diff options
Diffstat (limited to 'policy/modules/contrib/samba.if')
-rw-r--r-- | policy/modules/contrib/samba.if | 724 |
1 files changed, 0 insertions, 724 deletions
diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if deleted file mode 100644 index aee75af5..00000000 --- a/policy/modules/contrib/samba.if +++ /dev/null @@ -1,724 +0,0 @@ -## <summary>SMB and CIFS client/server programs.</summary> - -######################################## -## <summary> -## Execute nmbd in the nmbd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`samba_domtrans_nmbd',` - gen_require(` - type nmbd_t, nmbd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, nmbd_exec_t, nmbd_t) -') - -####################################### -## <summary> -## Send generic signals to nmbd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_signal_nmbd',` - gen_require(` - type nmbd_t; - ') - allow $1 nmbd_t:process signal; -') - -######################################## -## <summary> -## Connect to nmbd with a unix domain -## stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_stream_connect_nmbd',` - gen_require(` - type samba_var_t, nmbd_t, nmbd_var_run_t, smbd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, { smbd_var_run_t samba_var_t nmbd_var_run_t }, nmbd_var_run_t, nmbd_t) -') - -######################################## -## <summary> -## Execute samba init scripts in -## the init script domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`samba_initrc_domtrans',` - gen_require(` - type samba_initrc_exec_t; - ') - - init_labeled_script_domtrans($1, samba_initrc_exec_t) -') - -######################################## -## <summary> -## Execute samba net in the samba net domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`samba_domtrans_net',` - gen_require(` - type samba_net_t, samba_net_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, samba_net_exec_t, samba_net_t) -') - -######################################## -## <summary> -## Execute samba net in the samba net -## domain, and allow the specified -## role the samba net domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_run_net',` - gen_require(` - attribute_role samba_net_roles; - ') - - samba_domtrans_net($1) - roleattribute $2 samba_net_roles; -') - -######################################## -## <summary> -## Execute smbmount in the smbmount domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`samba_domtrans_smbmount',` - gen_require(` - type smbmount_t, smbmount_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, smbmount_exec_t, smbmount_t) -') - -######################################## -## <summary> -## Execute smbmount in the smbmount -## domain, and allow the specified -## role the smbmount domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_run_smbmount',` - gen_require(` - attribute_role smbmount_roles; - ') - - samba_domtrans_smbmount($1) - roleattribute $2 smbmount_roles; -') - -######################################## -## <summary> -## Read samba configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_read_config',` - gen_require(` - type samba_etc_t; - ') - - files_search_etc($1) - read_files_pattern($1, samba_etc_t, samba_etc_t) -') - -######################################## -## <summary> -## Read and write samba configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_rw_config',` - gen_require(` - type samba_etc_t; - ') - - files_search_etc($1) - rw_files_pattern($1, samba_etc_t, samba_etc_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## samba configuration files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_manage_config',` - gen_require(` - type samba_etc_t; - ') - - files_search_etc($1) - manage_dirs_pattern($1, samba_etc_t, samba_etc_t) - manage_files_pattern($1, samba_etc_t, samba_etc_t) -') - -######################################## -## <summary> -## Read samba log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_read_log',` - gen_require(` - type samba_log_t; - ') - - logging_search_logs($1) - allow $1 samba_log_t:dir list_dir_perms; - read_files_pattern($1, samba_log_t, samba_log_t) -') - -######################################## -## <summary> -## Append to samba log files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_append_log',` - gen_require(` - type samba_log_t; - ') - - logging_search_logs($1) - allow $1 samba_log_t:dir list_dir_perms; - allow $1 samba_log_t:file append_file_perms; -') - -######################################## -## <summary> -## Execute samba log files in the caller domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_exec_log',` - gen_require(` - type samba_log_t; - ') - - logging_search_logs($1) - can_exec($1, samba_log_t) -') - -######################################## -## <summary> -## Read samba secret files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_read_secrets',` - gen_require(` - type samba_secrets_t; - ') - - files_search_etc($1) - allow $1 samba_secrets_t:file read_file_perms; -') - -######################################## -## <summary> -## Read samba share files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_read_share_files',` - gen_require(` - type samba_share_t; - ') - - allow $1 samba_share_t:filesystem getattr; - read_files_pattern($1, samba_share_t, samba_share_t) -') - -######################################## -## <summary> -## Search samba var directories. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_search_var',` - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - allow $1 samba_var_t:dir search_dir_perms; -') - -######################################## -## <summary> -## Read samba var files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_read_var_files',` - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, samba_var_t, samba_var_t) -') - -######################################## -## <summary> -## Do not audit attempts to write -## samba var files. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`samba_dontaudit_write_var_files',` - gen_require(` - type samba_var_t; - ') - - dontaudit $1 samba_var_t:file write; -') - -######################################## -## <summary> -## Read and write samba var files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_rw_var_files',` - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - rw_files_pattern($1, samba_var_t, samba_var_t) -') - -######################################## -## <summary> -## Create, read, write, and delete -## samba var files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_manage_var_files',` - gen_require(` - type samba_var_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, samba_var_t, samba_var_t) -') - -######################################## -## <summary> -## Execute smbcontrol in the smbcontrol domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`samba_domtrans_smbcontrol',` - gen_require(` - type smbcontrol_t, smbcontrol_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, smbcontrol_exec_t, smbcontrol_t) -') - -######################################## -## <summary> -## Execute smbcontrol in the smbcontrol -## domain, and allow the specified -## role the smbcontrol domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -# -interface(`samba_run_smbcontrol',` - gen_require(` - attribute_role smbcontrol_roles; - ') - - samba_domtrans_smbcontrol($1) - roleattribute $2 smbcontrol_roles; -') - -######################################## -## <summary> -## Execute smbd in the smbd domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`samba_domtrans_smbd',` - gen_require(` - type smbd_t, smbd_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, smbd_exec_t, smbd_t) -') - -###################################### -## <summary> -## Send generic signals to smbd. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_signal_smbd',` - gen_require(` - type smbd_t; - ') - allow $1 smbd_t:process signal; -') - -######################################## -## <summary> -## Do not audit attempts to inherit -## and use smbd file descriptors. -## </summary> -## <param name="domain"> -## <summary> -## Domain to not audit. -## </summary> -## </param> -# -interface(`samba_dontaudit_use_fds',` - gen_require(` - type smbd_t; - ') - - dontaudit $1 smbd_t:fd use; -') - -######################################## -## <summary> -## Write smbmount tcp sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_write_smbmount_tcp_sockets',` - gen_require(` - type smbmount_t; - ') - - allow $1 smbmount_t:tcp_socket write; -') - -######################################## -## <summary> -## Read and write smbmount tcp sockets. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_rw_smbmount_tcp_sockets',` - gen_require(` - type smbmount_t; - ') - - allow $1 smbmount_t:tcp_socket { read write }; -') - -######################################## -## <summary> -## Execute winbind helper in the -## winbind helper domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -# -interface(`samba_domtrans_winbind_helper',` - gen_require(` - type winbind_helper_t, winbind_helper_exec_t; - ') - - corecmd_search_bin($1) - domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t) -') - -####################################### -## <summary> -## Get attributes of winbind executable files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_getattr_winbind_exec',` - gen_require(` - type winbind_exec_t; - ') - - allow $1 winbind_exec_t:file getattr_file_perms; -') - -######################################## -## <summary> -## Execute winbind helper in the winbind -## helper domain, and allow the specified -## role the winbind helper domain. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed to transition. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_run_winbind_helper',` - gen_require(` - attribute_role winbind_helper_roles; - ') - - samba_domtrans_winbind_helper($1) - roleattribute $2 winbind_helper_roles; -') - -######################################## -## <summary> -## Read winbind pid files. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_read_winbind_pid',` - gen_require(` - type winbind_var_run_t, smbd_var_run_t; - ') - - files_search_pids($1) - read_files_pattern($1, { smbd_var_run_t winbind_var_run_t }, winbind_var_run_t) -') - -######################################## -## <summary> -## Connect to winbind with a unix -## domain stream socket. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -# -interface(`samba_stream_connect_winbind',` - gen_require(` - type samba_var_t, winbind_t, winbind_var_run_t, smbd_var_run_t; - ') - - files_search_pids($1) - stream_connect_pattern($1, { smbd_var_run_t samba_var_t winbind_var_run_t }, winbind_var_run_t, winbind_t) -') - -######################################## -## <summary> -## All of the rules required to -## administrate an samba environment. -## </summary> -## <param name="domain"> -## <summary> -## Domain allowed access. -## </summary> -## </param> -## <param name="role"> -## <summary> -## Role allowed access. -## </summary> -## </param> -## <rolecap/> -# -interface(`samba_admin',` - gen_require(` - type nmbd_t, nmbd_var_run_t, smbd_var_run_t; - type smbd_t, smbd_tmp_t, smbd_spool_t; - type samba_log_t, samba_var_t, samba_secrets_t; - type samba_etc_t, samba_share_t, samba_initrc_exec_t; - type swat_var_run_t, swat_tmp_t, winbind_log_t; - type winbind_var_run_t, winbind_tmp_t; - ') - - allow $1 { nmbd_t smbd_t }:process { ptrace signal_perms }; - ps_process_pattern($1, { nmbd_t smbd_t }) - - init_labeled_script_domtrans($1, samba_initrc_exec_t) - domain_system_change_exemption($1) - role_transition $2 samba_initrc_exec_t system_r; - allow $2 system_r; - - files_list_etc($1) - admin_pattern($1, samba_etc_t) - - logging_list_logs($1) - admin_pattern($1, { samba_log_t winbind_log_t }) - - files_list_var($1) - admin_pattern($1, { samba_share_t samba_var_t samba_secrets_t }) - - files_list_spool($1) - admin_pattern($1, smbd_spool_t) - - files_list_pids($1) - admin_pattern($1, { winbind_var_run_t smbd_var_run_t swat_var_run_t nmbd_var_run_t }) - - files_list_tmp($1) - admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t }) - - samba_run_smbcontrol($1, $2) - samba_run_winbind_helper($1, $2) - samba_run_smbmount($1, $2) - samba_run_net($1, $2) -') |