Chris PeBenito 31b7c0
#DESC SAMBA - SMB file server
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Author: Ryan Bergauer (bergauer@rice.edu)
Chris PeBenito 31b7c0
# X-Debian-Packages: samba
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
#################################
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Declarations for Samba
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
Chris PeBenito 31b7c0
daemon_domain(nmbd)
Chris PeBenito 31b7c0
type samba_etc_t, file_type, sysadmfile, usercanread;
Chris PeBenito 31b7c0
type samba_log_t, file_type, sysadmfile, logfile;
Chris PeBenito 31b7c0
type samba_var_t, file_type, sysadmfile;
Chris PeBenito 31b7c0
type samba_share_t, file_type, sysadmfile, customizable;
Chris PeBenito 31b7c0
type samba_secrets_t, file_type, sysadmfile;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# for /var/run/samba/messages.tdb
Chris PeBenito 31b7c0
allow smbd_t nmbd_var_run_t:file rw_file_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow smbd_t self:process setrlimit;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# not sure why it needs this
Chris PeBenito 31b7c0
tmp_domain(smbd)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Allow samba to search mnt_t for potential mounted dirs
Chris PeBenito 31b7c0
allow smbd_t mnt_t:dir r_dir_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
ifdef(`crond.te', `
Chris PeBenito 31b7c0
allow system_crond_t samba_etc_t:file { read getattr lock };
Chris PeBenito 31b7c0
allow system_crond_t samba_log_t:file { read getattr lock };
Chris PeBenito 31b7c0
#allow system_crond_t samba_secrets_t:file { read getattr lock };
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
#################################
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Rules for the smbd_t domain.
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Permissions normally found in every_domain.
Chris PeBenito 31b7c0
general_domain_access(smbd_t)
Chris PeBenito 31b7c0
general_proc_read_access(smbd_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow smbd_t smbd_port_t:tcp_socket name_bind;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Use capabilities.
Chris PeBenito 31b7c0
allow smbd_t self:capability { fowner setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Use the network.
Chris PeBenito 31b7c0
can_network(smbd_t)
Chris PeBenito 31b7c0
nsswitch_domain(smbd_t)
Chris PeBenito 31b7c0
can_kerberos(smbd_t)
Chris PeBenito 31b7c0
allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow smbd_t urandom_device_t:chr_file { getattr read };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Permissions for Samba files in /etc/samba
Chris PeBenito 31b7c0
# either allow read access to the directory or allow the auto_trans rule to
Chris PeBenito 31b7c0
# allow creation of the secrets.tdb file and the MACHINE.SID file
Chris PeBenito 31b7c0
#allow smbd_t samba_etc_t:dir { search getattr };
Chris PeBenito 31b7c0
file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
Chris PeBenito 31b7c0
allow smbd_t var_lib_t:dir search;
Chris PeBenito 31b7c0
create_dir_file(smbd_t, samba_var_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Needed for shared printers
Chris PeBenito 31b7c0
allow smbd_t var_spool_t:dir search;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Permissions to write log files.
Chris PeBenito 31b7c0
allow smbd_t samba_log_t:file { create ra_file_perms };
Chris PeBenito 31b7c0
allow smbd_t var_log_t:dir search;
Chris PeBenito 31b7c0
allow smbd_t samba_log_t:dir ra_dir_perms;
Chris PeBenito 31b7c0
dontaudit smbd_t samba_log_t:dir remove_name;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
ifdef(`hide_broken_symptoms', `
Chris PeBenito 31b7c0
dontaudit smbd_t { usbfs_t security_t devpts_t boot_t default_t tmpfs_t }:dir getattr;
Chris PeBenito 31b7c0
dontaudit smbd_t devpts_t:dir getattr;
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0
allow smbd_t fs_t:filesystem quotaget;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow smbd_t usr_t:file { getattr read };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Access Samba shares.
Chris PeBenito 31b7c0
create_dir_file(smbd_t, samba_share_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
anonymous_domain(smbd)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
ifdef(`logrotate.te', `
Chris PeBenito 31b7c0
# the application should be changed
Chris PeBenito 31b7c0
can_exec(logrotate_t, samba_log_t)
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0
#################################
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Rules for the nmbd_t domain.
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Permissions normally found in every_domain.
Chris PeBenito 31b7c0
general_domain_access(nmbd_t)
Chris PeBenito 31b7c0
general_proc_read_access(nmbd_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow nmbd_t nmbd_port_t:udp_socket name_bind;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Use capabilities.
Chris PeBenito 31b7c0
allow nmbd_t self:capability net_bind_service;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Use the network.
Chris PeBenito 31b7c0
can_network_server(nmbd_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Permissions for Samba files in /etc/samba
Chris PeBenito 31b7c0
allow nmbd_t samba_etc_t:file { getattr read };
Chris PeBenito 31b7c0
allow nmbd_t samba_etc_t:dir { search getattr };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Permissions for Samba cache files in /var/cache/samba
Chris PeBenito 31b7c0
allow nmbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
Chris PeBenito 31b7c0
allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
allow nmbd_t usr_t:file { getattr read };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Permissions to write log files.
Chris PeBenito 31b7c0
allow nmbd_t samba_log_t:file { create ra_file_perms };
Chris PeBenito 31b7c0
allow nmbd_t var_log_t:dir search;
Chris PeBenito 31b7c0
allow nmbd_t samba_log_t:dir ra_dir_perms;
Chris PeBenito 31b7c0
allow nmbd_t etc_t:file { getattr read };
Chris PeBenito 31b7c0
ifdef(`cups.te', `
Chris PeBenito 31b7c0
allow smbd_t cupsd_rw_etc_t:file { getattr read };
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0
# Needed for winbindd
Chris PeBenito 31b7c0
allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Support Samba sharing of home directories
Chris PeBenito 31b7c0
bool samba_enable_home_dirs false;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
ifdef(`mount.te', `
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
# Domain for running smbmount
Chris PeBenito 31b7c0
#
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Derive from app. domain. Transition from mount.
