From 84c92239d4177e292ffc788fc7efbc5087d5acb8 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Sep 14 2005 18:33:53 +0000 Subject: add samba --- diff --git a/refpolicy/Changelog b/refpolicy/Changelog index ad14a2a..b63c5fe 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -2,6 +2,7 @@ - Added policies: ktalk portmap + samba zebra * Wed Sep 07 2005 Chris PeBenito - 20050907 diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te index c95e40f..0b9aeec 100644 --- a/refpolicy/policy/modules/admin/logrotate.te +++ b/refpolicy/policy/modules/admin/logrotate.te @@ -126,6 +126,10 @@ optional_policy(`hostname.te',` hostname_exec(logrotate_t) ') +optional_policy(`samba.te',` + samba_exec_log(logrotate_t) +') + optional_policy(`mysql.te',` mysql_read_config(logrotate_t) mysql_search_db_dir(logrotate_t) diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if index cd29096..6a57c88 100644 --- a/refpolicy/policy/modules/kernel/filesystem.if +++ b/refpolicy/policy/modules/kernel/filesystem.if @@ -456,6 +456,24 @@ interface(`fs_search_cifs',` ######################################## ## +## List the contents of directories on a +## CIFS or SMB filesystem. +## +## +## The type of the domain reading the files. +## +# +interface(`fs_list_cifs',` + gen_require(` + type cifs_t; + class dir r_dir_perms; + ') + + allow $1 cifs_t:dir r_dir_perms; +') + +######################################## +## ## Read files on a CIFS or SMB filesystem. ## ## diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te index d18945d..998f73c 100644 --- a/refpolicy/policy/modules/services/cron.te +++ b/refpolicy/policy/modules/services/cron.te @@ -329,6 +329,12 @@ optional_policy(`nscd.te',` nscd_use_socket(system_crond_t) ') +optional_policy(`samba.te',` + samba_read_config(system_crond_t) + samba_read_log(system_crond_t) + #samba_read_secrets(system_crond_t) +') + optional_policy(`squid.te',` # cjp: why? squid_domtrans(system_crond_t) diff --git a/refpolicy/policy/modules/services/samba.fc b/refpolicy/policy/modules/services/samba.fc new file mode 100644 index 0000000..a4c187a --- /dev/null +++ b/refpolicy/policy/modules/services/samba.fc @@ -0,0 +1,39 @@ + +# +# /etc +# +/etc/samba/MACHINE\.SID -- context_template(system_u:object_r:samba_secrets_t,s0) +/etc/samba/secrets\.tdb -- context_template(system_u:object_r:samba_secrets_t,s0) +/etc/samba/smbpasswd -- context_template(system_u:object_r:samba_secrets_t,s0) +/etc/samba(/.*)? context_template(system_u:object_r:samba_etc_t,s0) + +# +# /usr +# +/usr/bin/net -- context_template(system_u:object_r:samba_net_exec_t,s0) +/usr/bin/smbmount -- context_template(system_u:object_r:smbmount_exec_t,s0) +/usr/bin/smbmnt -- context_template(system_u:object_r:smbmount_exec_t,s0) + +/usr/sbin/nmbd -- context_template(system_u:object_r:nmbd_exec_t,s0) +/usr/sbin/smbd -- context_template(system_u:object_r:smbd_exec_t,s0) + +# +# /var +# +/var/cache/samba(/.*)? context_template(system_u:object_r:samba_var_t,s0) + +/var/lib/samba(/.*)? context_template(system_u:object_r:samba_var_t,s0) + +/var/log/samba(/.