## <summary>Policy for filesystems.</summary>
## <required val="true">
##	Contains the initial SID for the filesystems.
## </required>
########################################
## <summary>
##	Mark the specified type as a filesystem type.
## </summary>
## <param name="domain">
##	The type to be given the filesystem_type attribute.
## </param>
#
interface(`fs_type',`
	gen_require(`
		attribute filesystem_type;
	')

	# Tag the caller-supplied type with the filesystem attribute.
	typeattribute $1 filesystem_type;
')
########################################
## <summary>
##	Mark the specified type as a filesystem
##	type for filesystems that do not support
##	extended attributes.
## </summary>
## <param name="domain">
##	The type to be given the noxattrfs attribute.
## </param>
#
interface(`fs_make_noxattr_fs',`
	gen_require(`
		attribute noxattrfs;
	')

	# A noxattr filesystem type is also a generic filesystem type.
	fs_type($1)

	typeattribute $1 noxattrfs;
')
########################################
## <summary>
##	Allow the specified file type to be associated
##	with persistent filesystems that have extended
##	attributes.  Files of this type can then be
##	created on a filesystem such as ext3, JFS,
##	and XFS.
## </summary>
## <param name="file_type">
##	The type of the file to be associated.
## </param>
#
interface(`fs_associate',`
	gen_require(`
		type fs_t;
		class filesystem associate;
	')

	# The source of this rule is a file type, not a process domain.
	allow $1 fs_t:filesystem associate;
')
########################################
## <summary>
##	Allow the specified file type to be associated
##	with filesystems that lack extended attribute
##	support.  Files of this type can then be
##	created on a filesystem such as FAT32 and NFS.
## </summary>
## <param name="file_type">
##	The type of the file to be associated.
## </param>
#
interface(`fs_associate_noxattr',`
	gen_require(`
		attribute noxattrfs;
		class filesystem associate;
	')

	# Applies to every type carrying the noxattrfs attribute.
	allow $1 noxattrfs:filesystem associate;
')
########################################
## <summary>
##	Execute files on a filesystem that does
##	not support extended attributes.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_exec_noxattr',`
	gen_require(`
		attribute noxattrfs;
	')

	# The target is the whole noxattrfs attribute, so execution is
	# granted on every type that carries it.
	# NOTE(review): files on these filesystems presumably all share the
	# filesystem type, so this would cover every file on them - confirm.
	can_exec($1, noxattrfs)
')
########################################
## <summary>
##	Mount a persistent filesystem that
##	has extended attributes, such as
##	ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_xattr_fs',`
	gen_require(`
		type fs_t;
		class filesystem mount;
	')

	# Grants only the mount permission on fs_t filesystems.
	allow $1 fs_t:filesystem mount;
')
########################################
## <summary>
##	Remount a persistent filesystem that
##	has extended attributes, such as
##	ext3, JFS, or XFS.  Remounting allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_xattr_fs',`
	gen_require(`
		type fs_t;
		class filesystem remount;
	')

	# Grants only the remount permission on fs_t filesystems.
	allow $1 fs_t:filesystem remount;
')
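########################################
## <summary>
##	Unmount a persistent filesystem which
##	has extended attributes, such as
##	ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_xattr_fs',`
	gen_require(`
		type fs_t;
		class filesystem unmount;
	')

	# Grant unmount, the permission declared in the require block.
	# The rule previously granted mount, so callers of this unmount
	# interface received the mount permission instead.
	allow $1 fs_t:filesystem unmount;
')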
########################################
## <summary>
##	Get the attributes of a persistent
##	filesystem that has extended
##	attributes, such as ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_xattr_fs',`
	gen_require(`
		type fs_t;
		class filesystem getattr;
	')

	# Filesystem-level getattr only; no file or dir access is granted.
	allow $1 fs_t:filesystem getattr;
')
########################################
## <summary>
##	Do not audit attempts to get the
##	attributes of a persistent filesystem
##	that has extended attributes, such as
##	ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	The type of the domain to not audit.
## </param>
#
interface(`fs_dontaudit_getattr_xattr_fs',`
	gen_require(`
		type fs_t;
		class filesystem getattr;
	')

	# No access is granted here; only the audit record for the
	# denial is suppressed.
	dontaudit $1 fs_t:filesystem getattr;
')
########################################
## <summary>
##	Allow the label of a filesystem with
##	extended attributes to be changed
##	using the context= mount option.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_relabelfrom_xattr_fs',`
	gen_require(`
		type fs_t;
		class filesystem relabelfrom;
	')

	# Only the relabelfrom half is granted, with fs_t as the label
	# being replaced.
	allow $1 fs_t:filesystem relabelfrom;
')
########################################
## <summary>
##	Get the filesystem quotas of a filesystem
##	with extended attributes.
## </summary>
## <param name="domain">
##	The type of the domain reading the quotas.
## </param>
#
interface(`fs_get_xattr_fs_quota',`
	gen_require(`
		type fs_t;
		class filesystem quotaget;
	')

	# Read-only quota access on fs_t filesystems.
	allow $1 fs_t:filesystem quotaget;
')
########################################
## <summary>
##	Set the filesystem quotas of a filesystem
##	with extended attributes.
## </summary>
## <param name="domain">
##	The type of the domain changing the quotas.
## </param>
#
interface(`fs_set_xattr_fs_quota',`
	gen_require(`
		type fs_t;
		class filesystem quotamod;
	')

	# Quota modification on fs_t filesystems.
	allow $1 fs_t:filesystem quotamod;
')
########################################
## <summary>
##	Mount an automount pseudo filesystem.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_autofs',`
	gen_require(`
		type autofs_t;
		class filesystem mount;
	')

	# Grants only the mount permission on autofs_t filesystems.
	allow $1 autofs_t:filesystem mount;
')
########################################
## <summary>
##	Remount an automount pseudo filesystem.
##	Remounting allows some mount options to
##	be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_autofs',`
	gen_require(`
		type autofs_t;
		class filesystem remount;
	')

	# Grants only the remount permission on autofs_t filesystems.
	allow $1 autofs_t:filesystem remount;
')
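########################################
## <summary>
##	Unmount an automount pseudo filesystem.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_autofs',`
	gen_require(`
		type autofs_t;
		class filesystem unmount;
	')

	# Grant unmount, the permission declared in the require block.
	# The rule previously granted mount, so callers of this unmount
	# interface received the mount permission instead.
	allow $1 autofs_t:filesystem unmount;
')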
########################################
## <summary>
##	Get the attributes of an automount
##	pseudo filesystem.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_autofs',`
	gen_require(`
		type autofs_t;
		class filesystem getattr;
	')

	# Filesystem-level getattr only; no file or dir access is granted.
	allow $1 autofs_t:filesystem getattr;
')
########################################
## <summary>
##	Search automount filesystem directories
##	in order to use automatically mounted
##	filesystems.
## </summary>
## <param name="domain">
##	The type of the domain performing this action.
## </param>
#
interface(`fs_search_auto_mountpoints',`
	gen_require(`
		type autofs_t;
		class dir { getattr search };
	')

	# Traversal only: getattr and search, no directory listing.
	allow $1 autofs_t:dir { getattr search };
')
########################################
## <summary>
##	Register an interpreter for new binary
##	file types through the kernel binfmt_misc
##	support.  A common use is registering
##	a JVM as the interpreter for Java byte
##	code.  Registered binaries can then be
##	executed directly on a command line
##	without naming the interpreter.
## </summary>
## <param name="domain">
##	The type of the domain registering
##	the interpreter.
## </param>
#
interface(`fs_register_binary_executable_type',`
	gen_require(`
		type binfmt_misc_fs_t;
		class dir { getattr search };
		class file { getattr ioctl write };
	')

	# Reach the binfmt_misc files, then write to them.  Write access
	# here decides which interpreter runs for matching binaries, so
	# callers of this interface should be few and trusted.
	allow $1 binfmt_misc_fs_t:dir { getattr search };
	allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
')
########################################
## <summary>
##	Mount a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_cifs',`
	gen_require(`
		type cifs_t;
		class filesystem mount;
	')

	# Grants only the mount permission on cifs_t filesystems.
	allow $1 cifs_t:filesystem mount;
')
########################################
## <summary>
##	Remount a CIFS or SMB network filesystem.
##	Remounting allows some mount options to
##	be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_cifs',`
	gen_require(`
		type cifs_t;
		class filesystem remount;
	')

	# Grants only the remount permission on cifs_t filesystems.
	allow $1 cifs_t:filesystem remount;
')
########################################
## <summary>
##	Unmount a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_cifs',`
	gen_require(`
		type cifs_t;
		class filesystem unmount;
	')

	# Grants only the unmount permission on cifs_t filesystems.
	allow $1 cifs_t:filesystem unmount;
')
########################################
## <summary>
##	Get the attributes of a CIFS or
##	SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_cifs',`
	gen_require(`
		type cifs_t;
		class filesystem getattr;
	')

	# Filesystem-level getattr only; no file or dir access is granted.
	allow $1 cifs_t:filesystem getattr;
')
########################################
## <summary>
##	Search directories on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	The type of the domain searching the directories.
## </param>
#
interface(`fs_search_cifs',`
	gen_require(`
		type cifs_t;
		class dir search;
	')

	# Directory traversal only; no read of directory contents.
	allow $1 cifs_t:dir search;
')
########################################
## <summary>
##	Read files on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	The type of the domain reading the files.
## </param>
#
interface(`fs_read_cifs_files',`
	gen_require(`
		type cifs_t;
		class dir r_dir_perms;
		class file r_file_perms;
	')

	# Read access to cifs_t directories and to the files in them.
	allow $1 cifs_t:dir r_dir_perms;
	allow $1 cifs_t:file r_file_perms;
')
########################################
## <summary>
##	Do not audit attempts to read or
##	write files on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	The type of the domain to not audit.
## </param>
#
interface(`fs_dontaudit_rw_cifs_files',`
	gen_require(`
		type cifs_t;
		class file { read write };
	')

	# No access is granted here; only the audit record for the
	# denial is suppressed.
	dontaudit $1 cifs_t:file { read write };
')
########################################
## <summary>
##	Read symbolic links on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	The type of the domain reading the symbolic links.
## </param>
#
interface(`fs_read_cifs_symlinks',`
	gen_require(`
		type cifs_t;
		class dir r_dir_perms;
		class lnk_file r_file_perms;
	')

	# Read access to cifs_t directories and to the symlinks in them.
	allow $1 cifs_t:dir r_dir_perms;
	allow $1 cifs_t:lnk_file r_file_perms;
')
########################################
## <summary>
##	Execute files on a CIFS or SMB
##	network filesystem, in the caller
##	domain.
## </summary>
## <param name="domain">
##	The type of the domain executing the files.
## </param>
#
interface(`fs_execute_cifs_files',`
	gen_require(`
		type cifs_t;
		class dir r_dir_perms;
	')

	# Directory read access plus execution of cifs_t files without a
	# domain transition.
	# NOTE(review): files on the share presumably all carry cifs_t, so
	# this would cover every file on it - confirm.
	allow $1 cifs_t:dir r_dir_perms;
	can_exec($1, cifs_t)
')
########################################
## <summary>
##	Do not audit attempts to read or
##	write files on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	The type of the domain to not audit.
## </param>
#
# NOTE(review): this definition reuses the name fs_read_cifs_files,
# which is already defined earlier in this file with allow rules, while
# the body here matches fs_dontaudit_rw_cifs_files.  Which definition a
# caller gets depends on how the interface macro treats redefinition;
# confirm, then drop or rename this copy so that callers asking for
# read access do not silently get a dontaudit rule instead.
interface(`fs_read_cifs_files',`
	gen_require(`
		type cifs_t;
		class file { read write };
	')

	dontaudit $1 cifs_t:file { read write };
')
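########################################
## <summary>
##	Create, read, write, and delete directories
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the directories.
## </param>
#
interface(`fs_manage_cifs_dirs',`
	gen_require(`
		type cifs_t;
		class dir create_dir_perms;
	')

	# Use the directory permission set declared in the require block.
	# The rule previously applied create_file_perms, a file permission
	# set, to the dir class.
	allow $1 cifs_t:dir create_dir_perms;
')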
########################################
## <summary>
##	Create, read, write, and delete files
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the files.
## </param>
#
interface(`fs_manage_cifs_files',`
	gen_require(`
		type cifs_t;
		class dir rw_dir_perms;
		class file create_file_perms;
	')

	# Read-write access to the containing directories plus the full
	# create set on the files themselves.
	allow $1 cifs_t:dir rw_dir_perms;
	allow $1 cifs_t:file create_file_perms;
')
########################################
## <summary>
##	Create, read, write, and delete symbolic links
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the symbolic links.
## </param>
#
interface(`fs_manage_cifs_symlinks',`
	gen_require(`
		type cifs_t;
		class dir rw_dir_perms;
		class lnk_file create_lnk_perms;
	')

	# Read-write access to the containing directories plus the full
	# create set on the symlinks themselves.
	allow $1 cifs_t:dir rw_dir_perms;
	allow $1 cifs_t:lnk_file create_lnk_perms;
')
########################################
## <summary>
##	Create, read, write, and delete named pipes
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the pipes.
## </param>
#
interface(`fs_manage_cifs_named_pipes',`
	gen_require(`
		type cifs_t;
		class dir rw_dir_perms;
		class fifo_file create_file_perms;
	')

	# Read-write access to the containing directories plus the full
	# create set on the named pipes themselves.
	allow $1 cifs_t:dir rw_dir_perms;
	allow $1 cifs_t:fifo_file create_file_perms;
')
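########################################
## <summary>
##	Create, read, write, and delete named sockets
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the sockets.
## </param>
#
interface(`fs_manage_cifs_named_sockets',`
	gen_require(`
		type cifs_t;
		class dir rw_dir_perms;
		class sock_file create_file_perms;
	')

	# Use the directory permission set declared in the require block.
	# The rule previously applied rw_file_perms, a file permission set,
	# to the dir class; the sibling cifs manage interfaces in this file
	# use rw_dir_perms.
	allow $1 cifs_t:dir rw_dir_perms;
	allow $1 cifs_t:sock_file create_file_perms;
')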
########################################
## <summary>
##	Execute a file on a CIFS or SMB filesystem
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a file on a CIFS or SMB filesystem
##	in the specified domain.  This allows
##	the specified domain to execute any file
##	on these filesystems in the specified
##	domain.  This is not suggested.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	This interface was added to handle
##	home directories on CIFS/SMB filesystems,
##	in particular used by the ssh-agent policy.
##	</p>
## </desc>
## <param name="domain">
##	The type of the process performing this action.
## </param>
## <param name="target_domain">
##	The type of the new process.
## </param>
#
interface(`fs_cifs_domtrans',`
	gen_require(`
		type cifs_t;
		class dir search;
	')

	# The source domain must be able to reach the file first.
	allow $1 cifs_t:dir search;

	# Executing a cifs_t file moves the process into the target domain
	# automatically; cifs_t is the file type passed to the transition
	# macro.
	domain_auto_trans($1, cifs_t, $2)
')
########################################
## <summary>
##	Mount a DOS filesystem, such as
##	FAT32 or NTFS.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_dos_fs',`
	gen_require(`
		type dosfs_t;
		class filesystem mount;
	')

	# Grants only the mount permission on dosfs_t filesystems.
	allow $1 dosfs_t:filesystem mount;
')
########################################
## <summary>
##	Remount a DOS filesystem, such as
##	FAT32 or NTFS.  Remounting allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_dos_fs',`
	gen_require(`
		type dosfs_t;
		class filesystem remount;
	')

	# Grants only the remount permission on dosfs_t filesystems.
	allow $1 dosfs_t:filesystem remount;
')
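########################################
## <summary>
##	Unmount a DOS filesystem, such as
##	FAT32 or NTFS.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_dos_fs',`
	gen_require(`
		type dosfs_t;
		class filesystem unmount;
	')

	# Grant unmount, the permission declared in the require block.
	# The rule previously granted mount, so callers of this unmount
	# interface received the mount permission instead.
	allow $1 dosfs_t:filesystem unmount;
')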
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Get the attributes of a DOS
Chris PeBenito 414e41
##	filesystem, such as FAT32 or NTFS.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain doing the
Chris PeBenito 414e41
##	getattr on the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_getattr_dos_fs',`
	gen_require(`
		class filesystem getattr;
		type dosfs_t;
	')

	# Caller domain may query attributes of filesystems labeled dosfs_t.
	allow $1 dosfs_t:filesystem getattr;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Allow changing of the label of a
Chris PeBenito 414e41
##	DOS filesystem using the context= mount option.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain mounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito dc771f
#
Chris PeBenito 199895
interface(`fs_relabelfrom_dos_fs',`
	gen_require(`
		class filesystem relabelfrom;
		type dosfs_t;
	')

	# Caller domain may relabel a filesystem away from dosfs_t.
	allow $1 dosfs_t:filesystem relabelfrom;
')
Chris PeBenito dc771f
Chris PeBenito dc771f
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Mount an iso9660 filesystem, which
Chris PeBenito 414e41
##	is usually used on CDs.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain mounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito dc771f
#
Chris PeBenito 199895
interface(`fs_mount_iso9660_fs',`
	gen_require(`
		class filesystem mount;
		type iso9660_t;
	')

	# Caller domain may mount filesystems labeled iso9660_t.
	allow $1 iso9660_t:filesystem mount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Remount an iso9660 filesystem, which
Chris PeBenito 414e41
##	is usually used on CDs.  This allows
Chris PeBenito 414e41
##	some mount options to be changed.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain remounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_remount_iso9660_fs',`
	gen_require(`
		class filesystem remount;
		type iso9660_t;
	')

	# Caller domain may remount filesystems labeled iso9660_t.
	allow $1 iso9660_t:filesystem remount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Unmount an iso9660 filesystem, which
Chris PeBenito 414e41
##	is usually used on CDs.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain unmounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
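interface(`fs_unmount_iso9660_fs',`
	gen_require(`
		type iso9660_t;
		class filesystem unmount;
	')

	# Grant unmount, the permission named in the require block.  The
	# rule previously granted mount, which left unmounting denied and
	# handed every caller a mount right it never asked for.
	allow $1 iso9660_t:filesystem unmount;
')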
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Get the attributes of an iso9660
Chris PeBenito 414e41
##	filesystem, which is usually used on CDs.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain doing the
Chris PeBenito 414e41
##	getattr on the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_getattr_iso9660_fs',`
	gen_require(`
		class filesystem getattr;
		type iso9660_t;
	')

	# Caller domain may query attributes of filesystems labeled iso9660_t.
	allow $1 iso9660_t:filesystem getattr;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Mount a NFS filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain mounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_mount_nfs',`
	gen_require(`
		class filesystem mount;
		type nfs_t;
	')

	# Caller domain may mount filesystems labeled nfs_t.
	allow $1 nfs_t:filesystem mount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Remount a NFS filesystem.  This allows
Chris PeBenito 414e41
##	some mount options to be changed.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain remounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_remount_nfs',`
	gen_require(`
		class filesystem remount;
		type nfs_t;
	')

	# Caller domain may remount filesystems labeled nfs_t.
	allow $1 nfs_t:filesystem remount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Unmount a NFS filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain unmounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
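interface(`fs_unmount_nfs',`
	gen_require(`
		type nfs_t;
		class filesystem unmount;
	')

	# Grant unmount, the permission named in the require block.  The
	# rule previously granted mount, which left unmounting denied and
	# handed every caller a mount right it never asked for.
	allow $1 nfs_t:filesystem unmount;
')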
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Get the attributes of a NFS filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain doing the
Chris PeBenito 414e41
##	getattr on the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_getattr_nfs',`
	gen_require(`
		class filesystem getattr;
		type nfs_t;
	')

	# Caller domain may query attributes of filesystems labeled nfs_t.
	allow $1 nfs_t:filesystem getattr;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 948914
##	Search directories on a NFS filesystem.
Chris PeBenito 948914
## </summary>
Chris PeBenito 948914
## <param name="domain">
Chris PeBenito 948914
##	The type of the domain searching the directories.
Chris PeBenito 948914
## </param>
Chris PeBenito 948914
#
Chris PeBenito 948914
interface(`fs_search_nfs',`
	gen_require(`
		class dir search;
		type nfs_t;
	')

	# Search only: the caller may traverse directories labeled nfs_t.
	allow $1 nfs_t:dir search;
')
Chris PeBenito 948914
Chris PeBenito 948914
########################################
Chris PeBenito 948914
## <summary>
Chris PeBenito 414e41
##	Read files on a NFS filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain reading the files.
Chris PeBenito 414e41
## </param>
Chris PeBenito d35c62
#
Chris PeBenito 199895
interface(`fs_read_nfs_files',`
	gen_require(`
		class file r_file_perms;
		class dir r_dir_perms;
		type nfs_t;
	')

	# Read access to regular files labeled nfs_t, together with read
	# access to directories carrying the same label.
	allow $1 nfs_t:file r_file_perms;
	allow $1 nfs_t:dir r_dir_perms;
')
Chris PeBenito d35c62
Chris PeBenito d35c62
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Execute files on a NFS filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain executing the files.
Chris PeBenito 414e41
## </param>
Chris PeBenito b16c6b
#
Chris PeBenito 199895
interface(`fs_execute_nfs_files',`
	gen_require(`
		class dir r_dir_perms;
		type nfs_t;
	')

	# Execute rights on nfs_t come from the macro call; the allow rule
	# adds read access to directories labeled nfs_t.
	can_exec($1, nfs_t)
	allow $1 nfs_t:dir r_dir_perms;
')
Chris PeBenito b16c6b
Chris PeBenito d35c62
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Do not audit attempts to read or
Chris PeBenito 414e41
##	write files on a NFS filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain to not audit.
Chris PeBenito 414e41
## </param>
Chris PeBenito d35c62
#
Chris PeBenito 199895
interface(`fs_dontaudit_rw_nfs_files',`
	gen_require(`
		class file { read write };
		type nfs_t;
	')

	# Suppress audit records for denied read and write attempts on
	# files labeled nfs_t.  This grants no access by itself.
	dontaudit $1 nfs_t:file { read write };
')
Chris PeBenito d35c62
Chris PeBenito d35c62
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Read symbolic links on a NFS filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain reading the symbolic links.
Chris PeBenito 414e41
## </param>
Chris PeBenito d35c62
#
Chris PeBenito 199895
interface(`fs_read_nfs_symlinks',`
	gen_require(`
		class lnk_file r_file_perms;
		class dir r_dir_perms;
		type nfs_t;
	')

	# Read access to symbolic links labeled nfs_t, together with read
	# access to directories carrying the same label.
	allow $1 nfs_t:lnk_file r_file_perms;
	allow $1 nfs_t:dir r_dir_perms;
')
Chris PeBenito b16c6b
Chris PeBenito b16c6b
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Create, read, write, and delete directories
Chris PeBenito 414e41
##	on a NFS filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain managing the directories.
Chris PeBenito 414e41
## </param>
Chris PeBenito b16c6b
#
Chris PeBenito 199895
interface(`fs_manage_nfs_dirs',`
	gen_require(`
		class dir create_dir_perms;
		type nfs_t;
	')

	# Full directory management on directories labeled nfs_t.
	allow $1 nfs_t:dir create_dir_perms;
')
Chris PeBenito b16c6b
Chris PeBenito b16c6b
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Create, read, write, and delete files
Chris PeBenito 414e41
##	on a NFS filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain managing the files.
Chris PeBenito 414e41
## </param>
Chris PeBenito b16c6b
#
Chris PeBenito 199895
interface(`fs_manage_nfs_files',`
	gen_require(`
		class file create_file_perms;
		class dir rw_dir_perms;
		type nfs_t;
	')

	# Managing files needs write access to the containing directories
	# as well as the file permissions themselves.
	allow $1 nfs_t:file create_file_perms;
	allow $1 nfs_t:dir rw_dir_perms;
')
Chris PeBenito b16c6b
Chris PeBenito fe040c
#########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Create, read, write, and delete symbolic links
Chris PeBenito 414e41
##	on a NFS filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain managing the symbolic links.
Chris PeBenito 414e41
## </param>
Chris PeBenito b16c6b
#
Chris PeBenito 199895
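interface(`fs_manage_nfs_symlinks',`
	gen_require(`
		type nfs_t;
		# Declare the permission set the rule below actually uses.  The
		# require block previously named r_dir_perms while the rule
		# granted rw_dir_perms, so the stated dependency understated
		# the access this interface hands out.
		class dir rw_dir_perms;
		class lnk_file create_lnk_perms;
	')

	# Creating and deleting links needs write access to the containing
	# directories, matching the sibling manage interfaces for nfs_t.
	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:lnk_file create_lnk_perms;
')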
Chris PeBenito b16c6b
Chris PeBenito fe040c
#########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Create, read, write, and delete named pipes
Chris PeBenito 414e41
##	on a NFS filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain managing the pipes.
Chris PeBenito 414e41
## </param>
Chris PeBenito b16c6b
#
Chris PeBenito 199895
interface(`fs_manage_nfs_named_pipes',`
	gen_require(`
		class fifo_file create_file_perms;
		class dir rw_dir_perms;
		type nfs_t;
	')

	# Managing named pipes needs write access to the containing
	# directories as well as the pipe permissions themselves.
	allow $1 nfs_t:fifo_file create_file_perms;
	allow $1 nfs_t:dir rw_dir_perms;
')
Chris PeBenito b16c6b
Chris PeBenito fe040c
#########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Create, read, write, and delete named sockets
Chris PeBenito 414e41
##	on a NFS filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain managing the sockets.
Chris PeBenito 414e41
## </param>
Chris PeBenito b16c6b
#
Chris PeBenito 199895
interface(`fs_manage_nfs_named_sockets',`
	gen_require(`
		class sock_file create_file_perms;
		class dir rw_dir_perms;
		type nfs_t;
	')

	# Managing named sockets needs write access to the containing
	# directories as well as the socket file permissions themselves.
	allow $1 nfs_t:sock_file create_file_perms;
	allow $1 nfs_t:dir rw_dir_perms;
')
Chris PeBenito b16c6b
Chris PeBenito b16c6b
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito df00b2
##	Execute a file on a NFS filesystem
Chris PeBenito df00b2
##	in the specified domain.
Chris PeBenito df00b2
## </summary>
Chris PeBenito df00b2
## <desc>
##	<p>
##	Execute a file on a NFS filesystem
##	in the specified domain.  This allows
##	the specified domain to execute any file
##	on a NFS filesystem in the specified
##	domain.  This is not suggested.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	This interface was added to handle
##	home directories on NFS filesystems,
##	in particular used by the ssh-agent policy.
##	</p>
## </desc>
Chris PeBenito df00b2
## <param name="domain">
Chris PeBenito df00b2
##	The type of the process performing this action.
Chris PeBenito df00b2
## </param>
Chris PeBenito df00b2
## <param name="target_domain">
Chris PeBenito df00b2
##	The type of the new process.
Chris PeBenito df00b2
## </param>
Chris PeBenito df00b2
#
Chris PeBenito df00b2
interface(`fs_nfs_domtrans',`
	gen_require(`
		class dir search;
		type nfs_t;
	')

	# The transition below names nfs_t itself as the executable type,
	# so it applies to any file carrying that label rather than to one
	# dedicated entry point type.  Keep callers of this interface few.
	domain_auto_trans($1,nfs_t,$2)

	# Path lookup through directories labeled nfs_t.
	allow $1 nfs_t:dir search;
')
Chris PeBenito df00b2
Chris PeBenito df00b2
########################################
Chris PeBenito df00b2
## <summary>
Chris PeBenito 414e41
##	Mount a NFS server pseudo filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain mounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_mount_nfsd_fs',`
	gen_require(`
		class filesystem mount;
		type nfsd_fs_t;
	')

	# Caller domain may mount filesystems labeled nfsd_fs_t.
	allow $1 nfsd_fs_t:filesystem mount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Remount a NFS server pseudo filesystem.
Chris PeBenito 414e41
##	This allows some mount options to be changed.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain remounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_remount_nfsd_fs',`
	gen_require(`
		class filesystem remount;
		type nfsd_fs_t;
	')

	# Caller domain may remount filesystems labeled nfsd_fs_t.
	allow $1 nfsd_fs_t:filesystem remount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Unmount a NFS server pseudo filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain unmounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
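interface(`fs_unmount_nfsd_fs',`
	gen_require(`
		type nfsd_fs_t;
		class filesystem unmount;
	')

	# Grant unmount, the permission named in the require block.  The
	# rule previously granted mount, which left unmounting denied and
	# handed every caller a mount right it never asked for.
	allow $1 nfsd_fs_t:filesystem unmount;
')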
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Get the attributes of a NFS server
Chris PeBenito 414e41
##	pseudo filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain doing the
Chris PeBenito 414e41
##	getattr on the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_getattr_nfsd_fs',`
	gen_require(`
		class filesystem getattr;
		type nfsd_fs_t;
	')

	# Caller domain may query attributes of filesystems labeled nfsd_fs_t.
	allow $1 nfsd_fs_t:filesystem getattr;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Mount a RAM filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain mounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_mount_ramfs',`
	gen_require(`
		class filesystem mount;
		type ramfs_t;
	')

	# Caller domain may mount filesystems labeled ramfs_t.
	allow $1 ramfs_t:filesystem mount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Remount a RAM filesystem.  This allows
Chris PeBenito 414e41
##	some mount options to be changed.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain remounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_remount_ramfs',`
	gen_require(`
		class filesystem remount;
		type ramfs_t;
	')

	# Caller domain may remount filesystems labeled ramfs_t.
	allow $1 ramfs_t:filesystem remount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Unmount a RAM filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain unmounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
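interface(`fs_unmount_ramfs',`
	gen_require(`
		type ramfs_t;
		class filesystem unmount;
	')

	# Grant unmount, the permission named in the require block.  The
	# rule previously granted mount, which left unmounting denied and
	# handed every caller a mount right it never asked for.
	allow $1 ramfs_t:filesystem unmount;
')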
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Get the attributes of a RAM filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain doing the
Chris PeBenito 414e41
##	getattr on the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_getattr_ramfs',`
	gen_require(`
		class filesystem getattr;
		type ramfs_t;
	')

	# Caller domain may query attributes of filesystems labeled ramfs_t.
	allow $1 ramfs_t:filesystem getattr;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Mount a ROM filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain mounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_mount_romfs',`
	gen_require(`
		class filesystem mount;
		type romfs_t;
	')

	# Caller domain may mount filesystems labeled romfs_t.
	allow $1 romfs_t:filesystem mount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Remount a ROM filesystem.  This allows
Chris PeBenito 414e41
##	some mount options to be changed.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain remounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_remount_romfs',`
	gen_require(`
		class filesystem remount;
		type romfs_t;
	')

	# Caller domain may remount filesystems labeled romfs_t.
	allow $1 romfs_t:filesystem remount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Unmount a ROM filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain unmounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
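interface(`fs_unmount_romfs',`
	gen_require(`
		type romfs_t;
		class filesystem unmount;
	')

	# Grant unmount, the permission named in the require block.  The
	# rule previously granted mount, which left unmounting denied and
	# handed every caller a mount right it never asked for.
	allow $1 romfs_t:filesystem unmount;
')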
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Get the attributes of a ROM
Chris PeBenito 414e41
##	filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain doing the
Chris PeBenito 414e41
##	getattr on the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_getattr_romfs',`
	gen_require(`
		class filesystem getattr;
		type romfs_t;
	')

	# Caller domain may query attributes of filesystems labeled romfs_t.
	allow $1 romfs_t:filesystem getattr;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Mount a RPC pipe filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain mounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_mount_rpc_pipefs',`
	gen_require(`
		class filesystem mount;
		type rpc_pipefs_t;
	')

	# Caller domain may mount filesystems labeled rpc_pipefs_t.
	allow $1 rpc_pipefs_t:filesystem mount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Remount a RPC pipe filesystem.  This
Chris PeBenito 414e41
##	allows some mount options to be changed.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain remounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_remount_rpc_pipefs',`
	gen_require(`
		class filesystem remount;
		type rpc_pipefs_t;
	')

	# Caller domain may remount filesystems labeled rpc_pipefs_t.
	allow $1 rpc_pipefs_t:filesystem remount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Unmount a RPC pipe filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain unmounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
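interface(`fs_unmount_rpc_pipefs',`
	gen_require(`
		type rpc_pipefs_t;
		class filesystem unmount;
	')

	# Grant unmount, the permission named in the require block.  The
	# rule previously granted mount, which left unmounting denied and
	# handed every caller a mount right it never asked for.
	allow $1 rpc_pipefs_t:filesystem unmount;
')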
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Get the attributes of a RPC pipe
Chris PeBenito 414e41
##	filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain doing the
Chris PeBenito 414e41
##	getattr on the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_getattr_rpc_pipefs',`
	gen_require(`
		class filesystem getattr;
		type rpc_pipefs_t;
	')

	# Caller domain may query attributes of filesystems labeled
	# rpc_pipefs_t.
	allow $1 rpc_pipefs_t:filesystem getattr;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Mount a tmpfs filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain mounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_mount_tmpfs',`
	gen_require(`
		class filesystem mount;
		type tmpfs_t;
	')

	# Caller domain may mount filesystems labeled tmpfs_t.
	allow $1 tmpfs_t:filesystem mount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Remount a tmpfs filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain remounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`fs_remount_tmpfs',`
	gen_require(`
		class filesystem remount;
		type tmpfs_t;
	')

	# Caller domain may remount filesystems labeled tmpfs_t.
	allow $1 tmpfs_t:filesystem remount;
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 414e41
##	Unmount a tmpfs filesystem.
Chris PeBenito a42ca7
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 414e41
##	The type of the domain unmounting the filesystem.
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
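interface(`fs_unmount_tmpfs',`
	gen_require(`
		type tmpfs_t;
		class filesystem unmount;
	')

	# Grant unmount, the permission named in the require block.  The
	# rule previously granted mount, which left unmounting denied and
	# handed every caller a mount right it never asked for.
	allow $1 tmpfs_t:filesystem unmount;
')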
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
## <summary>
##	Get the attributes of a tmpfs filesystem.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_getattr_tmpfs',`
	gen_require(`
		type tmpfs_t;
		class filesystem getattr;
	')

	# Applies to the filesystem object itself, not to the files or
	# directories stored on it.
	allow $1 tmpfs_t:filesystem getattr;
')
########################################
## <summary>
##	Allow the type to associate to tmpfs filesystems.
## </summary>
## <param name="type">
##	The type of the object to be associated.
## </param>
#
interface(`fs_associate_tmpfs',`
	gen_require(`
		type tmpfs_t;
		class filesystem associate;
	')

	# The argument is an object type, not a process domain: it is the
	# source of the associate rule against the tmpfs_t filesystem.
	allow $1 tmpfs_t:filesystem associate;
')
########################################
## <summary>
##	Get the attributes of tmpfs directories.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_getattr_tmpfs_dir',`
	gen_require(`
		type tmpfs_t;
		class dir getattr;
	')

	# getattr only, on directories labeled tmpfs_t; no search or read.
	allow $1 tmpfs_t:dir getattr;
')
########################################
## <summary>
##	Set the attributes of tmpfs directories.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_setattr_tmpfs_dir',`
	gen_require(`
		type tmpfs_t;
		class dir setattr;
	')

	# setattr only, on directories labeled tmpfs_t.
	allow $1 tmpfs_t:dir setattr;
')
########################################
## <summary>
##	Search tmpfs directories.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_search_tmpfs',`
	gen_require(`
		type tmpfs_t;
		class dir search;
	')

	# search only; listing directory contents is fs_list_tmpfs.
	allow $1 tmpfs_t:dir search;
')
########################################
## <summary>
##	List the contents of generic tmpfs directories.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_list_tmpfs',`
	gen_require(`
		type tmpfs_t;
		class dir r_dir_perms;
	')

	# r_dir_perms is a permission-set macro defined outside this
	# section of the file.
	allow $1 tmpfs_t:dir r_dir_perms;
')
########################################
## <summary>
##	Do not audit attempts to list the contents
##	of generic tmpfs directories.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`fs_dontaudit_list_tmpfs',`
	gen_require(`
		type tmpfs_t;
		class dir r_dir_perms;
	')

	# dontaudit grants nothing: the access is still denied, only the
	# audit record is suppressed.  Keep its use narrow, because the
	# suppressed denials are no longer visible to anyone reviewing
	# the audit log.
	dontaudit $1 tmpfs_t:dir r_dir_perms;
')
########################################
#
# fs_create_tmpfs_data(domain,derivedtype,[class])
#
# Objects that the domain creates in tmpfs_t directories are
# labeled with the derived type instead of tmpfs_t.  The optional
# third argument names the object class for the transition; when
# it is empty the class is file.
#
interface(`fs_create_tmpfs_data',`
	gen_require(`
		type tmpfs_t;
		class filesystem associate;
		class dir rw_dir_perms;
	')

	# The derived type may live on a tmpfs filesystem, and the domain
	# may modify tmpfs_t directories.  No rule here lets the domain
	# create or use objects of the derived type; the caller has to
	# grant that separately.
	allow $2 tmpfs_t:filesystem associate;
	allow $1 tmpfs_t:dir rw_dir_perms;

	# An empty third argument selects the file class.
	ifelse(`$3',`',`
		type_transition $1 tmpfs_t:file $2;
	',`
		type_transition $1 tmpfs_t:$3 $2;
	')
')
########################################
## <summary>
##	Read and write character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_use_tmpfs_chr_dev',`
	gen_require(`
		type tmpfs_t;
		class dir r_dir_perms;
		class chr_file rw_file_perms;
	')

	allow $1 tmpfs_t:dir r_dir_perms;
	# Covers every character device node that carries the generic
	# tmpfs_t label, whichever device it refers to.
	allow $1 tmpfs_t:chr_file rw_file_perms;
')
########################################
## <summary>
##	Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_relabel_tmpfs_chr_dev',`
	gen_require(`
		type tmpfs_t;
		class dir r_dir_perms;
		class chr_file { getattr relabelfrom relabelto };
	')

	allow $1 tmpfs_t:dir r_dir_perms;
	# Both directions are granted: away from tmpfs_t (relabelfrom)
	# and to tmpfs_t (relabelto).  Relabeling to another type also
	# needs relabelto on that type, which is not granted here.
	allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
')
########################################
## <summary>
##	Read and write block nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_use_tmpfs_blk_dev',`
	gen_require(`
		type tmpfs_t;
		class dir r_dir_perms;
		class blk_file rw_file_perms;
	')

	allow $1 tmpfs_t:dir r_dir_perms;
	# Covers every block device node that carries the generic
	# tmpfs_t label, whichever device it refers to.
	allow $1 tmpfs_t:blk_file rw_file_perms;
')
########################################
## <summary>
##	Relabel block nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_relabel_tmpfs_blk_dev',`
	gen_require(`
		type tmpfs_t;
		class dir r_dir_perms;
		class blk_file { getattr relabelfrom relabelto };
	')

	allow $1 tmpfs_t:dir r_dir_perms;
	# Both directions are granted: away from tmpfs_t (relabelfrom)
	# and to tmpfs_t (relabelto).  Relabeling to another type also
	# needs relabelto on that type, which is not granted here.
	allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
')
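########################################
## <summary>
##	Read and write, create and delete symbolic
##	links on tmpfs filesystems.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_manage_tmpfs_symlinks',`
	gen_require(`
		type tmpfs_t;
		class dir rw_dir_perms;
		class lnk_file create_lnk_perms;
	')

	allow $1 tmpfs_t:dir rw_dir_perms;
	# Symbolic links are lnk_file objects.  The rule previously named
	# chr_file, which applied the link permission set to character
	# device nodes and granted nothing on symbolic links.
	allow $1 tmpfs_t:lnk_file create_lnk_perms;
')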
########################################
## <summary>
##	Read and write, create and delete socket
##	files on tmpfs filesystems.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_manage_tmpfs_sockets',`
	gen_require(`
		type tmpfs_t;
		class dir rw_dir_perms;
		class sock_file create_file_perms;
	')

	# Directory write access is needed to add and remove the entries;
	# the second rule covers the socket files themselves.
	allow $1 tmpfs_t:dir rw_dir_perms;
	allow $1 tmpfs_t:sock_file create_file_perms;
')
########################################
## <summary>
##	Read and write, create and delete character
##	nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_manage_tmpfs_chr_dev',`
	gen_require(`
		type tmpfs_t;
		class dir rw_dir_perms;
		class chr_file create_file_perms;
	')

	allow $1 tmpfs_t:dir rw_dir_perms;
	# Includes creating character device nodes with the generic
	# tmpfs_t label, so review each caller of this interface.
	allow $1 tmpfs_t:chr_file create_file_perms;
')
########################################
## <summary>
##	Read and write, create and delete block nodes
##	on tmpfs filesystems.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_manage_tmpfs_blk_dev',`
	gen_require(`
		type tmpfs_t;
		class dir rw_dir_perms;
		class blk_file create_file_perms;
	')

	allow $1 tmpfs_t:dir rw_dir_perms;
	# Includes creating block device nodes with the generic
	# tmpfs_t label, so review each caller of this interface.
	allow $1 tmpfs_t:blk_file create_file_perms;
')
########################################
## <summary>
##	Mount all filesystems.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_mount_all_fs',`
	gen_require(`
		attribute filesystem_type;
		class filesystem mount;
	')

	# The target is the filesystem_type attribute, so the rule covers
	# every type that carries it, including types added later.
	allow $1 filesystem_type:filesystem mount;
')
########################################
## <summary>
##	Remount all filesystems.  This
##	allows some mount options to be changed.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_remount_all_fs',`
	gen_require(`
		attribute filesystem_type;
		class filesystem remount;
	')

	# The target is the filesystem_type attribute, so the rule covers
	# every type that carries it, including types added later.
	allow $1 filesystem_type:filesystem remount;
')
########################################
## <summary>
##	Unmount all filesystems.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_unmount_all_fs',`
	gen_require(`
		attribute filesystem_type;
		class filesystem unmount;
	')

	# The target is the filesystem_type attribute, so the rule covers
	# every type that carries it, including types added later.
	allow $1 filesystem_type:filesystem unmount;
')
########################################
## <summary>
##	Get the attributes of all filesystems,
##	that is, every type with the filesystem_type
##	attribute.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_getattr_all_fs',`
	gen_require(`
		attribute filesystem_type;
		class filesystem getattr;
	')

	# Not limited to persistent filesystems: the rule targets the
	# whole filesystem_type attribute.
	allow $1 filesystem_type:filesystem getattr;
')
########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of all filesystems.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`fs_dontaudit_getattr_all_fs',`
	gen_require(`
		attribute filesystem_type;
		class filesystem getattr;
	')

	# dontaudit grants nothing: the access is still denied, only the
	# audit record is suppressed, here for every filesystem type.
	dontaudit $1 filesystem_type:filesystem getattr;
')
########################################
## <summary>
##	Get the quotas of all filesystems.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_get_all_fs_quotas',`
	gen_require(`
		attribute filesystem_type;
		class filesystem quotaget;
	')

	# Read-side quota permission only; changing quotas is quotamod,
	# granted by fs_set_all_quotas.
	allow $1 filesystem_type:filesystem quotaget;
')
########################################
## <summary>
##	Set the quotas of all filesystems.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_set_all_quotas',`
	gen_require(`
		attribute filesystem_type;
		class filesystem quotamod;
	')

	# quotamod on every type with the filesystem_type attribute.
	allow $1 filesystem_type:filesystem quotamod;
')
########################################
## <summary>
##	List all directories with a filesystem type.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_list_all',`
	gen_require(`
		attribute filesystem_type;
		class dir r_dir_perms;
	')

	# Directories labeled with any type that carries the
	# filesystem_type attribute.
	allow $1 filesystem_type:dir r_dir_perms;
')
########################################
#
# fs_getattr_all_files(type)
#
# Get the attributes of directories, files, symbolic links,
# named pipes and socket files labeled with any filesystem type,
# and search those directories.  Character and block device
# nodes are not covered.
#
interface(`fs_getattr_all_files',`
	gen_require(`
		attribute filesystem_type;
		class dir { search getattr };
		class file getattr;
		class lnk_file getattr;
		class fifo_file getattr;
		class sock_file getattr;
	')

	allow $1 filesystem_type:dir { search getattr };
	# One rule for the four non-directory classes; each gets getattr.
	allow $1 filesystem_type:{ file lnk_file fifo_file sock_file } getattr;
')
########################################
## <summary>
##	Unconfined access to filesystems.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_unconfined',`
	gen_require(`
		attribute filesystem_type;
	')

	# Every permission of the filesystem class, on every type that
	# carries the filesystem_type attribute.
	allow $1 filesystem_type:filesystem *;

	# Create/access other files.  fs_type is to pick up various
	# pseudo filesystem types that are applied to both the filesystem
	# and its files.
	# NOTE(review): file and chr_file are not in this class set;
	# confirm whether that is intended.
	allow $1 filesystem_type:{ dir lnk_file sock_file fifo_file blk_file } *;
')