[people/stevee/selinux-policy.git] / policy / modules / system / fstools.te


policy_module(fstools,1.4.1)

########################################
#
# Declarations
#

type fsadm_t;
type fsadm_exec_t;
init_system_domain(fsadm_t,fsadm_exec_t)
mls_file_read_up(fsadm_t)
role system_r types fsadm_t;

type fsadm_log_t;
logging_log_file(fsadm_log_t)

type fsadm_tmp_t;
files_tmp_file(fsadm_tmp_t)

type swapfile_t; # customizable
files_type(swapfile_t)

########################################
#
# local policy
#

# ipc_lock is for losetup
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
allow fsadm_t self:fd use;
allow fsadm_t self:fifo_file rw_file_perms;
allow fsadm_t self:sock_file r_file_perms;
allow fsadm_t self:unix_dgram_socket create_socket_perms;
allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
allow fsadm_t self:unix_dgram_socket sendto;
allow fsadm_t self:unix_stream_socket connectto;
allow fsadm_t self:shm create_shm_perms;
allow fsadm_t self:sem create_sem_perms;
allow fsadm_t self:msgq create_msgq_perms;
allow fsadm_t self:msg { send receive };

can_exec(fsadm_t, fsadm_exec_t)

allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
allow fsadm_t fsadm_tmp_t:file create_file_perms;
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })

# log files
allow fsadm_t fsadm_log_t:file manage_file_perms;
allow fsadm_t fsadm_log_t:dir { rw_dir_perms setattr };
logging_log_filetrans(fsadm_t,fsadm_log_t,file)

# Enable swapping to files
allow fsadm_t swapfile_t:file { read write getattr swapon };

kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctls(fsadm_t)
# Allow console log change (updfstab)
kernel_change_ring_buffer_level(fsadm_t)
# mkreiserfs needs this
kernel_getattr_proc(fsadm_t)
kernel_getattr_core_if(fsadm_t)
# Access to /initrd devices
kernel_rw_unlabeled_dirs(fsadm_t)
kernel_rw_unlabeled_blk_files(fsadm_t)

files_getattr_boot_dirs(fsadm_t)

dev_getattr_all_chr_files(fsadm_t)
dev_dontaudit_getattr_all_blk_files(fsadm_t)
# mkreiserfs and other programs need this for UUID
dev_read_rand(fsadm_t)
dev_read_urand(fsadm_t)
# Recreate /dev/cdrom.
dev_manage_generic_symlinks(fsadm_t)
# fdisk needs this for early boot
dev_manage_generic_blk_files(fsadm_t)
# Access to /initrd devices
dev_search_usbfs(fsadm_t)
# for swapon
dev_read_sysfs(fsadm_t)
# Access to /initrd devices
dev_getattr_usbfs_dirs(fsadm_t)
# Access to /dev/mapper/control
dev_rw_lvm_control(fsadm_t)

fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t)
fs_rw_ramfs_pipes(fsadm_t)
fs_rw_tmpfs_files(fsadm_t)
# remount file system to apply changes
fs_remount_xattr_fs(fsadm_t)
# for /dev/shm
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)

mls_file_read_up(fsadm_t)
mls_file_write_down(fsadm_t)

storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
storage_swapon_fixed_disk(fsadm_t)

term_use_console(fsadm_t)

corecmd_list_bin(fsadm_t)
corecmd_list_sbin(fsadm_t)
corecmd_read_bin_symlinks(fsadm_t)
corecmd_read_sbin_symlinks(fsadm_t)
#RedHat bug #201164
corecmd_exec_shell(fsadm_t)