*)? context_template(system_u:object_r:samba_log_t,s0) + +/var/run/samba/brlock\.tdb -- context_template(system_u:object_r:smbd_var_run_t,s0) +/var/run/samba/connections\.tdb -- context_template(system_u:object_r:smbd_var_run_t,s0) +/var/run/samba/locking\.tdb -- context_template(system_u:object_r:smbd_var_run_t,s0) +/var/run/samba/messages\.tdb -- context_template(system_u:object_r:nmbd_var_run_t,s0) +/var/run/samba/namelist\.debug -- context_template(system_u:object_r:nmbd_var_run_t,s0) +/var/run/samba/nmbd\.pid -- context_template(system_u:object_r:nmbd_var_run_t,s0) +/var/run/samba/sessionid\.tdb -- context_template(system_u:object_r:smbd_var_run_t,s0) +/var/run/samba/smbd\.pid -- context_template(system_u:object_r:smbd_var_run_t,s0) +/var/run/samba/unexpected\.tdb -- context_template(system_u:object_r:nmbd_var_run_t,s0) + +/var/spool/samba(/.*)? context_template(system_u:object_r:samba_var_t,s0) diff --git a/refpolicy/policy/modules/services/samba.if b/refpolicy/policy/modules/services/samba.if new file mode 100644 index 0000000..da8ca03 --- /dev/null +++ b/refpolicy/policy/modules/services/samba.if @@ -0,0 +1,243 @@ +## SMB and CIFS client/server programs for UNIX + +####################################### +## +## The per user domain template for the samba module. +## +## +##

+## This template allows smbd to manage files in +## a user home directory, creating files with the +## correct type. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## The type of the user domain. +## +## +## The role associated with the user domain. +## +# +template(`samba_per_userdomain_template',` + optional_policy(` + gen_require(` + type smbd_t; + ') + + userdom_manage_user_home_subdir_files($1,smbd_t) + userdom_manage_user_home_subdir_symlinks($1,smbd_t) + userdom_manage_user_home_subdir_sockets($1,smbd_t) + userdom_manage_user_home_subdir_pipes($1,smbd_t) + userdom_create_user_home($1,smbd_t,{ dir file lnk_file sock_file fifo_file }) + ') +') + +######################################## +## +## Execute samba net in the samba_net domain. +## +## +## The type of the process performing this action. +## +# +interface(`samba_domtrans_net',` + gen_require(` + type samba_net_t, samba_net_exec_t; + class process sigchld; + class fd use; + class fifo_file rw_file_perms; + ') + + corecmd_search_bin($1) + domain_auto_trans($1,samba_net_exec_t,samba_net_t) + + allow $1 samba_net_t:fd use; + allow samba_net_t $1:fd use; + allow samba_net_t $1:fifo_file rw_file_perms; + allow samba_net_t $1:process sigchld; +') + +######################################## +## +## Execute samba net in the samba_net domain, and +## allow the specified role the samba_net domain. +## +## +## The type of the process performing this action. +## +## +## The role to be allowed the samba_net domain. +## +## +## The type of the terminal allow the samba_net domain to use. +## +# +interface(`samba_run_net',` + gen_require(` + type samba_net_t; + class chr_file rw_term_perms; + ') + + samba_domtrans_net($1) + role $2 types samba_net_t; + allow samba_net_t $3:chr_file rw_term_perms; +') + +######################################## +## +## Execute smbmount in the smbmount domain. +## +## +## The type of the process performing this action. +## +# +interface(`samba_domtrans_smbmount',` + gen_require(` + type smbmount_t, smbmount_exec_t; + class process sigchld; + class fd use; + class fifo_file rw_file_perms; + ') + + corecmd_search_bin($1) + domain_auto_trans($1,smbmount_exec_t,smbmount_t) + + allow $1 smbmount_t:fd use; + allow smbmount_t $1:fd use; + allow smbmount_t $1:fifo_file rw_file_perms; + allow smbmount_t $1:process sigchld; +') + +######################################## +## +## Allow the specified domain to read +## samba