policy_module(mount, 1.11.1)

########################################
#
# Declarations
#

# Off by default. When switched on, the tunable_policy block further down
# widens mount_t to read every file and directory except shadow and to mount
# on top of any non-security file.
## <desc>
## <p>
## Allow the mount command to mount any directory or file.
## </p>
## </desc>
gen_tunable(allow_mount_anyfile, false)

# Confined domain for mount(8)/umount(8). mount_exec_t is the entrypoint;
# init_system_domain() marks mount_t as a system domain entered through it
# (the interface's exact rules live in init.if, not here).
type mount_t;
type mount_exec_t;
init_system_domain(mount_t, mount_exec_t)
role system_r types mount_t;

# Label an administrator assigns to image files meant to be loop-mounted.
# This file only grants mount_t read access to it (read_file_perms), not write.
type mount_loopback_t; # customizable
files_type(mount_loopback_t)

# Scratch files and directories mount_t creates in /tmp
# (see files_tmp_filetrans in the local policy section).
type mount_tmp_t;
files_tmp_file(mount_tmp_t)

# causes problems with interfaces when
# this is optionally declared in monolithic
# policy--duplicate type declaration
# NOTE(review): unconfined_mount_t shares the mount_exec_t entrypoint with
# mount_t, so which domain a mount execution lands in is decided by the
# caller's transition rule, which is not in this file. Its own allow rules
# are in the optional block at the bottom of the file.
type unconfined_mount_t;
application_domain(unconfined_mount_t, mount_exec_t)

########################################
#
# mount local policy
#

# Capability set. NOTE(review): dac_override and sys_rawio here, together with
# the raw fixed/removable disk read-write rules further down, mean a compromise
# of this domain is roughly equivalent to root on the block layer. Keep the set
# minimal and record the reason for each member; chown and sys_tty_config have
# no reason recorded.
# setuid/setgid needed to mount cifs
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };

# Loopback images are read-only from mount_t's point of view.
allow mount_t mount_loopback_t:file read_file_perms;

# Private scratch space in /tmp. Files are created with mount_tmp_t via the
# filetrans rule below, so other /tmp content is not reachable through these.
allow mount_t mount_tmp_t:file manage_file_perms;
allow mount_t mount_tmp_t:dir manage_dir_perms;

# mount may re-exec its own binary without leaving the domain.
can_exec(mount_t, mount_exec_t)

files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })

kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)

# required for mount.smbfs
# NOTE(review): this is exec without a domain transition, so any mount.*
# helper started through it runs in mount_t and inherits every rule in this
# file. Only the samba smbmount helper gets a transition (see
# samba_domtrans_smbmount in the optional block below), and only when the
# samba module is present.
corecmd_exec_bin(mount_t)

dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
# No reason recorded for sound device access; confirm it is still needed.
dev_getattr_sound_dev(mount_t)
# Early devtmpfs, before udev relabel
dev_dontaudit_rw_generic_chr_files(mount_t)

domain_use_interactive_fds(mount_t)

files_search_all(mount_t)
files_read_etc_files(mount_t)
# Runtime files under /etc (e.g. mtab, see the isid comment below).
files_manage_etc_runtime_files(mount_t)
files_etc_filetrans_etc_runtime(mount_t, file)
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
# NOTE(review): relabelto on every file type lets mount_t assign arbitrary
# file labels to a mounted filesystem (presumably for the context= family of
# mount options). Together with mount/unmount of every file-type filesystem
# these are the rules most worth tightening.
files_relabelto_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
# cjp: this seems wrong, the type should probably be etc
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
files_list_mnt(mount_t)

fs_getattr_xattr_fs(mount_t)
fs_getattr_cifs(mount_t)
# Filesystem-level mount/unmount/remount/relabel for the filesystem types the
# policy declares (fs.if), alongside the files_*_all_file_type_fs rules above.
fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
fs_list_auto_mountpoints(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t)

# MLS: mount_t is trusted to read and write files at every sensitivity level,
# i.e. it is exempt from MLS confinement for file access.
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)

selinux_get_enforce_mode(mount_t)

# Direct read and write of raw block devices, fixed and removable. This
# bypasses file-level labelling on those devices entirely.
storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)

term_use_all_terms(mount_t)

# NSS lookups; presumably host/user/group resolution for network filesystems.
auth_use_nsswitch(mount_t)

init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)

logging_send_syslog_msg(mount_t)

miscfiles_read_localization(mount_t)

sysnet_use_portmap(mount_t)

