projects / people / stevee / selinux-policy.git / blame
| Commit | Line | Data |
|---|---|---|
| 58c3da55 | 1 | |
| d3d27022 | 2 | policy_module(fstools,1.2.0) |
| 58c3da55 CP |
3 | |
| 4 | ######################################## | |
| 5 | # | |
| 6 | # Declarations | |
| 7 | # | |
| fd89e19f | 8 | |
| f0574fa9 | 9 | type fsadm_t; |
| 58c3da55 CP |
10 | type fsadm_exec_t; |
| 11 | init_system_domain(fsadm_t,fsadm_exec_t) | |
| f0574fa9 | 12 | mls_file_read_up(fsadm_t) |
| 58c3da55 CP |
13 | role system_r types fsadm_t; |
| 14 | ||
| 15 | type fsadm_tmp_t; | |
| 16 | files_tmp_file(fsadm_tmp_t) | |
| 17 | ||
| 18 | type swapfile_t; | |
| 8fd36732 | 19 | files_type(swapfile_t) |
| 58c3da55 CP |
20 | |
| 21 | ######################################## | |
| fd89e19f CP |
22 | # |
| 23 | # local policy | |
| 24 | # | |
| 58c3da55 CP |
25 | |
| 26 | # ipc_lock is for losetup | |
| a0824843 | 27 | allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search }; |
| 9d3bdc25 | 28 | allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap }; |
| 58c3da55 CP |
29 | allow fsadm_t self:fd use; |
| 30 | allow fsadm_t self:fifo_file rw_file_perms; | |
| 725926c5 | 31 | allow fsadm_t self:sock_file r_file_perms; |
| 58c3da55 CP |
32 | allow fsadm_t self:unix_dgram_socket create_socket_perms; |
| 33 | allow fsadm_t self:unix_stream_socket create_stream_socket_perms; | |
| 34 | allow fsadm_t self:unix_dgram_socket sendto; | |
| 35 | allow fsadm_t self:unix_stream_socket connectto; | |
| 36 | allow fsadm_t self:shm create_shm_perms; | |
| 37 | allow fsadm_t self:sem create_sem_perms; | |
| 38 | allow fsadm_t self:msgq create_msgq_perms; | |
| 39 | allow fsadm_t self:msg { send receive }; | |
| 40 | ||
| 41 | can_exec(fsadm_t, fsadm_exec_t) | |
| 42 | ||
| 43 | allow fsadm_t fsadm_tmp_t:dir create_dir_perms; | |
| 44 | allow fsadm_t fsadm_tmp_t:file create_file_perms; | |
| 9d594986 | 45 | files_filetrans_tmp(fsadm_t, fsadm_tmp_t, { file dir }) |
| 58c3da55 CP |
46 | |
| 47 | # Enable swapping to files | |
| 48 | allow fsadm_t swapfile_t:file { getattr swapon }; | |
| 49 | ||
| 50 | kernel_read_system_state(fsadm_t) | |
| 445522dc | 51 | kernel_read_kernel_sysctls(fsadm_t) |
| 58c3da55 CP |
52 | # Allow console log change (updfstab) |
| 53 | kernel_change_ring_buffer_level(fsadm_t) | |
| a42ca7eb CP |
54 | # mkreiserfs needs this |
| 55 | kernel_getattr_proc(fsadm_t) | |
| 56 | # Access to /initrd devices | |
| 445522dc CP |
57 | kernel_rw_unlabeled_dirs(fsadm_t) |
| 58 | kernel_rw_unlabeled_blk_files(fsadm_t) | |
| 58c3da55 | 59 | |
| a1fcff33 | 60 | dev_getattr_all_chr_files(fsadm_t) |
| 58c3da55 CP |
61 | # mkreiserfs and other programs need this for UUID |
| 62 | dev_read_rand(fsadm_t) | |
| 63 | dev_read_urand(fsadm_t) | |
| 64 | # Recreate /dev/cdrom. | |
| 65 | dev_manage_generic_symlinks(fsadm_t) | |
| 66 | # Access to /initrd devices | |
| 67 | dev_search_usbfs(fsadm_t) | |
| 783b3834 | 68 | # for swapon |
| a0824843 | 69 | dev_read_sysfs(fsadm_t) |
| a42ca7eb | 70 | # Access to /initrd devices |
| 207c4763 | 71 | dev_getattr_usbfs_dirs(fsadm_t) |
| a77e6524 CP |
72 | # Access to /dev/mapper/control |
| 73 | dev_rw_lvm_control(fsadm_t) | |
| 58c3da55 CP |
74 | |
| 75 | fs_search_auto_mountpoints(fsadm_t) | |
| 76 | fs_getattr_xattr_fs(fsadm_t) | |