configuration files. +## +## +## Domain allowed access. +## +# +interface(`samba_read_config',` + gen_require(` + type samba_etc_t; + class file { read getattr lock }; + ') + + files_search_etc($1) + allow $1 samba_etc_t:file { read getattr lock }; +') + +######################################## +## +## Allow the specified domain to read +## and write samba configuration files. +## +## +## Domain allowed access. +## +# +interface(`samba_rw_config',` + gen_require(` + type samba_etc_t; + class file rw_file_perms; + ') + + files_search_etc($1) + allow $1 samba_etc_t:file rw_file_perms; +') + +######################################## +## +## Allow the specified domain to read samba's log files. +## +## +## Domain allowed access. +## +# +interface(`samba_read_log',` + gen_require(` + type samba_log_t; + class file { read getattr lock }; + ') + + logging_search_logs($1) + allow $1 samba_log_t:file { read getattr lock }; +') + +######################################## +## +## Execute samba log in the caller domain. +## +## +## The type of the process performing this action. +## +# +interface(`samba_exec_log',` + gen_require(` + type samba_log_t; + ') + + logging_search_logs($1) + can_exec($1,samba_log_t) +') + +######################################## +## +## Allow the specified domain to read samba's secrets. +## +## +## Domain allowed access. +## +# +interface(`samba_read_secrets',` + gen_require(` + type samba_secrets_t; + class file { read getattr lock }; + ') + + files_search_etc($1) + allow $1 samba_secrets_t:file { read getattr lock }; +') + +######################################## +## +## Allow the specified domain to write to smbmount tcp sockets. +## +## +## Domain allowed access. +## +# +interface(`samba_write_smbmount_tcp_socket',` + gen_require(` + type smbmount_t; + class tcp_socket write; + ') + + allow $1 smbmount_t:tcp_socket write; +') + +######################################## +## +## Allow the specified domain to read and write to smbmount tcp sockets. +## +## +## Domain allowed access. +## +# +interface(`samba_rw_smbmount_tcp_socket',` + gen_require(` + type smbmount_t; + class tcp_socket { read write }; + ') + + allow $1 smbmount_t:tcp_socket { read write }; +') diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te new file mode 100644 index 0000000..c56c5a3 --- /dev/null +++ b/refpolicy/policy/modules/services/samba.te @@ -0,0 +1,467 @@ + +policy_module(samba,1.0) + +################################# +# +# Declarations +# + +type nmbd_t; +type nmbd_exec_t; +init_daemon_domain(nmbd_t,nmbd_exec_t) + +type nmbd_var_run_t; +files_pid_file(nmbd_var_run_t) + +type samba_etc_t; #, usercanread; +files_type(samba_etc_t) + +type samba_log_t, logfile; +files_type(samba_log_t) + +type samba_net_t; +domain_type(samba_net_t) + +type samba_net_exec_t; +domain_entry_file(samba_net_t,samba_net_exec_t) + +type samba_net_tmp_t; +files_tmp_file(samba_net_tmp_t) + +type samba_secrets_t; +files_type(samba_secrets_t) + +type samba_share_t; #, customizable; +files_type(samba_share_t) + +type samba_var_t; +files_type(samba_var_t) + +type smbd_t; +type smbd_exec_t; +init_daemon_domain(smbd_t,smbd_exec_t) + +type smbd_tmp_t; +files_tmp_file(smbd_tmp_t) + +type smbd_var_run_t; +files_pid_file(smbd_var_run_t) + +type smbmount_t; +domain_type(smbmount_t) + +type smbmount_exec_t; +domain_entry_file(smbmount_t,smbmount_exec_t) + +######################################## +# +# Samba