2017-04-20 01:08:02

by guido

Subject: [refpolicy] [PATCH 25/34] samba: curb on userdom permissions

This patch restricts the samba module's read and/or write permissions
on userdomain files.

It aims to ensure user data confidentiality.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/samba.te | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)

--- refpolicy-2.20170204-orig/policy/modules/contrib/samba.te 2017-02-04 19:30:44.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/samba.te 2017-04-20 00:43:43.177442179 +0200
@@ -427,6 +427,9 @@ tunable_policy(`samba_enable_home_dirs',
userdom_manage_user_home_content_symlinks(smbd_t)
userdom_manage_user_home_content_sockets(smbd_t)
userdom_manage_user_home_content_pipes(smbd_t)
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(smbd_t)
+ userdom_dontaudit_manage_user_home_content_files(smbd_t)
')

tunable_policy(`samba_portmapper',`
@@ -933,12 +936,18 @@ miscfiles_read_localization(winbind_t)
miscfiles_read_generic_certs(winbind_t)

userdom_dontaudit_use_unpriv_user_fds(winbind_t)
-userdom_manage_user_home_content_dirs(winbind_t)
-userdom_manage_user_home_content_files(winbind_t)
-userdom_manage_user_home_content_symlinks(winbind_t)
-userdom_manage_user_home_content_pipes(winbind_t)
-userdom_manage_user_home_content_sockets(winbind_t)
-userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`samba_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(winbind_t)
+ userdom_manage_user_home_content_files(winbind_t)
+ userdom_manage_user_home_content_pipes(winbind_t)
+ userdom_manage_user_home_content_sockets(winbind_t)
+ userdom_manage_user_home_content_symlinks(winbind_t)
+ userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file })
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(winbind_t)
+ userdom_dontaudit_manage_user_home_content_files(winbind_t)
+')

optional_policy(`
ctdbd_stream_connect(winbind_t)
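Review bot: Moving winbind_t's home-content rules and its filetrans under `samba_enable_home_dirs` silently widens what that one boolean controls: an administrator who sets it so smbd can export home directories now also grants winbind_t manage rights on every user's home content, which is the opposite of the confidentiality goal stated in the description if it goes unnoticed. If the tunable's `gen_tunable` description (outside this hunk) does not already say so, it should mention both domains, e.g. `## Allow samba (smbd and winbind) to manage user home content`. The else branch dontaudits only dirs and files while the enabled branch also grants symlinks, pipes, sockets and the transition; if leaving those denials auditable is deliberate, a one-line comment above `userdom_dontaudit_manage_user_home_content_dirs(winbind_t)` noting it would save the next reader from assuming an omission. The same asymmetry is present in the smbd_t else branch of the first hunk, whose enclosing tunable_policy block starts before that hunk.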