#DESC Fsadm - Disk and file system administration
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
#

#################################
#
# Rules for the fsadm_t domain.
#
# fsadm_t is the domain for disk and file system
# administration.
# fsadm_exec_t is the type of the corresponding programs.
#
# Declares the domain type together with the attributes it carries.
# NOTE(review): the attributes privlog, fs_domain and mlsfileread are defined
# outside this file. mlsfileread presumably exempts the domain from MLS read
# restrictions on files; confirm against the attribute and constraint definitions.
type fsadm_t, domain, privlog, fs_domain, mlsfileread;
# The domain may be entered under both the system role and the sysadm role.
role system_r types fsadm_t;
role sysadm_r types fsadm_t;

# Baseline permissions every domain gets (macro defined outside this file).
general_domain_access(fsadm_t)

# for swapon
r_dir_file(fsadm_t, sysfs_t)

# Read system information files in /proc.
r_dir_file(fsadm_t, proc_t)

# Read system variables in /proc/sys
read_sysctl(fsadm_t)

# for /dev/shm
# Directories are limited to getattr and search; files are limited to read and write.
allow fsadm_t tmpfs_t:dir { getattr search };
allow fsadm_t tmpfs_t:file { read write };

base_file_read_access(fsadm_t)

# Read /etc.
r_dir_file(fsadm_t, etc_t)

# Read module-related files.
allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;

# Read /dev directories and any symbolic links.
# NOTE(review): a later rule in this file also grants rw_dir_perms on
# device_t:dir, which presumably makes the read-only directory grant here
# redundant; confirm against the permission macro definitions.
allow fsadm_t device_t:dir r_dir_perms;
allow fsadm_t device_t:lnk_file r_file_perms;

uses_shlib(fsadm_t)

# Entry point type for the domain, followed by the automatic transitions into it.
type fsadm_exec_t, file_type, sysadmfile, exec_type;
# Programs labeled fsadm_exec_t that are started from initrc_t run in fsadm_t.
domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
# The transition from sysadm_t is only emitted when targeted_policy is NOT
# defined: the branch taken when it is defined is empty.
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
')

# Temporary file type for the domain (macro defined outside this file).
tmp_domain(fsadm)

# remount file system to apply changes
allow fsadm_t fs_t:filesystem remount;

allow fsadm_t fs_t:filesystem getattr;

# mkreiserfs needs this
allow fsadm_t proc_t:filesystem getattr;

# mkreiserfs and other programs need this for UUID
# Read-only access to the random devices; no write permission is granted.
allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };

# Use capabilities. ipc_lock is for losetup
# NOTE(review): dac_override and dac_read_search bypass discretionary file
# permission checks, and sys_rawio plus sys_admin are broad. With this set the
# type enforcement rules in this file are the effective boundary for the
# domain, so any new allow rule here deserves careful review.
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };

# Write to /etc/mtab.
# NOTE(review): presumably files the domain creates in etc_t directories are
# labeled etc_runtime_t rather than etc_t; confirm against the macro definition.
file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)

# Inherit and use descriptors from init.
allow fsadm_t init_t:fd use;

# Run other fs admin programs in the fsadm_t domain.
can_exec(fsadm_t, fsadm_exec_t)

# Access disk devices.
# Fixed and removable disk device nodes are readable and writable; SCSI
# generic character devices are read-only.
# NOTE(review): raw device access operates beneath the file system, so
# per-file labels do not constrain what the domain can read or modify on those
# disks. Every program labeled fsadm_exec_t should be treated as trusted, and
# the transitions into fsadm_t should stay limited to administrative domains.
allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;

# Access lost+found.
allow fsadm_t lost_found_t:dir create_dir_perms;
allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
allow fsadm_t lost_found_t:lnk_file create_lnk_perms;

# Search, list, create and remove directories of type file_t.
allow fsadm_t file_t:dir { search read getattr rmdir create };

# Recreate /mnt/cdrom.
allow fsadm_t mnt_t:dir { search read getattr rmdir create };

# Recreate /dev/cdrom.
# Only unlink and create are granted on the symbolic links themselves.
allow fsadm_t device_t:dir rw_dir_perms;
allow fsadm_t device_t:lnk_file { unlink create };

# Enable swapping to devices and files
allow fsadm_t swapfile_t:file { getattr swapon };
allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };

# Allow console log change (updfstab)
allow fsadm_t kernel_t:system syslog_console;

# Access terminals.
can_access_pty(fsadm_t, initrc)
allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
# Only emitted when the gnome-pty-helper.te policy file is part of the build.
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
# Use descriptors inherited from any domain carrying the privfd attribute.
allow fsadm_t privfd:fd use;

read_locale(fsadm_t)

# for smartctl cron jobs
# Lets system cron jobs enter fsadm_t through fsadm_exec_t (macro defined
# outside this file), which adds cron as a further entry path into the domain.
system_crond_entry(fsadm_exec_t, fsadm_t)

# Access to /initrd devices
# NOTE(review): file_t and unlabeled_t are not specific to /initrd; they
# presumably apply to any object lacking a valid label, so these two rules
# reach further than the comment above suggests. Confirm whether a dedicated
# type for /initrd content could replace them.
allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir { getattr search };
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
# getattr only, on every character device type carrying the device_type attribute.
allow fsadm_t device_type:chr_file getattr;

# for tune2fs
# Applies to every directory type carrying the file_type attribute, limited to
# getattr and search (path traversal, no directory listing).
allow fsadm_t file_type:dir { getattr search };