Chris PeBenito 31b7c0
application_domain(smbmount, `, fs_domain, nscd_client_domain')
Chris PeBenito 31b7c0
domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Capabilities
Chris PeBenito 31b7c0
# FIXME: is all of this really necessary?
Chris PeBenito 31b7c0
allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Access samba config
Chris PeBenito 31b7c0
allow smbmount_t samba_etc_t:file r_file_perms;
Chris PeBenito 31b7c0
allow smbmount_t samba_etc_t:dir r_dir_perms;
Chris PeBenito 31b7c0
allow initrc_t samba_etc_t:file rw_file_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Write samba log
Chris PeBenito 31b7c0
allow smbmount_t samba_log_t:file create_file_perms;
Chris PeBenito 31b7c0
allow smbmount_t samba_log_t:dir r_dir_perms; 
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Write stuff in var
Chris PeBenito 31b7c0
allow smbmount_t var_log_t:dir r_dir_perms;
Chris PeBenito 31b7c0
rw_dir_create_file(smbmount_t, samba_var_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Access mtab
Chris PeBenito 31b7c0
file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Read nsswitch.conf
Chris PeBenito 31b7c0
allow smbmount_t etc_t:file r_file_perms;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Networking
Chris PeBenito 31b7c0
can_network(smbmount_t)
Chris PeBenito 31b7c0
allow smbmount_t port_type:tcp_socket name_connect;
Chris PeBenito 31b7c0
can_ypbind(smbmount_t)
Chris PeBenito 31b7c0
allow smbmount_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 31b7c0
allow smbmount_t self:unix_stream_socket create_socket_perms;
Chris PeBenito 31b7c0
allow kernel_t smbmount_t:tcp_socket { read write };
Chris PeBenito 31b7c0
allow userdomain smbmount_t:tcp_socket write;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Proc
Chris PeBenito 31b7c0
# FIXME: is this necessary?
Chris PeBenito 31b7c0
r_dir_file(smbmount_t, proc_t)
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Fork smbmnt 
Chris PeBenito 31b7c0
allow smbmount_t bin_t:dir r_dir_perms;
Chris PeBenito 31b7c0
can_exec(smbmount_t, smbmount_exec_t)
Chris PeBenito 31b7c0
allow smbmount_t self:process { fork signal_perms };
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Mount 
Chris PeBenito 31b7c0
allow smbmount_t cifs_t:filesystem mount_fs_perms;
Chris PeBenito 31b7c0
allow smbmount_t cifs_t:dir r_dir_perms;
Chris PeBenito 31b7c0
allow smbmount_t mnt_t:dir r_dir_perms;
Chris PeBenito 31b7c0
allow smbmount_t mnt_t:dir mounton;
Chris PeBenito 31b7c0
Chris PeBenito 31b7c0
# Terminal
Chris PeBenito 31b7c0
read_locale(smbmount_t) 
Chris PeBenito 31b7c0
access_terminal(smbmount_t, sysadm)
Chris PeBenito 31b7c0
allow smbmount_t userdomain:fd use;
Chris PeBenito 31b7c0
allow smbmount_t local_login_t:fd use;
Chris PeBenito 31b7c0
')
Chris PeBenito 31b7c0
# Derive from app. domain. Transition from mount.
Chris PeBenito 31b7c0
application_domain(samba_net, `, nscd_client_domain')
Chris PeBenito 31b7c0
role system_r types samba_net_t;
Chris PeBenito 31b7c0
in_user_role(samba_net_t)
Chris PeBenito 31b7c0
file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
Chris PeBenito 31b7c0
read_locale(samba_net_t) 
Chris PeBenito 31b7c0
allow samba_net_t samba_etc_t:file r_file_perms;
Chris PeBenito 31b7c0
r_dir_file(samba_net_t, samba_var_t)
Chris PeBenito 31b7c0
can_network_udp(samba_net_t)
Chris PeBenito 31b7c0
access_terminal(samba_net_t, sysadm)
Chris PeBenito 31b7c0
allow samba_net_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 31b7c0
allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 31b7c0
rw_dir_create_file(samba_net_t, samba_var_t)
Chris PeBenito 31b7c0
allow samba_net_t etc_t:file { getattr read };
Chris PeBenito 31b7c0
can_network_client(samba_net_t)
Chris PeBenito 31b7c0
allow samba_net_t smbd_port_t:tcp_socket name_connect;
Chris PeBenito 31b7c0
can_ldap(samba_net_t)
Chris PeBenito 31b7c0
can_kerberos(samba_net_t)
Chris PeBenito 31b7c0
allow samba_net_t urandom_device_t:chr_file r_file_perms;
Chris PeBenito 31b7c0
allow samba_net_t proc_t:dir search;
Chris PeBenito 31b7c0
allow samba_net_t proc_t:lnk_file read;
Chris PeBenito 31b7c0
allow samba_net_t self:dir search;
Chris PeBenito 31b7c0
allow samba_net_t self:file read;
Chris PeBenito 31b7c0
allow samba_net_t self:process signal;
Chris PeBenito 31b7c0
tmp_domain(samba_net)
Chris PeBenito 31b7c0
dontaudit samba_net_t sysadm_home_dir_t:dir search;
Chris PeBenito 31b7c0
allow samba_net_t privfd:fd use;