#DESC Fsadm - Disk and file system administration
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
#

#################################
#
# Rules for the fsadm_t domain.
#
# fsadm_t is the domain for disk and file system
# administration.
# fsadm_exec_t is the type of the corresponding programs.
#
# Reviewer summary: this domain is deliberately powerful (raw block-device
# access, sys_rawio/sys_admin, DAC override). Everything below is scoped to
# that purpose; any new rule added here should be justified by a concrete
# tool in the package list above, as the existing per-rule comments do.
#
# Attributes: domain / privlog / fs_domain are the usual attribute sets for a
# privileged system domain; mlsfileread presumably exempts the domain from
# MLS read-down restrictions so it can read files at any level - confirm
# against the attribute definitions, which are not in this file.
type fsadm_t, domain, privlog, fs_domain, mlsfileread;
role system_r types fsadm_t;
role sysadm_r types fsadm_t;

general_domain_access(fsadm_t)

# for swapon
r_dir_file(fsadm_t, sysfs_t)

# Read system information files in /proc.
r_dir_file(fsadm_t, proc_t)

# Read system variables in /proc/sys
read_sysctl(fsadm_t)

# for /dev/shm
# Note: write access to tmpfs_t files is granted here (not only read).
allow fsadm_t tmpfs_t:dir { getattr search };
allow fsadm_t tmpfs_t:file { read write };

base_file_read_access(fsadm_t)

# Read /etc.
r_dir_file(fsadm_t, etc_t)

# Read module-related files.
allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;

# Read /dev directories and any symbolic links.
# (Write access to device_t dirs/links is granted further down, under
# "Recreate /dev/cdrom".)
allow fsadm_t device_t:dir r_dir_perms;
allow fsadm_t device_t:lnk_file r_file_perms;

uses_shlib(fsadm_t)

# Entry points: programs labelled fsadm_exec_t transition into fsadm_t when
# run from initrc_t (boot-time fsck etc.) and from sysadm_t. The sysadm_t
# transition is omitted under targeted_policy - presumably because that
# configuration has no sysadm_t domain; verify before relying on it.
type fsadm_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
')
# Private temporary files (fsadm_tmp_t, per the tmp_domain macro convention).
tmp_domain(fsadm)

# remount file system to apply changes
allow fsadm_t fs_t:filesystem remount;

allow fsadm_t fs_t:filesystem getattr;

# mkreiserfs needs this
allow fsadm_t proc_t:filesystem getattr;

# mkreiserfs and other programs need this for UUID
allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };

# Use capabilities. ipc_lock is for losetup
# sys_rawio and sys_admin are the heavyweight grants here (raw disk ioctls;
# mount/swapon and much more). dac_override / dac_read_search let the tools
# bypass file-mode checks, e.g. on unreadable mount points. No setuid/setgid,
# chown or fowner are granted, so the domain cannot change file ownership.
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };

# Write to /etc/mtab.
# New files created by fsadm_t in etc_t directories get etc_runtime_t, so
# the domain never needs write access to etc_t itself.
file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)

# Inherit and use descriptors from init.
allow fsadm_t init_t:fd use;

# Run other fs admin programs in the fsadm_t domain.
# (exec without a domain transition - e.g. fsck invoking fsck.<type>.)
can_exec(fsadm_t, fsadm_exec_t)

# Access disk devices.
# Full read/write on fixed and removable disk device nodes is the core
# privilege of this domain; SCSI generic devices are read-only.
allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;

# Access lost+found.
# fsck creates and fills lost+found; sock_file and fifo_file are included
# because recovered inodes may be of those classes.
allow fsadm_t lost_found_t:dir create_dir_perms;
allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
allow fsadm_t lost_found_t:lnk_file create_lnk_perms;

# file_t: default type for unlabeled files on a persistent filesystem -
# presumably needed to create/remove mount-point directories on freshly
# made filesystems; confirm against the tools that trigger it.
allow fsadm_t file_t:dir { search read getattr rmdir create };

# Recreate /mnt/cdrom.
allow fsadm_t mnt_t:dir { search read getattr rmdir create };

# Recreate /dev/cdrom.
allow fsadm_t device_t:dir rw_dir_perms;
allow fsadm_t device_t:lnk_file { unlink create };

# Enable swapping to devices and files
allow fsadm_t swapfile_t:file { getattr swapon };
allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };

# Allow console log change (updfstab)
allow fsadm_t kernel_t:system syslog_console;

# Access terminals.
allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
allow fsadm_t privfd:fd use;
allow fsadm_t devpts_t:dir { getattr search };

read_locale(fsadm_t)

# for smartctl cron jobs
system_crond_entry(fsadm_exec_t, fsadm_t)

# Access to /initrd devices
# Broadest rules in the file: read/write on every unlabeled or file_t block
# device node, not just disk types. The author ties this to the initrd
# (before labels exist); worth re-checking whether it is still required
# once the root filesystem is labelled.
allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir { getattr search };
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
# getattr only (no read/write) on character devices of every device_type.
allow fsadm_t device_type:chr_file getattr;