[people/stevee/selinux-policy.git] / policy / modules / system / mount.te

policy_module(mount, 1.12.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow the mount command to mount any directory or file.
## </p>
## </desc>
gen_tunable(allow_mount_anyfile, false)

type mount_t;
type mount_exec_t;
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;

type fusermount_exec_t;
domain_entry_file(mount_t, fusermount_exec_t)

typealias mount_t alias mount_ntfs_t;
typealias mount_exec_t alias mount_ntfs_exec_t;

type mount_loopback_t; # customizable
files_type(mount_loopback_t)
typealias mount_loopback_t alias mount_loop_t;

type mount_tmp_t;
files_tmp_file(mount_tmp_t)

type mount_var_run_t;
files_pid_file(mount_var_run_t)
dev_associate(mount_var_run_t)

# showmount - show mount information for an NFS server

type showmount_t;
type showmount_exec_t;
application_domain(showmount_t, showmount_exec_t)
role system_r types showmount_t;

########################################
#
# mount local policy
#

# setuid/setgid needed to mount cifs 
allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice };
allow mount_t self:process { getcap getsched setsched setcap setrlimit signal };
tunable_policy(`deny_ptrace',`',`
	allow mount_t self:process ptrace;
')

allow mount_t self:fifo_file rw_fifo_file_perms;
allow mount_t self:unix_stream_socket create_stream_socket_perms;
allow mount_t self:unix_dgram_socket create_socket_perms; 

allow mount_t mount_loopback_t:file read_file_perms;

allow mount_t mount_tmp_t:file manage_file_perms;
allow mount_t mount_tmp_t:dir manage_dir_perms;

can_exec(mount_t, mount_exec_t)

files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })

manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
files_pid_filetrans(mount_t,mount_var_run_t,dir)
files_var_filetrans(mount_t,mount_var_run_t,dir)
dev_filetrans(mount_t, mount_var_run_t, dir)

# In order to mount reiserfs_t
kernel_dontaudit_getattr_core_if(mount_t)
kernel_list_unlabeled(mount_t)
kernel_mount_unlabeled(mount_t)
kernel_unmount_unlabeled(mount_t)
kernel_read_system_state(mount_t)
kernel_read_network_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
kernel_manage_debugfs(mount_t)
kernel_setsched(mount_t)
kernel_use_fds(mount_t)
kernel_request_load_module(mount_t)
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
kernel_request_load_module(mount_t)

# required for mount.smbfs
corecmd_exec_bin(mount_t)

dev_getattr_generic_blk_files(mount_t)
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
dev_read_usbfs(mount_t)
dev_read_rand(mount_t)
dev_read_urand(mount_t)
dev_read_sysfs(mount_t)
dev_dontaudit_write_sysfs_dirs(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)

ifdef(`hide_broken_symptoms',`
	dev_rw_generic_blk_files(mount_t)
')

# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(mount_t)

domain_use_interactive_fds(mount_t)
domain_read_all_domains_state(mount_t)

files_search_all(mount_t)
files_read_etc_files(mount_t)
files_read_etc_runtime_files(mount_t)
files_manage_etc_runtime_files(mount_t)
files_etc_filetrans_etc_runtime(mount_t, file)
# for when /etc/mtab loses its type
files_delete_etc_files(mount_t)
files_mounton_all_mountpoints(mount_t)
files_setattr_all_mountpoints(mount_t)
# ntfs-3g checks whether the mountpoint is writable before mounting
files_write_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)

