No caso de alguém encontrar o mesmo problema, optei por uma solução alternativa, ou seja, permitir que smbd_t
acessasse o material com o nome svirt_sandbox_file_t
. Esta é uma cópia 1: 1 do samba_share_t
em um sistema CentOS 7.
# cat >samba_docker_policy.te<<EOF
module samba_docker_policy 1.0;
require {
type smbd_t;
type svirt_sandbox_file_t;
class dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open };
class lnk_file { ioctl read write create getattr setattr lock append unlink link rename };
class file { ioctl read write create getattr setattr lock append unlink link rename open };
class filesystem { getattr quotaget };
class fifo_file { ioctl read write create getattr setattr lock append unlink link rename open };
class sock_file { ioctl read write create getattr setattr lock append unlink link rename open };
}
#============= svirt_sandbox_file_t ==============
allow smbd_t svirt_sandbox_file_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow smbd_t svirt_sandbox_file_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
allow smbd_t svirt_sandbox_file_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow smbd_t svirt_sandbox_file_t : filesystem { getattr quotaget } ;
allow smbd_t svirt_sandbox_file_t : fifo_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow smbd_t svirt_sandbox_file_t : sock_file { ioctl read write create getattr setattr lock append unlink link rename open } ;
EOF
# checkmodule -M -m -o samba_docker_policy.mod samba_docker_policy.te
# semodule_package -o samba_docker_policy.pp -m samba_docker_policy.mod
# semodule -i samba_docker_policy.pp