60 lines
2.0 KiB
Plaintext
60 lines
2.0 KiB
Plaintext
#DESC Quota - File system quota management utilities
|
|
#
|
|
# Author: Russell Coker <russell@coker.com.au>
|
|
# X-Debian-Packages: quota quotatool
|
|
#
|
|
|
|
#################################
|
|
#
|
|
# Rules for the quota_t domain.
|
|
#
|
|
# needs auth attribute because it has read access to shadow_t because checkquota
|
|
# is buggy
|
|
daemon_base_domain(quota, `, auth, fs_domain')
|
|
|
|
# so the administrator can run quotacheck
|
|
domain_auto_trans(sysadm_t, quota_exec_t, quota_t)
|
|
role sysadm_r types quota_t;
|
|
allow quota_t admin_tty_type:chr_file { read write };
|
|
|
|
type quota_flag_t, file_type, sysadmfile;
|
|
type quota_db_t, file_type, sysadmfile;
|
|
|
|
rw_dir_create_file(initrc_t, quota_flag_t)
|
|
|
|
allow quota_t fs_t:filesystem { getattr quotaget quotamod remount };
|
|
# quotacheck creates new quota_db_t files
|
|
file_type_auto_trans(quota_t, { root_t home_root_t var_t usr_t src_t var_spool_t }, quota_db_t, file)
|
|
# for some reason it wants dac_override not dac_read_search
|
|
allow quota_t self:capability { sys_admin dac_override };
|
|
allow quota_t file_type:{ fifo_file sock_file } getattr;
|
|
allow quota_t file_t:file quotaon;
|
|
|
|
# for quotacheck
|
|
allow quota_t file_type:dir r_dir_perms;
|
|
# The following line is apparently necessary, although read and
|
|
# ioctl seem to be more than should be required.
|
|
allow quota_t file_type:file { getattr read ioctl };
|
|
allow quota_t file_type:{ fifo_file sock_file } getattr;
|
|
allow quota_t file_type:lnk_file { read getattr };
|
|
allow quota_t device_type:{ chr_file blk_file } getattr;
|
|
|
|
allow quota_t fixed_disk_device_t:blk_file { getattr read };
|
|
|
|
# for /quota.*
|
|
allow quota_t quota_db_t:file { read write };
|
|
dontaudit unpriv_userdomain quota_db_t:file getattr;
|
|
allow quota_t quota_db_t:file quotaon;
|
|
|
|
# Read /etc/mtab.
|
|
allow quota_t etc_runtime_t:file { read getattr };
|
|
|
|
allow quota_t device_t:dir r_dir_perms;
|
|
allow quota_t fixed_disk_device_t:blk_file getattr;
|
|
allow quota_t boot_t:dir r_dir_perms;
|
|
allow quota_t sysctl_t:dir { getattr search };
|
|
|
|
allow quota_t initrc_devpts_t:chr_file rw_file_perms;
|
|
|
|
allow quota_t proc_t:file getattr;
|