# cjp: these are probably not needed:
corecmd_read_bin_files(fsadm_t)
corecmd_read_bin_pipes(fsadm_t)
corecmd_read_bin_sockets(fsadm_t)
corecmd_read_sbin_files(fsadm_t)
corecmd_read_sbin_pipes(fsadm_t)
corecmd_read_sbin_sockets(fsadm_t)

domain_use_interactive_fds(fsadm_t)

files_list_home(fsadm_t)
files_read_usr_files(fsadm_t)
files_read_etc_files(fsadm_t)
files_manage_lost_found(fsadm_t)
files_manage_isid_type_dirs(fsadm_t)
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
files_etc_filetrans_etc_runtime(fsadm_t,file)
# Access to /initrd devices
files_rw_isid_type_dirs(fsadm_t)
files_rw_isid_type_blk_files(fsadm_t)
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
files_search_all(fsadm_t)

init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)

libs_use_ld_so(fsadm_t)
libs_use_shared_libs(fsadm_t)

logging_send_syslog_msg(fsadm_t)

miscfiles_read_localization(fsadm_t)

modutils_read_module_config(fsadm_t)

seutil_read_config(fsadm_t)

userdom_use_unpriv_users_fds(fsadm_t)

ifdef(`targeted_policy',`
	term_use_unallocated_ttys(fsadm_t)
	term_use_generic_ptys(fsadm_t)
')

tunable_policy(`read_default_t',`
	files_list_default(fsadm_t)
	files_read_default_files(fsadm_t)
	files_read_default_symlinks(fsadm_t)
	files_read_default_sockets(fsadm_t)
	files_read_default_pipes(fsadm_t)
')

optional_policy(`
	amanda_rw_dumpdates_files(fsadm_t)
	amanda_append_log_files(fsadm_t)
')

optional_policy(`
	# for smartctl cron jobs
	cron_system_entry(fsadm_t,fsadm_exec_t)
')

optional_policy(`
	nis_use_ypbind(fsadm_t)
')

