SELinux Mailing List: Manage samba changes
From: dwalsh_at_redhat.com
Date: Wed, 30 May 2007 10:25:21 -0400
/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
######################################## ## <summary>+## <rolecap/> +# +interface(`samba_append_log',` + gen_require(` + type samba_log_t; + ') + + logging_search_logs($1) + allow $1 samba_log_t:dir list_dir_perms; + allow $1 samba_log_t:file append_file_perms; +') + +######################################## +## <summary> ## Execute samba log in the caller domain. ## </summary> ## <param name="domain"> @@ -263,6 +284,7 @@ ') files_search_var($1)') @@ -283,11 +305,55 @@ ') files_search_var($1)') ######################################## ## <summary>+## </param> +# +interface(`samba_manage_var_files',` + gen_require(` + type samba_var_t; + ') + + files_search_var($1) + files_search_var_lib($1) + manage_files_pattern($1,samba_var_t,samba_var_t) + manage_lnk_files_pattern($1,samba_var_t,samba_var_t) +') + +######################################## +## <summary> +## Allow the specified domain to +## read samba /var files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`samba_read_var_files',` + gen_require(` + type samba_var_t; + ') + + files_search_var($1) + files_search_var_lib($1) + read_files_pattern($1,samba_var_t,samba_var_t) +') + +######################################## +## <summary> ## Allow the specified domain to write to smbmount tcp sockets. ## </summary> ## <param name="domain"> 
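Review bot: samba_read_var_files grants only `read_files_pattern($1,samba_var_t,samba_var_t)`, while the sibling samba_manage_var_files added in the same hunk also covers symlinks with `manage_lnk_files_pattern`; if /var/lib/samba can contain symlinks, a caller of the read interface would be denied following them, so consider adding `read_lnk_files_pattern($1,samba_var_t,samba_var_t)` after the `read_files_pattern` line, or stating in the summary that links are intentionally excluded. The `<summary>` text of samba_manage_var_files is not visible here (the fragment jumps from `## <summary>` straight to `+## </param>`), which may be archive loss; if the real patch lacks it, a line such as `## Allow the specified domain to manage samba /var files.` should be added so the generated interface documentation describes it. The hunk header `@@ -283,11 +305,55 @@` announces more added lines than appear on this page, so part of this unit is outside what I can see.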
@@ -410,3 +476,52 @@ allow $1 samba_var_t:dir search_dir_perms; stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)')
+
+########################################
+## <summary>
+## Do not audit attempts to use file descriptors from samba.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`samba_dontaudit_use_fds',`
+ gen_require(`
+ type smbd_t;
+ ')
+
+ dontaudit $1 smbd_t:fd use;
+')
+
+
+########################################
+## <summary>
+## Create a set of derived types for apache
+## web content.
+## </summary>
+## <param name="prefix">
+## <summary>
+## The prefix to be used for deriving type names.
+## </summary>
+## </param>
+#
+template(`samba_helper_template',`
+ gen_require(`
+ type smbd_t;
+ ')
+ #This type is for samba helper scripts
+ type samba_$1_script_t;
+ domain_type(samba_$1_script_t)
+ role system_r types samba_$1_script_t;
+
+ # This type is used for executable scripts files
+ type samba_$1_script_exec_t;
+ corecmd_shell_entry_type(samba_$1_script_t)
+ domain_entry_file(samba_$1_script_t,samba_$1_script_exec_t)
+
+ domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
+ allow smbd_t samba_$1_script_exec_t:file ioctl;
+
+')
--- nsaserefpolicy/policy/modules/services/samba.te 2007-05-29 14:10:57.000000000 -0400
@@ -28,6 +28,35 @@ ## </desc> gen_tunable(samba_share_nfs,false)
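Review bot: The `<summary>` of samba_helper_template reads `Create a set of derived types for apache web content`, which looks copied from the apache module and does not describe what the template creates; suggest `## Create a set of derived types for samba helper scripts.`. This block is what the generated interface documentation shows, so the wrong text makes the template hard to find and misleads anyone deciding whether to use it. It would also help to state in the summary that the derived domain is entered only by `smbd_t` through the `domtrans_pattern` on `samba_$1_script_exec_t`, since that transition is the template's main effect.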
+## <desc> allow samba_net_t self:unix_stream_socket create_stream_socket_perms; allow samba_net_t self:udp_socket create_socket_perms; allow samba_net_t self:tcp_socket create_socket_perms; +allow samba_net_t self:netlink_route_socket r_netlink_socket_perms; allow samba_net_t samba_etc_t:file read_file_perms; @@ -159,6 +189,8 @@ miscfiles_read_localization(samba_net_t)
+samba_read_var_files(samba_net_t) @@ -197,7 +229,6 @@ create_dirs_pattern(smbd_t,samba_log_t,samba_log_t) create_files_pattern(smbd_t,samba_log_t,samba_log_t) -append_files_pattern(smbd_t,samba_log_t,samba_log_t)allow smbd_t samba_log_t:dir setattr; dontaudit smbd_t samba_log_t:dir remove_name;
@@ -251,6 +282,9 @@
+corecmd_exec_shell(smbd_t) dev_read_sysfs(smbd_t) dev_read_urand(smbd_t) dev_getattr_mtrr_dev(smbd_t) @@ -260,11 +294,13 @@ fs_get_xattr_fs_quotas(smbd_t) fs_search_auto_mountpoints(smbd_t) fs_getattr_rpc_dirs(smbd_t) +fs_list_inotifyfs(smbd_t)
auth_use_nsswitch(smbd_t)
domain_use_interactive_fds(smbd_t)
files_list_var_lib(smbd_t)
+tunable_policy(`samba_domain_controller',` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) @@ -328,6 +370,23 @@ udev_read_db(smbd_t) ')
+tunable_policy(`samba_export_all_rw',` ######################################### # nmbd Local policy @@ -351,9 +410,12 @@ files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
-create_dirs_pattern(nmbd_t,samba_log_t,samba_log_t) +manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t) append_files_pattern(nmbd_t,samba_log_t,samba_log_t) +allow nmbd_t samba_log_t:file unlink; + read_files_pattern(nmbd_t,samba_log_t,samba_log_t) create_files_pattern(nmbd_t,samba_log_t,samba_log_t) allow nmbd_t samba_log_t:dir setattr; @@ -380,6 +442,7 @@ corenet_udp_bind_nmbd_port(nmbd_t) corenet_sendrecv_nmbd_server_packets(nmbd_t) corenet_sendrecv_nmbd_client_packets(nmbd_t) +corenet_tcp_connect_smbd_port(nmbd_t)
dev_read_sysfs(nmbd_t)
allow smbmount_t samba_secrets_t:file manage_file_perms;
+files_list_var_lib(smbmount_t)
term_list_ptys(smbmount_t)
corecmd_list_bin(smbmount_t)
@@ -493,6 +558,11 @@
userdom_use_all_users_fds(smbmount_t)
optional_policy(`
nis_use_ypbind(smbmount_t)
allow swat_t self:process signal_perms; allow swat_t self:fifo_file rw_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -allow swat_t self:netlink_audit_socket create; allow swat_t self:tcp_socket create_stream_socket_perms; allow swat_t self:udp_socket create_socket_perms; allow swat_t self:netlink_route_socket r_netlink_socket_perms;@@ -602,6 +671,8 @@ # Winbind local policy #
+
+allow winbind_t nmbd_t:process { signal signull };
+rw_files_pattern(winbind_t,smbd_tmp_t,smbd_tmp_t)
@@ -622,6 +698,8 @@
+files_list_var_lib(winbind_t)
@@ -707,6 +785,7 @@
+files_list_var_lib(winbind_helper_t) stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t) @@ -722,6 +801,11 @@ miscfiles_read_localization(winbind_helper_t)
+ifdef(`targeted_policy',`
nscd_socket_use(winbind_helper_t)
squid_read_log(winbind_helper_t)
 squid_append_log(winbind_helper_t)
 ')
+
+########################################
+#
+# samba_unconfined_script_t local policy
+#
+type samba_unconfined_script_t;
+domain_type(samba_unconfined_script_t)
+role system_r types samba_unconfined_script_t;
+
+# This type is used for executable scripts files
+type samba_unconfined_script_exec_t;
+corecmd_shell_entry_type(samba_unconfined_script_t)
+domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t)
+allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+
+tunable_policy(`samba_run_unconfined',`
+ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+')
+unconfined_domain(samba_unconfined_script_t)
-- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Wed 30 May 2007 - 13:37:23 EDT |
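Review bot: `unconfined_domain(samba_unconfined_script_t)` on the last added line is unconditional, while only the `domtrans_pattern` from smbd_t sits inside the `samba_run_unconfined` tunable block, so the loaded policy carries unconfined permissions for that domain even when the boolean is off and any other way into the domain is not gated by it. If the call has to stay outside the conditional block (attribute assignments cannot be made conditional), a comment such as `# unconfined_domain() cannot go inside a tunable block; only the smbd_t transition is gated by samba_run_unconfined` would record that and stop a later reviewer from moving it. The `<desc>` for the `samba_run_unconfined` tunable is not visible on this page, so I cannot confirm it tells administrators that the helper script then runs fully unconfined. The hunk header for this trailing block appears to have been lost by the archive, so its placement in samba.te is inferred.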