## Policy for mount. ######################################## ## ## Execute mount in the mount domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`mount_domtrans',` gen_require(` type mount_t, mount_exec_t; ') domtrans_pattern($1, mount_exec_t, mount_t) mount_domtrans_fusermount($1) ifdef(`hide_broken_symptoms', ` dontaudit mount_t $1:unix_stream_socket { read write }; dontaudit mount_t $1:tcp_socket { read write }; dontaudit mount_t $1:udp_socket { read write }; ') ') ######################################## ## ## Execute mount in the mount domain, and ## allow the specified role the mount domain, ## and use the caller's terminal. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`mount_run',` gen_require(` type mount_t; ') mount_domtrans($1) role $2 types mount_t; optional_policy(` fstools_run(mount_t, $2) ') # Needed for mount crypt https://bugzilla.redhat.com/show_bug.cgi?id=418711 optional_policy(` lvm_run(mount_t, $2) ') optional_policy(` modutils_run_insmod(mount_t, $2) ') optional_policy(` rpc_run_rpcd(mount_t, $2) ') optional_policy(` samba_run_smbmount(mount_t, $2) ') ') ######################################## ## ## Execute fusermount in the mount domain, and ## allow the specified role the mount domain, ## and use the caller's terminal. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to be allowed the mount domain. ## ## ## # interface(`mount_run_fusermount',` gen_require(` type mount_t; ') mount_domtrans_fusermount($1) role $2 types mount_t; fstools_run(mount_t, $2) ') ######################################## ## ## Execute mount in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`mount_exec',` gen_require(` type mount_exec_t; ') # cjp: this should be removed: allow $1 mount_exec_t:dir list_dir_perms; allow $1 mount_exec_t:lnk_file read_lnk_file_perms; can_exec($1, mount_exec_t) ') ######################################## ## ## Send a generic signal to mount. ## ## ## ## Domain allowed access. ## ## # interface(`mount_signal',` gen_require(` type mount_t; type unconfined_mount_t; ') allow $1 mount_t:process signal; allow $1 unconfined_mount_t:process signal; ') ######################################## ## ## Use file descriptors for mount. ## ## ## ## Domain allowed access. ## ## # interface(`mount_use_fds',` gen_require(` type mount_t; ') allow $1 mount_t:fd use; ') ######################################## ## ## Allow the mount domain to send nfs requests for mounting ## network drives ## ## ## ## Allow the mount domain to send nfs requests for mounting ## network drives ## ## ## This interface has been deprecated as these rules were ## a side effect of leaked mount file descriptors. This ## interface has no effect. ## ## ## ## ## Domain allowed access. ## ## # interface(`mount_send_nfs_client_request',` refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## ## Execute mount in the unconfined mount domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`mount_domtrans_unconfined',` gen_require(` type unconfined_mount_t, mount_exec_t; ') domtrans_pattern($1, mount_exec_t, unconfined_mount_t) ') ######################################## ## ## Execute mount in the unconfined mount domain, and ## allow the specified role the unconfined mount domain, ## and use the caller's terminal. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`mount_run_unconfined',` gen_require(` type unconfined_mount_t; ') mount_domtrans_unconfined($1) role $2 types unconfined_mount_t; optional_policy(` rpc_run_rpcd(unconfined_mount_t, $2) ') optional_policy(` samba_run_smbmount(unconfined_mount_t, $2) ') ') ######################################## ## ## Execute fusermount in the mount domain. ## ## ## ## Domain allowed access. ## ## # interface(`mount_domtrans_fusermount',` gen_require(` type mount_t, fusermount_exec_t; ') domtrans_pattern($1, fusermount_exec_t, mount_t) ') ######################################## ## ## Execute fusermount. ## ## ## ## Domain allowed access. ## ## # interface(`mount_exec_fusermount',` gen_require(` type fusermount_exec_t; ') can_exec($1, fusermount_exec_t) ') ######################################## ## ## dontaudit Execute fusermount. ## ## ## ## Domain allowed access. ## ## # interface(`mount_dontaudit_exec_fusermount',` gen_require(` type fusermount_exec_t; ') dontaudit $1 fusermount_exec_t:file exec_file_perms; ') ###################################### ## ## Execute a domain transition to run showmount. ## ## ## ## Domain allowed to transition. ## ## # interface(`mount_domtrans_showmount',` gen_require(` type showmount_t, showmount_exec_t; ') domtrans_pattern($1, showmount_exec_t, showmount_t) ') ###################################### ## ## Execute showmount in the showmount domain, and ## allow the specified role the showmount domain. ## ## ## ## Domain allowed access ## ## ## ## ## The role to be allowed the showmount domain. ## ## # interface(`mount_run_showmount',` gen_require(` type showmount_t; ') mount_domtrans_showmount($1) role $2 types showmount_t; ')
## Allow the mount domain to send nfs requests for mounting ## network drives ##
## This interface has been deprecated as these rules were ## a side effect of leaked mount file descriptors. This ## interface has no effect. ##