# These rules need to be generalized.  Only admin, initrc should have it:
files_relabel_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
files_write_all_dirs(mount_t)
files_dontaudit_write_root_dirs(mount_t)

fs_list_all(mount_t)
fs_getattr_all_fs(mount_t)
fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
fs_rw_anon_inodefs_files(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
fs_rw_nfsd_fs(mount_t)
fs_rw_removable_blk_files(mount_t)
#fs_manage_tmpfs_dirs(mount_t)
fs_read_tmpfs_symlinks(mount_t)
fs_read_fusefs_files(mount_t)
fs_manage_nfs_dirs(mount_t)
fs_read_nfs_symlinks(mount_t)
fs_manage_cgroup_dirs(mount_t)
fs_manage_cgroup_files(mount_t)
fs_dontaudit_write_tmpfs_dirs(mount_t)

mls_file_read_to_clearance(mount_t)
mls_file_write_to_clearance(mount_t)
mls_process_write_to_clearance(mount_t)

selinux_get_enforce_mode(mount_t)
selinux_mounton_fs(mount_t)

storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
storage_rw_fuse(mount_t)

term_use_all_inherited_terms(mount_t)

auth_use_nsswitch(mount_t)

init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
init_stream_connect_script(mount_t)
init_rw_script_stream_sockets(mount_t)

logging_send_syslog_msg(mount_t)

miscfiles_read_localization(mount_t)

sysnet_use_portmap(mount_t)

seutil_read_config(mount_t)

userdom_use_all_users_fds(mount_t)
userdom_manage_user_home_content_dirs(mount_t)
userdom_read_user_home_content_symlinks(mount_t)

ifdef(`distro_redhat',`
	optional_policy(`
		auth_read_pam_console_data(mount_t)
		# mount config by default sets fscontext=removable_t
		fs_relabelfrom_dos_fs(mount_t)
	')
')

ifdef(`distro_ubuntu',`
	optional_policy(`
		unconfined_domain(mount_t)
	')
')

corecmd_exec_shell(mount_t)

tunable_policy(`allow_mount_anyfile',`
	files_read_non_security_files(mount_t)
	files_mounton_non_security(mount_t)
	files_rw_all_inherited_files(mount_t)
')

optional_policy(`
	# for nfs
	corenet_all_recvfrom_unlabeled(mount_t)
	corenet_all_recvfrom_netlabel(mount_t)
	corenet_tcp_sendrecv_generic_if(mount_t)
	corenet_raw_sendrecv_generic_if(mount_t)
	corenet_udp_sendrecv_generic_if(mount_t)
	corenet_tcp_sendrecv_generic_node(mount_t)
	corenet_raw_sendrecv_generic_node(mount_t)
	corenet_udp_sendrecv_generic_node(mount_t)
	corenet_tcp_sendrecv_all_ports(mount_t)
	corenet_udp_sendrecv_all_ports(mount_t)
	corenet_tcp_bind_generic_node(mount_t)
	corenet_udp_bind_generic_node(mount_t)
	corenet_tcp_bind_generic_port(mount_t)
	corenet_udp_bind_generic_port(mount_t)
	corenet_tcp_bind_reserved_port(mount_t)
	corenet_udp_bind_reserved_port(mount_t)
	corenet_tcp_bind_all_rpc_ports(mount_t)
	corenet_udp_bind_all_rpc_ports(mount_t)
	corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
	corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
	corenet_tcp_connect_all_ports(mount_t)

	fs_search_rpc(mount_t)

	rpc_stub(mount_t)

	rpc_domtrans_rpcd(mount_t)
')

optional_policy(`
	apm_use_fds(mount_t)
')

optional_policy(`
	cron_system_entry(mount_t, mount_exec_t)
')

optional_policy(`
	devicekit_read_state_power(mount_t)
')

optional_policy(`
	dbus_system_bus_client(mount_t)

	optional_policy(`
		hal_dbus_chat(mount_t)
	')
')

optional_policy(`
	hal_write_log(mount_t)
	hal_use_fds(mount_t)
	hal_dontaudit_rw_pipes(mount_t)
')

optional_policy(`
	ifdef(`hide_broken_symptoms',`
		# for a bug in the X server
		rhgb_dontaudit_rw_stream_sockets(mount_t)
		term_dontaudit_use_ptmx(mount_t)
	')
')

# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
optional_policy(`
	lvm_domtrans(mount_t)
')

optional_policy(`
	modutils_domtrans_insmod(mount_t)
	modutils_read_module_deps(mount_t)
')

optional_policy(`
	fstools_domtrans(mount_t)
')

optional_policy(`
	rhcs_stream_connect_gfs_controld(mount_t)
')

