commit: 8e14efe4abf1297f7c8c341d7690802f82d798a2 |
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> |
AuthorDate: Tue Feb 21 08:29:50 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Feb 25 14:50:53 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8e14efe4 |
|
patch for samba |
|
I merged the types nmbd_var_run_t and smbd_var_run_t because nmbd_t and smbd_t |
interacted with each other so much there was no benefit in separating them. |
|
Also added a tunable for reading /etc/shadow because on one of my systems I |
couldn't get samba working without it. Maybe I misconfigured samba, but |
others will do the same and we need to give users the choice. |
|
Description: samba patches |
Author: Russell Coker <russell <AT> coker.com.au> |
Last-Update: 2017-02-21 |
|
policy/modules/contrib/samba.fc | 30 +++++++++--------- |
policy/modules/contrib/samba.te | 69 ++++++++++++++++++++++++----------------- |
2 files changed, 55 insertions(+), 44 deletions(-) |
|
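--- a/policy/modules/contrib/samba.fc
+++ b/policy/modules/contrib/samba.fc
@@ -31,21 +31,21 @@
 
 /var/nmbd(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
 
-/run/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/run/samba/nmbd(/.*)? gen_context(system_u:object_r:nmbd_var_run_t,s0)
-
-/run/samba(/.*)? gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/connections\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/gencache\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/locking\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/messages\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/run/samba/namelist\.debug -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/run/samba/nmbd\.pid -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
-/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/share_info\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/smbd\.pid -- gen_context(system_u:object_r:smbd_var_run_t,s0)
-/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:nmbd_var_run_t,s0)
+/run/nmbd(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/nmbd(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
+
+/run/samba(/.*)? gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/brlock\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/connections\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/gencache\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/locking\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/messages\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/namelist\.debug -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/nmbd\.pid -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/sessionid\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/share_info\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/smbd\.pid -- gen_context(system_u:object_r:samba_var_run_t,s0)
+/run/samba/unexpected\.tdb -- gen_context(system_u:object_r:samba_var_run_t,s0)
 
 /run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
 /run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)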
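--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -6,6 +6,14 @@ policy_module(samba, 1.20.0)
 #
 
 ## <desc>
+## <p>
+## Determine whether smbd_t can
+## read shadow files.
+## </p>
+## </desc>
+gen_tunable(samba_read_shadow, false)
+
+## <desc>
 ## <p>
 ## Determine whether samba can modify
 ## public files used for public file
@@ -104,8 +112,9 @@ type nmbd_t;
 type nmbd_exec_t;
 init_daemon_domain(nmbd_t, nmbd_exec_t)
 
-type nmbd_var_run_t;
-files_pid_file(nmbd_var_run_t)
+type samba_var_run_t;
+typealias samba_var_run_t alias { nmbd_var_run_t smbd_var_run_t };
+files_pid_file(samba_var_run_t)
 
 type samba_etc_t;
 files_config_file(samba_etc_t)
@@ -151,9 +160,6 @@ files_type(smbd_keytab_t)
 type smbd_tmp_t;
 files_tmp_file(smbd_tmp_t)
 
-type smbd_var_run_t;
-files_pid_file(smbd_var_run_t)
-
 type smbmount_t;
 type smbmount_exec_t;
 application_domain(smbmount_t, smbmount_exec_t)
@@ -305,16 +311,15 @@ manage_dirs_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
 manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
 files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
 
-manage_dirs_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
-manage_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
-manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
-files_pid_filetrans(smbd_t, smbd_var_run_t, { dir file })
+manage_dirs_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
+manage_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
+manage_sock_files_pattern(smbd_t, samba_var_run_t, samba_var_run_t)
+files_pid_filetrans(smbd_t, samba_var_run_t, { dir file })
 
 allow smbd_t winbind_var_run_t:sock_file read_sock_file_perms;
 stream_connect_pattern(smbd_t, winbind_var_run_t, winbind_var_run_t, winbind_t)
 
-allow smbd_t nmbd_var_run_t:file read_file_perms;
-stream_connect_pattern(smbd_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+stream_connect_pattern(smbd_t, samba_var_run_t, samba_var_run_t, nmbd_t)
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
@@ -377,6 +382,11 @@ auth_domtrans_upd_passwd(smbd_t)
 auth_manage_cache(smbd_t)
 auth_write_login_records(smbd_t)
 
+auth_can_read_shadow_passwords(smbd_t)
+tunable_policy(`samba_read_shadow',`
+ auth_tunable_read_shadow(smbd_t)
+')
+
 init_rw_utmp(smbd_t)
 
 logging_search_logs(smbd_t)
@@ -519,11 +529,10 @@ allow nmbd_t self:tcp_socket { accept listen };
 allow nmbd_t self:unix_dgram_socket sendto;
 allow nmbd_t self:unix_stream_socket { accept connectto listen };
 
-manage_dirs_pattern(nmbd_t, { smbd_var_run_t nmbd_var_run_t }, nmbd_var_run_t)
-manage_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-manage_sock_files_pattern(nmbd_t, nmbd_var_run_t, nmbd_var_run_t)
-files_pid_filetrans(nmbd_t, nmbd_var_run_t, { dir file sock_file })
-filetrans_pattern(nmbd_t, smbd_var_run_t, nmbd_var_run_t, dir)
+manage_dirs_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
+manage_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
+manage_sock_files_pattern(nmbd_t, samba_var_run_t, samba_var_run_t)
+files_pid_filetrans(nmbd_t, samba_var_run_t, { dir file sock_file })
 
 read_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(nmbd_t, samba_etc_t, samba_etc_t)
@@ -542,7 +551,7 @@ files_var_filetrans(nmbd_t, samba_var_t, dir, "samba")
 
 allow nmbd_t { swat_t smbcontrol_t }:process signal;
 
-allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
+allow nmbd_t samba_var_run_t:dir rw_dir_perms;
 
 kernel_getattr_core_if(nmbd_t)
 kernel_getattr_message_if(nmbd_t)
@@ -567,6 +576,8 @@ corenet_sendrecv_smbd_client_packets(nmbd_t)
 corenet_tcp_connect_smbd_port(nmbd_t)
 corenet_tcp_sendrecv_smbd_port(nmbd_t)
 
+corecmd_search_bin(nmbd_t)
+dev_read_urand(nmbd_t)
 dev_read_sysfs(nmbd_t)
 dev_getattr_mtrr_dev(nmbd_t)
 
@@ -618,7 +629,7 @@ allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
 allow smbcontrol_t self:process { signal signull };
 
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, { nmbd_var_run_t smbd_var_run_t }, { nmbd_var_run_t smbd_var_run_t })
+read_files_pattern(smbcontrol_t, samba_var_run_t, samba_var_run_t)
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
 
@@ -733,8 +744,8 @@ allow swat_t self:unix_stream_socket connectto;
 
 allow swat_t { nmbd_t smbd_t }:process { signal signull };
 
-allow swat_t smbd_var_run_t:file read_file_perms;
-allow swat_t smbd_var_run_t:file { lock delete_file_perms };
+allow swat_t samba_var_run_t:file read_file_perms;
+allow swat_t samba_var_run_t:file { lock delete_file_perms };
 
 rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
 read_lnk_files_pattern(swat_t, samba_etc_t, samba_etc_t)
@@ -766,8 +777,8 @@ read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
 allow swat_t winbind_var_run_t:dir { add_entry_dir_perms del_entry_dir_perms };
 allow swat_t winbind_var_run_t:sock_file { create_sock_file_perms delete_sock_file_perms };
 
-read_files_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t)
-stream_connect_pattern(swat_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+read_files_pattern(swat_t, samba_var_run_t, samba_var_run_t)
+stream_connect_pattern(swat_t, samba_var_run_t, samba_var_run_t, nmbd_t)
 
 samba_domtrans_smbd(swat_t)
 samba_domtrans_nmbd(swat_t)
@@ -852,8 +863,8 @@ allow winbind_t self:tcp_socket { accept listen };
 
 allow winbind_t nmbd_t:process { signal signull };
 
-allow winbind_t nmbd_var_run_t:file read_file_perms;
-stream_connect_pattern(winbind_t, nmbd_var_run_t, nmbd_var_run_t, nmbd_t)
+allow winbind_t samba_var_run_t:file read_file_perms;
+stream_connect_pattern(winbind_t, samba_var_run_t, samba_var_run_t, nmbd_t)
 
 allow winbind_t samba_etc_t:dir list_dir_perms;
 read_files_pattern(winbind_t, samba_etc_t, samba_etc_t)
@@ -885,15 +896,15 @@ manage_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
 manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
 files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
 
-manage_dirs_pattern(winbind_t, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t)
+manage_dirs_pattern(winbind_t, { samba_var_run_t winbind_var_run_t }, winbind_var_run_t)
 manage_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
 manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
 files_pid_filetrans(winbind_t, winbind_var_run_t, { sock_file file dir })
-filetrans_pattern(winbind_t, smbd_var_run_t, winbind_var_run_t, dir)
+filetrans_pattern(winbind_t, samba_var_run_t, winbind_var_run_t, dir)
 
-manage_dirs_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
-manage_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
-manage_sock_files_pattern(winbind_t, smbd_var_run_t, smbd_var_run_t)
+manage_dirs_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
+manage_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
+manage_sock_files_pattern(winbind_t, samba_var_run_t, samba_var_run_t)
 
 kernel_read_network_state(winbind_t)
 kernel_read_kernel_sysctls(winbind_t)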
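Review bot: The `<desc>` added for samba_read_shadow in the first hunk only says smbd_t "can read shadow files"; since this boolean is the one place an administrator sees the choice, it should name what is exposed and when to use it, e.g. `## Allow smbd_t to read /etc/shadow (password hashes). Off by default; enable only if Samba authentication cannot be made to work without it.` In the `@@ -377,6 +382,11 @@` hunk, `auth_can_read_shadow_passwords(smbd_t)` sits outside the tunable_policy block, so smbd_t carries that attribute whether or not the boolean is set; that is presumably intentional because an attribute assignment cannot be made conditional, but a comment such as `# attribute cannot be conditional; the shadow_t read itself is gated by samba_read_shadow below` would stop a later reader from taking it for an unconditional grant. The `corecmd_search_bin(nmbd_t)` and `dev_read_urand(nmbd_t)` additions in the `@@ -567,6 +576,8 @@` hunk are unrelated to the type merge and are not explained by the commit message; they would be easier to audit with a one-line justification or as a separate change.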