2005-06-01 14:17:43 +00:00
|
|
|
## <summary>Policy for filesystems.</summary>
|
2005-07-05 17:47:15 +00:00
|
|
|
## <required val="true">
|
|
|
|
## Contains the initial SID for the filesystems.
|
|
|
|
## </required>
|
2005-04-20 19:07:16 +00:00
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Transform specified type into a filesystem type.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-28 17:48:59 +00:00
|
|
|
interface(`fs_type',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
2005-06-28 17:48:59 +00:00
|
|
|
attribute filesystem_type;
|
2005-06-22 16:07:14 +00:00
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-28 17:48:59 +00:00
|
|
|
typeattribute $1 filesystem_type;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2005-06-10 01:01:13 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Transform specified type into a filesystem
|
|
|
|
## type which does not have extended attribute
|
|
|
|
## support.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-06-10 01:01:13 +00:00
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_noxattr_type',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute noxattrfs;
|
|
|
|
')
|
2005-06-10 01:01:13 +00:00
|
|
|
|
2005-06-28 17:48:59 +00:00
|
|
|
fs_type($1)
|
2005-06-10 01:01:13 +00:00
|
|
|
|
|
|
|
typeattribute $1 noxattrfs;
|
|
|
|
')
|
|
|
|
|
2005-04-16 17:20:59 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Associate the specified file type to persistent
|
|
|
|
## filesystems with extended attributes. This
|
|
|
|
## allows a file of this type to be created on
|
|
|
|
## a filesystem such as ext3, JFS, and XFS.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="file_type">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## The type of the to be associated.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-16 17:20:59 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_associate',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type fs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 fs_t:filesystem associate;
|
2005-04-16 17:20:59 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Associate the specified file type to
|
|
|
|
## filesystems which lack extended attributes
|
|
|
|
## support. This allows a file of this type
|
|
|
|
## to be created on a filesystem such as
|
|
|
|
## FAT32, and NFS.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="file_type">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## The type of the to be associated.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-16 17:20:59 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_associate_noxattr',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
attribute noxattrfs;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-09 15:20:31 +00:00
|
|
|
allow $1 noxattrfs:filesystem associate;
|
2005-04-16 17:20:59 +00:00
|
|
|
')
|
|
|
|
|
2005-07-19 18:40:31 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute files on a filesystem that does
|
|
|
|
## not support extended attributes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-19 18:40:31 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-19 18:40:31 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-07-19 18:40:31 +00:00
|
|
|
#
|
|
|
|
interface(`fs_exec_noxattr',`
|
|
|
|
gen_require(`
|
|
|
|
attribute noxattrfs;
|
|
|
|
')
|
|
|
|
|
2009-06-26 14:40:13 +00:00
|
|
|
can_exec($1, noxattrfs)
|
2005-07-19 18:40:31 +00:00
|
|
|
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Mount a persistent filesystem which
|
|
|
|
## has extended attributes, such as
|
|
|
|
## ext3, JFS, or XFS.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_mount_xattr_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type fs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 fs_t:filesystem mount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Remount a persistent filesystem which
|
|
|
|
## has extended attributes, such as
|
|
|
|
## ext3, JFS, or XFS. This allows
|
|
|
|
## some mount options to be changed.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_remount_xattr_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type fs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 fs_t:filesystem remount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Unmount a persistent filesystem which
|
|
|
|
## has extended attributes, such as
|
|
|
|
## ext3, JFS, or XFS.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_unmount_xattr_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type fs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-02-06 22:47:46 +00:00
|
|
|
allow $1 fs_t:filesystem unmount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2010-03-01 19:50:55 +00:00
|
|
|
## Get the attributes of persistent
|
|
|
|
## filesystems which have extended
|
2005-06-23 21:30:57 +00:00
|
|
|
## attributes, such as ext3, JFS, or XFS.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2010-03-01 19:50:55 +00:00
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Allow the specified domain to
|
|
|
|
## get the attributes of a persistent
|
|
|
|
## filesystems which have extended
|
|
|
|
## attributes, such as ext3, JFS, or XFS.
|
|
|
|
## Example attributes:
|
|
|
|
## </p>
|
|
|
|
## <ul>
|
|
|
|
## <li>Type of the file system (e.g., ext3)</li>
|
|
|
|
## <li>Size of the file system</li>
|
|
|
|
## <li>Available space on the file system</li>
|
|
|
|
## </ul>
|
|
|
|
## </desc>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2010-03-01 19:50:55 +00:00
|
|
|
## <infoflow type="read" weight="5"/>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_getattr_xattr_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type fs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 fs_t:filesystem getattr;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2005-10-13 20:59:36 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Do not audit attempts to
|
|
|
|
## get the attributes of a persistent
|
|
|
|
## filesystem which has extended
|
|
|
|
## attributes, such as ext3, JFS, or XFS.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-19 18:56:47 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_dontaudit_getattr_xattr_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type fs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
dontaudit $1 fs_t:filesystem getattr;
|
2005-04-19 18:56:47 +00:00
|
|
|
')
|
|
|
|
|
2005-05-24 15:55:57 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow changing of the label of a
|
|
|
|
## filesystem with extended attributes
|
|
|
|
## using the context= mount option.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-05-24 15:55:57 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_relabelfrom_xattr_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type fs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 fs_t:filesystem relabelfrom;
|
2005-05-24 15:55:57 +00:00
|
|
|
')
|
|
|
|
|
2005-08-11 14:49:58 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Get the filesystem quotas of a filesystem
|
|
|
|
## with extended attributes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-08-11 14:49:58 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-08-11 14:49:58 +00:00
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_get_xattr_fs_quotas',`
|
2005-08-11 14:49:58 +00:00
|
|
|
gen_require(`
|
|
|
|
type fs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 fs_t:filesystem quotaget;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Set the filesystem quotas of a filesystem
|
|
|
|
## with extended attributes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-08-11 14:49:58 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-08-11 14:49:58 +00:00
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_set_xattr_fs_quotas',`
|
2005-08-11 14:49:58 +00:00
|
|
|
gen_require(`
|
|
|
|
type fs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 fs_t:filesystem quotamod;
|
|
|
|
')
|
|
|
|
|
2007-08-08 20:04:28 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read files on anon_inodefs file systems.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_anon_inodefs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type anon_inodefs_t;
|
|
|
|
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
read_files_pattern($1, anon_inodefs_t, anon_inodefs_t)
|
2007-08-08 20:04:28 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read and write files on anon_inodefs
|
|
|
|
## file systems.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_rw_anon_inodefs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type anon_inodefs_t;
|
|
|
|
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
rw_files_pattern($1, anon_inodefs_t, anon_inodefs_t)
|
2007-08-08 20:04:28 +00:00
|
|
|
')
|
|
|
|
|
2009-11-23 18:16:28 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to read or write files on
|
|
|
|
## anon_inodefs file systems.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_rw_anon_inodefs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type anon_inodefs_t;
|
|
|
|
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 anon_inodefs_t:file rw_file_perms;
|
|
|
|
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Mount an automount pseudo filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_mount_autofs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type autofs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 autofs_t:filesystem mount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Remount an automount pseudo filesystem
|
|
|
|
## This allows some mount options to be changed.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_remount_autofs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type autofs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 autofs_t:filesystem remount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Unmount an automount pseudo filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_unmount_autofs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type autofs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-02-06 22:47:46 +00:00
|
|
|
allow $1 autofs_t:filesystem unmount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Get the attributes of an automount
|
|
|
|
## pseudo filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_getattr_autofs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type autofs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 autofs_t:filesystem getattr;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-06-27 16:30:55 +00:00
|
|
|
## <summary>
|
|
|
|
## Search automount filesystem to use automatically
|
|
|
|
## mounted filesystems.
|
|
|
|
## </summary>
|
2010-03-01 19:50:55 +00:00
|
|
|
## <desc>
|
|
|
|
## Allow the specified domain to search mount points
|
|
|
|
## that have filesystems that are mounted by
|
|
|
|
## the automount service. Generally this will
|
|
|
|
## be required for any domain that accesses objects
|
|
|
|
## on these filesystems.
|
|
|
|
## </desc>
|
2005-06-27 16:30:55 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-27 16:30:55 +00:00
|
|
|
## </param>
|
2010-03-01 19:50:55 +00:00
|
|
|
## <infoflow type="read" weight="5"/>
|
2005-06-27 16:30:55 +00:00
|
|
|
#
|
|
|
|
interface(`fs_search_auto_mountpoints',`
|
|
|
|
gen_require(`
|
|
|
|
type autofs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 autofs_t:dir search_dir_perms;
|
2005-06-27 16:30:55 +00:00
|
|
|
')
|
|
|
|
|
2005-12-09 20:08:10 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read directories of automatically
|
|
|
|
## mounted filesystems.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-12-09 20:08:10 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-12-09 20:08:10 +00:00
|
|
|
#
|
|
|
|
interface(`fs_list_auto_mountpoints',`
|
|
|
|
gen_require(`
|
|
|
|
type autofs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 autofs_t:dir list_dir_perms;
|
2005-12-09 20:08:10 +00:00
|
|
|
')
|
|
|
|
|
2006-01-12 23:23:22 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to list directories of automatically
|
|
|
|
## mounted filesystems.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2006-01-12 23:23:22 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_list_auto_mountpoints',`
|
|
|
|
gen_require(`
|
|
|
|
type autofs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
dontaudit $1 autofs_t:dir list_dir_perms;
|
2006-01-12 23:23:22 +00:00
|
|
|
')
|
|
|
|
|
2006-10-31 21:01:48 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete symbolic links
|
|
|
|
## on an autofs filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_autofs_symlinks',`
|
|
|
|
gen_require(`
|
|
|
|
type autofs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_lnk_files_pattern($1, autofs_t, autofs_t)
|
2006-10-31 21:01:48 +00:00
|
|
|
')
|
|
|
|
|
2006-06-07 17:43:10 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Get the attributes of directories on
