Dan Walsh's Blog

In the previous entry I documented how to use Samba with SELinux. In this blog I will actually walk through the Samba SELinux policy. As you know Policy is made up of three files, File Context (FC) Type Enforcement (TE) and an Interface file (IF)

Lets start by looking at the Type Enforcement File samba.te. It the src rpm this file is located at policy/modules/services/samba.te. This file contains all the rules uses to confine all of the domains (processes) in Samba.

policy_module(samba,1.6.2)
The first section of the policy file is the module definition. This definition macro generates the policy module definition, the name of the module and the version. It also generates all of the generate gen_require definitions for all classes and accesses within the policy.

#################################
#
# Declarations
#

We start out by declaring all of the booleans/tunables that are local to the Samba policy Module. We define booleans/tunables that apply to multiple modules like use_samba_home_dirs in the files policy/global_booleans or policy/global_tunable. This is by convention only and the booleans can be used in other policy modules. When defining a boolean we place some XML snipets in front that describe the boolean. Policy generate tools extract these snipets and use them to create a policy.xml. Newer versions of system-config-selinux are using this xml to generate the UI to describe booleans.
## <desc>
## 
## Allow samba to modify public files
## used for public file transfer services. Files/Directories must be labeled public_content_rw_t.
## 
## </desc>
gen_tunable(allow_smbd_anon_write,false)

Gen_tunable is a macro used to generate the correct m4 code to define a boolean. The first parameter is the boolean name, the second is the default value.

## <desc>
## 
## Allow samba to act as the domain controller, add users, groups and change passwords
##
## 
## </desc>
gen_tunable(samba_domain_controller,false)

## <desc>
## 
## Allow Samba to share users home directories
## 
## </desc>
gen_tunable(samba_enable_home_dirs,false)

## <desc>
## 
## Allow Samba to share any file/directory read only
## 
## </desc>
gen_tunable(samba_export_all_ro,false)

## <desc>
## 
## Allow Samba to share any file/directory read/write
## 
## </desc>
gen_tunable(samba_export_all_rw,false)

## <desc>
## 
## Allow Samba to run unconfined scripts in /var/lib/samba/scripts directory
## 
## </desc>
gen_tunable(samba_run_unconfined,false)

## <desc>
## 
## Allow samba to export NFS volumes.
## 
## </desc>
gen_tunable(samba_share_nfs,false)

Now that we defined all of the booleans we will begin defining the types used in the samba policy. Types are used to identify and name Sources and Targets in an SELinux environment. Usually they identify running processes and objects on the machine like files, directories, char files. The policy compilers do not enforce the policy naming convention but we try to follow a standard convention when naming policy.
type nmbd_t;
type nmbd_exec_t;
init_daemon_domain(nmbd_t,nmbd_exec_t)

nmbd_t is the type of the running nmbd process. nmbd_exec_t is the label we place on the execuable /usr/sbin/nmbd. init_daemon_domain is the macro that defines a "daemon". This macro sets up all the policy to say that executables started by init will transition to the proper domain. For example this rule states that if a initscript (usually running as initrc_t executes a file labeled nmbd_exec_t, it will transition to nmbd_t.
type nmbd_var_run_t;
files_pid_file(nmbd_var_run_t)

nmbd_var_run_t is the type of files/directories etc that get created under neath /var/run directory tree. The files_pid_file macro adds attributes to the nmbd_var_run_t type, that generates allow rules other confined domains (processes) to operate on /var/run files. For example logrotate needs to read all pidfiles in order to figure out which processes are running.
type samba_etc_t;
files_config_file(samba_etc_t)

Samba files contained under /etc

type samba_log_t;
logging_log_file(samba_log_t)

Samba files under /var/log

type samba_net_t;
domain_type(samba_net_t)
role system_r types samba_net_t;

type samba_net_exec_t;
domain_entry_file(samba_net_t,samba_net_exec_t)

Above we are defining policy for the /ust/bin/net application. This application does not usually run withing init scripts so we do not use the init_daemon_domain. The domain_type macro adds an attribute that allows samba_net_t to be used for naming a process. This attribute adds allow rules for all confined domains that need to operate on processes. domain_entry_file sets up the rules that say samba_net_exec_t files can be used as a entry point to the samba_net_t domain. The role command says that system_r role can run samba_net_t domains. system_r is the default domain for all system run processes. So if you think a domain could be run by a confined domain that can be started on boot, you need this rule.

