selinux-policy/targeted/domains/program/fsadm.te
2005-11-07 20:09:28 +00:00


#DESC Fsadm - Disk and file system administration
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
#
#################################
#
# Rules for the fsadm_t domain.
#
# fsadm_t is the domain for disk and file system
# administration.
# fsadm_exec_t is the type of the corresponding programs.
#
# Declare the fsadm_t domain together with its attributes.
# NOTE(review): mlsfileread and mlsfilewrite presumably exempt this domain
# from the MLS read and write constraints on files. The attribute and
# constraint definitions are not in this file -- confirm before relying on it.
type fsadm_t, domain, privlog, fs_domain, mlsfileread, mlsfilewrite;
# Authorize fsadm_t for both the system role and the administrator role.
role system_r types fsadm_t;
role sysadm_r types fsadm_t;
# Baseline access granted through a macro defined outside this file; the
# exact permission set cannot be read off from here.
general_domain_access(fsadm_t)
# Read access to sysfs (needed by swapon).
r_dir_file(fsadm_t, sysfs_t)
# Read system information files in /proc.
r_dir_file(fsadm_t, proc_t)
# Read system variables in /proc/sys
read_sysctl(fsadm_t)
# for /dev/shm
# The two rules below are keyed on the tmpfs_t type, so they cover every
# directory and file carrying that label, not only objects under /dev/shm.
allow fsadm_t tmpfs_t:dir { getattr search };
allow fsadm_t tmpfs_t:file { read write };
# Macro defined outside this file; presumably read access to base system
# files -- confirm against the macro definition.
base_file_read_access(fsadm_t)
# Read /etc.
r_dir_file(fsadm_t, etc_t)
# Read module-related files.
allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
# Read /dev directories and any symbolic links.
# A later rule in this file also grants the read/write directory permission
# set on device_t:dir, which presumably subsumes the read-only grant here.
allow fsadm_t device_t:dir r_dir_perms;
allow fsadm_t device_t:lnk_file r_file_perms;
# Shared library access via a macro defined outside this file.
uses_shlib(fsadm_t)
# Type for the file system administration executables (entry point files
# for the fsadm_t domain).
type fsadm_exec_t, file_type, sysadmfile, exec_type;
# Automatic transition into fsadm_t when initrc_t runs an fsadm_exec_t file.
domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
# The branch used when targeted_policy is defined is empty, so the
# transition from sysadm_t is emitted only when it is NOT defined.
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
')
# Macro defined outside this file; presumably sets up a private temporary
# file type for this domain -- confirm against the macro definition.
tmp_domain(fsadm)
# remount file system to apply changes
allow fsadm_t fs_t:filesystem remount;
allow fsadm_t fs_t:filesystem getattr;
# mkreiserfs needs this
allow fsadm_t proc_t:filesystem getattr;
# mkreiserfs and other programs need this for UUID
# Read-only: no write to the random devices is granted.
allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
# Use capabilities. ipc_lock is for losetup
# Review note: this is a broad set. dac_override and dac_read_search bypass
# discretionary (mode bit) file checks, sys_rawio permits raw I/O, and
# sys_admin covers mount and many other administrative operations. With DAC
# bypassed, the type enforcement rules in this file are the effective limit
# on what a process in this domain can reach, so each allow rule below
# should be reviewed with that in mind.
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
# Write to /etc/mtab.
# Presumably files this domain creates in etc_t directories are labeled
# etc_runtime_t instead of inheriting etc_t; the macro is defined outside
# this file -- confirm. If so, it also implies create access inside etc_t
# directories, limited to objects of the resulting runtime type.
file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
# Inherit and use descriptors from init.
allow fsadm_t init_t:fd use;
# Run other fs admin programs in the fsadm_t domain.
# Execution stays within fsadm_t; no further domain transition is declared
# here for fsadm_exec_t files started from this domain.
can_exec(fsadm_t, fsadm_exec_t)
# Access disk devices.
# Review note: read/write on the raw device nodes reaches file system
# contents beneath the per-file labels, so any code that runs in fsadm_t
# can read or alter data on these disks regardless of the types assigned to
# individual files. The set of entry points into fsadm_t is therefore the
# real boundary protecting on-disk data.
allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
# SCSI generic nodes get the read permission set only, and only as
# character devices.
allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;
# Access lost+found.
# Create-level access to directories, regular files, sockets, fifos and
# symlinks labeled lost_found_t.
allow fsadm_t lost_found_t:dir create_dir_perms;
allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
# Directories still carrying the file_t label: list, create and remove the
# directory itself. A later rule in this file additionally grants the
# read/write directory permission set on file_t and unlabeled_t directories.
allow fsadm_t file_t:dir { search read getattr rmdir create };
# Recreate /mnt/cdrom.
allow fsadm_t mnt_t:dir { search read getattr rmdir create };
# Recreate /dev/cdrom.
# Keyed on device_t, so this applies to every device_t directory and
# symlink, not only the cdrom link. Symlinks may be created and unlinked.
allow fsadm_t device_t:dir rw_dir_perms;
allow fsadm_t device_t:lnk_file { unlink create };
# Enable swapping to devices and files
# Only getattr and swapon are granted here; content access to fixed disk
# block devices comes from the disk device rules elsewhere in this file.
allow fsadm_t swapfile_t:file { getattr swapon };
allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
# Allow console log change (updfstab)
# Grants the syslog_console permission of the system class against the
# kernel: the domain may change what the kernel logs to the console.
allow fsadm_t kernel_t:system syslog_console;
# Access terminals.
# Macro defined outside this file; presumably pty access for ptys owned by
# the initrc domain -- confirm against the macro definition.
can_access_pty(fsadm_t, initrc)
# Read/write on administrator ttys, /dev/tty and the console device.
allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
# Emitted only when the gnome-pty-helper.te symbol is defined at build time.
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
# Use descriptors inherited from any domain carrying the privfd attribute.
allow fsadm_t privfd:fd use;
read_locale(fsadm_t)
# for smartctl cron jobs
# Macro defined outside this file; presumably lets system cron jobs enter
# fsadm_t through fsadm_exec_t, which adds cron as an entry path into this
# privileged domain -- confirm and review alongside the other transitions.
system_crond_entry(fsadm_exec_t, fsadm_t)
# Access to /initrd devices
# Review note: these rules are keyed on type, not on path. Any directory or
# block device node that is unlabeled or still carries file_t is covered,
# wherever it lives, so a mislabeled or unlabeled block device node becomes
# readable and writable from this domain.
allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
# Traverse usbfs directories; no file access in usbfs is granted here.
allow fsadm_t usbfs_t:dir { getattr search };
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
# Stat any character device whose type has the device_type attribute;
# getattr only, no read or write.
allow fsadm_t device_type:chr_file getattr;
# for tune2fs
# Attribute-wide: the domain may stat and traverse every directory whose
# type has the file_type attribute. The read permission is not included, so
# this rule alone does not allow listing directory contents.
allow fsadm_t file_type:dir { getattr search };