|
2009-11-23 18:16:28 +00:00
|
|
|
## binfmt_misc filesystems.
|
2006-06-07 17:43:10 +00:00
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_getattr_binfmt_misc_dirs',`
|
|
|
|
gen_require(`
|
2008-05-22 15:24:52 +00:00
|
|
|
type binfmt_misc_fs_t;
|
2006-06-07 17:43:10 +00:00
|
|
|
')
|
|
|
|
|
2008-05-23 13:50:38 +00:00
|
|
|
allow $1 binfmt_misc_fs_t:dir getattr;
|
2006-06-07 17:43:10 +00:00
|
|
|
|
|
|
|
')
|
|
|
|
|
2005-06-27 16:30:55 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Register an interpreter for new binary
|
|
|
|
## file types, using the kernel binfmt_misc
|
2006-05-10 18:09:08 +00:00
|
|
|
## support.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Register an interpreter for new binary
|
|
|
|
## file types, using the kernel binfmt_misc
|
|
|
|
## support.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## A common use for this is to
|
2005-06-23 21:30:57 +00:00
|
|
|
## register a JVM as an interpreter for
|
|
|
|
## Java byte code. Registered binaries
|
|
|
|
## can be directly executed on a command line
|
|
|
|
## without specifying the interpreter.
|
2006-05-10 18:09:08 +00:00
|
|
|
## </p>
|
|
|
|
## </desc>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_register_binary_executable_type',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type binfmt_misc_fs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Mount a CIFS or SMB network filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_mount_cifs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 cifs_t:filesystem mount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Remount a CIFS or SMB network filesystem.
|
|
|
|
## This allows some mount options to be changed.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_remount_cifs',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 cifs_t:filesystem remount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Unmount a CIFS or SMB network filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_unmount_cifs',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-08-31 16:54:19 +00:00
|
|
|
allow $1 cifs_t:filesystem unmount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Get the attributes of a CIFS or
|
|
|
|
## SMB network filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_getattr_cifs',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 cifs_t:filesystem getattr;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2005-08-08 21:03:23 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Search directories on a CIFS or SMB filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-11-08 22:00:30 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-08-08 21:03:23 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_search_cifs',`
|
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 cifs_t:dir search_dir_perms;
|
2005-08-08 21:03:23 +00:00
|
|
|
')
|
|
|
|
|
2005-09-14 18:33:53 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## List the contents of directories on a
|
|
|
|
## CIFS or SMB filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-11-08 22:00:30 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-14 18:33:53 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_list_cifs',`
|
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 cifs_t:dir list_dir_perms;
|
2005-09-14 18:33:53 +00:00
|
|
|
')
|
|
|
|
|
2005-09-19 21:17:45 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to list the contents
|
|
|
|
## of directories on a CIFS or SMB filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-09-19 21:17:45 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-19 21:17:45 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_list_cifs',`
|
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
dontaudit $1 cifs_t:dir list_dir_perms;
|
2005-09-19 21:17:45 +00:00
|
|
|
')
|
|
|
|
|
2009-03-04 15:53:07 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Mounton a CIFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_mounton_cifs',`
|
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 cifs_t:dir mounton;
|
|
|
|
')
|
|
|
|
|
2005-06-16 20:33:51 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Read files on a CIFS or SMB filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-11-08 22:00:30 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-06-16 20:33:51 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_read_cifs_files',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 cifs_t:dir list_dir_perms;
|
2008-07-23 21:38:39 +00:00
|
|
|
read_files_pattern($1, cifs_t, cifs_t)
|
2005-06-16 20:33:51 +00:00
|
|
|
')
|
|
|
|
|
2006-11-13 03:24:07 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Get the attributes of filesystems that
|
|
|
|
## do not have extended attribute support.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <rolecap/>
|
|
|
|
#
|
|
|
|
interface(`fs_getattr_noxattr_fs',`
|
|
|
|
gen_require(`
|
|
|
|
attribute noxattrfs;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 noxattrfs:filesystem getattr;
|
|
|
|
')
|
|
|
|
|
2005-10-24 01:53:13 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read all noxattrfs directories.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-10-24 01:53:13 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-24 01:53:13 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_list_noxattr_fs',`
|
|
|
|
gen_require(`
|
|
|
|
attribute noxattrfs;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 noxattrfs:dir list_dir_perms;
|
2005-10-24 01:53:13 +00:00
|
|
|
')
|
|
|
|
|
2006-09-06 22:07:25 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete all noxattrfs directories.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_noxattr_fs_dirs',`
|
|
|
|
gen_require(`
|
|
|
|
attribute noxattrfs;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 noxattrfs:dir manage_dir_perms;
|
|
|
|
')
|
|
|
|
|
2005-10-24 01:53:13 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read all noxattrfs files.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-10-24 01:53:13 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-24 01:53:13 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_noxattr_fs_files',`
|
|
|
|
gen_require(`
|
|
|
|
attribute noxattrfs;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
read_files_pattern($1, noxattrfs, noxattrfs)
|
2005-10-24 01:53:13 +00:00
|
|
|
')
|
|
|
|
|
2009-06-08 17:18:26 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Dont audit attempts to write to noxattrfs files.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_write_noxattr_fs_files',`
|
|
|
|
gen_require(`
|
|
|
|
attribute noxattrfs;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 noxattrfs:file write;
|
|
|
|
')
|
|
|
|
|
2006-09-06 22:07:25 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete all noxattrfs files.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_noxattr_fs_files',`
|
|
|
|
gen_require(`
|
|
|
|
attribute noxattrfs;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_files_pattern($1, noxattrfs, noxattrfs)
|
2006-09-06 22:07:25 +00:00
|
|
|
')
|
|
|
|
|
2005-10-24 01:53:13 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read all noxattrfs symbolic links.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-10-24 01:53:13 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-24 01:53:13 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_noxattr_fs_symlinks',`
|
|
|
|
gen_require(`
|
|
|
|
attribute noxattrfs;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
read_lnk_files_pattern($1, noxattrfs, noxattrfs)
|
2005-10-24 01:53:13 +00:00
|
|
|
')
|
|
|
|
|
2005-09-19 21:17:45 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to read
|
|
|
|
## files on a CIFS or SMB filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-19 21:17:45 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_read_cifs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
dontaudit $1 cifs_t:file read_file_perms;
|
2005-09-19 21:17:45 +00:00
|
|
|
')
|
|
|
|
|
2009-03-04 15:53:07 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Append files
|
|
|
|
## on a CIFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <rolecap/>
|
|
|
|
#
|
|
|
|
interface(`fs_append_cifs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
append_files_pattern($1, cifs_t, cifs_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## dontaudit Append files
|
|
|
|
## on a CIFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <rolecap/>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_append_cifs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 cifs_t:file append_file_perms;
|
|
|
|
')
|
|
|
|
|
2005-06-16 20:33:51 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Do not audit attempts to read or
|
|
|
|
## write files on a CIFS or SMB filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-06-16 20:33:51 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_dontaudit_rw_cifs_files',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 cifs_t:file { read write };
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Read symbolic links on a CIFS or SMB filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-06-16 20:33:51 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_read_cifs_symlinks',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 cifs_t:dir list_dir_perms;
|
2008-07-23 21:38:39 +00:00
|
|
|
read_lnk_files_pattern($1, cifs_t, cifs_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2008-05-15 13:10:34 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read named pipes
|
|
|
|
## on a CIFS or SMB network filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_cifs_named_pipes',`
|
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
read_fifo_files_pattern($1, cifs_t, cifs_t)
|
2008-05-15 13:10:34 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read named pipes
|
|
|
|
## on a CIFS or SMB network filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_cifs_named_sockets',`
|
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
read_sock_files_pattern($1, cifs_t, cifs_t)
|
2008-05-15 13:10:34 +00:00
|
|
|
')
|
|
|
|
|
2005-05-16 21:10:33 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Execute files on a CIFS or SMB
|
|
|
|
## network filesystem, in the caller
|
|
|
|
## domain.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_exec_cifs_files',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 cifs_t:dir list_dir_perms;
|
2008-07-23 21:38:39 +00:00
|
|
|
exec_files_pattern($1, cifs_t, cifs_t)
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Create, read, write, and delete directories
|
|
|
|
## on a CIFS or SMB network filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_manage_cifs_dirs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 cifs_t:dir manage_dir_perms;
|
2005-09-19 21:17:45 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to create, read,
|
|
|
|
## write, and delete directories
|
|
|
|
## on a CIFS or SMB network filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-19 21:17:45 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_manage_cifs_dirs',`
|
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
dontaudit $1 cifs_t:dir manage_dir_perms;
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Create, read, write, and delete files
|
|
|
|
## on a CIFS or SMB network filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_manage_cifs_files',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_files_pattern($1, cifs_t, cifs_t)
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
2005-09-19 21:17:45 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to create, read,
|
|
|
|
## write, and delete files
|
|
|
|
## on a CIFS or SMB network filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-09-19 21:17:45 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-19 21:17:45 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_manage_cifs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
dontaudit $1 cifs_t:file manage_file_perms;
|
2005-09-19 21:17:45 +00:00
|
