From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 23 Feb 2017 18:07:39 -0500
Subject: [refpolicy] [PATCH] patch for samba
In-Reply-To: <20170221082950.izhx6lvxfzea562l@athena.coker.com.au>
References: <20170221082950.izhx6lvxfzea562l@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/21/17 03:29, Russell Coker via refpolicy wrote:
> I merged the types nmbd_var_run_t and smbd_var_run_t because nmbd_t and smbd_t
> interacted with each other so much there was no benefit in separating them.
>
> Also added a tunable for reading /etc/shadow because on one of my systems I
> couldn't get samba working without it. Maybe I misconfigured samba, but
> others will do the same and we need to give users the choice.

Merged, though I moved a few lines around.

> Description: samba patches
> Author: Russell Coker
> Last-Update: 2017-02-21
>
> Index: refpolicy-2.20170221/policy/modules/contrib/samba.te
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/samba.te
> +++ refpolicy-2.20170221/policy/modules/contrib/samba.te
> @@ -6,6 +6,14 @@ policy_module(samba, 1.20.0)
> #
>
> ##
> +##

> +## Determine whether smbd_t can
> +## read shadow files.
> +##

> +##
> +gen_tunable(samba_read_shadow, false)
> +
> +##
> ##

> ## Determine whether samba can modify
> ## public files used for public file
> @@ -104,8 +112,9 @@ type nmbd_t;
> type nmbd_exec_t;
> init_daemon_domain(nmbd_t, nmbd_exec_t)
>
> -type nmbd_var_run_t;
> -files_pid_file(nmbd_var_run_t)
> +type samba_var_run_t;
> +typealias samba_var_run_t alias { nmbd_var_run_t smbd_var_run_t };
> +files_pid_file(samba_var_run_t)
>
> type samba_etc_t;
> files_config_file(samba_etc_t)
> @@ -151,9 +160,6 @@ files_type(smbd_keytab_t)
> type smbd_tmp_t;
> files_tmp_file(smbd_tmp_t)
>
> -type smbd_var_run_t;
> -files_pid_file(smbd_var_run_t)
> -
> type smbmount_t;
> type smbmount_exec_t;
> application_domain(smbmount_t, smbmount_exec_t)
> @@ -305,16 +311,15 @@ manage_dirs_pattern(smbd_t, smbd_tmp_t,
> manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
> files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
>
> -manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
> -manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
> -manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
> -files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
> +manage_dirs_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
> +manage_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
> +manage_sock_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
> +files_pid_filetrans(smbd_t, samba_var_run_t, { dir file })
>
> allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms;
> stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
>
> -allow smbd_t nmbd_var_run_t:file read_file_perms;
> -stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
> +stream_connect_pattern(smbd_t, samba_var_run_t, samba_var_run_t, nmbd_t)
>
> kernel_getattr_core_if(smbd_t)
> kernel_getattr_message_if(smbd_t)
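Review bot: Aliasing nmbd_var_run_t and smbd_var_run_t onto samba_var_run_t in this hunk widens every rule that was scoped to one of the old types to the union, and nothing at the declaration records that. On the visible lines smbd_t goes from `read_file_perms` on nmbd's runtime files (the rule removed in the -305 hunk) to full manage of them, nmbd_t goes from `rw_dir_perms` on smbd's directory to managing smbd's tdb and pid files (-519 hunk), and swat_t gains lock and delete on nmbd's files as well (-733 hunk). The commit message justifies the merge by how much the two daemons interact, which is reasonable, but a later reader of samba.te will not see that rationale; a comment above the new type, e.g. `# shared nmbd/smbd runtime state; any domain that manages it can alter both daemons' pid and tdb files`, would keep the trade-off visible. The typealias keeping the old names valid for out-of-tree policy is the right way to do the rename.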
> @@ -377,6 +382,11 @@ auth_domtrans_upd_passwd(smbd_t)
> auth_manage_cache(smbd_t)
> auth_write_login_records(smbd_t)
>
> +auth_can_read_shadow_passwords(smbd_t)
> +tunable_policy(`samba_read_shadow',`
> + auth_tunable_read_shadow(smbd_t)
> +')
> +
> init_rw_utmp(smbd_t)
>
> logging_search_logs(smbd_t)
> @@ -519,11 +529,10 @@ allow nmbd_t self:tcp_socket { accept li
> allow nmbd_t self:unix_dgram_socket sendto;
> allow nmbd_t self:unix_stream_socket { accept connectto listen };
>
> -manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
> -manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
> -manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
> -files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file })
> -filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir)
> +manage_dirs_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
> +manage_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
> +manage_sock_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
> +files_pid_filetrans(nmbd_t, samba_var_run_t, { dir file sock_file })
>
> read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
> read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
> @@ -542,7 +551,7 @@ files_var_filetrans(nmbd_t, samba_var_t,
>
> allow nmbd_t { swat_t smbcontrol_t }:process signal;
>
> -allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
> +allow nmbd_t samba_var_run_t:dir rw_dir_perms;
>
> kernel_getattr_core_if(nmbd_t)
> kernel_getattr_message_if(nmbd_t)
> @@ -567,6 +576,8 @@ corenet_sendrecv_smbd_client_packets(nmb
> corenet_tcp_connect_smbd_port(nmbd_t)
> corenet_tcp_sendrecv_smbd_port(nmbd_t)
>
> +corecmd_search_bin(nmbd_t)
> +dev_read_urand(nmbd_t)
> dev_read_sysfs(nmbd_t)
> dev_getattr_mtrr_dev(nmbd_t)
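Review bot: The tunable that gates `auth_tunable_read_shadow(smbd_t)` in this hunk is documented (in the -6 hunk) only as letting smbd_t read shadow files, without saying what that gives up, and the commit message itself says the need may have come from a misconfiguration. Since enabling it exposes every local account's password hash to the smbd domain, the `<desc>` should say so and steer admins toward fixing the authentication setup first; I would extend the description to `Determine whether smbd_t can read shadow files. Enabling this exposes all local password hashes to smbd; leave it off unless Samba must authenticate directly against the local shadow database.` The default of false in `gen_tunable(samba_read_shadow, false)` is right, and keeping `auth_can_read_shadow_passwords(smbd_t)` unconditional while only the read itself is tunable matches how other shadow tunables in refpolicy are shaped, as far as I can tell.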
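Review bot: `allow nmbd_t samba_var_run_t:dir rw_dir_perms;` in the -542 hunk is now fully covered by `manage_dirs_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)` added in the -519 hunk, since both rules target the same type after the merge, so the line can be dropped rather than renamed. The same collapse applies to `allow swat_t samba_var_run_t:file read_file_perms;` (-733 hunk) alongside `read_files_pattern(swat_t, samba_var_run_t, samba_var_run_t)` (-766 hunk), and to `allow winbind_t samba_var_run_t:file read_file_perms;` (-852 hunk) alongside `manage_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)` (-885 hunk). Leaving the duplicates is harmless for enforcement but makes each domain's access to samba_var_run_t harder to audit by reading.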
>
> @@ -618,7 +629,7 @@ allow smbcontrol_t self:unix_stream_sock
> allow smbcontrol_t self:process { signal signull };
>
> allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
> -read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
> +read_files_pattern(smbcontrol_t, samba_var_run_t, samba_var_run_t)
>
> manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
>
> @@ -733,8 +744,8 @@ allow swat_t self:unix_stream_socket con
>
> allow swat_t { nmbd_t smbd_t }:process { signal signull };
>
> -allow swat_t smbd_var_run_t:file read_file_perms;
> -allow swat_t smbd_var_run_t:file { lock delete_file_perms };
> +allow swat_t samba_var_run_t:file read_file_perms;
> +allow swat_t samba_var_run_t:file { lock delete_file_perms };
>
> rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
> read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
> @@ -766,8 +777,8 @@ read_files_pattern(swat_t, winbind_var_r
> allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms };
> allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms };
>
> -read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
> -stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
> +read_files_pattern(swat_t, samba_var_run_t, samba_var_run_t)
> +stream_connect_pattern(swat_t, samba_var_run_t, samba_var_run_t, nmbd_t)
>
> samba_domtrans_smbd(swat_t)
> samba_domtrans_nmbd(swat_t)
> @@ -852,8 +863,8 @@ allow winbind_t self:tcp_socket { accept
>
> allow winbind_t nmbd_t:process { signal signull };
>
> -allow winbind_t nmbd_var_run_t:file read_file_perms;
> -stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
> +allow winbind_t samba_var_run_t:file read_file_perms;
> +stream_connect_pattern(winbind_t, samba_var_run_t, samba_var_run_t, nmbd_t)
>
> allow winbind_t samba_etc_t:dir list_dir_perms;
> read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
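Review bot: `corecmd_search_bin(nmbd_t)` and `dev_read_urand(nmbd_t)` in the -567 hunk are not mentioned in the description, which covers only the type merge and the shadow tunable. A sentence in the commit message naming the denial that prompted each, or a short comment on the lines (e.g. `# nmbd reads /dev/urandom at startup`, if that is what was observed), would let a later audit tell a deliberate grant from a stray one. Neither rule is broad, so this is about traceability rather than risk.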
> @@ -885,15 +896,15 @@ manage_files_pattern(winbind_t, winbind_
> manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
> files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
>
> -manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
> +manage_dirs_pattern(winbind_t, { samba_var_run_t winbind_var_run_t }, winbind_var_run_t)
> manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
> manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
> files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
> -filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
> +filetrans_pattern(winbind_t, samba_var_run_t, winbind_var_run_t, dir)
>
> -manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
> -manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
> -manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
> +manage_dirs_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
> +manage_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
> +manage_sock_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
>
> kernel_read_network_state(winbind_t)
> kernel_read_kernel_sysctls(winbind_t)
> Index: refpolicy-2.20170221/policy/modules/contrib/samba.fc
> ===================================================================
> --- refpolicy-2.20170221.orig/policy/modules/contrib/samba.fc
> +++ refpolicy-2.20170221/policy/modules/contrib/samba.fc
> @@ -31,21 +31,21 @@
>
> /var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
>
> -/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
> -/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
> +/run/nmbd(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
> +/run/samba/nmbd(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
>
> -/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
> -/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
> -/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
> -/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
> -/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
> -/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
> -/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
> -/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
> -/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
> -/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
> -/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
> -/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
> +/run/samba(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
> +/run/samba/brlock\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
> +/run/samba/connections\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
> +/run/samba/gencache\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
> +/run/samba/locking\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
> +/run/samba/messages\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
> +/run/samba/namelist\.debug -- gen_context(system_u:object_r:samba_var_run_t,s0)
> +/run/samba/nmbd\.pid -- gen_context(system_u:object_r:samba_var_run_t,s0)
> +/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
> +/run/samba/share_info\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
> +/run/samba/smbd\.pid -- gen_context(system_u:object_r:samba_var_run_t,s0)
> +/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
>
> /run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
> /run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
--
Chris PeBenito
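Review bot: After this hunk every per-file entry under /run/samba (brlock.tdb through unexpected.tdb) and the `/run/samba/nmbd(/.*)?` entry resolve to the same samba_var_run_t that the `/run/samba(/.*)?` regex already assigns, so they no longer distinguish anything and could be deleted instead of relabelled. Keeping only `/run/samba(/.*)?` plus the two winbindd entries, which still need winbind_var_run_t to win as the more specific match, would make the intended labelling obvious and shrink the fc file by about a dozen lines. `/run/nmbd(/.*)?` sits outside /run/samba and must stay.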