type samba_net_tmp_t;
files_tmp_file(samba_net_tmp_t)

Files uses in the /tmp or /var/tmp directories.

type samba_secrets_t;
files_type(samba_secrets_t)

"secret" files in /etc/samba. The files_type macro just adds a attribute that says the type can be applied to a file/directory on disk. Domain types can not be assigned to files and file_type can not be assigned to domains.

type samba_share_t; # customizable
files_type(samba_share_t)

samba_share_t is the "customizable" type that uses can use to set the context so that samba domains can read/write the files. This customizable flag is collected during the build procedure to generate /etc/selinux/targeted/contexts/customizable_types. This file is read in by restorecon and these file types are not changed to the system default on a restorecon run.
This flag is not as necessary on a mordern SELinux system since you have the ability to easily customize selinux file context layout using "semanage fcontext -a -t samba_share_t PATH"

type samba_var_t;
files_type(samba_var_t)

Samba files under /var

type smbd_t;
type smbd_exec_t;
init_daemon_domain(smbd_t,smbd_exec_t)

smbd_t is the type of the running smbd process. smbd_exec_t is the label we place on the execuable /usr/sbin/smbd. In this policy we have chosen to run the different processes of samba under different domains and attempt to isolate the files types of each process whenever possible. Other policy modules can and do run multiple processes under the same policy domain. It all depends on what your security goals are and how much complexity you are willing to work with.

type smbd_tmp_t;
files_tmp_file(smbd_tmp_t)

type smbd_var_run_t;
files_pid_file(smbd_var_run_t)

The above two file types define types for files that smbd needs to write to in /tmp and /var/run.

type smbmount_t;
domain_type(smbmount_t)

type smbmount_exec_t;
domain_entry_file(smbmount_t,smbmount_exec_t)

Types for the /usr/bin/smbmount or /usr/bin/smbmnt commands

type swat_t;
type swat_exec_t;
domain_type(swat_t)
domain_entry_file(swat_t,swat_exec_t)
role system_r types swat_t;

Types for the /usr/sbin/swat

type swat_tmp_t;
files_tmp_file(swat_tmp_t)

type swat_var_run_t;
files_pid_file(swat_var_run_t)

type winbind_t;
type winbind_exec_t;
init_daemon_domain(winbind_t,winbind_exec_t)

Types for the /usr/sbin/winbindd

type winbind_helper_t;
domain_type(winbind_helper_t)
role system_r types winbind_helper_t;

type winbind_helper_exec_t;
domain_entry_file(winbind_helper_t,winbind_helper_exec_t)

Types for the /usr/sbin/ntlm_auth

type winbind_log_t;
logging_log_file(winbind_log_t)

type winbind_tmp_t;
files_tmp_file(winbind_tmp_t)

type winbind_var_run_t;
files_pid_file(winbind_var_run_t)

type smbcontrol_t;
type smbcontrol_exec_t;
application_domain(smbcontrol_t, smbcontrol_exec_t)
role system_r types smbcontrol_t;

Types for the /usr/bin/smbcontrol

Now we begin defining the actual allow rules for all of the types we just defined. By convention we break the policy into blocks containing allow rules for each process domain.
The rules are defined for each domain in the following order.

Allow rules that effect this module directly

Usually starting out with rules containing self. (capabilities, process, sockets)
Then rules on types contained within the module. (Alphabetically by type)

Interface rules from the policy/modules/kernel directory, in alphabetic order
Interface rules from the policy/modules/system directory in alphabetic order
All other interfaces in alphabetic order
Optional Policy blocks
Ifdef blocks (Usually used for policy types specific rules (mls, targeted) and distribution specific rules (redhat, debian, gentoo)

########################################
#
# Samba net local policy
#

allow samba_net_t self:unix_dgram_socket create_socket_perms;
allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
allow samba_net_t self:udp_socket create_socket_perms;
allow samba_net_t self:tcp_socket create_socket_perms;

Allow samba_net to create the different types of sockets for interprocess communications. A lot of these sockets will be used with the corenetwork macros below.

