From 7367896085db099d956d666b94601fa9fc9df92a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 1 Jun 2022 12:55:02 +0200
Subject: [PATCH] Add support for samba-dcerpcd
New samba-dcerpcd binary is shipped with samba-4.16 (refer to
https://www.samba.org/samba/history/samba-4.16.0.html) to break out
the DCERPC services from smbd. samba-dcerpcd can be invoked on demand
from smbd or "winbind --np-helper" to serve DCERPC over named pipes,
or in a standalone mode, started separately from smbd or winbind,
but this requires changes to system startup scripts.
This commit brings SELinux support for the breakout with a new
winbind_rpcd_t type.
Resolves: rhbz#2083511
---
policy/modules/contrib/samba.fc | 3 +++
policy/modules/contrib/samba.if | 19 +++++++++++++
policy/modules/contrib/samba.te | 47 +++++++++++++++++++++++++++++++++
3 files changed, 69 insertions(+)
diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
|
|
index a93346efee..873b3091b8 100644
|
|
--- a/policy/modules/contrib/samba.fc
|
|
+++ b/policy/modules/contrib/samba.fc
|
|
@@ -18,6 +18,9 @@
|
|
/usr/lib/systemd/system/nmb.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
|
|
/usr/lib/systemd/system/winbind.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
|
|
|
|
+/usr/libexec/samba/rpcd_lsad -- gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
|
|
+/usr/libexec/samba/samba-dcerpcd -- gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
|
|
+
|
|
/usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
|
|
/usr/bin/ntlm_auth -- gen_context(system_u:object_r:winbind_helper_exec_t,s0)
|
|
/usr/bin/smbcontrol -- gen_context(system_u:object_r:smbcontrol_exec_t,s0)
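Review bot: Only rpcd_lsad receives the winbind_rpcd_exec_t label, although samba 4.16 installs a family of rpcd_* helpers in /usr/libexec/samba (rpcd_epmapper, rpcd_winreg, rpcd_spoolss among others) that samba-dcerpcd forks in the same way; as written those presumably keep the directory's default label and are reachable only through the corecmd_exec_bin rule added in samba.te rather than through the execute_no_trans rule on winbind_rpcd_exec_t. A glob entry `/usr/libexec/samba/rpcd_.* -- gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)` in place of the single rpcd_lsad line would label the whole set consistently and keep the file context from needing an update for each helper.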
|
|
diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
|
|
index 0366038a90..80244a4360 100644
|
|
--- a/policy/modules/contrib/samba.if
|
|
+++ b/policy/modules/contrib/samba.if
|
|
@@ -1080,3 +1080,22 @@ interface(`samba_admin',`
|
|
admin_pattern($1, samba_unit_file_t)
|
|
allow $1 samba_unit_file_t:service all_service_perms;
|
|
')
|
|
+
|
|
+########################################
|
|
+## <summary>
|
|
+## Execute winbind rpcd in the winbind_rpcd_t domain.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed to transition.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`samba_domtrans_winbind_rpcd',`
|
|
+ gen_require(`
|
|
+ type winbind_rpcd_t, winbind_rpcd_exec_t;
|
|
+ ')
|
|
+
|
|
+ corecmd_search_bin($1)
|
|
+ domtrans_pattern($1, winbind_rpcd_exec_t, winbind_rpcd_t)
|
|
+')
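Review bot: The new winbind_rpcd_t and winbind_rpcd_var_run_t types are not reflected in samba_admin, whose closing lines are the context at the top of this hunk (its body starts outside the hunk), so a domain granted samba_admin presumably manages the other samba pid and log types but cannot manage the rpcd pid files, nor see or signal the new domain. Adding `winbind_rpcd_t, winbind_rpcd_var_run_t` to that interface's gen_require and then `ps_process_pattern($1, winbind_rpcd_t)` and `admin_pattern($1, winbind_rpcd_var_run_t)` next to the existing admin_pattern calls would keep the admin interface complete. The samba_domtrans_winbind_rpcd interface itself follows the usual corecmd_search_bin plus domtrans_pattern shape and needs no change.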
|
|
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
|
|
index 60767f430f..03b49cba42 100644
|
|
--- a/policy/modules/contrib/samba.te
|
|
+++ b/policy/modules/contrib/samba.te
|
|
@@ -176,9 +176,17 @@ role system_r types winbind_helper_t;
|
|
type winbind_helper_exec_t;
|
|
domain_entry_file(winbind_helper_t, winbind_helper_exec_t)
|
|
|
|
+type winbind_rpcd_t;
|
|
+type winbind_rpcd_exec_t;
|
|
+application_domain(winbind_rpcd_t, winbind_rpcd_exec_t)
|
|
+role system_r types winbind_rpcd_t;
|
|
+
|
|
type winbind_log_t;
|
|
logging_log_file(winbind_log_t)
|
|
|
|
+type winbind_rpcd_var_run_t;
|
|
+files_pid_file(winbind_rpcd_var_run_t)
|
|
+
|
|
type winbind_var_run_t;
|
|
files_pid_file(winbind_var_run_t)
|
|
|
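Review bot: winbind_rpcd_t is declared with application_domain, so the only entries into the domain are the smbd_t and winbind_t transitions added later in this patch; the commit message also describes a standalone mode in which samba-dcerpcd is started from system startup scripts, and in that mode nothing would transition init into winbind_rpcd_t, leaving the daemon in the starting domain. If standalone start is meant to be supported, `init_daemon_domain(winbind_rpcd_t, winbind_rpcd_exec_t)` is the usual declaration for a daemon that init may launch; if standalone mode is deliberately out of scope for this change, a comment such as `# on-demand helper of smbd_t/winbind_t only; no init transition (standalone mode not covered)` above the type declaration would record that for the next reader.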
|
@@ -1151,6 +1159,45 @@ optional_policy(`
|
|
squid_rw_stream_sockets(winbind_helper_t)
|
|
')
|
|
|
|
+########################################
|
|
+#
|
|
+# Winbind-rpcd local policy
|
|
+#
|
|
+
|
|
+allow winbind_rpcd_t self:capability { setgid setuid };
|
|
+allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
|
|
+allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
|
|
+allow winbind_rpcd_t self:udp_socket create_socket_perms;
|
|
+
|
|
+allow winbind_rpcd_t winbind_rpcd_exec_t:file execute_no_trans;
|
|
+
|
|
+read_files_pattern(winbind_rpcd_t, samba_etc_t, samba_etc_t)
|
|
+
|
|
+manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
|
|
+files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })
|
|
+manage_dirs_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
|
|
+manage_sock_files_pattern(winbind_rpcd_t, smbd_var_run_t, smbd_var_run_t)
|
|
+
|
|
+manage_files_pattern(winbind_rpcd_t, samba_log_t, samba_log_t)
|
|
+
|
|
+manage_dirs_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
|
|
+manage_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
|
|
+manage_sock_files_pattern(winbind_rpcd_t, samba_var_t, samba_var_t)
|
|
+allow winbind_rpcd_t samba_var_t:file { map } ;
|
|
+
|
|
+corecmd_exec_bin(winbind_rpcd_t)
|
|
+
|
|
+optional_policy(`
|
|
+ auth_read_passwd_file(winbind_rpcd_t)
|
|
+')
|
|
+
|
|
+# interactions with smbd_t/winbind_t
|
|
+allow smbd_t winbind_rpcd_t:unix_stream_socket connectto;
|
|
+allow winbind_t winbind_rpcd_t:unix_stream_socket connectto;
|
|
+
|
|
+samba_domtrans_winbind_rpcd(smbd_t)
|
|
+samba_domtrans_winbind_rpcd(winbind_t)
|
|
+
|
|
########################################
|
|
#
|
|
# samba_unconfined_script_t local policy
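Review bot: `files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })` carries no name argument, so every directory or file the domain creates directly in the pid directory becomes winbind_rpcd_var_run_t, while the two manage_*_pattern rules immediately below also give the same domain create rights on smbd_var_run_t directories and socket files; if the helper creates anything under /run besides its own pid file, a named transition such as `files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, dir, "<actual-dir-name>")` would keep the two labels from crossing. Two smaller points of style: `allow winbind_rpcd_t samba_var_t:file { map } ;` can be written `allow winbind_rpcd_t samba_var_t:file map;`, and the optional_policy wrapper around auth_read_passwd_file looks unnecessary if authlogin is a base module in this tree, as it is in other refpolicy-derived policies.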
|