samba - Mar 2021 - selinux whac-a-mole - samba/ctdb/winbindd/....

So I'm starting to feel like we're playing SELinux whac-a-mole with
Samba/CTDB/Winbind/....

Is there a complete package out there including all of the security rules
for Samba so that I don't have to keep on finding more issues in
production? I'm looking for a .te file with all the settings one could
possibly want.

We don't want to disable SELinux, clearly.

Thanks in advance

Bob

-- 

BOB BUCK
SENIOR PLATFORM SOFTWARE ENGINEER

SKIDMORE, OWINGS & MERRILL
7 WORLD TRADE CENTER
250 GREENWICH STREET
NEW YORK, NY 10007
T  (212) 298-9624
ROBERT.BUCK at SOM.COM

On 3/29/21 11:55 AM, Robert Buck via samba wrote:
> So I'm starting to feel like we're playing SELinux whac-a-mole with
> Samba/CTDB/Winbind/....
> 
> Is there a complete package out there including all of the security rules
> for Samba so that I don't have to keep on finding more issues in
> production? I'm looking for a .te file with all the settings one could
> possibly want.
The default distro policy should be enough, It should be based on the 
reference policy [1]

But these reference policy is customized for Samba built for /usr prefix 
and /var for data, not for any locally built Samba installed on another 
directories.

You can build it on the expected directories for the reference policy or 
you would need to customize it otherwise.


[1] 
https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/services/samba.te
> 
> We don't want to disable SELinux, clearly.
> 
> Thanks in advance
> 
> Bob
>