# for kernel package installation
optional_policy(`
	rpm_rw_pipes(mount_t)
	rpm_dontaudit_leaks(mount_t)
')

optional_policy(`
	samba_domtrans_smbmount(mount_t)
	samba_read_config(mount_t)
')

optional_policy(`
	ssh_exec(mount_t)
')

optional_policy(`
	usbmuxd_stream_connect(mount_t)
')

optional_policy(`
	userhelper_exec_console(mount_t)
')

optional_policy(`
	virt_read_blk_images(mount_t)
')

optional_policy(`
	vmware_exec_host(mount_t)
')

######################################
#
# showmount local policy
#

allow showmount_t self:tcp_socket create_stream_socket_perms;
allow showmount_t self:udp_socket create_socket_perms;

kernel_read_system_state(showmount_t)

corenet_all_recvfrom_unlabeled(showmount_t)
corenet_all_recvfrom_netlabel(showmount_t)
corenet_tcp_sendrecv_generic_if(showmount_t)
corenet_udp_sendrecv_generic_if(showmount_t)
corenet_tcp_sendrecv_generic_node(showmount_t)
corenet_udp_sendrecv_generic_node(showmount_t)
corenet_tcp_sendrecv_all_ports(showmount_t)
corenet_udp_sendrecv_all_ports(showmount_t)
corenet_tcp_bind_generic_node(showmount_t)
corenet_udp_bind_generic_node(showmount_t)
corenet_tcp_bind_all_rpc_ports(showmount_t)
corenet_udp_bind_all_rpc_ports(showmount_t)
corenet_tcp_connect_all_ports(showmount_t)

files_read_etc_files(showmount_t)
files_read_etc_runtime_files(showmount_t)

miscfiles_read_localization(showmount_t)

sysnet_dns_name_resolve(showmount_t)

