trunk: merge strict and targeted policies. merge shlib_t into lib_t.
# mount.te -- reference policy module for the mount/umount programs.
#
# mount_t      : domain the mount/umount binaries run in
# mount_exec_t : label of those binaries, the entry point into mount_t
# mount_loopback_t : files mount may use as loopback images (read-only)
# mount_tmp_t  : temporary files/dirs created by mount
# unconfined_mount_t : unconfined variant, only active with the unconfined module
policy_module(mount,1.8.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow mount to mount any file
## </p>
## </desc>
# Boolean, off by default; the rules it unlocks are in the tunable_policy block below.
gen_tunable(allow_mount_anyfile,false)

# mount_t is declared as an init system domain entered through mount_exec_t.
type mount_t;
type mount_exec_t;
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;

# Label for loopback image files; mount_t only gets read access to them (see below).
type mount_loopback_t; # customizable

files_type(mount_loopback_t)

# Temporary files/dirs created by mount_t land here via files_tmp_filetrans below.
type mount_tmp_t;
files_tmp_file(mount_tmp_t)

# causes problems with interfaces when
# this is optionally declared in monolithic
# policy--duplicate type declaration
type unconfined_mount_t;
application_domain(unconfined_mount_t,mount_exec_t)

########################################
#
# mount local policy
#

# setuid/setgid needed to mount cifs
# sys_admin is what mount(2)/umount(2) themselves require. dac_override,
# chown and sys_rawio are broad bypasses (DAC checks, ownership changes,
# raw device I/O) -- review before extending this set.
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };

# Loopback images are read-only; the netlink route socket is read-side only.
allow mount_t mount_loopback_t:file read_file_perms;
allow mount_t self:netlink_route_socket r_netlink_socket_perms;

# Full management of mount's own temporary files and directories.
allow mount_t mount_tmp_t:file manage_file_perms;
allow mount_t mount_tmp_t:dir manage_dir_perms;

# mount_t may execute its own binary again without a domain change.
can_exec(mount_t, mount_exec_t)

# New files/dirs created by mount_t in tmp get mount_tmp_t.
files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })

kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)

# Device node discovery (block devices, LVM control); chr/memory device
# getattr is silenced rather than allowed.
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)

# Raw read/write on fixed and removable disks: direct block-device access,
# so keep the ways into mount_t limited to mount_exec_t.
storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)

# mount/unmount/remount/relabelfrom across all filesystem types.
fs_getattr_xattr_fs(mount_t)
fs_getattr_cifs(mount_t)
fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
fs_list_auto_mountpoints(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t)

term_use_all_terms(mount_t)

# required for mount.smbfs
corecmd_exec_bin(mount_t)

domain_use_interactive_fds(mount_t)

# Broad file-tree access: search everywhere, manage etc_runtime (mtab),
# mount on any mountpoint, unmount the root filesystem.
files_search_all(mount_t)
files_read_etc_files(mount_t)
files_manage_etc_runtime_files(mount_t)
files_etc_filetrans_etc_runtime(mount_t,file)
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
# (relabelto/mount/unmount on every file type -- effectively any file-backed fs)
files_relabelto_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
# cjp: this seems wrong, the type should probably be etc
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
files_list_mnt(mount_t)

init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)

libs_use_ld_so(mount_t)
libs_use_shared_libs(mount_t)

logging_send_syslog_msg(mount_t)

miscfiles_read_localization(mount_t)

# MLS override: file read and write at all sensitivity levels.
mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)

sysnet_use_portmap(mount_t)

selinux_get_enforce_mode(mount_t)
seutil_read_config(mount_t)

userdom_use_all_users_fds(mount_t)

# Red Hat only, and only if the auth module is present.
ifdef(`distro_redhat',`
optional_policy(`
auth_read_pam_console_data(mount_t)
# mount config by default sets fscontext=removable_t
fs_relabelfrom_dos_fs(mount_t)
')
')

# Off by default (gen_tunable above). When enabled, mount_t may read nearly
# every directory and file (shadow excepted) and mount on any non-security file.
tunable_policy(`allow_mount_anyfile',`
auth_read_all_dirs_except_shadow(mount_t)
auth_read_all_files_except_shadow(mount_t)
files_mounton_non_security(mount_t)
')

optional_policy(`
# for nfs
# Network access for NFS/RPC mounts: send/recv on all interfaces, nodes and
# ports; bind generic, reserved and RPC ports; connect to any TCP port.
# Binding to the remaining reserved ports is silenced, not allowed.
corenet_all_recvfrom_unlabeled(mount_t)
corenet_all_recvfrom_netlabel(mount_t)
corenet_tcp_sendrecv_all_if(mount_t)
corenet_raw_sendrecv_all_if(mount_t)
corenet_udp_sendrecv_all_if(mount_t)
corenet_tcp_sendrecv_all_nodes(mount_t)
corenet_raw_sendrecv_all_nodes(mount_t)
corenet_udp_sendrecv_all_nodes(mount_t)
corenet_tcp_sendrecv_all_ports(mount_t)
corenet_udp_sendrecv_all_ports(mount_t)
corenet_tcp_bind_all_nodes(mount_t)
corenet_udp_bind_all_nodes(mount_t)
corenet_tcp_bind_generic_port(mount_t)
corenet_udp_bind_generic_port(mount_t)
corenet_tcp_bind_reserved_port(mount_t)
corenet_udp_bind_reserved_port(mount_t)
corenet_tcp_bind_all_rpc_ports(mount_t)
corenet_udp_bind_all_rpc_ports(mount_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
corenet_tcp_connect_all_ports(mount_t)

fs_search_rpc(mount_t)

sysnet_dns_name_resolve(mount_t)

rpc_stub(mount_t)

optional_policy(`
nis_use_ypbind(mount_t)
')
')

optional_policy(`
apm_use_fds(mount_t)
')

# Only when the rhgb module is present and hide_broken_symptoms is set:
# silence (not allow) the denials described below.
optional_policy(`
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
term_dontaudit_use_ptmx(mount_t)
')
')

# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
')

# Transition to the samba smbmount domain when present.
optional_policy(`
samba_domtrans_smbmount(mount_t)
')

optional_policy(`
nscd_socket_use(mount_t)
')

########################################
#
# Unconfined mount local policy
#

# Active only when the unconfined module is loaded: unconfined_mount_t is an
# unconfined domain, with the same etc_runtime file transition as mount_t.
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
')