From eca23feba8a378088a1d3ea2951b74ce8de2670a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Wed, 7 Aug 2024 12:46:10 +0200
Subject: [PATCH] Add policy for /usr/libexec/samba/samba-bgqd
samba-bgqd is a daemon enumerating cups printers and storing the gathered information in a cache. Since gathering the information about one printer takes about 1 sec, in environments with many printers the process may get killed before finishing. Providing a way to start samba-bgqd as a systemd service and always having it running in the background is a solution to this issue.
Resolves: RHEL-53124
---
 policy/modules/contrib/samba.fc | 2 ++
 policy/modules/contrib/samba.if | 19 +++++++++++++++++++
 policy/modules/contrib/samba.te | 24 ++++++++++++++++++++++++
 3 files changed, 45 insertions(+)
diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
index 7dccca9b57..19652acde5 100644
--- a/policy/modules/contrib/samba.fc
+++ b/policy/modules/contrib/samba.fc
@@ -19,6 +19,7 @@
 /usr/lib/systemd/system/winbind.* -- gen_context(system_u:object_r:samba_unit_file_t,s0)
 /usr/libexec/samba/rpcd_lsad -- gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
+/usr/libexec/samba/samba-bgqd -- gen_context(system_u:object_r:samba_bgqd_exec_t,s0)
 /usr/libexec/samba/samba-dcerpcd -- gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
 /usr/bin/net -- gen_context(system_u:object_r:samba_net_exec_t,s0)
@@ -67,6 +68,7 @@
 /run/samba/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
 /run/winbindd(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+/run/samba-bgqd.pid -- gen_context(system_u:object_r:samba_bgqd_var_run_t,s0)
 /var/spool/samba(/.*)? gen_context(system_u:object_r:samba_spool_t,s0)
diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
index 00e8ec268c..6b8525f164 100644
--- a/policy/modules/contrib/samba.if
+++ b/policy/modules/contrib/samba.if
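Review bot: Giving `/usr/libexec/samba/samba-bgqd` its own `samba_bgqd_exec_t` label changes what happens when an already-confined Samba process launches the helper, and no hunk shown in this patch grants that access. `init_daemon_domain` in samba.te only sets up the start from init, and the new `samba_exec_bgqd` interface is defined in samba.if but not called anywhere in the visible changes. If a Samba domain still spawns the binary directly (presumably the case before a unit file existed; confirm), it needs a rule such as `samba_exec_bgqd(winbind_rpcd_t)` for whichever domain does the spawning, or a dedicated domain transition. Without one, execute denials against `samba_bgqd_exec_t` should be expected in the audit log once the file is relabelled.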
@@ -1118,3 +1118,22 @@ interface(`samba_domtrans_winbind_rpcd',`
 corecmd_search_bin($1)
 domtrans_pattern($1, winbind_rpcd_exec_t, winbind_rpcd_t)
 ')
+
+########################################
+##
+## Execute samba-bgqd in the caller domain.
+##
+##
+##
+## Domain allowed accesss.
+##
+##
+#
+interface(`samba_exec_bgqd',`
+ gen_require(`
+ type samba_bgqd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, samba_bgqd_exec_t)
+')
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 560a3edf01..39aaffe706 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -134,6 +134,13 @@ type samba_gpupdate_exec_t;
 application_domain(samba_gpupdate_t, samba_gpupdate_exec_t)
 role system_r types samba_gpupdate_t;
+type samba_bgqd_t;
+type samba_bgqd_exec_t;
+init_daemon_domain(samba_bgqd_t, samba_bgqd_exec_t)
+
+type samba_bgqd_var_run_t;
+files_pid_file(samba_bgqd_var_run_t)
+
 type smbcontrol_t;
 type smbcontrol_exec_t;
 application_domain(smbcontrol_t, smbcontrol_exec_t)
@@ -300,6 +307,23 @@ optional_policy(`
 certmonger_domtrans(samba_gpupdate_t)
 ')
+########################################
+#
+# samba-bgqd Local policy
+#
+
+permissive samba_bgqd_t;
+
+read_files_pattern(samba_bgqd_t, samba_etc_t, samba_etc_t)
+manage_files_pattern(samba_bgqd_t, samba_log_t, samba_log_t)
+manage_files_pattern(samba_bgqd_t, samba_var_t, samba_var_t)
+manage_sock_files_pattern(samba_bgqd_t, samba_var_t, samba_var_t)
+
+manage_files_pattern(samba_bgqd_t, samba_bgqd_var_run_t, samba_bgqd_var_run_t)
+files_pid_filetrans(samba_bgqd_t, samba_bgqd_var_run_t, file)
+
+corenet_tcp_connect_ipp_port(samba_bgqd_t)
+
 ########################################
 #
 # smbd Local policy
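Review bot: The parameter description in the doc block of the new `samba_exec_bgqd` interface has a typo, `Domain allowed accesss.`; it should read `## Domain allowed access.`. The summary would also be clearer if it said that `can_exec` runs the binary without a domain transition, so the process keeps the caller's permissions instead of entering `samba_bgqd_t`. A possible wording is `## Execute samba-bgqd in the caller domain, without a transition to samba_bgqd_t.`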
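Review bot: `permissive samba_bgqd_t;` at the top of the new samba-bgqd local policy section means the rules that follow are not enforced: denials for this domain are only logged, so the daemon runs without effective SELinux confinement. The line has no comment saying that this is temporary or what has to happen before it is removed; I would add one such as `# Temporary: keep permissive only until AVC denials for samba_bgqd_t have been reviewed`. While the domain is permissive, the allow set here (manage access to `samba_var_t` and `samba_log_t`, connect to the IPP port) cannot be confirmed as complete or minimal. The permissive AVC records for `samba_bgqd_t` should be reviewed before the line is dropped.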