userdom_use_inherited_user_terminals(showmount_t)
Commit	Line	Data
17910a2a	1	policy_module(mount, 1.12.1)
7a2f20a3 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
56e1b3d2 CP	8	## <desc>
56e1b3d2 CP	9	## <p>
dd9e1de3	10	## Allow the mount command to mount any directory or file.
56e1b3d2 CP	11	## </p>
56e1b3d2 CP	12	## </desc>
3f67f722	13	gen_tunable(allow_mount_anyfile, false)
56e1b3d2	14
f0574fa9	15	type mount_t;
3016a9ff	16	type mount_exec_t;
3f67f722	17	init_system_domain(mount_t, mount_exec_t)
bbd6a621	18	role system_r types mount_t;
3016a9ff	19
3eaa9939 DW	20	type fusermount_exec_t;
	21	domain_entry_file(mount_t, fusermount_exec_t)
	22
	23	typealias mount_t alias mount_ntfs_t;
	24	typealias mount_exec_t alias mount_ntfs_exec_t;
	25
eac818f0 CP	26	type mount_loopback_t; # customizable
eac818f0 CP	27	files_type(mount_loopback_t)
3eaa9939	28	typealias mount_loopback_t alias mount_loop_t;
eac818f0	29
3016a9ff	30	type mount_tmp_t;
c9428d33	31	files_tmp_file(mount_tmp_t)
3016a9ff	32
3eaa9939 DW	33	type mount_var_run_t;
3eaa9939 DW	34	files_pid_file(mount_var_run_t)
634d6b31	35	dev_associate(mount_var_run_t)
3eaa9939 DW	36
	37	# showmount - show mount information for an NFS server
	38
	39	type showmount_t;
	40	type showmount_exec_t;
	41	application_domain(showmount_t, showmount_exec_t)
	42	role system_r types showmount_t;
85a0f967	43
3016a9ff CP	44	########################################
	45	#
	46	# mount local policy
	47	#
	48
8cfa5a00	49	# setuid/setgid needed to mount cifs
633cf006 DW	50	allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice };
633cf006 DW	51	allow mount_t self:process { getcap getsched setsched setcap setrlimit signal };
995bdbb1	52	tunable_policy(`deny_ptrace',`',`
	53	allow mount_t self:process ptrace;
	54	')
	55
3eaa9939 DW	56	allow mount_t self:fifo_file rw_fifo_file_perms;
	57	allow mount_t self:unix_stream_socket create_stream_socket_perms;
	58	allow mount_t self:unix_dgram_socket create_socket_perms;
3016a9ff	59
c0868a7a	60	allow mount_t mount_loopback_t:file read_file_perms;
d6d16b97	61
c0868a7a CP	62	allow mount_t mount_tmp_t:file manage_file_perms;
	63	allow mount_t mount_tmp_t:dir manage_dir_perms;
	64
d6d16b97	65	can_exec(mount_t, mount_exec_t)
eac818f0	66
3f67f722	67	files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
3016a9ff	68
3eaa9939 DW	69	manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
	70	manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
	71	files_pid_filetrans(mount_t,mount_var_run_t,dir)
	72	files_var_filetrans(mount_t,mount_var_run_t,dir)
634d6b31	73	dev_filetrans(mount_t, mount_var_run_t, dir)
3eaa9939 DW	74
	75	# In order to mount reiserfs_t
	76	kernel_dontaudit_getattr_core_if(mount_t)
	77	kernel_list_unlabeled(mount_t)
	78	kernel_mount_unlabeled(mount_t)
	79	kernel_unmount_unlabeled(mount_t)
3016a9ff	80	kernel_read_system_state(mount_t)
3eaa9939	81	kernel_read_network_state(mount_t)
d9845ae9	82	kernel_read_kernel_sysctls(mount_t)
cbadf720	83	kernel_manage_debugfs(mount_t)
3eaa9939 DW	84	kernel_setsched(mount_t)
	85	kernel_use_fds(mount_t)
	86	kernel_request_load_module(mount_t)
a861c7c6 CR	87	kernel_dontaudit_write_debugfs_dirs(mount_t)