optional_policy(`
	fs_dontaudit_write_ramfs_pipes(fsadm_t)
	rhgb_stub(fsadm_t)
')
Commit	Line	Data
58c3da55	1
d9845ae9	2	policy_module(fstools,1.4.1)
58c3da55 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
fd89e19f	8
f0574fa9	9	type fsadm_t;
58c3da55 CP	10	type fsadm_exec_t;
58c3da55 CP	11	init_system_domain(fsadm_t,fsadm_exec_t)
f0574fa9	12	mls_file_read_up(fsadm_t)
58c3da55 CP	13	role system_r types fsadm_t;
58c3da55 CP	14
13d7cec6 CP	15	type fsadm_log_t;
	16	logging_log_file(fsadm_log_t)
	17
58c3da55 CP	18	type fsadm_tmp_t;
	19	files_tmp_file(fsadm_tmp_t)
	20
46c69cb2	21	type swapfile_t; # customizable
8fd36732	22	files_type(swapfile_t)
58c3da55 CP	23
58c3da55 CP	24	########################################
fd89e19f CP	25	#
	26	# local policy
	27	#
58c3da55 CP	28
58c3da55 CP	29	# ipc_lock is for losetup
a0824843	30	allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
9d3bdc25	31	allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
58c3da55 CP	32	allow fsadm_t self:fd use;
58c3da55 CP	33	allow fsadm_t self:fifo_file rw_file_perms;
725926c5	34	allow fsadm_t self:sock_file r_file_perms;
58c3da55 CP	35	allow fsadm_t self:unix_dgram_socket create_socket_perms;
	36	allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
	37	allow fsadm_t self:unix_dgram_socket sendto;
	38	allow fsadm_t self:unix_stream_socket connectto;
	39	allow fsadm_t self:shm create_shm_perms;
	40	allow fsadm_t self:sem create_sem_perms;
	41	allow fsadm_t self:msgq create_msgq_perms;
	42	allow fsadm_t self:msg { send receive };
	43
	44	can_exec(fsadm_t, fsadm_exec_t)
	45
	46	allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
	47	allow fsadm_t fsadm_tmp_t:file create_file_perms;
103fe280	48	files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
58c3da55	49
13d7cec6 CP	50	# log files
	51	allow fsadm_t fsadm_log_t:file manage_file_perms;
	52	allow fsadm_t fsadm_log_t:dir { rw_dir_perms setattr };
	53	logging_log_filetrans(fsadm_t,fsadm_log_t,file)
	54
58c3da55	55	# Enable swapping to files
0f27d98d	56	allow fsadm_t swapfile_t:file { read write getattr swapon };
58c3da55 CP	57
58c3da55 CP	58	kernel_read_system_state(fsadm_t)
445522dc	59	kernel_read_kernel_sysctls(fsadm_t)
58c3da55 CP	60	# Allow console log change (updfstab)
58c3da55 CP	61	kernel_change_ring_buffer_level(fsadm_t)
a42ca7eb CP	62	# mkreiserfs needs this
a42ca7eb CP	63	kernel_getattr_proc(fsadm_t)
a3cf80d8	64	kernel_getattr_core_if(fsadm_t)
a42ca7eb	65	# Access to /initrd devices
445522dc CP	66	kernel_rw_unlabeled_dirs(fsadm_t)
445522dc CP	67	kernel_rw_unlabeled_blk_files(fsadm_t)
58c3da55	68
1c1ac67f	69	files_getattr_boot_dirs(fsadm_t)
b0d2243c	70
a1fcff33	71	dev_getattr_all_chr_files(fsadm_t)
a3cf80d8	72	dev_dontaudit_getattr_all_blk_files(fsadm_t)
58c3da55 CP	73	# mkreiserfs and other programs need this for UUID
	74	dev_read_rand(fsadm_t)
	75	dev_read_urand(fsadm_t)
	76	# Recreate /dev/cdrom.
	77	dev_manage_generic_symlinks(fsadm_t)
72492557 CP	78	# fdisk needs this for early boot
72492557 CP	79	dev_manage_generic_blk_files(fsadm_t)
58c3da55 CP	80	# Access to /initrd devices
58c3da55 CP	81	dev_search_usbfs(fsadm_t)
783b3834	82	# for swapon
a0824843	83	dev_read_sysfs(fsadm_t)
a42ca7eb	84	# Access to /initrd devices
207c4763	85	dev_getattr_usbfs_dirs(fsadm_t)
a77e6524 CP	86	# Access to /dev/mapper/control
a77e6524 CP	87	dev_rw_lvm_control(fsadm_t)
58c3da55 CP	88
	89	fs_search_auto_mountpoints(fsadm_t)
	90	fs_getattr_xattr_fs(fsadm_t)
4d851fe9 CP	91	fs_rw_ramfs_pipes(fsadm_t)