|
|
')
|
|
|
|
|
2005-05-16 21:10:33 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Create, read, write, and delete symbolic links
|
|
|
|
## on a CIFS or SMB network filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_manage_cifs_symlinks',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_lnk_files_pattern($1, cifs_t, cifs_t)
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Create, read, write, and delete named pipes
|
|
|
|
## on a CIFS or SMB network filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_manage_cifs_named_pipes',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_fifo_files_pattern($1, cifs_t, cifs_t)
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Create, read, write, and delete named sockets
|
|
|
|
## on a CIFS or SMB network filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_manage_cifs_named_sockets',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_sock_files_pattern($1, cifs_t, cifs_t)
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
2005-07-13 18:29:08 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute a file on a CIFS or SMB filesystem
|
|
|
|
## in the specified domain.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Execute a file on a CIFS or SMB filesystem
|
|
|
|
## in the specified domain. This allows
|
|
|
|
## the specified domain to execute any file
|
|
|
|
## on these filesystems in the specified
|
|
|
|
## domain. This is not suggested.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## No interprocess communication (signals, pipes,
|
|
|
|
## etc.) is provided by this interface since
|
|
|
|
## the domains are not owned by this module.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## This interface was added to handle
|
|
|
|
## home directories on CIFS/SMB filesystems,
|
|
|
|
## in particular used by the ssh-agent policy.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-13 18:29:08 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="target_domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-13 18:29:08 +00:00
|
|
|
## The type of the new process.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-13 18:29:08 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_cifs_domtrans',`
|
|
|
|
gen_require(`
|
|
|
|
type cifs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 cifs_t:dir search_dir_perms;
|
2008-07-23 21:38:39 +00:00
|
|
|
domain_auto_transition_pattern($1, cifs_t, $2)
|
2005-07-13 18:29:08 +00:00
|
|
|
')
|
|
|
|
|
2009-11-23 18:16:28 +00:00
|
|
|
#######################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete dirs
|
|
|
|
## on a configfs filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_configfs_dirs',`
|
|
|
|
gen_require(`
|
|
|
|
type configfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
manage_dirs_pattern($1, configfs_t, configfs_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete files
|
|
|
|
## on a configfs filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_configfs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type configfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
manage_files_pattern($1, configfs_t, configfs_t)
|
|
|
|
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Mount a DOS filesystem, such as
|
|
|
|
## FAT32 or NTFS.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_mount_dos_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type dosfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 dosfs_t:filesystem mount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Remount a DOS filesystem, such as
|
|
|
|
## FAT32 or NTFS. This allows
|
|
|
|
## some mount options to be changed.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_remount_dos_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type dosfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 dosfs_t:filesystem remount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Unmount a DOS filesystem, such as
|
|
|
|
## FAT32 or NTFS.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_unmount_dos_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type dosfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-02-06 22:47:46 +00:00
|
|
|
allow $1 dosfs_t:filesystem unmount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Get the attributes of a DOS
|
|
|
|
## filesystem, such as FAT32 or NTFS.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_getattr_dos_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type dosfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 dosfs_t:filesystem getattr;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2005-05-24 15:55:57 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow changing of the label of a
|
|
|
|
## DOS filesystem using the context= mount option.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-05-24 15:55:57 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_relabelfrom_dos_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type dosfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 dosfs_t:filesystem relabelfrom;
|
2005-05-24 15:55:57 +00:00
|
|
|
')
|
|
|
|
|
2007-06-20 19:47:10 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
2009-11-23 18:16:28 +00:00
|
|
|
## Search dosfs filesystem.
|
2007-06-20 19:47:10 +00:00
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_search_dos',`
|
|
|
|
gen_require(`
|
|
|
|
type dosfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 dosfs_t:dir search_dir_perms;
|
|
|
|
')
|
|
|
|
|
2009-03-04 15:53:07 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete dirs
|
|
|
|
## on a DOS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_dos_dirs',`
|
|
|
|
gen_require(`
|
|
|
|
type dosfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
manage_dirs_pattern($1, dosfs_t, dosfs_t)
|
|
|
|
')
|
|
|
|
|
2007-03-26 20:47:29 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read files on a DOS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_dos_files',`
|
|
|
|
gen_require(`
|
|
|
|
type dosfs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
read_files_pattern($1, dosfs_t, dosfs_t)
|
2007-03-26 20:47:29 +00:00
|
|
|
')
|
|
|
|
|
2006-07-28 15:13:58 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete files
|
|
|
|
## on a DOS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_dos_files',`
|
|
|
|
gen_require(`
|
|
|
|
type dosfs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_files_pattern($1, dosfs_t, dosfs_t)
|
2006-07-28 15:13:58 +00:00
|
|
|
')
|
|
|
|
|
2006-01-17 17:50:10 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
2006-06-28 20:28:09 +00:00
|
|
|
## Read eventpollfs files.
|
2006-01-17 17:50:10 +00:00
|
|
|
## </summary>
|
2006-06-28 20:28:09 +00:00
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Read eventpollfs files
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## This interface has been deprecated, and will
|
|
|
|
## be removed in the future.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
2006-01-17 17:50:10 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-01-17 17:50:10 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2006-01-17 17:50:10 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_eventpollfs',`
|
2006-07-25 17:27:00 +00:00
|
|
|
refpolicywarn(`$0($*) has been deprecated.')
|
2006-01-17 17:50:10 +00:00
|
|
|
')
|
|
|
|
|
2007-06-20 19:47:10 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
2008-12-03 19:16:20 +00:00
|
|
|
## Mount a FUSE filesystem.
|
2007-06-20 19:47:10 +00:00
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2008-12-03 19:16:20 +00:00
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
2007-06-20 19:47:10 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_mount_fusefs',`
|
2008-12-03 18:33:19 +00:00
|
|
|
gen_require(`
|
|
|
|
type fusefs_t;
|
|
|
|
')
|
2007-06-20 19:47:10 +00:00
|
|
|
|
2008-12-03 18:33:19 +00:00
|
|
|
allow $1 fusefs_t:filesystem mount;
|
2007-06-20 19:47:10 +00:00
|
|
|
')
|
|
|
|
|
2007-08-08 20:04:28 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
2008-12-03 19:16:20 +00:00
|
|
|
## Unmount a FUSE filesystem.
|
2007-08-08 20:04:28 +00:00
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2008-12-03 19:16:20 +00:00
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
2007-08-08 20:04:28 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_unmount_fusefs',`
|
2008-12-03 18:33:19 +00:00
|
|
|
gen_require(`
|
|
|
|
type fusefs_t;
|
|
|
|
')
|
2007-08-08 20:04:28 +00:00
|
|
|
|
2008-12-03 18:33:19 +00:00
|
|
|
allow $1 fusefs_t:filesystem unmount;
|
2007-08-08 20:04:28 +00:00
|
|
|
')
|
|
|
|
|
2009-03-04 15:53:07 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Search directories
|
|
|
|
## on a FUSEFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <rolecap/>
|
|
|
|
#
|
|
|
|
interface(`fs_search_fusefs',`
|
|
|
|
gen_require(`
|
|
|
|
type fusefs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 fusefs_t:dir search_dir_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete directories
|
|
|
|
## on a FUSEFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <rolecap/>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_fusefs_dirs',`
|
|
|
|
gen_require(`
|
|
|
|
type fusefs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 fusefs_t:dir manage_dir_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to create, read,
|
|
|
|
## write, and delete directories
|
|
|
|
## on a FUSEFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain to not audit.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_manage_fusefs_dirs',`
|
|
|
|
gen_require(`
|
|
|
|
type fusefs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 fusefs_t:dir manage_dir_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read, a FUSEFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <rolecap/>
|
|
|
|
#
|
|
|
|
interface(`fs_read_fusefs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type fusefs_t;
|
|
|
|
')
|
|
|
|
|
2009-06-26 14:40:13 +00:00
|
|
|
read_files_pattern($1, fusefs_t, fusefs_t)
|
2009-03-04 15:53:07 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete files
|
|
|
|
## on a FUSEFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <rolecap/>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_fusefs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type fusefs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
manage_files_pattern($1, fusefs_t, fusefs_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to create,
|
|
|
|
## read, write, and delete files
|
|
|
|
## on a FUSEFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain to not audit.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_manage_fusefs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type fusefs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 fusefs_t:file manage_file_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read symbolic links on a FUSEFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_fusefs_symlinks',`
|
|
|
|
gen_require(`
|
|
|
|
type fusefs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 fusefs_t:dir list_dir_perms;
|
|
|
|
read_lnk_files_pattern($1, fusefs_t, fusefs_t)
|
|
|
|
')
|
|
|
|
|
2008-08-14 15:10:41 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read and write hugetlbfs files.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_rw_hugetlbfs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type hugetlbfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t)
|
|
|
|
')
|
|
|
|
|
2006-01-27 20:13:08 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
2009-11-23 18:16:28 +00:00
|
|
|
## Allow the type to associate to hugetlbfs filesystems.
|
|
|
|
## </summary>
|
|
|
|
## <param name="type">
|
|
|
|
## <summary>
|
|
|
|
## The type of the object to be associated.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_associate_hugetlbfs',`
|
|
|
|
gen_require(`
|
|
|
|
type hugetlbfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 hugetlbfs_t:filesystem associate;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Search inotifyfs filesystem.
