7.10. Samba

With this configuration, Samba must be started before the kernel is sealed, or while LIDS_GLOBAL is disabled, so that it can bind to ports 137 and 139.
/sbin/lidsconf -A -o /etc/samba -j READONLY
/sbin/lidsconf -A -o /var/samba -j READONLY
/sbin/lidsconf -A -s /usr/sbin/smbd -o /var/samba -j WRITE
/sbin/lidsconf -A -s /usr/sbin/nmbd -o /var/samba -j WRITE

# smbd needs write access to smbpasswd to chmod it. I think it
# also needs access to MACHINE.SID.
/sbin/lidsconf -A -s /usr/sbin/smbd -o /etc/samba -j WRITE
/sbin/lidsconf -A -s /usr/sbin/smbd -o /etc/shadow -j READONLY

/sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_SETGID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_HIDDEN -j GRANT

# LIDS complains about smbd trying to chroot to /.
# Everything still seems to work without it, though
# (and isn't chrooting to / kinda pointless anyway?).
#/sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_SYS_CHROOT -j GRANT
/sbin/lidsconf -A -s /usr/sbin/nmbd -o CAP_HIDDEN -j GRANT
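
To review what the rules above actually grant to each binary, the following added example (not part of the original FAQ or of LIDS) parses the rule lines and reports the per-subject exceptions. The function names are hypothetical, and it reads the rule text only, without calling lidsconf.

```shell
#!/bin/sh
# Added example: per-subject review of this section's lidsconf rules.

# Rule lines from this section; the disabled CAP_SYS_CHROOT line is kept
# to show that commented-out rules are ignored.
rules() { cat <<'EOF'
/sbin/lidsconf -A -o /etc/samba -j READONLY
/sbin/lidsconf -A -o /var/samba -j READONLY
/sbin/lidsconf -A -s /usr/sbin/smbd -o /var/samba -j WRITE
/sbin/lidsconf -A -s /usr/sbin/nmbd -o /var/samba -j WRITE
/sbin/lidsconf -A -s /usr/sbin/smbd -o /etc/samba -j WRITE
/sbin/lidsconf -A -s /usr/sbin/smbd -o /etc/shadow -j READONLY
/sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_SETUID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_SETGID -j GRANT
/sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_HIDDEN -j GRANT
#/sbin/lidsconf -A -s /usr/sbin/smbd -o CAP_SYS_CHROOT -j GRANT
/sbin/lidsconf -A -s /usr/sbin/nmbd -o CAP_HIDDEN -j GRANT
EOF
}

# Read "lidsconf -A" lines on stdin; print "<subject> <object> <action>".
# Rules without -s are defaults for every process and get subject ANY.
parse_rules() {
    awk '/^[ \t]*#/ || NF == 0 { next }
    {
        subj = "ANY"; obj = ""; act = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-s") subj = $(i + 1)
            else if ($i == "-o") obj = $(i + 1)
            else if ($i == "-j") act = $(i + 1)
        }
        if (obj != "" && act != "") print subj, obj, act
    }'
}

# Subjects allowed to WRITE a path whose default rule is READONLY.
write_exceptions() {
    parse_rules | awk '$1 == "ANY" && $3 == "READONLY" { ro[$2] = 1 }
        $1 != "ANY" && $3 == "WRITE" { n++; s[n] = $1; o[n] = $2 }
        END { for (i = 1; i <= n; i++) if (o[i] in ro) print s[i], o[i] }'
}

# Capabilities granted to subject $1, sorted, space-separated on one line.
caps_for() {
    parse_rules | awk -v s="$1" '$1 == s && $2 ~ /^CAP_/ && $3 == "GRANT" { print $2 }' |
        sort | tr '\n' ' ' | sed 's/ $//'
}

rules | write_exceptions
echo "smbd caps: $(rules | caps_for /usr/sbin/smbd)"
```

To review a different rule file, pipe it into the same functions in place of the embedded `rules` text.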