# Read-only access to the SELinux configuration (read, not manage).
seutil_read_config(mount_t)

userdom_use_all_users_fds(mount_t)

ifdef(`distro_redhat',`
	optional_policy(`
		auth_read_pam_console_data(mount_t)
		# mount config by default sets fscontext=removable_t
		# (the relabel rule exists for that default removable-media
		# option, not for general relabelling of DOS filesystems)
		fs_relabelfrom_dos_fs(mount_t)
	')
')

ifdef(`distro_ubuntu',`
	# NOTE(review): on Ubuntu builds this makes mount_t fully unconfined, so
	# every allow rule above is moot there. It only takes effect when the
	# unconfined module is part of the build (optional_policy).
	optional_policy(`
		unconfined_domain(mount_t)
	')
')

# Opt-in widening (allow_mount_anyfile, default false): read every directory
# and file except shadow, and mount on top of any non-security file. Shadow
# and security-labelled files stay out of reach even with the boolean on.
tunable_policy(`allow_mount_anyfile',`
	auth_read_all_dirs_except_shadow(mount_t)
	auth_read_all_files_except_shadow(mount_t)
	files_mounton_non_security(mount_t)
')

# Network access for NFS. NOTE(review): this is very wide for a mount helper:
# send/receive on any interface, node and port for TCP/UDP/raw, TCP connect to
# every port, binding generic, reserved and RPC ports, and acceptance of
# unlabeled packets. The block is presumably dropped as a whole when the rpc
# module is not built, since it uses rpc_stub.
optional_policy(`
	# for nfs
	corenet_all_recvfrom_unlabeled(mount_t)
	corenet_all_recvfrom_netlabel(mount_t)
	corenet_tcp_sendrecv_all_if(mount_t)
	corenet_raw_sendrecv_all_if(mount_t)
	corenet_udp_sendrecv_all_if(mount_t)
	corenet_tcp_sendrecv_all_nodes(mount_t)
	corenet_raw_sendrecv_all_nodes(mount_t)
	corenet_udp_sendrecv_all_nodes(mount_t)
	corenet_tcp_sendrecv_all_ports(mount_t)
	corenet_udp_sendrecv_all_ports(mount_t)
	corenet_tcp_bind_all_nodes(mount_t)
	corenet_udp_bind_all_nodes(mount_t)
	corenet_tcp_bind_generic_port(mount_t)
	corenet_udp_bind_generic_port(mount_t)
	corenet_tcp_bind_reserved_port(mount_t)
	corenet_udp_bind_reserved_port(mount_t)
	corenet_tcp_bind_all_rpc_ports(mount_t)
	corenet_udp_bind_all_rpc_ports(mount_t)
	# Binding other reserved ports is silently denied rather than logged.
	corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
	corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
	corenet_tcp_connect_all_ports(mount_t)

	fs_search_rpc(mount_t)

	rpc_stub(mount_t)
')

# Use file descriptors inherited from apm, when the apm module is present.
optional_policy(`
	apm_use_fds(mount_t)
')

# Only compiled when hide_broken_symptoms is set: silence (dontaudit, not
# allow) rhgb stream-socket and ptmx denials attributed to an X server bug.
optional_policy(`
	ifdef(`hide_broken_symptoms',`
		# for a bug in the X server
		rhgb_dontaudit_rw_stream_sockets(mount_t)
		term_dontaudit_use_ptmx(mount_t)
	')
')

# for kernel package installation
# (read/write on pipes inherited from rpm, when the rpm module is present)
optional_policy(`
	rpm_rw_pipes(mount_t)
')

# With the samba module present, executing the smbmount helper transitions out
# of mount_t into samba's smbmount domain. Without it the helper runs inside
# mount_t through the corecmd_exec_bin rule above.
optional_policy(`
	samba_domtrans_smbmount(mount_t)
')

########################################
#
# Unconfined mount local policy
#

# unconfined_mount_t: no restrictions at all when the unconfined module is
# built. The etc_runtime filetrans is kept so files it creates under /etc
# still get the runtime label rather than the parent directory's. If the
# unconfined module is absent this block is dropped and the type is left with
# only what application_domain() gave it in the declarations.
optional_policy(`
	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
	unconfined_domain(unconfined_mount_t)
')