[people/stevee/selinux-policy.git] / policy / modules / system / fstools.te


policy_module(fstools, 1.14.0)

########################################
#
# Declarations
#

type fsadm_t;
type fsadm_exec_t;
init_system_domain(fsadm_t, fsadm_exec_t)
role system_r types fsadm_t;

type fsadm_log_t;
logging_log_file(fsadm_log_t)

type fsadm_tmp_t;
files_tmp_file(fsadm_tmp_t)

type swapfile_t; # customizable
files_type(swapfile_t)

########################################
#
# local policy
#

# ipc_lock is for losetup
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
allow fsadm_t self:fd use;
allow fsadm_t self:fifo_file rw_fifo_file_perms;
allow fsadm_t self:sock_file read_sock_file_perms;
allow fsadm_t self:unix_dgram_socket create_socket_perms;
allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
allow fsadm_t self:unix_dgram_socket sendto;
allow fsadm_t self:unix_stream_socket connectto;
allow fsadm_t self:shm create_shm_perms;
allow fsadm_t self:sem create_sem_perms;
allow fsadm_t self:msgq create_msgq_perms;
allow fsadm_t self:msg { send receive };

can_exec(fsadm_t, fsadm_exec_t)

allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
allow fsadm_t fsadm_tmp_t:file manage_file_perms;
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })

# log files
allow fsadm_t fsadm_log_t:dir setattr;
manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
logging_log_filetrans(fsadm_t, fsadm_log_t, file)

# Enable swapping to files
allow fsadm_t swapfile_t:file { rw_file_perms swapon };

kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctls(fsadm_t)
# Allow console log change (updfstab)
kernel_change_ring_buffer_level(fsadm_t)
# mkreiserfs needs this
kernel_getattr_proc(fsadm_t)
kernel_getattr_core_if(fsadm_t)
# Access to /initrd devices
kernel_rw_unlabeled_dirs(fsadm_t)
kernel_rw_unlabeled_blk_files(fsadm_t)

corecmd_exec_bin(fsadm_t)
#RedHat bug #201164
corecmd_exec_shell(fsadm_t)
# cjp: these are probably not needed:
corecmd_read_bin_files(fsadm_t)
corecmd_read_bin_pipes(fsadm_t)
corecmd_read_bin_sockets(fsadm_t)

dev_getattr_all_chr_files(fsadm_t)
dev_dontaudit_getattr_all_blk_files(fsadm_t)
dev_dontaudit_getattr_generic_files(fsadm_t)
# mkreiserfs and other programs need this for UUID
dev_read_rand(fsadm_t)
dev_read_urand(fsadm_t)
# Recreate /dev/cdrom.
dev_manage_generic_symlinks(fsadm_t)
# fdisk needs this for early boot
dev_manage_generic_blk_files(fsadm_t)
# Access to /initrd devices
dev_search_usbfs(fsadm_t)
# for swapon
dev_read_sysfs(fsadm_t)
# Access to /initrd devices
dev_getattr_usbfs_dirs(fsadm_t)
# Access to /dev/mapper/control
dev_rw_lvm_control(fsadm_t)

domain_use_interactive_fds(fsadm_t)

files_getattr_boot_dirs(fsadm_t)
files_list_home(fsadm_t)
files_read_usr_files(fsadm_t)
files_read_etc_files(fsadm_t)
files_manage_lost_found(fsadm_t)
files_manage_isid_type_dirs(fsadm_t)
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
files_etc_filetrans_etc_runtime(fsadm_t, file)
# Access to /initrd devices
files_rw_isid_type_dirs(fsadm_t)
files_rw_isid_type_blk_files(fsadm_t)
files_read_isid_type_files(fsadm_t)

fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t)
fs_rw_ramfs_pipes(fsadm_t)
fs_rw_tmpfs_files(fsadm_t)
# remount file system to apply changes
fs_remount_xattr_fs(fsadm_t)
# for /dev/shm
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
files_search_all(fsadm_t)

mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t)

storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
storage_swapon_fixed_disk(fsadm_t)

term_use_console(fsadm_t)

init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)

logging_send_syslog_msg(fsadm_t)

miscfiles_read_localization(fsadm_t)

modutils_read_module_config(fsadm_t)
modutils_read_module_deps(fsadm_t)

seutil_read_config(fsadm_t)

userdom_use_user_terminals(fsadm_t)

ifdef(`distro_redhat',`
	optional_policy(`
		unconfined_domain(fsadm_t)
	')
')

optional_policy(`
	amanda_rw_dumpdates_files(fsadm_t)
	amanda_append_log_files(fsadm_t)
')

optional_policy(`
	# for smartctl cron jobs
	cron_system_entry(fsadm_t, fsadm_exec_t)
')

