[people/stevee/selinux-policy.git] / policy / modules / system / mount.te


policy_module(mount,1.8.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow mount to mount any file
## </p>
## </desc>
gen_tunable(allow_mount_anyfile,false)

type mount_t;
type mount_exec_t;
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;

type mount_loopback_t; # customizable
files_type(mount_loopback_t)

type mount_tmp_t;
files_tmp_file(mount_tmp_t)

# causes problems with interfaces when
# this is optionally declared in monolithic
# policy--duplicate type declaration
type unconfined_mount_t;
application_domain(unconfined_mount_t,mount_exec_t)

########################################
#
# mount local policy
#

# setuid/setgid needed to mount cifs 
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };

allow mount_t mount_loopback_t:file read_file_perms;
allow mount_t self:netlink_route_socket r_netlink_socket_perms;

allow mount_t mount_tmp_t:file manage_file_perms;
allow mount_t mount_tmp_t:dir manage_dir_perms;

can_exec(mount_t, mount_exec_t)

files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })

kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)

dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)

storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)

fs_getattr_xattr_fs(mount_t)
fs_getattr_cifs(mount_t)
fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
fs_list_auto_mountpoints(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t)

term_use_all_terms(mount_t)

# required for mount.smbfs
corecmd_exec_bin(mount_t)

domain_use_interactive_fds(mount_t)

files_search_all(mount_t)
files_read_etc_files(mount_t)
files_manage_etc_runtime_files(mount_t)
files_etc_filetrans_etc_runtime(mount_t,file)
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
# These rules need to be generalized.  Only admin, initrc should have it:
files_relabelto_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
# cjp: this seems wrong, the type should probably be etc
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
files_list_mnt(mount_t)

init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)

libs_use_ld_so(mount_t)
libs_use_shared_libs(mount_t)

logging_send_syslog_msg(mount_t)

miscfiles_read_localization(mount_t)

mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)

sysnet_use_portmap(mount_t)

selinux_get_enforce_mode(mount_t)
seutil_read_config(mount_t)

userdom_use_all_users_fds(mount_t)

ifdef(`distro_redhat',`
	optional_policy(`
		auth_read_pam_console_data(mount_t)
		# mount config by default sets fscontext=removable_t
		fs_relabelfrom_dos_fs(mount_t)
	')
')

tunable_policy(`allow_mount_anyfile',`
	auth_read_all_dirs_except_shadow(mount_t)
	auth_read_all_files_except_shadow(mount_t)
	files_mounton_non_security(mount_t)
')

optional_policy(`
	# for nfs
	corenet_all_recvfrom_unlabeled(mount_t)
	corenet_all_recvfrom_netlabel(mount_t)
	corenet_tcp_sendrecv_all_if(mount_t)
	corenet_raw_sendrecv_all_if(mount_t)
	corenet_udp_sendrecv_all_if(mount_t)
	corenet_tcp_sendrecv_all_nodes(mount_t)
	corenet_raw_sendrecv_all_nodes(mount_t)
	corenet_udp_sendrecv_all_nodes(mount_t)
	corenet_tcp_sendrecv_all_ports(mount_t)
	corenet_udp_sendrecv_all_ports(mount_t)
	corenet_tcp_bind_all_nodes(mount_t)
	corenet_udp_bind_all_nodes(mount_t)
	corenet_tcp_bind_generic_port(mount_t)
	corenet_udp_bind_generic_port(mount_t)
	corenet_tcp_bind_reserved_port(mount_t)
	corenet_udp_bind_reserved_port(mount_t)
	corenet_tcp_bind_all_rpc_ports(mount_t)
	corenet_udp_bind_all_rpc_ports(mount_t)
	corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
	corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
	corenet_tcp_connect_all_ports(mount_t)

	fs_search_rpc(mount_t)

	sysnet_dns_name_resolve(mount_t)

	rpc_stub(mount_t)

	optional_policy(`
		nis_use_ypbind(mount_t)
	')
')

optional_policy(`
	apm_use_fds(mount_t)
')

optional_policy(`
	ifdef(`hide_broken_symptoms',`
		# for a bug in the X server
		rhgb_dontaudit_rw_stream_sockets(mount_t)
		term_dontaudit_use_ptmx(mount_t)
	')
')

# for kernel package installation
optional_policy(`
	rpm_rw_pipes(mount_t)
')

optional_policy(`
	samba_domtrans_smbmount(mount_t)
')

optional_policy(`
	nscd_socket_use(mount_t)
')

