Add policy for /usr/libexec/samba/samba-bgqd

samba-bgqd is an helper program added in samba v4.20.2 to be spawned by smbd or spoolssd to perform jobs like updating the printer list or other management tasks asynchronously on demand. It is not intended to be called by users or administrators. Resolves: RHEL-53124
fedora-selinux · Aug 7, 2024 · ab069a0 · ab069a0
1 parent 7be2299
commit ab069a0
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 0 deletions.
diff --git a/policy/modules/contrib/samba.fc b/policy/modules/contrib/samba.fc
@@ -19,6 +19,7 @@
 /usr/lib/systemd/system/winbind.*   --  gen_context(system_u:object_r:samba_unit_file_t,s0)
 
 /usr/libexec/samba/rpcd_lsad	--	gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
+/usr/libexec/samba/samba-bgqd	--	gen_context(system_u:object_r:samba_bgqd_exec_t,s0)
 /usr/libexec/samba/samba-dcerpcd --	gen_context(system_u:object_r:winbind_rpcd_exec_t,s0)
 
 /usr/bin/net			--	gen_context(system_u:object_r:samba_net_exec_t,s0)

diff --git a/policy/modules/contrib/samba.if b/policy/modules/contrib/samba.if
@@ -1118,3 +1118,22 @@ interface(`samba_domtrans_winbind_rpcd',`
 	corecmd_search_bin($1)
 	domtrans_pattern($1, winbind_rpcd_exec_t, winbind_rpcd_t)
 ')
+
+########################################
+## <summary>
+##	Execute samba-bgqd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed accesss.
+##	</summary>
+## </param>
+#
+interface(`samba_exec_bgqd',`
+	gen_require(`
+		type samba_bgqd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, samba_bgqd_exec_t)
+')
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
@@ -134,6 +134,11 @@ type samba_gpupdate_exec_t;
 application_domain(samba_gpupdate_t, samba_gpupdate_exec_t)
 role system_r types samba_gpupdate_t;
 
+type samba_bgqd_t;
+type samba_bgqd_exec_t;
+application_domain(samba_bgqd_t, samba_bgqd_exec_t)
+role system_r types samba_bgqd_t;
+
 type smbcontrol_t;
 type smbcontrol_exec_t;
 application_domain(smbcontrol_t, smbcontrol_exec_t)
@@ -300,6 +305,20 @@ optional_policy(`
 	certmonger_domtrans(samba_gpupdate_t)
 ')
 
+########################################
+#
+# samba-bgqd Local policy
+#
+
+permissive samba_bgqd_t;
+
+read_files_pattern(samba_bgqd_t, samba_etc_t, samba_etc_t)
+manage_files_pattern(samba_bgqd_t, samba_log_t, samba_log_t)
+manage_files_pattern(samba_bgqd_t, samba_var_t, samba_var_t)
+manage_sock_files_pattern(samba_bgqd_t, samba_var_t, samba_var_t)
+
+corenet_tcp_connect_ipp_port(samba_bgqd_t)
+
 ########################################
 #
 # smbd Local policy