91 lines
2.3 KiB
Plaintext
91 lines
2.3 KiB
Plaintext
#
|
|
# Macros for mount
|
|
#
|
|
# Author: Brian May <bam@snoopy.apana.org.au>
|
|
# Extended by Russell Coker <russell@coker.com.au>
|
|
#
|
|
|
|
#
|
|
# mount_domain(domain_prefix,dst_domain_prefix)
|
|
#
|
|
# Define a derived domain for the mount program for anyone.
|
|
#
|
|
define(`mount_domain', `
|
|
#
|
|
# Rules for the $2_t domain, used by the $1_t domain.
|
|
#
|
|
# $2_t is the domain for the mount process.
|
|
#
|
|
# This macro will not be included by all users and it may be included twice if
|
|
# called from other macros, so we need protection for this do not call this
|
|
# macro if $2_def is defined
|
|
define(`$2_def', `')
|
|
#
|
|
type $2_t, domain, privlog $3, nscd_client_domain;
|
|
|
|
allow $2_t sysfs_t:dir search;
|
|
|
|
uses_shlib($2_t)
|
|
|
|
role $1_r types $2_t;
|
|
# when mount is run by $1 goto $2_t domain
|
|
domain_auto_trans($1_t, mount_exec_t, $2_t)
|
|
|
|
allow $2_t proc_t:dir search;
|
|
allow $2_t proc_t:file { getattr read };
|
|
|
|
#
|
|
# Allow mounting of cdrom by user
|
|
#
|
|
allow $2_t device_type:blk_file getattr;
|
|
|
|
tmp_domain($2)
|
|
|
|
# Use capabilities.
|
|
allow $2_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
|
|
|
|
allow $2_t self:unix_stream_socket create_socket_perms;
|
|
|
|
# Create and modify /etc/mtab.
|
|
file_type_auto_trans($2_t, etc_t, etc_runtime_t, file)
|
|
|
|
allow $2_t etc_t:file { getattr read };
|
|
|
|
read_locale($2_t)
|
|
|
|
allow $2_t home_root_t:dir search;
|
|
allow $2_t $1_home_dir_t:dir search;
|
|
allow $2_t noexattrfile:filesystem { mount unmount };
|
|
allow $2_t fs_t:filesystem getattr;
|
|
allow $2_t removable_t:filesystem { mount unmount };
|
|
allow $2_t mnt_t:dir { mounton search };
|
|
allow $2_t sbin_t:dir search;
|
|
|
|
# Access the terminal.
|
|
access_terminal($2_t, $1)
|
|
ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
|
|
allow $2_t var_t:dir search;
|
|
allow $2_t var_run_t:dir search;
|
|
|
|
ifdef(`distro_redhat',`
|
|
ifdef(`pamconsole.te',`
|
|
r_dir_file($2_t,pam_var_console_t)
|
|
# mount config by default sets fscontext=removable_t
|
|
allow $2_t dosfs_t:filesystem relabelfrom;
|
|
') dnl end pamconsole.te
|
|
') dnl end distro_redhat
|
|
') dnl end mount_domain
|
|
|
|
# mount_loopback_privs(domain_prefix,dst_domain_prefix)
|
|
#
|
|
# Add loopback mounting privileges to a particular derived
|
|
# mount domain.
|
|
#
|
|
define(`mount_loopback_privs',`
|
|
type $1_$2_source_t, file_type, sysadmfile, $1_file_type;
|
|
allow $1_t $1_$2_source_t:file create_file_perms;
|
|
allow $1_t $1_$2_source_t:file { relabelto relabelfrom };
|
|
allow $2_t $1_$2_source_t:file rw_file_perms;
|
|
')
|
|
|