From bb517fb5ee14f9370c6ef36ab6cdafeb872fc406 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec <lvrabec@redhat.com>
Date: Thu, 26 Oct 2023 13:36:25 +0200
Subject: [PATCH] Allow  winbind_rpcd_t processes access when
 samba_export_all_* is on

This commit extends commit 7367896085 so that winbind_rpcd_t processes can also access all samba shares when the boolean
samba_export_all_rw or samba_export_all_ro is enabled.

Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
---
 policy/modules/contrib/samba.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 2e73ce4479..c43a4529e0 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -604,6 +604,11 @@ tunable_policy(`samba_export_all_ro',`
     files_dontaudit_list_security_dirs(nmbd_t)
     files_dontaudit_search_security_files(nmbd_t)
     files_dontaudit_read_security_files(nmbd_t)
+    fs_read_noxattr_fs_files(winbind_rpcd_t)
+    files_read_non_security_files(winbind_rpcd_t)
+    files_dontaudit_list_security_dirs(winbind_rpcd_t)
+    files_dontaudit_search_security_files(winbind_rpcd_t)
+    files_dontaudit_read_security_files(winbind_rpcd_t)
 ')
 
 tunable_policy(`samba_export_all_rw',`
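Review bot: The three `files_dontaudit_*` lines added for `winbind_rpcd_t` (here and again in the `samba_export_all_rw` hunk) suppress the AVC denials that would otherwise record this domain touching security files. While either boolean is on, an rpcd worker that misbehaves or is compromised therefore leaves no audit record of those attempts. This mirrors what the context lines already do for `nmbd_t`, but the trade-off deserves a line in the policy, for example `# dontaudit: export-all walks the whole tree, denials on security files are expected; run semodule -DB to surface them` above the first dontaudit rule. The `tunable_policy` block opens above the hunk, so the rules for the other samba domains are not visible from here.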
@@ -620,6 +625,12 @@ tunable_policy(`samba_export_all_rw',`
     files_dontaudit_list_security_dirs(nmbd_t)
     files_dontaudit_search_security_files(nmbd_t)
     files_dontaudit_read_security_files(nmbd_t)
+    fs_manage_noxattr_fs_files(winbind_rpcd_t)
+    files_manage_non_security_files(winbind_rpcd_t)
+    files_manage_non_security_dirs(winbind_rpcd_t)
+    files_dontaudit_list_security_dirs(winbind_rpcd_t)
+    files_dontaudit_search_security_files(winbind_rpcd_t)
+    files_dontaudit_read_security_files(winbind_rpcd_t)
 ')
 
 userdom_filetrans_home_content(nmbd_t)
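Review bot: `files_manage_non_security_files(winbind_rpcd_t)` and `files_manage_non_security_dirs(winbind_rpcd_t)` appear, going by the interface names, to let the domain create, modify and delete every non-security file and directory once `samba_export_all_rw` is on. Nothing in the hunk or the description says which rpcd operation needs write rather than read access. If the denials that motivated the change were reads only, this block could use the read interfaces from the `samba_export_all_ro` hunk and keep the write surface of a network-facing helper smaller. Otherwise record the reason next to the rules, e.g. `# winbind_rpcd_t: same rw export access as nmbd_t above, see commit 7367896085`. The block starts outside the hunk, so the existing grants to the other samba domains cannot be compared here.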