selinux-policy/policy/modules/services/automount.if

## <summary>Filesystem automounter service.</summary>

########################################
## <summary>
##	Execute automount in the automount domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`automount_domtrans',`
	gen_require(`
		type automount_t, automount_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, automount_exec_t, automount_t)
')

########################################
## <summary>
##	Send automount a signal
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
#
interface(`automount_signal',`
	gen_require(`
		type automount_t;
	')

	allow $1 automount_t:process signal;
')

########################################
## <summary>
##	Execute automount in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`automount_exec_config',`
	refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.')
	files_exec_etc_files($1)
')

########################################
## <summary>
##	Allow the domain to read state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to allow access.
##	</summary>
## </param>
#
interface(`automount_read_state',`
	gen_require(`
		type automount_t;
	')

	read_files_pattern($1, automount_t, automount_t)
')

########################################
## <summary>
##	Do not audit attempts to file descriptors for automount.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`automount_dontaudit_use_fds',`
	gen_require(`
		type automount_t;
	')

	dontaudit $1 automount_t:fd use;
')

########################################
## <summary>
##	Do not audit attempts to write automount daemon unnamed pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`automount_dontaudit_write_pipes',`
	gen_require(`
		type automount_t;
	')

	dontaudit $1 automount_t:fifo_file write;
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of automount temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`automount_dontaudit_getattr_tmp_dirs',`
	gen_require(`
		type automount_tmp_t;
	')

	dontaudit $1 automount_tmp_t:dir getattr;
')

########################################
## <summary>
##	All of the rules required to administrate 
##	an automount environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the automount domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`automount_admin',`
	gen_require(`
		type automount_t, automount_lock_t, automount_tmp_t;
		type automount_var_run_t, automount_initrc_exec_t;
	')

	allow $1 automount_t:process { ptrace signal_perms getattr };
	ps_process_pattern($1, automount_t)

	init_labeled_script_domtrans($1, automount_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 automount_initrc_exec_t system_r;
	allow $2 system_r;

	files_list_var($1)
	admin_pattern($1, automount_lock_t)

	files_list_tmp($1)
	admin_pattern($1, automount_tmp_t)

	files_list_pids($1)
	admin_pattern($1, automount_var_run_t)
')
add automount 2005-12-09 20:08:10 +00:00			`## <summary>Filesystem automounter service.</summary>`

			`########################################`
			`## <summary>`
			`## Execute automount in the automount domain.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add automount 2005-12-09 20:08:10 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add automount 2005-12-09 20:08:10 +00:00			`## </param>`
			`#`
			interface(`automount_domtrans',`
			gen_require(`
			`type automount_t, automount_exec_t;`
			`')`

Merge sbin_t and ls_exec_t into bin_t. 2007-03-23 23:24:59 +00:00			`corecmd_search_bin($1)`
merge policy patterns to trunk 2006-12-12 20:08:08 +00:00			`domtrans_pattern($1, automount_exec_t, automount_t)`
add automount 2005-12-09 20:08:10 +00:00			`')`

automount patch from dan. 2009-07-29 12:59:26 +00:00			`########################################`
			`## <summary>`
			`## Send automount a signal`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
Interface documentation standardization patch from Dan Walsh. 2010-08-02 13:22:09 +00:00			`## Domain allowed access.`
automount patch from dan. 2009-07-29 12:59:26 +00:00			`## </summary>`
			`## </param>`
			`#`
			`#`
			interface(`automount_signal',`
			gen_require(`
			`type automount_t;`
			`')`

			`allow $1 automount_t:process signal;`
			`')`

add automount 2005-12-09 20:08:10 +00:00			`########################################`
			`## <summary>`
			`## Execute automount in the caller domain.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add automount 2005-12-09 20:08:10 +00:00			`## Domain allowed access.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add automount 2005-12-09 20:08:10 +00:00			`## </param>`
			`#`
fix interface 2005-12-12 16:52:25 +00:00			interface(`automount_exec_config',`
trunk: a pile of misc fixes. 2008-10-13 13:36:50 +00:00			refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.')
			`files_exec_etc_files($1)`
add automount 2005-12-09 20:08:10 +00:00			`')`
patch from dan Thu, 09 Feb 2006 13:39:41 -0500 2006-02-13 22:05:08 +00:00
add evolution, bug 1384 2006-03-13 21:36:49 +00:00			`########################################`
			`## <summary>`
			`## Allow the domain to read state files in /proc.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to allow access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`automount_read_state',`
			gen_require(`
			`type automount_t;`
			`')`

trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`read_files_pattern($1, automount_t, automount_t)`
add evolution, bug 1384 2006-03-13 21:36:49 +00:00			`')`

trunk: 8 patches from dan. 2008-10-08 20:03:24 +00:00			`########################################`
			`## <summary>`
			`## Do not audit attempts to file descriptors for automount.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`automount_dontaudit_use_fds',`
			gen_require(`
			`type automount_t;`
			`')`

			`dontaudit $1 automount_t:fd use;`
			`')`

			`########################################`
			`## <summary>`
			`## Do not audit attempts to write automount daemon unnamed pipes.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`automount_dontaudit_write_pipes',`
			gen_require(`
			`type automount_t;`
			`')`

			`dontaudit $1 automount_t:fifo_file write;`
			`')`

patch from dan Thu, 09 Feb 2006 13:39:41 -0500 2006-02-13 22:05:08 +00:00			`########################################`
			`## <summary>`
			`## Do not audit attempts to get the attributes`
			`## of automount temporary directories.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain to not audit.`
			`## </summary>`
			`## </param>`
			`#`
			interface(`automount_dontaudit_getattr_tmp_dirs',`
			gen_require(`
			`type automount_tmp_t;`
			`')`

			`dontaudit $1 automount_tmp_t:dir getattr;`
			`')`
trunk: 8 patches from dan. 2008-10-08 20:03:24 +00:00
			`########################################`
			`## <summary>`
			`## All of the rules required to administrate`
			`## an automount environment`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
			`## Domain allowed access.`
			`## </summary>`
			`## </param>`
			`## <param name="role">`
			`## <summary>`
			`## The role to be allowed to manage the automount domain.`
			`## </summary>`
			`## </param>`
			`## <rolecap/>`
			`#`
			interface(`automount_admin',`
			gen_require(`
			`type automount_t, automount_lock_t, automount_tmp_t;`
			`type automount_var_run_t, automount_initrc_exec_t;`
			`')`

			`allow $1 automount_t:process { ptrace signal_perms getattr };`
			`ps_process_pattern($1, automount_t)`

			`init_labeled_script_domtrans($1, automount_initrc_exec_t)`
			`domain_system_change_exemption($1)`
			`role_transition $2 automount_initrc_exec_t system_r;`
			`allow $2 system_r;`

			`files_list_var($1)`
			`admin_pattern($1, automount_lock_t)`

			`files_list_tmp($1)`
			`admin_pattern($1, automount_tmp_t)`

			`files_list_pids($1)`
			`admin_pattern($1, automount_var_run_t)`
			`')`