|
2006-01-27 20:13:08 +00:00
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-01-27 20:13:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2006-01-27 20:13:08 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_search_inotifyfs',`
|
|
|
|
gen_require(`
|
|
|
|
type inotifyfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 inotifyfs_t:dir search_dir_perms;
|
|
|
|
')
|
|
|
|
|
2006-02-13 22:05:08 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
2009-11-23 18:16:28 +00:00
|
|
|
## List inotifyfs filesystem.
|
2006-02-13 22:05:08 +00:00
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_list_inotifyfs',`
|
|
|
|
gen_require(`
|
|
|
|
type inotifyfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 inotifyfs_t:dir list_dir_perms;
|
2006-02-13 22:05:08 +00:00
|
|
|
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Mount an iso9660 filesystem, which
|
|
|
|
## is usually used on CDs.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_mount_iso9660_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type iso9660_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 iso9660_t:filesystem mount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Remount an iso9660 filesystem, which
|
|
|
|
## is usually used on CDs. This allows
|
|
|
|
## some mount options to be changed.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_remount_iso9660_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type iso9660_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 iso9660_t:filesystem remount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Unmount an iso9660 filesystem, which
|
|
|
|
## is usually used on CDs.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_unmount_iso9660_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type iso9660_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-02-06 22:47:46 +00:00
|
|
|
allow $1 iso9660_t:filesystem unmount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Get the attributes of an iso9660
|
|
|
|
## filesystem, which is usually used on CDs.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_getattr_iso9660_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type iso9660_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 iso9660_t:filesystem getattr;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2007-06-20 19:47:10 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read files on an iso9660 filesystem, which
|
|
|
|
## is usually used on CDs.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_getattr_iso9660_files',`
|
|
|
|
gen_require(`
|
|
|
|
type iso9660_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 iso9660_t:dir list_dir_perms;
|
|
|
|
allow $1 iso9660_t:file getattr;
|
|
|
|
')
|
|
|
|
|
2006-04-28 18:30:02 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read files on an iso9660 filesystem, which
|
|
|
|
## is usually used on CDs.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_iso9660_files',`
|
|
|
|
gen_require(`
|
|
|
|
type iso9660_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 iso9660_t:dir list_dir_perms;
|
2008-07-23 21:38:39 +00:00
|
|
|
read_files_pattern($1, iso9660_t, iso9660_t)
|
|
|
|
read_lnk_files_pattern($1, iso9660_t, iso9660_t)
|
2006-04-28 18:30:02 +00:00
|
|
|
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Mount a NFS filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_mount_nfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 nfs_t:filesystem mount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Remount a NFS filesystem. This allows
|
|
|
|
## some mount options to be changed.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_remount_nfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 nfs_t:filesystem remount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Unmount a NFS filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_unmount_nfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-02-06 22:47:46 +00:00
|
|
|
allow $1 nfs_t:filesystem unmount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Get the attributes of a NFS filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_getattr_nfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 nfs_t:filesystem getattr;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2005-08-08 21:03:23 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Search directories on a NFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-11-08 22:00:30 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-08-08 21:03:23 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_search_nfs',`
|
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 nfs_t:dir search_dir_perms;
|
2005-08-08 21:03:23 +00:00
|
|
|
')
|
|
|
|
|
2006-01-11 18:10:49 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## List NFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-01-11 18:10:49 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2006-01-11 18:10:49 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_list_nfs',`
|
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 nfs_t:dir list_dir_perms;
|
2006-01-11 18:10:49 +00:00
|
|
|
')
|
|
|
|
|
2005-09-19 21:17:45 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to list the contents
|
|
|
|
## of directories on a NFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-09-19 21:17:45 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-19 21:17:45 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_list_nfs',`
|
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
dontaudit $1 nfs_t:dir list_dir_perms;
|
2005-09-19 21:17:45 +00:00
|
|
|
')
|
|
|
|
|
2009-03-04 15:53:07 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Mounton a NFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_mounton_nfs',`
|
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 nfs_t:dir mounton;
|
|
|
|
')
|
|
|
|
|
2005-06-16 20:33:51 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Read files on a NFS filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-11-08 22:00:30 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-06-16 20:33:51 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_read_nfs_files',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 nfs_t:dir list_dir_perms;
|
2008-07-23 21:38:39 +00:00
|
|
|
read_files_pattern($1, nfs_t, nfs_t)
|
2005-06-16 20:33:51 +00:00
|
|
|
')
|
|
|
|
|
2005-09-19 21:17:45 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to read
|
|
|
|
## files on a NFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-19 21:17:45 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_read_nfs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
dontaudit $1 nfs_t:file read_file_perms;
|
2005-09-19 21:17:45 +00:00
|
|
|
')
|
|
|
|
|
2005-05-16 21:10:33 +00:00
|
|
|
########################################
|
2005-11-08 22:00:30 +00:00
|
|
|
## <summary>
|
|
|
|
## Read files on a NFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-11-08 22:00:30 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-11-08 22:00:30 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_write_nfs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 nfs_t:dir list_dir_perms;
|
2008-07-23 21:38:39 +00:00
|
|
|
write_files_pattern($1, nfs_t, nfs_t)
|
2005-11-08 22:00:30 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Execute files on a NFS filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_exec_nfs_files',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 nfs_t:dir list_dir_perms;
|
2008-07-23 21:38:39 +00:00
|
|
|
exec_files_pattern($1, nfs_t, nfs_t)
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
2009-03-04 15:53:07 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Append files
|
|
|
|
## on a NFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <rolecap/>
|
|
|
|
#
|
|
|
|
interface(`fs_append_nfs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
append_files_pattern($1, nfs_t, nfs_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## dontaudit Append files
|
|
|
|
## on a NFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <rolecap/>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_append_nfs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 nfs_t:file append_file_perms;
|
|
|
|
')
|
|
|
|
|
2005-06-16 20:33:51 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Do not audit attempts to read or
|
|
|
|
## write files on a NFS filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-06-16 20:33:51 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_dontaudit_rw_nfs_files',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2009-03-04 15:53:07 +00:00
|
|
|
dontaudit $1 nfs_t:file rw_file_perms;
|
2005-06-16 20:33:51 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Read symbolic links on a NFS filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-06-16 20:33:51 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_read_nfs_symlinks',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 nfs_t:dir list_dir_perms;
|
2008-07-23 21:38:39 +00:00
|
|
|
read_lnk_files_pattern($1, nfs_t, nfs_t)
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
2008-05-15 13:10:34 +00:00
|
|
|
#########################################
|
|
|
|
## <summary>
|
|
|
|
## Read named sockets on a NFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_nfs_named_sockets',`
|
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
read_sock_files_pattern($1, nfs_t, nfs_t)