net local policy +# + +allow samba_net_t self:unix_dgram_socket create_socket_perms; +allow samba_net_t self:unix_stream_socket create_stream_socket_perms; +allow samba_net_t self:udp_socket create_socket_perms; +allow samba_net_t self:tcp_socket create_socket_perms; + +allow samba_net_t samba_etc_t:file r_file_perms; + +allow samba_net_t samba_secrets_t:file create_file_perms; +allow samba_net_t samba_etc_t:dir rw_dir_perms; +type_transition samba_net_t samba_etc_t:file samba_secrets_t; + +allow samba_net_t samba_net_tmp_t:dir create_dir_perms; +allow samba_net_t samba_net_tmp_t:file create_file_perms; +files_create_tmp_files(samba_net_t, samba_net_tmp_t, { file dir }) + +allow samba_net_t samba_var_t:dir rw_dir_perms; +allow samba_net_t samba_var_t:lnk_file create_lnk_perms; +allow samba_net_t samba_var_t:file create_lnk_perms; + +kernel_read_proc_symlinks(samba_net_t) + +corenet_tcp_sendrecv_all_if(samba_net_t) +corenet_udp_sendrecv_all_if(samba_net_t) +corenet_raw_sendrecv_all_if(samba_net_t) +corenet_tcp_sendrecv_all_nodes(samba_net_t) +corenet_udp_sendrecv_all_nodes(samba_net_t) +corenet_raw_sendrecv_all_nodes(samba_net_t) +corenet_tcp_sendrecv_all_ports(samba_net_t) +corenet_udp_sendrecv_all_ports(samba_net_t) +corenet_tcp_bind_all_nodes(samba_net_t) +corenet_udp_bind_all_nodes(samba_net_t) +corenet_tcp_connect_smbd_port(samba_net_t) + +dev_read_urand(samba_net_t) + +domain_use_wide_inherit_fd(samba_net_t) + +files_read_etc_files(samba_net_t) + +libs_use_ld_so(samba_net_t) +libs_use_shared_libs(samba_net_t) + +miscfiles_read_localization(samba_net_t) + +sysnet_read_config(samba_net_t) + +userdom_dontaudit_search_sysadm_home_dir(samba_net_t) + +optional_policy(`kerberos.te',` + kerberos_use(samba_net_t) +') + +optional_policy(`ldap.te',` + allow samba_net_t self:tcp_socket create_socket_perms; + corenet_tcp_sendrecv_all_if(samba_net_t) + corenet_raw_sendrecv_all_if(samba_net_t) + corenet_tcp_sendrecv_all_nodes(samba_net_t) + corenet_raw_sendrecv_all_nodes(samba_net_t) + corenet_tcp_sendrecv_ldap_port(samba_net_t) + corenet_tcp_bind_all_nodes(samba_net_t) + sysnet_read_config(samba_net_t) +') + +optional_policy(`nscd.te',` + nscd_use_socket(samba_net_t) +') + +######################################## +# +# smbd Local policy +# +allow smbd_t self:capability { setgid setuid sys_resource lease dac_override dac_read_search }; +dontaudit smbd_t self:capability sys_tty_config; +allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow smbd_t self:fd use; +allow smbd_t self:fifo_file rw_file_perms; +allow smbd_t self:msg { send receive }; +allow smbd_t self:msgq create_msgq_perms; +allow smbd_t self:sem create_sem_perms; +allow smbd_t self:shm create_shm_perms; +allow smbd_t self:sock_file r_file_perms; +allow smbd_t self:tcp_socket create_stream_socket_perms; +allow smbd_t self:udp_socket create_socket_perms; +allow smbd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +allow smbd_t samba_etc_t:dir rw_dir_perms; +allow smbd_t samba_etc_t:file r_file_perms; + +allow smbd_t samba_log_t:dir ra_dir_perms; +dontaudit smbd_t samba_log_t:dir remove_name; +allow smbd_t samba_log_t:file { create ra_file_perms }; + +allow smbd_t samba_secrets_t:dir rw_dir_perms; +allow smbd_t samba_secrets_t:file create_file_perms; +type_transition smbd_t samba_etc_t:file samba_secrets_t; + +allow smbd_t samba_share_t:dir