#DESC SAMBA - SMB file server
#
# Author: Ryan Bergauer (bergauer@rice.edu)
# X-Debian-Packages: samba
#
#################################
#
# Declarations for Samba
#
daemon_domain(smbd, `, auth_chkpwd, nscd_client_domain')
daemon_domain(nmbd)
type samba_etc_t, file_type, sysadmfile, usercanread;
type samba_log_t, file_type, sysadmfile, logfile;
type samba_var_t, file_type, sysadmfile;
type samba_share_t, file_type, sysadmfile, customizable;
type samba_secrets_t, file_type, sysadmfile;
# for /var/run/samba/messages.tdb
allow smbd_t nmbd_var_run_t:file rw_file_perms;
allow smbd_t self:process setrlimit;
# not sure why it needs this
tmp_domain(smbd)
ifdef(`crond.te', `
allow system_crond_t samba_etc_t:file { read getattr lock };
allow system_crond_t samba_log_t:file { read getattr lock };
#allow system_crond_t samba_secrets_t:file { read getattr lock };
')
#################################
#
# Rules for the smbd_t domain.
#
# Permissions normally found in every_domain.
general_domain_access(smbd_t)
general_proc_read_access(smbd_t)
allow smbd_t smbd_port_t:tcp_socket name_bind;
# Use capabilities.
allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
# Use the network.
can_network(smbd_t)
can_ldap(smbd_t)
can_kerberos(smbd_t)
can_winbind(smbd_t)
allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
allow smbd_t urandom_device_t:chr_file { getattr read };
# Permissions for Samba files in /etc/samba
# either allow read access to the directory or allow the auto_trans rule to
# allow creation of the secrets.tdb file and the MACHINE.SID file
#allow smbd_t samba_etc_t:dir { search getattr };
file_type_auto_trans(smbd_t, samba_etc_t, samba_secrets_t, file)
allow smbd_t { etc_t samba_etc_t etc_runtime_t }:file r_file_perms;
# Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
allow smbd_t var_lib_t:dir search;
create_dir_file(smbd_t, samba_var_t)
# Needed for shared printers
allow smbd_t var_spool_t:dir search;
# Permissions to write log files.
allow smbd_t samba_log_t:file { create ra_file_perms };
allow smbd_t var_log_t:dir search;
allow smbd_t samba_log_t:dir ra_dir_perms;
dontaudit smbd_t samba_log_t:dir remove_name;
allow smbd_t usr_t:file { getattr read };
# Access Samba shares.
create_dir_file(smbd_t, samba_share_t)
ifdef(`logrotate.te', `
# the application should be changed
can_exec(logrotate_t, samba_log_t)
')
#################################
#
# Rules for the nmbd_t domain.
#
# Permissions normally found in every_domain.
general_domain_access(nmbd_t)
general_proc_read_access(nmbd_t)
allow nmbd_t nmbd_port_t:udp_socket name_bind;
# Use capabilities.
allow nmbd_t self:capability net_bind_service;
# Use the network.
can_network_server(nmbd_t)
# Permissions for Samba files in /etc/samba
allow nmbd_t samba_etc_t:file { getattr read };
allow nmbd_t samba_etc_t:dir { search getattr };
# Permissions for Samba cache files in /var/cache/samba
allow nmbd_t samba_var_t:dir { write remove_name add_name lock getattr search };
allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
allow nmbd_t usr_t:file { getattr read };
# Permissions to write log files.
allow nmbd_t samba_log_t:file { create ra_file_perms };
allow nmbd_t var_log_t:dir search;
allow nmbd_t samba_log_t:dir ra_dir_perms;
allow nmbd_t etc_t:file { getattr read };
ifdef(`cups.te', `
allow smbd_t cupsd_rw_etc_t:file { getattr read };
')
# Needed for winbindd
allow smbd_t { samba_var_t smbd_var_run_t }:sock_file create_file_perms;
# Support Samba sharing of home directories
bool samba_enable_home_dirs false;
ifdef(`mount.te', `
#
# Domain for running smbmount
#
# Derive from app. domain. Transition from mount.
application_domain(smbmount, `, fs_domain, nscd_client_domain')
domain_auto_trans(mount_t, smbmount_exec_t, smbmount_t)
# Capabilities
# FIXME: is all of this really necessary?
allow smbmount_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
# Access samba config
allow smbmount_t samba_etc_t:file r_file_perms;
allow smbmount_t samba_etc_t:dir r_dir_perms;
allow initrc_t samba_etc_t:file rw_file_perms;
# Write samba log
allow smbmount_t samba_log_t:file create_file_perms;
allow smbmount_t samba_log_t:dir r_dir_perms;
# Write stuff in var
allow smbmount_t var_log_t:dir r_dir_perms;
rw_dir_create_file(smbmount_t, samba_var_t)
# Access mtab
file_type_auto_trans(smbmount_t, etc_t, etc_runtime_t, file)
# Read nsswitch.conf
allow smbmount_t etc_t:file r_file_perms;
# Networking
can_network(smbmount_t)
allow smbmount_t port_type:tcp_socket name_connect;
can_ypbind(smbmount_t)
allow smbmount_t self:unix_dgram_socket create_socket_perms;
allow smbmount_t self:unix_stream_socket create_socket_perms;
allow kernel_t smbmount_t:tcp_socket { read write };
allow userdomain smbmount_t:tcp_socket write;
# Proc
# FIXME: is this necessary?
r_dir_file(smbmount_t, proc_t)
# Fork smbmnt
allow smbmount_t bin_t:dir r_dir_perms;
can_exec(smbmount_t, smbmount_exec_t)
allow smbmount_t self:process { fork signal_perms };
# Mount
allow smbmount_t cifs_t:filesystem mount_fs_perms;
allow smbmount_t cifs_t:dir r_dir_perms;
allow smbmount_t mnt_t:dir r_dir_perms;
allow smbmount_t mnt_t:dir mounton;
# Terminal
read_locale(smbmount_t)
access_terminal(smbmount_t, sysadm)
allow smbmount_t userdomain:fd use;
allow smbmount_t local_login_t:fd use;
')
# Derive from app. domain. Transition from mount.
application_domain(samba_net, `, nscd_client_domain')
role system_r types samba_net_t;
in_user_role(samba_net_t)
file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
read_locale(samba_net_t)
allow samba_net_t samba_etc_t:file r_file_perms;
r_dir_file(samba_net_t, samba_var_t)
can_network_udp(samba_net_t)
access_terminal(samba_net_t, sysadm)
allow samba_net_t self:unix_dgram_socket create_socket_perms;
allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
rw_dir_create_file(samba_net_t, samba_var_t)
allow samba_net_t etc_t:file { getattr read };
can_network_client(samba_net_t)
allow samba_net_t smbd_port_t:tcp_socket name_connect;
can_ldap(samba_net_t)
can_kerberos(samba_net_t)
allow samba_net_t urandom_device_t:chr_file r_file_perms;
allow samba_net_t proc_t:dir search;
allow samba_net_t proc_t:lnk_file read;
allow samba_net_t self:dir search;
allow samba_net_t self:file read;
allow samba_net_t self:process signal;
tmp_domain(samba_net)
dontaudit samba_net_t sysadm_home_dir_t:dir search;
allow samba_net_t privfd:fd use;