nmbd_t)
|
|
corenet_sendrecv_nmbd_client_packets(nmbd_t)
|
|
corenet_tcp_connect_smbd_port(nmbd_t)
|
|
|
|
dev_read_sysfs(nmbd_t)
|
|
dev_getattr_mtrr_dev(nmbd_t)
|
|
|
|
fs_getattr_all_fs(nmbd_t)
|
|
fs_search_auto_mountpoints(nmbd_t)
|
|
|
|
domain_use_interactive_fds(nmbd_t)
|
|
|
|
files_read_usr_files(nmbd_t)
|
|
files_read_etc_files(nmbd_t)
|
|
files_list_var_lib(nmbd_t)
|
|
|
|
libs_use_ld_so(nmbd_t)
|
|
libs_use_shared_libs(nmbd_t)
|
|
|
|
logging_search_logs(nmbd_t)
|
|
logging_send_syslog_msg(nmbd_t)
|
|
|
|
miscfiles_read_localization(nmbd_t)
|
|
|
|
sysnet_read_config(nmbd_t)
|
|
|
|
userdom_dontaudit_search_sysadm_home_dirs(nmbd_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
|
|
userdom_use_unpriv_users_fds(nmbd_t)
|
|
|
|
ifdef(`targeted_policy', `
|
|
files_dontaudit_read_root_files(nmbd_t)
|
|
term_dontaudit_use_generic_ptys(nmbd_t)
|
|
term_dontaudit_use_unallocated_ttys(nmbd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(nmbd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(nmbd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(nmbd_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# smbmount Local policy
|
|
#
|
|
|
|
allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary?
|
|
allow smbmount_t self:process { fork signal_perms };
|
|
allow smbmount_t self:tcp_socket create_stream_socket_perms;
|
|
allow smbmount_t self:udp_socket connect;
|
|
allow smbmount_t self:unix_dgram_socket create_socket_perms;
|
|
allow smbmount_t self:unix_stream_socket create_socket_perms;
|
|
|
|
allow smbmount_t samba_etc_t:dir list_dir_perms;
|
|
allow smbmount_t samba_etc_t:file read_file_perms;
|
|
|
|
can_exec(smbmount_t, smbmount_exec_t)
|
|
|
|
allow smbmount_t samba_log_t:dir list_dir_perms;
|
|
allow smbmount_t samba_log_t:file manage_file_perms;
|
|
|
|
allow smbmount_t samba_secrets_t:file manage_file_perms;
|
|
|
|
manage_files_pattern(smbmount_t,samba_var_t,samba_var_t)
|
|
manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
|
|
files_list_var_lib(smbmount_t)
|
|
|
|
kernel_read_system_state(smbmount_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(smbmount_t)
|
|
corenet_all_recvfrom_netlabel(smbmount_t)
|
|
corenet_tcp_sendrecv_all_if(smbmount_t)
|
|
corenet_raw_sendrecv_all_if(smbmount_t)
|
|
corenet_udp_sendrecv_all_if(smbmount_t)
|
|
corenet_tcp_sendrecv_all_nodes(smbmount_t)
|
|
corenet_raw_sendrecv_all_nodes(smbmount_t)
|
|
corenet_udp_sendrecv_all_nodes(smbmount_t)
|
|
corenet_tcp_sendrecv_all_ports(smbmount_t)
|
|
corenet_udp_sendrecv_all_ports(smbmount_t)
|
|
corenet_tcp_bind_all_nodes(smbmount_t)
|
|
corenet_udp_bind_all_nodes(smbmount_t)
|
|
corenet_tcp_connect_all_ports(smbmount_t)
|
|
|
|
fs_getattr_cifs(smbmount_t)
|
|
fs_mount_cifs(smbmount_t)
|
|
fs_remount_cifs(smbmount_t)
|
|
fs_unmount_cifs(smbmount_t)
|
|
fs_list_cifs(smbmount_t)
|
|
fs_read_cifs_files(smbmount_t)
|
|
|
|
storage_raw_read_fixed_disk(smbmount_t)
|
|
storage_raw_write_fixed_disk(smbmount_t)
|
|
|
|
term_list_ptys(smbmount_t)
|
|
term_use_controlling_term(smbmount_t)
|
|
|
|
corecmd_list_bin(smbmount_t)
|
|
|
|
files_list_mnt(smbmount_t)
|
|
files_mounton_mnt(smbmount_t)
|
|
files_manage_etc_runtime_files(smbmount_t)
|
|
files_etc_filetrans_etc_runtime(smbmount_t,file)
|
|
files_read_etc_files(smbmount_t)
|
|
|
|
miscfiles_read_localization(smbmount_t)
|
|
|
|
mount_use_fds(smbmount_t)
|
|
|
|
libs_use_ld_so(smbmount_t)
|
|
libs_use_shared_libs(smbmount_t)
|
|
|
|
locallogin_use_fds(smbmount_t)
|
|
|
|
logging_search_logs(smbmount_t)
|
|
|
|
sysnet_read_config(smbmount_t)
|
|
|
|
userdom_use_all_users_fds(smbmount_t)
|
|
userdom_use_sysadm_ttys(smbmount_t)
|
|
|
|
optional_policy(`
|
|
cups_read_rw_config(smbd_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(smbmount_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(smbmount_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# SWAT Local policy
|
|
#
|
|
|
|