optional_policy(`
	nis_use_ypbind(fsadm_t)
')

optional_policy(`
	fs_dontaudit_write_ramfs_pipes(fsadm_t)
	rhgb_stub(fsadm_t)
')

optional_policy(`
	xen_append_log(fsadm_t)
	xen_rw_image_files(fsadm_t)
')
Commit	Line	Data
58c3da55	1
29af4c13	2	policy_module(fstools, 1.14.0)
58c3da55 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
fd89e19f	8
f0574fa9	9	type fsadm_t;
58c3da55	10	type fsadm_exec_t;
3f67f722	11	init_system_domain(fsadm_t, fsadm_exec_t)
58c3da55 CP	12	role system_r types fsadm_t;
58c3da55 CP	13
13d7cec6 CP	14	type fsadm_log_t;
	15	logging_log_file(fsadm_log_t)
	16
58c3da55 CP	17	type fsadm_tmp_t;
	18	files_tmp_file(fsadm_tmp_t)
	19
46c69cb2	20	type swapfile_t; # customizable
8fd36732	21	files_type(swapfile_t)
58c3da55 CP	22
58c3da55 CP	23	########################################
fd89e19f CP	24	#
	25	# local policy
	26	#
58c3da55 CP	27
58c3da55 CP	28	# ipc_lock is for losetup
6b19be33	29	allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
9d3bdc25	30	allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
58c3da55	31	allow fsadm_t self:fd use;
ef659a47 CP	32	allow fsadm_t self:fifo_file rw_fifo_file_perms;
ef659a47 CP	33	allow fsadm_t self:sock_file read_sock_file_perms;
58c3da55 CP	34	allow fsadm_t self:unix_dgram_socket create_socket_perms;
	35	allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
	36	allow fsadm_t self:unix_dgram_socket sendto;
	37	allow fsadm_t self:unix_stream_socket connectto;
	38	allow fsadm_t self:shm create_shm_perms;
	39	allow fsadm_t self:sem create_sem_perms;
	40	allow fsadm_t self:msgq create_msgq_perms;
	41	allow fsadm_t self:msg { send receive };
	42
	43	can_exec(fsadm_t, fsadm_exec_t)
	44
c0868a7a CP	45	allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
c0868a7a CP	46	allow fsadm_t fsadm_tmp_t:file manage_file_perms;
103fe280	47	files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
58c3da55	48
13d7cec6	49	# log files
c0868a7a	50	allow fsadm_t fsadm_log_t:dir setattr;
3f67f722 CP	51	manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
3f67f722 CP	52	logging_log_filetrans(fsadm_t, fsadm_log_t, file)
13d7cec6	53
58c3da55	54	# Enable swapping to files
6b19be33	55	allow fsadm_t swapfile_t:file { rw_file_perms swapon };
58c3da55 CP	56
58c3da55 CP	57	kernel_read_system_state(fsadm_t)
445522dc	58	kernel_read_kernel_sysctls(fsadm_t)
58c3da55 CP	59	# Allow console log change (updfstab)
58c3da55 CP	60	kernel_change_ring_buffer_level(fsadm_t)
a42ca7eb CP	61	# mkreiserfs needs this
a42ca7eb CP	62	kernel_getattr_proc(fsadm_t)
a3cf80d8	63	kernel_getattr_core_if(fsadm_t)
a42ca7eb	64	# Access to /initrd devices
445522dc CP	65	kernel_rw_unlabeled_dirs(fsadm_t)
445522dc CP	66	kernel_rw_unlabeled_blk_files(fsadm_t)
58c3da55	67
79ca728b CP	68	corecmd_exec_bin(fsadm_t)
	69	#RedHat bug #201164
	70	corecmd_exec_shell(fsadm_t)
	71	# cjp: these are probably not needed:
	72	corecmd_read_bin_files(fsadm_t)
	73	corecmd_read_bin_pipes(fsadm_t)
	74	corecmd_read_bin_sockets(fsadm_t)
b0d2243c	75
a1fcff33	76	dev_getattr_all_chr_files(fsadm_t)
a3cf80d8	77	dev_dontaudit_getattr_all_blk_files(fsadm_t)
8d2c3419	78	dev_dontaudit_getattr_generic_files(fsadm_t)
58c3da55 CP	79	# mkreiserfs and other programs need this for UUID
	80	dev_read_rand(fsadm_t)
	81	dev_read_urand(fsadm_t)
	82	# Recreate /dev/cdrom.
