[people/stevee/selinux-policy.git] / refpolicy / policy / modules / system / fstools.te


policy_module(fstools,1.0)

########################################
#
# Declarations
#
type fsadm_t;
type fsadm_exec_t;
init_system_domain(fsadm_t,fsadm_exec_t)
role system_r types fsadm_t;

type fsadm_tmp_t;
files_tmp_file(fsadm_tmp_t)

type swapfile_t;
files_file_type(swapfile_t)

########################################

# ipc_lock is for losetup
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
allow fsadm_t self:fd use;
allow fsadm_t self:fifo_file rw_file_perms;
allow fsadm_t self:unix_dgram_socket create_socket_perms;
allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
allow fsadm_t self:unix_dgram_socket sendto;
allow fsadm_t self:unix_stream_socket connectto;
allow fsadm_t self:shm create_shm_perms;
allow fsadm_t self:sem create_sem_perms;
allow fsadm_t self:msgq create_msgq_perms;
allow fsadm_t self:msg { send receive };

can_exec(fsadm_t, fsadm_exec_t)

allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
allow fsadm_t fsadm_tmp_t:file create_file_perms;
files_create_tmp_files(fsadm_t, fsadm_tmp_t, { file dir })

# Enable swapping to files
allow fsadm_t swapfile_t:file { getattr swapon };

kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctl(fsadm_t)
# Allow console log change (updfstab)
kernel_change_ring_buffer_level(fsadm_t)

# mkreiserfs and other programs need this for UUID
dev_read_rand(fsadm_t)
dev_read_urand(fsadm_t)
# Recreate /dev/cdrom.
dev_manage_generic_symlinks(fsadm_t)
# Access to /initrd devices
dev_search_usbfs(fsadm_t)
# for swapon
dev_getattr_sysfs_dir(fsadm_t)
dev_search_sysfs(fsadm_t)

fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t)
# remount file system to apply changes
fs_remount_xattr_fs(fsadm_t)

storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
storage_swapon_fixed_disk(fsadm_t)

domain_use_wide_inherit_fd(fsadm_t)

files_list_home(fsadm_t)
files_read_usr_files(fsadm_t)
files_read_generic_etc_files(fsadm_t)
files_list_mnt(fsadm_t)
files_manage_lost_found(fsadm_t)
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
# Access to /initrd devices
files_rw_isid_type_dir(fsadm_t)
files_rw_isid_type_blk_node(fsadm_t)

init_use_fd(fsadm_t)
init_use_script_pty(fsadm_t)

libs_use_ld_so(fsadm_t)
libs_use_shared_libs(fsadm_t)

logging_send_syslog_msg(fsadm_t)

miscfiles_read_localization(fsadm_t)

modutils_read_module_conf(fsadm_t)

seutil_read_config(fsadm_t)

userdom_use_unpriv_users_fd(fsadm_t)

optional_policy(`cron.te',`
	# for smartctl cron jobs
	cron_system_entry(fsadm_t,fsadm_exec_t)
')

optional_policy(`nis.te',`
	nis_use_ypbind(fsadm_t)
')

ifdef(`TODO',`
# for /dev/shm
allow fsadm_t tmpfs_t:dir { getattr search };

allow fsadm_t bin_t:dir r_dir_perms;
allow fsadm_t bin_t:notdevfile_class_set r_file_perms;
allow fsadm_t sbin_t:dir r_dir_perms;
allow fsadm_t sbin_t:notdevfile_class_set r_file_perms;
if (read_default_t) {
allow fsadm_t default_t:dir r_dir_perms;
allow fsadm_t default_t:notdevfile_class_set r_file_perms;
}

# mkreiserfs needs this
allow fsadm_t proc_t:filesystem getattr;

allow fsadm_t file_t:dir { search read getattr rmdir create };

# Recreate /mnt/cdrom.
allow fsadm_t mnt_t:dir { rmdir create };

# Access terminals.
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')

# Access to /initrd devices
allow fsadm_t unlabeled_t:dir rw_dir_perms;
allow fsadm_t unlabeled_t:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir getattr;

