#DESC mdadm - Linux RAID tool
#
# Author: Colin Walters <walters@redhat.com>
#
daemon_base_domain(mdadm, `, fs_domain, privmail')
role sysadm_r types mdadm_t;
allow initrc_t mdadm_var_run_t:file create_file_perms;
# Kernel filesystem permissions
r_dir_file(mdadm_t, proc_t)
allow mdadm_t proc_mdstat_t:file rw_file_perms;
read_sysctl(mdadm_t)
r_dir_file(mdadm_t, sysfs_t)
# Configuration
allow mdadm_t { etc_t etc_runtime_t }:file { getattr read };
read_locale(mdadm_t)
# Linux capabilities
allow mdadm_t self:capability { dac_override sys_admin ipc_lock };
# Helper program access
can_exec(mdadm_t, { bin_t sbin_t })
# RAID block device access
allow mdadm_t fixed_disk_device_t:blk_file create_file_perms;
allow mdadm_t device_t:lnk_file { getattr read };
# Silence (dontaudit) denials from attempts to scan and read every device node; no access is granted
dontaudit mdadm_t device_type:{ chr_file blk_file } getattr;
dontaudit mdadm_t device_t:{ fifo_file file dir chr_file blk_file } { read getattr };
dontaudit mdadm_t devpts_t:dir r_dir_perms;
# Silence (dontaudit) denials for reads/writes to the sysadmin tty; no access is granted
dontaudit mdadm_t sysadm_tty_device_t:chr_file rw_file_perms;
# Other miscellaneous dontaudit rules (denials silenced, no access granted)
dontaudit mdadm_t tmpfs_t:dir r_dir_perms;
dontaudit mdadm_t initctl_t:fifo_file getattr;
var_run_domain(mdadm)
allow mdadm_t var_t:dir { getattr search };