samba: fixes for smbd/nmbd

* Do not audit capability net_admin for smbd_t/nmbd_t
* Allow nmbd_t to manage samba_var_t dirs

Fixes:
avc:  denied  { net_admin } for  pid=334 comm="smbd" capability=12
scontext=system_u:system_r:smbd_t tcontext=system_u:system_r:smbd_t
tclass=capability permissive=1

avc:  denied  { net_admin } for  pid=273 comm="nmbd" capability=12
scontext=system_u:system_r:nmbd_t tcontext=system_u:system_r:nmbd_t
tclass=capability permissive=1

avc:  denied  { create } for  pid=273 comm="nmbd" name="msg.lock"
scontext=system_u:system_r:nmbd_t tcontext=system_u:object_r:samba_var_t
tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Yi Zhao 2020-07-03 14:21:16 +08:00
parent 0c6e887481
commit 5e7b58612e
1 changed files with 3 additions and 2 deletions


@ -268,7 +268,7 @@ optional_policy(`
#
allow smbd_t self:capability { chown dac_override dac_read_search fowner fsetid kill lease setgid setuid sys_admin sys_chroot sys_nice sys_resource };
dontaudit smbd_t self:capability sys_tty_config;
dontaudit smbd_t self:capability { sys_tty_config net_admin };
allow smbd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow smbd_t self:fd use;
allow smbd_t self:fifo_file rw_fifo_file_perms;
@ -518,7 +518,7 @@ optional_policy(`
# Nmbd Local policy
#
dontaudit nmbd_t self:capability sys_tty_config;
dontaudit nmbd_t self:capability { sys_tty_config net_admin };
allow nmbd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow nmbd_t self:fd use;
allow nmbd_t self:fifo_file rw_fifo_file_perms;
@ -543,6 +543,7 @@ append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
manage_dirs_pattern(nmbd_t, samba_var_t, samba_var_t)
mmap_manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
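Review bot: The two new dontaudit rules (the smbd_t line in the first hunk and the matching nmbd_t line in the second) silence net_admin without recording why the capability can be withheld rather than granted; the AVC lines in the description were collected with permissive=1, so they show that the daemons request it, not that they work without it in enforcing mode. If that has been verified, a one-line comment above each rule would preserve the reasoning for the next person who sees the same denial, e.g. `# net_admin is requested but not required; silence the denial rather than grant it`. Keep in mind that a dontaudit also hides any future denial of the same capability for these domains, so the verification matters. Separately, `manage_dirs_pattern(nmbd_t, samba_var_t, samba_var_t)` in the third hunk grants the full directory-management set for a denial that only showed `create` on msg.lock; it matches the neighbouring manage_* lines for samba_var_t and is presumably intended, but `create_dirs_pattern(nmbd_t, samba_var_t, samba_var_t)` would be the minimal fix if narrower access is preferred.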