82 lines
2.6 KiB
Plaintext
82 lines
2.6 KiB
Plaintext
|
#DESC updfstab - Red Hat utility to change /etc/fstab
|
||
|
#
|
||
|
# Author: Russell Coker <russell@coker.com.au>
|
||
|
#
|
||
|
|
||
|
daemon_base_domain(updfstab, `, fs_domain, etc_writer')
|
||
|
|
||
|
rw_dir_create_file(updfstab_t, etc_t)
|
||
|
create_dir_file(updfstab_t, mnt_t)
|
||
|
|
||
|
# Read /dev directories and modify sym-links
|
||
|
allow updfstab_t device_t:dir rw_dir_perms;
|
||
|
allow updfstab_t device_t:lnk_file create_file_perms;
|
||
|
|
||
|
# Access disk devices.
|
||
|
allow updfstab_t fixed_disk_device_t:blk_file rw_file_perms;
|
||
|
allow updfstab_t removable_device_t:blk_file rw_file_perms;
|
||
|
allow updfstab_t scsi_generic_device_t:chr_file rw_file_perms;
|
||
|
|
||
|
# for /proc/partitions
|
||
|
allow updfstab_t proc_t:file { getattr read };
|
||
|
|
||
|
# for /proc/self/mounts
|
||
|
r_dir_file(updfstab_t, self)
|
||
|
|
||
|
# for /etc/mtab
|
||
|
allow updfstab_t etc_runtime_t:file { getattr read };
|
||
|
|
||
|
read_locale(updfstab_t)
|
||
|
|
||
|
ifdef(`dbusd.te', `
|
||
|
dbusd_client(system, updfstab)
|
||
|
allow updfstab_t system_dbusd_t:dbus { send_msg };
|
||
|
allow initrc_t updfstab_t:dbus send_msg;
|
||
|
allow updfstab_t initrc_t:dbus send_msg;
|
||
|
')
|
||
|
|
||
|
# not sure what the sysctl_kernel_t file is, or why it wants to write it, so
|
||
|
# I will not allow it
|
||
|
read_sysctl(updfstab_t)
|
||
|
dontaudit updfstab_t sysctl_kernel_t:file write;
|
||
|
allow updfstab_t modules_conf_t:file { getattr read };
|
||
|
allow updfstab_t sbin_t:dir search;
|
||
|
allow updfstab_t sbin_t:lnk_file read;
|
||
|
allow updfstab_t { var_t var_log_t }:dir search;
|
||
|
|
||
|
allow updfstab_t kernel_t:fd use;
|
||
|
|
||
|
allow updfstab_t self:unix_stream_socket create_stream_socket_perms;
|
||
|
allow updfstab_t self:unix_dgram_socket create_socket_perms;
|
||
|
|
||
|
ifdef(`modutil.te', `
|
||
|
dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t)
|
||
|
can_exec(updfstab_t, insmod_exec_t)
|
||
|
allow updfstab_t modules_object_t:dir search;
|
||
|
allow updfstab_t modules_dep_t:file { getattr read };
|
||
|
')
|
||
|
|
||
|
ifdef(`pamconsole.te', `
|
||
|
domain_auto_trans(updfstab_t, pam_console_exec_t, pam_console_t)
|
||
|
')
|
||
|
allow updfstab_t kernel_t:system syslog_console;
|
||
|
allow updfstab_t sysadm_tty_device_t:chr_file { read write };
|
||
|
allow updfstab_t self:capability dac_override;
|
||
|
dontaudit updfstab_t self:capability sys_admin;
|
||
|
|
||
|
r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
|
||
|
can_getsecurity(updfstab_t)
|
||
|
|
||
|
allow updfstab_t { sbin_t bin_t }:dir { search getattr };
|
||
|
dontaudit updfstab_t devtty_t:chr_file { read write };
|
||
|
allow updfstab_t self:fifo_file { getattr read write ioctl };
|
||
|
can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
|
||
|
dontaudit updfstab_t home_root_t:dir { getattr search };
|
||
|
dontaudit updfstab_t { home_dir_type home_type }:dir search;
|
||
|
allow updfstab_t fs_t:filesystem { getattr };
|
||
|
allow updfstab_t tmpfs_t:dir getattr;
|
||
|
ifdef(`hald.te', `
|
||
|
can_unix_connect(updfstab_t, hald_t)
|
||
|
')
|
||
|
|