selinux-policy/policy/modules/system/mount.te

policy_module(mount,1.6.1)

########################################
#
# Declarations
#

ifdef(`targeted_policy',`
## <desc>
## <p>
## Allow mount to mount any file
## </p>
## </desc>
gen_tunable(allow_mount_anyfile,false)
')

type mount_t;
type mount_exec_t;
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;

type mount_loopback_t; # customizable
files_type(mount_loopback_t)

type mount_tmp_t;
files_tmp_file(mount_tmp_t)

ifdef(`targeted_policy',`
	type unconfined_mount_t;
	domain_type(unconfined_mount_t)
	domain_entry_file(unconfined_mount_t,mount_exec_t)
')

########################################
#
# mount local policy
#

# setuid/setgid needed to mount cifs 
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };

allow mount_t mount_loopback_t:file read_file_perms;
allow mount_t self:netlink_route_socket r_netlink_socket_perms;

allow mount_t mount_tmp_t:file manage_file_perms;
allow mount_t mount_tmp_t:dir manage_dir_perms;

can_exec(mount_t, mount_exec_t)

files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })

kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)

dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
dev_rw_lvm_control(mount_t)
dev_dontaudit_getattr_all_chr_files(mount_t)
dev_dontaudit_getattr_memory_dev(mount_t)
dev_getattr_sound_dev(mount_t)

storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)

fs_getattr_xattr_fs(mount_t)
fs_getattr_cifs(mount_t)
fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
fs_list_auto_mountpoints(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t)

term_use_all_terms(mount_t)

# required for mount.smbfs
corecmd_exec_bin(mount_t)

domain_use_interactive_fds(mount_t)

files_search_all(mount_t)
files_read_etc_files(mount_t)
files_manage_etc_runtime_files(mount_t)
files_etc_filetrans_etc_runtime(mount_t,file)
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
# These rules need to be generalized.  Only admin, initrc should have it:
files_relabelto_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
# cjp: this seems wrong, the type should probably be etc
files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
files_list_mnt(mount_t)

init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)

libs_use_ld_so(mount_t)
libs_use_shared_libs(mount_t)

logging_send_syslog_msg(mount_t)

miscfiles_read_localization(mount_t)

mls_file_read_up(mount_t)
mls_file_write_down(mount_t)

sysnet_use_portmap(mount_t)

selinux_get_enforce_mode(mount_t)
seutil_read_config(mount_t)

userdom_use_all_users_fds(mount_t)

ifdef(`distro_redhat',`
	optional_policy(`
		auth_read_pam_console_data(mount_t)
		# mount config by default sets fscontext=removable_t
		fs_relabelfrom_dos_fs(mount_t)
	')
')

ifdef(`targeted_policy',`
	tunable_policy(`allow_mount_anyfile',`
		auth_read_all_dirs_except_shadow(mount_t)
		auth_read_all_files_except_shadow(mount_t)
		files_mounton_non_security(mount_t)
	')
')

optional_policy(`
	# for nfs
	corenet_all_recvfrom_unlabeled(mount_t)
	corenet_all_recvfrom_netlabel(mount_t)
	corenet_tcp_sendrecv_all_if(mount_t)
	corenet_raw_sendrecv_all_if(mount_t)
	corenet_udp_sendrecv_all_if(mount_t)
	corenet_tcp_sendrecv_all_nodes(mount_t)
	corenet_raw_sendrecv_all_nodes(mount_t)
	corenet_udp_sendrecv_all_nodes(mount_t)
	corenet_tcp_sendrecv_all_ports(mount_t)
	corenet_udp_sendrecv_all_ports(mount_t)
	corenet_tcp_bind_all_nodes(mount_t)
	corenet_udp_bind_all_nodes(mount_t)
	corenet_tcp_bind_generic_port(mount_t)
	corenet_udp_bind_generic_port(mount_t)
	corenet_tcp_bind_reserved_port(mount_t)
	corenet_udp_bind_reserved_port(mount_t)
	corenet_tcp_bind_all_rpc_ports(mount_t)
	corenet_udp_bind_all_rpc_ports(mount_t)
	corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
	corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
	corenet_tcp_connect_all_ports(mount_t)

	fs_search_rpc(mount_t)

	sysnet_dns_name_resolve(mount_t)

	rpc_stub(mount_t)

	optional_policy(`
		nis_use_ypbind(mount_t)
	')
')

optional_policy(`
	apm_use_fds(mount_t)
')

optional_policy(`
	ifdef(`hide_broken_symptoms',`
		# for a bug in the X server
		rhgb_dontaudit_rw_stream_sockets(mount_t)
		term_dontaudit_use_ptmx(mount_t)
	')
')

# for kernel package installation
optional_policy(`
	rpm_rw_pipes(mount_t)
')

optional_policy(`
	samba_domtrans_smbmount(mount_t)
')

optional_policy(`
	nscd_socket_use(mount_t)
')

########################################
#
# Unconfined mount local policy
#

ifdef(`targeted_policy',`
	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
	unconfined_domain(unconfined_mount_t)
')