|
2008-05-15 13:10:34 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
#########################################
|
|
|
|
## <summary>
|
2008-12-03 19:16:20 +00:00
|
|
|
## Read named pipes on a NFS network filesystem.
|
2008-05-15 13:10:34 +00:00
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <rolecap/>
|
|
|
|
#
|
|
|
|
interface(`fs_read_nfs_named_pipes',`
|
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
read_fifo_files_pattern($1, nfs_t, nfs_t)
|
2008-05-15 13:10:34 +00:00
|
|
|
')
|
|
|
|
|
2005-12-02 22:06:05 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read directories of RPC file system pipes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-12-02 22:06:05 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_getattr_rpc_dirs',`
|
|
|
|
gen_require(`
|
|
|
|
type rpc_pipefs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 rpc_pipefs_t:dir getattr;
|
|
|
|
|
|
|
|
')
|
|
|
|
|
2005-12-12 21:47:43 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Search directories of RPC file system pipes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-12-12 21:47:43 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_search_rpc',`
|
2005-12-12 21:47:43 +00:00
|
|
|
gen_require(`
|
|
|
|
type rpc_pipefs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 rpc_pipefs_t:dir search_dir_perms;
|
|
|
|
')
|
|
|
|
|
2006-01-12 23:23:22 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Search removable storage directories.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-01-12 23:23:22 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2006-01-12 23:23:22 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_search_removable',`
|
2006-01-12 23:23:22 +00:00
|
|
|
gen_require(`
|
|
|
|
type removable_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 removable_t:dir search_dir_perms;
|
2006-01-12 23:23:22 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to list removable storage directories.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-01-12 23:23:22 +00:00
|
|
|
## Domain not to audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2006-01-12 23:23:22 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_dontaudit_list_removable',`
|
2006-01-12 23:23:22 +00:00
|
|
|
gen_require(`
|
|
|
|
type removable_t;
|
|
|
|
')
|
2006-12-12 20:08:08 +00:00
|
|
|
|
|
|
|
dontaudit $1 removable_t:dir list_dir_perms;
|
2006-01-12 23:23:22 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read removable storage files.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-01-12 23:23:22 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2006-01-12 23:23:22 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_removable_files',`
|
|
|
|
gen_require(`
|
|
|
|
type removable_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
read_files_pattern($1, removable_t, removable_t)
|
2006-01-12 23:23:22 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to read removable storage files.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-01-12 23:23:22 +00:00
|
|
|
## Domain not to audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2006-01-12 23:23:22 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-05-03 19:58:01 +00:00
|
|
|
interface(`fs_dontaudit_read_removable_files',`
|
2006-01-12 23:23:22 +00:00
|
|
|
gen_require(`
|
|
|
|
type removable_t;
|
|
|
|
')
|
2006-12-12 20:08:08 +00:00
|
|
|
|
|
|
|
dontaudit $1 removable_t:file read_file_perms;
|
2006-01-12 23:23:22 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read removable storage symbolic links.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-01-12 23:23:22 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2006-01-12 23:23:22 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_removable_symlinks',`
|
|
|
|
gen_require(`
|
|
|
|
type removable_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
read_lnk_files_pattern($1, removable_t, removable_t)
|
2006-01-12 23:23:22 +00:00
|
|
|
')
|
|
|
|
|
2009-03-04 15:53:07 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read and write block nodes on removable filesystems.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_rw_removable_blk_files',`
|
|
|
|
gen_require(`
|
|
|
|
type removable_t;
|
|
|
|
')
|
|
|
|
|
2009-06-08 17:18:26 +00:00
|
|
|
allow $1 removable_t:dir list_dir_perms;
|
2009-03-04 15:53:07 +00:00
|
|
|
rw_blk_files_pattern($1, removable_t, removable_t)
|
|
|
|
')
|
|
|
|
|
2005-10-24 01:53:13 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read directories of RPC file system pipes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-24 01:53:13 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_list_rpc',`
|
2005-10-24 01:53:13 +00:00
|
|
|
gen_require(`
|
|
|
|
type rpc_pipefs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 rpc_pipefs_t:dir list_dir_perms;
|
2005-10-24 01:53:13 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read files of RPC file system pipes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-24 01:53:13 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_rpc_files',`
|
|
|
|
gen_require(`
|
|
|
|
type rpc_pipefs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
read_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t)
|
2005-10-24 01:53:13 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read symbolic links of RPC file system pipes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-24 01:53:13 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_rpc_symlinks',`
|
|
|
|
gen_require(`
|
|
|
|
type rpc_pipefs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
read_lnk_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t)
|
2005-10-24 01:53:13 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read sockets of RPC file system pipes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-24 01:53:13 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_rpc_sockets',`
|
|
|
|
gen_require(`
|
|
|
|
type rpc_pipefs_t;
|
|
|
|
')
|
|
|
|
|
2009-02-24 20:00:15 +00:00
|
|
|
allow $1 rpc_pipefs_t:sock_file read;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read and write sockets of RPC file system pipes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_rw_rpc_sockets',`
|
|
|
|
gen_require(`
|
|
|
|
type rpc_pipefs_t;
|
|
|
|
')
|
|
|
|
|
2005-10-24 01:53:13 +00:00
|
|
|
allow $1 rpc_pipefs_t:sock_file { read write };
|
|
|
|
')
|
|
|
|
|
2005-05-16 21:10:33 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Create, read, write, and delete directories
|
|
|
|
## on a NFS filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_manage_nfs_dirs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 nfs_t:dir manage_dir_perms;
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
2005-09-19 21:17:45 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to create, read,
|
|
|
|
## write, and delete directories
|
|
|
|
## on a NFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-09-19 21:17:45 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-19 21:17:45 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_manage_nfs_dirs',`
|
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
dontaudit $1 nfs_t:dir manage_dir_perms;
|
2005-09-19 21:17:45 +00:00
|
|
|
')
|
|
|
|
|
2005-05-16 21:10:33 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Create, read, write, and delete files
|
|
|
|
## on a NFS filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_manage_nfs_files',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_files_pattern($1, nfs_t, nfs_t)
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
2005-09-19 21:17:45 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to create,
|
|
|
|
## read, write, and delete files
|
|
|
|
## on a NFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-09-19 21:17:45 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-19 21:17:45 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_manage_nfs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
dontaudit $1 nfs_t:file manage_file_perms;
|
2005-09-19 21:17:45 +00:00
|
|
|
')
|
|
|
|
|
2005-06-09 15:20:31 +00:00
|
|
|
#########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Create, read, write, and delete symbolic links
|
|
|
|
## on a CIFS or SMB network filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_manage_nfs_symlinks',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_lnk_files_pattern($1, nfs_t, nfs_t)
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
2005-06-09 15:20:31 +00:00
|
|
|
#########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Create, read, write, and delete named pipes
|
|
|
|
## on a NFS filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_manage_nfs_named_pipes',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_fifo_files_pattern($1, nfs_t, nfs_t)
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
2005-06-09 15:20:31 +00:00
|
|
|
#########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Create, read, write, and delete named sockets
|
|
|
|
## on a NFS filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_manage_nfs_named_sockets',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_sock_files_pattern($1, nfs_t, nfs_t)
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
2005-07-13 18:29:08 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Execute a file on a NFS filesystem
|
|
|
|
## in the specified domain.
|
|
|
|
## </summary>
|
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Execute a file on a NFS filesystem
|
|
|
|
## in the specified domain. This allows
|
|
|
|
## the specified domain to execute any file
|
|
|
|
## on a NFS filesystem in the specified
|
|
|
|
## domain. This is not suggested.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## No interprocess communication (signals, pipes,
|
|
|
|
## etc.) is provided by this interface since
|
|
|
|
## the domains are not owned by this module.
|
|
|
|
## </p>
|
|
|
|
## <p>
|
|
|
|
## This interface was added to handle
|
|
|
|
## home directories on NFS filesystems,
|
|
|
|
## in particular used by the ssh-agent policy.
|
|
|
|
## </p>
|
|
|
|
## </desc>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-13 18:29:08 +00:00
|
|
|
## </param>
|
|
|
|
## <param name="target_domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-13 18:29:08 +00:00
|
|
|
## The type of the new process.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-13 18:29:08 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_nfs_domtrans',`
|
|
|
|
gen_require(`
|
|
|
|
type nfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 nfs_t:dir search_dir_perms;
|
2008-07-23 21:38:39 +00:00
|
|
|
domain_auto_transition_pattern($1, nfs_t, $2)
|
2005-07-13 18:29:08 +00:00
|
|
|
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Mount a NFS server pseudo filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_mount_nfsd_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfsd_fs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 nfsd_fs_t:filesystem mount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Mount a NFS server pseudo filesystem.
|
|
|
|
## This allows some mount options to be changed.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_remount_nfsd_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfsd_fs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 nfsd_fs_t:filesystem remount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Unmount a NFS server pseudo filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_unmount_nfsd_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfsd_fs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-02-06 22:47:46 +00:00
|
|
|
allow $1 nfsd_fs_t:filesystem unmount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Get the attributes of a NFS server
|
|
|
|
## pseudo filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_getattr_nfsd_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type nfsd_fs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 nfsd_fs_t:filesystem getattr;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2005-10-24 01:53:13 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Search NFS server directories.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-24 01:53:13 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_search_nfsd_fs',`
|
|
|
|
gen_require(`
|
|
|
|
type nfsd_fs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 nfsd_fs_t:dir search_dir_perms;
|
2005-10-24 01:53:13 +00:00
|
|
|
')
|
|
|
|
|
2009-11-23 18:16:28 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## List NFS server directories.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_list_nfsd_fs',`
|
|
|
|
gen_require(`
|
|
|
|
type nfsd_fs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 nfsd_fs_t:dir list_dir_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Getattr files on an nfsd filesystem
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_getattr_nfsd_files',`
|
|
|
|
gen_require(`
|
|
|
|
type nfsd_fs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
|
|
|
|
')
|
|
|
|
|
2005-10-24 01:53:13 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read and write NFS server files.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-24 01:53:13 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_rw_nfsd_fs',`
|
|
|
|
gen_require(`
|
|
|
|
type nfsd_fs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t)
|
2005-10-24 01:53:13 +00:00
|
|
|
')
|
|
|
|
|
2007-10-24 18:37:26 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Allow the type to associate to ramfs filesystems.
