## <summary>Policy for filesystems.</summary> ## <required val="true"> ## Contains the initial SID for the filesystems. ## </required> ######################################## ## <desc> ## Transform specified type into a filesystem type. ## </desc> ## <param name="domain"> ## The type of the process performing this action. ## </param> # interface(`fs_type',` gen_require(` attribute filesystem_type; ') typeattribute $1 filesystem_type; ') ######################################## ## <desc> ## Transform specified type into a filesystem ## type which does not have extended attribute ## support. ## </desc> ## <param name="domain"> ## The type of the process performing this action. ## </param> # interface(`fs_make_noxattr_fs',` gen_require(` attribute noxattrfs; ') fs_type($1) typeattribute $1 noxattrfs; ') ######################################## ## <desc> ## Associate the specified file type to persistent ## filesystems with extended attributes. This ## allows a file of this type to be created on ## a filesystem such as ext3, JFS, and XFS. ## </desc> ## <param name="file_type"> ## The type of the to be associated. ## </param> # interface(`fs_associate',` gen_require(` type fs_t; class filesystem associate; ') allow $1 fs_t:filesystem associate; ') ######################################## ## <desc> ## Associate the specified file type to ## filesystems which lack extended attributes ## support. This allows a file of this type ## to be created on a filesystem such as ## FAT32, and NFS. ## </desc> ## <param name="file_type"> ## The type of the to be associated. ## </param> # interface(`fs_associate_noxattr',` gen_require(` attribute noxattrfs; class filesystem associate; ') allow $1 noxattrfs:filesystem associate; ') ######################################## ## <desc> ## Mount a persistent filesystem which ## has extended attributes, such as ## ext3, JFS, or XFS. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_mount_xattr_fs',` gen_require(` type fs_t; class filesystem mount; ') allow $1 fs_t:filesystem mount; ') ######################################## ## <desc> ## Remount a persistent filesystem which ## has extended attributes, such as ## ext3, JFS, or XFS. This allows ## some mount options to be changed. ## </desc> ## <param name="domain"> ## The type of the domain remounting the filesystem. ## </param> # interface(`fs_remount_xattr_fs',` gen_require(` type fs_t; class filesystem remount; ') allow $1 fs_t:filesystem remount; ') ######################################## ## <desc> ## Unmount a persistent filesystem which ## has extended attributes, such as ## ext3, JFS, or XFS. ## </desc> ## <param name="domain"> ## The type of the domain unmounting the filesystem. ## </param> # interface(`fs_unmount_xattr_fs',` gen_require(` type fs_t; class filesystem unmount; ') allow $1 fs_t:filesystem mount; ') ######################################## ## <desc> ## Get the attributes of a persistent ## filesystem which has extended ## attributes, such as ext3, JFS, or XFS. ## </desc> ## <param name="domain"> ## The type of the domain doing the ## getattr on the filesystem. ## </param> # interface(`fs_getattr_xattr_fs',` gen_require(` type fs_t; class filesystem getattr; ') allow $1 fs_t:filesystem getattr; ') ######################################## ## <desc> ## Do not audit attempts to ## get the attributes of a persistent ## filesystem which has extended ## attributes, such as ext3, JFS, or XFS. ## </desc> ## <param name="domain"> ## The type of the domain to not audit. ## </param> # interface(`fs_dontaudit_getattr_xattr_fs',` gen_require(` type fs_t; class filesystem getattr; ') dontaudit $1 fs_t:filesystem getattr; ') ######################################## ## <desc> ## Allow changing of the label of a ## filesystem with extended attributes ## using the context= mount option. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_relabelfrom_xattr_fs',` gen_require(` type fs_t; class filesystem relabelfrom; ') allow $1 fs_t:filesystem relabelfrom; ') ######################################## ## <desc> ## Mount an automount pseudo filesystem. