## <summary>Policy for filesystems.</summary>
## <required val="true">
##	Contains the initial SID for the filesystems.
## </required>
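########################################
## <summary>
##	Transform specified type into a filesystem type.
## </summary>
## <param name="type">
##	The type to be made a filesystem type.
## </param>
#
interface(`fs_type',`
	gen_require(`
		attribute filesystem_type;
	')

	# Tag the given type so that rules written against the
	# filesystem_type attribute cover it.
	typeattribute $1 filesystem_type;

	# Objects labeled with this type may reside on a filesystem
	# that carries the same label.
	allow $1 self:filesystem associate;
')
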
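########################################
## <summary>
##	Transform specified type into a filesystem
##	type which does not have extended attribute
##	support.
## </summary>
## <param name="type">
##	The type to be made a filesystem type.
## </param>
#
interface(`fs_make_noxattr_fs',`
	gen_require(`
		attribute noxattrfs;
	')

	# Everything the fs_type interface grants comes first.
	fs_type($1)

	# Membership in noxattrfs makes every rule in this file that is
	# written against that attribute apply to the given type as well.
	typeattribute $1 noxattrfs;
')
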
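########################################
## <summary>
##	Associate the specified file type to persistent
##	filesystems with extended attributes.  This
##	allows a file of this type to be created on
##	a filesystem such as ext3, JFS, and XFS.
## </summary>
## <param name="file_type">
##	The type of the file to be associated.
## </param>
#
interface(`fs_associate',`
	gen_require(`
		type fs_t;
	')

	# Only the associate permission on fs_t is granted; access to
	# the files themselves has to come from other rules.
	allow $1 fs_t:filesystem associate;
')
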
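########################################
## <summary>
##	Associate the specified file type to
##	filesystems which lack extended attribute
##	support.  This allows a file of this type
##	to be created on a filesystem such as
##	FAT32 or NFS.
## </summary>
## <param name="file_type">
##	The type of the file to be associated.
## </param>
#
interface(`fs_associate_noxattr',`
	gen_require(`
		attribute noxattrfs;
	')

	# Written against the attribute, so it covers every filesystem
	# type that carries noxattrfs.
	allow $1 noxattrfs:filesystem associate;
')
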
########################################
## <summary>
##	Execute files on a filesystem that does
##	not support extended attributes.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_exec_noxattr',`
	gen_require(`
		attribute noxattrfs;
	')

	# The target is the noxattrfs attribute, so the grant spans every
	# type carrying it rather than one filesystem.
	# NOTE(review): filesystems without xattr support usually give all
	# of their files a single label, so this likely permits executing
	# any file stored on them - confirm against the labeling rules.
	can_exec($1, noxattrfs)
')

########################################
## <summary>
##	Mount a persistent filesystem that
##	supports extended attributes, such as
##	ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_xattr_fs',`
	gen_require(`
		type fs_t;
	')

	# Grants the mount permission only; remount and unmount are
	# handled by their own interfaces in this file.
	allow $1 fs_t:filesystem mount;
')

########################################
## <summary>
##	Remount a persistent filesystem that
##	supports extended attributes, such as
##	ext3, JFS, or XFS.  This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_xattr_fs',`
	gen_require(`
		type fs_t;
	')

	# remount is the only filesystem permission granted here.
	allow $1 fs_t:filesystem remount;
')

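########################################
## <summary>
##	Unmount a persistent filesystem which
##	has extended attributes, such as
##	ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_xattr_fs',`
	gen_require(`
		type fs_t;
	')

	# Grant unmount, as the interface name and summary promise.
	# The rule previously granted mount instead, which both denied
	# the intended operation and handed callers the right to mount.
	allow $1 fs_t:filesystem unmount;
')
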
########################################
## <summary>
##	Get the attributes of a persistent
##	filesystem that supports extended
##	attributes, such as ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_xattr_fs',`
	gen_require(`
		type fs_t;
	')

	# getattr on the filesystem object itself, not on files within it.
	allow $1 fs_t:filesystem getattr;
')

########################################
## <summary>
##	Get the quotas of a persistent
##	filesystem that supports extended
##	attributes, such as ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	The type of the domain getting quotas.
## </param>
#
interface(`fs_get_xattr_fs_quotas',`
	gen_require(`
		type fs_t;
	')

	# Same rule as fs_get_xattr_fs_quota further down in this file.
	allow $1 fs_t:filesystem quotaget;
')

########################################
## <summary>
##	Do not audit attempts to
##	get the attributes of a persistent
##	filesystem that supports extended
##	attributes, such as ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	The type of the domain to not audit.
## </param>
#
interface(`fs_dontaudit_getattr_xattr_fs',`
	gen_require(`
		type fs_t;
	')

	# dontaudit grants nothing: the access is still refused, only the
	# denial record is kept out of the audit log.  Use it for noise
	# known to be harmless, since hidden denials cannot be reviewed.
	dontaudit $1 fs_t:filesystem getattr;
')

########################################
## <summary>
##	Allow changing of the label of a
##	filesystem with extended attributes
##	using the context= mount option.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_relabelfrom_xattr_fs',`
	gen_require(`
		type fs_t;
	')

	# Only relabelfrom on fs_t is granted here.
	# NOTE(review): a context= mount presumably also needs relabelto
	# on the target label, which the caller has to obtain from
	# another rule - confirm.
	allow $1 fs_t:filesystem relabelfrom;
')

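########################################
## <summary>
##	Get the filesystem quotas of a filesystem
##	with extended attributes.
## </summary>
## <param name="domain">
##	The type of the domain getting quotas.
## </param>
#
interface(`fs_get_xattr_fs_quota',`
	gen_require(`
		type fs_t;
	')

	# Same rule as fs_get_xattr_fs_quotas earlier in this file; the
	# two interfaces are duplicates.
	allow $1 fs_t:filesystem quotaget;
')
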
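########################################
## <summary>
##	Set the filesystem quotas of a filesystem
##	with extended attributes.
## </summary>
## <param name="domain">
##	The type of the domain setting quotas.
## </param>
#
interface(`fs_set_xattr_fs_quota',`
	gen_require(`
		type fs_t;
	')

	# quotamod only; reading quotas needs quotaget, which is granted
	# by the fs_get_xattr_fs_quota interface instead.
	allow $1 fs_t:filesystem quotamod;
')
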
########################################
## <summary>
##	Mount an automount pseudo filesystem.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_autofs',`
	gen_require(`
		type autofs_t;
	')

	# Grants the mount permission on autofs_t and nothing else.
	allow $1 autofs_t:filesystem mount;
')

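########################################
## <summary>
##	Remount an automount pseudo filesystem.
##	This allows some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_autofs',`
	gen_require(`
		type autofs_t;
	')

	# remount is the only filesystem permission granted here.
	allow $1 autofs_t:filesystem remount;
')
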
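########################################
## <summary>
##	Unmount an automount pseudo filesystem.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_autofs',`
	gen_require(`
		type autofs_t;
	')

	# Grant unmount, as the interface name and summary promise.
	# The rule previously granted mount instead, which both denied
	# the intended operation and handed callers the right to mount.
	allow $1 autofs_t:filesystem unmount;
')
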
########################################
## <summary>
##	Get the attributes of an automount
##	pseudo filesystem.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_autofs',`
	gen_require(`
		type autofs_t;
	')

	# getattr on the filesystem object itself, not on its directories.
	allow $1 autofs_t:filesystem getattr;
')

########################################
## <summary>
##	Search automount filesystem to use automatically
##	mounted filesystems.
## </summary>
## <param name="domain">
##	The type of the domain performing this action.
## </param>
#
interface(`fs_search_auto_mountpoints',`
	gen_require(`
		type autofs_t;
	')

	# Traversal only: getattr and search, no directory read.
	allow $1 autofs_t:dir { getattr search };
')

########################################
## <summary>
##	Read directories of automatically
##	mounted filesystems.
## </summary>
## <param name="domain">
##	The type of the domain performing this action.
## </param>
#
interface(`fs_list_auto_mountpoints',`
	gen_require(`
		type autofs_t;
	')

	# r_dir_perms is a permission-set macro defined outside this file.
	allow $1 autofs_t:dir r_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to list directories of automatically
##	mounted filesystems.
## </summary>
## <param name="domain">
##	The type of the domain performing this action.
## </param>
#
interface(`fs_dontaudit_list_auto_mountpoints',`
	gen_require(`
		type autofs_t;
	')

	# dontaudit grants nothing: listing is still refused, only the
	# denial record is kept out of the audit log.
	dontaudit $1 autofs_t:dir r_dir_perms;
')

########################################
## <summary>
##	Register an interpreter for new binary
##	file types, using the kernel binfmt_misc
##	support.  A common use for this is to
##	register a JVM as an interpreter for
##	Java byte code.  Registered binaries
##	can be directly executed on a command line
##	without specifying the interpreter.
## </summary>
## <param name="domain">
##	The type of the domain registering
##	the interpreter.
## </param>
#
interface(`fs_register_binary_executable_type',`
	gen_require(`
		type binfmt_misc_fs_t;
	')

	# Reach the binfmt_misc directory.
	allow $1 binfmt_misc_fs_t:dir { getattr search };

	# Write access to binfmt_misc_fs_t files is what lets the caller
	# register a handler.
	# NOTE(review): a registered interpreter is presumably selected by
	# the kernel for matching binaries run by other domains as well,
	# so keep callers to trusted administrative domains - confirm.
	allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
')

########################################
## <summary>
##	Mount a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_cifs',`
	gen_require(`
		type cifs_t;
	')

	# Grants the mount permission on cifs_t and nothing else.
	allow $1 cifs_t:filesystem mount;
')

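########################################
## <summary>
##	Remount a CIFS or SMB network filesystem.
##	This allows some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_cifs',`
	gen_require(`
		type cifs_t;
	')

	# remount is the only filesystem permission granted here.
	allow $1 cifs_t:filesystem remount;
')
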
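########################################
## <summary>
##	Unmount a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_cifs',`
	gen_require(`
		type cifs_t;
	')

	# unmount is the only filesystem permission granted here.
	allow $1 cifs_t:filesystem unmount;
')
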
########################################
## <summary>
##	Get the attributes of a CIFS or
##	SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_cifs',`
	gen_require(`
		type cifs_t;
	')

	# getattr on the filesystem object itself, not on files within it.
	allow $1 cifs_t:filesystem getattr;
')

########################################
## <summary>
##	Search directories on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_search_cifs',`
	gen_require(`
		type cifs_t;
	')

	# Traversal only; directory contents cannot be listed with this.
	allow $1 cifs_t:dir search;
')

########################################
## <summary>
##	List the contents of directories on a
##	CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_list_cifs',`
	gen_require(`
		type cifs_t;
	')

	# r_dir_perms is a permission-set macro defined outside this file.
	allow $1 cifs_t:dir r_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to list the contents
##	of directories on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`fs_dontaudit_list_cifs',`
	gen_require(`
		type cifs_t;
	')

	# dontaudit grants nothing: listing is still refused, only the
	# denial record is kept out of the audit log.
	dontaudit $1 cifs_t:dir r_dir_perms;
')

########################################
## <summary>
##	Read files on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_read_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	# Directory read access so the files can be located ...
	allow $1 cifs_t:dir r_dir_perms;
	# ... and read access to the files themselves.
	allow $1 cifs_t:file r_file_perms;
')

########################################
## <summary>
##	Read all noxattrfs directories.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_list_noxattr_fs',`
	gen_require(`
		attribute noxattrfs;
	')

	# Written against the attribute, so it covers directories of
	# every type that carries noxattrfs.
	allow $1 noxattrfs:dir r_dir_perms;
')

########################################
## <summary>
##	Read all noxattrfs files.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_read_noxattr_fs_files',`
	gen_require(`
		attribute noxattrfs;
	')

	# Directories may be traversed but not listed.
	allow $1 noxattrfs:dir search;
	# Read access spans files of every type carrying noxattrfs.
	allow $1 noxattrfs:file r_file_perms;
')

########################################
## <summary>
##	Read all noxattrfs symbolic links.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_read_noxattr_fs_symlinks',`
	gen_require(`
		attribute noxattrfs;
	')

	# Directories may be traversed but not listed.
	allow $1 noxattrfs:dir search;
	# Read access spans symbolic links of every type carrying noxattrfs.
	allow $1 noxattrfs:lnk_file r_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read
##	files on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	The type of the domain to not audit.
## </param>
#
interface(`fs_dontaudit_read_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	# dontaudit grants nothing: the read is still refused, only the
	# denial record is kept out of the audit log.  Only the file
	# class is covered; directory denials remain audited.
	dontaudit $1 cifs_t:file r_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read or
##	write files on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	The type of the domain to not audit.
## </param>
#
interface(`fs_dontaudit_rw_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	# dontaudit grants nothing: the access is still refused, only
	# read and write denial records are kept out of the audit log.
	dontaudit $1 cifs_t:file { read write };
')

########################################
## <summary>
##	Read symbolic links on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	The type of the domain reading the symbolic links.
## </param>
#
interface(`fs_read_cifs_symlinks',`
	gen_require(`
		type cifs_t;
	')

	# Directory read access so the links can be located ...
	allow $1 cifs_t:dir r_dir_perms;
	# ... and read access to the links themselves.
	allow $1 cifs_t:lnk_file r_file_perms;
')

########################################
## <summary>
##	Execute files on a CIFS or SMB
##	network filesystem, in the caller
##	domain.
## </summary>
## <param name="domain">
##	The type of the domain executing the files.
## </param>
#
interface(`fs_execute_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:dir r_dir_perms;

	# No domain transition is set up here, so the program keeps the
	# privileges of the calling domain.
	# NOTE(review): the rule targets cifs_t as a whole, so it is
	# presumably not limited to one share; content on a network
	# share is controlled by its server - confirm callers accept that.
	can_exec($1, cifs_t)
')

########################################
## <summary>
##	Create, read, write, and delete directories
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the directories.
## </param>
#
interface(`fs_manage_cifs_dirs',`
	gen_require(`
		type cifs_t;
	')

	# create_dir_perms is a permission-set macro defined outside
	# this file.
	allow $1 cifs_t:dir create_dir_perms;
')

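########################################
## <summary>
##	Do not audit attempts to create, read,
##	write, and delete directories
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`fs_dontaudit_manage_cifs_dirs',`
	gen_require(`
		type cifs_t;
	')

	# dontaudit grants nothing: the access is still refused, only the
	# denial record is kept out of the audit log.  This hides write
	# attempts too, so use it only for noise known to be harmless.
	dontaudit $1 cifs_t:dir create_dir_perms;
')
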
########################################
## <summary>
##	Create, read, write, and delete files
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the files.
## </param>
#
interface(`fs_manage_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	# Directory read and write access, needed to add and remove entries.
	allow $1 cifs_t:dir rw_dir_perms;
	# NOTE(review): the rule targets cifs_t as a whole, so it is
	# presumably not limited to one share or mount point - confirm.
	allow $1 cifs_t:file create_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to create, read,
##	write, and delete files
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`fs_dontaudit_manage_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	# dontaudit grants nothing: the access is still refused, only the
	# denial record is kept out of the audit log.  This hides write
	# attempts too, so use it only for noise known to be harmless.
	dontaudit $1 cifs_t:file create_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete symbolic links
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the symbolic links.
## </param>
#
interface(`fs_manage_cifs_symlinks',`
	gen_require(`
		type cifs_t;
	')

	# Directory read and write access, needed to add and remove entries.
	allow $1 cifs_t:dir rw_dir_perms;
	# Symbolic links use their own permission set, create_lnk_perms.
	allow $1 cifs_t:lnk_file create_lnk_perms;
')

########################################
## <summary>
##	Create, read, write, and delete named pipes
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the pipes.
## </param>
#
interface(`fs_manage_cifs_named_pipes',`
	gen_require(`
		type cifs_t;
	')

	# Directory read and write access, needed to add and remove entries.
	allow $1 cifs_t:dir rw_dir_perms;
	# Named pipes are the fifo_file object class.
	allow $1 cifs_t:fifo_file create_file_perms;
')

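########################################
## <summary>
##	Create, read, write, and delete named sockets
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the sockets.
## </param>
#
interface(`fs_manage_cifs_named_sockets',`
	gen_require(`
		type cifs_t;
	')

	# The dir class takes the directory permission set (was rw_file_perms),
	# matching the other manage interfaces for cifs_t.
	allow $1 cifs_t:dir rw_dir_perms;
	allow $1 cifs_t:sock_file create_file_perms;
')
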
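########################################
## <summary>
##	Execute a file on a CIFS or SMB filesystem
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a file on a CIFS or SMB filesystem
##	in the specified domain.  This allows
##	the specified domain to execute any file
##	on these filesystems in the specified
##	domain.  This is not suggested.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	This interface was added to handle
##	home directories on CIFS/SMB filesystems,
##	in particular used by the ssh-agent policy.
##	</p>
## </desc>
## <param name="domain">
##	The type of the process performing this action.
## </param>
## <param name="target_domain">
##	The type of the new process.
## </param>
#
interface(`fs_cifs_domtrans',`
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:dir search;

	# cifs_t is passed as the entry point type, so every file on the share
	# can start the target domain, and file contents on the share are
	# controlled by the remote server. Keep callers of this interface few.
	domain_auto_trans($1,cifs_t,$2)
')
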
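########################################
## <summary>
##	Mount a DOS filesystem, such as
##	FAT32 or NTFS.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_dos_fs',`
	gen_require(`
		type dosfs_t;
	')

	# Permission on the filesystem object itself, not on files inside it.
	allow $1 dosfs_t:filesystem mount;
')
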
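########################################
## <summary>
##	Remount a DOS filesystem, such as
##	FAT32 or NTFS.  This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_dos_fs',`
	gen_require(`
		type dosfs_t;
	')

	# Permission on the filesystem object itself, not on files inside it.
	allow $1 dosfs_t:filesystem remount;
')
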
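########################################
## <summary>
##	Unmount a DOS filesystem, such as
##	FAT32 or NTFS.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_dos_fs',`
	gen_require(`
		type dosfs_t;
	')

	# unmount, not mount: callers asking to unmount must not be handed
	# the ability to mount a DOS filesystem.
	allow $1 dosfs_t:filesystem unmount;
')
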
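########################################
## <summary>
##	Get the attributes of a DOS
##	filesystem, such as FAT32 or NTFS.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_dos_fs',`
	gen_require(`
		type dosfs_t;
	')

	# Permission on the filesystem object itself, not on files inside it.
	allow $1 dosfs_t:filesystem getattr;
')
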
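########################################
## <summary>
##	Allow changing of the label of a
##	DOS filesystem using the context= mount option.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_relabelfrom_dos_fs',`
	gen_require(`
		type dosfs_t;
	')

	# Only the relabelfrom half is granted here; the matching relabelto
	# on the new label is not part of this interface.
	allow $1 dosfs_t:filesystem relabelfrom;
')
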
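########################################
## <summary>
##	Read eventpollfs files
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_read_eventpollfs',`
	gen_require(`
		type eventpollfs_t;
	')

	# Directory search to reach the files, then read access to them.
	allow $1 eventpollfs_t:dir search_dir_perms;
	allow $1 eventpollfs_t:file r_file_perms;
')
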
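########################################
## <summary>
##	Search inotifyfs filesystem.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_search_inotifyfs',`
	gen_require(`
		type inotifyfs_t;
	')

	# Directory class only; no file access is granted.
	allow $1 inotifyfs_t:dir search_dir_perms;
')
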
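########################################
## <summary>
##	Mount an iso9660 filesystem, which
##	is usually used on CDs.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_iso9660_fs',`
	gen_require(`
		type iso9660_t;
	')

	# Permission on the filesystem object itself, not on files inside it.
	allow $1 iso9660_t:filesystem mount;
')
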
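########################################
## <summary>
##	Remount an iso9660 filesystem, which
##	is usually used on CDs.  This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_iso9660_fs',`
	gen_require(`
		type iso9660_t;
	')

	# Permission on the filesystem object itself, not on files inside it.
	allow $1 iso9660_t:filesystem remount;
')
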
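########################################
## <summary>
##	Unmount an iso9660 filesystem, which
##	is usually used on CDs.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_iso9660_fs',`
	gen_require(`
		type iso9660_t;
	')

	# unmount, not mount: callers asking to unmount must not be handed
	# the ability to mount an iso9660 filesystem.
	allow $1 iso9660_t:filesystem unmount;
')
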
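########################################
## <summary>
##	Get the attributes of an iso9660
##	filesystem, which is usually used on CDs.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_iso9660_fs',`
	gen_require(`
		type iso9660_t;
	')

	# Permission on the filesystem object itself, not on files inside it.
	allow $1 iso9660_t:filesystem getattr;
')
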
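########################################
## <summary>
##	Mount a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_nfs',`
	gen_require(`
		type nfs_t;
	')

	# Permission on the filesystem object itself, not on files inside it.
	allow $1 nfs_t:filesystem mount;
')
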
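########################################
## <summary>
##	Remount a NFS filesystem.  This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_nfs',`
	gen_require(`
		type nfs_t;
	')

	# Permission on the filesystem object itself, not on files inside it.
	allow $1 nfs_t:filesystem remount;
')
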
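########################################
## <summary>
##	Unmount a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_nfs',`
	gen_require(`
		type nfs_t;
	')

	# unmount, not mount: callers asking to unmount must not be handed
	# the ability to mount a NFS filesystem.
	allow $1 nfs_t:filesystem unmount;
')
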
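########################################
## <summary>
##	Get the attributes of a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_nfs',`
	gen_require(`
		type nfs_t;
	')

	# Permission on the filesystem object itself, not on files inside it.
	allow $1 nfs_t:filesystem getattr;
')
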
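########################################
## <summary>
##	Search directories on a NFS filesystem.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_search_nfs',`
	gen_require(`
		type nfs_t;
	')

	# search only: path traversal, without reading directory contents.
	allow $1 nfs_t:dir search;
')
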
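########################################
## <summary>
##	List NFS filesystem.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_list_nfs',`
	gen_require(`
		type nfs_t;
	')

	# Directory class only; no file access is granted.
	allow $1 nfs_t:dir r_dir_perms;
')
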
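########################################
## <summary>
##	Do not audit attempts to list the contents
##	of directories on a NFS filesystem.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`fs_dontaudit_list_nfs',`
	gen_require(`
		type nfs_t;
	')

	# dontaudit grants nothing: it only suppresses the audit record for
	# these denials.
	dontaudit $1 nfs_t:dir r_dir_perms;
')
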
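########################################
## <summary>
##	Read files on a NFS filesystem.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_read_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	# Directory read access to reach the files, then read access to them.
	allow $1 nfs_t:dir r_dir_perms;
	allow $1 nfs_t:file r_file_perms;
')
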
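########################################
## <summary>
##	Do not audit attempts to read
##	files on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain to not audit.
## </param>
#
interface(`fs_dontaudit_read_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	# dontaudit grants nothing: it only suppresses the audit record for
	# these denials.
	dontaudit $1 nfs_t:file r_file_perms;
')
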
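########################################
## <summary>
##	Write files on a NFS filesystem.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_write_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	# Directories are readable only; on files just the write permission
	# is granted, so creating or removing files is not covered here.
	allow $1 nfs_t:dir r_dir_perms;
	allow $1 nfs_t:file write;
')
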
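########################################
## <summary>
##	Execute files on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain executing the files.
## </param>
#
interface(`fs_execute_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	allow $1 nfs_t:dir r_dir_perms;
	# can_exec is defined outside this file; presumably it lets the caller
	# run nfs_t files without changing domain - confirm against its definition.
	can_exec($1, nfs_t)
')
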
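########################################
## <summary>
##	Do not audit attempts to read or
##	write files on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain to not audit.
## </param>
#
interface(`fs_dontaudit_rw_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	# dontaudit grants nothing: it only suppresses the audit record for
	# these denials.
	dontaudit $1 nfs_t:file { read write };
')
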
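########################################
## <summary>
##	Read symbolic links on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain reading the symbolic links.
## </param>
#
interface(`fs_read_nfs_symlinks',`
	gen_require(`
		type nfs_t;
	')

	# Directory read access to reach the links, then read access to them.
	allow $1 nfs_t:dir r_dir_perms;
	allow $1 nfs_t:lnk_file r_file_perms;
')
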
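########################################
## <summary>
##	Get the attributes of directories of RPC file system pipes.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_getattr_rpc_dirs',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# getattr only: neither search nor read of the directory is granted.
	allow $1 rpc_pipefs_t:dir getattr;
')
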
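########################################
## <summary>
##	Search directories of RPC file system pipes.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_search_rpc_dirs',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# Directory class only; no file access is granted.
	allow $1 rpc_pipefs_t:dir search_dir_perms;
')
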
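########################################
## <summary>
##	Search removable storage directories.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_search_removable_dirs',`
	gen_require(`
		type removable_t;
	')

	# NOTE(review): read is granted in addition to search, which is more
	# than the interface name suggests - confirm callers need it before
	# narrowing this to search_dir_perms.
	allow $1 removable_t:dir { getattr read search };
')
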
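########################################
## <summary>
##	Do not audit attempts to list removable storage directories.
## </summary>
## <param name="domain">
##	Domain not to audit.
## </param>
#
interface(`fs_dontaudit_list_removable_dirs',`
	gen_require(`
		type removable_t;
	')

	# dontaudit grants nothing: it only suppresses the audit record for
	# these denials.
	dontaudit $1 removable_t:dir r_dir_perms;
')
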
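########################################
## <summary>
##	Read removable storage files.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_read_removable_files',`
	gen_require(`
		type removable_t;
	')

	# File class only: no directory access comes with this interface, so
	# callers need a separate rule to reach the files.
	allow $1 removable_t:file { read getattr };
')
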
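########################################
## <summary>
##	Do not audit attempts to read removable storage files.
## </summary>
## <param name="domain">
##	Domain not to audit.
## </param>
#
interface(`fs_donaudit_read_removable_files',`
	gen_require(`
		type removable_t;
	')

	# NOTE(review): the interface name is spelled donaudit, unlike the
	# dontaudit siblings; kept as is so existing callers still resolve.
	# dontaudit grants nothing: it only suppresses the audit record.
	dontaudit $1 removable_t:file r_file_perms;
')
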
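########################################
## <summary>
##	Read removable storage symbolic links.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_read_removable_symlinks',`
	gen_require(`
		type removable_t;
	')

	# lnk_file class only: no directory access comes with this interface.
	allow $1 removable_t:lnk_file { getattr read };
')
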
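########################################
## <summary>
##	Read directories of RPC file system pipes.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_read_rpc_dirs',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# Directory class only; no file access is granted.
	allow $1 rpc_pipefs_t:dir { getattr read search };
')
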
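########################################
## <summary>
##	Read files of RPC file system pipes.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_read_rpc_files',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# File class only: no directory access comes with this interface.
	allow $1 rpc_pipefs_t:file { read getattr };
')
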
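########################################
## <summary>
##	Read symbolic links of RPC file system pipes.
## </summary>
## <param name="domain">
##	The type of the domain reading the symbolic links.
## </param>
#
interface(`fs_read_rpc_symlinks',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# lnk_file class only: no directory access comes with this interface.
	allow $1 rpc_pipefs_t:lnk_file { getattr read };
')
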
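########################################
## <summary>
##	Read and write sockets of RPC file system pipes.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_read_rpc_sockets',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# NOTE(review): write is granted although the interface is named
	# read - confirm this is intended before relying on the name.
	allow $1 rpc_pipefs_t:sock_file { read write };
')
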
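########################################
## <summary>
##	Create, read, write, and delete directories
##	on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the directories.
## </param>
#
interface(`fs_manage_nfs_dirs',`
	gen_require(`
		type nfs_t;
	')

	# Directory class only; no file access is granted.
	allow $1 nfs_t:dir create_dir_perms;
')
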
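########################################
## <summary>
##	Do not audit attempts to create, read,
##	write, and delete directories
##	on a NFS filesystem.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`fs_dontaudit_manage_nfs_dirs',`
	gen_require(`
		type nfs_t;
	')

	# dontaudit grants nothing: it only suppresses the audit record for
	# these denials.
	dontaudit $1 nfs_t:dir create_dir_perms;
')
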
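########################################
## <summary>
##	Create, read, write, and delete files
##	on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the files.
## </param>
#
interface(`fs_manage_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	# Access to the containing directories, then to the files themselves.
	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:file create_file_perms;
')
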
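########################################
## <summary>
##	Do not audit attempts to create,
##	read, write, and delete files
##	on a NFS filesystem.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`fs_dontaudit_manage_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	# dontaudit grants nothing: it only suppresses the audit record for
	# these denials.
	dontaudit $1 nfs_t:file create_file_perms;
')
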
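#########################################
## <summary>
##	Create, read, write, and delete symbolic links
##	on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the symbolic links.
## </param>
#
interface(`fs_manage_nfs_symlinks',`
	gen_require(`
		type nfs_t;
	')

	# Access to the containing directories, then to the symlinks themselves.
	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:lnk_file create_lnk_perms;
')
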
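#########################################
## <summary>
##	Create, read, write, and delete named pipes
##	on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the pipes.
## </param>
#
interface(`fs_manage_nfs_named_pipes',`
	gen_require(`
		type nfs_t;
	')

	# Access to the containing directories, then to the pipes themselves.
	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:fifo_file create_file_perms;
')
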
#########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Create, read, write, and delete named sockets
Chris PeBenito 414e41
##	on a NFS filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain managing the sockets.
Chris PeBenito 414e41
## </param>
Chris PeBenito b16c6b
#
Chris PeBenito 199895
interface(`fs_manage_nfs_named_sockets',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type nfs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 nfs_t:dir rw_dir_perms;
Chris PeBenito 0c73cd
	allow $1 nfs_t:sock_file create_file_perms;
Chris PeBenito b16c6b
')
Chris PeBenito b16c6b
Chris PeBenito b16c6b
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito df00b2
##	Execute a file on a NFS filesystem
Chris PeBenito df00b2
##	in the specified domain.
Chris PeBenito df00b2
## </summary>
Chris PeBenito df00b2
## <desc>
##	<p>
##	Execute a file on a NFS filesystem
##	in the specified domain.  This allows
##	the specified domain to execute any file
##	on a NFS filesystem in the specified
##	domain.  This is not suggested, because the
##	transition is keyed on the generic NFS file
##	type and not on a dedicated executable type.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	This interface was added to handle
##	home directories on NFS filesystems,
##	in particular used by the ssh-agent policy.
##	</p>
## </desc>
Chris PeBenito df00b2
## <param name="domain">
Chris PeBenito df00b2
##	The type of the process performing this action.
Chris PeBenito df00b2
## </param>
Chris PeBenito df00b2
## <param name="target_domain">
Chris PeBenito df00b2
##	The type of the new process.
Chris PeBenito df00b2
## </param>
Chris PeBenito df00b2
#
Chris PeBenito df00b2
interface(`fs_nfs_domtrans',`
Chris PeBenito df00b2
	gen_require(`
Chris PeBenito df00b2
		type nfs_t;
Chris PeBenito df00b2
	')
Chris PeBenito df00b2
Chris PeBenito df00b2
	allow $1 nfs_t:dir search;
Chris PeBenito df00b2
Chris PeBenito df00b2
	domain_auto_trans($1,nfs_t,$2)
Chris PeBenito df00b2
')
Chris PeBenito df00b2
Chris PeBenito df00b2
########################################
Chris PeBenito df00b2
## <summary>
Chris PeBenito 414e41
##	Mount a NFS server pseudo filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain mounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_mount_nfsd_fs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type nfsd_fs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 nfsd_fs_t:filesystem mount;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Remount a NFS server pseudo filesystem.
Chris PeBenito 414e41
##	This allows some mount options to be changed.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain remounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_remount_nfsd_fs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type nfsd_fs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 nfsd_fs_t:filesystem remount;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Unmount a NFS server pseudo filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain unmounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
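interface(`fs_unmount_nfsd_fs',`
	gen_require(`
		type nfsd_fs_t;
	')

	# Unmounting needs the unmount permission.  Granting mount here
	# would let every caller of this interface mount the filesystem,
	# which is the job of fs_mount_nfsd_fs.
	allow $1 nfsd_fs_t:filesystem unmount;
')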
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Get the attributes of a NFS server
Chris PeBenito 414e41
##	pseudo filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain doing the
Chris PeBenito 414e41
##	getattr on the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_getattr_nfsd_fs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type nfsd_fs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 nfsd_fs_t:filesystem getattr;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 43989f
##	Search NFS server directories.
Chris PeBenito 43989f
## </summary>
Chris PeBenito 43989f
## <param name="domain">
Chris PeBenito 43989f
##	The type of the domain doing the
Chris PeBenito 43989f
##	search on nfsd directories.
Chris PeBenito 43989f
## </param>
Chris PeBenito 43989f
#
Chris PeBenito 43989f
interface(`fs_search_nfsd_fs',`
Chris PeBenito 43989f
	gen_require(`
Chris PeBenito 43989f
		type nfsd_fs_t;
Chris PeBenito 43989f
	')
Chris PeBenito 43989f
Chris PeBenito 43989f
	allow $1 nfsd_fs_t:dir search;
Chris PeBenito 43989f
')
Chris PeBenito 43989f
Chris PeBenito 43989f
########################################
Chris PeBenito 43989f
## <summary>
Chris PeBenito 43989f
##	Read and write NFS server files.
Chris PeBenito 43989f
## </summary>
Chris PeBenito 43989f
## <param name="domain">
Chris PeBenito 43989f
##	The type of the domain doing the
Chris PeBenito 43989f
##	read or write on nfsd files.
Chris PeBenito 43989f
## </param>
Chris PeBenito 43989f
#
Chris PeBenito 43989f
interface(`fs_rw_nfsd_fs',`
Chris PeBenito 43989f
	gen_require(`
Chris PeBenito 43989f
		type nfsd_fs_t;
Chris PeBenito 43989f
	')
Chris PeBenito 43989f
Chris PeBenito 43989f
	allow $1 nfsd_fs_t:file rw_file_perms;
Chris PeBenito 43989f
')
Chris PeBenito 43989f
Chris PeBenito 43989f
########################################
Chris PeBenito 43989f
## <summary>
Chris PeBenito 414e41
##	Mount a RAM filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain mounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_mount_ramfs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type ramfs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 ramfs_t:filesystem mount;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Remount a RAM filesystem.  This allows
Chris PeBenito 414e41
##	some mount options to be changed.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain remounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_remount_ramfs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type ramfs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 ramfs_t:filesystem remount;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Unmount a RAM filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain unmounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
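interface(`fs_unmount_ramfs',`
	gen_require(`
		type ramfs_t;
	')

	# Unmounting needs the unmount permission.  Granting mount here
	# would let every caller of this interface mount the filesystem,
	# which is the job of fs_mount_ramfs.
	allow $1 ramfs_t:filesystem unmount;
')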
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Get the attributes of a RAM filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain doing the
Chris PeBenito 414e41
##	getattr on the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_getattr_ramfs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type ramfs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 ramfs_t:filesystem getattr;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 842859
##	Search directories on a ramfs
Chris PeBenito 842859
## </summary>
Chris PeBenito 842859
## <param name="domain">
Chris PeBenito 842859
##	Domain allowed access.
Chris PeBenito 842859
## </param>
Chris PeBenito 842859
#
Chris PeBenito 842859
interface(`fs_search_ramfs',`
Chris PeBenito 842859
	gen_require(`
Chris PeBenito 842859
		type ramfs_t;
Chris PeBenito 842859
	')
Chris PeBenito 842859
Chris PeBenito 842859
	allow $1 ramfs_t:dir search;
Chris PeBenito 842859
')
Chris PeBenito 842859
Chris PeBenito 842859
########################################
Chris PeBenito 842859
## <summary>
Chris PeBenito a225f9
##	Do not audit attempts to search directories on a ramfs.
Chris PeBenito a225f9
## </summary>
Chris PeBenito a225f9
## <param name="domain">
Chris PeBenito a225f9
##	Domain to not audit.
Chris PeBenito a225f9
## </param>
Chris PeBenito a225f9
#
Chris PeBenito a225f9
interface(`fs_dontaudit_search_ramfs',`
Chris PeBenito a225f9
	gen_require(`
Chris PeBenito a225f9
		type ramfs_t;
Chris PeBenito a225f9
	')
Chris PeBenito a225f9
Chris PeBenito a225f9
	dontaudit $1 ramfs_t:dir search;
Chris PeBenito a225f9
')
Chris PeBenito a225f9
Chris PeBenito a225f9
########################################
Chris PeBenito a225f9
## <summary>
Chris PeBenito 005a9a
##	Write to named pipe on a ramfs filesystem.
Chris PeBenito 005a9a
## </summary>
Chris PeBenito 005a9a
## <param name="domain">
Chris PeBenito 005a9a
##	Domain allowed access.
Chris PeBenito 005a9a
## </param>
Chris PeBenito 005a9a
#
Chris PeBenito 005a9a
interface(`fs_write_ramfs_pipe',`
Chris PeBenito 005a9a
	gen_require(`
Chris PeBenito 005a9a
		type ramfs_t;
Chris PeBenito 005a9a
	')
Chris PeBenito 005a9a
Chris PeBenito 005a9a
	allow $1 ramfs_t:fifo_file write;
Chris PeBenito 005a9a
')
Chris PeBenito 005a9a
Chris PeBenito 005a9a
########################################
Chris PeBenito 005a9a
## <summary>
Chris PeBenito 9fd4b8
##	Read and write a named pipe on a ramfs filesystem.
Chris PeBenito 9fd4b8
## </summary>
Chris PeBenito 9fd4b8
## <param name="domain">
Chris PeBenito 9fd4b8
##	Domain allowed access.
Chris PeBenito 9fd4b8
## </param>
Chris PeBenito 9fd4b8
#
Chris PeBenito 9fd4b8
interface(`fs_rw_ramfs_pipe',`
Chris PeBenito 9fd4b8
	gen_require(`
Chris PeBenito 9fd4b8
		type ramfs_t;
Chris PeBenito 9fd4b8
	')
Chris PeBenito 9fd4b8
Chris PeBenito 9fd4b8
	allow $1 ramfs_t:fifo_file rw_file_perms;
Chris PeBenito 9fd4b8
')
Chris PeBenito 9fd4b8
Chris PeBenito 9fd4b8
########################################
Chris PeBenito 9fd4b8
## <summary>
Chris PeBenito 842859
##	Write to named socket on a ramfs filesystem.
Chris PeBenito 842859
## </summary>
Chris PeBenito 842859
## <param name="domain">
Chris PeBenito 842859
##	Domain allowed access.
Chris PeBenito 842859
## </param>
Chris PeBenito 842859
#
Chris PeBenito 842859
interface(`fs_write_ramfs_socket',`
Chris PeBenito 842859
	gen_require(`
Chris PeBenito 842859
		type ramfs_t;
Chris PeBenito 842859
	')
Chris PeBenito 842859
Chris PeBenito 842859
	allow $1 ramfs_t:sock_file write;
Chris PeBenito 842859
')
Chris PeBenito 842859
Chris PeBenito 842859
########################################
Chris PeBenito 842859
## <summary>
Chris PeBenito 414e41
##	Mount a ROM filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain mounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_mount_romfs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type romfs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 romfs_t:filesystem mount;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Remount a ROM filesystem.  This allows
Chris PeBenito 414e41
##	some mount options to be changed.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain remounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_remount_romfs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type romfs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 romfs_t:filesystem remount;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Unmount a ROM filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain unmounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
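interface(`fs_unmount_romfs',`
	gen_require(`
		type romfs_t;
	')

	# Unmounting needs the unmount permission.  Granting mount here
	# would let every caller of this interface mount the filesystem,
	# which is the job of fs_mount_romfs.
	allow $1 romfs_t:filesystem unmount;
')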
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Get the attributes of a ROM
Chris PeBenito 414e41
##	filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain doing the
Chris PeBenito 414e41
##	getattr on the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_getattr_romfs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type romfs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 romfs_t:filesystem getattr;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Mount a RPC pipe filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain mounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_mount_rpc_pipefs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type rpc_pipefs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 rpc_pipefs_t:filesystem mount;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Remount a RPC pipe filesystem.  This
Chris PeBenito 414e41
##	allows some mount options to be changed.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain remounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_remount_rpc_pipefs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type rpc_pipefs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 rpc_pipefs_t:filesystem remount;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Unmount a RPC pipe filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain unmounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
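interface(`fs_unmount_rpc_pipefs',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# Unmounting needs the unmount permission.  Granting mount here
	# would let every caller of this interface mount the filesystem,
	# which is the job of fs_mount_rpc_pipefs.
	allow $1 rpc_pipefs_t:filesystem unmount;
')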
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Get the attributes of a RPC pipe
Chris PeBenito 414e41
##	filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain doing the
Chris PeBenito 414e41
##	getattr on the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_getattr_rpc_pipefs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type rpc_pipefs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 rpc_pipefs_t:filesystem getattr;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Mount a tmpfs filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain mounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_mount_tmpfs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type tmpfs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 tmpfs_t:filesystem mount;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Remount a tmpfs filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain remounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_remount_tmpfs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type tmpfs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 tmpfs_t:filesystem remount;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Unmount a tmpfs filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain unmounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
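interface(`fs_unmount_tmpfs',`
	gen_require(`
		type tmpfs_t;
	')

	# Unmounting needs the unmount permission.  Granting mount here
	# would let every caller of this interface mount the filesystem,
	# which is the job of fs_mount_tmpfs.
	allow $1 tmpfs_t:filesystem unmount;
')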
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Get the attributes of a tmpfs
Chris PeBenito 414e41
##	filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain doing the
Chris PeBenito 414e41
##	getattr on the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_getattr_tmpfs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type tmpfs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 tmpfs_t:filesystem getattr;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Allow the type to associate to tmpfs filesystems.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="type">
Chris PeBenito 414e41
##	The type of the object to be associated.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_associate_tmpfs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type tmpfs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 tmpfs_t:filesystem associate;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito a42ca7
##	Get the attributes of tmpfs directories.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito a42ca7
## <param name="domain">
Chris PeBenito a42ca7
##	Domain allowed access.
Chris PeBenito a42ca7
## </param>
Chris PeBenito a42ca7
#
Chris PeBenito a42ca7
interface(`fs_getattr_tmpfs_dir',`
Chris PeBenito a42ca7
	gen_require(`
Chris PeBenito a42ca7
		type tmpfs_t;
Chris PeBenito a42ca7
	')
Chris PeBenito a42ca7
Chris PeBenito a42ca7
	allow $1 tmpfs_t:dir getattr;
Chris PeBenito a42ca7
')
Chris PeBenito a42ca7
Chris PeBenito a42ca7
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito a42ca7
##	Set the attributes of tmpfs directories.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito a42ca7
## <param name="domain">
Chris PeBenito a42ca7
##	Domain allowed access.
Chris PeBenito a42ca7
## </param>
Chris PeBenito a42ca7
#
Chris PeBenito a42ca7
interface(`fs_setattr_tmpfs_dir',`
Chris PeBenito a42ca7
	gen_require(`
Chris PeBenito a42ca7
		type tmpfs_t;
Chris PeBenito a42ca7
	')
Chris PeBenito a42ca7
Chris PeBenito a42ca7
	allow $1 tmpfs_t:dir setattr;
Chris PeBenito a42ca7
')
Chris PeBenito a42ca7
Chris PeBenito a42ca7
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito a42ca7
##	Search tmpfs directories.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito a42ca7
## <param name="domain">
Chris PeBenito a42ca7
##	Domain allowed access.
Chris PeBenito a42ca7
## </param>
Chris PeBenito a42ca7
#
Chris PeBenito a42ca7
interface(`fs_search_tmpfs',`
Chris PeBenito a42ca7
	gen_require(`
Chris PeBenito a42ca7
		type tmpfs_t;
Chris PeBenito a42ca7
	')
Chris PeBenito a42ca7
Chris PeBenito a42ca7
	allow $1 tmpfs_t:dir search;
Chris PeBenito a42ca7
')
Chris PeBenito a42ca7
Chris PeBenito a42ca7
########################################
Chris PeBenito a5f339
## <summary>
Chris PeBenito a5f339
##	List the contents of generic tmpfs directories.
Chris PeBenito a5f339
## </summary>
Chris PeBenito a5f339
## <param name="domain">
Chris PeBenito a5f339
##	Domain allowed access.
Chris PeBenito a5f339
## </param>
Chris PeBenito a5f339
#
Chris PeBenito a5f339
interface(`fs_list_tmpfs',`
Chris PeBenito a5f339
	gen_require(`
Chris PeBenito a5f339
		type tmpfs_t;
Chris PeBenito a5f339
	')
Chris PeBenito a5f339
Chris PeBenito a5f339
	allow $1 tmpfs_t:dir r_dir_perms;
Chris PeBenito a5f339
')
Chris PeBenito a5f339
Chris PeBenito a5f339
########################################
Chris PeBenito a5f339
## <summary>
Chris PeBenito a5f339
##	Do not audit attempts to list the
Chris PeBenito a5f339
##	contents of generic tmpfs directories.
Chris PeBenito a5f339
## </summary>
Chris PeBenito a5f339
## <param name="domain">
Chris PeBenito a5f339
##	Domain to not audit.
Chris PeBenito a5f339
## </param>
Chris PeBenito a5f339
#
Chris PeBenito a5f339
interface(`fs_dontaudit_list_tmpfs',`
Chris PeBenito a5f339
	gen_require(`
Chris PeBenito a5f339
		type tmpfs_t;
Chris PeBenito a5f339
	')
Chris PeBenito a5f339
Chris PeBenito a5f339
	dontaudit $1 tmpfs_t:dir r_dir_perms;
Chris PeBenito a5f339
')
Chris PeBenito a5f339
Chris PeBenito a5f339
########################################
Chris PeBenito 98a8ea
## <summary>
Chris PeBenito 98a8ea
##	Create, read, write, and delete
Chris PeBenito 98a8ea
##	tmpfs directories
Chris PeBenito 98a8ea
## </summary>
Chris PeBenito 98a8ea
## <param name="domain">
Chris PeBenito 98a8ea
##	Domain allowed access.
Chris PeBenito 98a8ea
## </param>
Chris PeBenito 98a8ea
#
Chris PeBenito 98a8ea
interface(`fs_manage_tmpfs_dirs',`
Chris PeBenito 98a8ea
	gen_require(`
Chris PeBenito 98a8ea
		type tmpfs_t;
Chris PeBenito 98a8ea
	')
Chris PeBenito 98a8ea
Chris PeBenito 98a8ea
	allow $1 tmpfs_t:dir create_dir_perms;
Chris PeBenito 98a8ea
')
Chris PeBenito 98a8ea
Chris PeBenito 98a8ea
########################################
Chris PeBenito b4cd15
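## <summary>
##	Label objects created in generic tmpfs
##	directories with the specified type by
##	means of an automatic type transition.
## </summary>
## <desc>
##	<p>
##	Usage: fs_filetrans_tmpfs(domain,derivedtype,[class])
##	</p>
##	<p>
##	This interface adds the type transition, read and
##	write access to generic tmpfs directories, and the
##	association of the derived type with the tmpfs
##	filesystem.  It does not grant the domain any access
##	to objects of the derived type; the caller has to
##	allow that separately.
##	</p>
## </desc>
## <param name="domain">
##	Domain allowed access.
## </param>
## <param name="derivedtype">
##	The type given to the newly created object.
## </param>
## <param name="class" optional="true">
##	The object class of the object being created.
##	Defaults to file when omitted.
## </param>
#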
Chris PeBenito 9d5949
interface(`fs_filetrans_tmpfs',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type tmpfs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $2 tmpfs_t:filesystem associate;
Chris PeBenito 0c73cd
	allow $1 tmpfs_t:dir rw_dir_perms;
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	ifelse(`$3',`',`
Chris PeBenito 0c73cd
		type_transition $1 tmpfs_t:file $2;
Chris PeBenito 0c73cd
	',`
Chris PeBenito 0c73cd
		type_transition $1 tmpfs_t:$3 $2;
Chris PeBenito 0c73cd
	')
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 3ffe29
##	Do not audit attempts to read or write
Chris PeBenito 3ffe29
##	generic tmpfs files.
Chris PeBenito 3ffe29
## </summary>
Chris PeBenito 3ffe29
## <param name="domain">
Chris PeBenito 3ffe29
##	Domain to not audit.
Chris PeBenito 3ffe29
## </param>
Chris PeBenito 3ffe29
#
Chris PeBenito 3ffe29
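interface(`fs_dontaudit_rw_tmpfs_files',`
	# The rule below names tmpfs_t, so that is the type that has to
	# be required.  Requiring tmp_t left tmpfs_t undeclared for
	# callers that do not otherwise pull it in.
	gen_require(`
		type tmpfs_t;
	')

	dontaudit $1 tmpfs_t:file { read write };
')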
Chris PeBenito 3ffe29
Chris PeBenito 3ffe29
########################################
Chris PeBenito 3ffe29
## <summary>
Chris PeBenito 7576fa
##	Create, read, write, and delete
Chris PeBenito 7576fa
##	auto mountpoints.
Chris PeBenito 7576fa
## </summary>
Chris PeBenito 7576fa
## <param name="domain">
Chris PeBenito 7576fa
##	Domain allowed access.
Chris PeBenito 7576fa
## </param>
Chris PeBenito 7576fa
#
Chris PeBenito 7576fa
interface(`fs_manage_auto_mountpoints',`
Chris PeBenito 7576fa
	gen_require(`
Chris PeBenito 7576fa
		type autofs_t;
Chris PeBenito 7576fa
	')
Chris PeBenito 7576fa
Chris PeBenito 7576fa
	allow $1 autofs_t:dir manage_dir_perms;
Chris PeBenito 7576fa
')
Chris PeBenito 7576fa
Chris PeBenito 7576fa
########################################
Chris PeBenito 7576fa
## <summary>
Chris PeBenito 9fd4b8
##	Read and write generic tmpfs files.
Chris PeBenito 9fd4b8
## </summary>
Chris PeBenito 9fd4b8
## <param name="domain">
Chris PeBenito 9fd4b8
##	The type of the process performing this action.
Chris PeBenito 9fd4b8
## </param>
Chris PeBenito 9fd4b8
#
Chris PeBenito 9fd4b8
interface(`fs_rw_tmpfs_file',`
Chris PeBenito 9fd4b8
	gen_require(`
Chris PeBenito 9fd4b8
		type tmpfs_t;
Chris PeBenito 9fd4b8
	')
Chris PeBenito 9fd4b8
Chris PeBenito 9fd4b8
	fs_search_tmpfs($1)
Chris PeBenito 9fd4b8
	allow $1 tmpfs_t:file rw_file_perms;
Chris PeBenito 9fd4b8
')
Chris PeBenito 9fd4b8
Chris PeBenito 9fd4b8
########################################
Chris PeBenito 9fd4b8
## <summary>
Chris PeBenito a52492
##	Read tmpfs link files.
Chris PeBenito a52492
## </summary>
Chris PeBenito a52492
## <param name="domain">
Chris PeBenito a52492
##	The type of the process performing this action.
Chris PeBenito a52492
## </param>
Chris PeBenito a52492
#
Chris PeBenito a52492
interface(`fs_read_tmpfs_symlinks',`
Chris PeBenito a52492
	gen_require(`
Chris PeBenito a52492
		type tmpfs_t;
Chris PeBenito a52492
	')
Chris PeBenito a52492
Chris PeBenito a52492
	fs_search_tmpfs($1)
Chris PeBenito a52492
	allow $1 tmpfs_t:lnk_file read;
Chris PeBenito a52492
')
Chris PeBenito a52492
Chris PeBenito a52492
########################################
Chris PeBenito a52492
## <summary>
Chris PeBenito 414e41
##	Read and write character nodes on tmpfs filesystems.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 414e41
## </param>
Chris PeBenito daa0e0
#
Chris PeBenito ebdc3b
interface(`fs_use_tmpfs_chr_dev',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type tmpfs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 tmpfs_t:dir r_dir_perms;
Chris PeBenito 0c73cd
	allow $1 tmpfs_t:chr_file rw_file_perms;
Chris PeBenito daa0e0
')
Chris PeBenito daa0e0
Chris PeBenito daa0e0
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 93727e
##	Do not audit attempts to read and write character nodes on tmpfs filesystems.
Chris PeBenito 93727e
## </summary>
Chris PeBenito 93727e
## <param name="domain">
Chris PeBenito 93727e
##	Domain to not audit.
Chris PeBenito 93727e
## </param>
Chris PeBenito 93727e
#
Chris PeBenito 93727e
interface(`fs_dontaudit_use_tmpfs_chr_dev',`
Chris PeBenito 93727e
	gen_require(`
Chris PeBenito 93727e
		type tmpfs_t;
Chris PeBenito 93727e
	')
Chris PeBenito 93727e
Chris PeBenito 93727e
	dontaudit $1 tmpfs_t:dir r_dir_perms;
Chris PeBenito 93727e
	dontaudit $1 tmpfs_t:chr_file rw_file_perms;
Chris PeBenito 93727e
')
Chris PeBenito 93727e
Chris PeBenito 93727e
########################################
Chris PeBenito 93727e
## <summary>
Chris PeBenito 414e41
##	Relabel character nodes on tmpfs filesystems.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 414e41
## </param>
Chris PeBenito efd8ed
#
Chris PeBenito ebdc3b
interface(`fs_relabel_tmpfs_chr_dev',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type tmpfs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 tmpfs_t:dir r_dir_perms;
Chris PeBenito 0c73cd
	allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
Chris PeBenito efd8ed
')
Chris PeBenito efd8ed
Chris PeBenito efd8ed
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Read and write block nodes on tmpfs filesystems.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 414e41
## </param>
Chris PeBenito daa0e0
#
Chris PeBenito ebdc3b
interface(`fs_use_tmpfs_blk_dev',`
Chris PeBenito cbc9d6
	gen_require(`
Chris PeBenito cbc9d6
		type tmpfs_t;
Chris PeBenito cbc9d6
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	allow $1 tmpfs_t:dir r_dir_perms;
Chris PeBenito 0c73cd
	allow $1 tmpfs_t:blk_file rw_file_perms;
Chris PeBenito daa0e0
')
Chris PeBenito daa0e0
Chris PeBenito daa0e0
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Relabel block nodes on tmpfs filesystems.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 414e41
## </param>
Chris PeBenito efd8ed
#
Chris PeBenito ebdc3b
interface(`fs_relabel_tmpfs_blk_dev',`
	gen_require(`
		type tmpfs_t;
	')

	# Directory access so the nodes can be reached.
	allow $1 tmpfs_t:dir r_dir_perms;
	# relabelfrom and relabelto here cover only the tmpfs_t side of a
	# relabel; the other type involved needs its own rule.
	allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
')
Chris PeBenito efd8ed
Chris PeBenito efd8ed
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 98a8ea
##	Read and write, create and delete generic
Chris PeBenito 98a8ea
##	files on tmpfs filesystems.
Chris PeBenito 98a8ea
## </summary>
Chris PeBenito 98a8ea
## <param name="domain">
Chris PeBenito 98a8ea
##	The type of the process performing this action.
Chris PeBenito 98a8ea
## </param>
Chris PeBenito 98a8ea
#
Chris PeBenito 98a8ea
interface(`fs_manage_tmpfs_files',`
	gen_require(`
		type tmpfs_t;
	')

	# Directory write access is what lets entries be added and removed.
	allow $1 tmpfs_t:dir rw_dir_perms;
	# Applies to regular files labeled tmpfs_t only; other object
	# classes have their own manage interfaces.
	allow $1 tmpfs_t:file create_file_perms;
')
Chris PeBenito 98a8ea
Chris PeBenito 98a8ea
########################################
Chris PeBenito 98a8ea
## <summary>
Chris PeBenito ebdc3b
##	Read and write, create and delete symbolic
Chris PeBenito ebdc3b
##	links on tmpfs filesystems.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito ebdc3b
## <param name="domain">
Chris PeBenito ebdc3b
##	The type of the process performing this action.
Chris PeBenito ebdc3b
## </param>
Chris PeBenito ebdc3b
#
Chris PeBenito ebdc3b
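interface(`fs_manage_tmpfs_symlinks',`
	gen_require(`
		type tmpfs_t;
	')

	# Directory write access is what lets entries be added and removed.
	allow $1 tmpfs_t:dir rw_dir_perms;
	# Symbolic links are the lnk_file class.  The rule previously named
	# chr_file, which handed callers permissions on character device
	# nodes and left symbolic links unmanaged.
	allow $1 tmpfs_t:lnk_file create_lnk_perms;
')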
Chris PeBenito ebdc3b
Chris PeBenito ebdc3b
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito ebdc3b
##	Read and write, create and delete socket
Chris PeBenito ebdc3b
##	files on tmpfs filesystems.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito ebdc3b
## <param name="domain">
Chris PeBenito ebdc3b
##	The type of the process performing this action.
Chris PeBenito ebdc3b
## </param>
Chris PeBenito ebdc3b
#
Chris PeBenito ebdc3b
interface(`fs_manage_tmpfs_sockets',`
	gen_require(`
		type tmpfs_t;
	')

	# Directory write access is what lets entries be added and removed.
	allow $1 tmpfs_t:dir rw_dir_perms;
	# sock_file is the on-disk socket node; this rule does not grant
	# any permission on the socket classes themselves.
	allow $1 tmpfs_t:sock_file create_file_perms;
')
Chris PeBenito ebdc3b
Chris PeBenito ebdc3b
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Read and write, create and delete character
Chris PeBenito 414e41
##	nodes on tmpfs filesystems.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 414e41
## </param>
Chris PeBenito daa0e0
#
Chris PeBenito ebdc3b
interface(`fs_manage_tmpfs_chr_dev',`
	gen_require(`
		type tmpfs_t;
	')

	# Directory write access is what lets entries be added and removed.
	allow $1 tmpfs_t:dir rw_dir_perms;
	# Covers creation and deletion of character device nodes, not only
	# use of existing ones; grant only where node creation is needed.
	allow $1 tmpfs_t:chr_file create_file_perms;
')
Chris PeBenito daa0e0
Chris PeBenito daa0e0
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Read and write, create and delete block nodes
Chris PeBenito 414e41
##	on tmpfs filesystems.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 414e41
## </param>
Chris PeBenito daa0e0
#
Chris PeBenito ebdc3b
interface(`fs_manage_tmpfs_blk_dev',`
	gen_require(`
		type tmpfs_t;
	')

	# Directory write access is what lets entries be added and removed.
	allow $1 tmpfs_t:dir rw_dir_perms;
	# Covers creation and deletion of block device nodes, not only use
	# of existing ones; fs_use_tmpfs_blk_dev is the narrower grant when
	# creation is not needed.
	allow $1 tmpfs_t:blk_file create_file_perms;
')
Chris PeBenito daa0e0
Chris PeBenito daa0e0
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Mount all filesystems.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain mounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_mount_all_fs',`
	gen_require(`
		attribute filesystem_type;
	')

	# Applies to every type carrying the filesystem_type attribute.
	# Only the filesystem-class permission is granted here; rules for
	# the mount point and for capabilities are not part of this
	# interface.
	allow $1 filesystem_type:filesystem mount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Remount all filesystems.  This
Chris PeBenito 414e41
##	allows some mount options to be changed.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain mounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_remount_all_fs',`
	gen_require(`
		attribute filesystem_type;
	')

	# Applies to every type carrying the filesystem_type attribute.
	# Remounting can change mount options, so review callers with the
	# same care as callers of the mount interface.
	allow $1 filesystem_type:filesystem remount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Unmount all filesystems.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain unmounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_unmount_all_fs',`
	gen_require(`
		attribute filesystem_type;
	')

	# Applies to every type carrying the filesystem_type attribute.
	allow $1 filesystem_type:filesystem unmount;
')
Chris PeBenito b4cd15
Chris PeBenito 219bcf
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Get the attributes of all
Chris PeBenito 414e41
##	filesystems.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain doing the
Chris PeBenito 414e41
##	getattr on the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito 219bcf
#
Chris PeBenito 199895
interface(`fs_getattr_all_fs',`
	gen_require(`
		attribute filesystem_type;
	')

	# The rule is written against filesystem_type, so it covers every
	# filesystem type with that attribute, not a subset of them.
	allow $1 filesystem_type:filesystem getattr;
')
Chris PeBenito 219bcf
Chris PeBenito 075c4f
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Do not audit attempts to get the attributes
Chris PeBenito 414e41
##	of all filesystems.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain to not audit.
Chris PeBenito 414e41
## </param>
Chris PeBenito 9ccd96
#
Chris PeBenito 9ccd96
interface(`fs_dontaudit_getattr_all_fs',`
	gen_require(`
		attribute filesystem_type;
	')

	# dontaudit grants no access; it only suppresses the audit record
	# when getattr on a filesystem is denied.
	dontaudit $1 filesystem_type:filesystem getattr;
')
Chris PeBenito 9ccd96
Chris PeBenito 9ccd96
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Get the quotas of all filesystems.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain getting quotas.
Chris PeBenito 414e41
## </param>
Chris PeBenito b16c6b
#
Chris PeBenito 199895
interface(`fs_get_all_fs_quotas',`
	gen_require(`
		attribute filesystem_type;
	')

	# Read-only quota query on every type with filesystem_type;
	# changing quotas is a separate permission (quotamod).
	allow $1 filesystem_type:filesystem quotaget;
')
Chris PeBenito b16c6b
Chris PeBenito b16c6b
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Set the quotas of all filesystems.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain setting quotas.
Chris PeBenito 414e41
## </param>
Chris PeBenito 759ba0
#
Chris PeBenito 199895
interface(`fs_set_all_quotas',`
	gen_require(`
		attribute filesystem_type;
	')

	# NOTE(review): the name lacks the _fs_ infix used by
	# fs_get_all_fs_quotas; renaming would break existing callers.
	# quotamod lets the caller change quotas on every type with
	# filesystem_type.
	allow $1 filesystem_type:filesystem quotamod;
')
Chris PeBenito 759ba0
Chris PeBenito 759ba0
########################################
Chris PeBenito ae9e27
## <summary>
Chris PeBenito cf6a7d
##	Relabelfrom all filesystems.
Chris PeBenito cf6a7d
## </summary>
Chris PeBenito cf6a7d
## <param name="domain">
Chris PeBenito cf6a7d
##	The type of the domain doing the
Chris PeBenito cf6a7d
##	relabelfrom on the filesystem.
Chris PeBenito cf6a7d
## </param>
Chris PeBenito cf6a7d
#
Chris PeBenito cf6a7d
interface(`fs_relabelfrom_all_fs',`
	gen_require(`
		attribute filesystem_type;
	')

	# Only the relabelfrom half of a filesystem relabel is granted;
	# relabelto on the new type is not part of this interface.
	allow $1 filesystem_type:filesystem relabelfrom;
')
Chris PeBenito cf6a7d
Chris PeBenito cf6a7d
########################################
Chris PeBenito cf6a7d
## <summary>
Chris PeBenito ac9aa2
##	Get the attributes of all directories
Chris PeBenito ac9aa2
##	with a filesystem type.
Chris PeBenito ac9aa2
## </summary>
Chris PeBenito ac9aa2
## <param name="domain">
Chris PeBenito ac9aa2
##	Domain allowed access.
Chris PeBenito ac9aa2
## </param>
Chris PeBenito ac9aa2
#
Chris PeBenito ac9aa2
interface(`fs_getattr_all_dirs',`
	gen_require(`
		attribute filesystem_type;
	')

	# getattr only: no search or read permission on the directories
	# is granted by this interface.
	allow $1 filesystem_type:dir getattr;
')
Chris PeBenito ac9aa2
Chris PeBenito ac9aa2
########################################
Chris PeBenito ac9aa2
## <summary>
Chris PeBenito a1fcff
##	Search all directories with a filesystem type.
Chris PeBenito a1fcff
## </summary>
Chris PeBenito a1fcff
## <param name="domain">
Chris PeBenito a1fcff
##	Domain allowed access.
Chris PeBenito a1fcff
## </param>
Chris PeBenito a1fcff
#
Chris PeBenito a1fcff
interface(`fs_search_all',`
	gen_require(`
		attribute filesystem_type;
	')

	# Applies to directories of every type with filesystem_type.
	# search_dir_perms is a permission set defined elsewhere in the
	# policy.
	allow $1 filesystem_type:dir search_dir_perms;
')
Chris PeBenito a1fcff
Chris PeBenito a1fcff
########################################
Chris PeBenito a1fcff
## <summary>
Chris PeBenito ae9e27
##	List all directories with a filesystem type.
Chris PeBenito ae9e27
## </summary>
Chris PeBenito ae9e27
## <param name="domain">
Chris PeBenito ae9e27
##	Domain allowed access.
Chris PeBenito ae9e27
## </param>
Chris PeBenito ae9e27
#
Chris PeBenito ae9e27
interface(`fs_list_all',`
	gen_require(`
		attribute filesystem_type;
	')

	# Applies to directories of every type with filesystem_type.
	# r_dir_perms is a permission set defined elsewhere in the policy.
	allow $1 filesystem_type:dir r_dir_perms;
')
Chris PeBenito ae9e27
Chris PeBenito ae9e27
########################################
Chris PeBenito 4483ee
## <summary>
Chris PeBenito 4483ee
##	Get the attributes of all files with
Chris PeBenito 4483ee
##	a filesystem type.
Chris PeBenito 4483ee
## </summary>
Chris PeBenito 4483ee
## <param name="domain">
Chris PeBenito 4483ee
##	Domain allowed access.
Chris PeBenito 4483ee
## </param>
Chris PeBenito 075c4f
#
Chris PeBenito 199895
interface(`fs_getattr_all_files',`
	gen_require(`
		attribute filesystem_type;
	')

	# Directory search and getattr so the files can be reached.
	allow $1 filesystem_type:dir { search getattr };
	# Regular files only; the other object classes have sibling
	# interfaces.
	allow $1 filesystem_type:file getattr;
')
Chris PeBenito 4483ee
Chris PeBenito 4483ee
########################################
Chris PeBenito 4483ee
## <summary>
Chris PeBenito 4483ee
##	Get the attributes of all symbolic links with
Chris PeBenito 4483ee
##	a filesystem type.
Chris PeBenito 4483ee
## </summary>
Chris PeBenito 4483ee
## <param name="domain">
Chris PeBenito 4483ee
##	Domain allowed access.
Chris PeBenito 4483ee
## </param>
Chris PeBenito 4483ee
#
Chris PeBenito 4483ee
interface(`fs_getattr_all_symlinks',`
	gen_require(`
		attribute filesystem_type;
	')

	# Directory search and getattr so the links can be reached.
	allow $1 filesystem_type:dir { search getattr };
	# getattr on the link itself; reading the link target is a
	# separate permission and is not granted here.
	allow $1 filesystem_type:lnk_file getattr;
')
Chris PeBenito 4483ee
Chris PeBenito 4483ee
########################################
Chris PeBenito 4483ee
## <summary>
Chris PeBenito 4483ee
##	Get the attributes of all named pipes with
Chris PeBenito 4483ee
##	a filesystem type.
Chris PeBenito 4483ee
## </summary>
Chris PeBenito 4483ee
## <param name="domain">
Chris PeBenito 4483ee
##	Domain allowed access.
Chris PeBenito 4483ee
## </param>
Chris PeBenito 4483ee
#
Chris PeBenito 4483ee
interface(`fs_getattr_all_pipes',`
	gen_require(`
		attribute filesystem_type;
	')

	# Directory search and getattr so the pipes can be reached.
	allow $1 filesystem_type:dir { search getattr };
	# fifo_file is the named pipe object class.
	allow $1 filesystem_type:fifo_file getattr;
')
Chris PeBenito 4483ee
Chris PeBenito 4483ee
########################################
Chris PeBenito 4483ee
## <summary>
Chris PeBenito 4483ee
##	Get the attributes of all named sockets with
Chris PeBenito 4483ee
##	a filesystem type.
Chris PeBenito 4483ee
## </summary>
Chris PeBenito 4483ee
## <param name="domain">
Chris PeBenito 4483ee
##	Domain allowed access.
Chris PeBenito 4483ee
## </param>
Chris PeBenito 4483ee
#
Chris PeBenito 4483ee
interface(`fs_getattr_all_sockets',`
	gen_require(`
		attribute filesystem_type;
	')

	# Directory search and getattr so the socket files can be reached.
	allow $1 filesystem_type:dir { search getattr };
	# sock_file is the named socket node in the filesystem.
	allow $1 filesystem_type:sock_file getattr;
')
Chris PeBenito 075c4f
Chris PeBenito 9726b3
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 4483ee
##	Do not audit attempts to get the attributes
Chris PeBenito 4483ee
##	of all files with a filesystem type.
Chris PeBenito 4483ee
## </summary>
Chris PeBenito 4483ee
## <param name="domain">
Chris PeBenito 4483ee
##	Domain to not audit.
Chris PeBenito 4483ee
## </param>
Chris PeBenito 4483ee
#
Chris PeBenito 4483ee
interface(`fs_dontaudit_getattr_all_files',`
	gen_require(`
		attribute filesystem_type;
	')

	# dontaudit grants no access; it only suppresses the audit record
	# for a denied getattr.  No directory rule is included, so denied
	# directory searches on the path are still logged.
	dontaudit $1 filesystem_type:file getattr;
')
Chris PeBenito 4483ee
Chris PeBenito 4483ee
########################################
Chris PeBenito 4483ee
## <summary>
Chris PeBenito 4483ee
##	Do not audit attempts to get the attributes
Chris PeBenito 4483ee
##	of all symbolic links with a filesystem type.
Chris PeBenito 4483ee
## </summary>
Chris PeBenito 4483ee
## <param name="domain">
Chris PeBenito 4483ee
##	Domain to not audit.
Chris PeBenito 4483ee
## </param>
Chris PeBenito 4483ee
#
Chris PeBenito 4483ee
interface(`fs_dontaudit_getattr_all_symlinks',`
	gen_require(`
		attribute filesystem_type;
	')

	# dontaudit grants no access; it only suppresses the audit record
	# for a denied getattr.  No directory rule is included, so denied
	# directory searches on the path are still logged.
	dontaudit $1 filesystem_type:lnk_file getattr;
')
Chris PeBenito 4483ee
Chris PeBenito 4483ee
########################################
Chris PeBenito 4483ee
## <summary>
Chris PeBenito 4483ee
##	Do not audit attempts to get the attributes
Chris PeBenito 4483ee
##	of all named pipes with a filesystem type.
Chris PeBenito 4483ee
## </summary>
Chris PeBenito 4483ee
## <param name="domain">
Chris PeBenito 4483ee
##	Domain to not audit.
Chris PeBenito 4483ee
## </param>
Chris PeBenito 4483ee
#
Chris PeBenito 4483ee
interface(`fs_dontaudit_getattr_all_pipes',`
	gen_require(`
		attribute filesystem_type;
	')

	# dontaudit grants no access; it only suppresses the audit record
	# for a denied getattr.  No directory rule is included, so denied
	# directory searches on the path are still logged.
	dontaudit $1 filesystem_type:fifo_file getattr;
')
Chris PeBenito 4483ee
Chris PeBenito 4483ee
########################################
Chris PeBenito 4483ee
## <summary>
Chris PeBenito 4483ee
##	Do not audit attempts to get the attributes
Chris PeBenito 4483ee
##	of all named sockets with a filesystem type.
Chris PeBenito 4483ee
## </summary>
Chris PeBenito 4483ee
## <param name="domain">
Chris PeBenito 4483ee
##	Domain to not audit.
Chris PeBenito 4483ee
## </param>
Chris PeBenito 4483ee
#
Chris PeBenito 4483ee
interface(`fs_dontaudit_getattr_all_sockets',`
	gen_require(`
		attribute filesystem_type;
	')

	# dontaudit grants no access; it only suppresses the audit record
	# for a denied getattr.  No directory rule is included, so denied
	# directory searches on the path are still logged.
	dontaudit $1 filesystem_type:sock_file getattr;
')
Chris PeBenito 4483ee
Chris PeBenito 4483ee
########################################
Chris PeBenito 4483ee
## <summary>
Chris PeBenito 9726b3
##	Unconfined access to filesystems
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 9726b3
## <param name="domain">
Chris PeBenito 9726b3
##	Domain allowed access.
Chris PeBenito 9726b3
## </param>
Chris PeBenito 9726b3
#
Chris PeBenito 9726b3
interface(`fs_unconfined',`
	gen_require(`
		attribute filesystem_type;
	')

	# Every permission of the filesystem class (the * wildcard) on
	# every type with filesystem_type: mount, remount, unmount, relabel
	# and quota operations are all included.
	allow $1 filesystem_type:filesystem *;

	# Create/access other files.  The filesystem_type attribute (assigned
	# by fs_type) also picks up various pseudo filesystem types that are
	# applied to both the filesystem and its files.
	# The wildcard covers chr_file and blk_file too, so device nodes
	# carrying these types are fully accessible to the caller.  Reserve
	# this interface for domains that are meant to be unconfined.
	allow $1 filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
')