
policy_module(mount,1.8.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow mount to mount any file
## </p>
## </desc>
# Boolean defaults to off; the extra rules it gates are in the
# tunable_policy block under "mount local policy" below.
gen_tunable(allow_mount_anyfile,false)

# Confined mount domain and its entrypoint executable.
type mount_t;
type mount_exec_t;
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;

# Label for loopback image files that mount_t may read (see the
# read_file_perms rule below); marked customizable for local relabeling.
type mount_loopback_t; # customizable
files_type(mount_loopback_t)

# Scratch files mount_t creates under the tmp directories.
type mount_tmp_t;
files_tmp_file(mount_tmp_t)

# causes problems with interfaces when
# this is optionally declared in monolithic
# policy--duplicate type declaration
# Unconfined variant sharing the same entrypoint; its rules are in the
# "Unconfined mount local policy" section at the end of this file.
type unconfined_mount_t;
application_domain(unconfined_mount_t,mount_exec_t)

########################################
#
# mount local policy
#

# setuid/setgid needed to mount cifs
# NOTE(review): this set is broad -- sys_admin (required for mount(2)),
# sys_rawio and dac_override (bypasses DAC file permission checks) each
# carry well beyond mounting; review any addition here with that in mind.
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };

# Read-only access to loopback images; no write/relabel on this type.
allow mount_t mount_loopback_t:file read_file_perms;
allow mount_t self:netlink_route_socket r_netlink_socket_perms;

allow mount_t mount_tmp_t:file manage_file_perms;
allow mount_t mount_tmp_t:dir manage_dir_perms;

can_exec(mount_t, mount_exec_t)

# New files and dirs mount_t creates in tmp get mount_tmp_t.
files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })

kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)

dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)

# Raw read AND write on fixed disks and removable devices; these are
# not scoped to a particular device, so mount_t can reach any block
# device the kernel exposes.
storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)

fs_getattr_xattr_fs(mount_t)
fs_getattr_cifs(mount_t)
# Mount/unmount/remount of every filesystem type, plus relabelfrom,
# rather than an allow-list of expected filesystem types.
fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
fs_list_auto_mountpoints(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t)

term_use_all_terms(mount_t)

# required for mount.smbfs
corecmd_exec_bin(mount_t)

domain_use_interactive_fds(mount_t)

files_search_all(mount_t)
files_read_etc_files(mount_t)
# mtab-style runtime files under /etc are created and managed here.
files_manage_etc_runtime_files(mount_t)
files_etc_filetrans_etc_runtime(mount_t,file)
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
# NOTE(review): relabelto on all file types lets mount_t change the label
# of any mounted file-type fs; this is the broadest file permission in the
# domain and is the one the comment above flags for tightening.
files_relabelto_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
# cjp: this seems wrong, the type should probably be etc
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
files_list_mnt(mount_t)

init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)

libs_use_ld_so(mount_t)
libs_use_shared_libs(mount_t)

logging_send_syslog_msg(mount_t)

miscfiles_read_localization(mount_t)

# On MLS builds mount_t reads and writes files at every sensitivity
# level, i.e. it is exempt from MLS constraints for file access.
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)

sysnet_use_portmap(mount_t)

selinux_get_enforce_mode(mount_t)
seutil_read_config(mount_t)

userdom_use_all_users_fds(mount_t)

# Red Hat-only: pam_console data and relabelfrom on DOS filesystems.
ifdef(`distro_redhat',`
	optional_policy(`
		auth_read_pam_console_data(mount_t)
		# mount config by default sets fscontext=removable_t
		fs_relabelfrom_dos_fs(mount_t)
	')
')

# Only active when allow_mount_anyfile is turned on (default false above):
# read access to all non-shadow dirs/files and mounton of non-security
# file types.
tunable_policy(`allow_mount_anyfile',`
	auth_read_all_dirs_except_shadow(mount_t)
	auth_read_all_files_except_shadow(mount_t)
	files_mounton_non_security(mount_t)
')

optional_policy(`
	# for nfs
	# Network access for NFS mounts: all interfaces, nodes and ports,
	# including binding reserved and RPC ports and connecting to all ports.
	corenet_all_recvfrom_unlabeled(mount_t)
	corenet_all_recvfrom_netlabel(mount_t)
	corenet_tcp_sendrecv_all_if(mount_t)
	corenet_raw_sendrecv_all_if(mount_t)
	corenet_udp_sendrecv_all_if(mount_t)
	corenet_tcp_sendrecv_all_nodes(mount_t)
	corenet_raw_sendrecv_all_nodes(mount_t)
	corenet_udp_sendrecv_all_nodes(mount_t)
	corenet_tcp_sendrecv_all_ports(mount_t)
	corenet_udp_sendrecv_all_ports(mount_t)
	corenet_tcp_bind_all_nodes(mount_t)
	corenet_udp_bind_all_nodes(mount_t)
	corenet_tcp_bind_generic_port(mount_t)
	corenet_udp_bind_generic_port(mount_t)
	corenet_tcp_bind_reserved_port(mount_t)
	corenet_udp_bind_reserved_port(mount_t)
	corenet_tcp_bind_all_rpc_ports(mount_t)
	corenet_udp_bind_all_rpc_ports(mount_t)
	corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
	corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
	corenet_tcp_connect_all_ports(mount_t)

	fs_search_rpc(mount_t)

	sysnet_dns_name_resolve(mount_t)

	rpc_stub(mount_t)

	optional_policy(`
		nis_use_ypbind(mount_t)
	')
')

optional_policy(`
	apm_use_fds(mount_t)
')

optional_policy(`
	ifdef(`hide_broken_symptoms',`
		# for a bug in the X server
		rhgb_dontaudit_rw_stream_sockets(mount_t)
		term_dontaudit_use_ptmx(mount_t)
	')
')

# for kernel package installation
optional_policy(`
	rpm_rw_pipes(mount_t)
')

# CIFS/SMB mounts are handed off to the samba smbmount domain.
optional_policy(`
	samba_domtrans_smbmount(mount_t)
')

optional_policy(`
	nscd_socket_use(mount_t)
')

########################################
#
# Unconfined mount local policy
#

# unconfined_mount_t gets the unconfined domain attribute, so none of the
# restrictions applied to mount_t above apply to it.
optional_policy(`
	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
	unconfined_domain(unconfined_mount_t)
')