The patterns and file_perms definitions below are defined in policy/support directory. It is often better to use these definitions then to just use the output from audit2allow. Since the kernel might not have caught all of the access needed yet. For example you might get a getattr access generated with out audit2allow but if you no the domain is going to read the file you should just use the read_file_perms.

allow samba_net_t samba_etc_t:file read_file_perms;

manage_files_pattern(samba_net_t,samba_etc_t,samba_secrets_t)
filetrans_pattern(samba_net_t,samba_etc_t,samba_secrets_t,file)

filetrans_pattern is a macro that changes the default behaviour of how files are created within directories. Remember that by default files created within a directory get labeled with the directories label. This macro says that if a process is runing as samba_net_t and creates a file in a directory labeles samba_etc_t, the kernel will create the file labeles samba_secrets_t.
In Macro language you can put multiple entries in using the {} Syntax. So you could have said { file dir sock_file } for the last parameter and this would have said kernel will create files/directories and sock_files in samba_etc_t as samba_secrets_t. If you don't specify the last file at all, then all objects will be created with this type.

manage_dirs_pattern(samba_net_t,samba_net_tmp_t,samba_net_tmp_t)
manage_files_pattern(samba_net_t,samba_net_tmp_t,samba_net_tmp_t)
files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })

The files_tmp_filetrans macro says that if a domain running as samba_net_t creates a file or directory in a directory labeled tmp_t the kernel will create the file labeled samba_net_tmp_t

allow samba_net_t samba_var_t:dir rw_dir_perms;
manage_files_pattern(samba_net_t,samba_var_t,samba_var_t)
manage_lnk_files_pattern(samba_net_t,samba_var_t,samba_var_t)

auth_use_nsswitch(samba_net_t)

This macro should be used for any application that calls getpw* functions. On a linux system calling getpw can trigger all sorts of ways of looking up passwords including nis, nscd, ldap etc.

kernel_read_proc_symlinks(samba_net_t)

corenet_all_recvfrom_unlabeled(samba_net_t)
corenet_all_recvfrom_netlabel(samba_net_t)
corenet_tcp_sendrecv_all_if(samba_net_t)
corenet_udp_sendrecv_all_if(samba_net_t)
corenet_raw_sendrecv_all_if(samba_net_t)
corenet_tcp_sendrecv_all_nodes(samba_net_t)
corenet_udp_sendrecv_all_nodes(samba_net_t)
corenet_raw_sendrecv_all_nodes(samba_net_t)
corenet_tcp_sendrecv_all_ports(samba_net_t)
corenet_udp_sendrecv_all_ports(samba_net_t)
corenet_tcp_bind_all_nodes(samba_net_t)
corenet_udp_bind_all_nodes(samba_net_t)
corenet_tcp_connect_smbd_port(samba_net_t)

These macros define all of the rules necessary to do network connections. The last macro corenet_tcp_connect_smbd_port defines the only ports that samba_net_t can connect to .

dev_read_urand(samba_net_t)

Allows the reading of /dev/urand. This is considered pretty safe. Whereas giving a domain the ability to read /dev/rand can be considered potentially dangerous

domain_use_interactive_fds(samba_net_t)

This domain allows the tool so interact with the terminal file descriptors created at login

files_read_etc_files(samba_net_t)

libs_use_ld_so(samba_net_t)
libs_use_shared_libs(samba_net_t)

Use of shared libraries. allows samba_net_t to read and execure files labeled lib_t, shlib_t and textrel_shlib_t. (Execmod on textrel_shlib_t also)

logging_send_syslog_msg(samba_net_t)

Sending syslog messages

miscfiles_read_localization(samba_net_t)

samba_read_var_files(samba_net_t)

userdom_dontaudit_search_sysadm_home_dirs(samba_net_t)

Many processes looks at the current working directory when they start this can generate an AVC. When you login as root you usually end up in the /root directory and this macro says ignore getattr in the /root directory if is labeled sysadm_home_dir_t

optional_policy(`
kerberos_use(samba_net_t)
')

This macro sets up all of the rules necessary for the domains to use kerberos, including the ability to contact the kerberos servers. The optional block allows the policy to be installed on machines that do not include the kerberos module installed.
########################################
#
# smbd Local policy
#
allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search };
dontaudit smbd_t self:capability sys_tty_config;
All of the capabilities needed for the domain. The policy writer has determined that while the smbd_t domains requests access to the ssy_tty_config capability it does not really need it so he dontaudit's the access

allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
allow smbd_t self:fd use;
allow smbd_t self:fifo_file rw_fifo_file_perms;
allow smbd_t self:msg { send receive };
allow smbd_t self:msgq create_msgq_perms;
allow smbd_t self:sem create_sem_perms;
allow smbd_t self:shm create_shm_perms;
allow smbd_t self:sock_file read_sock_file_perms;
allow smbd_t self:tcp_socket create_stream_socket_perms;
allow smbd_t self:udp_socket create_socket_perms;
allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow smbd_t self:unix_stream_socket { create_stream_socket_perms connectto };

