## <summary>Policy for mount.</summary>

########################################
## <summary>
##	Execute mount in the mount domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`mount_domtrans',`
	gen_require(`
		type mount_t, mount_exec_t;
	')

	# Executing a mount_exec_t file moves the caller into mount_t.
	# The privileges of mount_t are defined outside this file, so
	# each caller of this interface should be reviewed against them.
	domtrans_pattern($1, mount_exec_t, mount_t)
')

########################################
## <summary>
##	Execute mount in the mount domain, and
##	allow the specified role the mount domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mount_run',`
	gen_require(`
		type mount_t;
	')

	# NOTE(review): the summary mentions the terminal of the caller,
	# but no terminal rule appears in this body. Confirm whether the
	# summary is stale or the access is granted elsewhere.
	mount_domtrans($1)
	# Authorize the role passed as the second argument for mount_t.
	role $2 types mount_t;

	# Applied only when the policy providing samba_run_smbmount is
	# available. Callers then also receive whatever that interface
	# grants; it is defined outside this file, so review it as well.
	optional_policy(`
		samba_run_smbmount($1, $2)
	')
')

########################################
## <summary>
##	Execute mount in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`mount_exec',`
	gen_require(`
		type mount_exec_t;
	')

	# NOTE(review): the rule below was marked for removal by its
	# author and is still present. It lets the caller list any
	# directory labeled mount_exec_t; confirm it is still needed.
	# cjp: this should be removed:
	allow $1 mount_exec_t:dir list_dir_perms;

	allow $1 mount_exec_t:lnk_file read_lnk_file_perms;
	# No domain transition here: mount runs with the permissions of
	# the calling domain rather than those of mount_t.
	can_exec($1, mount_exec_t)
')

########################################
## <summary>
##	Send a generic signal to mount.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mount_signal',`
	gen_require(`
		type mount_t;
	')

	# Only the generic signal permission is granted. sigkill,
	# sigstop, sigchld and signull are separate permissions of the
	# process class and are not covered by this rule.
	allow $1 mount_t:process signal;
')

########################################
## <summary>
##	Use file descriptors for mount.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`mount_use_fds',`
	gen_require(`
		type mount_t;
	')

	# Lets the caller use file descriptors labeled mount_t, for
	# example descriptors it inherits from a mount process.
	allow $1 mount_t:fd use;
')

########################################
## <summary>
##	Allow the mount domain to send nfs requests for mounting
##	network drives
## </summary>
## <desc>
##	<p>
##	Allow the mount domain to send nfs requests for mounting
##	network drives
##	</p>
##	<p>
##	This interface has been deprecated as these rules were
##	a side effect of leaked mount file descriptors.  This
##	interface has no effect.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mount_send_nfs_client_request',`
	# Deprecated stub: the only statement is a refpolicywarn call,
	# so this interface grants no access to the caller.
	refpolicywarn(`$0($*) has been deprecated.')
')

########################################
## <summary>
##	Execute mount in the unconfined mount domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mount_domtrans_unconfined',`
	gen_require(`
		type unconfined_mount_t, mount_exec_t;
	')

	# NOTE(review): unconfined_mount_t is declared outside this file.
	# If it is unconfined as the name suggests, this transition takes
	# the caller out of its own confinement for whatever mount does.
	# Keep the set of callers small and audit each one.
	domtrans_pattern($1, mount_exec_t, unconfined_mount_t)
')

########################################
## <summary>
##	Execute mount in the unconfined mount domain, and
##	allow the specified role the unconfined mount domain,
##	and use the caller's terminal.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mount_run_unconfined',`
	gen_require(`
		type unconfined_mount_t;
	')

	# NOTE(review): the summary mentions the terminal of the caller,
	# but no terminal rule appears in this body. Confirm whether the
	# summary is stale or the access is granted elsewhere.
	mount_domtrans_unconfined($1)
	# Authorize the role passed as the second argument for
	# unconfined_mount_t. Any user able to assume that role can then
	# reach the unconfined mount domain through this transition.
	role $2 types unconfined_mount_t;
')