policy_module(fstools, 1.11.0)

########################################
#
# Declarations
#

# All filesystem administration tools (fsck, mkfs, tune2fs, losetup,
# swapon, fdisk, ...) share one domain, fsadm_t, entered through the
# fsadm_exec_t entrypoint.  It is declared a system domain so init
# scripts can transition into it at boot, and is reachable from system_r.
type fsadm_t;
type fsadm_exec_t;
init_system_domain(fsadm_t, fsadm_exec_t)
role system_r types fsadm_t;

# Log files written by the tools.
type fsadm_log_t;
logging_log_file(fsadm_log_t)

# Scratch files the tools create under /tmp.
type fsadm_tmp_t;
files_tmp_file(fsadm_tmp_t)

# Label for swap files.  Marked customizable so an administrator's label on
# a swap file is meant to survive a filesystem relabel.
type swapfile_t; # customizable
files_type(swapfile_t)

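########################################
#
# local policy
#

# fsadm_t is privileged by necessity: it reads and writes raw block devices
# and remounts filesystems.  Keep the process-level grants below to what
# the tools actually need.
#
# ipc_lock is for losetup; sys_rawio/sys_admin cover raw device access and
# mount operations; dac_override/dac_read_search let fsck walk any tree.
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
# NOTE: this is a complement set -- every process permission NOT listed is
# granted.  execstack must therefore be listed explicitly alongside execmem
# and execheap; a list that repeats execmem instead of naming execstack
# silently grants an executable stack, which no filesystem tool needs.
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow fsadm_t self:fd use;
allow fsadm_t self:fifo_file rw_fifo_file_perms;
allow fsadm_t self:sock_file read_sock_file_perms;
allow fsadm_t self:unix_dgram_socket create_socket_perms;
allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
allow fsadm_t self:unix_dgram_socket sendto;
allow fsadm_t self:unix_stream_socket connectto;
# SysV IPC between the domain's own processes.
allow fsadm_t self:shm create_shm_perms;
allow fsadm_t self:sem create_sem_perms;
allow fsadm_t self:msgq create_msgq_perms;
allow fsadm_t self:msg { send receive };

# Tools may exec other fstools binaries without leaving the domain
# (e.g. fsck dispatching to a filesystem-specific fsck).
can_exec(fsadm_t, fsadm_exec_t)

# Scratch files under /tmp, created with the fsadm_tmp_t label.
allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
allow fsadm_t fsadm_tmp_t:file manage_file_perms;
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })

# log files
allow fsadm_t fsadm_log_t:dir setattr;
manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
logging_log_filetrans(fsadm_t, fsadm_log_t, file)

# Enable swapping to files: swapon is the only non-read/write permission
# needed on swapfile_t.
allow fsadm_t swapfile_t:file { rw_file_perms swapon };
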
# The remaining access is expressed through reference policy interfaces,
# grouped by the module that owns the target type.

#
# kernel: /proc, sysctls, unlabeled initrd devices
#
kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctls(fsadm_t)
# mkreiserfs needs these
kernel_getattr_proc(fsadm_t)
kernel_getattr_core_if(fsadm_t)
# Allow console log level change (updfstab)
kernel_change_ring_buffer_level(fsadm_t)
# Devices in the initrd have no label yet; read/write access to unlabeled
# dirs and block nodes is what lets the tools run before relabeling.
kernel_rw_unlabeled_dirs(fsadm_t)
kernel_rw_unlabeled_blk_files(fsadm_t)

#
# dev: device nodes
#
dev_getattr_all_chr_files(fsadm_t)
dev_dontaudit_getattr_all_blk_files(fsadm_t)
dev_dontaudit_getattr_generic_files(fsadm_t)
# mkreiserfs and other programs need this for UUID generation
dev_read_rand(fsadm_t)
dev_read_urand(fsadm_t)
# for swapon
dev_read_sysfs(fsadm_t)
# Recreate /dev/cdrom.
dev_manage_generic_symlinks(fsadm_t)
# fdisk needs this for early boot (create/remove generic block nodes)
dev_manage_generic_blk_files(fsadm_t)
# Access to /initrd devices
dev_search_usbfs(fsadm_t)
dev_getattr_usbfs_dirs(fsadm_t)
# Access to /dev/mapper/control
dev_rw_lvm_control(fsadm_t)

#
# fs: the filesystems themselves
#
fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t)
# remount file system to apply changes
fs_remount_xattr_fs(fsadm_t)
fs_rw_ramfs_pipes(fsadm_t)
fs_rw_tmpfs_files(fsadm_t)
# for /dev/shm
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)

#
# mls: on MLS/MCS policies the tools handle file data at every sensitivity
# level, so the domain is exempted from the usual level constraints.
#
mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t)

#
# storage: raw block device access is the whole point of the domain
#
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
storage_swapon_fixed_disk(fsadm_t)

term_use_console(fsadm_t)

#
# corecmd: helper binaries
#
corecmd_exec_bin(fsadm_t)
# RedHat bug #201164.  The shell runs in fsadm_t (no domain transition),
# so anything it executes inherits the capabilities granted above.
corecmd_exec_shell(fsadm_t)
# cjp: these are probably not needed:
corecmd_read_bin_files(fsadm_t)
corecmd_read_bin_pipes(fsadm_t)
corecmd_read_bin_sockets(fsadm_t)

domain_use_interactive_fds(fsadm_t)

#
# files: generic file types
#
files_getattr_boot_dirs(fsadm_t)
files_list_home(fsadm_t)
files_read_usr_files(fsadm_t)
files_read_etc_files(fsadm_t)
# fsck recreates lost+found
files_manage_lost_found(fsadm_t)
files_manage_isid_type_dirs(fsadm_t)
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
files_etc_filetrans_etc_runtime(fsadm_t, file)
# Access to /initrd devices, which still carry the initial SID
files_rw_isid_type_dirs(fsadm_t)
files_rw_isid_type_blk_files(fsadm_t)
files_read_isid_type_files(fsadm_t)
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
files_search_all(fsadm_t)

#
# init / libs / logging / misc
#
init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)

libs_use_ld_so(fsadm_t)
libs_use_shared_libs(fsadm_t)

logging_send_syslog_msg(fsadm_t)

miscfiles_read_localization(fsadm_t)

modutils_read_module_config(fsadm_t)

seutil_read_config(fsadm_t)

# Inherit descriptors from unprivileged user domains (an admin running the
# tools from a user session); this is fd use only, not file access.
userdom_use_unpriv_users_fds(fsadm_t)

# Tunable and optional access.  Each optional_policy block takes effect only
# when the named module is present in the loaded policy.

# read_default_t: allow the tools to read objects labeled default_t.
tunable_policy(`read_default_t',`
	files_list_default(fsadm_t)
	files_read_default_files(fsadm_t)
	files_read_default_pipes(fsadm_t)
	files_read_default_sockets(fsadm_t)
	files_read_default_symlinks(fsadm_t)
')

optional_policy(`
	# amanda: dumpdates and log files
	amanda_rw_dumpdates_files(fsadm_t)
	amanda_append_log_files(fsadm_t)
')

optional_policy(`
	# for smartctl cron jobs: system cron may run fsadm_exec_t in fsadm_t
	cron_system_entry(fsadm_t, fsadm_exec_t)
')

optional_policy(`
	nis_use_ypbind(fsadm_t)
')

optional_policy(`
	# rhgb boot splash
	fs_dontaudit_write_ramfs_pipes(fsadm_t)
	rhgb_stub(fsadm_t)
')

optional_policy(`
	xen_append_log(fsadm_t)
')