#include <tunables/global>

/usr/sbin/smbd {
  #include <abstractions/authentication>
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/cups-client>
  #include <abstractions/nameservice>
  #include <abstractions/samba>
  #include <abstractions/user-tmp>
  #include <abstractions/wutmp>

  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability lease,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  capability sys_resource,
  capability sys_tty_config,
#added
  capability audit_write,
#
  /etc/mtab r,
  /etc/netgroup r,
  /etc/printcap r,
  /etc/samba/* rwk,
  @{PROC}/@{pid}/mounts r,
  @{PROC}/sys/kernel/core_pattern r,
  /usr/lib*/samba/vfs/*.so mr,
  /usr/lib*/samba/charset/*.so mr,
  /usr/lib*/samba/auth/script.so mr,
  /usr/lib*/samba/pdb/*.so mr,
  /usr/lib*/samba/{lowcase,upcase,valid}.dat r,
  /usr/sbin/smbd mr,
  /usr/sbin/smbldap-useradd Px,
  /var/cache/samba/** rwk,
  /var/{cache,lib}/samba/printing/printers.tdb mrw,
  /var/lib/samba/** rwk,
  /var/lib/sss/pubconf/kdcinfo.* r,
# added
  /usr/sbin/cupsd Px,
#
#changed
  #/{,var/}run/dbus/system_bus_socket rw,
  #/{,var/}run/samba/** rk,
  #/{,var/}run/samba/ncalrpc/ rw,
  #/{,var/}run/samba/ncalrpc/** rw,
  #/{,var/}run/samba/smbd.pid rw,
  /run/dbus/system_bus_socket rw,
  /run/samba/** rwk,
  /run/samba/ncalrpc/ rw,
  /run/samba/ncalrpc/** rw,
  /run/samba/smbd.pid rw,
#
  /var/spool/samba/** rw,

  @{HOMEDIRS}/** lrwk,

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.smbd>

}