diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index d7cf04d..c760ebf 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add swat to samba module.
 - Miscellaneous fixes from Dan Walsh.
 - Added modules:
 automount
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index d7b6423..a64164e 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -2444,7 +2444,7 @@ interface(`fs_getattr_all_dirs',`
 attribute filesystem_type;
 ')
- allow $1 filesystem_type:dir search_dir_perms;
+ allow $1 filesystem_type:dir getattr;
 ')
 ########################################
diff --git a/refpolicy/policy/modules/services/automount.te b/refpolicy/policy/modules/services/automount.te
index d1aeb62..f68c043 100644
--- a/refpolicy/policy/modules/services/automount.te
+++ b/refpolicy/policy/modules/services/automount.te
@@ -99,7 +99,7 @@ files_getattr_default_dir(automount_t)
 files_exec_etc_files(automount_t)
 fs_getattr_all_fs(automount_t)
-fs_getattr_all_files(automount_t)
+fs_getattr_all_dirs(automount_t)
 fs_search_auto_mountpoints(automount_t)
 fs_manage_auto_mountpoints(automount_t)
diff --git a/refpolicy/policy/modules/services/samba.fc b/refpolicy/policy/modules/services/samba.fc
index f076ffa..d0e6b6d 100644
--- a/refpolicy/policy/modules/services/samba.fc
+++ b/refpolicy/policy/modules/services/samba.fc
@@ -14,6 +14,7 @@
 /usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
 /usr/bin/smbmount -- gen_context(system_u:object_r:smbmount_exec_t,s0)
 /usr/bin/smbmnt -- gen_context(system_u:object_r:smbmount_exec_t,s0)
+/usr/sbin/swat -- gen_context(system_u:object_r:swat_exec_t,s0)
 /usr/sbin/nmbd -- gen_context(system_u:object_r:nmbd_exec_t,s0)
 /usr/sbin/smbd -- gen_context(system_u:object_r:smbd_exec_t,s0)
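Review bot: Narrowing `fs_getattr_all_dirs` from `search_dir_perms` to `getattr` in filesystem.if changes the interface for every domain that already calls it, and the hunks shown adjust no existing caller. The new rule matches the interface name and is the least-privilege choice, but any caller that relied on the old rule to traverse filesystem_type directories will start logging `search` denials, so existing callers should be audited and given an explicit search interface where traversal is really intended. The automount.te hunk makes automount_t a caller while removing `fs_getattr_all_files(automount_t)`, so that domain loses whatever getattr access it had on non-directory objects; confirm against AVC logs that it only needs to stat directories. The interface's header comment lies outside the hunk and should be checked to still describe getattr only.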
diff --git a/refpolicy/policy/modules/services/samba.te b/refpolicy/policy/modules/services/samba.te
index 5e7cdde..733dc4c 100644
--- a/refpolicy/policy/modules/services/samba.te
+++ b/refpolicy/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
-policy_module(samba,1.1.0)
+policy_module(samba,1.1.1)
 #################################
 #
@@ -54,6 +54,17 @@ domain_type(smbmount_t)
 type smbmount_exec_t;
 domain_entry_file(smbmount_t,smbmount_exec_t)
+type swat_t;
+type swat_exec_t;
+inetd_service_domain(swat_t,swat_exec_t)
+role system_r types swat_t;
+
+type swat_tmp_t;
+files_tmp_file(swat_tmp_t)
+
+type swat_var_run_t;
+files_pid_file(swat_var_run_t)
+
 type winbind_t;
 type winbind_exec_t;
 init_daemon_domain(winbind_t,winbind_exec_t)
@@ -520,6 +531,70 @@ ifdef(`cups.te', `
 ########################################
 #
+# SWAT Local policy
+#
+
+allow swat_t self:capability { setuid setgid };
+allow swat_t self:process signal_perms;
+allow swat_t self:fifo_file rw_file_perms;
+allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow swat_t self:tcp_socket connected_stream_socket_perms;
+allow swat_t self:udp_socket create_socket_perms;
+
+allow swat_t swat_tmp_t:dir create_dir_perms;
+allow swat_t swat_tmp_t:file create_file_perms;
+files_create_tmp_files(swat_t, swat_tmp_t, { file dir })
+
+allow swat_t swat_var_run_t:file create_file_perms;
+allow swat_t swat_var_run_t:dir rw_dir_perms;
+files_create_pid(swat_t,swat_var_run_t)
+
+kernel_read_kernel_sysctl(swat_t)
+kernel_read_system_state(swat_t)
+kernel_read_network_state(swat_t)
+
+corenet_non_ipsec_sendrecv(swat_t)
+corenet_tcp_sendrecv_generic_if(swat_t)
+corenet_udp_sendrecv_generic_if(swat_t)
+corenet_raw_sendrecv_generic_if(swat_t)
+corenet_tcp_sendrecv_all_nodes(swat_t)
+corenet_udp_sendrecv_all_nodes(swat_t)
+corenet_raw_sendrecv_all_nodes(swat_t)
+corenet_tcp_sendrecv_all_ports(swat_t)
+corenet_udp_sendrecv_all_ports(swat_t)
+corenet_tcp_bind_all_nodes(swat_t)
+corenet_udp_bind_all_nodes(swat_t)
+
+dev_read_urand(swat_t)
+
+files_read_etc_files(swat_t)
+files_search_home(swat_t)
+
+fs_getattr_xattr_fs(swat_t)
+
+libs_use_ld_so(swat_t)
+libs_use_shared_libs(swat_t)
+
+logging_send_syslog_msg(swat_t)
+
+miscfiles_read_localization(swat_t)
+
+sysnet_read_config(swat_t)
+
+optional_policy(`kerberos',`
+ kerberos_use(swat_t)
+')
+
+optional_policy(`nis',`
+ nis_use_ypbind(swat_t)
+')
+
+optional_policy(`nscd',`
+ nscd_use_socket(swat_t)
+')
+
+########################################
+#
 # Winbind local policy
 #
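Review bot: The corenet rules give swat_t more network reach than the socket rules in the same block can use: `corenet_raw_sendrecv_generic_if(swat_t)` and `corenet_raw_sendrecv_all_nodes(swat_t)` have no matching `self:rawip_socket` allow, and the tcp/udp send/receive rules cover all ports on all nodes. swat_t is declared with `inetd_service_domain` and holds `capability { setuid setgid }`, so it is a network-facing domain that can change identity and should get the narrowest rules that work. I would drop the two raw lines and narrow `corenet_tcp_sendrecv_all_ports(swat_t)` and `corenet_udp_sendrecv_all_ports(swat_t)` to the port types the service is seen using in audit logs. A one-line comment above `allow swat_t self:capability { setuid setgid };` stating why the capabilities are needed would help later reviewers judge whether they can be removed. The block also grants nothing on Samba's own configuration types, so denials are likely there (inferred, since the rest of samba.te is not visible).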