| 4d851fe9 CP |
77 | fs_rw_ramfs_pipes(fsadm_t) |
| 78 | fs_rw_tmpfs_files(fsadm_t) | |
| 58c3da55 CP |
79 | # remount file system to apply changes |
| 80 | fs_remount_xattr_fs(fsadm_t) | |
| a42ca7eb CP |
81 | # for /dev/shm |
| 82 | fs_search_tmpfs(fsadm_t) | |
| 4d851fe9 | 83 | fs_getattr_tmpfs_dirs(fsadm_t) |
| a524921a | 84 | fs_read_tmpfs_symlinks(fsadm_t) |
| 58c3da55 | 85 | |
| 8967bf8b CP |
86 | mls_file_write_down(fsadm_t) |
| 87 | ||
| 58c3da55 CP |
88 | storage_raw_read_fixed_disk(fsadm_t) |
| 89 | storage_raw_write_fixed_disk(fsadm_t) | |
| 90 | storage_raw_read_removable_device(fsadm_t) | |
| 91 | storage_raw_write_removable_device(fsadm_t) | |
| 92 | storage_read_scsi_generic(fsadm_t) | |
| 783b3834 | 93 | storage_swapon_fixed_disk(fsadm_t) |
| 58c3da55 | 94 | |
| a0824843 CP |
95 | term_use_console(fsadm_t) |
| 96 | ||
| ae9e2716 CP |
97 | corecmd_list_bin(fsadm_t) |
| 98 | corecmd_list_sbin(fsadm_t) | |
| 99 | corecmd_read_bin_symlink(fsadm_t) | |
| 100 | corecmd_read_sbin_symlink(fsadm_t) | |
| 101 | # cjp: these are probably not needed: | |
| 102 | corecmd_read_bin_file(fsadm_t) | |
| 103 | corecmd_read_bin_pipe(fsadm_t) | |
| 104 | corecmd_read_bin_socket(fsadm_t) | |
| 105 | corecmd_read_sbin_file(fsadm_t) | |
| 106 | corecmd_read_sbin_pipe(fsadm_t) | |
| 107 | corecmd_read_sbin_socket(fsadm_t) | |
| 108 | ||
| 58c3da55 CP |
109 | domain_use_wide_inherit_fd(fsadm_t) |
| 110 | ||
| 111 | files_list_home(fsadm_t) | |
| 112 | files_read_usr_files(fsadm_t) | |
| 8fd36732 | 113 | files_read_etc_files(fsadm_t) |
| cbca03f5 | 114 | files_manage_lost_found(fsadm_t) |
| 9e04f5c5 | 115 | files_manage_isid_type_dirs(fsadm_t) |
| 58c3da55 CP |
116 | # Write to /etc/mtab. |
| 117 | files_manage_etc_runtime_files(fsadm_t) | |
| 118 | # Access to /initrd devices | |
| 9e04f5c5 CP |
119 | files_rw_isid_type_dirs(fsadm_t) |
| 120 | files_rw_isid_type_blk_files(fsadm_t) | |
| a42ca7eb CP |
121 | # Recreate /mnt/cdrom. |
| 122 | files_manage_mnt_dirs(fsadm_t) | |
| d8636fc9 CP |
123 | # for tune2fs |
| 124 | files_search_all(fsadm_t) | |
| 58c3da55 CP |
125 | |
| 126 | init_use_fd(fsadm_t) | |
| 127 | init_use_script_pty(fsadm_t) | |
| 128 | ||
| 129 | libs_use_ld_so(fsadm_t) | |
| 130 | libs_use_shared_libs(fsadm_t) | |
| 131 | ||
| 132 | logging_send_syslog_msg(fsadm_t) | |
| 133 | ||
| 134 | miscfiles_read_localization(fsadm_t) | |
| 135 | ||
| 136 | modutils_read_module_conf(fsadm_t) | |
| 137 | ||
| 138 | seutil_read_config(fsadm_t) | |
| 139 | ||
| 140 | userdom_use_unpriv_users_fd(fsadm_t) | |
| 141 | ||
| 725926c5 CP |
142 | ifdef(`targeted_policy',` |
| 143 | term_use_unallocated_tty(fsadm_t) | |
| 144 | term_use_generic_pty(fsadm_t) | |
| 145 | ') | |
| 146 | ||
| a42ca7eb CP |
147 | tunable_policy(`read_default_t',` |
| 148 | files_list_default(fsadm_t) | |
| 149 | files_read_default_files(fsadm_t) | |
| 150 | files_read_default_symlinks(fsadm_t) | |
| 151 | files_read_default_sockets(fsadm_t) | |
| 152 | files_read_default_pipes(fsadm_t) | |
| 153 | ') | |
| 154 | ||
| 1328802a | 155 | optional_policy(`cron',` |
| 783b3834 CP |
156 | # for smartctl cron jobs |
| 157 | cron_system_entry(fsadm_t,fsadm_exec_t) | |
| 158 | ') | |
| 159 | ||
| 1328802a | 160 | optional_policy(`nis',` |
| 58c3da55 CP |
161 | nis_use_ypbind(fsadm_t) |
| 162 | ') |