allow swat_t self:capability { setuid setgid };
|
|
allow swat_t self:process signal_perms;
|
|
allow swat_t self:fifo_file rw_file_perms;
|
|
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
|
|
allow swat_t self:tcp_socket create_stream_socket_perms;
|
|
allow swat_t self:udp_socket create_socket_perms;
|
|
allow swat_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
allow swat_t nmbd_exec_t:file { execute read };
|
|
|
|
rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
|
|
|
|
append_files_pattern(swat_t,samba_log_t,samba_log_t)
|
|
|
|
allow swat_t smbd_exec_t:file execute ;
|
|
|
|
allow swat_t smbd_t:process signull;
|
|
|
|
allow swat_t smbd_var_run_t:file read;
|
|
|
|
manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
|
|
manage_files_pattern(swat_t,swat_tmp_t,swat_tmp_t)
|
|
files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
|
|
files_pid_filetrans(swat_t,swat_var_run_t,file)
|
|
|
|
allow swat_t winbind_exec_t:file execute;
|
|
|
|
kernel_read_kernel_sysctls(swat_t)
|
|
kernel_read_system_state(swat_t)
|
|
kernel_read_network_state(swat_t)
|
|
|
|
corecmd_search_bin(swat_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(swat_t)
|
|
corenet_all_recvfrom_netlabel(swat_t)
|
|
corenet_tcp_sendrecv_generic_if(swat_t)
|
|
corenet_udp_sendrecv_generic_if(swat_t)
|
|
corenet_raw_sendrecv_generic_if(swat_t)
|
|
corenet_tcp_sendrecv_all_nodes(swat_t)
|
|
corenet_udp_sendrecv_all_nodes(swat_t)
|
|
corenet_raw_sendrecv_all_nodes(swat_t)
|
|
corenet_tcp_sendrecv_all_ports(swat_t)
|
|
corenet_udp_sendrecv_all_ports(swat_t)
|
|
corenet_tcp_connect_smbd_port(swat_t)
|
|
corenet_tcp_connect_ipp_port(swat_t)
|
|
corenet_sendrecv_smbd_client_packets(swat_t)
|
|
corenet_sendrecv_ipp_client_packets(swat_t)
|
|
|
|
dev_read_urand(swat_t)
|
|
|
|
files_read_etc_files(swat_t)
|
|
files_search_home(swat_t)
|
|
files_read_usr_files(swat_t)
|
|
fs_getattr_xattr_fs(swat_t)
|
|
|
|
auth_domtrans_chk_passwd(swat_t)
|
|
|
|
libs_use_ld_so(swat_t)
|
|
libs_use_shared_libs(swat_t)
|
|
|
|
logging_send_syslog_msg(swat_t)
|
|
logging_search_logs(swat_t)
|
|
|
|
miscfiles_read_localization(swat_t)
|
|
|
|
sysnet_read_config(swat_t)
|
|
|
|
optional_policy(`
|
|
cups_read_rw_config(swat_t)
|
|
cups_stream_connect(swat_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
inetd_service_domain(swat_t,swat_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_use(swat_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(swat_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(swat_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Winbind local policy
|
|
#
|
|
|
|
|
|
allow winbind_t self:capability { dac_override ipc_lock setuid };
|
|
dontaudit winbind_t self:capability sys_tty_config;
|
|
allow winbind_t self:process signal_perms;
|
|
allow winbind_t self:fifo_file { read write };
|
|
allow winbind_t self:unix_dgram_socket create_socket_perms;
|
|
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
|
|
allow winbind_t self:tcp_socket create_stream_socket_perms;
|
|
allow winbind_t self:udp_socket create_socket_perms;
|
|
|
|
allow winbind_t nmbd_t:process { signal signull };
|
|
|
|
allow winbind_t nmbd_var_run_t:file read_file_perms;
|
|
|
|
allow winbind_t samba_etc_t:dir list_dir_perms;
|
|
read_files_pattern(winbind_t,samba_etc_t,samba_etc_t)
|
|
read_lnk_files_pattern(winbind_t,samba_etc_t,samba_etc_t)
|
|
|
|
manage_files_pattern(winbind_t,samba_etc_t,samba_secrets_t)
|
|
filetrans_pattern(winbind_t,samba_etc_t,samba_secrets_t,file)
|
|
|
|
manage_dirs_pattern(winbind_t,samba_log_t,samba_log_t)
|
|
manage_files_pattern(winbind_t,samba_log_t,samba_log_t)
|
|
manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t)
|
|
|
|
manage_dirs_pattern(winbind_t,samba_var_t,samba_var_t)
|
|
manage_files_pattern(winbind_t,samba_var_t,samba_var_t)
|
|
manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t)
|
|
files_list_var_lib(winbind_t)
|
|
|
|
