79cde317 CP |
1 | ## <summary> |
2 | ## SMB and CIFS client/server programs for UNIX and | |
3 | ## Name Service Switch daemon for resolving names | |
4 | ## from Windows NT servers. | |
5 | ## </summary> | |
84c92239 | 6 | |
########################################
## <summary>
##	Execute nmbd in the nmbd_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`samba_domtrans_nmbd',`
	gen_require(`
		type nmbd_t, nmbd_exec_t;
	')

	# search of bin directories so the caller can reach the nmbd binary
	corecmd_search_bin($1)
	# $1 -> nmbd_t when it executes a file labeled nmbd_exec_t
	domtrans_pattern($1, nmbd_exec_t, nmbd_t)
')
25 | ||
#######################################
## <summary>
##	Send generic signals to nmbd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samba_signal_nmbd',`
	gen_require(`
		type nmbd_t;
	')

	# only the generic signal permission; sigkill/sigstop are not included
	allow $1 nmbd_t:process signal;
')
42 | ||
########################################
## <summary>
##	Execute the samba init script in the init script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`samba_initrc_domtrans',`
	gen_require(`
		type samba_initrc_exec_t;
	')

	# transition into the init script domain via the samba init script label
	init_labeled_script_domtrans($1, samba_initrc_exec_t)
')
60 | ||
########################################
## <summary>
##	Execute systemctl in the caller domain to control the
##	samba service, read its unit files and inspect smbd processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samba_systemctl',`
	gen_require(`
		type samba_unit_file_t;
		type smbd_t;
	')

	systemd_exec_systemctl($1)
	allow $1 samba_unit_file_t:file read_file_perms;
	# full service control on the samba units (the whole all_service_perms
	# set), so callers of this interface can start/stop the service
	allow $1 samba_unit_file_t:service all_service_perms;

	# ps visibility is granted for smbd_t only; nmbd/winbind are not covered here
	ps_process_pattern($1, smbd_t)
')
83 | ||
########################################
## <summary>
##	Execute samba net in the samba_net domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`samba_domtrans_net',`
	gen_require(`
		type samba_net_t, samba_net_exec_t;
	')

	corecmd_search_bin($1)
	# $1 -> samba_net_t (the confined net domain) on execution of samba_net_exec_t
	domtrans_pattern($1, samba_net_exec_t, samba_net_t)
')
102 | ||
########################################
## <summary>
##	Execute samba net in the samba_unconfined_net domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`samba_domtrans_unconfined_net',`
	gen_require(`
		type samba_unconfined_net_t, samba_net_exec_t;
	')

	corecmd_search_bin($1)
	# NOTE(review): this keys off the same samba_net_exec_t as
	# samba_domtrans_net but lands in an unconfined domain.  A caller
	# should be given one of the two, not both — presumably the default
	# transitions for the same exec type would conflict; verify at build.
	domtrans_pattern($1, samba_net_exec_t, samba_unconfined_net_t)
')
121 | ||
########################################
## <summary>
##	Execute samba net in the samba_net domain, and
##	allow the specified role the samba_net domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samba_run_net',`
	gen_require(`
		type samba_net_t;
	')

	# transition rules come from the domtrans interface; this only adds
	# the role authorization needed for the transition to succeed
	samba_domtrans_net($1)
	role $2 types samba_net_t;
')
147 | ||
#######################################
## <summary>
##	Allow the specified role the smbd_t domain without
##	setting up any domain transition.
## </summary>
## <param name="role">
##	<summary>
##	The role to be allowed the smbd_t domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samba_role_notrans',`
	gen_require(`
		type smbd_t;
	')

	# role authorization only; no execute/transition rules are granted here
	role $1 types smbd_t;
')
166 | ||
########################################
## <summary>
##	Execute samba net in the samba_unconfined_net domain, and
##	allow the specified role the samba_unconfined_net domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the samba_unconfined_net domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samba_run_unconfined_net',`
	gen_require(`
		type samba_unconfined_net_t;
	')

	# the role gains an unconfined domain; reserve for administrative roles
	samba_domtrans_unconfined_net($1)
	role $2 types samba_unconfined_net_t;
')
192 | ||
########################################
## <summary>
##	Execute smbmount in the smbmount domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`samba_domtrans_smbmount',`
	gen_require(`
		type smbmount_t, smbmount_exec_t;
	')

	corecmd_search_bin($1)
	# $1 -> smbmount_t on execution of smbmount_exec_t
	domtrans_pattern($1, smbmount_exec_t, smbmount_t)
')
211 | ||
########################################
## <summary>
##	Execute smbmount interactively and do
##	a domain transition to the smbmount domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samba_run_smbmount',`
	gen_require(`
		type smbmount_t;
	')

	# domtrans interface supplies the transition; add the role authorization
	samba_domtrans_smbmount($1)
	role $2 types smbmount_t;
')
237 | ||
########################################
## <summary>
##	Allow the specified domain to read
##	samba configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samba_read_config',`
	gen_require(`
		type samba_etc_t;
	')

	# path lookup through /etc, then read of samba_etc_t dirs and files
	files_search_etc($1)
	read_files_pattern($1, samba_etc_t, samba_etc_t)
')
258 | ||
########################################
## <summary>
##	Allow the specified domain to read
##	and write samba configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samba_rw_config',`
	gen_require(`
		type samba_etc_t;
	')

	files_search_etc($1)
	# read/write of existing files only; creation and deletion are
	# granted by samba_manage_config
	rw_files_pattern($1, samba_etc_t, samba_etc_t)
')
279 | ||
########################################
## <summary>
##	Allow the specified domain to create, read, write
##	and delete samba configuration files and directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samba_manage_config',`
	gen_require(`
		type samba_etc_t;
	')

	files_search_etc($1)
	# full management of both the directories and the files; a domain with
	# this can rewrite smb.conf-style policy for the daemons, so grant
	# it only to administrative/configuration domains
	manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
	manage_files_pattern($1, samba_etc_t, samba_etc_t)
')
301 | ||
########################################
## <summary>
##	Allow the specified domain to read samba's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samba_read_log',`
	gen_require(`
		type samba_log_t;
	')

	logging_search_logs($1)
	# listing the log directory is explicitly allowed in addition to reading files
	allow $1 samba_log_t:dir list_dir_perms;
	read_files_pattern($1, samba_log_t, samba_log_t)
')
322 | ||
########################################
## <summary>
##	Allow the specified domain to append to samba's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samba_append_log',`
	gen_require(`
		type samba_log_t;
	')

	logging_search_logs($1)
	allow $1 samba_log_t:dir list_dir_perms;
	# append-only: no read and no overwrite/truncate of existing log content
	allow $1 samba_log_t:file append_file_perms;
')
343 | ||
########################################
## <summary>
##	Execute files labeled samba_log_t in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samba_exec_log',`
	gen_require(`
		type samba_log_t;
	')

	logging_search_logs($1)
	# NOTE(review): allowing execution of log-labeled content is unusual.
	# Anything able to write samba_log_t files (see samba_append_log /
	# samba_admin) can then supply code that runs in the caller's domain.
	# Keep callers to a minimum and prefer a dedicated exec type if the
	# use case permits.
	can_exec($1, samba_log_t)
')
362 | ||
########################################
## <summary>
##	Allow the specified domain to read samba's secrets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samba_read_secrets',`
	gen_require(`
		type samba_secrets_t;
	')

	# Only /etc is searched here.  NOTE(review): if the secrets file sits
	# under a samba_etc_t directory, the caller additionally needs search
	# on that directory (e.g. via samba_read_config) — confirm against the
	# file contexts, which are not visible in this file.
	files_search_etc($1)
	# secrets are sensitive by definition; grant this to as few domains as possible
	allow $1 samba_secrets_t:file read_file_perms;
')
381 | ||
########################################
## <summary>
##	Allow the specified domain to read samba's shares.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samba_read_share_files',`
	gen_require(`
		type samba_share_t;
	')

	# getattr on filesystems labeled samba_share_t (e.g. for statfs);
	# no search of parent directories is granted here, the caller must
	# already be able to reach the share
	allow $1 samba_share_t:filesystem getattr;
	read_files_pattern($1, samba_share_t, samba_share_t)
')
400 | ||
########################################
## <summary>
##	Allow the specified domain to search
##	samba /var directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samba_search_var',`
	gen_require(`
		type samba_var_t;
	')

	# path lookup goes through var_lib, not /var itself
	files_search_var_lib($1)
	allow $1 samba_var_t:dir search_dir_perms;
')
420 | ||
########################################
## <summary>
##	Allow the specified domain to
##	read samba /var files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samba_read_var_files',`
	gen_require(`
		type samba_var_t;
	')

	files_search_var_lib($1)
	# read of files under samba_var_t directories (search included by the pattern)
	read_files_pattern($1, samba_var_t, samba_var_t)
')
440 | ||
########################################
## <summary>
##	Do not audit attempts to write samba
##	/var files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`samba_dontaudit_write_var_files',`
	gen_require(`
		type samba_var_t;
	')

	# silences the denial only; the write is still refused
	dontaudit $1 samba_var_t:file write;
')
459 | ||
########################################
## <summary>
##	Allow the specified domain to
##	read and write samba /var files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samba_rw_var_files',`
	gen_require(`
		type samba_var_t;
	')

	files_search_var_lib($1)
	# existing files only; creation/deletion is samba_manage_var_files
	rw_files_pattern($1, samba_var_t, samba_var_t)
')
479 | ||
########################################
## <summary>
##	Allow the specified domain to create, read, write
##	and delete samba /var files and symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samba_manage_var_files',`
	gen_require(`
		type samba_var_t;
	')

	files_search_var_lib($1)
	# files and symlinks are managed; directories are not (no manage_dirs_pattern)
	manage_files_pattern($1, samba_var_t, samba_var_t)
	manage_lnk_files_pattern($1, samba_var_t, samba_var_t)
')
500 | ||
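########################################
## <summary>
##	Execute a domain transition to run smbcontrol.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`samba_domtrans_smbcontrol',`
	gen_require(`
		type smbcontrol_t, smbcontrol_exec_t;
	')

	# search of bin directories so the caller can reach the binary;
	# brought in line with the other domtrans interfaces in this file
	corecmd_search_bin($1)
	# $1 -> smbcontrol_t on execution of smbcontrol_exec_t
	domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t)
')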
518 | ||
########################################
## <summary>
##	Execute smbcontrol in the smbcontrol domain, and
##	allow the specified role the smbcontrol domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samba_run_smbcontrol',`
	gen_require(`
		type smbcontrol_t;
	')

	# domtrans interface supplies the transition; add the role authorization
	samba_domtrans_smbcontrol($1)
	role $2 types smbcontrol_t;
')
543 | ||
########################################
## <summary>
##	Execute smbd in the smbd_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`samba_domtrans_smbd',`
	gen_require(`
		type smbd_t, smbd_exec_t;
	')

	corecmd_search_bin($1)
	# $1 -> smbd_t on execution of smbd_exec_t
	domtrans_pattern($1, smbd_exec_t, smbd_t)
')
562 | ||
######################################
## <summary>
##	Send generic signals to smbd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samba_signal_smbd',`
	gen_require(`
		type smbd_t;
	')

	# only the generic signal permission; sigkill/sigstop are not included
	allow $1 smbd_t:process signal;
')
579 | ||
########################################
## <summary>
##	Do not audit attempts to use file descriptors from smbd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`samba_dontaudit_use_fds',`
	gen_require(`
		type smbd_t;
	')

	# covers descriptors inherited from smbd_t only (not nmbd/winbind)
	dontaudit $1 smbd_t:fd use;
')
597 | ||
########################################
## <summary>
##	Allow the specified domain to write to smbmount tcp sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samba_write_smbmount_tcp_sockets',`
	gen_require(`
		type smbmount_t;
	')

	# write only; the descriptor itself must already be available to $1
	allow $1 smbmount_t:tcp_socket write;
')
615 | ||
########################################
## <summary>
##	Allow the specified domain to read and write to smbmount tcp sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samba_rw_smbmount_tcp_sockets',`
	gen_require(`
		type smbmount_t;
	')

	# read and write on an already-held socket; no fd use is granted here
	allow $1 smbmount_t:tcp_socket { read write };
')
79cde317 CP |
633 | |
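########################################
## <summary>
##	Execute winbind_helper in the winbind_helper domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`samba_domtrans_winbind_helper',`
	gen_require(`
		type winbind_helper_t, winbind_helper_exec_t;
	')

	# search of bin directories so the caller can reach the helper binary;
	# brought in line with the other domtrans interfaces in this file
	corecmd_search_bin($1)
	# $1 -> winbind_helper_t on execution of winbind_helper_exec_t
	domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
	# the caller may also signal the helper it launched
	allow $1 winbind_helper_t:process signal;
')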
652 | ||
########################################
## <summary>
##	Execute winbind_helper in the winbind_helper domain, and
##	allow the specified role the winbind_helper domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`samba_run_winbind_helper',`
	gen_require(`
		type winbind_helper_t;
	')

	# domtrans interface supplies the transition; add the role authorization
	samba_domtrans_winbind_helper($1)
	role $2 types winbind_helper_t;
')
678 | ||
########################################
## <summary>
##	Allow the specified domain to read the winbind pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samba_read_winbind_pid',`
	gen_require(`
		type winbind_var_run_t;
	')

	files_search_pids($1)
	# files only; no search on winbind_var_run_t directories is granted here
	allow $1 winbind_var_run_t:file read_file_perms;
')
697 | ||
########################################
## <summary>
##	Connect to winbind over its unix stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`samba_stream_connect_winbind',`
	gen_require(`
		type samba_var_t, winbind_t, winbind_var_run_t;
	')

	# socket under the pid directory: reach it via /var/run and the
	# samba var directory, then connect to the winbind_t listener
	files_search_pids($1)
	allow $1 samba_var_t:dir search_dir_perms;
	stream_connect_pattern($1, winbind_var_run_t, winbind_var_run_t, winbind_t)

	# non-Red Hat builds additionally allow the tmp-based socket location
	ifndef(`distro_redhat',`
		gen_require(`
			type winbind_tmp_t;
		')

		# the default for the socket is (poorly named):
		# /tmp/.winbindd/pipe
		files_search_tmp($1)
		stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
	')
')
0c89174f | 728 | |
########################################
## <summary>
##	Create a set of derived types for samba helper
##	scripts that smbd executes.
## </summary>
## <param name="prefix">
##	<summary>
##	The prefix to be used for deriving type names.
##	</summary>
## </param>
#
template(`samba_helper_template',`
	gen_require(`
		type smbd_t;
		role system_r;
	')

	# Domain for the samba helper scripts
	type samba_$1_script_t;
	domain_type(samba_$1_script_t)
	role system_r types samba_$1_script_t;

	# Entry point type for the executable script files
	type samba_$1_script_exec_t;
	# shells are an allowed entrypoint, so shell-script helpers can run in the domain
	corecmd_shell_entry_type(samba_$1_script_t)
	domain_entry_file(samba_$1_script_t, samba_$1_script_exec_t)

	# smbd transitions into the helper domain when it executes the script
	domtrans_pattern(smbd_t, samba_$1_script_exec_t, samba_$1_script_t)
	allow smbd_t samba_$1_script_exec_t:file ioctl;
')
759 | ||
0c89174f CP |
760 | ######################################## |
761 | ## <summary> | |
762 | ## All of the rules required to administrate | |
763 | ## an samba environment | |
764 | ## </summary> | |
765 | ## <param name="domain"> | |
766 | ## <summary> | |
767 | ## Domain allowed access. | |
768 | ## </summary> | |
769 | ## </param> | |
770 | ## <param name="role"> | |
771 | ## <summary> | |
772 | ## The role to be allowed to manage the samba domain. | |
773 | ## </summary> | |
774 | ## </param> | |
775 | ## <rolecap/> | |
776 | # | |
777 | interface(`samba_admin',` | |
778 | gen_require(` | |
2f94f460 DG |
779 | type nmbd_t, nmbd_var_run_t, smbd_var_run_t; |
780 | type smbd_t, smbd_tmp_t, samba_secrets_t; | |
781 | type samba_initrc_exec_t, samba_log_t, samba_var_t; | |
782 | type samba_etc_t, samba_share_t, winbind_log_t; | |
2528a2d7 DG |
783 | type swat_var_run_t, swat_tmp_t, samba_unconfined_script_exec_t; |
784 | type winbind_var_run_t, winbind_tmp_t, samba_unconfined_script_t; | |
0c89174f CP |
785 | ') |
786 | ||
995bdbb1 | 787 | allow $1 smbd_t:process signal_perms; |
0c89174f | 788 | ps_process_pattern($1, smbd_t) |
995bdbb1 | 789 | tunable_policy(`deny_ptrace',`',` |
790 | allow $1 smbd_t:process ptrace; | |
791 | allow $1 nmbd_t:process ptrace; | |
792 | allow $1 samba_unconfined_script_t:process ptrace; | |
793 | ') | |
0c89174f | 794 | |
995bdbb1 | 795 | allow $1 nmbd_t:process signal_perms; |
0c89174f CP |
796 | ps_process_pattern($1, nmbd_t) |
797 | ||
995bdbb1 | 798 | allow $1 samba_unconfined_script_t:process signal_perms; |
2de23411 | 799 | ps_process_pattern($1, samba_unconfined_script_t) |
dcf87460 | 800 | |
0c89174f CP |
801 | samba_run_smbcontrol($1, $2, $3) |
802 | samba_run_winbind_helper($1, $2, $3) | |
803 | samba_run_smbmount($1, $2, $3) | |
804 | samba_run_net($1, $2, $3) | |
805 | ||
806 | init_labeled_script_domtrans($1, samba_initrc_exec_t) | |
807 | domain_system_change_exemption($1) | |
808 | role_transition $2 samba_initrc_exec_t system_r; | |
809 | allow $2 system_r; | |
810 | ||
811 | admin_pattern($1, nmbd_var_run_t) | |
812 | ||
813 | admin_pattern($1, samba_etc_t) | |
814 | files_list_etc($1) | |
815 | ||
816 | admin_pattern($1, samba_log_t) | |
817 | logging_list_logs($1) | |
818 | ||
819 | admin_pattern($1, samba_secrets_t) | |
820 | ||
821 | admin_pattern($1, samba_share_t) | |
822 | ||
823 | admin_pattern($1, samba_var_t) | |
824 | files_list_var($1) | |
825 | ||
826 | admin_pattern($1, smbd_var_run_t) | |
827 | files_list_pids($1) | |
828 | ||
829 | admin_pattern($1, smbd_tmp_t) | |
830 | files_list_tmp($1) | |
831 | ||
832 | admin_pattern($1, swat_var_run_t) | |
833 | ||
834 | admin_pattern($1, swat_tmp_t) | |
835 | ||
836 | admin_pattern($1, winbind_log_t) | |
837 | ||
838 | admin_pattern($1, winbind_tmp_t) | |
839 | ||
840 | admin_pattern($1, winbind_var_run_t) | |
3eaa9939 | 841 | admin_pattern($1, samba_unconfined_script_exec_t) |
347d9ee7 DW |
842 | |
843 | samba_systemctl($1) | |
0c89174f | 844 | ') |