All of the rules defining how a the smbd_t acts on itself. Including lots of interprocess communications.
allow smbd_t samba_etc_t:file { rw_file_perms setattr };

manage_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
manage_files_pattern(smbd_t,samba_log_t,samba_log_t)

allow smbd_t samba_net_tmp_t:file getattr;

manage_files_pattern(smbd_t,samba_secrets_t,samba_secrets_t)
filetrans_pattern(smbd_t,samba_etc_t,samba_secrets_t,file)

manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t)
manage_files_pattern(smbd_t,samba_share_t,samba_share_t)
manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t)

manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t)
manage_files_pattern(smbd_t,samba_var_t,samba_var_t)
manage_lnk_files_pattern(smbd_t,samba_var_t,samba_var_t)
manage_sock_files_pattern(smbd_t,samba_var_t,samba_var_t)

manage_dirs_pattern(smbd_t,smbd_tmp_t,smbd_tmp_t)
manage_files_pattern(smbd_t,smbd_tmp_t,smbd_tmp_t)
files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })

allow smbd_t nmbd_var_run_t:file rw_file_perms;

manage_dirs_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
manage_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
files_pid_filetrans(smbd_t,smbd_var_run_t,file)

This macro says that files created by processes running as smbd_t in directories labeled var_run_t will be created as smbd_var_run_t

allow smbd_t winbind_var_run_t:sock_file rw_sock_file_perms;

kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
kernel_read_network_state(smbd_t)
kernel_read_fs_sysctls(smbd_t)
kernel_read_kernel_sysctls(smbd_t)
kernel_read_software_raid_state(smbd_t)
kernel_read_system_state(smbd_t)

Most of these kernel definitions have to do with processes interacting with kernel file systems like /proc

corecmd_exec_shell(smbd_t)
corecmd_exec_bin(smbd_t)

These macros say that smbd_t can run programs that are labeled bin_t or shell_exec_t without a transition. Since most files in /usr/bin and /usr/sbin are labeled bin_t samba can execute them and those processes will also run as smbd_t.

corenet_all_recvfrom_unlabeled(smbd_t)
corenet_all_recvfrom_netlabel(smbd_t)
corenet_tcp_sendrecv_all_if(smbd_t)
corenet_udp_sendrecv_all_if(smbd_t)
corenet_raw_sendrecv_all_if(smbd_t)
corenet_tcp_sendrecv_all_nodes(smbd_t)
corenet_udp_sendrecv_all_nodes(smbd_t)
corenet_raw_sendrecv_all_nodes(smbd_t)
corenet_tcp_sendrecv_all_ports(smbd_t)
corenet_udp_sendrecv_all_ports(smbd_t)
corenet_tcp_bind_all_nodes(smbd_t)
corenet_udp_bind_all_nodes(smbd_t)
corenet_tcp_bind_smbd_port(smbd_t)
corenet_tcp_connect_ipp_port(smbd_t)
corenet_tcp_connect_smbd_port(smbd_t)

smbd_t can connect to all ports labeled ipp_port_t or smbd_port_t can can bind to ports labeled smbd_t

dev_read_sysfs(smbd_t)
dev_read_urand(smbd_t)
dev_getattr_mtrr_dev(smbd_t)
dev_dontaudit_getattr_usbfs_dirs(smbd_t)

Interactions with different devices on the system. Some times a domains will list all of the contents of a directory, and this can generate avcs. The dev_dontaudit_getattr_usbfs_dirs is probably caused by smbd doing a getattr of everying thing in /dev

fs_getattr_all_fs(smbd_t)
fs_get_xattr_fs_quotas(smbd_t)
fs_search_auto_mountpoints(smbd_t)
fs_getattr_rpc_dirs(smbd_t)
fs_list_inotifyfs(smbd_t)

The fs macro interfaces are used for interaction with many of the file systems

auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
auth_domtrans_upd_passwd(smbd_t)
These two macros tell the kernel that if smbd_t runs an application labeled chkpwd_exec_t or updpwd_exec_t then it should transition to the appropriate domain. These two domains happen to be used in pam authentication programs and allow us to protect the /etc/shadow file from requireing direct access.

domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)

Sometimes a confined domain will try to list all processes on a system. For example a domain might execute a killall or pidof scrips and this will cause an avc for allow processes running on the system. This macro eliminates that noise.

files_list_var_lib(smbd_t)
files_read_etc_files(smbd_t)
files_read_etc_runtime_files(smbd_t)
files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)

init_rw_utmp(smbd_t)
Many confined domains try to update the utmp file. Some only need to read it but still generated a avc for write. So some domains have this dontaudited, Be sure a domain actually needs to write to this file since a cracker could try to clear this file to hide his tracks.

libs_use_ld_so(smbd_t)
libs_use_shared_libs(smbd_t)

logging_search_logs(smbd_t)
logging_send_syslog_msg(smbd_t)

miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
This macro allows smbd_t to read files/directories labeled public_content_t and public_content_rw_t

userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
userdom_dontaudit_use_unpriv_user_fds(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)

ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
fs_dontaudit_getattr_tmpfs_dirs(smbd_t)
')

The policy writer added the above block of policy to quiet avc's of what he believes is badly coded application. He should have entered a bugzilla to fix the behaviour that he believes to be broken. At policy build time you can specify to drop all broken_sysmtoms policy.

tunable_policy(`allow_smbd_anon_write',`
miscfiles_manage_public_files(smbd_t)
')

This is a tunable policy block. The macro says that smbd_t can manage files/directories in labeled as public_content_rw_t but only if the allow_smbd_anon_write boolean is set to true.

tunable_policy(`samba_domain_controller',`
usermanage_domtrans_passwd(smbd_t)
usermanage_domtrans_useradd(smbd_t)
usermanage_domtrans_groupadd(smbd_t)
')
This is a tunable policy block. The macros say that smbd_t can executed useradd, passwd and groupadd in the correct domain but only if the samba_domain_controller boolean is set to true.

# Support Samba sharing of NFS mount points
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
fs_manage_nfs_symlinks(smbd_t)
fs_manage_nfs_named_pipes(smbd_t)
fs_manage_nfs_named_sockets(smbd_t)
')

This is a tunable policy block. The macros say that smbd_t can executed manage files in nfs shares but only if the samba_share_nfs boolean is set to true.

optional_policy(`
kerberos_read_keytab(smbd_t)
')

optional_policy(`
lpd_exec_lpr(smbd_t)
')

optional_policy(`
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
')
Allows samba to print to cups printers

optional_policy(`
kerberos_use(smbd_t)
')

optional_policy(`
rpc_search_nfs_state_data(smbd_t)
')

optional_policy(`
seutil_sigchld_newrole(smbd_t)
')

optional_policy(`
udev_read_db(smbd_t)
')

tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
auth_read_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_read_all_files_except_shadow(nmbd_t)
')

tunable_policy(`samba_export_all_rw',`
fs_read_noxattr_fs_files(smbd_t)
auth_manage_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_manage_all_files_except_shadow(nmbd_t)
userdom_generic_user_home_dir_filetrans_generic_user_home_content(nmbd_t, { file dir })
')
The macros above allow smbd to share every file on the system either as read/only or read/write depending on which boolean is set. The userdom_generic_user_home_dir_filetrans_generic_user_home_content macro says to create files and directories in homedirectories with user_home_t not user_home_dir_t.

The rest of the policy in this file is similar and should be fairly easy to understand.

########################################
#
# nmbd Local policy
#

dontaudit nmbd_t self:capability sys_tty_config;
allow nmbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow nmbd_t self:fd use;
allow nmbd_t self:fifo_file rw_fifo_file_perms;
allow nmbd_t self:msg { send receive };
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
allow nmbd_t self:sock_file read_sock_file_perms;
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nmbd_t self:unix_stream_socket { create_stream_socket_perms connectto };

manage_files_pattern(nmbd_t,nmbd_var_run_t,nmbd_var_run_t)
files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)

read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)

manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)

read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
allow nmbd_t samba_log_t:dir setattr;

manage_files_pattern(nmbd_t,samba_var_t,samba_var_t)

allow nmbd_t smbd_var_run_t:dir rw_dir_perms;

auth_use_nsswitch(nmbd_t)

kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
kernel_read_kernel_sysctls(nmbd_t)
kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)

