Add samba_unit_file_t support

diff --git a/policy/modules/apps/sambagui.te b/policy/modules/apps/sambagui.te
index 340c389043351bfdfaee74fd0dcf320120d4b527..c4ee8342769ae8e6cd179c9578511a0d790d9698 100644 (file)
--- a/policy/modules/apps/sambagui.te
+++ b/policy/modules/apps/sambagui.te
@@ -57,6 +57,7 @@ optional_policy(`
        samba_manage_var_files(sambagui_t)
        samba_read_secrets(sambagui_t)
        samba_initrc_domtrans(sambagui_t)
+       samba_systemctl(sambagui_t)
        samba_domtrans_smbd(sambagui_t)
        samba_domtrans_nmbd(sambagui_t)
 ')

diff --git a/policy/modules/services/samba.fc b/policy/modules/services/samba.fc
index 73db5baf4a81cb9b3b9d886d13b2ddc3b6ffc375..c79b415aaf47322e6a1a64144934eddff499d9fb 100644 (file)
--- a/policy/modules/services/samba.fc
+++ b/policy/modules/services/samba.fc
@@ -11,6 +11,8 @@
 /etc/samba/smbpasswd           --      gen_context(system_u:object_r:samba_secrets_t,s0)
 /etc/samba(/.*)?                       gen_context(system_u:object_r:samba_etc_t,s0)
 
+/lib/systemd/system/smb.service        --      gen_context(system_u:object_r:samba_unit_file_t,s0)
+
 #
 # /usr
 #

diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 9e7297013a71650352d6536b063887f99f491e2e..8ee105eaaf4bb5548572ca5b997ac57fd381c87e 100644 (file)
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -58,6 +58,30 @@ interface(`samba_initrc_domtrans',`
        init_labeled_script_domtrans($1, samba_initrc_exec_t)
 ')
 
+########################################
+## <summary>
+##     Execute samba server in the samba domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`samba_systemctl',`
+       gen_require(`
+               type samba_unit_t;
+               type smbd_t;
+       ')
+
+       systemd_exec_systemctl($1)
+       systemd_search_unit_dirs($1)
+       allow $1 samba_unit_t:file read_file_perms;
+       allow $1 samba_unit_t:service all_service_perms;
+
+       ps_process_pattern($1, smbd_t)
+')
+
 ########################################
 ## <summary>
 ##     Execute samba net in the samba_net domain.

diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index be3f8533ac165a623bd4bc12581e28fad2fe72b5..3bc774c4a3537441470ac0c78915a950b927c730 100644 (file)
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -85,6 +85,9 @@ files_config_file(samba_etc_t)
 type samba_initrc_exec_t;
 init_script_file(samba_initrc_exec_t)
 
+type samba_unit_file_t;
+systemd_unit_file(samba_unit_file_t)
+
 type samba_log_t;
 logging_log_file(samba_log_t)