commit 94ee6e6f6113e19b7ba8b5bf069d6b0dde53df97
Author: Dustin C. Hatch
Date: Thu Aug 26 21:18:41 2021 -0500
Initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5552bee
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+tmp/
+*.pp
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..5030cd4
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,5 @@
+NAME ?= targetd
+
+.PHONY: all
+all:
+ $(MAKE) NAME=$(NAME) -f /usr/share/selinux/devel/Makefile
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3026a82
--- /dev/null
+++ b/README.md
@@ -0,0 +1,17 @@
+# Dustin's SELinux Policy Modules
+
+This is a collection of SELinux policy modules that fix or augment the default
+SELinux policy for Fedora/RHEL.
+
+## dch-samba
+
+The SELinux reference policy does not have rules for the Samba Active Directory
+Domain Controller ("samba4"). On Fedora/RHEL, `/usr/bin/samba` runs in
+`unconfined_service_t`. This is fine for the DC functionality itself, but
+breaks `winbindd`. The refpolicy does have rules for winbind, but they expect
+it to run in its own domain, `winbind_t`. Since `winbindd` is started by
+`samba` when running on a DC, it runs in `unconfined_service_t` as well.
+
+The *dch-samba* policy module adds a couple of rules to allow `samba` to launch
+`winbindd` in the correct domain, and fixes up a few other AVC denials that
+come from doing this.
diff --git a/dch-samba.fc b/dch-samba.fc
new file mode 100644
index 0000000..f8e4579
--- /dev/null
+++ b/dch-samba.fc
@@ -0,0 +1,2 @@
+/usr/sbin/samba -- gen_context(system_u:object_r:samba_exec_t,s0)
+
diff --git a/dch-samba.if b/dch-samba.if
new file mode 100644
index 0000000..3eb6a30
--- /dev/null
+++ b/dch-samba.if
@@ -0,0 +1 @@
+##
diff --git a/dch-samba.te b/dch-samba.te
new file mode 100644
index 0000000..6ce918c
--- /dev/null
+++ b/dch-samba.te
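Review bot: The default `NAME ?= targetd` on the first line of the Makefile looks like a typo for `targeted`; NAME is forwarded unchanged to the refpolicy devel Makefile, which as far as I know treats it as the SELINUXTYPE used to locate the policy headers, so the default would only work when the caller overrides it. Suggest `NAME ?= targeted`, or drop the default entirely and let the devel Makefile derive it from /etc/selinux/config as it does on its own. A one-line comment such as `# SELinux policy type (targeted/mls); passed through to the refpolicy devel Makefile` would make the variable's meaning clear to the next reader.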
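Review bot: The file context on the only line of dch-samba.fc labels `/usr/sbin/samba`, while the README in the same commit says `/usr/bin/samba` is what runs in `unconfined_service_t`; one of the two paths is wrong, and if the binary really lives under /usr/bin the label never applies, samba keeps running unconfined and the transition to winbind_t never happens. Please confirm the installed path on a target host (e.g. `ls -Z` on the binary) and align the README with it. Since a new file context only takes effect after the file is relabelled, a short README note about running `restorecon -v` on the samba binary after loading the module would save users a confusing first run.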
@@ -0,0 +1,22 @@
+policy_module(dch-samba, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type samba_t;
+type samba_exec_t;
+init_daemon_domain(samba_t, samba_exec_t);
+
+unconfined_domain_noaudit(samba_t);
+
+gen_require(`
+ type winbind_t, winbind_exec_t;
+')
+
+# Allow winbindd to transition winbind_t when launched by samba
+domtrans_pattern(samba_t, winbind_exec_t, winbind_t);
+
+# Allow winbind to connect to the samr socket
+allow winbind_t samba_t:unix_stream_socket connectto;
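Review bot: The `allow winbind_t samba_t:unix_stream_socket connectto;` on the last line covers only the process-side check; connecting to a Unix-domain socket also requires write permission on the socket file's type, so unless the stock winbind policy already grants that for wherever samba creates the samr socket, the denial will move to a `sock_file write` AVC rather than disappear — worth confirming under audit before treating the AVCs as fixed. `unconfined_domain_noaudit(samba_t)` leaves the new domain fully unconfined, so this module restricts nothing about samba itself and exists only to host the type transition to winbind_t; a comment stating that intent, e.g. `# samba_t stays unconfined; its only purpose is the domain transition to winbind_t`, would stop a later reader from assuming samba is being confined here. If the installed samba policy provides a `samba_domtrans_winbind()` interface, calling it in place of the raw `gen_require` block plus `domtrans_pattern` would be the idiomatic form and avoid depending on those private type names directly. The comment above the transition rule reads as if winbindd performs the transition; `# Transition to winbind_t when samba execs winbind_exec_t` says what the rule actually does.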