corenet_all_recvfrom_unlabeled(nmbd_t)
corenet_all_recvfrom_netlabel(nmbd_t)
corenet_tcp_sendrecv_all_if(nmbd_t)
corenet_udp_sendrecv_all_if(nmbd_t)
corenet_tcp_sendrecv_all_nodes(nmbd_t)
corenet_udp_sendrecv_all_nodes(nmbd_t)
corenet_tcp_sendrecv_all_ports(nmbd_t)
corenet_udp_sendrecv_all_ports(nmbd_t)
corenet_udp_bind_all_nodes(nmbd_t)
corenet_udp_bind_nmbd_port(nmbd_t)
corenet_sendrecv_nmbd_server_packets(nmbd_t)
corenet_sendrecv_nmbd_client_packets(nmbd_t)
corenet_tcp_connect_smbd_port(nmbd_t)

dev_read_sysfs(nmbd_t)
dev_getattr_mtrr_dev(nmbd_t)

fs_getattr_all_fs(nmbd_t)
fs_search_auto_mountpoints(nmbd_t)

domain_use_interactive_fds(nmbd_t)

files_read_usr_files(nmbd_t)
files_read_etc_files(nmbd_t)
files_list_var_lib(nmbd_t)

libs_use_ld_so(nmbd_t)
libs_use_shared_libs(nmbd_t)

logging_search_logs(nmbd_t)
logging_send_syslog_msg(nmbd_t)

miscfiles_read_localization(nmbd_t)

userdom_dontaudit_search_sysadm_home_dirs(nmbd_t)
userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
userdom_use_unpriv_users_fds(nmbd_t)

optional_policy(`
seutil_sigchld_newrole(nmbd_t)
')

optional_policy(`
udev_read_db(nmbd_t)
')

########################################
#
# smbmount Local policy
#

allow smbmount_t self:capability { sys_rawio sys_admin dac_override chown }; # FIXME: is all of this really necessary?
allow smbmount_t self:process { fork signal_perms };
allow smbmount_t self:tcp_socket create_stream_socket_perms;
allow smbmount_t self:udp_socket connect;
allow smbmount_t self:unix_dgram_socket create_socket_perms;
allow smbmount_t self:unix_stream_socket create_socket_perms;

allow smbmount_t samba_etc_t:dir list_dir_perms;
allow smbmount_t samba_etc_t:file read_file_perms;

can_exec(smbmount_t, smbmount_exec_t)

allow smbmount_t samba_log_t:dir list_dir_perms;
allow smbmount_t samba_log_t:file manage_file_perms;

allow smbmount_t samba_secrets_t:file manage_file_perms;

manage_files_pattern(smbmount_t,samba_var_t,samba_var_t)
manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
files_list_var_lib(smbmount_t)

auth_use_nsswitch(smbmount_t)

kernel_read_system_state(smbmount_t)

corenet_all_recvfrom_unlabeled(smbmount_t)
corenet_all_recvfrom_netlabel(smbmount_t)
corenet_tcp_sendrecv_all_if(smbmount_t)
corenet_raw_sendrecv_all_if(smbmount_t)
corenet_udp_sendrecv_all_if(smbmount_t)
corenet_tcp_sendrecv_all_nodes(smbmount_t)
corenet_raw_sendrecv_all_nodes(smbmount_t)
corenet_udp_sendrecv_all_nodes(smbmount_t)
corenet_tcp_sendrecv_all_ports(smbmount_t)
corenet_udp_sendrecv_all_ports(smbmount_t)
corenet_tcp_bind_all_nodes(smbmount_t)
corenet_udp_bind_all_nodes(smbmount_t)
corenet_tcp_connect_all_ports(smbmount_t)

fs_getattr_cifs(smbmount_t)
fs_mount_cifs(smbmount_t)
fs_remount_cifs(smbmount_t)
fs_unmount_cifs(smbmount_t)
fs_list_cifs(smbmount_t)
fs_read_cifs_files(smbmount_t)

storage_raw_read_fixed_disk(smbmount_t)
storage_raw_write_fixed_disk(smbmount_t)

term_list_ptys(smbmount_t)
term_use_controlling_term(smbmount_t)

corecmd_list_bin(smbmount_t)

files_list_mnt(smbmount_t)
files_mounton_mnt(smbmount_t)
files_manage_etc_runtime_files(smbmount_t)
files_etc_filetrans_etc_runtime(smbmount_t,file)
files_read_etc_files(smbmount_t)

miscfiles_read_localization(smbmount_t)

mount_use_fds(smbmount_t)

libs_use_ld_so(smbmount_t)
libs_use_shared_libs(smbmount_t)

locallogin_use_fds(smbmount_t)

logging_search_logs(smbmount_t)

userdom_use_all_users_fds(smbmount_t)
userdom_use_sysadm_ttys(smbmount_t)

optional_policy(`
cups_read_rw_config(smbmount_t)
')