a861c7c6 CR	88	kernel_dontaudit_write_proc_dirs(mount_t)
a2307ca2 CP	89	# To load binfmt_misc kernel module
a2307ca2 CP	90	kernel_request_load_module(mount_t)
3016a9ff	91
f0e959b4 CP	92	# required for mount.smbfs
	93	corecmd_exec_bin(mount_t)
	94
3eaa9939	95	dev_getattr_generic_blk_files(mount_t)
f0c985ca KM	96	dev_getattr_all_blk_files(mount_t)
f0c985ca KM	97	dev_list_all_dev_nodes(mount_t)
3eaa9939 DW	98	dev_read_usbfs(mount_t)
3eaa9939 DW	99	dev_read_rand(mount_t)
5d321e63	100	dev_read_urand(mount_t)
3eaa9939	101	dev_read_sysfs(mount_t)
66ef236c	102	dev_dontaudit_write_sysfs_dirs(mount_t)
93727e3f	103	dev_rw_lvm_control(mount_t)
a3cf80d8	104	dev_dontaudit_getattr_all_chr_files(mount_t)
b0d2243c CP	105	dev_dontaudit_getattr_memory_dev(mount_t)
b0d2243c CP	106	dev_getattr_sound_dev(mount_t)
6304ef30	107
3eaa9939 DW	108	ifdef(`hide_broken_symptoms',`
	109	dev_rw_generic_blk_files(mount_t)
	110	')
6304ef30	111
2fc79f1e JS	112	# Early devtmpfs, before udev relabel
2fc79f1e JS	113	dev_dontaudit_rw_generic_chr_files(mount_t)
3016a9ff	114
15722ec9	115	domain_use_interactive_fds(mount_t)
fa25968a	116	domain_read_all_domains_state(mount_t)
a2d8246b	117
9e04f5c5	118	files_search_all(mount_t)
8fd36732	119	files_read_etc_files(mount_t)
82e4d007	120	files_read_etc_runtime_files(mount_t)
c9428d33	121	files_manage_etc_runtime_files(mount_t)
3f67f722	122	files_etc_filetrans_etc_runtime(mount_t, file)
79bff2bb DW	123	# for when /etc/mtab loses its type
79bff2bb DW	124	files_delete_etc_files(mount_t)
c9428d33	125	files_mounton_all_mountpoints(mount_t)
ef394695	126	files_setattr_all_mountpoints(mount_t)
3eaa9939 DW	127	# ntfs-3g checks whether the mountpoint is writable before mounting
3eaa9939 DW	128	files_write_all_mountpoints(mount_t)
c9428d33	129	files_unmount_rootfs(mount_t)
79bff2bb	130
dc771ff4	131	# These rules need to be generalized. Only admin, initrc should have it:
3eaa9939	132	files_relabel_all_file_type_fs(mount_t)
763c441e	133	files_mount_all_file_type_fs(mount_t)
ce1b44aa	134	files_unmount_all_file_type_fs(mount_t)
9e04f5c5	135	files_read_isid_type_files(mount_t)
72492557 CP	136	# For reading cert files
72492557 CP	137	files_read_usr_files(mount_t)
a5e2133b	138	files_list_mnt(mount_t)
82afdf6f	139	files_write_all_dirs(mount_t)
a861c7c6	140	files_dontaudit_write_root_dirs(mount_t)
3016a9ff	141
3eaa9939 DW	142	fs_list_all(mount_t)
3eaa9939 DW	143	fs_getattr_all_fs(mount_t)
f0e959b4 CP	144	fs_mount_all_fs(mount_t)
	145	fs_unmount_all_fs(mount_t)
	146	fs_remount_all_fs(mount_t)
	147	fs_relabelfrom_all_fs(mount_t)
3eaa9939	148	fs_rw_anon_inodefs_files(mount_t)
f0e959b4	149	fs_rw_tmpfs_chr_files(mount_t)
3eaa9939	150	fs_rw_nfsd_fs(mount_t)
397ecfb1	151	fs_rw_removable_blk_files(mount_t)
6304ef30	152	#fs_manage_tmpfs_dirs(mount_t)
f0e959b4	153	fs_read_tmpfs_symlinks(mount_t)
3eaa9939 DW	154	fs_read_fusefs_files(mount_t)
	155	fs_manage_nfs_dirs(mount_t)
	156	fs_read_nfs_symlinks(mount_t)
3034a8d9 DW	157	fs_manage_cgroup_dirs(mount_t)
3034a8d9 DW	158	fs_manage_cgroup_files(mount_t)
a861c7c6	159	fs_dontaudit_write_tmpfs_dirs(mount_t)
f0e959b4	160
9f805998 DW	161	mls_file_read_to_clearance(mount_t)
	162	mls_file_write_to_clearance(mount_t)
