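policy_module(fstools, 1.14.0)

########################################
#
# Declarations
#

# fsadm_t is the domain for filesystem administration tools; the rules
# below name losetup, updfstab, mkreiserfs, fdisk, swapon, tune2fs and
# smartctl. fsadm_exec_t labels the entrypoint executables for the domain.
type fsadm_t;
type fsadm_exec_t;
init_system_domain(fsadm_t, fsadm_exec_t)
role system_r types fsadm_t;

# Log files written by the tools.
type fsadm_log_t;
logging_log_file(fsadm_log_t)

# Temporary files the tools create under /tmp.
type fsadm_tmp_t;
files_tmp_file(fsadm_tmp_t)

# Swap files. The "customizable" marker feeds the build's customizable_types
# list, presumably so hand-applied labels survive a relabel -- verify against
# the build.
type swapfile_t; # customizable
files_type(swapfile_t)

########################################
#
# local policy
#

# ipc_lock is for losetup
# sys_rawio and sys_admin are the high-value capabilities here: together with
# the storage_raw_* rules below they give the domain raw block-device access.
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
# Negated set: every process permission EXCEPT the ones listed is allowed, so
# anything not named here (e.g. execstack, dyntransition) remains permitted.
# An explicit allow-list would be tighter if the tools' needs are known.
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap };
allow fsadm_t self:fd use;
allow fsadm_t self:fifo_file rw_fifo_file_perms;
allow fsadm_t self:sock_file read_sock_file_perms;
allow fsadm_t self:unix_dgram_socket create_socket_perms;
allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
allow fsadm_t self:unix_dgram_socket sendto;
allow fsadm_t self:unix_stream_socket connectto;
# SysV IPC (shm, sem, msgq, msg) with itself only.
allow fsadm_t self:shm create_shm_perms;
allow fsadm_t self:sem create_sem_perms;
allow fsadm_t self:msgq create_msgq_perms;
allow fsadm_t self:msg { send receive };

# Tools in this domain may run other fsadm_exec_t binaries in place
# (can_exec: no domain transition).
can_exec(fsadm_t, fsadm_exec_t)

# Temporary files: full control of its own tmp type, created under /tmp.
allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
allow fsadm_t fsadm_tmp_t:file manage_file_perms;
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })

# log files
allow fsadm_t fsadm_log_t:dir setattr;
manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
logging_log_filetrans(fsadm_t, fsadm_log_t, file)

# Enable swapping to files
allow fsadm_t swapfile_t:file { rw_file_perms swapon };

kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctls(fsadm_t)
# Allow console log change (updfstab)
kernel_change_ring_buffer_level(fsadm_t)
# mkreiserfs needs this
kernel_getattr_proc(fsadm_t)
kernel_getattr_core_if(fsadm_t)
# Access to /initrd devices
# Unlabeled dirs and block devices: broad, but needed before the filesystem
# has been labeled.
kernel_rw_unlabeled_dirs(fsadm_t)
kernel_rw_unlabeled_blk_files(fsadm_t)

corecmd_exec_bin(fsadm_t)
#RedHat bug #201164
corecmd_exec_shell(fsadm_t)
# cjp: these are probably not needed:
corecmd_read_bin_files(fsadm_t)
corecmd_read_bin_pipes(fsadm_t)
corecmd_read_bin_sockets(fsadm_t)

dev_getattr_all_chr_files(fsadm_t)
dev_dontaudit_getattr_all_blk_files(fsadm_t)
dev_dontaudit_getattr_generic_files(fsadm_t)
# mkreiserfs and other programs need this for UUID
dev_read_rand(fsadm_t)
dev_read_urand(fsadm_t)
# Recreate /dev/cdrom.
dev_manage_generic_symlinks(fsadm_t)
# fdisk needs this for early boot
dev_manage_generic_blk_files(fsadm_t)
# Access to /initrd devices
dev_search_usbfs(fsadm_t)
# for swapon
dev_read_sysfs(fsadm_t)
# Access to /initrd devices
dev_getattr_usbfs_dirs(fsadm_t)
# Access to /dev/mapper/control
dev_rw_lvm_control(fsadm_t)

domain_use_interactive_fds(fsadm_t)

files_getattr_boot_dirs(fsadm_t)
files_list_home(fsadm_t)
files_read_usr_files(fsadm_t)
files_read_etc_files(fsadm_t)
files_manage_lost_found(fsadm_t)
files_manage_isid_type_dirs(fsadm_t)
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
files_etc_filetrans_etc_runtime(fsadm_t, file)
# Access to /initrd devices
files_rw_isid_type_dirs(fsadm_t)
files_rw_isid_type_blk_files(fsadm_t)
files_read_isid_type_files(fsadm_t)

fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t)
fs_rw_ramfs_pipes(fsadm_t)
fs_rw_tmpfs_files(fsadm_t)
# remount file system to apply changes
fs_remount_xattr_fs(fsadm_t)
# for /dev/shm
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
files_search_all(fsadm_t)

# MLS: the tools operate on data at every sensitivity level.
mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t)

# Raw read/write of fixed and removable disks; this, not the file rules, is
# where the domain's real power lies.
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
storage_swapon_fixed_disk(fsadm_t)

term_use_console(fsadm_t)

init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)

logging_send_syslog_msg(fsadm_t)

miscfiles_read_localization(fsadm_t)

modutils_read_module_config(fsadm_t)
modutils_read_module_deps(fsadm_t)

seutil_read_config(fsadm_t)

userdom_use_user_terminals(fsadm_t)

# On Red Hat builds fsadm_t is made unconfined whenever the unconfined
# module is present; every rule above is then effectively superseded.
ifdef(`distro_redhat',`
	optional_policy(`
		unconfined_domain(fsadm_t)
	')
')

optional_policy(`
	amanda_rw_dumpdates_files(fsadm_t)
	amanda_append_log_files(fsadm_t)
')

optional_policy(`
	# for smartctl cron jobs
	cron_system_entry(fsadm_t, fsadm_exec_t)
')

optional_policy(`
	nis_use_ypbind(fsadm_t)
')

optional_policy(`
	fs_dontaudit_write_ramfs_pipes(fsadm_t)
	rhgb_stub(fsadm_t)
')

optional_policy(`
	xen_append_log(fsadm_t)
	xen_rw_image_files(fsadm_t)
')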