rw_files_pattern(winbind_t,smbd_tmp_t,smbd_tmp_t)
|
|
|
|
allow winbind_t winbind_log_t:file manage_file_perms;
|
|
logging_log_filetrans(winbind_t,winbind_log_t,file)
|
|
|
|
manage_dirs_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
|
|
manage_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
|
|
files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
|
|
|
|
manage_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
|
|
manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
|
|
files_pid_filetrans(winbind_t,winbind_var_run_t,file)
|
|
|
|
kernel_read_kernel_sysctls(winbind_t)
|
|
kernel_list_proc(winbind_t)
|
|
kernel_read_proc_symlinks(winbind_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(winbind_t)
|
|
corenet_all_recvfrom_netlabel(winbind_t)
|
|
corenet_tcp_sendrecv_all_if(winbind_t)
|
|
corenet_udp_sendrecv_all_if(winbind_t)
|
|
corenet_raw_sendrecv_all_if(winbind_t)
|
|
corenet_tcp_sendrecv_all_nodes(winbind_t)
|
|
corenet_udp_sendrecv_all_nodes(winbind_t)
|
|
corenet_raw_sendrecv_all_nodes(winbind_t)
|
|
corenet_tcp_sendrecv_all_ports(winbind_t)
|
|
corenet_udp_sendrecv_all_ports(winbind_t)
|
|
corenet_tcp_bind_all_nodes(winbind_t)
|
|
corenet_udp_bind_all_nodes(winbind_t)
|
|
corenet_tcp_connect_smbd_port(winbind_t)
|
|
|
|
dev_read_sysfs(winbind_t)
|
|
dev_read_urand(winbind_t)
|
|
|
|
fs_getattr_all_fs(winbind_t)
|
|
fs_search_auto_mountpoints(winbind_t)
|
|
|
|
auth_domtrans_chk_passwd(winbind_t)
|
|
|
|
domain_use_interactive_fds(winbind_t)
|
|
|
|
files_read_etc_files(winbind_t)
|
|
|
|
libs_use_ld_so(winbind_t)
|
|
libs_use_shared_libs(winbind_t)
|
|
|
|
logging_send_syslog_msg(winbind_t)
|
|
|
|
miscfiles_read_localization(winbind_t)
|
|
|
|
sysnet_read_config(winbind_t)
|
|
sysnet_dns_name_resolve(winbind_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
|
|
userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
|
|
userdom_priveleged_home_dir_manager(winbind_t)
|
|
|
|
ifdef(`targeted_policy', `
|
|
term_dontaudit_use_unallocated_ttys(winbind_t)
|
|
term_dontaudit_use_generic_ptys(winbind_t)
|
|
files_dontaudit_read_root_files(winbind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_use(winbind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(winbind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(winbind_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(winbind_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Winbind helper local policy
|
|
#
|
|
|
|
allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
|
|
allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
allow winbind_helper_t samba_etc_t:dir list_dir_perms;
|
|
read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
|
|
read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
|
|
|
|
allow winbind_helper_t samba_var_t:dir search;
|
|
files_list_var_lib(winbind_helper_t)
|
|
|
|
stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
|
|
|
|
term_list_ptys(winbind_helper_t)
|
|
|
|
domain_use_interactive_fds(winbind_helper_t)
|
|
|
|
libs_use_ld_so(winbind_helper_t)
|
|
libs_use_shared_libs(winbind_helper_t)
|
|
|
|
logging_send_syslog_msg(winbind_helper_t)
|
|
|
|
miscfiles_read_localization(winbind_helper_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
term_use_generic_ptys(winbind_helper_t)
|
|
term_use_unallocated_ttys(winbind_helper_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nscd_socket_use(winbind_helper_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
squid_read_log(winbind_helper_t)
|
|
squid_append_log(winbind_helper_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# samba_unconfined_script_t local policy
|
|
#
|
|
|
|
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
|
|
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
|
|
|
|
unconfined_domain(samba_unconfined_script_t)
|
|
|
|
tunable_policy(`samba_run_unconfined',`
|
|
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
|
|
')
|