|
|
|
|
## </summary>
|
|
|
|
## <param name="type">
|
|
|
|
## <summary>
|
|
|
|
## The type of the object to be associated.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_associate_ramfs',`
|
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 ramfs_t:filesystem associate;
|
|
|
|
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Mount a RAM filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_mount_ramfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 ramfs_t:filesystem mount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Remount a RAM filesystem. This allows
|
|
|
|
## some mount options to be changed.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_remount_ramfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 ramfs_t:filesystem remount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Unmount a RAM filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_unmount_ramfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-02-06 22:47:46 +00:00
|
|
|
allow $1 ramfs_t:filesystem unmount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Get the attributes of a RAM filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_getattr_ramfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 ramfs_t:filesystem getattr;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2005-09-23 19:38:34 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Search directories on a ramfs
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-09-23 19:38:34 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-23 19:38:34 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_search_ramfs',`
|
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
|
|
|
|
2006-03-09 19:02:29 +00:00
|
|
|
allow $1 ramfs_t:dir search_dir_perms;
|
2005-09-23 19:38:34 +00:00
|
|
|
')
|
|
|
|
|
2005-10-28 14:34:26 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
2006-01-19 23:00:23 +00:00
|
|
|
## Dontaudit Search directories on a ramfs
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-01-19 23:00:23 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2006-01-19 23:00:23 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_search_ramfs',`
|
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
dontaudit $1 ramfs_t:dir search_dir_perms;
|
2006-01-19 23:00:23 +00:00
|
|
|
')
|
|
|
|
|
2006-09-06 16:36:23 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
2009-11-23 18:16:28 +00:00
|
|
|
## Create, read, write, and delete
|
2006-09-06 16:36:23 +00:00
|
|
|
## directories on a ramfs.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_ramfs_dirs',`
|
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 ramfs_t:dir manage_dir_perms;
|
|
|
|
')
|
|
|
|
|
2006-02-13 22:05:08 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Dontaudit read on a ramfs files.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_read_ramfs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 ramfs_t:file read;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Dontaudit read on a ramfs fifo_files.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_read_ramfs_pipes',`
|
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 ramfs_t:fifo_file read;
|
|
|
|
')
|
|
|
|
|
2006-03-09 19:02:29 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete
|
|
|
|
## files on a ramfs filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_ramfs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_files_pattern($1, ramfs_t, ramfs_t)
|
2006-03-09 19:02:29 +00:00
|
|
|
')
|
|
|
|
|
2006-01-19 23:00:23 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
2005-10-28 14:34:26 +00:00
|
|
|
## Write to named pipe on a ramfs filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-10-28 14:34:26 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-28 14:34:26 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_write_ramfs_pipes',`
|
2005-10-28 14:34:26 +00:00
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
write_fifo_files_pattern($1, ramfs_t, ramfs_t)
|
2005-10-28 14:34:26 +00:00
|
|
|
')
|
|
|
|
|
2006-03-09 19:02:29 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
2009-11-23 18:16:28 +00:00
|
|
|
## Do not audit attempts to write to named
|
2006-03-09 19:02:29 +00:00
|
|
|
## pipes on a ramfs filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_write_ramfs_pipes',`
|
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 ramfs_t:fifo_file write;
|
|
|
|
')
|
|
|
|
|
2005-11-29 21:27:15 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read and write a named pipe on a ramfs filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-11-29 21:27:15 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-11-29 21:27:15 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_rw_ramfs_pipes',`
|
2005-11-29 21:27:15 +00:00
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
rw_fifo_files_pattern($1, ramfs_t, ramfs_t)
|
2005-11-29 21:27:15 +00:00
|
|
|
')
|
|
|
|
|
2006-03-09 19:02:29 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
2009-11-23 18:16:28 +00:00
|
|
|
## Create, read, write, and delete
|
2006-03-09 19:02:29 +00:00
|
|
|
## named pipes on a ramfs filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_ramfs_pipes',`
|
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_fifo_files_pattern($1, ramfs_t, ramfs_t)
|
2006-03-09 19:02:29 +00:00
|
|
|
')
|
|
|
|
|
2005-09-23 19:38:34 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Write to named socket on a ramfs filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-09-23 19:38:34 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-23 19:38:34 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_write_ramfs_sockets',`
|
2005-09-23 19:38:34 +00:00
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
write_sock_files_pattern($1, ramfs_t, ramfs_t)
|
2005-09-23 19:38:34 +00:00
|
|
|
')
|
|
|
|
|
2006-03-09 19:02:29 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete
|
|
|
|
## named sockets on a ramfs filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_ramfs_sockets',`
|
|
|
|
gen_require(`
|
|
|
|
type ramfs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_sock_files_pattern($1, ramfs_t, ramfs_t)
|
2006-03-09 19:02:29 +00:00
|
|
|
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Mount a ROM filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_mount_romfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type romfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 romfs_t:filesystem mount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Remount a ROM filesystem. This allows
|
|
|
|
## some mount options to be changed.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_remount_romfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type romfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 romfs_t:filesystem remount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Unmount a ROM filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_unmount_romfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type romfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-02-06 22:47:46 +00:00
|
|
|
allow $1 romfs_t:filesystem unmount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Get the attributes of a ROM
|
|
|
|
## filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_getattr_romfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type romfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 romfs_t:filesystem getattr;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Mount a RPC pipe filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_mount_rpc_pipefs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type rpc_pipefs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 rpc_pipefs_t:filesystem mount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Remount a RPC pipe filesystem. This
|
|
|
|
## allows some mount option to be changed.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_remount_rpc_pipefs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type rpc_pipefs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 rpc_pipefs_t:filesystem remount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Unmount a RPC pipe filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_unmount_rpc_pipefs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type rpc_pipefs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-02-06 22:47:46 +00:00
|
|
|
allow $1 rpc_pipefs_t:filesystem unmount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Get the attributes of a RPC pipe
|
|
|
|
## filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_getattr_rpc_pipefs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type rpc_pipefs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 rpc_pipefs_t:filesystem getattr;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2006-09-22 17:14:35 +00:00
|
|
|
#########################################
|
|
|
|
## <summary>
|
|
|
|
## Read and write RPC pipe filesystem named pipes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_rw_rpc_named_pipes',`
|
|
|
|
gen_require(`
|
2008-05-15 13:10:34 +00:00
|
|
|
type rpc_pipefs_t;
|
2006-09-22 17:14:35 +00:00
|
|
|
')
|
|
|
|
|
2008-10-20 16:10:42 +00:00
|
|
|
allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
|
2006-09-22 17:14:35 +00:00
|
|
|
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Mount a tmpfs filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_mount_tmpfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 tmpfs_t:filesystem mount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Remount a tmpfs filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_remount_tmpfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 tmpfs_t:filesystem remount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Unmount a tmpfs filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_unmount_tmpfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-02-06 22:47:46 +00:00
|
|
|
allow $1 tmpfs_t:filesystem unmount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Get the attributes of a tmpfs
|
|
|
|
## filesystem.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_getattr_tmpfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 tmpfs_t:filesystem getattr;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the type to associate to tmpfs filesystems.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="type">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## The type of the object to be associated.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_associate_tmpfs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $1 tmpfs_t:filesystem associate;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2005-07-08 20:44:57 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Get the attributes of tmpfs directories.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-08 20:44:57 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-08 20:44:57 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_getattr_tmpfs_dirs',`
|
2005-07-08 20:44:57 +00:00
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 tmpfs_t:dir getattr;
|
|
|
|
')
|
|
|
|
|
2006-04-17 19:51:46 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to get the attributes
|
|
|
|
## of tmpfs directories.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_getattr_tmpfs_dirs',`
|
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 tmpfs_t:dir getattr;
|
|
|
|
')
|
|
|
|
|
2005-07-08 20:44:57 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Set the attributes of tmpfs directories.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-08 20:44:57 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-08 20:44:57 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_setattr_tmpfs_dirs',`
|
2005-07-08 20:44:57 +00:00
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 tmpfs_t:dir setattr;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Search tmpfs directories.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-08 20:44:57 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-08 20:44:57 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_search_tmpfs',`
|
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 tmpfs_t:dir search_dir_perms;
|
2005-07-08 20:44:57 +00:00
|
|
|
')
|
|
|
|
|
