# # Macros for mount # # Author: Brian May <bam@snoopy.apana.org.au> # Extended by Russell Coker <russell@coker.com.au> # # # mount_domain(domain_prefix,dst_domain_prefix) # # Define a derived domain for the mount program for anyone. # define(`mount_domain', ` # # Rules for the $2_t domain, used by the $1_t domain. # # $2_t is the domain for the mount process. # # This macro will not be included by all users and it may be included twice if # called from other macros, so we need protection for this do not call this # macro if $2_def is defined define(`$2_def', `') # type $2_t, domain, privlog $3, nscd_client_domain; allow $2_t sysfs_t:dir search; uses_shlib($2_t) role $1_r types $2_t; # when mount is run by $1 goto $2_t domain domain_auto_trans($1_t, mount_exec_t, $2_t) allow $2_t proc_t:dir search; allow $2_t proc_t:file { getattr read }; # # Allow mounting of cdrom by user # allow $2_t device_type:blk_file getattr; tmp_domain($2) # Use capabilities. allow $2_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown }; allow $2_t self:unix_stream_socket create_socket_perms; # Create and modify /etc/mtab. file_type_auto_trans($2_t, etc_t, etc_runtime_t, file) allow $2_t etc_t:file { getattr read }; read_locale($2_t) allow $2_t home_root_t:dir search; allow $2_t $1_home_dir_t:dir search; allow $2_t noexattrfile:filesystem { mount unmount }; allow $2_t fs_t:filesystem getattr; allow $2_t removable_t:filesystem { mount unmount }; allow $2_t mnt_t:dir { mounton search }; allow $2_t sbin_t:dir search; # Access the terminal. access_terminal($2_t, $1) ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;') allow $2_t var_t:dir search; allow $2_t var_run_t:dir search; ifdef(`distro_redhat',` ifdef(`pamconsole.te',` r_dir_file($2_t,pam_var_console_t) # mount config by default sets fscontext=removable_t allow $2_t dosfs_t:filesystem relabelfrom; ') dnl end pamconsole.te ') dnl end distro_redhat ') dnl end mount_domain # mount_loopback_privs(domain_prefix,dst_domain_prefix) # # Add loopback mounting privileges to a particular derived # mount domain. # define(`mount_loopback_privs',` type $1_$2_source_t, file_type, sysadmfile, $1_file_type; allow $1_t $1_$2_source_t:file create_file_perms; allow $1_t $1_$2_source_t:file { relabelto relabelfrom }; allow $2_t $1_$2_source_t:file rw_file_perms; ')