* refpolicy patch: samba enhancements
From: Mike Edenfield @ 2008-07-14 20:31 UTC (permalink / raw)
  To: SELinux Mailing List

I apologize if I'm not doing this right, I'm kinda new at this...

I have made some changes to the SELinux policy for our intranet servers 
that I thought might be useful to a broader audience.  Included below is 
a patch to the latest refpolicy.  This has been tested on the Gentoo 
systems we have here; I don't have easy access to other SELinux systems 
at the moment.  It does the following:

* Updates samba_stream_connect_winbind to match the observed behavior of 
winbind

* Gives winbind access to delete its own sockets

* Gives nmbd access to fully manage (i.e. rename) log files

* Adds a tunable that lets samba create home directories via pam_mkhomedir


Index: policy/modules/services/samba.if
===================================================================
--- policy/modules/services/samba.if	(revision 2758)
+++ policy/modules/services/samba.if	(working copy)
@@ -484,17 +484,19 @@
  ## </param>
  #
  interface(`samba_stream_connect_winbind',`
-	ifdef(`distro_redhat',`
-		gen_require(`
-			type samba_var_t, winbind_t, winbind_var_run_t;
-		')
+	gen_require(`
+		type samba_var_t, winbind_t, winbind_var_run_t;
+	')

-		files_search_pids($1)
-		allow $1 samba_var_t:dir search_dir_perms;
-		stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
-	',`
+	files_search_pids($1)
+	allow $1 samba_var_t:dir search_dir_perms;
+	stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
+	
+	ifdef(`distro_redhat',`', `
  		gen_require(`
-			type winbind_t, winbind_tmp_t;
+			type winbind_tmp_t;
  		')

  		# the default for the socket is (poorly named):
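Review bot: the `ifdef(`distro_redhat',`', `` that closes this hunk has an empty true branch and exists only to run the non-Red Hat block, so it should be `ifndef(`distro_redhat',`` (refpolicy supplies ifndef). The added line directly after `stream_connect_pattern(...)` carries trailing whitespace (a lone tab) and should be an empty line. Hoisting `winbind_t` into the outer `gen_require` is correct, since both the common block and the remaining inner block now use it, and dropping it from the inner `gen_require` follows from that.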
Index: policy/modules/services/samba.te
===================================================================
--- policy/modules/services/samba.te	(revision 2758)
+++ policy/modules/services/samba.te	(working copy)
@@ -59,6 +59,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs,false)

+## <desc>
+## <p>
+## Allow samba to create new home directories (e.g. via PAM)
+## </p>
+## </desc>
+gen_tunable(samba_create_home_dirs,false)
+
  type nmbd_t;
  type nmbd_exec_t;
  init_daemon_domain(nmbd_t,nmbd_exec_t)
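Review bot: the new `<desc>` should state what the tunable actually grants rather than only the use case: it is smbd_t that gains creation and management of unprivileged users' home directories plus the chown capability (see the tunable_policy block later in this patch), and "e.g. via PAM" does not tell an administrator that. Naming pam_mkhomedir, as the cover letter does, would also help someone deciding whether to turn it on.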
@@ -379,6 +386,14 @@
  	unprivuser_home_dir_filetrans_home_content(nmbd_t, { file dir })
  ')

+tunable_policy(`samba_create_home_dirs',`
+    unprivuser_home_filetrans_home_dir(smbd_t)
+    unprivuser_manage_home_dirs(smbd_t)
+
+    allow smbd_t self:capability chown;
+')
  ########################################
  #
  # nmbd Local policy
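Review bot: `unprivuser_manage_home_dirs(smbd_t)` grants considerably more than creation (it includes renaming and deleting users' home directories), so a narrower interface that only creates the home directory and its initial contents would match the stated goal; keep the chown capability inside the same tunable so nothing is granted while it is off. Style points in the same hunk: the added lines use four-space indentation where the surrounding code uses tabs (compare the context line `unprivuser_home_dir_filetrans_home_content(nmbd_t, { file dir })`), and a blank line is missing between the closing `')` and the `####` separator that follows it.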
@@ -404,7 +419,7 @@
  read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)

  manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
-append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
+manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)
  allow nmbd_t samba_log_t:file unlink;

  read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
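Review bot: `manage_files_pattern()` already includes unlink, so the retained `allow nmbd_t samba_log_t:file unlink;` becomes redundant, and the `read_files_pattern(nmbd_t,samba_log_t,samba_log_t)` two lines below is subsumed as well. If the only missing permission is rename, `allow nmbd_t samba_log_t:file rename;` is the explicit and minimal form; switching from `append_files_pattern()` to manage also adds create, write and setattr on the logs, which the cover letter does not ask for.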
@@ -675,6 +690,7 @@

  manage_dirs_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
  manage_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
+manage_sock_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
  files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })

  manage_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
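Review bot: `manage_sock_files_pattern()` lets winbind create and unlink sockets labelled winbind_tmp_t, but the `files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })` context line does not include sock_file, so a socket winbind creates in /tmp would not receive that label. If winbind only needs to remove stale sockets, as the cover letter says, `delete_sock_files_pattern()` is the tighter choice; if it creates them, sock_file has to be added to the filetrans class set as well.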

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: refpolicy patch: samba enhancements
From: Christopher J. PeBenito @ 2008-07-18 14:59 UTC (permalink / raw)
  To: Mike Edenfield; +Cc: SELinux Mailing List

On Mon, 2008-07-14 at 16:31 -0400, Mike Edenfield wrote:
> I apologize if I'm not doing this right, I'm kinda new at this...
> 
> I have made some changes to the SELinux policy for our intranet servers 
> that I thought might be useful to a broader audience.  Included below is 
> a patch to the latest refpolicy.  This has been tested on the Gentoo 
> systems we have here; I don't have easy access to other SELinux systems 
> at the moment.  It does the following:
> 
> * Updates samba_stream_connect_winbind to match the observed behavior of 
> winbind
> 
> * Gives winbind access to delete its own sockets
> 
> * Gives nmbd access to fully manage (i.e. rename) log files
> 
> * Adds a tunable that lets samba create home directories via pam_mkhomedir

A few notes:

> Index: policy/modules/services/samba.if
> ===================================================================
> --- policy/modules/services/samba.if	(revision 2758)
> +++ policy/modules/services/samba.if	(working copy)
> @@ -484,17 +484,19 @@
>   ## </param>
>   #
>   interface(`samba_stream_connect_winbind',`
> -	ifdef(`distro_redhat',`
> -		gen_require(`
> -			type samba_var_t, winbind_t, winbind_var_run_t;
> -		')
> +	gen_require(`
> +		type samba_var_t, winbind_t, winbind_var_run_t;
> +	')
> 
> -		files_search_pids($1)
> -		allow $1 samba_var_t:dir search_dir_perms;
> -		stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
> -	',`
> +	files_search_pids($1)
> +	allow $1 samba_var_t:dir search_dir_perms;
> +	stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
> +	
> +	ifdef(`distro_redhat',`', `

This can be ifndef(`distro_redhat',`


> +tunable_policy(`samba_create_home_dirs',`
> +    unprivuser_home_filetrans_home_dir(smbd_t)
> +    unprivuser_manage_home_dirs(smbd_t)

I think we want this to be unprivuser_create_home_dirs(), which would
need to be added.

> +
> +    allow smbd_t self:capability chown;
> +')



> @@ -404,7 +419,7 @@
>   read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
> 
>   manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
> -append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
> +manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)
>   allow nmbd_t samba_log_t:file unlink;
> 
>   read_files_pattern(nmbd_t,samba_log_t,samba_log_t)

If the goal is just to add a rename permission onto nmbd, then that
permission should be added explicitly.  Manage will allow it to delete
the log, which we don't want, if we don't have to.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: refpolicy patch: samba enhancements
From: Mike Edenfield @ 2008-07-18 17:31 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: SELinux Mailing List

Christopher J. PeBenito wrote:
> On Mon, 2008-07-14 at 16:31 -0400, Mike Edenfield wrote:

>> +tunable_policy(`samba_create_home_dirs',`
>> +    unprivuser_home_filetrans_home_dir(smbd_t)
>> +    unprivuser_manage_home_dirs(smbd_t)
> 
> I think we want this to be unprivuser_create_home_dirs(), which would
> need to be added.

That was my first instinct but I didn't see one already present, so I 
just copied what I found for oddjob_mkhomedir.

I'll define a new interface for this -- I assume that's probably a 
separate patch?  And I should convert the sysadm role and oddjob type to 
use the interface?

>> @@ -404,7 +419,7 @@
>>   read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
>>
>>   manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
>> -append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
>> +manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)
>>   allow nmbd_t samba_log_t:file unlink;
>>
>>   read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
> 
> If the goal is just to add a rename permission onto nmbd, then that
> permission should be added explicitly.  Manage will allow it to delete
> the log, which we don't want, if we don't have to.

Actually, I missed a line when I was reapplying my patches to do svn 
diffs; the nmbd_t type already has unlink permissions for the type, just 
not rename, so it seemed that manage_files was the correct thing -- it 
should let me get rid of the next line as well.

New patch coming in a bit.


* Re: refpolicy patch: samba enhancements
From: Daniel J Walsh @ 2008-07-18 17:42 UTC (permalink / raw)
  To: Mike Edenfield; +Cc: SELinux Mailing List

Mike Edenfield wrote:
> I apologize if I'm not doing this right, I'm kinda new at this...
> 
> I have made some changes to the SELinux policy for our intranet servers
> that I thought might be useful to a broader audience.  Included below is
> a patch to the latest refpolicy.  This has been tested on the Gentoo
> systems we have here; I don't have easy access to other SELinux systems
> at the moment.  It does the following:
> 
> * Updates samba_stream_connect_winbind to match the observed behavior of
> winbind
> 
> * Gives winbind access to delete its own sockets
> 
> * Gives nmbd access to fully manage (i.e. rename) log files
> 
> * Adds a tunable that lets samba create home directories via pam_mkhomedir
> 
> 
> Index: policy/modules/services/samba.if
> ===================================================================
> --- policy/modules/services/samba.if    (revision 2758)
> +++ policy/modules/services/samba.if    (working copy)
> @@ -484,17 +484,19 @@
>  ## </param>
>  #
>  interface(`samba_stream_connect_winbind',`
> -    ifdef(`distro_redhat',`
> -        gen_require(`
> -            type samba_var_t, winbind_t, winbind_var_run_t;
> -        ')
> +    gen_require(`
> +        type samba_var_t, winbind_t, winbind_var_run_t;
> +    ')
> 
> -        files_search_pids($1)
> -        allow $1 samba_var_t:dir search_dir_perms;
> -       
> stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
> -    ',`
> +    files_search_pids($1)
> +    allow $1 samba_var_t:dir search_dir_perms;
> +   
> stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
> +   
> +    ifdef(`distro_redhat',`', `
>          gen_require(`
> -            type winbind_t, winbind_tmp_t;
> +            type winbind_tmp_t;
>          ')
> 
>          # the default for the socket is (poorly named):
> Index: policy/modules/services/samba.te
> ===================================================================
> --- policy/modules/services/samba.te    (revision 2758)
> +++ policy/modules/services/samba.te    (working copy)
> @@ -59,6 +59,13 @@
>  ## </desc>
>  gen_tunable(samba_share_nfs,false)
> 
> +## <desc>
> +## <p>
> +## Allow samba to create new home directories (e.g. via PAM)
> +## </p>
> +## </desc>
> +gen_tunable(samba_create_home_dirs,false)
> +
>  type nmbd_t;
>  type nmbd_exec_t;
>  init_daemon_domain(nmbd_t,nmbd_exec_t)
> @@ -379,6 +386,14 @@
>      unprivuser_home_dir_filetrans_home_content(nmbd_t, { file dir })
>  ')
> 
> +tunable_policy(`samba_create_home_dirs',`
> +    unprivuser_home_filetrans_home_dir(smbd_t)
> +    unprivuser_manage_home_dirs(smbd_t)
> +
> +    allow smbd_t self:capability chown;
> +')
>  ########################################
>  #
>  # nmbd Local policy
> @@ -404,7 +419,7 @@
>  read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
> 
>  manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
> -append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
> +manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)
>  allow nmbd_t samba_log_t:file unlink;
> 
>  read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
> @@ -675,6 +690,7 @@
> 
>  manage_dirs_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
>  manage_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
> +manage_sock_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
>  files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
> 
>  manage_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
> 
Could you do this with pam_oddjob_mkhomedir without having to add the
privs?  I think this is a better solution.


* Re: refpolicy patch: samba enhancements
From: Christopher J. PeBenito @ 2008-07-18 18:14 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Mike Edenfield, SELinux Mailing List

On Fri, 2008-07-18 at 13:42 -0400, Daniel J Walsh wrote:
> Mike Edenfield wrote:
> > I apologize if I'm not doing this right, I'm kinda new at this...
> > 
> > I have made some changes to the SELinux policy for our intranet servers
> > that I thought might be useful to a broader audience.  Included below is
> > a patch to the latest refpolicy.  This has been tested on the Gentoo
> > systems we have here; I don't have easy access to other SELinux systems
> > at the moment.  It does the following:
[...]
> > * Adds a tunable that lets samba create home directories via pam_mkhomedir

> Could you do this with pam_oddjob_mkhomedir without having to add the
> privs?  I think this is a better solution.

What if you don't have oddjob?  It doesn't hurt to have the perms in a
tunable.  It could be put in an ifndef distro_redhat, if samba in
fedora/rh requires pam_oddjob_mkhomedir.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: refpolicy patch: samba enhancements
From: Christopher J. PeBenito @ 2008-07-18 18:19 UTC (permalink / raw)
  To: Mike Edenfield; +Cc: SELinux Mailing List

On Fri, 2008-07-18 at 13:31 -0400, Mike Edenfield wrote:
> Christopher J. PeBenito wrote:
> > On Mon, 2008-07-14 at 16:31 -0400, Mike Edenfield wrote:
> 
> >> +tunable_policy(`samba_create_home_dirs',`
> >> +    unprivuser_home_filetrans_home_dir(smbd_t)
> >> +    unprivuser_manage_home_dirs(smbd_t)
> > 
> > I think we want this to be unprivuser_create_home_dirs(), which would
> > need to be added.
> 
> That was my first instinct but I didn't see one already present, so I 
> just copied what I found for oddjob_mkhomedir.
> 
> I'll define a new interface for this -- I assume that's probably a 
> separate patch?

No, it's fine to include it in this one.

>   And I should convert the sysadm role and oddjob type to 
> use the interface?

Sysadm is fine as is, since it already has broad powers for managing
users.  I'm not sure about the oddjob usage; you'd have to check the
program's features to see if it does other things in addition to just
creating the dirs.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: refpolicy patch: samba enhancements
From: Mike Edenfield @ 2008-07-18 18:24 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SELinux Mailing List

Daniel J Walsh wrote:

> Could you do this with pam_oddjob_mkhomedir without having to add the
> privs?  I think this is a better solution.

Is this a Redhat-specific thing?  I'm running Gentoo, and while I have a 
"pam_mkhomedir" module, I don't have anything called oddjob anywhere.

I'm using the pam_mkhomedir module, but it's running under the nmbd 
context, so that's where I had to put the rules.  There isn't a way to 
get the PAM module to use a different context than the process it's 
loaded into, is there?

--Mike


* Re: refpolicy patch: samba enhancements
From: Mike Edenfield @ 2008-07-18 18:29 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: Daniel J Walsh, SELinux Mailing List

Christopher J. PeBenito wrote:
> On Fri, 2008-07-18 at 13:42 -0400, Daniel J Walsh wrote:
>> Mike Edenfield wrote:
>>> I apologize if I'm not doing this right, I'm kinda new at this...
>>>
>>> I have made some changes to the SELinux policy for our intranet servers
>>> that I thought might be useful to a broader audience.  Included below is
>>> a patch to the latest refpolicy.  This has been tested on the Gentoo
>>> systems we have here; I don't have easy access to other SELinux systems
>>> at the moment.  It does the following:
> [...]
>>> * Adds a tunable that lets samba create home directories via pam_mkhomedir
> 
>> Could you do this with pam_oddjob_mkhomedir without having to add the
>> privs?  I think this is a better solution.
> 
> What if you don't have oddjob?  It doesn't hurt to have the perms in a
> tunable.  It could be put in an ifndef distro_redhat, if samba in
> fedora/rh requires pam_oddjob_mkhomedir.

If this is the preferable way for RH users to set up samba, would this 
be an appropriate solution?

tunable_policy(`samba_create_home_dirs',`
	ifdef(`distro_redhat',`
		refpolicywarn(`Use of samba_create_home_dirs is discouraged. Please use pam_oddjob_mkhomedir instead.')
	',`
		unprivuser_create_home_dirs(smbd_t)
		allow smbd_t self:capability chown;
	')
')



* Re: refpolicy patch: samba enhancements
From: Mike Edenfield @ 2008-07-18 18:37 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: SELinux Mailing List

Christopher J. PeBenito wrote:
> On Fri, 2008-07-18 at 13:31 -0400, Mike Edenfield wrote:
>> Christopher J. PeBenito wrote:
>>> On Mon, 2008-07-14 at 16:31 -0400, Mike Edenfield wrote:
>>>> +tunable_policy(`samba_create_home_dirs',`
>>>> +    unprivuser_home_filetrans_home_dir(smbd_t)
>>>> +    unprivuser_manage_home_dirs(smbd_t)
>>> I think we want this to be unprivuser_create_home_dirs(), which would
>>> need to be added.
>> That was my first instinct but I didn't see one already present, so I 
>> just copied what I found for oddjob_mkhomedir.
>>
>> I'll define a new interface for this -- I assume that's probably a 
>> separate patch?
> 
> No, it's fine to include it in this one.
> 
>>   And I should convert the sysadm role and oddjob type to 
>> use the interface?
> 
> Sysadm is fine as is, since it already has broad powers for managing
> users.  I'm not sure about the oddjob usage; you'd have to check the
> program's features to see if it does other things in addition to just
> creating the dirs.
> 

The reason I mentioned it is because both sysadm and oddjob use the same 
two interfaces I put in the samba patch.  In fact, I don't see anywhere 
in the ref policy that manage_home_dirs is ever used without the 
filetrans interface right before it.  This leads me to suggest that I 
just add a call to home_filetrans_home_dir inside manage_home_dirs, 
since it seems to be almost a prerequisite anyway.

I just checked oddjob -- it calls a series of related interfaces, which 
sysadm and the samba policy already also called, so perhaps all of these 
can be put into a "create_home_directories" interface and simplify the 
policy in three places:

unprivuser_home_filetrans_home_dir(oddjob_mkhomedir_t)
unprivuser_manage_home_content_dirs(oddjob_mkhomedir_t)
unprivuser_manage_home_content_files(oddjob_mkhomedir_t)
unprivuser_manage_home_dirs(oddjob_mkhomedir_t)
unprivuser_home_dir_filetrans_home_content(oddjob_mkhomedir_t,notdevfile_class_set)

--Mike
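As an added illustration (editorial example, not code from this thread or from refpolicy itself): one way to write the unprivuser_create_home_dirs() interface Chris asked for, built from the five calls Mike lists above, together with the samba.te tunable written with the ifndef(`distro_redhat') form Chris suggested. The interface name, its placement in userdomain.if, and the warning text are assumptions; the unprivuser_* calls it wraps are the ones already used by oddjob and sysadm in the thread.

```m4
########################################
## <summary>
##	Create unprivileged users' home directories and populate
##	their initial contents (the pam_mkhomedir / oddjob_mkhomedir case).
##	Assumed interface name and location (userdomain.if); refpolicy
##	did not provide this interface at the time of the thread.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`unprivuser_create_home_dirs',`
	# the new top-level directory must be labelled as a home directory,
	# not inherit the label of /home; manage_dirs alone does not do that
	unprivuser_home_filetrans_home_dir($1)
	unprivuser_manage_home_dirs($1)

	# everything created inside it (the /etc/skel copy) gets the home
	# content type rather than the home directory type
	unprivuser_home_dir_filetrans_home_content($1, notdevfile_class_set)
	unprivuser_manage_home_content_dirs($1)
	unprivuser_manage_home_content_files($1)
')

# samba.te: gate the access behind the tunable so nothing is granted
# while it is off; on Red Hat builds point the administrator at
# pam_oddjob_mkhomedir instead of widening smbd_t.
tunable_policy(`samba_create_home_dirs',`
	ifndef(`distro_redhat',`
		unprivuser_create_home_dirs(smbd_t)
		# pam_mkhomedir chowns the new directory to the user
		allow smbd_t self:capability chown;
	',`
		refpolicywarn(`samba_create_home_dirs is discouraged on this distro; use pam_oddjob_mkhomedir instead.')
	')
')
```

Keeping the chown capability inside the tunable rather than beside it matters: it is the one rule here that is not scoped to user home types, so it should only exist when an administrator has explicitly opted in.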



* Re: refpolicy patch: samba enhancements
From: Daniel J Walsh @ 2008-07-18 18:59 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: Mike Edenfield, SELinux Mailing List

Christopher J. PeBenito wrote:
> On Fri, 2008-07-18 at 13:42 -0400, Daniel J Walsh wrote:
>> Mike Edenfield wrote:
>>> I apologize if I'm not doing this right, I'm kinda new at this...
>>>
>>> I have made some changes to the SELinux policy for our intranet servers
>>> that I thought might be useful to a broader audience.  Included below is
>>> a patch to the latest refpolicy.  This has been tested on the Gentoo
>>> systems we have here; I don't have easy access to other SELinux systems
>>> at the moment.  It does the following:
> [...]
>>> * Adds a tunable that lets samba create home directories via pam_mkhomedir
> 
>> Could you do this with pam_oddjob_mkhomedir without having to add the
>> privs?  I think this is a better solution.
> 
> What if you don't have oddjob?  It doesn't hurt to have the perms in a
> tunable.  It could be put in an ifndef distro_redhat, if samba in
> fedora/rh requires pam_oddjob_mkhomedir.
> 
I have more of a problem with pam_mkhomedir from login programs since
samba can currently read/write homedirs with a boolean.  It is not as
big a deal.  oddjob just breaks things out the way SELinux likes it.
The PAM module requests that a service create a homedir.  The service execs a job to
create the homedir.  Each process gets a different context.


Gentoo should look into it.

But I am fine with adding the patch.  pam_mkhomedir does not work well
currently with ssh, locallogin, gdm on the Fedora platform.




* Re: refpolicy patch: samba enhancements
From: Daniel J Walsh @ 2008-07-18 19:08 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: Mike Edenfield, SELinux Mailing List

Christopher J. PeBenito wrote:
> On Fri, 2008-07-18 at 13:31 -0400, Mike Edenfield wrote:
>> Christopher J. PeBenito wrote:
>>> On Mon, 2008-07-14 at 16:31 -0400, Mike Edenfield wrote:
>>>> +tunable_policy(`samba_create_home_dirs',`
>>>> +    unprivuser_home_filetrans_home_dir(smbd_t)
>>>> +    unprivuser_manage_home_dirs(smbd_t)
>>> I think we want this to be unprivuser_create_home_dirs(), which would
>>> need to be added.
>> That was my first instinct but I didn't see one already present, so I 
>> just copied what I found for oddjob_mkhomedir.
>>
>> I'll define a new interface for this -- I assume that's probably a 
>> separate patch?
> 
> No, it's fine to include it in this one.
> 
>>   And I should convert the sysadm role and oddjob type to 
>> use the interface?
> 
> Sysadm is fine as is, since it already has broad powers for managing
> users.  I'm not sure about the oddjob usage; you'd have to check the
> program's features to see if it does other things in addition to just
> creating the dirs.
> 
Oddjob creates the directory and copies /etc/skel.


