policy_module(mount, 1.12.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow the mount command to mount any directory or file.
## </p>
## </desc>
# Off by default: the extra mounton/read rules live in the tunable_policy
# block of the mount local policy section below.
gen_tunable(allow_mount_anyfile, false)

# mount_t is a system domain entered from mount_exec_t; it runs in system_r.
type mount_t;
type mount_exec_t;
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;

# Second entry point into the same domain for fusermount.
type fusermount_exec_t;
domain_entry_file(mount_t, fusermount_exec_t)

# Historical names kept as aliases so older policy/labels keep working.
typealias mount_t alias mount_ntfs_t;
typealias mount_exec_t alias mount_ntfs_exec_t;

# Loopback image files that mount_t may read (see read_file_perms rule below).
type mount_loopback_t; # customizable
files_type(mount_loopback_t)
typealias mount_loopback_t alias mount_loop_t;

type mount_tmp_t;
files_tmp_file(mount_tmp_t)

# Runtime state under the pid dir; dev_associate lets it live on devtmpfs too.
type mount_var_run_t;
files_pid_file(mount_var_run_t)
dev_associate(mount_var_run_t)

# showmount - show mount information for an NFS server

# Separate, less privileged application domain for the showmount client.
type showmount_t;
type showmount_exec_t;
application_domain(showmount_t, showmount_exec_t)
role system_r types showmount_t;

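########################################
#
# mount local policy
#

# setuid/setgid needed to mount cifs
allow mount_t self:capability { fsetid fowner ipc_lock setpcap sys_rawio sys_resource sys_admin dac_override dac_read_search chown sys_tty_config setuid setgid sys_nice };
allow mount_t self:process { getcap getsched setsched setcap setrlimit signal };
# ptrace on self is granted only while the deny_ptrace tunable is off
# (the rule sits in the else-branch of tunable_policy).
tunable_policy(`deny_ptrace',`',`
	allow mount_t self:process ptrace;
')

allow mount_t self:fifo_file rw_fifo_file_perms;
allow mount_t self:unix_stream_socket create_stream_socket_perms;
allow mount_t self:unix_dgram_socket create_socket_perms;

# Loopback image files are read-only for mount_t.
allow mount_t mount_loopback_t:file read_file_perms;

allow mount_t mount_tmp_t:file manage_file_perms;
allow mount_t mount_tmp_t:dir manage_dir_perms;

can_exec(mount_t, mount_exec_t)

files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })

manage_dirs_pattern(mount_t,mount_var_run_t,mount_var_run_t)
manage_files_pattern(mount_t,mount_var_run_t,mount_var_run_t)
files_pid_filetrans(mount_t,mount_var_run_t,dir)
files_var_filetrans(mount_t,mount_var_run_t,dir)
dev_filetrans(mount_t, mount_var_run_t, dir)

# In order to mount reiserfs_t
kernel_dontaudit_getattr_core_if(mount_t)
kernel_list_unlabeled(mount_t)
kernel_mount_unlabeled(mount_t)
kernel_unmount_unlabeled(mount_t)
kernel_read_system_state(mount_t)
kernel_read_network_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
kernel_manage_debugfs(mount_t)
kernel_setsched(mount_t)
kernel_use_fds(mount_t)
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module (the interface was previously listed
# twice in this section; one call is sufficient).
kernel_request_load_module(mount_t)

# required for mount.smbfs
corecmd_exec_bin(mount_t)

dev_getattr_generic_blk_files(mount_t)
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
dev_read_usbfs(mount_t)
dev_read_rand(mount_t)
dev_read_urand(mount_t)
dev_read_sysfs(mount_t)
dev_dontaudit_write_sysfs_dirs(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)

ifdef(`hide_broken_symptoms',`
	dev_rw_generic_blk_files(mount_t)
')

# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(mount_t)

domain_use_interactive_fds(mount_t)
domain_read_all_domains_state(mount_t)

files_search_all(mount_t)
files_read_etc_files(mount_t)
files_read_etc_runtime_files(mount_t)
files_manage_etc_runtime_files(mount_t)
files_etc_filetrans_etc_runtime(mount_t, file)
# for when /etc/mtab loses its type
files_delete_etc_files(mount_t)
files_mounton_all_mountpoints(mount_t)
files_setattr_all_mountpoints(mount_t)
# ntfs-3g checks whether the mountpoint is writable before mounting
files_write_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)

# These rules need to be generalized. Only admin, initrc should have it:
files_relabel_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
files_write_all_dirs(mount_t)
files_dontaudit_write_root_dirs(mount_t)

fs_list_all(mount_t)
fs_getattr_all_fs(mount_t)
fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
fs_rw_anon_inodefs_files(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
fs_rw_nfsd_fs(mount_t)
fs_rw_removable_blk_files(mount_t)
#fs_manage_tmpfs_dirs(mount_t)
fs_read_tmpfs_symlinks(mount_t)
fs_read_fusefs_files(mount_t)
fs_manage_nfs_dirs(mount_t)
fs_read_nfs_symlinks(mount_t)
fs_manage_cgroup_dirs(mount_t)
fs_manage_cgroup_files(mount_t)
fs_dontaudit_write_tmpfs_dirs(mount_t)

mls_file_read_to_clearance(mount_t)
mls_file_write_to_clearance(mount_t)
mls_process_write_to_clearance(mount_t)

selinux_get_enforce_mode(mount_t)
selinux_mounton_fs(mount_t)

# Raw block-device access to fixed and removable disks.
storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
storage_rw_fuse(mount_t)

term_use_all_inherited_terms(mount_t)

auth_use_nsswitch(mount_t)

init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
init_stream_connect_script(mount_t)
init_rw_script_stream_sockets(mount_t)

logging_send_syslog_msg(mount_t)

miscfiles_read_localization(mount_t)

sysnet_use_portmap(mount_t)

seutil_read_config(mount_t)

userdom_use_all_users_fds(mount_t)
userdom_manage_user_home_content_dirs(mount_t)
userdom_read_user_home_content_symlinks(mount_t)

ifdef(`distro_redhat',`
	optional_policy(`
		auth_read_pam_console_data(mount_t)
		# mount config by default sets fscontext=removable_t
		fs_relabelfrom_dos_fs(mount_t)
	')
')

ifdef(`distro_ubuntu',`
	optional_policy(`
		# NOTE(review): this drops all confinement of mount_t on Ubuntu
		# builds; the rules above are then effectively moot there.
		unconfined_domain(mount_t)
	')
')

corecmd_exec_shell(mount_t)

# Extra reach when the allow_mount_anyfile tunable (declared above) is on.
tunable_policy(`allow_mount_anyfile',`
	files_read_non_security_files(mount_t)
	files_mounton_non_security(mount_t)
	files_rw_all_inherited_files(mount_t)
')

optional_policy(`
	# for nfs
	corenet_all_recvfrom_unlabeled(mount_t)
	corenet_all_recvfrom_netlabel(mount_t)
	corenet_tcp_sendrecv_generic_if(mount_t)
	corenet_raw_sendrecv_generic_if(mount_t)
	corenet_udp_sendrecv_generic_if(mount_t)
	corenet_tcp_sendrecv_generic_node(mount_t)
	corenet_raw_sendrecv_generic_node(mount_t)
	corenet_udp_sendrecv_generic_node(mount_t)
	corenet_tcp_sendrecv_all_ports(mount_t)
	corenet_udp_sendrecv_all_ports(mount_t)
	corenet_tcp_bind_generic_node(mount_t)
	corenet_udp_bind_generic_node(mount_t)
	corenet_tcp_bind_generic_port(mount_t)
	corenet_udp_bind_generic_port(mount_t)
	corenet_tcp_bind_reserved_port(mount_t)
	corenet_udp_bind_reserved_port(mount_t)
	corenet_tcp_bind_all_rpc_ports(mount_t)
	corenet_udp_bind_all_rpc_ports(mount_t)
	corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
	corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
	corenet_tcp_connect_all_ports(mount_t)

	fs_search_rpc(mount_t)

	rpc_stub(mount_t)

	rpc_domtrans_rpcd(mount_t)
')

optional_policy(`
	apm_use_fds(mount_t)
')

optional_policy(`
	cron_system_entry(mount_t, mount_exec_t)
')

optional_policy(`
	devicekit_read_state_power(mount_t)
')

optional_policy(`
	dbus_system_bus_client(mount_t)

	optional_policy(`
		hal_dbus_chat(mount_t)
	')
')

optional_policy(`
	hal_write_log(mount_t)
	hal_use_fds(mount_t)
	hal_dontaudit_rw_pipes(mount_t)
')

optional_policy(`
	ifdef(`hide_broken_symptoms',`
		# for a bug in the X server
		rhgb_dontaudit_rw_stream_sockets(mount_t)
		term_dontaudit_use_ptmx(mount_t)
	')
')

# Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711
optional_policy(`
	lvm_domtrans(mount_t)
')

optional_policy(`
	modutils_domtrans_insmod(mount_t)
	modutils_read_module_deps(mount_t)
')

optional_policy(`
	fstools_domtrans(mount_t)
')

optional_policy(`
	rhcs_stream_connect_gfs_controld(mount_t)
')

# for kernel package installation
optional_policy(`
	rpm_rw_pipes(mount_t)
	rpm_dontaudit_leaks(mount_t)
')

optional_policy(`
	samba_domtrans_smbmount(mount_t)
	samba_read_config(mount_t)
')

optional_policy(`
	ssh_exec(mount_t)
')

optional_policy(`
	usbmuxd_stream_connect(mount_t)
')

optional_policy(`
	userhelper_exec_console(mount_t)
')

optional_policy(`
	virt_read_blk_images(mount_t)
')

optional_policy(`
	vmware_exec_host(mount_t)
')
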
######################################
#
# showmount local policy
#

# Network client: TCP/UDP sockets for reaching the server's RPC ports.
allow showmount_t self:tcp_socket create_stream_socket_perms;
allow showmount_t self:udp_socket create_socket_perms;

kernel_read_system_state(showmount_t)

corenet_all_recvfrom_unlabeled(showmount_t)
corenet_all_recvfrom_netlabel(showmount_t)
corenet_tcp_sendrecv_generic_if(showmount_t)
corenet_udp_sendrecv_generic_if(showmount_t)
corenet_tcp_sendrecv_generic_node(showmount_t)
corenet_udp_sendrecv_generic_node(showmount_t)
corenet_tcp_sendrecv_all_ports(showmount_t)
corenet_udp_sendrecv_all_ports(showmount_t)
corenet_tcp_bind_generic_node(showmount_t)
corenet_udp_bind_generic_node(showmount_t)
corenet_tcp_bind_all_rpc_ports(showmount_t)
corenet_udp_bind_all_rpc_ports(showmount_t)
corenet_tcp_connect_all_ports(showmount_t)

# Read-only access to config; no write rules for showmount_t in this section.
files_read_etc_files(showmount_t)
files_read_etc_runtime_files(showmount_t)

miscfiles_read_localization(showmount_t)

sysnet_dns_name_resolve(showmount_t)

userdom_use_inherited_user_terminals(showmount_t)