########################################
#
# Unconfined mount local policy
#

optional_policy(`
	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
	unconfined_domain(unconfined_mount_t)
')
Commit	Line	Data
3016a9ff	1
3480f3f2	2	policy_module(mount,1.8.0)
7a2f20a3 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
56e1b3d2 CP	9	## <desc>
	10	## <p>
	11	## Allow mount to mount any file
	12	## </p>
	13	## </desc>
	14	gen_tunable(allow_mount_anyfile,false)
56e1b3d2	15
f0574fa9	16	type mount_t;
3016a9ff	17	type mount_exec_t;
c9428d33	18	init_system_domain(mount_t,mount_exec_t)
bbd6a621	19	role system_r types mount_t;
3016a9ff	20
eac818f0 CP	21	type mount_loopback_t; # customizable
	22	files_type(mount_loopback_t)
	23
3016a9ff	24	type mount_tmp_t;
c9428d33	25	files_tmp_file(mount_tmp_t)
3016a9ff	26
350b6ab7 CP	27	# causes problems with interfaces when
	28	# this is optionally declared in monolithic
	29	# policy--duplicate type declaration
	30	type unconfined_mount_t;
	31	application_domain(unconfined_mount_t,mount_exec_t)
85a0f967	32
3016a9ff CP	33	########################################
	34	#
	35	# mount local policy
	36	#
	37
8cfa5a00 CP	38	# setuid/setgid needed to mount cifs
8cfa5a00 CP	39	allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
3016a9ff	40
c0868a7a	41	allow mount_t mount_loopback_t:file read_file_perms;
d6d16b97 CP	42	allow mount_t self:netlink_route_socket r_netlink_socket_perms;
d6d16b97 CP	43
c0868a7a CP	44	allow mount_t mount_tmp_t:file manage_file_perms;
	45	allow mount_t mount_tmp_t:dir manage_dir_perms;
	46
d6d16b97	47	can_exec(mount_t, mount_exec_t)
eac818f0	48
103fe280	49	files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
3016a9ff CP	50
3016a9ff CP	51	kernel_read_system_state(mount_t)
d9845ae9	52	kernel_read_kernel_sysctls(mount_t)
a3cf80d8	53	kernel_dontaudit_getattr_core_if(mount_t)
3016a9ff	54
f0c985ca KM	55	dev_getattr_all_blk_files(mount_t)
f0c985ca KM	56	dev_list_all_dev_nodes(mount_t)
93727e3f	57	dev_rw_lvm_control(mount_t)
a3cf80d8	58	dev_dontaudit_getattr_all_chr_files(mount_t)
b0d2243c CP	59	dev_dontaudit_getattr_memory_dev(mount_t)
b0d2243c CP	60	dev_getattr_sound_dev(mount_t)
3016a9ff CP	61
	62	storage_raw_read_fixed_disk(mount_t)
	63	storage_raw_write_fixed_disk(mount_t)
	64	storage_raw_read_removable_device(mount_t)
	65	storage_raw_write_removable_device(mount_t)
	66
0fd9dc55	67	fs_getattr_xattr_fs(mount_t)
8cfa5a00	68	fs_getattr_cifs(mount_t)
763c441e CP	69	fs_mount_all_fs(mount_t)
	70	fs_unmount_all_fs(mount_t)
	71	fs_remount_all_fs(mount_t)
cf6a7d89	72	fs_relabelfrom_all_fs(mount_t)
0f27d98d	73	fs_list_auto_mountpoints(mount_t)
4d851fe9	74	fs_rw_tmpfs_chr_files(mount_t)
a524921a	75	fs_read_tmpfs_symlinks(mount_t)
3016a9ff	76
93727e3f	77	term_use_all_terms(mount_t)
3016a9ff	78
daa0e0b0	79	# required for mount.smbfs
c9428d33	80	corecmd_exec_bin(mount_t)
a2d8246b	81
15722ec9	82	domain_use_interactive_fds(mount_t)
a2d8246b	83
9e04f5c5	84	files_search_all(mount_t)
8fd36732	85	files_read_etc_files(mount_t)
c9428d33	86	files_manage_etc_runtime_files(mount_t)
6714c268	87	files_etc_filetrans_etc_runtime(mount_t,file)
c9428d33 CP	88	files_mounton_all_mountpoints(mount_t)
c9428d33 CP	89	files_unmount_rootfs(mount_t)
dc771ff4	90	# These rules need to be generalized. Only admin, initrc should have it:
763c441e CP	91	files_relabelto_all_file_type_fs(mount_t)
763c441e CP	92	files_mount_all_file_type_fs(mount_t)
ce1b44aa	93	files_unmount_all_file_type_fs(mount_t)
ae9e2716 CP	94	# for when /etc/mtab loses its type
ae9e2716 CP	95	# cjp: this seems wrong, the type should probably be etc
9e04f5c5	96	files_read_isid_type_files(mount_t)