	83	dev_manage_generic_symlinks(fsadm_t)
72492557 CP	84	# fdisk needs this for early boot
72492557 CP	85	dev_manage_generic_blk_files(fsadm_t)
58c3da55 CP	86	# Access to /initrd devices
58c3da55 CP	87	dev_search_usbfs(fsadm_t)
783b3834	88	# for swapon
a0824843	89	dev_read_sysfs(fsadm_t)
a42ca7eb	90	# Access to /initrd devices
207c4763	91	dev_getattr_usbfs_dirs(fsadm_t)
a77e6524 CP	92	# Access to /dev/mapper/control
a77e6524 CP	93	dev_rw_lvm_control(fsadm_t)
58c3da55	94
79ca728b CP	95	domain_use_interactive_fds(fsadm_t)
	96
	97	files_getattr_boot_dirs(fsadm_t)
	98	files_list_home(fsadm_t)
	99	files_read_usr_files(fsadm_t)
	100	files_read_etc_files(fsadm_t)
	101	files_manage_lost_found(fsadm_t)
	102	files_manage_isid_type_dirs(fsadm_t)
	103	# Write to /etc/mtab.
	104	files_manage_etc_runtime_files(fsadm_t)
	105	files_etc_filetrans_etc_runtime(fsadm_t, file)
	106	# Access to /initrd devices
	107	files_rw_isid_type_dirs(fsadm_t)
	108	files_rw_isid_type_blk_files(fsadm_t)
	109	files_read_isid_type_files(fsadm_t)
	110
58c3da55 CP	111	fs_search_auto_mountpoints(fsadm_t)
58c3da55 CP	112	fs_getattr_xattr_fs(fsadm_t)
4d851fe9 CP	113	fs_rw_ramfs_pipes(fsadm_t)
4d851fe9 CP	114	fs_rw_tmpfs_files(fsadm_t)
58c3da55 CP	115	# remount file system to apply changes
58c3da55 CP	116	fs_remount_xattr_fs(fsadm_t)
a42ca7eb CP	117	# for /dev/shm
a42ca7eb CP	118	fs_search_tmpfs(fsadm_t)
4d851fe9	119	fs_getattr_tmpfs_dirs(fsadm_t)
a524921a	120	fs_read_tmpfs_symlinks(fsadm_t)
79ca728b CP	121	# Recreate /mnt/cdrom.
	122	files_manage_mnt_dirs(fsadm_t)
	123	# for tune2fs
	124	files_search_all(fsadm_t)
58c3da55	125
f8233ab7 CP	126	mls_file_read_all_levels(fsadm_t)
f8233ab7 CP	127	mls_file_write_all_levels(fsadm_t)
8967bf8b	128
58c3da55 CP	129	storage_raw_read_fixed_disk(fsadm_t)
	130	storage_raw_write_fixed_disk(fsadm_t)
	131	storage_raw_read_removable_device(fsadm_t)
	132	storage_raw_write_removable_device(fsadm_t)
	133	storage_read_scsi_generic(fsadm_t)
783b3834	134	storage_swapon_fixed_disk(fsadm_t)
58c3da55	135
a0824843 CP	136	term_use_console(fsadm_t)
a0824843 CP	137
1c1ac67f	138	init_use_fds(fsadm_t)
1815bad1	139	init_use_script_ptys(fsadm_t)
a3cf80d8	140	init_dontaudit_getattr_initctl(fsadm_t)
58c3da55	141
58c3da55 CP	142	logging_send_syslog_msg(fsadm_t)
	143
	144	miscfiles_read_localization(fsadm_t)
	145
1815bad1	146	modutils_read_module_config(fsadm_t)
77c71b54	147	modutils_read_module_deps(fsadm_t)
58c3da55 CP	148
	149	seutil_read_config(fsadm_t)
	150
296273a7	151	userdom_use_user_terminals(fsadm_t)
58c3da55	152
d6605bc4 CP	153	ifdef(`distro_redhat',`
	154	optional_policy(`
	155	unconfined_domain(fsadm_t)
	156	')
	157	')
	158
bb7170f6	159	optional_policy(`
46c69cb2 CP	160	amanda_rw_dumpdates_files(fsadm_t)
	161	amanda_append_log_files(fsadm_t)
	162	')
	163
bb7170f6	164	optional_policy(`
783b3834	165	# for smartctl cron jobs
3f67f722	166	cron_system_entry(fsadm_t, fsadm_exec_t)
783b3834 CP	167	')
783b3834 CP	168
bb7170f6	169	optional_policy(`
58c3da55 CP	170	nis_use_ypbind(fsadm_t)
58c3da55 CP	171	')
c8d5b357	172
bb7170f6	173	optional_policy(`
c8d5b357 CP	174	fs_dontaudit_write_ramfs_pipes(fsadm_t)
	175	rhgb_stub(fsadm_t)
	176	')
8d2c3419 CP	177
	178	optional_policy(`
	179	xen_append_log(fsadm_t)
77c71b54	180	xen_rw_image_files(fsadm_t)
8d2c3419	181	')