From bb517fb5ee14f9370c6ef36ab6cdafeb872fc406 Mon Sep 17 00:00:00 2001 From: Lukas Vrabec <lvrabec@redhat.com> Date: Thu, 26 Oct 2023 13:36:25 +0200 Subject: [PATCH] Allow winbind_rpcd_t processes access when samba_export_all_* is on This commit expand the commit 7367896085 to include winbind_rpcd_t process to access all samba shares when boolean samba_export_all_rw or samba_export_all_ro is enabled. Signed-off-by: Lukas Vrabec <lvrabec@redhat.com> --- policy/modules/contrib/samba.te | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te index 2e73ce4479..c43a4529e0 100644 --- a/policy/modules/contrib/samba.te +++ b/policy/modules/contrib/samba.te @@ -604,6 +604,11 @@ tunable_policy(`samba_export_all_ro',` files_dontaudit_list_security_dirs(nmbd_t) files_dontaudit_search_security_files(nmbd_t) files_dontaudit_read_security_files(nmbd_t) + fs_read_noxattr_fs_files(winbind_rpcd_t) + files_read_non_security_files(winbind_rpcd_t) + files_dontaudit_list_security_dirs(winbind_rpcd_t) + files_dontaudit_search_security_files(winbind_rpcd_t) + files_dontaudit_read_security_files(winbind_rpcd_t) ') tunable_policy(`samba_export_all_rw',` @@ -620,6 +625,12 @@ tunable_policy(`samba_export_all_rw',` files_dontaudit_list_security_dirs(nmbd_t) files_dontaudit_search_security_files(nmbd_t) files_dontaudit_read_security_files(nmbd_t) + fs_manage_noxattr_fs_files(winbind_rpcd_t) + files_manage_non_security_files(winbind_rpcd_t) + files_manage_non_security_dirs(winbind_rpcd_t) + files_dontaudit_list_security_dirs(winbind_rpcd_t) + files_dontaudit_search_security_files(winbind_rpcd_t) + files_dontaudit_read_security_files(winbind_rpcd_t) ') userdom_filetrans_home_content(nmbd_t)