create_dir_perms; +allow smbd_t samba_share_t:file create_file_perms; +allow smbd_t samba_share_t:lnk_file create_lnk_perms; + +allow smbd_t samba_var_t:dir create_dir_perms; +allow smbd_t samba_var_t:file create_file_perms; +allow smbd_t samba_var_t:lnk_file create_lnk_perms; +allow smbd_t samba_var_t:sock_file create_file_perms; + +allow smbd_t smbd_tmp_t:dir create_dir_perms; +allow smbd_t smbd_tmp_t:file create_file_perms; +files_create_tmp_files(smbd_t, smbd_tmp_t, { file dir }) + +allow smbd_t nmbd_var_run_t:file rw_file_perms; + +allow smbd_t smbd_var_run_t:dir create_dir_perms; +allow smbd_t smbd_var_run_t:file create_file_perms; +allow smbd_t smbd_var_run_t:sock_file create_file_perms; +files_create_pid(smbd_t,smbd_var_run_t) + +kernel_getattr_core(smbd_t) +kernel_getattr_message_if(smbd_t) +kernel_read_network_state(smbd_t) +kernel_read_kernel_sysctl(smbd_t) +kernel_read_software_raid_state(smbd_t) +kernel_read_system_state(smbd_t) + +corenet_tcp_sendrecv_all_if(smbd_t) +corenet_udp_sendrecv_all_if(smbd_t) +corenet_raw_sendrecv_all_if(smbd_t) +corenet_tcp_sendrecv_all_nodes(smbd_t) +corenet_udp_sendrecv_all_nodes(smbd_t) +corenet_raw_sendrecv_all_nodes(smbd_t) +corenet_tcp_sendrecv_all_ports(smbd_t) +corenet_udp_sendrecv_all_ports(smbd_t) +corenet_tcp_bind_all_nodes(smbd_t) +corenet_udp_bind_all_nodes(smbd_t) +corenet_tcp_bind_smbd_port(smbd_t) +corenet_tcp_connect_ipp_port(smbd_t) + +dev_read_sysfs(smbd_t) +dev_read_urand(smbd_t) + +fs_getattr_all_fs(smbd_t) +fs_search_auto_mountpoints(smbd_t) + +term_dontaudit_use_console(smbd_t) + +auth_domtrans_chk_passwd(smbd_t) + +domain_use_wide_inherit_fd(smbd_t) + +files_list_var_lib(smbd_t) +files_read_etc_files(smbd_t) +files_read_etc_runtime_files(smbd_t) +files_read_usr_files(smbd_t) +files_search_spool(smbd_t) + +init_use_fd(smbd_t) +init_use_script_pty(smbd_t) + +libs_use_ld_so(smbd_t) +libs_use_shared_libs(smbd_t) + +logging_search_logs(smbd_t) +logging_send_syslog_msg(smbd_t) + +miscfiles_read_localization(smbd_t) + +mount_send_nfs_client_request(smbd_t) + +sysnet_read_config(smbd_t) + +userdom_dontaudit_search_sysadm_home_dir(smbd_t) +userdom_dontaudit_use_unpriv_user_fd(smbd_t) +userdom_use_unpriv_users_fd(smbd_t) + +ifdef(`targeted_policy', ` + files_dontaudit_read_root_file(smbd_t) + term_dontaudit_use_generic_pty(smbd_t) + term_dontaudit_use_unallocated_tty(smbd_t) +') + +optional_policy(`kerberos.te',` + kerberos_use(smbd_t) +') + +optional_policy(`ldap.te',` + allow smbd_t self:tcp_socket create_socket_perms; + corenet_tcp_sendrecv_all_if(smbd_t) + corenet_raw_sendrecv_all_if(smbd_t) + corenet_tcp_sendrecv_all_nodes(smbd_t) + corenet_raw_sendrecv_all_nodes(smbd_t) + corenet_tcp_sendrecv_ldap_port(smbd_t) + corenet_tcp_bind_all_nodes(smbd_t) + sysnet_read_config(smbd_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(smbd_t) +') + +optional_policy(`nscd.te',` + nscd_use_socket(smbd_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(smbd_t) +') + +optional_policy(`udev.te', ` + udev_read_db(smbd_t) +') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(smbd_t) +') +can_winbind(smbd_t) +') + +######################################## +# +# nmbd Local policy +# +dontaudit nmbd_t self:capability sys_tty_config; +allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow nmbd_t self:fd use; +allow nmbd_t self:fifo_file rw_file_perms; +allow nmbd_t self:msg { send receive }; +allow nmbd_t self:msgq create_msgq_perms; +allow nmbd_t self:sem create_sem_perms; +allow nmbd_t self:shm create_shm_perms; +allow nmbd_t self:sock_file r_file_perms; +allow nmbd_t self:tcp_socket create_stream_socket_perms; +allow nmbd_t self:udp_socket create_socket_perms; +allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto }; + +allow nmbd_t nmbd_var_run_t:file create_file_perms; +files_create_pid(nmbd_t,nmbd_var_run_t) + +allow nmbd_t samba_etc_t:dir { search getattr }; +allow nmbd_t samba_etc_t:file { getattr read }; + +allow nmbd_t samba_log_t:dir ra_dir_perms; +allow nmbd_t samba_log_t:file { create ra_file_perms }; + +allow nmbd_t samba_var_t:dir rw_dir_perms; +allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename }; + +allow nmbd_t smbd_var_run_t:dir rw_dir_perms; + +kernel_getattr_core(nmbd_t) +kernel_getattr_message_if(nmbd_t) +kernel_read_kernel_sysctl(nmbd_t) +kernel_read_network_state(nmbd_t) +kernel_read_software_raid_state(nmbd_t) +kernel_read_system_state(nmbd_t) + +corenet_tcp_sendrecv_all_if(nmbd_t) +corenet_raw_sendrecv_all_if(nmbd_t) +corenet_tcp_sendrecv_all_nodes(nmbd_t) +corenet_raw_sendrecv_all_nodes(nmbd_t) +corenet_tcp_sendrecv_all_ports(nmbd_t) +corenet_tcp_bind_all_nodes(nmbd_t) +corenet_udp_bind_nmbd_port(nmbd_t) + +dev_read_sysfs(nmbd_t) + +fs_getattr_all_fs(nmbd_t) +fs_search_auto_mountpoints(nmbd_t) + +term_dontaudit_use_console(nmbd_t) + +domain_use_wide_inherit_fd(nmbd_t) + +files_read_usr_files(nmbd_t) +files_read_etc_files(nmbd_t) + +init_use_fd(nmbd_t) +init_use_script_pty(nmbd_t) + +libs_use_ld_so(nmbd_t) +libs_use_shared_libs(nmbd_t) + +logging_search_logs(nmbd_t) +logging_send_syslog_msg(nmbd_t) + +miscfiles_read_localization(nmbd_t) + +sysnet_read_config(nmbd_t) + +userdom_dontaudit_search_sysadm_home_dir(nmbd_t) +userdom_dontaudit_use_unpriv_user_fd(nmbd_t) +userdom_use_unpriv_users_fd(nmbd_t) + +ifdef(`targeted_policy', ` + files_dontaudit_read_root_file(nmbd_t) + term_dontaudit_use_generic_pty(nmbd_t) + term_dontaudit_use_unallocated_tty(nmbd_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(nmbd_t) +') + +optional_policy(`selinuxutil.te',` + seutil_sigchld_newrole(nmbd_t) +') + +optional_policy(`udev.te', ` + udev_read_db(nmbd_t) +') + +ifdef(`TODO',` +optional_policy(`rhgb.te',` + rhgb_domain(nmbd_t) +') +') + +######################################## +# +# smbmount Local policy +# +allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary? +allow smbmount_t self:process { fork signal_perms }; +allow smbmount_t self:tcp_socket create_stream_socket_perms; +allow smbmount_t self:udp_socket connect; +allow smbmount_t self:unix_dgram_socket create_socket_perms; +allow smbmount_t self:unix_stream_socket create_socket_perms; + +allow smbmount_t samba_etc_t:dir r_dir_perms; +allow smbmount_t samba_etc_t:file r_file_perms; + +can_exec(smbmount_t, smbmount_exec_t) + +allow smbmount_t samba_log_t:dir r_dir_perms; +allow smbmount_t samba_log_t:file create_file_perms; + +allow smbmount_t samba_secrets_t:file create_file_perms; + +allow smbmount_t samba_var_t:dir rw_dir_perms; +allow smbmount_t samba_var_t:file create_file_perms; +allow smbmount_t samba_var_t:lnk_file