########################################
#
# SWAT Local policy
#

allow swat_t self:capability { setuid setgid sys_resource };
allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow swat_t self:tcp_socket create_stream_socket_perms;
allow swat_t self:udp_socket create_socket_perms;

allow swat_t self:unix_stream_socket connectto;
can_exec(swat_t, smbd_exec_t)
allow swat_t smbd_port_t:tcp_socket name_bind;
allow swat_t smbd_t:process { signal signull };
allow swat_t smbd_var_run_t:file { lock unlink };

can_exec(swat_t, nmbd_exec_t)
allow swat_t nmbd_port_t:udp_socket name_bind;
allow swat_t nmbd_t:process { signal signull };
allow swat_t nmbd_var_run_t:file { lock read unlink };

rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)

append_files_pattern(swat_t,samba_log_t,samba_log_t)

allow swat_t smbd_var_run_t:file read;

manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
manage_files_pattern(swat_t,swat_tmp_t,swat_tmp_t)
files_tmp_filetrans(swat_t, swat_tmp_t, { file dir })

manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)

can_exec(swat_t, winbind_exec_t)
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };

auth_use_nsswitch(swat_t)

kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
kernel_read_network_state(swat_t)

corecmd_search_bin(swat_t)

corenet_all_recvfrom_unlabeled(swat_t)
corenet_all_recvfrom_netlabel(swat_t)
corenet_tcp_sendrecv_generic_if(swat_t)
corenet_udp_sendrecv_generic_if(swat_t)
corenet_raw_sendrecv_generic_if(swat_t)
corenet_tcp_sendrecv_all_nodes(swat_t)
corenet_udp_sendrecv_all_nodes(swat_t)
corenet_raw_sendrecv_all_nodes(swat_t)
corenet_tcp_sendrecv_all_ports(swat_t)
corenet_udp_sendrecv_all_ports(swat_t)
corenet_tcp_connect_smbd_port(swat_t)
corenet_tcp_connect_ipp_port(swat_t)
corenet_sendrecv_smbd_client_packets(swat_t)
corenet_sendrecv_ipp_client_packets(swat_t)

dev_read_urand(swat_t)

files_list_var_lib(swat_t)
files_read_etc_files(swat_t)
files_search_home(swat_t)
files_read_usr_files(swat_t)
fs_getattr_xattr_fs(swat_t)

auth_domtrans_chk_passwd(swat_t)
auth_domtrans_upd_passwd(swat_t)

libs_use_ld_so(swat_t)
libs_use_shared_libs(swat_t)

logging_send_syslog_msg(swat_t)
logging_send_audit_msgs(swat_t)
logging_search_logs(swat_t)

miscfiles_read_localization(swat_t)

optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
')

optional_policy(`
inetd_service_domain(swat_t,swat_exec_t)
')

optional_policy(`
kerberos_use(swat_t)
')

init_read_utmp(swat_t)
init_dontaudit_write_utmp(swat_t)

manage_dirs_pattern(swat_t,samba_log_t,samba_log_t)
create_files_pattern(swat_t,samba_log_t,samba_log_t)

manage_files_pattern(swat_t,samba_etc_t,samba_secrets_t)

manage_files_pattern(swat_t,samba_var_t,samba_var_t)
files_list_var_lib(swat_t)

