diff --git a/Changelog b/Changelog
index 06da490..1b2e5a4 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Large samba update from Dan Walsh.
- Drop snmpd_etc_t.
- Confine sendmail and logrotate on targeted.
- Tunable connection to postgresql for users from KaiGai Kohei.
diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
index 60fbca0..4454f48 100644
--- a/policy/modules/services/samba.fc
+++ b/policy/modules/services/samba.fc
@@ -3,6 +3,7 @@
# /etc
#
/etc/samba/MACHINE\.SID -- gen_context(system_u:object_r:samba_secrets_t,s0)
+/etc/samba/passdb.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
/etc/samba/secrets\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)
/etc/samba/smbpasswd -- gen_context(system_u:object_r:samba_secrets_t,s0)
/etc/samba(/.*)? gen_context(system_u:object_r:samba_etc_t,s0)
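Review bot: The new `/etc/samba/passdb.tdb` entry leaves the dot unescaped, unlike the neighbouring `MACHINE\.SID` and `secrets\.tdb` entries; file-context paths are regular expressions, so `.` matches any character and the pattern is looser than the sibling secrets entries. Change it to `/etc/samba/passdb\.tdb -- gen_context(system_u:object_r:samba_secrets_t,s0)` so the match is exact and consistent with the rest of the block.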
@@ -27,6 +28,7 @@
/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
+/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 3ecc275..ecda9ab 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -177,6 +177,27 @@ interface(`samba_read_log',`
########################################
##
+## Allow the specified domain to append to samba's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`samba_append_log',`
+ gen_require(`
+ type samba_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 samba_log_t:dir list_dir_perms;
+ allow $1 samba_log_t:file append_file_perms;
+')
+
+########################################
+##
## Execute samba log in the caller domain.
##
##
@@ -230,12 +251,34 @@ interface(`samba_search_var',`
')
files_search_var($1)
+ files_search_var_lib($1)
allow $1 samba_var_t:dir search_dir_perms;
')
########################################
##
## Allow the specified domain to
+## read samba /var files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_read_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ read_files_pattern($1,samba_var_t,samba_var_t)
+')
+
+########################################
+##
+## Allow the specified domain to
## read and write samba /var files.
##
##
@@ -250,11 +293,51 @@ interface(`samba_rw_var_files',`
')
files_search_var($1)
+ files_search_var_lib($1)
rw_files_pattern($1,samba_var_t,samba_var_t)
')
########################################
##
+## Allow the specified domain to
+## read and write samba /var files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`samba_manage_var_files',`
+ gen_require(`
+ type samba_var_t;
+ ')
+
+ files_search_var($1)
+ files_search_var_lib($1)
+ manage_files_pattern($1,samba_var_t,samba_var_t)
+')
+
+########################################
+##
+## Do not audit attempts to use file descriptors from samba.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`samba_dontaudit_use_fds',`
+ gen_require(`
+ type smbd_t;
+ ')
+
+ dontaudit $1 smbd_t:fd use;
+')
+
+########################################
+##
## Allow the specified domain to write to smbmount tcp sockets.
##
##
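Review bot: The summary of the new `samba_manage_var_files` interface says "read and write samba /var files", which is copied from `samba_rw_var_files` just above it, but the body grants `manage_files_pattern`, i.e. create, read, write, and delete. Change the two summary lines to `## Allow the specified domain to` / `## create, read, write, and delete samba /var files.` so callers can tell the two interfaces apart from the documentation. The same hunk also adds `samba_dontaudit_use_fds`, whose summary matches its body.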
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 487d8ba..bb9746e 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
-policy_module(samba,1.5.0)
+policy_module(samba,1.5.1)
#################################
#
@@ -16,6 +16,14 @@ gen_tunable(allow_smbd_anon_write,false)
##
##
+## Allow samba to run as the domain controller; add machines to passwd file
+##
+##
+##
+gen_tunable(samba_domain_controller,false)
+
+##
+##
## Allow samba to export user home directories.
##
##
@@ -23,6 +31,27 @@ gen_tunable(samba_enable_home_dirs,false)
##
##
+## Export all files on system read only.
+##
+##
+gen_tunable(samba_export_all_ro,false)
+
+##
+##
+## Export all files on system read-write.
+##
+##
+gen_tunable(samba_export_all_rw,false)
+
+##
+##
+## Allow samba to run unconfined scripts
+##
+##
+gen_tunable(samba_run_unconfined,false)
+
+##
+##
## Allow samba to export NFS volumes.
##
##
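Review bot: The descriptions of `samba_export_all_ro` and `samba_export_all_rw` ("Export all files on system read only/read-write") do not tell the administrator that the tunables grant smbd access to every file on the system except shadow, regardless of how the shared directories are labeled; that is what the corresponding `tunable_policy` blocks in this file do. Suggest stating the scope, e.g. `## Allow samba to read all files on the system except shadow, regardless of the share's file labels.` and the read/write equivalent, so the security trade-off is visible where the boolean is documented. The `samba_run_unconfined` description should likewise say that matching scripts run with no SELinux confinement.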
@@ -57,6 +86,13 @@ files_type(samba_secrets_t)
type samba_share_t; # customizable
files_type(samba_share_t)
+type samba_unconfined_script_t;
+type samba_unconfined_script_exec_t;
+domain_type(samba_unconfined_script_t)
+domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t)
+corecmd_shell_entry_type(samba_unconfined_script_t)
+role system_r types samba_unconfined_script_t;
+
type samba_var_t;
files_type(samba_var_t)
@@ -117,6 +153,7 @@ allow samba_net_t self:unix_dgram_socket create_socket_perms;
allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
allow samba_net_t self:udp_socket create_socket_perms;
allow samba_net_t self:tcp_socket create_socket_perms;
+allow samba_net_t self:netlink_route_socket r_netlink_socket_perms;
allow samba_net_t samba_etc_t:file read_file_perms;
@@ -202,7 +239,6 @@ allow smbd_t samba_etc_t:file { rw_file_perms setattr };
create_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
create_files_pattern(smbd_t,samba_log_t,samba_log_t)
-append_files_pattern(smbd_t,samba_log_t,samba_log_t)
allow smbd_t samba_log_t:dir setattr;
dontaudit smbd_t samba_log_t:dir remove_name;
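Review bot: Removing `append_files_pattern(smbd_t,samba_log_t,samba_log_t)` leaves this hunk granting smbd_t only create on samba_log_t files, with no write or append visible; if no other rule outside the hunk (for example a `manage_files_pattern` or `rw_file_perms` on samba_log_t) covers smbd_t, smbd can create its log files but not write to them. Please confirm the replacement rule exists, and if the intent is that smbd_t already has broader access, a one-line comment such as `# write access to samba_log_t is granted by the manage rule below` would make the removal self-explanatory. The enclosing smbd_t block continues outside the hunk.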
@@ -241,6 +277,9 @@ kernel_read_kernel_sysctls(smbd_t)
kernel_read_software_raid_state(smbd_t)
kernel_read_system_state(smbd_t)
+corecmd_exec_shell(smbd_t)
+corecmd_exec_bin(smbd_t)
+
corenet_tcp_sendrecv_all_if(smbd_t)
corenet_udp_sendrecv_all_if(smbd_t)
corenet_raw_sendrecv_all_if(smbd_t)
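Review bot: `corecmd_exec_shell(smbd_t)` and `corecmd_exec_bin(smbd_t)` are added unconditionally and without a comment, which lets smbd run any shell or binary inside its own domain; since this commit also introduces a tunable-gated path for running scripts unconfined, it is not obvious from the hunk which smbd feature needs the unconditional grant. Add a `#` comment above the pair naming the feature that requires it, so a later reviewer can judge whether it belongs behind a tunable as well.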
@@ -265,11 +304,13 @@ fs_getattr_all_fs(smbd_t)
fs_get_xattr_fs_quotas(smbd_t)
fs_search_auto_mountpoints(smbd_t)
fs_getattr_rpc_dirs(smbd_t)
+fs_list_inotifyfs(smbd_t)
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
domain_use_interactive_fds(smbd_t)
+domain_dontaudit_list_all_domains_state(smbd_t)
files_list_var_lib(smbd_t)
files_read_etc_files(smbd_t)
@@ -312,6 +353,12 @@ tunable_policy(`allow_smbd_anon_write',`
miscfiles_manage_public_files(smbd_t)
')
+tunable_policy(`samba_domain_controller',`
+ usermanage_domtrans_passwd(smbd_t)
+ usermanage_domtrans_useradd(smbd_t)
+ usermanage_domtrans_groupadd(smbd_t)
+')
+
# Support Samba sharing of NFS mount points
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
@@ -339,6 +386,21 @@ optional_policy(`
udev_read_db(smbd_t)
')
+tunable_policy(`samba_export_all_ro',`
+ fs_read_noxattr_fs_files(smbd_t)
+ auth_read_all_files_except_shadow(smbd_t)
+ fs_read_noxattr_fs_files(nmbd_t)
+ auth_read_all_files_except_shadow(nmbd_t)
+')
+
+tunable_policy(`samba_export_all_rw',`
+ fs_read_noxattr_fs_files(smbd_t)
+ auth_manage_all_files_except_shadow(smbd_t)
+ fs_read_noxattr_fs_files(nmbd_t)
+ auth_manage_all_files_except_shadow(nmbd_t)
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(nmbd_t, { file dir })
+')
+
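Review bot: Both `samba_export_all_ro` and `samba_export_all_rw` extend the all-files access to nmbd_t, and the read-write branch additionally grants nmbd_t `auth_manage_all_files_except_shadow` and a home-directory file transition; nmbd is the NetBIOS name service and does not serve share contents, so the file-export tunables should only need to touch smbd_t. Unless nmbd has a documented need that is not visible here, drop the `nmbd_t` lines from both blocks so enabling a share-export boolean does not widen a second daemon's file access. If nmbd does need them, a comment in the block explaining why would be warranted.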
########################################
#
# nmbd Local policy
@@ -363,8 +425,10 @@ files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
-create_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
+manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
+allow nmbd_t samba_log_t:file unlink;
+
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
allow nmbd_t samba_log_t:dir setattr;
@@ -391,6 +455,7 @@ corenet_udp_bind_all_nodes(nmbd_t)
corenet_udp_bind_nmbd_port(nmbd_t)
corenet_sendrecv_nmbd_server_packets(nmbd_t)
corenet_sendrecv_nmbd_client_packets(nmbd_t)
+corenet_tcp_connect_smbd_port(nmbd_t)
dev_read_sysfs(nmbd_t)
dev_getattr_mtrr_dev(nmbd_t)
@@ -402,6 +467,7 @@ domain_use_interactive_fds(nmbd_t)
files_read_usr_files(nmbd_t)
files_read_etc_files(nmbd_t)
+files_list_var_lib(nmbd_t)
libs_use_ld_so(nmbd_t)
libs_use_shared_libs(nmbd_t)
@@ -457,9 +523,9 @@ allow smbmount_t samba_log_t:file manage_file_perms;
allow smbmount_t samba_secrets_t:file manage_file_perms;
-allow smbmount_t samba_var_t:dir rw_dir_perms;
manage_files_pattern(smbmount_t,samba_var_t,samba_var_t)
manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
+files_list_var_lib(smbmount_t)
kernel_read_system_state(smbmount_t)
@@ -534,7 +600,6 @@ allow swat_t self:capability { setuid setgid };
allow swat_t self:process signal_perms;
allow swat_t self:fifo_file rw_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow swat_t self:netlink_audit_socket create;
allow swat_t self:tcp_socket create_stream_socket_perms;
allow swat_t self:udp_socket create_socket_perms;
allow swat_t self:netlink_route_socket r_netlink_socket_perms;
@@ -625,6 +690,8 @@ optional_policy(`
# Winbind local policy
#
+
+allow winbind_t self:capability { dac_override ipc_lock setuid };
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process signal_perms;
allow winbind_t self:fifo_file { read write };
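Review bot: `allow winbind_t self:capability { dac_override ipc_lock setuid };` grants `dac_override`, which lets winbind bypass file permission checks on any file its type rules already allow; in this policy that is usually a sign that some file it touches is owned by another user rather than a true requirement. Please check whether the denial that prompted it can be fixed by ownership or labeling instead, and if the capability is required, add a comment above the rule naming the file or operation that needs it. If an `allow winbind_t self:capability` rule already exists outside this hunk, the two should be merged.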
@@ -634,6 +701,10 @@ allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
allow winbind_t self:tcp_socket create_stream_socket_perms;
allow winbind_t self:udp_socket create_socket_perms;
+allow winbind_t nmbd_t:process { signal signull };
+
+allow winbind_t nmbd_var_run_t:file read_file_perms;
+
allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t,samba_etc_t,samba_etc_t)
read_lnk_files_pattern(winbind_t,samba_etc_t,samba_etc_t)
@@ -645,8 +716,12 @@ manage_dirs_pattern(winbind_t,samba_log_t,samba_log_t)
manage_files_pattern(winbind_t,samba_log_t,samba_log_t)
manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t)
+manage_dirs_pattern(winbind_t,samba_var_t,samba_var_t)
manage_files_pattern(winbind_t,samba_var_t,samba_var_t)
manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t)
+files_list_var_lib(winbind_t)
+
+rw_files_pattern(winbind_t,smbd_tmp_t,smbd_tmp_t)
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t,winbind_log_t,file)
@@ -737,6 +812,7 @@ read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
allow winbind_helper_t samba_var_t:dir search;
+files_list_var_lib(winbind_helper_t)
stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
@@ -764,3 +840,17 @@ optional_policy(`
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
')
+
+########################################
+#
+# samba_unconfined_script_t local policy
+#
+
+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+
+unconfined_domain(samba_unconfined_script_t)
+
+tunable_policy(`samba_run_unconfined',`
+ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+')
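Review bot: `unconfined_domain(samba_unconfined_script_t)` is called at top level, but in reference policy the unconfined module is optional, so this call should be wrapped as `optional_policy(` ... `unconfined_domain(samba_unconfined_script_t)` ... `')` or the samba module will fail to build on a tree that omits unconfined. The samba.fc changes in this commit label nothing as `samba_unconfined_script_exec_t`, so unless a context is added elsewhere the new domain is only reachable after a manual relabel, which the tunable's description should mention. Finally, the `allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;` and `:file ioctl` rules are unconditional while the transition is tunable-gated; consider moving them inside the `samba_run_unconfined` block so nothing about the unconfined path is granted when the boolean is off.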