Initial commit

.gitignore

@@ -0,0 +1,2 @@
+tmp/
+*.pp

Makefile

@@ -0,0 +1,5 @@
+NAME ?= targetd
+
+.PHONY: all
+all:
+	$(MAKE) NAME=$(NAME) -f /usr/share/selinux/devel/Makefile

README.md

@@ -0,0 +1,17 @@
+# Dustin's SELinux Policy Modules
+
+This is a collection of SELinux policy modules that fix or augment the default
+SELinux policy for Fedora/RHEL.
+
+## dch-samba
+
+The SELinux reference policy does not have rules for the Samba Active Directory
+Domain Controller ("samba4").  On Fedora/RHEL, `/usr/bin/samba` runs in
+`unconfined_service_t`.  This is fine for the DC functionality itself, but
+breaks `winbindd`.  The refpolicy does have rules for winbind, but they expect
+it to run in its own domain, `winbind_t`.  Since `winbindd` is started by
+`samba` when running on a DC, it runs in `unconfined_service_t` as well.
+
+The *dch-samba* policy module adds a couple of rules to allow `samba` to launch
+`winbindd` in the correct domain, and fixes up a few other AVC denials that
+come from doing this.

dch-samba.fc

@@ -0,0 +1,2 @@
+/usr/sbin/samba	-- gen_context(system_u:object_r:samba_exec_t,s0)
+

dch-samba.if

@@ -0,0 +1 @@
+## <summary></summary>

dch-samba.te

@@ -0,0 +1,22 @@
+policy_module(dch-samba, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type samba_t;
+type samba_exec_t;
+init_daemon_domain(samba_t, samba_exec_t);
+
+unconfined_domain_noaudit(samba_t);
+
+gen_require(`
+	type winbind_t, winbind_exec_t;
+')
+
+# Allow winbindd to transition winbind_t when launched by samba
+domtrans_pattern(samba_t, winbind_exec_t,  winbind_t);
+
+# Allow winbind to connect to the samr socket
+allow winbind_t samba_t:unix_stream_socket connectto;