########################################
#
# Winbind local policy
#

allow winbind_t self:capability { dac_override ipc_lock setuid };
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process signal_perms;
allow winbind_t self:fifo_file { read write };
allow winbind_t self:unix_dgram_socket create_socket_perms;
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
allow winbind_t self:tcp_socket create_stream_socket_perms;
allow winbind_t self:udp_socket create_socket_perms;

allow winbind_t nmbd_t:process { signal signull };

allow winbind_t nmbd_var_run_t:file read_file_perms;

allow winbind_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_t,samba_etc_t,samba_etc_t)
read_lnk_files_pattern(winbind_t,samba_etc_t,samba_etc_t)

manage_files_pattern(winbind_t,samba_etc_t,samba_secrets_t)
filetrans_pattern(winbind_t,samba_etc_t,samba_secrets_t,file)

manage_dirs_pattern(winbind_t,samba_log_t,samba_log_t)
manage_files_pattern(winbind_t,samba_log_t,samba_log_t)
manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t)

manage_dirs_pattern(winbind_t,samba_var_t,samba_var_t)
manage_files_pattern(winbind_t,samba_var_t,samba_var_t)
manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t)
files_list_var_lib(winbind_t)

rw_files_pattern(winbind_t,smbd_tmp_t,smbd_tmp_t)

allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t,winbind_log_t,file)

manage_dirs_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
manage_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })

manage_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
files_pid_filetrans(winbind_t,winbind_var_run_t,file)

corecmd_exec_bin(winbind_t)

kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)

corenet_all_recvfrom_unlabeled(winbind_t)
corenet_all_recvfrom_netlabel(winbind_t)
corenet_tcp_sendrecv_all_if(winbind_t)
corenet_udp_sendrecv_all_if(winbind_t)
corenet_raw_sendrecv_all_if(winbind_t)
corenet_tcp_sendrecv_all_nodes(winbind_t)
corenet_udp_sendrecv_all_nodes(winbind_t)
corenet_raw_sendrecv_all_nodes(winbind_t)
corenet_tcp_sendrecv_all_ports(winbind_t)
corenet_udp_sendrecv_all_ports(winbind_t)
corenet_tcp_bind_all_nodes(winbind_t)
corenet_udp_bind_all_nodes(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)

dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)

fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)

auth_use_nsswitch(winbind_t)
auth_domtrans_chk_passwd(winbind_t)
auth_domtrans_upd_passwd(winbind_t)

domain_use_interactive_fds(winbind_t)

files_read_etc_files(winbind_t)

libs_use_ld_so(winbind_t)
libs_use_shared_libs(winbind_t)

logging_send_syslog_msg(winbind_t)

miscfiles_read_localization(winbind_t)

userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
userdom_priveleged_home_dir_manager(winbind_t)

optional_policy(`
kerberos_use(winbind_t)
')

optional_policy(`
seutil_sigchld_newrole(winbind_t)
')

optional_policy(`
udev_read_db(winbind_t)
')

########################################
#
# Winbind helper local policy
#

allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;

allow winbind_helper_t samba_etc_t:dir list_dir_perms;
read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)

allow winbind_helper_t samba_var_t:dir search;
files_list_var_lib(winbind_helper_t)

auth_use_nsswitch(winbind_helper_t)

stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)

term_list_ptys(winbind_helper_t)

domain_use_interactive_fds(winbind_helper_t)

libs_use_ld_so(winbind_helper_t)
libs_use_shared_libs(winbind_helper_t)

logging_send_syslog_msg(winbind_helper_t)

miscfiles_read_localization(winbind_helper_t)

optional_policy(`
nscd_socket_use(winbind_helper_t)
')

optional_policy(`
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
squid_rw_stream_sockets(winbind_helper_t)
')

########################################
#
# samba_unconfined_script_t local policy
#

optional_policy(`
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t)
corecmd_shell_entry_type(samba_unconfined_script_t)
role system_r types samba_unconfined_script_t;

allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;

unconfined_domain(samba_unconfined_script_t)

tunable_policy(`samba_run_unconfined',`
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
')
')

########################################
#
# smbcontrol local policy
#

## internal communication is often done using fifo and unix sockets.
allow smbcontrol_t self:fifo_file rw_file_perms;
allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;

files_read_etc_files(smbcontrol_t)

libs_use_ld_so(smbcontrol_t)
libs_use_shared_libs(smbcontrol_t)

miscfiles_read_localization(smbcontrol_t)

files_search_var_lib(smbcontrol_t)
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
samba_read_winbind_pid(smbcontrol_t)

allow smbcontrol_t smbd_t:process signal;
domain_use_interactive_fds(smbcontrol_t)
allow smbd_t smbcontrol_t:process { signal signull };

allow nmbd_t smbcontrol_t:process signal;
allow smbcontrol_t nmbd_t:process { signal signull };

allow smbcontrol_t winbind_t:process { signal signull };
allow winbind_t smbcontrol_t:process signal;

allow smbcontrol_t nmbd_var_run_t:file { read lock };