2005-07-18 18:31:49 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## List the contents of generic tmpfs directories.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-18 18:31:49 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-18 18:31:49 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_list_tmpfs',`
|
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 tmpfs_t:dir list_dir_perms;
|
2005-07-18 18:31:49 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to list the
|
|
|
|
## contents of generic tmpfs directories.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-18 18:31:49 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-18 18:31:49 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_list_tmpfs',`
|
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
dontaudit $1 tmpfs_t:dir list_dir_perms;
|
2005-07-18 18:31:49 +00:00
|
|
|
')
|
|
|
|
|
2005-09-15 21:03:29 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete
|
|
|
|
## tmpfs directories
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-09-15 21:03:29 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-15 21:03:29 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_tmpfs_dirs',`
|
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 tmpfs_t:dir manage_dir_perms;
|
2005-09-15 21:03:29 +00:00
|
|
|
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2006-05-10 18:09:08 +00:00
|
|
|
## <summary>
|
|
|
|
## Create an object in a tmpfs filesystem, with a private
|
|
|
|
## type using a type transition.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="private type">
|
|
|
|
## <summary>
|
|
|
|
## The type of the object to be created.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <param name="object">
|
|
|
|
## <summary>
|
|
|
|
## The object class of the object being created.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2006-02-21 18:40:44 +00:00
|
|
|
interface(`fs_tmpfs_filetrans',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
allow $2 tmpfs_t:filesystem associate;
|
2008-07-23 21:38:39 +00:00
|
|
|
filetrans_pattern($1, tmpfs_t, $2, $3)
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2007-02-16 23:01:42 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to getattr
|
|
|
|
## generic tmpfs files.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain to not audit.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_getattr_tmpfs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 tmpfs_t:file getattr;
|
|
|
|
')
|
|
|
|
|
2006-01-12 22:26:46 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to read or write
|
|
|
|
## generic tmpfs files.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-01-12 22:26:46 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2006-01-12 22:26:46 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_rw_tmpfs_files',`
|
|
|
|
gen_require(`
|
2006-03-29 14:31:10 +00:00
|
|
|
type tmpfs_t;
|
2006-01-12 22:26:46 +00:00
|
|
|
')
|
|
|
|
|
2007-02-16 23:01:42 +00:00
|
|
|
dontaudit $1 tmpfs_t:file rw_file_perms;
|
2006-01-12 22:26:46 +00:00
|
|
|
')
|
|
|
|
|
2005-12-09 20:08:10 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete
|
|
|
|
## auto moutpoints.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-12-09 20:08:10 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-12-09 20:08:10 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_auto_mountpoints',`
|
|
|
|
gen_require(`
|
|
|
|
type autofs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 autofs_t:dir manage_dir_perms;
|
|
|
|
')
|
|
|
|
|
2005-11-29 21:27:15 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read and write generic tmpfs files.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-11-29 21:27:15 +00:00
|
|
|
## </param>
|
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_rw_tmpfs_files',`
|
2005-11-29 21:27:15 +00:00
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
rw_files_pattern($1, tmpfs_t, tmpfs_t)
|
2005-11-29 21:27:15 +00:00
|
|
|
')
|
|
|
|
|
2006-01-25 15:53:35 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read tmpfs link files.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2006-01-25 15:53:35 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_read_tmpfs_symlinks',`
|
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
read_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
|
2006-01-25 15:53:35 +00:00
|
|
|
')
|
|
|
|
|
2005-05-19 21:06:06 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Read and write character nodes on tmpfs filesystems.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-05-19 21:06:06 +00:00
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_rw_tmpfs_chr_files',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 tmpfs_t:dir list_dir_perms;
|
2008-07-23 21:38:39 +00:00
|
|
|
rw_chr_files_pattern($1, tmpfs_t, tmpfs_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
')
|
|
|
|
|
2006-01-17 17:50:10 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## dontaudit Read and write character nodes on tmpfs filesystems.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2006-01-17 17:50:10 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_use_tmpfs_chr_dev',`
|
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
dontaudit $1 tmpfs_t:dir list_dir_perms;
|
|
|
|
dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms;
|
2006-01-17 17:50:10 +00:00
|
|
|
')
|
|
|
|
|
2005-05-25 20:58:21 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Relabel character nodes on tmpfs filesystems.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-05-25 20:58:21 +00:00
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_relabel_tmpfs_chr_file',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 tmpfs_t:dir list_dir_perms;
|
2008-07-23 21:38:39 +00:00
|
|
|
relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t)
|
2005-05-25 20:58:21 +00:00
|
|
|
')
|
|
|
|
|
2005-05-19 21:06:06 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Read and write block nodes on tmpfs filesystems.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-05-19 21:06:06 +00:00
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_rw_tmpfs_blk_files',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 tmpfs_t:dir list_dir_perms;
|
2008-07-23 21:38:39 +00:00
|
|
|
rw_blk_files_pattern($1, tmpfs_t, tmpfs_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Relabel block nodes on tmpfs filesystems.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-05-25 20:58:21 +00:00
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_relabel_tmpfs_blk_file',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 tmpfs_t:dir list_dir_perms;
|
2008-07-23 21:38:39 +00:00
|
|
|
relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t)
|
2005-05-25 20:58:21 +00:00
|
|
|
')
|
|
|
|
|
2005-09-15 21:03:29 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Read and write, create and delete generic
|
|
|
|
## files on tmpfs filesystems.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-15 21:03:29 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_tmpfs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_files_pattern($1, tmpfs_t, tmpfs_t)
|
2005-09-15 21:03:29 +00:00
|
|
|
')
|
|
|
|
|
2005-06-29 20:53:53 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-29 20:53:53 +00:00
|
|
|
## Read and write, create and delete symbolic
|
|
|
|
## links on tmpfs filesystems.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-29 20:53:53 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-29 20:53:53 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_tmpfs_symlinks',`
|
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_lnk_files_pattern($1, tmpfs_t, tmpfs_t)
|
2005-06-29 20:53:53 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-29 20:53:53 +00:00
|
|
|
## Read and write, create and delete socket
|
|
|
|
## files on tmpfs filesystems.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-29 20:53:53 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-29 20:53:53 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_tmpfs_sockets',`
|
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_sock_files_pattern($1, tmpfs_t, tmpfs_t)
|
2005-06-29 20:53:53 +00:00
|
|
|
')
|
|
|
|
|
2005-05-25 20:58:21 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Read and write, create and delete character
|
|
|
|
## nodes on tmpfs filesystems.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-05-19 21:06:06 +00:00
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_manage_tmpfs_chr_files',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_chr_files_pattern($1, tmpfs_t, tmpfs_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Read and write, create and delete block nodes
|
|
|
|
## on tmpfs filesystems.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-05-19 21:06:06 +00:00
|
|
|
#
|
2006-01-31 20:29:27 +00:00
|
|
|
interface(`fs_manage_tmpfs_blk_files',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
|
|
|
type tmpfs_t;
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
manage_blk_files_pattern($1, tmpfs_t, tmpfs_t)
|
2005-05-19 21:06:06 +00:00
|
|
|
')
|
|
|
|
|
2009-11-23 18:16:28 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Mount a XENFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_mount_xenfs',`
|
|
|
|
gen_require(`
|
|
|
|
type xenfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 xenfs_t:filesystem mount;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete directories
|
|
|
|
## on a XENFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <rolecap/>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_xenfs_dirs',`
|
|
|
|
gen_require(`
|
|
|
|
type xenfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 xenfs_t:dir manage_dir_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to create, read,
|
|
|
|
## write, and delete directories
|
|
|
|
## on a XENFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain to not audit.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_manage_xenfs_dirs',`
|
|
|
|
gen_require(`
|
|
|
|
type xenfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 xenfs_t:dir manage_dir_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Create, read, write, and delete files
|
|
|
|
## on a XENFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
## <rolecap/>
|
|
|
|
#
|
|
|
|
interface(`fs_manage_xenfs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type xenfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
manage_files_pattern($1, xenfs_t, xenfs_t)
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to create,
|
|
|
|
## read, write, and delete files
|
|
|
|
## on a XENFS filesystem.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain to not audit.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_manage_xenfs_files',`
|
|
|
|
gen_require(`
|
|
|
|
type xenfs_t;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 xenfs_t:file manage_file_perms;
|
|
|
|
')
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Mount all filesystems.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_mount_all_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
2005-06-28 17:48:59 +00:00
|
|
|
attribute filesystem_type;
|
2005-06-22 16:07:14 +00:00
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-28 17:48:59 +00:00
|
|
|
allow $1 filesystem_type:filesystem mount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Remount all filesystems. This
|
|
|
|
## allows some mount options to be changed.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_remount_all_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
2005-06-28 17:48:59 +00:00
|
|
|
attribute filesystem_type;
|
2005-06-22 16:07:14 +00:00
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-28 17:48:59 +00:00
|
|
|
allow $1 filesystem_type:filesystem remount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Unmount all filesystems.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_unmount_all_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
2005-06-28 17:48:59 +00:00
|
|
|
attribute filesystem_type;
|
2005-06-22 16:07:14 +00:00
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-28 17:48:59 +00:00
|
|
|
allow $1 filesystem_type:filesystem unmount;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
2005-04-25 19:54:27 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2010-03-01 19:50:55 +00:00