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_mount_autofs',` gen_require(` type autofs_t; class filesystem mount; ') allow $1 autofs_t:filesystem mount; ') ######################################## ## <desc> ## Remount an automount pseudo filesystem ## This allows some mount options to be changed. ## </desc> ## <param name="domain"> ## The type of the domain remounting the filesystem. ## </param> # interface(`fs_remount_autofs',` gen_require(` type autofs_t; class filesystem remount; ') allow $1 autofs_t:filesystem remount; ') ######################################## ## <desc> ## Unmount an automount pseudo filesystem. ## </desc> ## <param name="domain"> ## The type of the domain unmounting the filesystem. ## </param> # interface(`fs_unmount_autofs',` gen_require(` type autofs_t; class filesystem unmount; ') allow $1 autofs_t:filesystem mount; ') ######################################## ## <desc> ## Get the attributes of an automount ## pseudo filesystem. ## </desc> ## <param name="domain"> ## The type of the domain doing the ## getattr on the filesystem. ## </param> # interface(`fs_getattr_autofs',` gen_require(` type autofs_t; class filesystem getattr; ') allow $1 autofs_t:filesystem getattr; ') ######################################## ## <summary> ## Search automount filesystem to use automatically ## mounted filesystems. ## </summary> ## <param name="domain"> ## The type of the domain performing this action. ## </param> # interface(`fs_search_auto_mountpoints',` gen_require(` type autofs_t; class dir { getattr search }; ') allow $1 autofs_t:dir { getattr search }; ') ######################################## ## <desc> ## Register an interpreter for new binary ## file types, using the kernel binfmt_misc ## support. A common use for this is to ## register a JVM as an interpreter for ## Java byte code. Registered binaries ## can be directly executed on a command line ## without specifying the interpreter. ## </desc> ## <param name="domain"> ## The type of the domain registering ## the interpreter. ## </param> # interface(`fs_register_binary_executable_type',` gen_require(` type binfmt_misc_fs_t; class dir { getattr search }; class file { getattr ioctl write }; ') allow $1 binfmt_misc_fs_t:dir { getattr search }; allow $1 binfmt_misc_fs_t:file { getattr ioctl write }; ') ######################################## ## <desc> ## Mount a CIFS or SMB network filesystem. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_mount_cifs',` gen_require(` type cifs_t; class filesystem mount; ') allow $1 cifs_t:filesystem mount; ') ######################################## ## <desc> ## Remount a CIFS or SMB network filesystem. ## This allows some mount options to be changed. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_remount_cifs',` gen_require(` type cifs_t; class filesystem remount; ') allow $1 cifs_t:filesystem remount; ') ######################################## ## <desc> ## Unmount a CIFS or SMB network filesystem. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_unmount_cifs',` gen_require(` type cifs_t; class filesystem unmount; ') allow $1 cifs_t:filesystem mount; ') ######################################## ## <desc> ## Get the attributes of a CIFS or ## SMB network filesystem. ## </desc> ## <param name="domain"> ## The type of the domain doing the ## getattr on the filesystem. ## </param> # interface(`fs_getattr_cifs',` gen_require(` type cifs_t; class filesystem getattr; ') allow $1 cifs_t:filesystem getattr; ') ######################################## ## <desc> ## Read files on a CIFS or SMB filesystem. ## </desc> ## <param name="domain"> ## The type of the domain reading the files. ## </param> # interface(`fs_read_cifs_files',` gen_require(` type cifs_t; class dir r_dir_perms; class file r_file_perms; ') allow $1 cifs_t:dir r_dir_perms; allow $1 cifs_t:file r_file_perms; ') ######################################## ## <desc> ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. ## </desc> ## <param name="domain"> ## The type of the domain to not audit. ## </param> # interface(`fs_dontaudit_rw_cifs_files',` gen_require(` type cifs_t; class file { read write }; ') dontaudit $1 cifs_t:file { read write }; ') ######################################## ## <desc> ## Read symbolic links on a CIFS or SMB filesystem. ## </desc> ## <param name="domain"> ## The type of the domain reading the symbolic links. ## </param> # interface(`fs_read_cifs_symlinks',` gen_require(` type cifs_t; class dir r_dir_perms; class lnk_file r_file_perms; ') allow $1 cifs_t:dir r_dir_perms; allow $1 cifs_t:lnk_file r_file_perms; ') ######################################## ## <desc> ## Execute files on a CIFS or SMB ## network filesystem, in the caller ## domain. ## </desc> ## <param name="domain"> ## The type of the domain executing the files. ## </param> # interface(`fs_execute_cifs_files',` gen_require(` type cifs_t; class dir r_dir_perms; ') allow $1 cifs_t:dir r_dir_perms; can_exec($1, cifs_t) ') ######################################## ## <desc> ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystems. ## </desc> ## <param name="domain"> ## The type of the domain to not audit. ## </param> # interface(`fs_read_cifs_files',` gen_require(` type cifs_t; class file { read write }; ') dontaudit $1 cifs_t:file { read write }; ') ######################################## ## <desc> ## Create, read, write, and delete directories ## on a CIFS or SMB network filesystem. ## </desc> ## <param name="domain"> ## The type of the domain managing the directories. ## </param> # interface(`fs_manage_cifs_dirs',` gen_require(` type cifs_t; class dir create_dir_perms; ') allow $1 cifs_t:dir create_file_perms; ') ######################################## ## <desc> ## Create, read, write, and delete files ## on a CIFS or SMB network filesystem. ## </desc> ## <param name="domain"> ## The type of the domain managing the files. ## </param> # interface(`fs_manage_cifs_files',` gen_require(` type cifs_t; class dir rw_dir_perms; class file create_file_perms; ') allow $1 cifs_t:dir rw_dir_perms; allow $1 cifs_t:file create_file_perms; ') ######################################## ## <desc> ## Create, read, write, and delete symbolic links ## on a CIFS or SMB network filesystem. ## </desc> ## <param name="domain"> ## The type of the domain managing the symbolic links. ## </param> # interface(`fs_manage_cifs_symlinks',` gen_require(` type cifs_t; class dir rw_dir_perms; class lnk_file create_lnk_perms; ') allow $1 cifs_t:dir rw_dir_perms; allow $1 cifs_t:lnk_file create_lnk_perms; ') ######################################## ## <desc> ## Create, read, write, and delete named pipes ## on a CIFS or SMB network filesystem. ## </desc> ## <param name="domain"> ## The type of the domain managing the pipes. ## </param> # interface(`fs_manage_cifs_named_pipes',` gen_require(` type cifs_t; class dir rw_dir_perms; class fifo_file create_file_perms; ') allow $1 cifs_t:dir rw_dir_perms; allow $1 cifs_t:fifo_file create_file_perms; ') ######################################## ## <desc> ## Create, read, write, and delete named sockets ## on a CIFS or SMB network filesystem. ## </desc> ## <param name="domain"> ## The type of the domain managing the sockets. ## </param> # interface(`fs_manage_cifs_named_sockets',` gen_require(` type cifs_t; class dir rw_dir_perms; class sock_file create_file_perms; ') allow $1 cifs_t:dir rw_file_perms; allow $1 cifs_t:sock_file create_file_perms; ') ######################################## ## <desc> ## Mount a DOS filesystem, such as ## FAT32 or NTFS. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_mount_dos_fs',` gen_require(` type dosfs_t; class filesystem mount; ') allow $1 dosfs_t:filesystem mount; ') ######################################## ## <desc> ## Remount a DOS filesystem, such as ## FAT32 or NTFS. This allows ## some mount options to be changed. ## </desc> ## <param name="domain"> ## The type of the domain remounting the filesystem. ## </param> # interface(`fs_remount_dos_fs',` gen_require(` type dosfs_t; class filesystem remount; ') allow $1 dosfs_t:filesystem remount; ') ######################################## ## <desc> ## Unmount a DOS filesystem, such as ## FAT32 or NTFS. ## </desc> ## <param name="domain"> ## The type of the domain unmounting the filesystem. ## </param> # interface(`fs_unmount_dos_fs',` gen_require(` type dosfs_t; class filesystem unmount; ') allow $1 dosfs_t:filesystem mount; ') ######################################## ## <desc> ## Get the attributes of a DOS ## filesystem, such as FAT32 or NTFS. ## </desc> ## <param name="domain"> ## The type of the domain doing the ## getattr on the filesystem. ## </param> # interface(`fs_getattr_dos_fs',` gen_require(` type dosfs_t; class filesystem getattr; ') allow $1 dosfs_t:filesystem getattr; ') ######################################## ## <desc> ## Allow changing of the label of a ## DOS filesystem using the context= mount option. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_relabelfrom_dos_fs',` gen_require(` type dosfs_t; class filesystem relabelfrom; ') allow $1 dosfs_t:filesystem relabelfrom; ') ######################################## ## <desc> ## Mount an iso9660 filesystem, which ## is usually used on CDs. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_mount_iso9660_fs',` gen_require(` type iso9660_t; class filesystem mount; ') allow $1 iso9660_t:filesystem mount; ') ######################################## ## <desc> ## Remount an iso9660 filesystem, which ## is usually used on CDs. This allows ## some mount options to be changed. ## </desc> ## <param name="domain"> ## The type of the domain remounting the filesystem. ## </param> # interface(`fs_remount_iso9660_fs',` gen_require(` type iso9660_t; class filesystem remount; ') allow $1 iso9660_t:filesystem remount; ') ######################################## ## <desc> ## Unmount an iso9660 filesystem, which ## is usually used on CDs. ## </desc> ## <param name="domain"> ## The type of the domain unmounting the filesystem. ## </param> # interface(`fs_unmount_iso9660_fs',` gen_require(` type iso9660_t; class filesystem unmount; ') allow $1 iso9660_t:filesystem mount; ') ######################################## ## <desc> ## Get the attributes of an iso9660 ## filesystem, which is usually used on CDs. ## </desc> ## <param name="domain"> ## The type of the domain doing the ## getattr on the filesystem. ## </param> # interface(`fs_getattr_iso9660_fs',` gen_require(` type iso9660_t; class filesystem getattr; ') allow $1 iso9660_t:filesystem getattr; ') ######################################## ## <desc> ## Mount a NFS filesystem. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_mount_nfs',` gen_require(` type nfs_t; class filesystem mount; ') allow $1 nfs_t:filesystem mount; ') ######################################## ## <desc> ## Remount a NFS filesystem. This allows ## some mount options to be changed. ## </desc> ## <param name="domain"> ## The type of the domain remounting the filesystem. ## </param> # interface(`fs_remount_nfs',` gen_require(` type nfs_t; class filesystem remount; ') allow $1 nfs_t:filesystem remount; ') ######################################## ## <desc> ## Unmount a NFS filesystem. ## </desc> ## <param name="domain"> ## The type of the domain unmounting the filesystem. ## </param> # interface(`fs_unmount_nfs',` gen_require(` type nfs_t; class filesystem unmount; ') allow $1 nfs_t:filesystem mount; ') ######################################## ## <desc> ## Get the attributes of a NFS filesystem. ## </desc> ## <param name="domain"> ## The type of the domain doing the ## getattr on the filesystem. ## </param> # interface(`fs_getattr_nfs',` gen_require(` type nfs_t; class filesystem getattr; ') allow $1 nfs_t:filesystem getattr; ') ######################################## ## <desc> ## Read files on a NFS filesystem. ## </desc> ## <param name="domain"> ## The type of the domain reading the files. ## </param> # interface(`fs_read_nfs_files',` gen_require(` type nfs_t; class dir r_dir_perms; class file r_file_perms; ') allow $1 nfs_t:dir r_dir_perms; allow $1 nfs_t:file r_file_perms; ') ######################################## ## <desc> ## Execute files on a NFS filesystem. ## </desc> ## <param name="domain"> ## The type of the domain executing the files. ## </param> # interface(`fs_execute_nfs_files',` gen_require(` type nfs_t; class dir r_dir_perms; ') allow $1 nfs_t:dir r_dir_perms; can_exec($1, nfs_t) ') ######################################## ## <desc> ## Do