## <summary>Policy for filesystems.</summary>
## <required val="true">
## Contains the initial SID for the filesystems.
## </required>
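########################################
## <summary>
##	Transform specified type into a filesystem type.
## </summary>
## <desc>
##	<p>
##	Adds the filesystem_type attribute to the given type,
##	so that rules written against that attribute also
##	cover it.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used as a filesystem type.
##	</summary>
## </param>
#
interface(`fs_type',`
	gen_require(`
		attribute filesystem_type;
	')

	# The argument is a type that labels a filesystem, not a
	# domain: it only gains the filesystem_type attribute here
	# and no allow rule is emitted.
	typeattribute $1 filesystem_type;
')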
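########################################
## <summary>
##	Transform specified type into a filesystem
##	type which does not have extended attribute
##	support.
## </summary>
## <desc>
##	<p>
##	The type receives both the generic filesystem
##	attribute (through fs_type) and the noxattrfs
##	attribute, so every interface in this module that
##	is written against noxattrfs applies to it.
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used as a filesystem type
##	without extended attribute support.
##	</summary>
## </param>
#
interface(`fs_noxattr_type',`
	gen_require(`
		attribute noxattrfs;
	')

	# A noxattr filesystem type is also a generic filesystem type.
	fs_type($1)

	# The argument is a type that labels a filesystem, not a domain.
	typeattribute $1 noxattrfs;
')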
########################################
## <summary>
##	Allow the specified file type to be associated
##	with persistent filesystems that support extended
##	attributes. Files of this type can then be created
##	on a filesystem such as ext3, JFS, and XFS.
## </summary>
## <param name="file_type">
##	<summary>
##	The type of the file to be associated.
##	</summary>
## </param>
#
interface(`fs_associate',`
	gen_require(`
		type fs_t;
	')

	# The source of this rule is a file type, not a domain;
	# fs_t is the filesystem label it may reside on.
	allow $1 fs_t:filesystem associate;
')
########################################
## <summary>
##	Allow the specified file type to be associated
##	with filesystems that lack extended attribute
##	support. Files of this type can then be created
##	on a filesystem such as FAT32 and NFS.
## </summary>
## <param name="file_type">
##	<summary>
##	The type of the file to be associated.
##	</summary>
## </param>
#
interface(`fs_associate_noxattr',`
	gen_require(`
		attribute noxattrfs;
	')

	# noxattrfs is an attribute, so the association is granted
	# for every filesystem type that carries it.
	allow $1 noxattrfs:filesystem associate;
')
########################################
## <summary>
##	Execute files on a filesystem that does
##	not support extended attributes.
## </summary>
## <desc>
##	<p>
##	Filesystems without extended attributes generally
##	cannot store a separate label for each file, so this
##	access is not limited to particular programs on the
##	filesystem. It is best reserved for domains that are
##	expected to run content from such filesystems.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_exec_noxattr',`
	gen_require(`
		attribute noxattrfs;
	')

	# noxattrfs is an attribute, so this covers every filesystem
	# type that carries it. can_exec is defined outside this file.
	can_exec($1,noxattrfs)
')
########################################
## <summary>
##	Mount persistent filesystems that support
##	extended attributes, such as ext3, JFS,
##	or XFS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_mount_xattr_fs',`
	gen_require(`
		type fs_t;
	')

	# Checked against the filesystem object labeled fs_t,
	# not against the files stored on it.
	allow $1 fs_t:filesystem mount;
')
########################################
## <summary>
##	Remount persistent filesystems that support
##	extended attributes, such as ext3, JFS, or XFS.
##	Remounting allows some mount options to be
##	changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_remount_xattr_fs',`
	gen_require(`
		type fs_t;
	')

	# Kept separate from mount: a remount changes the options
	# of a filesystem that is already in use.
	allow $1 fs_t:filesystem remount;
')
########################################
## <summary>
##	Unmount persistent filesystems that support
##	extended attributes, such as ext3, JFS,
##	or XFS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_unmount_xattr_fs',`
	gen_require(`
		type fs_t;
	')

	# Only the unmount permission on the filesystem object is
	# granted; mount and remount have their own interfaces.
	allow $1 fs_t:filesystem unmount;
')
########################################
## <summary>
##	Get the attributes of persistent filesystems
##	that support extended attributes, such as
##	ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_getattr_xattr_fs',`
	gen_require(`
		type fs_t;
	')

	# Read-only query on the filesystem object itself
	# (class filesystem), not on files or directories.
	allow $1 fs_t:filesystem getattr;
')
########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of persistent filesystems that support
##	extended attributes, such as ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`fs_dontaudit_getattr_xattr_fs',`
	gen_require(`
		type fs_t;
	')

	# dontaudit grants nothing: the access is still denied,
	# only the denial is kept out of the audit log.
	dontaudit $1 fs_t:filesystem getattr;
')
########################################
## <summary>
##	Allow changing the label of a filesystem
##	with extended attributes by means of the
##	context= mount option.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_relabelfrom_xattr_fs',`
	gen_require(`
		type fs_t;
	')

	# Only the relabelfrom half is granted here, and it applies
	# to the filesystem object (class filesystem), not to files.
	allow $1 fs_t:filesystem relabelfrom;
')
########################################
## <summary>
##	Get the quotas of a filesystem that
##	supports extended attributes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_get_xattr_fs_quotas',`
	gen_require(`
		type fs_t;
	')

	# quotaget only reads quota information; changing quotas
	# is covered by fs_set_xattr_fs_quotas.
	allow $1 fs_t:filesystem quotaget;
')
########################################
## <summary>
##	Set the quotas of a filesystem that
##	supports extended attributes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_set_xattr_fs_quotas',`
	gen_require(`
		type fs_t;
	')

	# quotamod is the modifying counterpart of quotaget, which
	# fs_get_xattr_fs_quotas grants; only quotamod is given here.
	allow $1 fs_t:filesystem quotamod;
')
########################################
## <summary>
##	Mount automount pseudo filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_mount_autofs',`
	gen_require(`
		type autofs_t;
	')

	# Applies to the autofs filesystem object only; the
	# filesystems it mounts on demand have their own types.
	allow $1 autofs_t:filesystem mount;
')
########################################
## <summary>
##	Remount automount pseudo filesystems.
##	Remounting allows some mount options
##	to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_remount_autofs',`
	gen_require(`
		type autofs_t;
	')

	# Kept separate from mount: a remount changes the options
	# of a filesystem that is already in use.
	allow $1 autofs_t:filesystem remount;
')
########################################
## <summary>
##	Unmount automount pseudo filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_unmount_autofs',`
	gen_require(`
		type autofs_t;
	')

	# Only the unmount permission on the filesystem object is
	# granted; mount and remount have their own interfaces.
	allow $1 autofs_t:filesystem unmount;
')
########################################
## <summary>
##	Get the attributes of automount
##	pseudo filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_getattr_autofs',`
	gen_require(`
		type autofs_t;
	')

	# Read-only query on the filesystem object itself
	# (class filesystem), not on its directories.
	allow $1 autofs_t:filesystem getattr;
')
########################################
## <summary>
##	Search automount directories in order to
##	reach automatically mounted filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_search_auto_mountpoints',`
	gen_require(`
		type autofs_t;
	')

	# getattr and search only: enough to pass through autofs
	# directories; listing them is fs_list_auto_mountpoints.
	allow $1 autofs_t:dir { getattr search };
')
########################################
## <summary>
##	Read the directories of automatically
##	mounted filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_list_auto_mountpoints',`
	gen_require(`
		type autofs_t;
	')

	# r_dir_perms is a permission set defined outside this file.
	allow $1 autofs_t:dir r_dir_perms;
')
########################################
## <summary>
##	Do not audit attempts to list the
##	directories of automatically mounted
##	filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`fs_dontaudit_list_auto_mountpoints',`
	gen_require(`
		type autofs_t;
	')

	# dontaudit grants nothing: the access is still denied,
	# only the denial is kept out of the audit log.
	dontaudit $1 autofs_t:dir r_dir_perms;
')
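########################################
## <summary>
##	Get the attributes of directories on
##	binfmt_misc filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_getattr_binfmt_misc_dirs',`
	gen_require(`
		type binfmt_misc_fs_t;
	')

	# NOTE(review): this interface previously named binfmt_misc_t,
	# while fs_register_binary_executable_type in this file requires
	# binfmt_misc_fs_t for the same filesystem. The name used here
	# follows that interface; confirm it against the type
	# declarations of the module.
	allow $1 binfmt_misc_fs_t:dir getattr;
')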
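########################################
## <summary>
##	Register an interpreter for new binary
##	file types, using the kernel binfmt_misc
##	support.
## </summary>
## <desc>
##	<p>
##	Register an interpreter for new binary
##	file types, using the kernel binfmt_misc
##	support.
##	</p>
##	<p>
##	A common use for this is to
##	register a JVM as an interpreter for
##	Java byte code. Registered binaries
##	can be directly executed on a command line
##	without specifying the interpreter.
##	</p>
##	<p>
##	Because a registered interpreter is then used
##	whenever a matching file is executed, this access
##	is best limited to domains that manage binary
##	format registrations.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_register_binary_executable_type',`
	gen_require(`
		type binfmt_misc_fs_t;
	')

	# Reach the files on the binfmt_misc filesystem.
	allow $1 binfmt_misc_fs_t:dir { getattr search };

	# write without read: presumably registration is done by
	# writing to these files - confirm against the kernel
	# binfmt_misc documentation.
	allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
')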
########################################
## <summary>
##	Mount CIFS or SMB network filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_mount_cifs',`
	gen_require(`
		type cifs_t;
	')

	# Checked against the filesystem object labeled cifs_t,
	# not against the files stored on the share.
	allow $1 cifs_t:filesystem mount;
')
########################################
## <summary>
##	Remount CIFS or SMB network filesystems.
##	Remounting allows some mount options
##	to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_remount_cifs',`
	gen_require(`
		type cifs_t;
	')

	# Kept separate from mount: a remount changes the options
	# of a filesystem that is already in use.
	allow $1 cifs_t:filesystem remount;
')
########################################
## <summary>
##	Unmount CIFS or SMB network filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_unmount_cifs',`
	gen_require(`
		type cifs_t;
	')

	# Only the unmount permission on the filesystem object is
	# granted; mount and remount have their own interfaces.
	allow $1 cifs_t:filesystem unmount;
')
########################################
## <summary>
##	Get the attributes of CIFS or SMB
##	network filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_getattr_cifs',`
	gen_require(`
		type cifs_t;
	')

	# Read-only query on the filesystem object itself
	# (class filesystem), not on files or directories.
	allow $1 cifs_t:filesystem getattr;
')
########################################
## <summary>
##	Search directories on CIFS or SMB filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_search_cifs',`
	gen_require(`
		type cifs_t;
	')

	# search only: enough to pass through directories;
	# listing their contents is fs_list_cifs.
	allow $1 cifs_t:dir search;
')
########################################
## <summary>
##	List the contents of directories on
##	CIFS or SMB filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_list_cifs',`
	gen_require(`
		type cifs_t;
	')

	# r_dir_perms is a permission set defined outside this file.
	allow $1 cifs_t:dir r_dir_perms;
')
########################################
## <summary>
##	Do not audit attempts to list the
##	contents of directories on CIFS or
##	SMB filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`fs_dontaudit_list_cifs',`
	gen_require(`
		type cifs_t;
	')

	# dontaudit grants nothing: the access is still denied,
	# only the denial is kept out of the audit log.
	dontaudit $1 cifs_t:dir r_dir_perms;
')
########################################
## <summary>
##	Read files on CIFS or SMB filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_read_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	# NOTE(review): the directory rule uses r_dir_perms, the same
	# set fs_list_cifs grants, whereas fs_read_noxattr_fs_files
	# pairs its file rule with search_dir_perms. If listing is not
	# intended here, consider narrowing the directory access.
	allow $1 cifs_t:dir r_dir_perms;
	allow $1 cifs_t:file r_file_perms;
')
########################################
## <summary>
##	Read all directories on filesystems
##	that carry the noxattrfs attribute.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_list_noxattr_fs',`
	gen_require(`
		attribute noxattrfs;
	')

	# noxattrfs is an attribute, so this covers directories of
	# every filesystem type that carries it.
	allow $1 noxattrfs:dir r_dir_perms;
')
########################################
## <summary>
##	Read all files on filesystems that
##	carry the noxattrfs attribute.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_read_noxattr_fs_files',`
	gen_require(`
		attribute noxattrfs;
	')

	# Directory access is limited to search_dir_perms, the set
	# used to reach a file; listing is fs_list_noxattr_fs.
	allow $1 noxattrfs:dir search_dir_perms;

	# noxattrfs is an attribute, so the read access spans every
	# filesystem type that carries it.
	allow $1 noxattrfs:file r_file_perms;
')
########################################
## <summary>
##	Read all symbolic links on filesystems
##	that carry the noxattrfs attribute.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_read_noxattr_fs_symlinks',`
	gen_require(`
		attribute noxattrfs;
	')

	# Directory access is limited to search_dir_perms, the set
	# used to reach a link; listing is fs_list_noxattr_fs.
	allow $1 noxattrfs:dir search_dir_perms;

	# The file permission set is reused for the lnk_file class.
	allow $1 noxattrfs:lnk_file r_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to read files
##	on CIFS or SMB filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`fs_dontaudit_read_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	# dontaudit grants nothing: the access is still denied,
	# only the denial is kept out of the audit log. Only the
	# file class is covered; directory denials stay audited.
	dontaudit $1 cifs_t:file r_file_perms;
')
|
|
Chris PeBenito |
a1fcff |
|
|
Chris PeBenito |
a1fcff |
########################################
|
|
Chris PeBenito |
a1fcff |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Do not audit attempts to read or
|
|
Chris PeBenito |
414e41 |
## write files on a CIFS or SMB filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
d35c62 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_dontaudit_rw_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	# Only the read and write denials are silenced; access is still
	# refused and other permissions are still audited.
	dontaudit $1 cifs_t:file { read write };
')
|
|
Chris PeBenito |
d35c62 |
|
|
Chris PeBenito |
d35c62 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Read symbolic links on a CIFS or SMB filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
d35c62 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_read_cifs_symlinks',`
	gen_require(`
		type cifs_t;
	')

	# Directory access uses the full r_dir_perms set here, where the
	# noxattrfs symlink interface in this file uses search_dir_perms.
	allow $1 cifs_t:dir r_dir_perms;
	allow $1 cifs_t:lnk_file r_file_perms;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Execute files on a CIFS or SMB
|
|
Chris PeBenito |
414e41 |
## network filesystem, in the caller
|
|
Chris PeBenito |
414e41 |
## domain.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
4d851f |
interface(`fs_exec_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:dir r_dir_perms;

	# Per the interface summary the program runs in the caller domain,
	# so no transition is involved. can_exec is defined elsewhere.
	# NOTE(review): every file on the share carries cifs_t, so this
	# covers any file the remote server presents; grant it only to
	# domains that must run programs from the share.
	can_exec($1, cifs_t)
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
b16c6b |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Create, read, write, and delete directories
|
|
Chris PeBenito |
414e41 |
## on a CIFS or SMB network filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_manage_cifs_dirs',`
	gen_require(`
		type cifs_t;
	')

	# create_dir_perms is a permission set defined elsewhere in the
	# policy; the summary describes it as create, read, write, delete.
	allow $1 cifs_t:dir create_dir_perms;
')
|
|
Chris PeBenito |
a1fcff |
|
|
Chris PeBenito |
a1fcff |
########################################
|
|
Chris PeBenito |
a1fcff |
## <summary>
|
|
Chris PeBenito |
a1fcff |
## Do not audit attempts to create, read,
|
|
Chris PeBenito |
a1fcff |
## write, and delete directories
|
|
Chris PeBenito |
a1fcff |
## on a CIFS or SMB network filesystem.
|
|
Chris PeBenito |
a1fcff |
## </summary>
|
|
Chris PeBenito |
a1fcff |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
a1fcff |
## </param>
|
|
Chris PeBenito |
a1fcff |
#
|
|
Chris PeBenito |
a1fcff |
interface(`fs_dontaudit_manage_cifs_dirs',`
	gen_require(`
		type cifs_t;
	')

	# Suppresses denial records only; no access is granted. The set
	# matches the one allowed by fs_manage_cifs_dirs.
	dontaudit $1 cifs_t:dir create_dir_perms;
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
b16c6b |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Create, read, write, and delete files
|
|
Chris PeBenito |
414e41 |
## on a CIFS or SMB network filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_manage_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	# Directory read/write set accompanies the file management set;
	# presumably needed to add and remove entries -- confirm against
	# the rw_dir_perms definition.
	allow $1 cifs_t:dir rw_dir_perms;
	allow $1 cifs_t:file create_file_perms;
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
b16c6b |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
a1fcff |
## Do not audit attempts to create, read,
|
|
Chris PeBenito |
a1fcff |
## write, and delete files
|
|
Chris PeBenito |
a1fcff |
## on a CIFS or SMB network filesystem.
|
|
Chris PeBenito |
a1fcff |
## </summary>
|
|
Chris PeBenito |
a1fcff |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a1fcff |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
a1fcff |
## </param>
|
|
Chris PeBenito |
a1fcff |
#
|
|
Chris PeBenito |
a1fcff |
interface(`fs_dontaudit_manage_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	# Silences denial records for the whole create_file_perms set on
	# cifs_t files. Access stays denied; only the log entry is dropped,
	# so denied writes to the share will not show up in audit review.
	dontaudit $1 cifs_t:file create_file_perms;
')
|
|
Chris PeBenito |
a1fcff |
|
|
Chris PeBenito |
a1fcff |
########################################
|
|
Chris PeBenito |
a1fcff |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Create, read, write, and delete symbolic links
|
|
Chris PeBenito |
414e41 |
## on a CIFS or SMB network filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_manage_cifs_symlinks',`
	gen_require(`
		type cifs_t;
	')

	# Same directory set as the other fs_manage_cifs_* interfaces,
	# paired with the symlink-specific create_lnk_perms set.
	allow $1 cifs_t:dir rw_dir_perms;
	allow $1 cifs_t:lnk_file create_lnk_perms;
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
b16c6b |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Create, read, write, and delete named pipes
|
|
Chris PeBenito |
414e41 |
## on a CIFS or SMB network filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_manage_cifs_named_pipes',`
	gen_require(`
		type cifs_t;
	')

	# Named pipes are the fifo_file class; the directory rule mirrors
	# fs_manage_cifs_files.
	allow $1 cifs_t:dir rw_dir_perms;
	allow $1 cifs_t:fifo_file create_file_perms;
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
b16c6b |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Create, read, write, and delete named sockets
|
|
Chris PeBenito |
414e41 |
## on a CIFS or SMB network filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
199895 |
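interface(`fs_manage_cifs_named_sockets',`
	gen_require(`
		type cifs_t;
	')

	# Fix: the directory rule previously used rw_file_perms, a file-class
	# permission set, on the dir class. The sibling interfaces
	# (fs_manage_cifs_files, _symlinks, _named_pipes) all use rw_dir_perms
	# for cifs_t:dir, so this one now matches them.
	# NOTE(review): confirm against the permission-set definitions that
	# no caller relied on a permission only present in rw_file_perms.
	allow $1 cifs_t:dir rw_dir_perms;

	# Named sockets are the sock_file class.
	allow $1 cifs_t:sock_file create_file_perms;
')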
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
b16c6b |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
df00b2 |
## Execute a file on a CIFS or SMB filesystem
|
|
Chris PeBenito |
df00b2 |
## in the specified domain.
|
|
Chris PeBenito |
df00b2 |
## </summary>
|
|
Chris PeBenito |
df00b2 |
## <desc>
|
|
Chris PeBenito |
df00b2 |
##
|
|
Chris PeBenito |
df00b2 |
## Execute a file on a CIFS or SMB filesystem
|
|
Chris PeBenito |
df00b2 |
## in the specified domain. This allows
|
|
Chris PeBenito |
df00b2 |
## the specified domain to execute any file
|
|
Chris PeBenito |
df00b2 |
## on these filesystems in the specified
|
|
Chris PeBenito |
df00b2 |
## domain. This is not suggested.
|
|
Chris PeBenito |
df00b2 |
##
|
|
Chris PeBenito |
df00b2 |
##
|
|
Chris PeBenito |
df00b2 |
## No interprocess communication (signals, pipes,
|
|
Chris PeBenito |
df00b2 |
## etc.) is provided by this interface since
|
|
Chris PeBenito |
df00b2 |
## the domains are not owned by this module.
|
|
Chris PeBenito |
df00b2 |
##
|
|
Chris PeBenito |
df00b2 |
##
|
|
Chris PeBenito |
df00b2 |
## This interface was added to handle
|
|
Chris PeBenito |
df00b2 |
## home directories on CIFS/SMB filesystems,
|
|
Chris PeBenito |
df00b2 |
## in particular used by the ssh-agent policy.
|
|
Chris PeBenito |
df00b2 |
##
|
|
Chris PeBenito |
df00b2 |
## </desc>
|
|
Chris PeBenito |
df00b2 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
df00b2 |
## </param>
|
|
Chris PeBenito |
df00b2 |
## <param name="target_domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
df00b2 |
## The type of the new process.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
df00b2 |
## </param>
|
|
Chris PeBenito |
df00b2 |
#
|
|
Chris PeBenito |
df00b2 |
interface(`fs_cifs_domtrans',`
	gen_require(`
		type cifs_t;
	')

	# Only the bare search permission is granted on directories.
	allow $1 cifs_t:dir search;

	# Arguments: source domain, cifs_t as the executable type, and the
	# second interface parameter as the type of the new process.
	# The executable type is the filesystem-wide cifs_t, so any file on
	# the share can start the transition; the interface description
	# itself says this is not suggested.
	domain_auto_trans($1,cifs_t,$2)
')
|
|
Chris PeBenito |
df00b2 |
|
|
Chris PeBenito |
df00b2 |
########################################
|
|
Chris PeBenito |
df00b2 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Mount a DOS filesystem, such as
|
|
Chris PeBenito |
414e41 |
## FAT32 or NTFS.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_mount_dos_fs',`
	gen_require(`
		type dosfs_t;
	')

	# Filesystem-class permission: covers the mount operation only,
	# not access to files on the mounted filesystem.
	allow $1 dosfs_t:filesystem mount;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Remount a DOS filesystem, such as
|
|
Chris PeBenito |
414e41 |
## FAT32 or NTFS. This allows
|
|
Chris PeBenito |
414e41 |
## some mount options to be changed.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_remount_dos_fs',`
	gen_require(`
		type dosfs_t;
	')

	# Per the summary, remount lets some mount options be changed.
	allow $1 dosfs_t:filesystem remount;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Unmount a DOS filesystem, such as
|
|
Chris PeBenito |
414e41 |
## FAT32 or NTFS.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_unmount_dos_fs',`
	gen_require(`
		type dosfs_t;
	')

	# Single filesystem-class permission for unmounting dosfs_t.
	allow $1 dosfs_t:filesystem unmount;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Get the attributes of a DOS
|
|
Chris PeBenito |
414e41 |
## filesystem, such as FAT32 or NTFS.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_getattr_dos_fs',`
	gen_require(`
		type dosfs_t;
	')

	# getattr on the filesystem object itself, not on files within it.
	allow $1 dosfs_t:filesystem getattr;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Allow changing of the label of a
|
|
Chris PeBenito |
414e41 |
## DOS filesystem using the context= mount option.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
dc771f |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_relabelfrom_dos_fs',`
	gen_require(`
		type dosfs_t;
	')

	# Per the summary this backs the context= mount option.
	# NOTE(review): this grants only the relabelfrom half; the
	# relabelto permission on the destination type is not granted here.
	allow $1 dosfs_t:filesystem relabelfrom;
')
|
|
Chris PeBenito |
dc771f |
|
|
Chris PeBenito |
dc771f |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
93727e |
## Read eventpollfs files
|
|
Chris PeBenito |
93727e |
## </summary>
|
|
Chris PeBenito |
93727e |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
93727e |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
93727e |
## </param>
|
|
Chris PeBenito |
93727e |
#
|
|
Chris PeBenito |
93727e |
interface(`fs_read_eventpollfs',`
	gen_require(`
		type eventpollfs_t;
	')

	# Directory search plus the file read set on eventpollfs_t.
	allow $1 eventpollfs_t:dir search_dir_perms;
	allow $1 eventpollfs_t:file r_file_perms;
')
|
|
Chris PeBenito |
93727e |
|
|
Chris PeBenito |
93727e |
########################################
|
|
Chris PeBenito |
93727e |
## <summary>
|
|
Chris PeBenito |
51a89c |
## Search inotifyfs filesystem.
|
|
Chris PeBenito |
51a89c |
## </summary>
|
|
Chris PeBenito |
51a89c |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
51a89c |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
51a89c |
## </param>
|
|
Chris PeBenito |
51a89c |
#
|
|
Chris PeBenito |
51a89c |
interface(`fs_search_inotifyfs',`
	gen_require(`
		type inotifyfs_t;
	')

	# Search only; listing is granted by fs_list_inotifyfs.
	allow $1 inotifyfs_t:dir search_dir_perms;
')
|
|
Chris PeBenito |
51a89c |
|
|
Chris PeBenito |
51a89c |
########################################
|
|
Chris PeBenito |
51a89c |
## <summary>
|
|
Chris PeBenito |
b0d224 |
## List inotifyfs filesystem.
|
|
Chris PeBenito |
b0d224 |
## </summary>
|
|
Chris PeBenito |
b0d224 |
## <param name="domain">
|
|
Chris PeBenito |
b0d224 |
## <summary>
|
|
Chris PeBenito |
b0d224 |
## Domain allowed access.
|
|
Chris PeBenito |
b0d224 |
## </summary>
|
|
Chris PeBenito |
b0d224 |
## </param>
|
|
Chris PeBenito |
b0d224 |
#
|
|
Chris PeBenito |
b0d224 |
interface(`fs_list_inotifyfs',`
	gen_require(`
		type inotifyfs_t;
	')

	# r_dir_perms on inotifyfs_t directories.
	allow $1 inotifyfs_t:dir r_dir_perms;
')
|
|
Chris PeBenito |
b0d224 |
|
|
Chris PeBenito |
b0d224 |
########################################
|
|
Chris PeBenito |
b0d224 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Mount an iso9660 filesystem, which
|
|
Chris PeBenito |
414e41 |
## is usually used on CDs.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
dc771f |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_mount_iso9660_fs',`
	gen_require(`
		type iso9660_t;
	')

	# Mount permission on the filesystem object only; reading files
	# from the media is a separate interface (fs_read_iso9660_files).
	allow $1 iso9660_t:filesystem mount;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Remount an iso9660 filesystem, which
|
|
Chris PeBenito |
414e41 |
## is usually used on CDs. This allows
|
|
Chris PeBenito |
414e41 |
## some mount options to be changed.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_remount_iso9660_fs',`
	gen_require(`
		type iso9660_t;
	')

	# Per the summary, remount lets some mount options be changed.
	allow $1 iso9660_t:filesystem remount;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Unmount an iso9660 filesystem, which
|
|
Chris PeBenito |
414e41 |
## is usually used on CDs.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_unmount_iso9660_fs',`
	gen_require(`
		type iso9660_t;
	')

	# Single filesystem-class permission for unmounting iso9660_t.
	allow $1 iso9660_t:filesystem unmount;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Get the attributes of an iso9660
|
|
Chris PeBenito |
414e41 |
## filesystem, which is usually used on CDs.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_getattr_iso9660_fs',`
	gen_require(`
		type iso9660_t;
	')

	# getattr on the filesystem object itself, not on files within it.
	allow $1 iso9660_t:filesystem getattr;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
f30e6e |
## Read files on an iso9660 filesystem, which
|
|
Chris PeBenito |
f30e6e |
## is usually used on CDs.
|
|
Chris PeBenito |
f30e6e |
## </summary>
|
|
Chris PeBenito |
f30e6e |
## <param name="domain">
|
|
Chris PeBenito |
f30e6e |
## <summary>
|
|
Chris PeBenito |
f30e6e |
## Domain allowed access.
|
|
Chris PeBenito |
f30e6e |
## </summary>
|
|
Chris PeBenito |
f30e6e |
## </param>
|
|
Chris PeBenito |
f30e6e |
#
|
|
Chris PeBenito |
f30e6e |
interface(`fs_read_iso9660_files',`
	gen_require(`
		type iso9660_t;
	')

	# Uses the list_dir_perms / read_file_perms set names, where most
	# other read interfaces in this file use r_dir_perms / r_file_perms.
	allow $1 iso9660_t:dir list_dir_perms;
	allow $1 iso9660_t:file read_file_perms;

	# Symlinks get an explicit two-permission set rather than a macro.
	allow $1 iso9660_t:lnk_file { getattr read };
')
|
|
Chris PeBenito |
f30e6e |
|
|
Chris PeBenito |
f30e6e |
########################################
|
|
Chris PeBenito |
f30e6e |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Mount a NFS filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_mount_nfs',`
	gen_require(`
		type nfs_t;
	')

	# Mount permission on the filesystem object only; file access on
	# the export is granted by the fs_*_nfs_files interfaces.
	allow $1 nfs_t:filesystem mount;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Remount a NFS filesystem. This allows
|
|
Chris PeBenito |
414e41 |
## some mount options to be changed.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_remount_nfs',`
	gen_require(`
		type nfs_t;
	')

	# Per the summary, remount lets some mount options be changed.
	allow $1 nfs_t:filesystem remount;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Unmount a NFS filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_unmount_nfs',`
	gen_require(`
		type nfs_t;
	')

	# Single filesystem-class permission for unmounting nfs_t.
	allow $1 nfs_t:filesystem unmount;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Get the attributes of a NFS filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_getattr_nfs',`
	gen_require(`
		type nfs_t;
	')

	# getattr on the filesystem object itself, not on files within it.
	allow $1 nfs_t:filesystem getattr;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
948914 |
## Search directories on a NFS filesystem.
|
|
Chris PeBenito |
948914 |
## </summary>
|
|
Chris PeBenito |
948914 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
725926 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
948914 |
## </param>
|
|
Chris PeBenito |
948914 |
#
|
|
Chris PeBenito |
948914 |
interface(`fs_search_nfs',`
	gen_require(`
		type nfs_t;
	')

	# Bare search permission, not the search_dir_perms set used by the
	# inotifyfs and eventpollfs interfaces in this file.
	allow $1 nfs_t:dir search;
')
|
|
Chris PeBenito |
948914 |
|
|
Chris PeBenito |
948914 |
########################################
|
|
Chris PeBenito |
948914 |
## <summary>
|
|
Chris PeBenito |
c8ba68 |
## List NFS filesystem.
|
|
Chris PeBenito |
c8ba68 |
## </summary>
|
|
Chris PeBenito |
c8ba68 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
c8ba68 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
c8ba68 |
## </param>
|
|
Chris PeBenito |
c8ba68 |
#
|
|
Chris PeBenito |
c8ba68 |
interface(`fs_list_nfs',`
	gen_require(`
		type nfs_t;
	')

	# r_dir_perms on nfs_t directories.
	allow $1 nfs_t:dir r_dir_perms;
')
|
|
Chris PeBenito |
c8ba68 |
|
|
Chris PeBenito |
c8ba68 |
########################################
|
|
Chris PeBenito |
c8ba68 |
## <summary>
|
|
Chris PeBenito |
a1fcff |
## Do not audit attempts to list the contents
|
|
Chris PeBenito |
a1fcff |
## of directories on a NFS filesystem.
|
|
Chris PeBenito |
a1fcff |
## </summary>
|
|
Chris PeBenito |
a1fcff |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a1fcff |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
a1fcff |
## </param>
|
|
Chris PeBenito |
a1fcff |
#
|
|
Chris PeBenito |
a1fcff |
interface(`fs_dontaudit_list_nfs',`
	gen_require(`
		type nfs_t;
	')

	# Suppresses denial records for the set that fs_list_nfs allows;
	# no access is granted.
	dontaudit $1 nfs_t:dir r_dir_perms;
')
|
|
Chris PeBenito |
a1fcff |
|
|
Chris PeBenito |
a1fcff |
########################################
|
|
Chris PeBenito |
a1fcff |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Read files on a NFS filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
725926 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
d35c62 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_read_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	# Directory read set plus file read set on nfs_t.
	allow $1 nfs_t:dir r_dir_perms;
	allow $1 nfs_t:file r_file_perms;
')
|
|
Chris PeBenito |
d35c62 |
|
|
Chris PeBenito |
d35c62 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
a1fcff |
## Do not audit attempts to read
|
|
Chris PeBenito |
a1fcff |
## files on a NFS filesystem.
|
|
Chris PeBenito |
a1fcff |
## </summary>
|
|
Chris PeBenito |
a1fcff |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
a1fcff |
## </param>
|
|
Chris PeBenito |
a1fcff |
#
|
|
Chris PeBenito |
a1fcff |
interface(`fs_dontaudit_read_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	# Covers the file class only; directory denials on nfs_t are
	# handled by fs_dontaudit_list_nfs. No access is granted.
	dontaudit $1 nfs_t:file r_file_perms;
')
|
|
Chris PeBenito |
a1fcff |
|
|
Chris PeBenito |
a1fcff |
########################################
|
|
Chris PeBenito |
725926 |
## <summary>
|
|
Chris PeBenito |
725926 |
## Write files on a NFS filesystem.
|
|
Chris PeBenito |
725926 |
## </summary>
|
|
Chris PeBenito |
725926 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
725926 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
725926 |
## </param>
|
|
Chris PeBenito |
725926 |
#
|
|
Chris PeBenito |
725926 |
interface(`fs_write_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	# File access is limited to the write permission alone;
	# directories labeled nfs_t get the r_dir_perms set.
	allow $1 nfs_t:dir r_dir_perms;
	allow $1 nfs_t:file write;
')
|
|
Chris PeBenito |
725926 |
|
|
Chris PeBenito |
725926 |
########################################
|
|
Chris PeBenito |
a1fcff |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Execute files on a NFS filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
4d851f |
interface(`fs_exec_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	allow $1 nfs_t:dir r_dir_perms;
	# can_exec is a macro defined outside this file; presumably it
	# lets the caller run nfs_t files in its own domain - confirm
	# against the macro definition. The rule covers every file
	# labeled nfs_t, not a chosen subset.
	can_exec($1, nfs_t)
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
d35c62 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Do not audit attempts to read or
|
|
Chris PeBenito |
414e41 |
## write files on a NFS filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
d35c62 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_dontaudit_rw_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	# This rule hides only read and write denials on nfs_t files
	# from the audit log; it grants no access.
	dontaudit $1 nfs_t:file { read write };
')
|
|
Chris PeBenito |
d35c62 |
|
|
Chris PeBenito |
d35c62 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Read symbolic links on a NFS filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
d35c62 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_read_nfs_symlinks',`
	gen_require(`
		type nfs_t;
	')

	# r_dir_perms on nfs_t directories, then r_file_perms applied
	# to the lnk_file class so symbolic links can be read.
	allow $1 nfs_t:dir r_dir_perms;
	allow $1 nfs_t:lnk_file r_file_perms;
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
b16c6b |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
43989f |
## Get the attributes of directories of RPC file system pipes.
|
|
Chris PeBenito |
43989f |
## </summary>
|
|
Chris PeBenito |
43989f |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
43989f |
## </param>
|
|
Chris PeBenito |
43989f |
#
|
|
Chris PeBenito |
6f81e1 |
interface(`fs_getattr_rpc_dirs',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# getattr only: this rule does not let the caller search or
	# list rpc_pipefs_t directories.
	allow $1 rpc_pipefs_t:dir getattr;
')
|
|
Chris PeBenito |
6f81e1 |
|
|
Chris PeBenito |
6f81e1 |
########################################
|
|
Chris PeBenito |
6f81e1 |
## <summary>
|
|
Chris PeBenito |
bb4372 |
## Search directories of RPC file system pipes.
|
|
Chris PeBenito |
bb4372 |
## </summary>
|
|
Chris PeBenito |
bb4372 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
bb4372 |
## </param>
|
|
Chris PeBenito |
bb4372 |
#
|
|
Chris PeBenito |
4d851f |
interface(`fs_search_rpc',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# Directory traversal via the search_dir_perms set (defined
	# outside this file); no file-level access is granted here.
	allow $1 rpc_pipefs_t:dir search_dir_perms;
')
|
|
Chris PeBenito |
bb4372 |
|
|
Chris PeBenito |
bb4372 |
########################################
|
|
Chris PeBenito |
bb4372 |
## <summary>
|
|
Chris PeBenito |
4ec694 |
## Search removable storage directories.
|
|
Chris PeBenito |
4ec694 |
## </summary>
|
|
Chris PeBenito |
4ec694 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
4ec694 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
4ec694 |
## </param>
|
|
Chris PeBenito |
4ec694 |
#
|
|
Chris PeBenito |
4d851f |
interface(`fs_search_removable',`
	gen_require(`
		type removable_t;
	')

	# NOTE(review): despite the search name, read is granted too,
	# so removable_t directories can be listed as well as traversed.
	allow $1 removable_t:dir { getattr read search };
')
|
|
Chris PeBenito |
4ec694 |
|
|
Chris PeBenito |
4ec694 |
########################################
|
|
Chris PeBenito |
4ec694 |
## <summary>
|
|
Chris PeBenito |
4ec694 |
## Do not audit attempts to list removable storage directories.
|
|
Chris PeBenito |
4ec694 |
## </summary>
|
|
Chris PeBenito |
4ec694 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
4ec694 |
## Domain not to audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
4ec694 |
## </param>
|
|
Chris PeBenito |
4ec694 |
#
|
|
Chris PeBenito |
4d851f |
interface(`fs_dontaudit_list_removable',`
	gen_require(`
		type removable_t;
	')

	# Keeps denied r_dir_perms requests on removable_t directories
	# out of the audit log; no access is granted.
	dontaudit $1 removable_t:dir r_dir_perms;
')
|
|
Chris PeBenito |
4ec694 |
|
|
Chris PeBenito |
4ec694 |
########################################
|
|
Chris PeBenito |
4ec694 |
## <summary>
|
|
Chris PeBenito |
4ec694 |
## Read removable storage files.
|
|
Chris PeBenito |
4ec694 |
## </summary>
|
|
Chris PeBenito |
4ec694 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
4ec694 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
4ec694 |
## </param>
|
|
Chris PeBenito |
4ec694 |
#
|
|
Chris PeBenito |
4ec694 |
interface(`fs_read_removable_files',`
	gen_require(`
		type removable_t;
	')

	# Only read and getattr on removable_t files; this interface
	# grants no directory permissions.
	allow $1 removable_t:file { read getattr };
')
|
|
Chris PeBenito |
4ec694 |
|
|
Chris PeBenito |
4ec694 |
########################################
|
|
Chris PeBenito |
4ec694 |
## <summary>
|
|
Chris PeBenito |
4ec694 |
## Do not audit attempts to read removable storage files.
|
|
Chris PeBenito |
4ec694 |
## </summary>
|
|
Chris PeBenito |
4ec694 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
4ec694 |
## Domain not to audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
4ec694 |
## </param>
|
|
Chris PeBenito |
4ec694 |
#
|
|
Chris PeBenito |
e99359 |
interface(`fs_dontaudit_read_removable_files',`
	gen_require(`
		type removable_t;
	')

	# Denied r_file_perms requests on removable_t files are not
	# logged for the caller; the denial itself is unchanged.
	dontaudit $1 removable_t:file r_file_perms;
')
|
|
Chris PeBenito |
4ec694 |
|
|
Chris PeBenito |
4ec694 |
########################################
|
|
Chris PeBenito |
4ec694 |
## <summary>
|
|
Chris PeBenito |
4ec694 |
## Read removable storage symbolic links.
|
|
Chris PeBenito |
4ec694 |
## </summary>
|
|
Chris PeBenito |
4ec694 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
4ec694 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
4ec694 |
## </param>
|
|
Chris PeBenito |
4ec694 |
#
|
|
Chris PeBenito |
4ec694 |
interface(`fs_read_removable_symlinks',`
	gen_require(`
		type removable_t;
	')

	# getattr and read on removable_t symbolic links only; no
	# directory permissions are granted by this interface.
	allow $1 removable_t:lnk_file { getattr read };
')
|
|
Chris PeBenito |
4ec694 |
|
|
Chris PeBenito |
4ec694 |
########################################
|
|
Chris PeBenito |
4ec694 |
## <summary>
|
|
Chris PeBenito |
6f81e1 |
## Read directories of RPC file system pipes.
|
|
Chris PeBenito |
6f81e1 |
## </summary>
|
|
Chris PeBenito |
6f81e1 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
6f81e1 |
## </param>
|
|
Chris PeBenito |
6f81e1 |
#
|
|
Chris PeBenito |
4d851f |
interface(`fs_list_rpc',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# getattr, read and search together: enough to traverse and
	# list rpc_pipefs_t directories.
	allow $1 rpc_pipefs_t:dir { getattr read search };
')
|
|
Chris PeBenito |
43989f |
|
|
Chris PeBenito |
43989f |
########################################
|
|
Chris PeBenito |
43989f |
## <summary>
|
|
Chris PeBenito |
43989f |
## Read files of RPC file system pipes.
|
|
Chris PeBenito |
43989f |
## </summary>
|
|
Chris PeBenito |
43989f |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
43989f |
## </param>
|
|
Chris PeBenito |
43989f |
#
|
|
Chris PeBenito |
43989f |
interface(`fs_read_rpc_files',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# read and getattr on rpc_pipefs_t files; directory access is
	# not part of this interface.
	allow $1 rpc_pipefs_t:file { read getattr };
')
|
|
Chris PeBenito |
43989f |
|
|
Chris PeBenito |
43989f |
########################################
|
|
Chris PeBenito |
43989f |
## <summary>
|
|
Chris PeBenito |
43989f |
## Read symbolic links of RPC file system pipes.
|
|
Chris PeBenito |
43989f |
## </summary>
|
|
Chris PeBenito |
43989f |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
43989f |
## </param>
|
|
Chris PeBenito |
43989f |
#
|
|
Chris PeBenito |
43989f |
interface(`fs_read_rpc_symlinks',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# getattr and read on rpc_pipefs_t symbolic links; directory
	# access is not part of this interface.
	allow $1 rpc_pipefs_t:lnk_file { getattr read };
')
|
|
Chris PeBenito |
43989f |
|
|
Chris PeBenito |
43989f |
########################################
|
|
Chris PeBenito |
43989f |
## <summary>
|
|
Chris PeBenito |
43989f |
## Read and write sockets of RPC file system pipes.
|
|
Chris PeBenito |
43989f |
## </summary>
|
|
Chris PeBenito |
43989f |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
43989f |
## </param>
|
|
Chris PeBenito |
43989f |
#
|
|
Chris PeBenito |
43989f |
interface(`fs_read_rpc_sockets',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# NOTE(review): the rule grants write as well as read on
	# rpc_pipefs_t socket files, which is broader than the
	# interface name suggests.
	allow $1 rpc_pipefs_t:sock_file { read write };
')
|
|
Chris PeBenito |
43989f |
|
|
Chris PeBenito |
43989f |
########################################
|
|
Chris PeBenito |
43989f |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Create, read, write, and delete directories
|
|
Chris PeBenito |
414e41 |
## on a NFS filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_manage_nfs_dirs',`
	gen_require(`
		type nfs_t;
	')

	# create_dir_perms is a permission set defined outside this
	# file; the grant applies to every directory labeled nfs_t.
	allow $1 nfs_t:dir create_dir_perms;
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
b16c6b |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
a1fcff |
## Do not audit attempts to create, read,
|
|
Chris PeBenito |
a1fcff |
## write, and delete directories
|
|
Chris PeBenito |
a1fcff |
## on a NFS filesystem.
|
|
Chris PeBenito |
a1fcff |
## </summary>
|
|
Chris PeBenito |
a1fcff |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a1fcff |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
a1fcff |
## </param>
|
|
Chris PeBenito |
a1fcff |
#
|
|
Chris PeBenito |
a1fcff |
interface(`fs_dontaudit_manage_nfs_dirs',`
	gen_require(`
		type nfs_t;
	')

	# Hides denials for the whole create_dir_perms set on nfs_t
	# directories, so refused attempts by the caller leave no
	# audit record.
	dontaudit $1 nfs_t:dir create_dir_perms;
')
|
|
Chris PeBenito |
a1fcff |
|
|
Chris PeBenito |
a1fcff |
########################################
|
|
Chris PeBenito |
a1fcff |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Create, read, write, and delete files
|
|
Chris PeBenito |
414e41 |
## on a NFS filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_manage_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	# rw_dir_perms on the containing directories plus
	# create_file_perms on the files; both sets are defined outside
	# this file and both rules cover everything labeled nfs_t.
	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:file create_file_perms;
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
a1fcff |
########################################
|
|
Chris PeBenito |
a1fcff |
## <summary>
|
|
Chris PeBenito |
a1fcff |
## Do not audit attempts to create,
|
|
Chris PeBenito |
a1fcff |
## read, write, and delete files
|
|
Chris PeBenito |
a1fcff |
## on a NFS filesystem.
|
|
Chris PeBenito |
a1fcff |
## </summary>
|
|
Chris PeBenito |
a1fcff |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a1fcff |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
a1fcff |
## </param>
|
|
Chris PeBenito |
a1fcff |
#
|
|
Chris PeBenito |
a1fcff |
interface(`fs_dontaudit_manage_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	# Hides denials for the whole create_file_perms set on nfs_t
	# files, so refused attempts by the caller leave no audit
	# record.
	dontaudit $1 nfs_t:file create_file_perms;
')
|
|
Chris PeBenito |
a1fcff |
|
|
Chris PeBenito |
fe040c |
#########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Create, read, write, and delete symbolic links
|
|
Chris PeBenito |
414e41 |
## on a NFS filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_manage_nfs_symlinks',`
	gen_require(`
		type nfs_t;
	')

	# Operates on nfs_t only: rw_dir_perms on directories and
	# create_lnk_perms on symbolic links, both sets defined
	# outside this file.
	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:lnk_file create_lnk_perms;
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
fe040c |
#########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Create, read, write, and delete named pipes
|
|
Chris PeBenito |
414e41 |
## on a NFS filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_manage_nfs_named_pipes',`
	gen_require(`
		type nfs_t;
	')

	# Named pipes are the fifo_file class; the file permission set
	# create_file_perms is reused for them.
	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:fifo_file create_file_perms;
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
fe040c |
#########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Create, read, write, and delete named sockets
|
|
Chris PeBenito |
414e41 |
## on a NFS filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_manage_nfs_named_sockets',`
	gen_require(`
		type nfs_t;
	')

	# Named sockets are the sock_file class; the file permission
	# set create_file_perms is reused for them.
	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:sock_file create_file_perms;
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
b16c6b |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
df00b2 |
## Execute a file on a NFS filesystem
|
|
Chris PeBenito |
df00b2 |
## in the specified domain.
|
|
Chris PeBenito |
df00b2 |
## </summary>
|
|
Chris PeBenito |
df00b2 |
## <desc>
|
|
Chris PeBenito |
df00b2 |
##
|
|
Chris PeBenito |
df00b2 |
## Execute a file on a NFS filesystem
|
|
Chris PeBenito |
df00b2 |
## in the specified domain. This allows
|
|
Chris PeBenito |
df00b2 |
## the specified domain to execute any file
|
|
Chris PeBenito |
df00b2 |
## on a NFS filesystem in the specified
|
|
Chris PeBenito |
df00b2 |
## domain. This is not suggested.
|
|
Chris PeBenito |
df00b2 |
##
|
|
Chris PeBenito |
df00b2 |
##
|
|
Chris PeBenito |
df00b2 |
## No interprocess communication (signals, pipes,
|
|
Chris PeBenito |
df00b2 |
## etc.) is provided by this interface since
|
|
Chris PeBenito |
df00b2 |
## the domains are not owned by this module.
|
|
Chris PeBenito |
df00b2 |
##
|
|
Chris PeBenito |
df00b2 |
##
|
|
Chris PeBenito |
df00b2 |
## This interface was added to handle
|
|
Chris PeBenito |
df00b2 |
## home directories on NFS filesystems,
|
|
Chris PeBenito |
df00b2 |
## in particular used by the ssh-agent policy.
|
|
Chris PeBenito |
df00b2 |
##
|
|
Chris PeBenito |
df00b2 |
## </desc>
|
|
Chris PeBenito |
df00b2 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
df00b2 |
## </param>
|
|
Chris PeBenito |
df00b2 |
## <param name="target_domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
df00b2 |
## The type of the new process.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
df00b2 |
## </param>
|
|
Chris PeBenito |
df00b2 |
#
|
|
Chris PeBenito |
df00b2 |
interface(`fs_nfs_domtrans',`
	gen_require(`
		type nfs_t;
	')

	# Bare search permission so the caller can reach the file.
	allow $1 nfs_t:dir search;

	# domain_auto_trans is defined outside this file; presumably
	# the arguments are source domain, entry file type and target
	# domain - confirm against its definition. With nfs_t as the
	# file type the rule is not tied to one specific executable.
	domain_auto_trans($1,nfs_t,$2)
')
|
|
Chris PeBenito |
df00b2 |
|
|
Chris PeBenito |
df00b2 |
########################################
|
|
Chris PeBenito |
df00b2 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Mount a NFS server pseudo filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_mount_nfsd_fs',`
	gen_require(`
		type nfsd_fs_t;
	')

	# filesystem-class permission: it applies to the nfsd_fs_t
	# filesystem object, not to files or directories inside it.
	allow $1 nfsd_fs_t:filesystem mount;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Remount a NFS server pseudo filesystem.
|
|
Chris PeBenito |
414e41 |
## This allows some mount options to be changed.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_remount_nfsd_fs',`
	gen_require(`
		type nfsd_fs_t;
	')

	# Only remount is granted; mount and unmount of nfsd_fs_t are
	# separate permissions not covered by this rule.
	allow $1 nfsd_fs_t:filesystem remount;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Unmount a NFS server pseudo filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_unmount_nfsd_fs',`
	gen_require(`
		type nfsd_fs_t;
	')

	# filesystem-class permission on the nfsd_fs_t filesystem
	# object; nothing is granted on its contents.
	allow $1 nfsd_fs_t:filesystem unmount;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Get the attributes of a NFS server
|
|
Chris PeBenito |
414e41 |
## pseudo filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_getattr_nfsd_fs',`
	gen_require(`
		type nfsd_fs_t;
	')

	# getattr here is on the filesystem class, not on individual
	# files of type nfsd_fs_t.
	allow $1 nfsd_fs_t:filesystem getattr;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
43989f |
## Search NFS server directories.
|
|
Chris PeBenito |
43989f |
## </summary>
|
|
Chris PeBenito |
43989f |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
43989f |
## </param>
|
|
Chris PeBenito |
43989f |
#
|
|
Chris PeBenito |
43989f |
interface(`fs_search_nfsd_fs',`
	gen_require(`
		type nfsd_fs_t;
	')

	# Uses the bare search permission rather than a permission set,
	# so no other directory permission is included.
	allow $1 nfsd_fs_t:dir search;
')
|
|
Chris PeBenito |
43989f |
|
|
Chris PeBenito |
43989f |
########################################
|
|
Chris PeBenito |
43989f |
## <summary>
|
|
Chris PeBenito |
43989f |
## Read and write NFS server files.
|
|
Chris PeBenito |
43989f |
## </summary>
|
|
Chris PeBenito |
43989f |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
43989f |
## </param>
|
|
Chris PeBenito |
43989f |
#
|
|
Chris PeBenito |
43989f |
interface(`fs_rw_nfsd_fs',`
	gen_require(`
		type nfsd_fs_t;
	')

	# File access only, through the rw_file_perms set defined
	# outside this file; no nfsd_fs_t directory permission is
	# granted here.
	allow $1 nfsd_fs_t:file rw_file_perms;
')
|
|
Chris PeBenito |
43989f |
|
|
Chris PeBenito |
43989f |
########################################
|
|
Chris PeBenito |
43989f |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Mount a RAM filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_mount_ramfs',`
	gen_require(`
		type ramfs_t;
	')

	# filesystem-class permission: it applies to the ramfs_t
	# filesystem object, not to files or directories inside it.
	allow $1 ramfs_t:filesystem mount;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Remount a RAM filesystem. This allows
|
|
Chris PeBenito |
414e41 |
## some mount options to be changed.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_remount_ramfs',`
	gen_require(`
		type ramfs_t;
	')

	# Only remount is granted; mount and unmount of ramfs_t are
	# separate permissions not covered by this rule.
	allow $1 ramfs_t:filesystem remount;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Unmount a RAM filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_unmount_ramfs',`
	gen_require(`
		type ramfs_t;
	')

	# filesystem-class permission on the ramfs_t filesystem object;
	# nothing is granted on its contents.
	allow $1 ramfs_t:filesystem unmount;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Get the attributes of a RAM filesystem.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_getattr_ramfs',`
	gen_require(`
		type ramfs_t;
	')

	# getattr here is on the filesystem class, not on individual
	# files of type ramfs_t.
	allow $1 ramfs_t:filesystem getattr;
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
842859 |
## Search directories on a ramfs
|
|
Chris PeBenito |
842859 |
## </summary>
|
|
Chris PeBenito |
842859 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
842859 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
842859 |
## </param>
|
|
Chris PeBenito |
842859 |
#
|
|
Chris PeBenito |
842859 |
interface(`fs_search_ramfs',`
	gen_require(`
		type ramfs_t;
	')

	# Directory traversal via the search_dir_perms set (defined
	# outside this file); no file-level access is granted here.
	allow $1 ramfs_t:dir search_dir_perms;
')
|
|
Chris PeBenito |
842859 |
|
|
Chris PeBenito |
842859 |
########################################
## <summary>
##	Do not audit attempts to search
##	directories on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`fs_dontaudit_search_ramfs',`
	gen_require(`
		type ramfs_t;
	')

	# dontaudit grants nothing: the access is still denied,
	# only the audit record for the denial is suppressed.
	dontaudit $1 ramfs_t:dir search;
')

########################################
## <summary>
##	Do not audit attempts to read
##	files on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`fs_dontaudit_read_ramfs_files',`
	gen_require(`
		type ramfs_t;
	')

	# The read stays denied; this only silences the denial
	# record, so it will not appear in the audit log.
	dontaudit $1 ramfs_t:file read;
')

########################################
## <summary>
##	Do not audit attempts to read
##	named pipes on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`fs_dontaudit_read_ramfs_pipes',`
	gen_require(`
		type ramfs_t;
	')

	# Suppresses the audit record only; no access is granted.
	dontaudit $1 ramfs_t:fifo_file read;
')

########################################
## <summary>
##	Create, read, write, and delete
##	files on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_manage_ramfs_files',`
	gen_require(`
		type ramfs_t;
	')

	# Directory access is granted alongside the file access.
	# rw_dir_perms and manage_file_perms are permission-set
	# macros defined elsewhere in the policy.
	allow $1 ramfs_t:dir rw_dir_perms;
	allow $1 ramfs_t:file manage_file_perms;
')

########################################
## <summary>
##	Write to named pipes on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_write_ramfs_pipes',`
	gen_require(`
		type ramfs_t;
	')

	# Directory search is granted together with the write
	# permission on the pipe itself.
	allow $1 ramfs_t:dir search_dir_perms;
	allow $1 ramfs_t:fifo_file write;
')

########################################
## <summary>
##	Do not audit attempts to write to named
##	pipes on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`fs_dontaudit_write_ramfs_pipes',`
	gen_require(`
		type ramfs_t;
	')

	# The write is still denied; only its audit record is dropped.
	dontaudit $1 ramfs_t:fifo_file write;
')

########################################
## <summary>
##	Read and write named pipes on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_rw_ramfs_pipes',`
	gen_require(`
		type ramfs_t;
	')

	# Directory search plus read/write on the pipes. No rule
	# here allows creating or deleting them.
	allow $1 ramfs_t:dir search_dir_perms;
	allow $1 ramfs_t:fifo_file rw_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete
##	named pipes on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_manage_ramfs_pipes',`
	gen_require(`
		type ramfs_t;
	')

	# Directory access is granted alongside the pipe access.
	# Both permission sets are macros defined elsewhere.
	allow $1 ramfs_t:dir rw_dir_perms;
	allow $1 ramfs_t:fifo_file manage_file_perms;
')

########################################
## <summary>
##	Write to named sockets on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_write_ramfs_sockets',`
	gen_require(`
		type ramfs_t;
	')

	# NOTE(review): unlike fs_write_ramfs_pipes, no directory
	# search permission is granted here; callers presumably
	# add fs_search_ramfs themselves. Confirm this is intended.
	allow $1 ramfs_t:sock_file write;
')

########################################
## <summary>
##	Create, read, write, and delete
##	named sockets on a ramfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_manage_ramfs_sockets',`
	gen_require(`
		type ramfs_t;
	')

	# Directory access is granted alongside the socket-file
	# access. Both permission sets are macros defined elsewhere.
	allow $1 ramfs_t:dir rw_dir_perms;
	allow $1 ramfs_t:sock_file manage_file_perms;
')

########################################
## <summary>
##	Mount a ROM filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_mount_romfs',`
	gen_require(`
		type romfs_t;
	')

	# Only the filesystem-class mount permission is granted.
	allow $1 romfs_t:filesystem mount;
')

########################################
## <summary>
##	Remount a ROM filesystem.  This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_remount_romfs',`
	gen_require(`
		type romfs_t;
	')

	# Only the filesystem-class remount permission is granted.
	allow $1 romfs_t:filesystem remount;
')

########################################
## <summary>
##	Unmount a ROM filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_unmount_romfs',`
	gen_require(`
		type romfs_t;
	')

	# Only the filesystem-class unmount permission is granted.
	allow $1 romfs_t:filesystem unmount;
')

########################################
## <summary>
##	Get the attributes of a ROM
##	filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_getattr_romfs',`
	gen_require(`
		type romfs_t;
	')

	# Applies to the filesystem object class, not to the
	# files stored on the ROM filesystem.
	allow $1 romfs_t:filesystem getattr;
')

########################################
## <summary>
##	Mount a RPC pipe filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_mount_rpc_pipefs',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# Only the filesystem-class mount permission is granted.
	allow $1 rpc_pipefs_t:filesystem mount;
')

########################################
## <summary>
##	Remount a RPC pipe filesystem.  This
##	allows some mount options to be changed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_remount_rpc_pipefs',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# Only the filesystem-class remount permission is granted.
	allow $1 rpc_pipefs_t:filesystem remount;
')

########################################
## <summary>
##	Unmount a RPC pipe filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_unmount_rpc_pipefs',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# Only the filesystem-class unmount permission is granted.
	allow $1 rpc_pipefs_t:filesystem unmount;
')

########################################
## <summary>
##	Get the attributes of a RPC pipe
##	filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_getattr_rpc_pipefs',`
	gen_require(`
		type rpc_pipefs_t;
	')

	# Applies to the filesystem object class, not to the
	# pipes exposed inside the filesystem.
	allow $1 rpc_pipefs_t:filesystem getattr;
')

########################################
## <summary>
##	Mount a tmpfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_mount_tmpfs',`
	gen_require(`
		type tmpfs_t;
	')

	# Only the filesystem-class mount permission is granted.
	allow $1 tmpfs_t:filesystem mount;
')

########################################
## <summary>
##	Remount a tmpfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_remount_tmpfs',`
	gen_require(`
		type tmpfs_t;
	')

	# Only the filesystem-class remount permission is granted.
	allow $1 tmpfs_t:filesystem remount;
')

########################################
## <summary>
##	Unmount a tmpfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_unmount_tmpfs',`
	gen_require(`
		type tmpfs_t;
	')

	# Only the filesystem-class unmount permission is granted.
	allow $1 tmpfs_t:filesystem unmount;
')

########################################
## <summary>
##	Get the attributes of a tmpfs
##	filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_getattr_tmpfs',`
	gen_require(`
		type tmpfs_t;
	')

	# Applies to the filesystem object class; directory
	# attributes are covered by fs_getattr_tmpfs_dirs.
	allow $1 tmpfs_t:filesystem getattr;
')

########################################
## <summary>
##	Allow the type to associate to tmpfs filesystems.
## </summary>
## <param name="type">
##	<summary>
##	The type of the object to be associated.
##	</summary>
## </param>
#
interface(`fs_associate_tmpfs',`
	gen_require(`
		type tmpfs_t;
	')

	# The argument is an object type, not a process domain:
	# objects carrying that label may reside on tmpfs.
	allow $1 tmpfs_t:filesystem associate;
')

########################################
## <summary>
##	Get the attributes of tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_getattr_tmpfs_dirs',`
	gen_require(`
		type tmpfs_t;
	')

	# A single permission: no search or listing is included.
	allow $1 tmpfs_t:dir getattr;
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`fs_dontaudit_getattr_tmpfs_dirs',`
	gen_require(`
		type tmpfs_t;
	')

	# Access remains denied; only the audit record is suppressed.
	dontaudit $1 tmpfs_t:dir getattr;
')

########################################
## <summary>
##	Set the attributes of tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_setattr_tmpfs_dirs',`
	gen_require(`
		type tmpfs_t;
	')

	# A single permission: no search or write on the
	# directory is included.
	allow $1 tmpfs_t:dir setattr;
')

########################################
## <summary>
##	Search tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_search_tmpfs',`
	gen_require(`
		type tmpfs_t;
	')

	# NOTE(review): this grants the bare search permission,
	# while fs_search_ramfs uses search_dir_perms. Confirm
	# whether the difference is intentional.
	allow $1 tmpfs_t:dir search;
')

########################################
## <summary>
##	List the contents of generic tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_list_tmpfs',`
	gen_require(`
		type tmpfs_t;
	')

	# r_dir_perms is a permission-set macro defined
	# elsewhere in the policy.
	allow $1 tmpfs_t:dir r_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to list the
##	contents of generic tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`fs_dontaudit_list_tmpfs',`
	gen_require(`
		type tmpfs_t;
	')

	# Silences every permission in r_dir_perms for tmpfs_t
	# directories. The denials still happen but leave no
	# audit record for this domain.
	dontaudit $1 tmpfs_t:dir r_dir_perms;
')

########################################
## <summary>
##	Create, read, write, and delete
##	tmpfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_manage_tmpfs_dirs',`
	gen_require(`
		type tmpfs_t;
	')

	# create_dir_perms is a permission-set macro defined
	# elsewhere in the policy.
	allow $1 tmpfs_t:dir create_dir_perms;
')

########################################
## <summary>
##	Create an object in a tmpfs filesystem, with a private
##	type using a type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
#
interface(`fs_tmpfs_filetrans',`
	gen_require(`
		type tmpfs_t;
	')

	# Objects labeled with the private type may reside on tmpfs.
	allow $2 tmpfs_t:filesystem associate;
	# The domain gets read/write access to tmpfs_t directories.
	allow $1 tmpfs_t:dir rw_dir_perms;
	# Objects of the given class that the domain creates in a
	# tmpfs_t directory are labeled with the private type.
	# NOTE(review): no rule here lets the domain access objects
	# of the private type; callers presumably grant that
	# separately.
	type_transition $1 tmpfs_t:$3 $2;
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	generic tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`fs_dontaudit_rw_tmpfs_files',`
	gen_require(`
		type tmpfs_t;
	')

	# Only read and write denials are silenced. The access
	# itself is still refused.
	dontaudit $1 tmpfs_t:file { read write };
')

########################################
## <summary>
##	Create, read, write, and delete
##	auto mountpoints.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_manage_auto_mountpoints',`
	gen_require(`
		type autofs_t;
	')

	# Operates on autofs_t directories, not on tmpfs_t like
	# the neighbouring interfaces.
	allow $1 autofs_t:dir manage_dir_perms;
')

########################################
## <summary>
##	Read and write generic tmpfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_rw_tmpfs_files',`
	gen_require(`
		type tmpfs_t;
	')

	# Directory search comes from the shared interface, then
	# read/write on the files. No rule here allows creating
	# or deleting them.
	fs_search_tmpfs($1)
	allow $1 tmpfs_t:file rw_file_perms;
')

########################################
## <summary>
##	Read tmpfs symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_read_tmpfs_symlinks',`
	gen_require(`
		type tmpfs_t;
	')

	# Directory search comes from the shared interface, then
	# read on the link itself.
	fs_search_tmpfs($1)
	allow $1 tmpfs_t:lnk_file read;
')

########################################
## <summary>
##	Read and write character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fs_rw_tmpfs_chr_files',`
	gen_require(`
		type tmpfs_t;
	')

	# NOTE(review): this grants r_dir_perms on tmpfs_t
	# directories, whereas fs_rw_tmpfs_files only goes through
	# fs_search_tmpfs. It also covers every character node
	# labeled tmpfs_t. Confirm callers need access this broad.
	allow $1 tmpfs_t:dir r_dir_perms;
	allow $1 tmpfs_t:chr_file rw_file_perms;
')

########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
93727e |
## Do not audit attempts to read and write character nodes on tmpfs filesystems.
|
|
Chris PeBenito |
93727e |
## </summary>
|
|
Chris PeBenito |
93727e |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
93727e |
## </param>
|
|
Chris PeBenito |
93727e |
#
|
|
Chris PeBenito |
93727e |
interface(`fs_dontaudit_use_tmpfs_chr_dev',`
|
|
Chris PeBenito |
93727e |
gen_require(`
|
|
Chris PeBenito |
93727e |
type tmpfs_t;
|
|
Chris PeBenito |
93727e |
')
|
|
Chris PeBenito |
93727e |
|
|
Chris PeBenito |
93727e |
dontaudit $1 tmpfs_t:dir r_dir_perms;
|
|
Chris PeBenito |
93727e |
dontaudit $1 tmpfs_t:chr_file rw_file_perms;
|
|
Chris PeBenito |
93727e |
')
|
|
Chris PeBenito |
93727e |
|
|
Chris PeBenito |
93727e |
########################################
|
|
Chris PeBenito |
93727e |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Relabel character nodes on tmpfs filesystems.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
efd8ed |
#
|
|
Chris PeBenito |
4d851f |
interface(`fs_relabel_tmpfs_chr_file',`
|
|
Chris PeBenito |
cbc9d6 |
gen_require(`
|
|
Chris PeBenito |
cbc9d6 |
type tmpfs_t;
|
|
Chris PeBenito |
cbc9d6 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
allow $1 tmpfs_t:dir r_dir_perms;
|
|
Chris PeBenito |
0c73cd |
allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
|
|
Chris PeBenito |
efd8ed |
')
|
|
Chris PeBenito |
efd8ed |
|
|
Chris PeBenito |
efd8ed |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Read and write block nodes on tmpfs filesystems.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
daa0e0 |
#
|
|
Chris PeBenito |
4d851f |
interface(`fs_rw_tmpfs_blk_files',`
|
|
Chris PeBenito |
cbc9d6 |
gen_require(`
|
|
Chris PeBenito |
cbc9d6 |
type tmpfs_t;
|
|
Chris PeBenito |
cbc9d6 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
allow $1 tmpfs_t:dir r_dir_perms;
|
|
Chris PeBenito |
0c73cd |
allow $1 tmpfs_t:blk_file rw_file_perms;
|
|
Chris PeBenito |
daa0e0 |
')
|
|
Chris PeBenito |
daa0e0 |
|
|
Chris PeBenito |
daa0e0 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Relabel block nodes on tmpfs filesystems.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
efd8ed |
#
|
|
Chris PeBenito |
4d851f |
interface(`fs_relabel_tmpfs_blk_file',`
|
|
Chris PeBenito |
cbc9d6 |
gen_require(`
|
|
Chris PeBenito |
cbc9d6 |
type tmpfs_t;
|
|
Chris PeBenito |
cbc9d6 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
allow $1 tmpfs_t:dir r_dir_perms;
|
|
Chris PeBenito |
0c73cd |
allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
|
|
Chris PeBenito |
efd8ed |
')
|
|
Chris PeBenito |
efd8ed |
|
|
Chris PeBenito |
efd8ed |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
98a8ea |
## Read and write, create and delete generic
|
|
Chris PeBenito |
98a8ea |
## files on tmpfs filesystems.
|
|
Chris PeBenito |
98a8ea |
## </summary>
|
|
Chris PeBenito |
98a8ea |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
98a8ea |
## </param>
|
|
Chris PeBenito |
98a8ea |
#
|
|
Chris PeBenito |
98a8ea |
interface(`fs_manage_tmpfs_files',`
|
|
Chris PeBenito |
98a8ea |
gen_require(`
|
|
Chris PeBenito |
98a8ea |
type tmpfs_t;
|
|
Chris PeBenito |
98a8ea |
')
|
|
Chris PeBenito |
98a8ea |
|
|
Chris PeBenito |
98a8ea |
allow $1 tmpfs_t:dir rw_dir_perms;
|
|
Chris PeBenito |
98a8ea |
allow $1 tmpfs_t:file create_file_perms;
|
|
Chris PeBenito |
98a8ea |
')
|
|
Chris PeBenito |
98a8ea |
|
|
Chris PeBenito |
98a8ea |
########################################
|
|
Chris PeBenito |
98a8ea |
## <summary>
|
|
Chris PeBenito |
ebdc3b |
## Read and write, create and delete symbolic
|
|
Chris PeBenito |
ebdc3b |
## links on tmpfs filesystems.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
ebdc3b |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
ebdc3b |
## </param>
|
|
Chris PeBenito |
ebdc3b |
#
|
|
Chris PeBenito |
ebdc3b |
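interface(`fs_manage_tmpfs_symlinks',`
	gen_require(`
		type tmpfs_t;
	')

	# $1 is the domain being granted access.
	allow $1 tmpfs_t:dir rw_dir_perms;
	# Symbolic links are object class lnk_file. Naming chr_file here would
	# grant these permissions on character device nodes labeled tmpfs_t
	# and none on symlinks, contradicting the interface summary and the
	# create_lnk_perms permission set.
	allow $1 tmpfs_t:lnk_file create_lnk_perms;
')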
|
|
Chris PeBenito |
ebdc3b |
|
|
Chris PeBenito |
ebdc3b |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
ebdc3b |
## Read and write, create and delete socket
|
|
Chris PeBenito |
ebdc3b |
## files on tmpfs filesystems.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
ebdc3b |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
ebdc3b |
## </param>
|
|
Chris PeBenito |
ebdc3b |
#
|
|
Chris PeBenito |
ebdc3b |
interface(`fs_manage_tmpfs_sockets',`
|
|
Chris PeBenito |
ebdc3b |
gen_require(`
|
|
Chris PeBenito |
ebdc3b |
type tmpfs_t;
|
|
Chris PeBenito |
ebdc3b |
')
|
|
Chris PeBenito |
ebdc3b |
|
|
Chris PeBenito |
ebdc3b |
allow $1 tmpfs_t:dir rw_dir_perms;
|
|
Chris PeBenito |
ebdc3b |
allow $1 tmpfs_t:sock_file create_file_perms;
|
|
Chris PeBenito |
ebdc3b |
')
|
|
Chris PeBenito |
ebdc3b |
|
|
Chris PeBenito |
ebdc3b |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Read and write, create and delete character
|
|
Chris PeBenito |
414e41 |
## nodes on tmpfs filesystems.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
daa0e0 |
#
|
|
Chris PeBenito |
4d851f |
interface(`fs_manage_tmpfs_chr_files',`
|
|
Chris PeBenito |
cbc9d6 |
gen_require(`
|
|
Chris PeBenito |
cbc9d6 |
type tmpfs_t;
|
|
Chris PeBenito |
cbc9d6 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
allow $1 tmpfs_t:dir rw_dir_perms;
|
|
Chris PeBenito |
0c73cd |
allow $1 tmpfs_t:chr_file create_file_perms;
|
|
Chris PeBenito |
daa0e0 |
')
|
|
Chris PeBenito |
daa0e0 |
|
|
Chris PeBenito |
daa0e0 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Read and write, create and delete block nodes
|
|
Chris PeBenito |
414e41 |
## on tmpfs filesystems.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
daa0e0 |
#
|
|
Chris PeBenito |
4d851f |
interface(`fs_manage_tmpfs_blk_files',`
|
|
Chris PeBenito |
cbc9d6 |
gen_require(`
|
|
Chris PeBenito |
cbc9d6 |
type tmpfs_t;
|
|
Chris PeBenito |
cbc9d6 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
allow $1 tmpfs_t:dir rw_dir_perms;
|
|
Chris PeBenito |
0c73cd |
allow $1 tmpfs_t:blk_file create_file_perms;
|
|
Chris PeBenito |
daa0e0 |
')
|
|
Chris PeBenito |
daa0e0 |
|
|
Chris PeBenito |
daa0e0 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Mount all filesystems.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_mount_all_fs',`
|
|
Chris PeBenito |
cbc9d6 |
gen_require(`
|
|
Chris PeBenito |
cbca03 |
attribute filesystem_type;
|
|
Chris PeBenito |
cbc9d6 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
cbca03 |
allow $1 filesystem_type:filesystem mount;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Remount all filesystems. This
|
|
Chris PeBenito |
414e41 |
## allows some mount options to be changed.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_remount_all_fs',`
|
|
Chris PeBenito |
cbc9d6 |
gen_require(`
|
|
Chris PeBenito |
cbca03 |
attribute filesystem_type;
|
|
Chris PeBenito |
cbc9d6 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
cbca03 |
allow $1 filesystem_type:filesystem remount;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Unmount all filesystems.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_unmount_all_fs',`
|
|
Chris PeBenito |
cbc9d6 |
gen_require(`
|
|
Chris PeBenito |
cbca03 |
attribute filesystem_type;
|
|
Chris PeBenito |
cbc9d6 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
cbca03 |
allow $1 filesystem_type:filesystem unmount;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
219bcf |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Get the attributes of all persistent
|
|
Chris PeBenito |
414e41 |
## filesystems.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
219bcf |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_getattr_all_fs',`
|
|
Chris PeBenito |
cbc9d6 |
gen_require(`
|
|
Chris PeBenito |
cbca03 |
attribute filesystem_type;
|
|
Chris PeBenito |
cbc9d6 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
cbca03 |
allow $1 filesystem_type:filesystem getattr;
|
|
Chris PeBenito |
219bcf |
')
|
|
Chris PeBenito |
219bcf |
|
|
Chris PeBenito |
075c4f |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Do not audit attempts to get the attributes
|
|
Chris PeBenito |
414e41 |
## of all filesystems.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
9ccd96 |
#
|
|
Chris PeBenito |
9ccd96 |
interface(`fs_dontaudit_getattr_all_fs',`
|
|
Chris PeBenito |
9ccd96 |
gen_require(`
|
|
Chris PeBenito |
cbca03 |
attribute filesystem_type;
|
|
Chris PeBenito |
9ccd96 |
')
|
|
Chris PeBenito |
9ccd96 |
|
|
Chris PeBenito |
cbca03 |
dontaudit $1 filesystem_type:filesystem getattr;
|
|
Chris PeBenito |
9ccd96 |
')
|
|
Chris PeBenito |
9ccd96 |
|
|
Chris PeBenito |
9ccd96 |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Get the quotas of all filesystems.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## The type of the domain getting quotas.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_get_all_fs_quotas',`
|
|
Chris PeBenito |
cbc9d6 |
gen_require(`
|
|
Chris PeBenito |
cbca03 |
attribute filesystem_type;
|
|
Chris PeBenito |
cbc9d6 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
cbca03 |
allow $1 filesystem_type:filesystem quotaget;
|
|
Chris PeBenito |
b16c6b |
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
b16c6b |
########################################
|
|
Chris PeBenito |
a42ca7 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## Set the quotas of all filesystems.
|
|
Chris PeBenito |
a42ca7 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
414e41 |
## The type of the domain setting quotas.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
414e41 |
## </param>
|
|
Chris PeBenito |
759ba0 |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_set_all_quotas',`
|
|
Chris PeBenito |
cbc9d6 |
gen_require(`
|
|
Chris PeBenito |
cbca03 |
attribute filesystem_type;
|
|
Chris PeBenito |
cbc9d6 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
cbca03 |
allow $1 filesystem_type:filesystem quotamod;
|
|
Chris PeBenito |
759ba0 |
')
|
|
Chris PeBenito |
759ba0 |
|
|
Chris PeBenito |
759ba0 |
########################################
|
|
Chris PeBenito |
ae9e27 |
## <summary>
|
|
Chris PeBenito |
cf6a7d |
## Relabelfrom all filesystems.
|
|
Chris PeBenito |
cf6a7d |
## </summary>
|
|
Chris PeBenito |
cf6a7d |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9db9 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
cf6a7d |
## </param>
|
|
Chris PeBenito |
cf6a7d |
#
|
|
Chris PeBenito |
cf6a7d |
interface(`fs_relabelfrom_all_fs',`
|
|
Chris PeBenito |
cf6a7d |
gen_require(`
|
|
Chris PeBenito |
cf6a7d |
attribute filesystem_type;
|
|
Chris PeBenito |
cf6a7d |
')
|
|
Chris PeBenito |
cf6a7d |
|
|
Chris PeBenito |
cf6a7d |
allow $1 filesystem_type:filesystem relabelfrom;
|
|
Chris PeBenito |
cf6a7d |
')
|
|
Chris PeBenito |
cf6a7d |
|
|
Chris PeBenito |
cf6a7d |
########################################
|
|
Chris PeBenito |
cf6a7d |
## <summary>
|
|
Chris PeBenito |
ac9aa2 |
## Get the attributes of all directories
|
|
Chris PeBenito |
ac9aa2 |
## with a filesystem type.
|
|
Chris PeBenito |
ac9aa2 |
## </summary>
|
|
Chris PeBenito |
ac9aa2 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ac9aa2 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
ac9aa2 |
## </param>
|
|
Chris PeBenito |
ac9aa2 |
#
|
|
Chris PeBenito |
ac9aa2 |
interface(`fs_getattr_all_dirs',`
|
|
Chris PeBenito |
ac9aa2 |
gen_require(`
|
|
Chris PeBenito |
ac9aa2 |
attribute filesystem_type;
|
|
Chris PeBenito |
ac9aa2 |
')
|
|
Chris PeBenito |
ac9aa2 |
|
|
Chris PeBenito |
cbe327 |
allow $1 filesystem_type:dir getattr;
|
|
Chris PeBenito |
ac9aa2 |
')
|
|
Chris PeBenito |
ac9aa2 |
|
|
Chris PeBenito |
ac9aa2 |
########################################
|
|
Chris PeBenito |
ac9aa2 |
## <summary>
|
|
Chris PeBenito |
a1fcff |
## Search all directories with a filesystem type.
|
|
Chris PeBenito |
a1fcff |
## </summary>
|
|
Chris PeBenito |
a1fcff |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
a1fcff |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
a1fcff |
## </param>
|
|
Chris PeBenito |
a1fcff |
#
|
|
Chris PeBenito |
a1fcff |
interface(`fs_search_all',`
|
|
Chris PeBenito |
a1fcff |
gen_require(`
|
|
Chris PeBenito |
a1fcff |
attribute filesystem_type;
|
|
Chris PeBenito |
a1fcff |
')
|
|
Chris PeBenito |
a1fcff |
|
|
Chris PeBenito |
ac9aa2 |
allow $1 filesystem_type:dir search_dir_perms;
|
|
Chris PeBenito |
a1fcff |
')
|
|
Chris PeBenito |
a1fcff |
|
|
Chris PeBenito |
a1fcff |
########################################
|
|
Chris PeBenito |
a1fcff |
## <summary>
|
|
Chris PeBenito |
ae9e27 |
## List all directories with a filesystem type.
|
|
Chris PeBenito |
ae9e27 |
## </summary>
|
|
Chris PeBenito |
ae9e27 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
ae9e27 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
ae9e27 |
## </param>
|
|
Chris PeBenito |
ae9e27 |
#
|
|
Chris PeBenito |
ae9e27 |
interface(`fs_list_all',`
|
|
Chris PeBenito |
ae9e27 |
gen_require(`
|
|
Chris PeBenito |
ae9e27 |
attribute filesystem_type;
|
|
Chris PeBenito |
ae9e27 |
')
|
|
Chris PeBenito |
ae9e27 |
|
|
Chris PeBenito |
ae9e27 |
allow $1 filesystem_type:dir r_dir_perms;
|
|
Chris PeBenito |
ae9e27 |
')
|
|
Chris PeBenito |
ae9e27 |
|
|
Chris PeBenito |
ae9e27 |
########################################
|
|
Chris PeBenito |
4483ee |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Get the attributes of all files with
|
|
Chris PeBenito |
4483ee |
## a filesystem type.
|
|
Chris PeBenito |
4483ee |
## </summary>
|
|
Chris PeBenito |
4483ee |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
4483ee |
## </param>
|
|
Chris PeBenito |
075c4f |
#
|
|
Chris PeBenito |
199895 |
interface(`fs_getattr_all_files',`
|
|
Chris PeBenito |
cbc9d6 |
gen_require(`
|
|
Chris PeBenito |
cbca03 |
attribute filesystem_type;
|
|
Chris PeBenito |
cbc9d6 |
')
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
cbca03 |
allow $1 filesystem_type:dir { search getattr };
|
|
Chris PeBenito |
cbca03 |
allow $1 filesystem_type:file getattr;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
4483ee |
|
|
Chris PeBenito |
4483ee |
########################################
|
|
Chris PeBenito |
4483ee |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Get the attributes of all symbolic links with
|
|
Chris PeBenito |
4483ee |
## a filesystem type.
|
|
Chris PeBenito |
4483ee |
## </summary>
|
|
Chris PeBenito |
4483ee |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
4483ee |
## </param>
|
|
Chris PeBenito |
4483ee |
#
|
|
Chris PeBenito |
4483ee |
interface(`fs_getattr_all_symlinks',`
|
|
Chris PeBenito |
4483ee |
gen_require(`
|
|
Chris PeBenito |
4483ee |
attribute filesystem_type;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
4483ee |
|
|
Chris PeBenito |
4483ee |
allow $1 filesystem_type:dir { search getattr };
|
|
Chris PeBenito |
cbca03 |
allow $1 filesystem_type:lnk_file getattr;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
4483ee |
|
|
Chris PeBenito |
4483ee |
########################################
|
|
Chris PeBenito |
4483ee |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Get the attributes of all named pipes with
|
|
Chris PeBenito |
4483ee |
## a filesystem type.
|
|
Chris PeBenito |
4483ee |
## </summary>
|
|
Chris PeBenito |
4483ee |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
4483ee |
## </param>
|
|
Chris PeBenito |
4483ee |
#
|
|
Chris PeBenito |
4483ee |
interface(`fs_getattr_all_pipes',`
|
|
Chris PeBenito |
4483ee |
gen_require(`
|
|
Chris PeBenito |
4483ee |
attribute filesystem_type;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
4483ee |
|
|
Chris PeBenito |
4483ee |
allow $1 filesystem_type:dir { search getattr };
|
|
Chris PeBenito |
cbca03 |
allow $1 filesystem_type:fifo_file getattr;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
4483ee |
|
|
Chris PeBenito |
4483ee |
########################################
|
|
Chris PeBenito |
4483ee |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Get the attributes of all named sockets with
|
|
Chris PeBenito |
4483ee |
## a filesystem type.
|
|
Chris PeBenito |
4483ee |
## </summary>
|
|
Chris PeBenito |
4483ee |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
4483ee |
## </param>
|
|
Chris PeBenito |
4483ee |
#
|
|
Chris PeBenito |
4483ee |
interface(`fs_getattr_all_sockets',`
|
|
Chris PeBenito |
4483ee |
gen_require(`
|
|
Chris PeBenito |
4483ee |
attribute filesystem_type;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
4483ee |
|
|
Chris PeBenito |
4483ee |
allow $1 filesystem_type:dir { search getattr };
|
|
Chris PeBenito |
cbca03 |
allow $1 filesystem_type:sock_file getattr;
|
|
Chris PeBenito |
075c4f |
')
|
|
Chris PeBenito |
075c4f |
|
|
Chris PeBenito |
9726b3 |
########################################
|
|
Chris PeBenito |
9726b3 |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Do not audit attempts to get the attributes
|
|
Chris PeBenito |
4483ee |
## of all files with a filesystem type.
|
|
Chris PeBenito |
4483ee |
## </summary>
|
|
Chris PeBenito |
4483ee |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
4483ee |
## </param>
|
|
Chris PeBenito |
4483ee |
#
|
|
Chris PeBenito |
4483ee |
interface(`fs_dontaudit_getattr_all_files',`
|
|
Chris PeBenito |
4483ee |
gen_require(`
|
|
Chris PeBenito |
4483ee |
attribute filesystem_type;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
4483ee |
|
|
Chris PeBenito |
4483ee |
dontaudit $1 filesystem_type:file getattr;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
4483ee |
|
|
Chris PeBenito |
4483ee |
########################################
|
|
Chris PeBenito |
4483ee |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Do not audit attempts to get the attributes
|
|
Chris PeBenito |
4483ee |
## of all symbolic links with a filesystem type.
|
|
Chris PeBenito |
4483ee |
## </summary>
|
|
Chris PeBenito |
4483ee |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
4483ee |
## </param>
|
|
Chris PeBenito |
4483ee |
#
|
|
Chris PeBenito |
4483ee |
interface(`fs_dontaudit_getattr_all_symlinks',`
|
|
Chris PeBenito |
4483ee |
gen_require(`
|
|
Chris PeBenito |
4483ee |
attribute filesystem_type;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
4483ee |
|
|
Chris PeBenito |
4483ee |
dontaudit $1 filesystem_type:lnk_file getattr;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
4483ee |
|
|
Chris PeBenito |
4483ee |
########################################
|
|
Chris PeBenito |
4483ee |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Do not audit attempts to get the attributes
|
|
Chris PeBenito |
4483ee |
## of all named pipes with a filesystem type.
|
|
Chris PeBenito |
4483ee |
## </summary>
|
|
Chris PeBenito |
4483ee |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
4483ee |
## </param>
|
|
Chris PeBenito |
4483ee |
#
|
|
Chris PeBenito |
4483ee |
interface(`fs_dontaudit_getattr_all_pipes',`
|
|
Chris PeBenito |
4483ee |
gen_require(`
|
|
Chris PeBenito |
4483ee |
attribute filesystem_type;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
4483ee |
|
|
Chris PeBenito |
4483ee |
dontaudit $1 filesystem_type:fifo_file getattr;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
4483ee |
|
|
Chris PeBenito |
4483ee |
########################################
|
|
Chris PeBenito |
4483ee |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Do not audit attempts to get the attributes
|
|
Chris PeBenito |
4483ee |
## of all named sockets with a filesystem type.
|
|
Chris PeBenito |
4483ee |
## </summary>
|
|
Chris PeBenito |
4483ee |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
4483ee |
## Domain to not audit.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
4483ee |
## </param>
|
|
Chris PeBenito |
4483ee |
#
|
|
Chris PeBenito |
4483ee |
interface(`fs_dontaudit_getattr_all_sockets',`
|
|
Chris PeBenito |
4483ee |
gen_require(`
|
|
Chris PeBenito |
4483ee |
attribute filesystem_type;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
4483ee |
|
|
Chris PeBenito |
4483ee |
dontaudit $1 filesystem_type:sock_file getattr;
|
|
Chris PeBenito |
4483ee |
')
|
|
Chris PeBenito |
4483ee |
|
|
Chris PeBenito |
4483ee |
########################################
|
|
Chris PeBenito |
4483ee |
## <summary>
|
|
Chris PeBenito |
9726b3 |
## Unconfined access to filesystems.
|
|
Chris PeBenito |
9726b3 |
## </summary>
|
|
Chris PeBenito |
9726b3 |
## <param name="domain">
|
|
Chris PeBenito |
885b83 |
## <summary>
|
|
Chris PeBenito |
9726b3 |
## Domain allowed access.
|
|
Chris PeBenito |
885b83 |
## </summary>
|
|
Chris PeBenito |
9726b3 |
## </param>
|
|
Chris PeBenito |
9726b3 |
#
|
|
Chris PeBenito |
9726b3 |
interface(`fs_unconfined',`
|
|
Chris PeBenito |
9726b3 |
gen_require(`
|
|
Chris PeBenito |
b518fc |
attribute filesystem_unconfined_type;
|
|
Chris PeBenito |
9726b3 |
')
|
|
Chris PeBenito |
9726b3 |
|
|
Chris PeBenito |
b518fc |
typeattribute $1 filesystem_unconfined_type;
|
|
Chris PeBenito |
9726b3 |
')
|
|
Chris PeBenito |
e99359 |
|
|
Chris PeBenito |
e99359 |
########################################
|
|
Chris PeBenito |
e99359 |
## <summary>
|
|
Chris PeBenito |
e99359 |
## Relabel all objects from filesystems that
|
|
Chris PeBenito |
e99359 |
## do not support extended attributes.
|
|
Chris PeBenito |
e99359 |
## </summary>
|
|
Chris PeBenito |
e99359 |
## <param name="domain">
|
|
Chris PeBenito |
e99359 |
## <summary>
|
|
Chris PeBenito |
e99359 |
## Domain allowed access.
|
|
Chris PeBenito |
e99359 |
## </summary>
|
|
Chris PeBenito |
e99359 |
## </param>
|
|
Chris PeBenito |
e99359 |
#
|
|
Chris PeBenito |
e99359 |
interface(`fs_relabelfrom_noxattr_fs',`
	gen_require(`
		attribute noxattrfs;
	')

	# Directories carrying a noxattrfs type: list_dir_perms plus relabelfrom.
	allow $1 noxattrfs:dir { list_dir_perms relabelfrom };
	# Every non-directory file class gets the same pair of permissions,
	# so the six per-class rules are written as one class set.
	allow $1 noxattrfs:{ file lnk_file fifo_file sock_file blk_file chr_file } { getattr relabelfrom };
')
|