

Allow winbind-rpcd use its private tmp files
This permission is required for working with temporary printing files
created in the /tmp or /var/tmp directories.

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(07/26/2023 07:22:13.392:2480) : proctitle=/bin/bash /usr/local/bin/Pdfprint.sh -s /var/tmp/smbprn.uY9Kob -d /home/smbuser -o smbuser -m 600 -l /var/log/samba/lo
type=SYSCALL msg=audit(07/26/2023 07:22:13.392:2480) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x55648f0250b0 a2=O_RDWR|O_CREAT|O_EXCL a3=0x180 items=0 ppid=40948 pid=40952 auid=unset uid=unknown(1001) gid=unknown(1001) euid=unknown(1001) suid=unknown(1001) fsuid=unknown(1001) egid=unknown(1001) sgid=unknown(1001) fsgid=unknown(1001) tty=(none) ses=unset comm=Pdfprint.sh exe=/usr/bin/bash subj=system_u:system_r:winbind_rpcd_t:s0 key=(null) SYSCALL=openat AUID="unset" UID="smbuser" GID="smbuser" EUID="smbuser" SUID="smbuser" FSUID="smbuser" EGID="smbuser" SGID="smbuser" FSGID="smbuser"
type=AVC msg=audit(07/26/2023 07:22:13.392:2480) : avc:  denied  { write } for  pid=40952 comm=Pdfprint.sh name=tmp dev="vda3" ino=17458889 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
zpytela committed Aug 1, 2023
1 parent a4ba6ba commit 5e0041c
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions policy/modules/contrib/samba.te
Expand Up @@ -181,6 +181,9 @@ type winbind_rpcd_exec_t;
application_domain(winbind_rpcd_t, winbind_rpcd_exec_t)
role system_r types winbind_rpcd_t;

type winbind_rpcd_tmp_t;
files_tmp_file(winbind_rpcd_tmp_t)

type winbind_log_t;
logging_log_file(winbind_log_t)

Expand Down Expand Up @@ -1188,6 +1191,9 @@ write_sock_files_pattern(winbind_rpcd_t, winbind_var_run_t, winbind_var_run_t)
manage_files_pattern(winbind_rpcd_t, winbind_rpcd_var_run_t, winbind_rpcd_var_run_t)
files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })

manage_files_pattern(winbind_rpcd_t, winbind_rpcd_tmp_t, winbind_rpcd_tmp_t)
files_tmp_filetrans(winbind_rpcd_t, winbind_rpcd_tmp_t, file)

# access to files of other samba domains
manage_dirs_pattern(winbind_rpcd_t, samba_share_t, samba_share_t)
manage_files_pattern(winbind_rpcd_t, samba_share_t, samba_share_t)
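Review bot: The new `files_tmp_filetrans(winbind_rpcd_t, winbind_rpcd_tmp_t, file)` in the second hunk labels only newly created files, so a temporary directory created under /tmp by the same print scripts would stay `tmp_t` and hit the same denial, while the neighbouring `files_pid_filetrans(winbind_rpcd_t, winbind_rpcd_var_run_t, { dir file })` already uses the broader form. If directories are expected, the pair should be `manage_dirs_pattern(winbind_rpcd_t, winbind_rpcd_tmp_t, winbind_rpcd_tmp_t)` and `files_tmp_filetrans(winbind_rpcd_t, winbind_rpcd_tmp_t, { dir file })`; the quoted AVC only shows an `openat` with `O_CREAT|O_EXCL` on a file, so the narrower rule does match the reported case and this is a judgement call. Giving the domain a private tmp type instead of write access to `tmp_t` is the right shape: other domains get no access to these spool files and winbind_rpcd_t gets none on the tmp files of other domains beyond the directory-entry rights the transition needs. A short comment above the new rules such as `# private tmp files for print scripts run from winbind-rpcd` would help the next reader, since the bare type declaration in the first hunk gives no hint of the use.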