|
|
|
## Get the attributes of all filesystems.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2010-03-01 19:50:55 +00:00
|
|
|
## <desc>
|
|
|
|
## <p>
|
|
|
|
## Allow the specified domain to
|
|
|
|
## et the attributes of all filesystems.
|
|
|
|
## Example attributes:
|
|
|
|
## </p>
|
|
|
|
## <ul>
|
|
|
|
## <li>Type of the file system (e.g., ext3)</li>
|
|
|
|
## <li>Size of the file system</li>
|
|
|
|
## <li>Available space on the file system</li>
|
|
|
|
## </ul>
|
|
|
|
## </desc>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2010-03-01 19:50:55 +00:00
|
|
|
## <infoflow type="read" weight="5"/>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-04-25 19:54:27 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_getattr_all_fs',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
2005-06-28 17:48:59 +00:00
|
|
|
attribute filesystem_type;
|
2005-06-22 16:07:14 +00:00
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-28 17:48:59 +00:00
|
|
|
allow $1 filesystem_type:filesystem getattr;
|
2009-06-08 17:18:26 +00:00
|
|
|
files_getattr_all_file_type_fs($1)
|
2005-04-25 19:54:27 +00:00
|
|
|
')
|
|
|
|
|
2005-06-22 21:14:48 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Do not audit attempts to get the attributes
|
|
|
|
## all filesystems.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain to not audit.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2005-06-22 21:14:48 +00:00
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_getattr_all_fs',`
|
|
|
|
gen_require(`
|
2005-06-28 17:48:59 +00:00
|
|
|
attribute filesystem_type;
|
2005-06-22 21:14:48 +00:00
|
|
|
')
|
|
|
|
|
2005-06-28 17:48:59 +00:00
|
|
|
dontaudit $1 filesystem_type:filesystem getattr;
|
2005-06-22 21:14:48 +00:00
|
|
|
')
|
|
|
|
|
2005-05-16 21:10:33 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Get the quotas of all filesystems.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## The type of the domain getting quotas.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_get_all_fs_quotas',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
2005-06-28 17:48:59 +00:00
|
|
|
attribute filesystem_type;
|
2005-06-22 16:07:14 +00:00
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-28 17:48:59 +00:00
|
|
|
allow $1 filesystem_type:filesystem quotaget;
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
2005-05-18 13:20:38 +00:00
|
|
|
########################################
|
2005-07-08 20:44:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Set the quotas of all filesystems.
|
2005-07-08 20:44:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## The type of the domain setting quotas.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-05-18 13:20:38 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_set_all_quotas',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
2005-06-28 17:48:59 +00:00
|
|
|
attribute filesystem_type;
|
2005-06-22 16:07:14 +00:00
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-28 17:48:59 +00:00
|
|
|
allow $1 filesystem_type:filesystem quotamod;
|
2005-05-18 13:20:38 +00:00
|
|
|
')
|
|
|
|
|
2005-09-16 21:20:37 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Relabelfrom all filesystems.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2006-05-10 18:09:08 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-16 21:20:37 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_relabelfrom_all_fs',`
|
|
|
|
gen_require(`
|
|
|
|
attribute filesystem_type;
|
|
|
|
')
|
|
|
|
|
|
|
|
allow $1 filesystem_type:filesystem relabelfrom;
|
|
|
|
')
|
|
|
|
|
2005-11-29 15:49:18 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Get the attributes of all directories
|
|
|
|
## with a filesystem type.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-11-29 15:49:18 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-11-29 15:49:18 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_getattr_all_dirs',`
|
|
|
|
gen_require(`
|
|
|
|
attribute filesystem_type;
|
|
|
|
')
|
|
|
|
|
2005-12-09 21:07:30 +00:00
|
|
|
allow $1 filesystem_type:dir getattr;
|
2005-11-29 15:49:18 +00:00
|
|
|
')
|
|
|
|
|
2005-09-19 21:17:45 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Search all directories with a filesystem type.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-09-19 21:17:45 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-09-19 21:17:45 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_search_all',`
|
|
|
|
gen_require(`
|
|
|
|
attribute filesystem_type;
|
|
|
|
')
|
|
|
|
|
2005-11-29 15:49:18 +00:00
|
|
|
allow $1 filesystem_type:dir search_dir_perms;
|
2005-09-19 21:17:45 +00:00
|
|
|
')
|
|
|
|
|
2005-07-11 19:02:50 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## List all directories with a filesystem type.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-11 19:02:50 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-11 19:02:50 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_list_all',`
|
|
|
|
gen_require(`
|
|
|
|
attribute filesystem_type;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 filesystem_type:dir list_dir_perms;
|
2005-07-11 19:02:50 +00:00
|
|
|
')
|
|
|
|
|
2005-05-12 20:50:09 +00:00
|
|
|
########################################
|
2005-10-10 18:11:46 +00:00
|
|
|
## <summary>
|
|
|
|
## Get the attributes of all files with
|
|
|
|
## a filesystem type.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## </param>
|
2005-05-12 20:50:09 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`fs_getattr_all_files',`
|
2005-06-22 16:07:14 +00:00
|
|
|
gen_require(`
|
2005-06-28 17:48:59 +00:00
|
|
|
attribute filesystem_type;
|
2005-06-22 16:07:14 +00:00
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
getattr_files_pattern($1, filesystem_type, filesystem_type)
|
2005-10-10 18:11:46 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Get the attributes of all symbolic links with
|
|
|
|
## a filesystem type.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_getattr_all_symlinks',`
|
|
|
|
gen_require(`
|
|
|
|
attribute filesystem_type;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
getattr_lnk_files_pattern($1, filesystem_type, filesystem_type)
|
2005-10-10 18:11:46 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Get the attributes of all named pipes with
|
|
|
|
## a filesystem type.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_getattr_all_pipes',`
|
|
|
|
gen_require(`
|
|
|
|
attribute filesystem_type;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
getattr_fifo_files_pattern($1, filesystem_type, filesystem_type)
|
2005-10-10 18:11:46 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Get the attributes of all named sockets with
|
|
|
|
## a filesystem type.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_getattr_all_sockets',`
|
|
|
|
gen_require(`
|
|
|
|
attribute filesystem_type;
|
|
|
|
')
|
|
|
|
|
2008-07-23 21:38:39 +00:00
|
|
|
getattr_sock_files_pattern($1, filesystem_type, filesystem_type)
|
2005-05-12 20:50:09 +00:00
|
|
|
')
|
|
|
|
|
2005-10-10 18:11:46 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to get the attributes
|
|
|
|
## of all files with a filesystem type.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_getattr_all_files',`
|
|
|
|
gen_require(`
|
|
|
|
attribute filesystem_type;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 filesystem_type:file getattr;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to get the attributes
|
|
|
|
## of all symbolic links with a filesystem type.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_getattr_all_symlinks',`
|
|
|
|
gen_require(`
|
|
|
|
attribute filesystem_type;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 filesystem_type:lnk_file getattr;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to get the attributes
|
|
|
|
## of all named pipes with a filesystem type.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_getattr_all_pipes',`
|
|
|
|
gen_require(`
|
|
|
|
attribute filesystem_type;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 filesystem_type:fifo_file getattr;
|
|
|
|
')
|
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Do not audit attempts to get the attributes
|
|
|
|
## of all named sockets with a filesystem type.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-10 18:11:46 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_dontaudit_getattr_all_sockets',`
|
|
|
|
gen_require(`
|
|
|
|
attribute filesystem_type;
|
|
|
|
')
|
|
|
|
|
|
|
|
dontaudit $1 filesystem_type:sock_file getattr;
|
|
|
|
')
|
|
|
|
|
2005-07-05 20:59:51 +00:00
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Unconfined access to filesystems
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-07-05 20:59:51 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-07-05 20:59:51 +00:00
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_unconfined',`
|
|
|
|
gen_require(`
|
2006-04-10 21:04:51 +00:00
|
|
|
attribute filesystem_unconfined_type;
|
2005-07-05 20:59:51 +00:00
|
|
|
')
|
|
|
|
|
2006-04-10 21:04:51 +00:00
|
|
|
typeattribute $1 filesystem_unconfined_type;
|
2005-07-05 20:59:51 +00:00
|
|
|
')
|
2006-05-03 19:58:01 +00:00
|
|
|
|
|
|
|
########################################
|
|
|
|
## <summary>
|
|
|
|
## Relabel all objets from filesystems that
|
|
|
|
## do not support extended attributes.
|
|
|
|
## </summary>
|
|
|
|
## <param name="domain">
|
|
|
|
## <summary>
|
|
|
|
## Domain allowed access.
|
|
|
|
## </summary>
|
|
|
|
## </param>
|
|
|
|
#
|
|
|
|
interface(`fs_relabelfrom_noxattr_fs',`
|
|
|
|
gen_require(`
|
|
|
|
attribute noxattrfs;
|
|
|
|
')
|
|
|
|
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 noxattrfs:dir list_dir_perms;
|
2008-07-23 21:38:39 +00:00
|
|
|
relabelfrom_dirs_pattern($1, noxattrfs, noxattrfs)
|
|
|
|
relabelfrom_files_pattern($1, noxattrfs, noxattrfs)
|
|
|
|
relabelfrom_lnk_files_pattern($1, noxattrfs, noxattrfs)
|
|
|
|
relabelfrom_fifo_files_pattern($1, noxattrfs, noxattrfs)
|
|
|
|
relabelfrom_sock_files_pattern($1, noxattrfs, noxattrfs)
|
|
|
|
relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
|
|
|
|
relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
|
2006-05-03 19:58:01 +00:00
|
|
|
')
|