#DESC Quota - File system quota management utilities # # Author: Russell Coker <russell@coker.com.au> # X-Debian-Packages: quota quotatool # ################################# # # Rules for the quota_t domain. # # needs auth attribute because it has read access to shadow_t because checkquota # is buggy daemon_base_domain(quota, `, auth, fs_domain') # so the administrator can run quotacheck domain_auto_trans(sysadm_t, quota_exec_t, quota_t) role sysadm_r types quota_t; allow quota_t admin_tty_type:chr_file { read write }; type quota_flag_t, file_type, sysadmfile; type quota_db_t, file_type, sysadmfile; rw_dir_create_file(initrc_t, quota_flag_t) allow quota_t fs_t:filesystem { getattr quotaget quotamod remount }; # quotacheck creates new quota_db_t files file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file) # for some reason it wants dac_override not dac_read_search allow quota_t self:capability { sys_admin dac_override }; allow quota_t file_type:{ fifo_file sock_file } getattr; allow quota_t file_t:file quotaon; # for quotacheck allow quota_t file_type:dir r_dir_perms; # The following line is apparently necessary, although read and # ioctl seem to be more than should be required. allow quota_t file_type:file { getattr read ioctl }; allow quota_t file_type:{ fifo_file sock_file } getattr; allow quota_t file_type:lnk_file { read getattr }; allow quota_t device_type:{ chr_file blk_file } getattr; allow quota_t fixed_disk_device_t:blk_file { getattr read }; # for /quota.* allow quota_t quota_db_t:file { read write }; dontaudit unpriv_userdomain quota_db_t:file getattr; allow quota_t quota_db_t:file quotaon; # Read /etc/mtab. allow quota_t etc_runtime_t:file { read getattr }; allow quota_t device_t:dir r_dir_perms; allow quota_t fixed_disk_device_t:blk_file getattr; allow quota_t boot_t:dir r_dir_perms; allow quota_t sysctl_t:dir { getattr search }; allow quota_t initrc_devpts_t:chr_file rw_file_perms; allow quota_t proc_t:file getattr;