72492557 CP	97	# For reading cert files
72492557 CP	98	files_read_usr_files(mount_t)
a5e2133b	99	files_list_mnt(mount_t)
3016a9ff	100
1c1ac67f	101	init_use_fds(mount_t)
1815bad1	102	init_use_script_ptys(mount_t)
a3cf80d8	103	init_dontaudit_getattr_initctl(mount_t)
daa0e0b0	104
c9428d33 CP	105	libs_use_ld_so(mount_t)
c9428d33 CP	106	libs_use_shared_libs(mount_t)
3016a9ff	107
c9428d33	108	logging_send_syslog_msg(mount_t)
3016a9ff CP	109
	110	miscfiles_read_localization(mount_t)
	111
f8233ab7 CP	112	mls_file_read_all_levels(mount_t)
f8233ab7 CP	113	mls_file_write_all_levels(mount_t)
f0574fa9	114
98a8ead4 CP	115	sysnet_use_portmap(mount_t)
98a8ead4 CP	116
a5e2133b	117	selinux_get_enforce_mode(mount_t)
d9845ae9	118	seutil_read_config(mount_t)
a5e2133b	119
15722ec9	120	userdom_use_all_users_fds(mount_t)
daa0e0b0	121
254bbc7b	122	ifdef(`distro_redhat',`
bb7170f6	123	optional_policy(`
c9428d33	124	auth_read_pam_console_data(mount_t)
0c73cd25	125	# mount config by default sets fscontext=removable_t
763c441e	126	fs_relabelfrom_dos_fs(mount_t)
0c73cd25 CP	127	')
0c73cd25 CP	128	')
daa0e0b0	129
350b6ab7 CP	130	tunable_policy(`allow_mount_anyfile',`
	131	auth_read_all_dirs_except_shadow(mount_t)
	132	auth_read_all_files_except_shadow(mount_t)
	133	files_mounton_non_security(mount_t)
165b42d2 CP	134	')
165b42d2 CP	135
bb7170f6	136	optional_policy(`
0c73cd25	137	# for nfs
19006686 CP	138	corenet_all_recvfrom_unlabeled(mount_t)
19006686 CP	139	corenet_all_recvfrom_netlabel(mount_t)
0fd9dc55 CP	140	corenet_tcp_sendrecv_all_if(mount_t)
	141	corenet_raw_sendrecv_all_if(mount_t)
	142	corenet_udp_sendrecv_all_if(mount_t)
	143	corenet_tcp_sendrecv_all_nodes(mount_t)
	144	corenet_raw_sendrecv_all_nodes(mount_t)
	145	corenet_udp_sendrecv_all_nodes(mount_t)
	146	corenet_tcp_sendrecv_all_ports(mount_t)
	147	corenet_udp_sendrecv_all_ports(mount_t)
	148	corenet_tcp_bind_all_nodes(mount_t)
	149	corenet_udp_bind_all_nodes(mount_t)
	150	corenet_tcp_bind_generic_port(mount_t)
	151	corenet_udp_bind_generic_port(mount_t)
	152	corenet_tcp_bind_reserved_port(mount_t)
	153	corenet_udp_bind_reserved_port(mount_t)
e9935943 CP	154	corenet_tcp_bind_all_rpc_ports(mount_t)
e9935943 CP	155	corenet_udp_bind_all_rpc_ports(mount_t)
35a4b349 CP	156	corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
35a4b349 CP	157	corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
98a8ead4	158	corenet_tcp_connect_all_ports(mount_t)
ab940a4c	159
4d851fe9	160	fs_search_rpc(mount_t)
bb437244	161
0d96ff33 CP	162	sysnet_dns_name_resolve(mount_t)
	163
	164	rpc_stub(mount_t)
	165
bb7170f6	166	optional_policy(`
ab940a4c CP	167	nis_use_ypbind(mount_t)
ab940a4c CP	168	')
daa0e0b0 CP	169	')
daa0e0b0 CP	170
bb7170f6	171	optional_policy(`
1c1ac67f	172	apm_use_fds(mount_t)
4483ee84 CP	173	')
4483ee84 CP	174
bb7170f6	175	optional_policy(`
c8d5b357 CP	176	ifdef(`hide_broken_symptoms',`
	177	# for a bug in the X server
	178	rhgb_dontaudit_rw_stream_sockets(mount_t)
	179	term_dontaudit_use_ptmx(mount_t)
	180	')
	181	')
	182
b24f35d8	183	# for kernel package installation
bb7170f6	184	optional_policy(`
1815bad1	185	rpm_rw_pipes(mount_t)
b24f35d8 CP	186	')
b24f35d8 CP	187
bb7170f6	188	optional_policy(`
84c92239 CP	189	samba_domtrans_smbmount(mount_t)
84c92239 CP	190	')
85a0f967	191
a5e2133b CP	192	optional_policy(`
	193	nscd_socket_use(mount_t)
	194	')
	195
85a0f967 CP	196	########################################
	197	#
	198	# Unconfined mount local policy
	199	#
	200
350b6ab7	201	optional_policy(`
6714c268	202	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
85a0f967 CP	203	unconfined_domain(unconfined_mount_t)
85a0f967 CP	204	')