	163	mls_process_write_to_clearance(mount_t)
f0e959b4 CP	164
f0e959b4 CP	165	selinux_get_enforce_mode(mount_t)
0fc1dfbb	166	selinux_mounton_fs(mount_t)
f0e959b4 CP	167
	168	storage_raw_read_fixed_disk(mount_t)
	169	storage_raw_write_fixed_disk(mount_t)
	170	storage_raw_read_removable_device(mount_t)
	171	storage_raw_write_removable_device(mount_t)
3eaa9939	172	storage_rw_fuse(mount_t)
f0e959b4	173
af2d8802	174	term_use_all_inherited_terms(mount_t)
f0e959b4 CP	175
	176	auth_use_nsswitch(mount_t)
	177
1c1ac67f	178	init_use_fds(mount_t)
1815bad1	179	init_use_script_ptys(mount_t)
a3cf80d8	180	init_dontaudit_getattr_initctl(mount_t)
3eaa9939 DW	181	init_stream_connect_script(mount_t)
3eaa9939 DW	182	init_rw_script_stream_sockets(mount_t)
daa0e0b0	183
c9428d33	184	logging_send_syslog_msg(mount_t)
3016a9ff CP	185
	186	miscfiles_read_localization(mount_t)
	187
98a8ead4 CP	188	sysnet_use_portmap(mount_t)
98a8ead4 CP	189
d9845ae9	190	seutil_read_config(mount_t)
a5e2133b	191
15722ec9	192	userdom_use_all_users_fds(mount_t)
3eaa9939 DW	193	userdom_manage_user_home_content_dirs(mount_t)
	194	userdom_read_user_home_content_symlinks(mount_t)
	195
254bbc7b	196	ifdef(`distro_redhat',`
bb7170f6	197	optional_policy(`
c9428d33	198	auth_read_pam_console_data(mount_t)
0c73cd25	199	# mount config by default sets fscontext=removable_t
763c441e	200	fs_relabelfrom_dos_fs(mount_t)
0c73cd25 CP	201	')
0c73cd25 CP	202	')
daa0e0b0	203
12cf805e CP	204	ifdef(`distro_ubuntu',`
	205	optional_policy(`
	206	unconfined_domain(mount_t)
	207	')
	208	')
	209
3eaa9939 DW	210	corecmd_exec_shell(mount_t)
3eaa9939 DW	211
350b6ab7	212	tunable_policy(`allow_mount_anyfile',`
78c4fb1b	213	files_read_non_security_files(mount_t)
350b6ab7	214	files_mounton_non_security(mount_t)
3eaa9939	215	files_rw_all_inherited_files(mount_t)
165b42d2 CP	216	')
165b42d2 CP	217
bb7170f6	218	optional_policy(`
0c73cd25	219	# for nfs
19006686 CP	220	corenet_all_recvfrom_unlabeled(mount_t)
19006686 CP	221	corenet_all_recvfrom_netlabel(mount_t)
4bc56eb9 DW	222	corenet_tcp_sendrecv_generic_if(mount_t)
	223	corenet_raw_sendrecv_generic_if(mount_t)
	224	corenet_udp_sendrecv_generic_if(mount_t)
	225	corenet_tcp_sendrecv_generic_node(mount_t)
	226	corenet_raw_sendrecv_generic_node(mount_t)
	227	corenet_udp_sendrecv_generic_node(mount_t)
0fd9dc55 CP	228	corenet_tcp_sendrecv_all_ports(mount_t)
0fd9dc55 CP	229	corenet_udp_sendrecv_all_ports(mount_t)
4bc56eb9 DW	230	corenet_tcp_bind_generic_node(mount_t)
4bc56eb9 DW	231	corenet_udp_bind_generic_node(mount_t)
0fd9dc55 CP	232	corenet_tcp_bind_generic_port(mount_t)
	233	corenet_udp_bind_generic_port(mount_t)
	234	corenet_tcp_bind_reserved_port(mount_t)
	235	corenet_udp_bind_reserved_port(mount_t)
e9935943 CP	236	corenet_tcp_bind_all_rpc_ports(mount_t)
e9935943 CP	237	corenet_udp_bind_all_rpc_ports(mount_t)
35a4b349 CP	238	corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
35a4b349 CP	239	corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
98a8ead4	240	corenet_tcp_connect_all_ports(mount_t)
ab940a4c	241
4d851fe9	242	fs_search_rpc(mount_t)
bb437244	243
0d96ff33	244	rpc_stub(mount_t)
3eaa9939 DW	245
3eaa9939 DW	246	rpc_domtrans_rpcd(mount_t)
daa0e0b0 CP	247	')