create_lnk_perms; + +kernel_read_system_state(smbmount_t) + +corenet_tcp_sendrecv_all_if(smbmount_t) +corenet_raw_sendrecv_all_if(smbmount_t) +corenet_udp_sendrecv_all_if(smbmount_t) +corenet_tcp_sendrecv_all_nodes(smbmount_t) +corenet_raw_sendrecv_all_nodes(smbmount_t) +corenet_udp_sendrecv_all_nodes(smbmount_t) +corenet_tcp_sendrecv_all_ports(smbmount_t) +corenet_udp_sendrecv_all_ports(smbmount_t) +corenet_tcp_bind_all_nodes(smbmount_t) +corenet_udp_bind_all_nodes(smbmount_t) +corenet_tcp_connect_all_ports(smbmount_t) + +fs_getattr_cifs(smbmount_t) +fs_mount_cifs(smbmount_t) +fs_remount_cifs(smbmount_t) +fs_unmount_cifs(smbmount_t) +fs_list_cifs(smbmount_t) +fs_read_cifs_files(smbmount_t) + +storage_raw_read_fixed_disk(smbmount_t) +storage_raw_write_fixed_disk(smbmount_t) + +term_list_ptys(smbmount_t) +term_use_controlling_term(smbmount_t) + +corecmd_list_bin(smbmount_t) + +files_list_mnt(smbmount_t) +files_mounton_mnt(smbmount_t) +files_manage_etc_runtime_files(smbmount_t) +files_read_etc_files(smbmount_t) + +miscfiles_read_localization(smbmount_t) + +mount_use_fd(smbmount_t) +mount_send_nfs_client_request(smbmount_t) + +libs_use_ld_so(smbmount_t) +libs_use_shared_libs(smbmount_t) + +locallogin_use_fd(smbmount_t) + +logging_search_logs(smbmount_t) + +sysnet_read_config(smbmount_t) + +userdom_use_all_user_fd(smbmount_t) +userdom_use_sysadm_tty(smbmount_t) + +optional_policy(`nis.te',` + nis_use_ypbind(smbmount_t) +') + +optional_policy(`nscd.te',` + nscd_use_socket(smbmount_t) +') + +ifdef(`TODO',` +ifdef(`cups.te', ` + allow smbd_t cupsd_rw_etc_t:file { getattr read }; +') +') diff --git a/refpolicy/policy/modules/system/files.fc b/refpolicy/policy/modules/system/files.fc index 3430a3c..970538e 100644 --- a/refpolicy/policy/modules/system/files.fc +++ b/refpolicy/policy/modules/system/files.fc @@ -11,6 +11,7 @@ ifdef(`distro_redhat',` /fastboot -- context_template(system_u:object_r:etc_runtime_t,s0) /forcefsck -- context_template(system_u:object_r:etc_runtime_t,s0) /fsckoptions -- context_template(system_u:object_r:etc_runtime_t,s0) +/halt -- context_template(system_u:object_r:etc_runtime_t,s0) /poweroff -- context_template(system_u:object_r:etc_runtime_t,s0) ') diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if index 13d3883..9c57f5b 100644 --- a/refpolicy/policy/modules/system/files.if +++ b/refpolicy/policy/modules/system/files.if @@ -1371,6 +1371,23 @@ interface(`files_list_mnt',` ######################################## ## +## Mount a filesystem on /mnt. +## +## +## Domain allowed access. +## +# +interface(`files_mounton_mnt',` + gen_require(` + type mnt_t; + class dir { search mounton }; + ') + + allow $1 mnt_t:dir { search mounton }; +') + +######################################## +## ## Create, read, write, and delete directories in /mnt. ## ## diff --git a/refpolicy/policy/modules/system/init.fc b/refpolicy/policy/modules/system/init.fc index c85ca5a..a89151f 100644 --- a/refpolicy/policy/modules/system/init.fc +++ b/refpolicy/policy/modules/system/init.fc @@ -1,13 +1,5 @@ # -# / -# -ifdef(`distro_redhat', ` -/\.autofsck -- context_template(system_u:object_r:etc_runtime_t,s0) -/halt -- context_template(system_u:object_r:etc_runtime_t,s0) -') - -# # /etc # /etc/init\.d/.