4d851fe9 CP	92	fs_rw_tmpfs_files(fsadm_t)
58c3da55 CP	93	# remount file system to apply changes
58c3da55 CP	94	fs_remount_xattr_fs(fsadm_t)
a42ca7eb CP	95	# for /dev/shm
a42ca7eb CP	96	fs_search_tmpfs(fsadm_t)
4d851fe9	97	fs_getattr_tmpfs_dirs(fsadm_t)
a524921a	98	fs_read_tmpfs_symlinks(fsadm_t)
58c3da55	99
d9845ae9	100	mls_file_read_up(fsadm_t)
8967bf8b CP	101	mls_file_write_down(fsadm_t)
8967bf8b CP	102
58c3da55 CP	103	storage_raw_read_fixed_disk(fsadm_t)
	104	storage_raw_write_fixed_disk(fsadm_t)
	105	storage_raw_read_removable_device(fsadm_t)
	106	storage_raw_write_removable_device(fsadm_t)
	107	storage_read_scsi_generic(fsadm_t)
783b3834	108	storage_swapon_fixed_disk(fsadm_t)
58c3da55	109
a0824843 CP	110	term_use_console(fsadm_t)
a0824843 CP	111
ae9e2716 CP	112	corecmd_list_bin(fsadm_t)
ae9e2716 CP	113	corecmd_list_sbin(fsadm_t)
1815bad1 CP	114	corecmd_read_bin_symlinks(fsadm_t)
1815bad1 CP	115	corecmd_read_sbin_symlinks(fsadm_t)
8708d9be CP	116	#RedHat bug #201164
	117	corecmd_exec_shell(fsadm_t)
	118
ae9e2716	119	# cjp: these are probably not needed:
1815bad1 CP	120	corecmd_read_bin_files(fsadm_t)
	121	corecmd_read_bin_pipes(fsadm_t)
	122	corecmd_read_bin_sockets(fsadm_t)
	123	corecmd_read_sbin_files(fsadm_t)
	124	corecmd_read_sbin_pipes(fsadm_t)
	125	corecmd_read_sbin_sockets(fsadm_t)
ae9e2716	126
15722ec9	127	domain_use_interactive_fds(fsadm_t)
58c3da55 CP	128
	129	files_list_home(fsadm_t)
	130	files_read_usr_files(fsadm_t)
8fd36732	131	files_read_etc_files(fsadm_t)
cbca03f5	132	files_manage_lost_found(fsadm_t)
9e04f5c5	133	files_manage_isid_type_dirs(fsadm_t)
58c3da55 CP	134	# Write to /etc/mtab.
58c3da55 CP	135	files_manage_etc_runtime_files(fsadm_t)
6714c268	136	files_etc_filetrans_etc_runtime(fsadm_t,file)
58c3da55	137	# Access to /initrd devices
9e04f5c5 CP	138	files_rw_isid_type_dirs(fsadm_t)
9e04f5c5 CP	139	files_rw_isid_type_blk_files(fsadm_t)
a42ca7eb CP	140	# Recreate /mnt/cdrom.
a42ca7eb CP	141	files_manage_mnt_dirs(fsadm_t)
d8636fc9 CP	142	# for tune2fs
d8636fc9 CP	143	files_search_all(fsadm_t)
58c3da55	144
1c1ac67f	145	init_use_fds(fsadm_t)
1815bad1	146	init_use_script_ptys(fsadm_t)
a3cf80d8	147	init_dontaudit_getattr_initctl(fsadm_t)
58c3da55 CP	148
	149	libs_use_ld_so(fsadm_t)
	150	libs_use_shared_libs(fsadm_t)
	151
	152	logging_send_syslog_msg(fsadm_t)
	153
	154	miscfiles_read_localization(fsadm_t)
	155
1815bad1	156	modutils_read_module_config(fsadm_t)
58c3da55 CP	157
	158	seutil_read_config(fsadm_t)
	159
103fe280	160	userdom_use_unpriv_users_fds(fsadm_t)
58c3da55	161
725926c5	162	ifdef(`targeted_policy',`
1815bad1 CP	163	term_use_unallocated_ttys(fsadm_t)
1815bad1 CP	164	term_use_generic_ptys(fsadm_t)
725926c5 CP	165	')
725926c5 CP	166
a42ca7eb CP	167	tunable_policy(`read_default_t',`
	168	files_list_default(fsadm_t)
	169	files_read_default_files(fsadm_t)
	170	files_read_default_symlinks(fsadm_t)
	171	files_read_default_sockets(fsadm_t)
	172	files_read_default_pipes(fsadm_t)
	173	')
	174
bb7170f6	175	optional_policy(`
46c69cb2 CP	176	amanda_rw_dumpdates_files(fsadm_t)
	177	amanda_append_log_files(fsadm_t)
	178	')
	179
bb7170f6	180	optional_policy(`
783b3834 CP	181	# for smartctl cron jobs
	182	cron_system_entry(fsadm_t,fsadm_exec_t)
	183	')
	184
bb7170f6	185	optional_policy(`
58c3da55 CP	186	nis_use_ypbind(fsadm_t)
58c3da55 CP	187	')
c8d5b357	188
bb7170f6	189	optional_policy(`
c8d5b357 CP	190	fs_dontaudit_write_ramfs_pipes(fsadm_t)
	191	rhgb_stub(fsadm_t)
	192	')