daa0e0b0 CP	248
bb7170f6	249	optional_policy(`
1c1ac67f	250	apm_use_fds(mount_t)
4483ee84 CP	251	')
4483ee84 CP	252
3eaa9939 DW	253	optional_policy(`
	254	cron_system_entry(mount_t, mount_exec_t)
	255	')
	256
773094ba DW	257	optional_policy(`
	258	devicekit_read_state_power(mount_t)
	259	')
	260
3eaa9939 DW	261	optional_policy(`
	262	dbus_system_bus_client(mount_t)
	263
	264	optional_policy(`
	265	hal_dbus_chat(mount_t)
	266	')
	267	')
	268
3eaa9939 DW	269	optional_policy(`
	270	hal_write_log(mount_t)
	271	hal_use_fds(mount_t)
	272	hal_dontaudit_rw_pipes(mount_t)
	273	')
	274
bb7170f6	275	optional_policy(`
c8d5b357 CP	276	ifdef(`hide_broken_symptoms',`
	277	# for a bug in the X server
	278	rhgb_dontaudit_rw_stream_sockets(mount_t)
	279	term_dontaudit_use_ptmx(mount_t)
	280	')
	281	')
	282
3eaa9939 DW	283	# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
	284	optional_policy(`
	285	lvm_domtrans(mount_t)
	286	')
	287
2371d8d8 MG	288	optional_policy(`
2371d8d8 MG	289	modutils_domtrans_insmod(mount_t)
b280894b	290	modutils_read_module_deps(mount_t)
2371d8d8 MG	291	')
	292
	293	optional_policy(`
	294	fstools_domtrans(mount_t)
	295	')
	296
d255399f DW	297	optional_policy(`
	298	rhcs_stream_connect_gfs_controld(mount_t)
	299	')
	300
b24f35d8	301	# for kernel package installation
bb7170f6	302	optional_policy(`
1815bad1	303	rpm_rw_pipes(mount_t)
c2dae985	304	rpm_dontaudit_leaks(mount_t)
b24f35d8 CP	305	')
b24f35d8 CP	306
bb7170f6	307	optional_policy(`
84c92239	308	samba_domtrans_smbmount(mount_t)
3eaa9939 DW	309	samba_read_config(mount_t)
	310	')
	311
	312	optional_policy(`
	313	ssh_exec(mount_t)
	314	')
	315
	316	optional_policy(`
	317	usbmuxd_stream_connect(mount_t)
	318	')
	319
02f4697f DW	320	optional_policy(`
	321	userhelper_exec_console(mount_t)
	322	')
	323
773094ba DW	324	optional_policy(`
	325	virt_read_blk_images(mount_t)
	326	')
	327
3eaa9939 DW	328	optional_policy(`
3eaa9939 DW	329	vmware_exec_host(mount_t)
84c92239	330	')
85a0f967	331
3eaa9939 DW	332	######################################
	333	#
	334	# showmount local policy
	335	#
	336
	337	allow showmount_t self:tcp_socket create_stream_socket_perms;
	338	allow showmount_t self:udp_socket create_socket_perms;
	339
	340	kernel_read_system_state(showmount_t)
	341
	342	corenet_all_recvfrom_unlabeled(showmount_t)
	343	corenet_all_recvfrom_netlabel(showmount_t)
	344	corenet_tcp_sendrecv_generic_if(showmount_t)
	345	corenet_udp_sendrecv_generic_if(showmount_t)
	346	corenet_tcp_sendrecv_generic_node(showmount_t)
	347	corenet_udp_sendrecv_generic_node(showmount_t)
	348	corenet_tcp_sendrecv_all_ports(showmount_t)
	349	corenet_udp_sendrecv_all_ports(showmount_t)
	350	corenet_tcp_bind_generic_node(showmount_t)
	351	corenet_udp_bind_generic_node(showmount_t)
	352	corenet_tcp_bind_all_rpc_ports(showmount_t)
	353	corenet_udp_bind_all_rpc_ports(showmount_t)
	354	corenet_tcp_connect_all_ports(showmount_t)
	355
	356	files_read_etc_files(showmount_t)
82e4d007	357	files_read_etc_runtime_files(showmount_t)
3eaa9939 DW	358
	359	miscfiles_read_localization(showmount_t)
	360
	361	sysnet_dns_name_resolve(showmount_t)
	362
af2d8802	363	userdom_use_inherited_user_terminals(showmount_t)