* -- context_template(system_u:object_r:initrc_exec_t,s0) diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te index ad8c451..9941b9c 100644 --- a/refpolicy/policy/modules/system/init.te +++ b/refpolicy/policy/modules/system/init.te @@ -490,6 +490,10 @@ optional_policy(`rpm.te',` rpm_manage_db(initrc_t) ') +optional_policy(`samba.te',` + samba_rw_config(initrc_t) +') + optional_policy(`squid.te',` squid_read_config(initrc_t) squid_manage_logs(initrc_t) diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te index 47c9f28..d7ecfc7 100644 --- a/refpolicy/policy/modules/system/mount.te +++ b/refpolicy/policy/modules/system/mount.te @@ -120,6 +120,10 @@ optional_policy(`rpm.te', ` rpm_rw_pipe(mount_t) ') +optional_policy(`samba.te',` + samba_domtrans_smbmount(mount_t) +') + ifdef(`TODO',` # this goes to the nfs/rpc module files_mountpoint(var_lib_nfs_t) diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if index 375092f..0e91736 100644 --- a/refpolicy/policy/modules/system/userdomain.if +++ b/refpolicy/policy/modules/system/userdomain.if @@ -1014,6 +1014,118 @@ template(`userdom_manage_user_home_subdir_symlinks',` ######################################## ## +## Create, read, write, and delete named pipes +## in a user home subdirectory. +## +## +##

+## Create, read, write, and delete named pipes +## in a user home subdirectory. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## The type of the process performing this action. +## +# +template(`userdom_manage_user_home_subdir_pipes',` + gen_require(` + class dir rw_dir_perms; + class fifo_file create_file_perms; + ') + + files_search_home($2) + allow $2 $1_home_dir_t:dir search; + allow $2 $1_home_t:dir rw_dir_perms; + allow $2 $1_home_t:fifo_file create_file_perms; +') + +######################################## +## +## Create, read, write, and delete named sockets +## in a user home subdirectory. +## +## +##

+## Create, read, write, and delete named sockets +## in a user home subdirectory. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## The type of the process performing this action. +## +# +template(`userdom_manage_user_home_subdir_sockets',` + gen_require(` + class dir rw_dir_perms; + class sock_file create_file_perms; + ') + + files_search_home($2) + allow $2 $1_home_dir_t:dir search; + allow $2 $1_home_t:dir rw_dir_perms; + allow $2 $1_home_t:sock_file create_file_perms; +') + +######################################## +## +## +## +## +##

+## Create, read, write, and delete named sockets +## in a user home subdirectory. +##

+##

+## This is a templated interface, and should only +## be called from a per-userdomain template. +##

+##
+## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## The type of the process performing this action. +## +## +## The class of the object to be created. If not +## specified, file is used. +## +# +template(`userdom_create_user_home',` + gen_require(` + class dir rw_dir_perms; + ') + + files_search_home($2) + + allow $2 $1_home_dir_t:dir rw_dir_perms; + + ifelse(`$3',`',` + type_transition $2 $1_home_dir_t:file $1_home_t; + ',` + type_transition $2 $1_home_dir_t:$3 $1_home_t; + ') +') + +######################################## +## ## Create, read, write, and delete user ## temporary directories. ## diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te index 1719c11..8438dd5 100644 --- a/refpolicy/policy/modules/system/userdomain.te +++ b/refpolicy/policy/modules/system/userdomain.te @@ -202,6 +202,10 @@ ifdef(`targeted_policy',` rpm_run(sysadm_t,sysadm_r,admin_terminal) ') + optional_policy(`samba.te',` + samba_run_net(sysadm_t,sysadm_r,admin_terminal) + ') + optional_policy(`selinuxutil.te',` seutil_run_checkpol(sysadm_t,sysadm_r,admin_terminal) seutil_run_loadpol(sysadm_t,sysadm_r,admin_terminal)