') dnl end TODO
Commit	Line	Data
58c3da55 CP	1
	2	policy_module(fstools,1.0)
	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8	type fsadm_t;
	9	type fsadm_exec_t;
	10	init_system_domain(fsadm_t,fsadm_exec_t)
	11	role system_r types fsadm_t;
	12
	13	type fsadm_tmp_t;
	14	files_tmp_file(fsadm_tmp_t)
	15
	16	type swapfile_t;
	17	files_file_type(swapfile_t)
	18
	19	########################################
	20
	21	# ipc_lock is for losetup
	22	allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
	23	allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
	24	allow fsadm_t self:fd use;
	25	allow fsadm_t self:fifo_file rw_file_perms;
	26	allow fsadm_t self:unix_dgram_socket create_socket_perms;
	27	allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
	28	allow fsadm_t self:unix_dgram_socket sendto;
	29	allow fsadm_t self:unix_stream_socket connectto;
	30	allow fsadm_t self:shm create_shm_perms;
	31	allow fsadm_t self:sem create_sem_perms;
	32	allow fsadm_t self:msgq create_msgq_perms;
	33	allow fsadm_t self:msg { send receive };
	34
	35	can_exec(fsadm_t, fsadm_exec_t)
	36
	37	allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
	38	allow fsadm_t fsadm_tmp_t:file create_file_perms;
	39	files_create_tmp_files(fsadm_t, fsadm_tmp_t, { file dir })
	40
	41	# Enable swapping to files
	42	allow fsadm_t swapfile_t:file { getattr swapon };
	43
	44	kernel_read_system_state(fsadm_t)
	45	kernel_read_kernel_sysctl(fsadm_t)
	46	# Allow console log change (updfstab)
	47	kernel_change_ring_buffer_level(fsadm_t)
	48
	49	# mkreiserfs and other programs need this for UUID
	50	dev_read_rand(fsadm_t)
	51	dev_read_urand(fsadm_t)
	52	# Recreate /dev/cdrom.
	53	dev_manage_generic_symlinks(fsadm_t)
	54	# Access to /initrd devices
	55	dev_search_usbfs(fsadm_t)
783b3834 CP	56	# for swapon
	57	dev_getattr_sysfs_dir(fsadm_t)
	58	dev_search_sysfs(fsadm_t)
58c3da55 CP	59
	60	fs_search_auto_mountpoints(fsadm_t)
	61	fs_getattr_xattr_fs(fsadm_t)
	62	# remount file system to apply changes
	63	fs_remount_xattr_fs(fsadm_t)
	64
	65	storage_raw_read_fixed_disk(fsadm_t)
	66	storage_raw_write_fixed_disk(fsadm_t)
	67	storage_raw_read_removable_device(fsadm_t)
	68	storage_raw_write_removable_device(fsadm_t)
	69	storage_read_scsi_generic(fsadm_t)
783b3834	70	storage_swapon_fixed_disk(fsadm_t)
58c3da55 CP	71
	72	domain_use_wide_inherit_fd(fsadm_t)
	73
	74	files_list_home(fsadm_t)
	75	files_read_usr_files(fsadm_t)
	76	files_read_generic_etc_files(fsadm_t)
	77	files_list_mnt(fsadm_t)
cbca03f5	78	files_manage_lost_found(fsadm_t)
58c3da55 CP	79	# Write to /etc/mtab.
	80	files_manage_etc_runtime_files(fsadm_t)
	81	# Access to /initrd devices
	82	files_rw_isid_type_dir(fsadm_t)
	83	files_rw_isid_type_blk_node(fsadm_t)
	84
	85	init_use_fd(fsadm_t)
	86	init_use_script_pty(fsadm_t)
	87
	88	libs_use_ld_so(fsadm_t)
	89	libs_use_shared_libs(fsadm_t)
	90
	91	logging_send_syslog_msg(fsadm_t)
	92
	93	miscfiles_read_localization(fsadm_t)
	94
	95	modutils_read_module_conf(fsadm_t)
	96
	97	seutil_read_config(fsadm_t)
	98
	99	userdom_use_unpriv_users_fd(fsadm_t)
	100
783b3834 CP	101	optional_policy(`cron.te',`
	102	# for smartctl cron jobs
	103	cron_system_entry(fsadm_t,fsadm_exec_t)
	104	')
	105
58c3da55 CP	106	optional_policy(`nis.te',`
	107	nis_use_ypbind(fsadm_t)
	108	')
	109
	110	ifdef(`TODO',`
58c3da55 CP	111	# for /dev/shm
	112	allow fsadm_t tmpfs_t:dir { getattr search };
	113
	114	allow fsadm_t bin_t:dir r_dir_perms;
	115	allow fsadm_t bin_t:notdevfile_class_set r_file_perms;
	116	allow fsadm_t sbin_t:dir r_dir_perms;
	117	allow fsadm_t sbin_t:notdevfile_class_set r_file_perms;
	118	if (read_default_t) {
	119	allow fsadm_t default_t:dir r_dir_perms;
	120	allow fsadm_t default_t:notdevfile_class_set r_file_perms;
	121	}
	122
	123	# mkreiserfs needs this
	124	allow fsadm_t proc_t:filesystem getattr;
	125
58c3da55 CP	126	allow fsadm_t file_t:dir { search read getattr rmdir create };
	127
	128	# Recreate /mnt/cdrom.
	129	allow fsadm_t mnt_t:dir { rmdir create };
	130
58c3da55 CP	131	# Access terminals.
	132	ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
	133
58c3da55 CP	134	# Access to /initrd devices
	135	allow fsadm_t unlabeled_t:dir rw_dir_perms;
	136	allow fsadm_t unlabeled_t:blk_file rw_file_perms;
	137	allow fsadm_t usbfs_t:dir getattr;
	138
	139	') dnl end TODO