#DESC Fsadm - Disk and file system administration
#
# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  
# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
#

#################################
#
# Rules for the fsadm_t domain.
#
# fsadm_t is the domain for disk and file system
# administration.
# fsadm_exec_t is the type of the corresponding programs.
#
# Declare the fsadm_t domain type with the attributes domain, privlog,
# fs_domain and mlsfileread. The attributes are defined outside this file.
# NOTE(review): fs_domain and mlsfileread presumably exempt this domain from
# policy assertions on raw disk access and from MLS read restrictions.
# Confirm against the attribute definitions before reusing them elsewhere.
type fsadm_t, domain, privlog, fs_domain, mlsfileread;
# Authorize the system role and the sysadm role to run processes in fsadm_t.
role system_r types fsadm_t;
role sysadm_r types fsadm_t;

# Baseline and read-mostly access for fsadm_t. The macros used here are
# defined outside this file, so their exact expansion is not visible here.
general_domain_access(fsadm_t)

# for swapon
r_dir_file(fsadm_t, sysfs_t)

# Read system information files in /proc.
r_dir_file(fsadm_t, proc_t)

# Read system variables in /proc/sys
read_sysctl(fsadm_t)

# for /dev/shm
# Directory access is limited to getattr and search, and file access to
# read and write. No create, unlink or open-related permissions are listed.
# NOTE(review): presumably intended for already existing or inherited
# files only - confirm.
allow fsadm_t tmpfs_t:dir { getattr search };
allow fsadm_t tmpfs_t:file { read write };

base_file_read_access(fsadm_t)

# Read /etc.
r_dir_file(fsadm_t, etc_t)

# Read module-related files.
allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;

# Read /dev directories and any symbolic links.
# NOTE(review): a later rule in this file also grants rw_dir_perms on
# device_t:dir and create/unlink on device_t:lnk_file (under the comment
# about /dev/cdrom), so the effective access to /dev is wider than the
# read-only access stated here.
allow fsadm_t device_t:dir r_dir_perms;
allow fsadm_t device_t:lnk_file r_file_perms;

# Shared library access, via a macro defined outside this file.
uses_shlib(fsadm_t)

# Entry point type for the fsadm_t domain. Programs labeled fsadm_exec_t
# are the way into a domain that holds raw disk access and broad
# capabilities (see the rules further down in this file), so the set of
# binaries carrying this label should be kept small and reviewed.
type fsadm_exec_t, file_type, sysadmfile, exec_type;
# Automatic transition into fsadm_t when initrc_t executes such a program.
domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
# The transition from sysadm_t is emitted only when targeted_policy is NOT
# defined: the branch taken when it is defined is empty.
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
')
# Temporary file handling for the domain, via a macro defined outside this
# file. NOTE(review): presumably declares a fsadm_tmp_t type - confirm.
tmp_domain(fsadm)

# Filesystem-level permissions, random device access and capabilities.

# remount file system to apply changes
allow fsadm_t fs_t:filesystem remount;

# Query attributes of filesystems labeled fs_t.
allow fsadm_t fs_t:filesystem getattr;

# mkreiserfs needs this
allow fsadm_t proc_t:filesystem getattr;

# mkreiserfs and other programs need this for UUID
# Read-only: no write permission on the random devices is granted.
allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };

# Use capabilities.  ipc_lock is for losetup
# NOTE(review): dac_override and dac_read_search let processes in this
# domain bypass discretionary file permission checks, and sys_admin and
# sys_rawio are broad administrative capabilities. Only ipc_lock has a
# documented reason here. When auditing, confirm each remaining capability
# is still required by the tools labeled fsadm_exec_t.
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };

# Write to /etc/mtab.
# Files that fsadm_t creates in etc_t directories are labeled etc_runtime_t
# rather than etc_t.
# NOTE(review): the macro is defined outside this file and presumably also
# grants the directory write access needed to create the file - confirm.
file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)

# Inherit and use descriptors from init.
allow fsadm_t init_t:fd use;

# Run other fs admin programs in the fsadm_t domain.
# Execution stays within fsadm_t: no transition to another domain is
# declared here.
can_exec(fsadm_t, fsadm_exec_t)

# Access disk devices.
# NOTE(review): assuming rw_file_perms expands to read and write access,
# these rules give the domain access to raw device nodes. Data reached
# through a raw device is not subject to the per-file labels of the
# filesystem stored on it, so this domain should be treated as trusted
# with respect to everything on those disks.
allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
# SCSI generic character devices get r_file_perms, not rw_file_perms.
allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;

# Access lost+found.
# Create-level permissions on directories, regular files, sockets, fifos
# and symbolic links labeled lost_found_t.
allow fsadm_t lost_found_t:dir create_dir_perms;
allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
allow fsadm_t lost_found_t:lnk_file create_lnk_perms;

# Directories labeled file_t: search, read, getattr, rmdir and create.
# NOTE(review): the original gives no reason for this rule. It mirrors the
# mnt_t rule below - confirm which tool needs it.
allow fsadm_t file_t:dir { search read getattr rmdir create };

# Recreate /mnt/cdrom.
allow fsadm_t mnt_t:dir { search read getattr rmdir create };

# Recreate /dev/cdrom.
# NOTE(review): these rules apply to every directory and symbolic link
# labeled device_t, not only to the cdrom link named in the comment.
allow fsadm_t device_t:dir rw_dir_perms;
allow fsadm_t device_t:lnk_file { unlink create };

# Enable swapping to devices and files
# Only getattr and swapon are granted by these two rules.
allow fsadm_t swapfile_t:file { getattr swapon };
allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };

# Allow console log change (updfstab)
allow fsadm_t kernel_t:system syslog_console;

# Access terminals.
can_access_pty(fsadm_t, initrc)
allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
# Emitted only when the gnome-pty-helper.te symbol is defined at build time.
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
# Use descriptors passed from any domain carrying the privfd attribute.
allow fsadm_t privfd:fd use;

read_locale(fsadm_t)

# for smartctl cron jobs
# NOTE(review): the macro is defined outside this file. It presumably lets
# system cron jobs enter fsadm_t by executing fsadm_exec_t programs, which
# makes cron job content a path into this domain - confirm.
system_crond_entry(fsadm_exec_t, fsadm_t)

# Access to /initrd devices
# NOTE(review): these rules are not path-restricted. They cover every
# directory and block device labeled file_t or unlabeled_t, wherever it is
# located.
allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir { getattr search };
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
# getattr only, on character devices of every type with the device_type
# attribute.
allow fsadm_t device_type:chr_file getattr;

# for tune2fs
# Applies to directories of every type carrying the file_type attribute,
# so the domain can traverse and stat directories of all file types.
# Only getattr and search are granted: no read of directory contents.
allow fsadm_t file_type:dir { getattr search };