not audit attempts to read or ## write files on a NFS filesystem. ## </desc> ## <param name="domain"> ## The type of the domain to not audit. ## </param> # interface(`fs_dontaudit_rw_nfs_files',` gen_require(` type nfs_t; class file { read write }; ') dontaudit $1 nfs_t:file { read write }; ') ######################################## ## <desc> ## Read symbolic links on a NFS filesystem. ## </desc> ## <param name="domain"> ## The type of the domain reading the symbolic links. ## </param> # interface(`fs_read_nfs_symlinks',` gen_require(` type nfs_t; class dir r_dir_perms; class lnk_file r_file_perms; ') allow $1 nfs_t:dir r_dir_perms; allow $1 nfs_t:lnk_file r_file_perms; ') ######################################## ## <desc> ## Create, read, write, and delete directories ## on a NFS filesystem. ## </desc> ## <param name="domain"> ## The type of the domain managing the directories. ## </param> # interface(`fs_manage_nfs_dirs',` gen_require(` type nfs_t; class dir create_dir_perms; ') allow $1 nfs_t:dir create_dir_perms; ') ######################################## ## <desc> ## Create, read, write, and delete files ## on a NFS filesystem. ## </desc> ## <param name="domain"> ## The type of the domain managing the files. ## </param> # interface(`fs_manage_nfs_files',` gen_require(` type nfs_t; class dir rw_dir_perms; class file create_file_perms; ') allow $1 nfs_t:dir rw_dir_perms; allow $1 nfs_t:file create_file_perms; ') ######################################### ## <desc> ## Create, read, write, and delete symbolic links ## on a CIFS or SMB network filesystem. ## </desc> ## <param name="domain"> ## The type of the domain managing the symbolic links. ## </param> # interface(`fs_manage_nfs_symlinks',` gen_require(` type nfs_t; class dir r_dir_perms; class lnk_file create_lnk_perms; ') allow $1 nfs_t:dir rw_dir_perms; allow $1 nfs_t:lnk_file create_lnk_perms; ') ######################################### ## <desc> ## Create, read, write, and delete named pipes ## on a NFS filesystem. ## </desc> ## <param name="domain"> ## The type of the domain managing the pipes. ## </param> # interface(`fs_manage_nfs_named_pipes',` gen_require(` type nfs_t; class dir rw_dir_perms; class fifo_file create_file_perms; ') allow $1 nfs_t:dir rw_dir_perms; allow $1 nfs_t:fifo_file create_file_perms; ') ######################################### ## <desc> ## Create, read, write, and delete named sockets ## on a NFS filesystem. ## </desc> ## <param name="domain"> ## The type of the domain managing the sockets. ## </param> # interface(`fs_manage_nfs_named_sockets',` gen_require(` type nfs_t; class dir rw_dir_perms; class sock_file create_file_perms; ') allow $1 nfs_t:dir rw_dir_perms; allow $1 nfs_t:sock_file create_file_perms; ') ######################################## ## <desc> ## Mount a NFS server pseudo filesystem. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_mount_nfsd_fs',` gen_require(` type nfsd_fs_t; class filesystem mount; ') allow $1 nfsd_fs_t:filesystem mount; ') ######################################## ## <desc> ## Mount a NFS server pseudo filesystem. ## This allows some mount options to be changed. ## </desc> ## <param name="domain"> ## The type of the domain remounting the filesystem. ## </param> # interface(`fs_remount_nfsd_fs',` gen_require(` type nfsd_fs_t; class filesystem remount; ') allow $1 nfsd_fs_t:filesystem remount; ') ######################################## ## <desc> ## Unmount a NFS server pseudo filesystem. ## </desc> ## <param name="domain"> ## The type of the domain unmounting the filesystem. ## </param> # interface(`fs_unmount_nfsd_fs',` gen_require(` type nfsd_fs_t; class filesystem unmount; ') allow $1 nfsd_fs_t:filesystem mount; ') ######################################## ## <desc> ## Get the attributes of a NFS server ## pseudo filesystem. ## </desc> ## <param name="domain"> ## The type of the domain doing the ## getattr on the filesystem. ## </param> # interface(`fs_getattr_nfsd_fs',` gen_require(` type nfsd_fs_t; class filesystem getattr; ') allow $1 nfsd_fs_t:filesystem getattr; ') ######################################## ## <desc> ## Mount a RAM filesystem. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_mount_ramfs',` gen_require(` type ramfs_t; class filesystem mount; ') allow $1 ramfs_t:filesystem mount; ') ######################################## ## <desc> ## Remount a RAM filesystem. This allows ## some mount options to be changed. ## </desc> ## <param name="domain"> ## The type of the domain remounting the filesystem. ## </param> # interface(`fs_remount_ramfs',` gen_require(` type ramfs_t; class filesystem remount; ') allow $1 ramfs_t:filesystem remount; ') ######################################## ## <desc> ## Unmount a RAM filesystem. ## </desc> ## <param name="domain"> ## The type of the domain unmounting the filesystem. ## </param> # interface(`fs_unmount_ramfs',` gen_require(` type ramfs_t; class filesystem unmount; ') allow $1 ramfs_t:filesystem mount; ') ######################################## ## <desc> ## Get the attributes of a RAM filesystem. ## </desc> ## <param name="domain"> ## The type of the domain doing the ## getattr on the filesystem. ## </param> # interface(`fs_getattr_ramfs',` gen_require(` type ramfs_t; class filesystem getattr; ') allow $1 ramfs_t:filesystem getattr; ') ######################################## ## <desc> ## Mount a ROM filesystem. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_mount_romfs',` gen_require(` type romfs_t; class filesystem mount; ') allow $1 romfs_t:filesystem mount; ') ######################################## ## <desc> ## Remount a ROM filesystem. This allows ## some mount options to be changed. ## </desc> ## <param name="domain"> ## The type of the domain remounting the filesystem. ## </param> # interface(`fs_remount_romfs',` gen_require(` type romfs_t; class filesystem remount; ') allow $1 romfs_t:filesystem remount; ') ######################################## ## <desc> ## Unmount a ROM filesystem. ## </desc> ## <param name="domain"> ## The type of the domain unmounting the filesystem. ## </param> # interface(`fs_unmount_romfs',` gen_require(` type romfs_t; class filesystem unmount; ') allow $1 romfs_t:filesystem mount; ') ######################################## ## <desc> ## Get the attributes of a ROM ## filesystem. ## </desc> ## <param name="domain"> ## The type of the domain doing the ## getattr on the filesystem. ## </param> # interface(`fs_getattr_romfs',` gen_require(` type romfs_t; class filesystem getattr; ') allow $1 romfs_t:filesystem getattr; ') ######################################## ## <desc> ## Mount a RPC pipe filesystem. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_mount_rpc_pipefs',` gen_require(` type rpc_pipefs_t; class filesystem mount; ') allow $1 rpc_pipefs_t:filesystem mount; ') ######################################## ## <desc> ## Remount a RPC pipe filesystem. This ## allows some mount option to be changed. ## </desc> ## <param name="domain"> ## The type of the domain remounting the filesystem. ## </param> # interface(`fs_remount_rpc_pipefs',` gen_require(` type rpc_pipefs_t; class filesystem remount; ') allow $1 rpc_pipefs_t:filesystem remount; ') ######################################## ## <desc> ## Unmount a RPC pipe filesystem. ## </desc> ## <param name="domain"> ## The type of the domain unmounting the filesystem. ## </param> # interface(`fs_unmount_rpc_pipefs',` gen_require(` type rpc_pipefs_t; class filesystem unmount; ') allow $1 rpc_pipefs_t:filesystem mount; ') ######################################## ## <desc> ## Get the attributes of a RPC pipe ## filesystem. ## </desc> ## <param name="domain"> ## The type of the domain doing the ## getattr on the filesystem. ## </param> # interface(`fs_getattr_rpc_pipefs',` gen_require(` type rpc_pipefs_t; class filesystem getattr; ') allow $1 rpc_pipefs_t:filesystem getattr; ') ######################################## ## <desc> ## Mount a tmpfs filesystem. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_mount_tmpfs',` gen_require(` type tmpfs_t; class filesystem mount; ') allow $1 tmpfs_t:filesystem mount; ') ######################################## ## <desc> ## Remount a tmpfs filesystem. ## </desc> ## <param name="domain"> ## The type of the domain remounting the filesystem. ## </param> # interface(`fs_remount_tmpfs',` gen_require(` type tmpfs_t; class filesystem remount; ') allow $1 tmpfs_t:filesystem remount; ') ######################################## ## <desc> ## Unmount a tmpfs filesystem. ## </desc> ## <param name="domain"> ## The type of the domain unmounting the filesystem. ## </param> # interface(`fs_unmount_tmpfs',` gen_require(` type tmpfs_t; class filesystem unmount; ') allow $1 tmpfs_t:filesystem mount; ') ######################################## ## <desc> ## Get the attributes of a tmpfs ## filesystem. ## </desc> ## <param name="domain"> ## The type of the domain doing the ## getattr on the filesystem. ## </param> # interface(`fs_getattr_tmpfs',` gen_require(` type tmpfs_t; class filesystem getattr; ') allow $1 tmpfs_t:filesystem getattr; ') ######################################## ## <desc> ## Allow the type to associate to tmpfs filesystems. ## </desc> ## <param name="type"> ## The type of the object to be associated. ## </param> # interface(`fs_associate_tmpfs',` gen_require(` type tmpfs_t; class filesystem associate; ') allow $1 tmpfs_t:filesystem associate; ') ######################################## # # fs_create_tmpfs_data(domain,derivedtype,[class]) # interface(`fs_create_tmpfs_data',` gen_require(` type tmpfs_t; class filesystem associate; class dir rw_dir_perms; ') allow $2 tmpfs_t:filesystem associate; allow $1 tmpfs_t:dir rw_dir_perms; ifelse(`$3',`',` type_transition $1 tmpfs_t:file $2; ',` type_transition $1 tmpfs_t:$3 $2; ') ') ######################################## ## <desc> ## Read and write character nodes on tmpfs filesystems. ## </desc> ## <param name="domain"> ## The type of the process performing this action. ## </param> # interface(`fs_use_tmpfs_chr_dev',` gen_require(` type tmpfs_t; class dir r_dir_perms; class chr_file rw_file_perms; ') allow $1 tmpfs_t:dir r_dir_perms; allow $1 tmpfs_t:chr_file rw_file_perms; ') ######################################## ## <desc> ## Relabel character nodes on tmpfs filesystems. ## </desc> ## <param name="domain"> ## The type of the process performing this action. ## </param> # interface(`fs_relabel_tmpfs_chr_dev',` gen_require(` type tmpfs_t; class dir r_dir_perms; class chr_file { getattr relabelfrom relabelto }; ') allow $1 tmpfs_t:dir r_dir_perms; allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto }; ') ######################################## ## <desc> ## Read and write block nodes on tmpfs filesystems. ## </desc> ## <param name="domain"> ## The type of the process performing this action. ## </param> # interface(`fs_use_tmpfs_blk_dev',` gen_require(` type tmpfs_t; class dir r_dir_perms; class blk_file rw_file_perms; ') allow $1 tmpfs_t:dir r_dir_perms; allow $1 tmpfs_t:blk_file rw_file_perms; ') ######################################## ## <desc> ## Relabel block nodes on tmpfs filesystems. ## </desc> ## <param name="domain"> ## The type of the process performing this action. ## </param> # interface(`fs_relabel_tmpfs_blk_dev',` gen_require(` type tmpfs_t; class dir r_dir_perms; class blk_file { getattr relabelfrom relabelto }; ') allow $1 tmpfs_t:dir r_dir_perms; allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto }; ') ######################################## ## <desc> ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## </desc> ## <param name="domain"> ## The type of the process performing this action. ## </param> # interface(`fs_manage_tmpfs_symlinks',` gen_require(` type tmpfs_t; class dir rw_dir_perms; class chr_file create_lnk_perms; ') allow $1 tmpfs_t:dir rw_dir_perms; allow $1 tmpfs_t:chr_file create_lnk_perms; ') ######################################## ## <desc> ## Read and write, create and delete socket ## files on tmpfs filesystems. ## </desc> ## <param name="domain"> ## The type of the process performing this action. ## </param> # interface(`fs_manage_tmpfs_sockets',` gen_require(` type tmpfs_t; class dir rw_dir_perms; class sock_file create_file_perms; ') allow $1 tmpfs_t:dir rw_dir_perms; allow $1 tmpfs_t:sock_file create_file_perms; ') ######################################## ## <desc> ## Read and write, create and delete character ## nodes on tmpfs filesystems. ## </desc> ## <param name="domain"> ## The type of the process performing this action. ## </param> # interface(`fs_manage_tmpfs_chr_dev',` gen_require(` type tmpfs_t; class dir rw_dir_perms; class chr_file create_file_perms; ') allow $1 tmpfs_t:dir rw_dir_perms; allow $1 tmpfs_t:chr_file create_file_perms; ') ######################################## ## <desc> ## Read and write, create and delete block nodes ## on tmpfs filesystems. ## </desc> ## <param name="domain"> ## The type of the process performing this action. ## </param> # interface(`fs_manage_tmpfs_blk_dev',` gen_require(` type tmpfs_t; class dir rw_dir_perms; class blk_file create_file_perms; ') allow $1 tmpfs_t:dir rw_dir_perms; allow $1 tmpfs_t:blk_file create_file_perms; ') ######################################## ## <desc> ## Mount all filesystems. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_mount_all_fs',` gen_require(` attribute filesystem_type; class filesystem mount; ') allow $1 filesystem_type:filesystem mount; ') ######################################## ## <desc> ## Remount all filesystems. This ## allows some mount options to be changed. ## </desc> ## <param name="domain"> ## The type of the domain mounting the filesystem. ## </param> # interface(`fs_remount_all_fs',` gen_require(` attribute filesystem_type; class filesystem remount; ') allow $1 filesystem_type:filesystem remount; ') ######################################## ## <desc> ## Unmount all filesystems. ## </desc> ## <param name="domain"> ## The type of the domain unmounting the filesystem. ## </param> # interface(`fs_unmount_all_fs',` gen_require(` attribute filesystem_type; class filesystem unmount; ') allow $1 filesystem_type:filesystem unmount; ') ######################################## ## <desc> ## Get the attributes of all persistent ## filesystems. ## </desc> ## <param name="domain"> ## The type of the domain doing the ## getattr on the filesystem. ## </param> # interface(`fs_getattr_all_fs',` gen_require(` attribute filesystem_type; class filesystem getattr; ') allow $1 filesystem_type:filesystem getattr; ') ######################################## ## <desc> ## Do not audit attempts to get the attributes ## all filesystems. ## </desc> ## <param name="domain"> ## The type of the domain to not audit. ## </param> # interface(`fs_dontaudit_getattr_all_fs',` gen_require(` attribute filesystem_type; class filesystem getattr; ') dontaudit $1 filesystem_type:filesystem getattr; ') ######################################## ## <desc> ## Get the quotas of all filesystems. ## </desc> ## <param name="domain"> ## The type of the domain getting quotas. ## </param> # interface(`fs_get_all_fs_quotas',` gen_require(` attribute filesystem_type; class filesystem quotaget; ') allow $1 filesystem_type:filesystem quotaget; ') ######################################## ## <desc> ## Set the quotas of all filesystems. ## </desc> ## <param name="domain"> ## The type of the domain setting quotas. ## </param> # interface(`fs_set_all_quotas',` gen_require(` attribute filesystem_type; class filesystem quotamod; ') allow $1 filesystem_type:filesystem quotamod; ') ######################################## # # fs_getattr_all_files(type) # interface(`fs_getattr_all_files',` gen_require(` attribute filesystem_type; class dir { search getattr }; class file getattr; class lnk_file getattr; class fifo_file getattr; class sock_file getattr; ') allow $1 filesystem_type:dir { search getattr }; allow $1 filesystem_type:file getattr; allow $1 filesystem_type:lnk_file getattr; allow $1 filesystem_type:fifo_file getattr; allow $1 filesystem_type:sock_file getattr; ') ######################################## ## <summary> ## Unconfined access to filesystems ## </summary> ## <param name="domain"> ## Domain allowed access. ## </param> # interface(`fs_unconfined',` gen_require(` attribute filesystem_type; ') allow $1 filesystem_type:filesystem *; # Create/access other files. fs_type is to pick up various # pseudo filesystem types that are applied to both the filesystem # and its files. allow $1 filesystem_type:{ dir lnk_file sock_file fifo_file blk_file } *; ')