#DESC Fsadm - Disk and file system administration
#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
# X-Debian-Packages: util-linux e2fsprogs xfsprogs reiserfsprogs parted raidtools2 mount
#
#################################
#
# Rules for the fsadm_t domain.
#
# fsadm_t is the domain for disk and file system
# administration.
# fsadm_exec_t is the type of the corresponding programs.
#
# fsadm_t carries the domain, privlog, fs_domain and mlsfileread attributes;
# the rule sets attached to those attributes are defined elsewhere in the
# policy.  NOTE(review): mlsfileread presumably relaxes MLS read constraints for
# this domain — confirm before reusing the type for anything beyond fs tools.
type fsadm_t, domain, privlog, fs_domain, mlsfileread;
role system_r types fsadm_t;
role sysadm_r types fsadm_t;
general_domain_access(fsadm_t)
# for swapon
r_dir_file(fsadm_t, sysfs_t)
# Read system information files in /proc.
r_dir_file(fsadm_t, proc_t)
# Read system variables in /proc/sys
read_sysctl(fsadm_t)
# for /dev/shm
allow fsadm_t tmpfs_t:dir { getattr search };
allow fsadm_t tmpfs_t:file { read write };
base_file_read_access(fsadm_t)
# Read /etc.
r_dir_file(fsadm_t, etc_t)
# Read module-related files.
allow fsadm_t modules_conf_t:{ file lnk_file } r_file_perms;
# Read /dev directories and any symbolic links.
allow fsadm_t device_t:dir r_dir_perms;
allow fsadm_t device_t:lnk_file r_file_perms;
uses_shlib(fsadm_t)
type fsadm_exec_t, file_type, sysadmfile, exec_type;
# Entry points into fsadm_t: init scripts always transition when they execute a
# fsadm_exec_t program; the sysadm_t transition that follows is compiled out
# under the targeted policy (see the ifdef below).
domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
')
tmp_domain(fsadm)
# remount file system to apply changes
allow fsadm_t fs_t:filesystem remount;
# getattr on the filesystem class (statfs-style queries) of persistent file systems.
allow fsadm_t fs_t:filesystem getattr;
# mkreiserfs needs this
allow fsadm_t proc_t:filesystem getattr;
# mkreiserfs and other programs need this for UUID
allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
# Use capabilities; ipc_lock is for losetup.
# sys_admin and sys_rawio are broad kernel capabilities and dac_override /
# dac_read_search bypass ordinary file permission bits, so this line is the
# bulk of the domain's privilege.  Only ipc_lock's consumer (losetup) is
# recorded — TODO note which tool needs each of the others so they can be
# trimmed if that tool goes away.
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
# Write to /etc/mtab.
file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
# Inherit and use descriptors from init.
allow fsadm_t init_t:fd use;
# Run other fs admin programs in the fsadm_t domain.
can_exec(fsadm_t, fsadm_exec_t)
# Access disk devices.
allow fsadm_t fixed_disk_device_t:devfile_class_set rw_file_perms;
allow fsadm_t removable_device_t:devfile_class_set rw_file_perms;
allow fsadm_t scsi_generic_device_t:chr_file r_file_perms;
# Access lost+found.
allow fsadm_t lost_found_t:dir create_dir_perms;
allow fsadm_t lost_found_t:{ file sock_file fifo_file } create_file_perms;
allow fsadm_t lost_found_t:lnk_file create_lnk_perms;
# Create and remove directories labeled file_t (presumably the label carried by
# files that have no other type — confirm).  The consumer is not recorded here;
# a later rule also grants rw_dir_perms on file_t:dir for /initrd, so keep the
# two permission sets in step when changing either.
allow fsadm_t file_t:dir { search read getattr rmdir create };
# Recreate /mnt/cdrom.
allow fsadm_t mnt_t:dir { search read getattr rmdir create };
# Recreate /dev/cdrom.
# rw_dir_perms is expected to be a superset of the r_dir_perms granted on
# device_t:dir earlier in this file; if the perms macros confirm that, the
# earlier rule is redundant and can be dropped.
allow fsadm_t device_t:dir rw_dir_perms;
allow fsadm_t device_t:lnk_file { unlink create };
# Enable swapping to devices and files
allow fsadm_t swapfile_t:file { getattr swapon };
allow fsadm_t fixed_disk_device_t:blk_file { getattr swapon };
# Allow console log change (updfstab)
allow fsadm_t kernel_t:system syslog_console;
# Access terminals.
can_access_pty(fsadm_t, initrc)
allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
# Use file descriptors inherited from domains carrying the privfd attribute
# (presumably the privileged callers that launch fsadm_t programs — confirm).
allow fsadm_t privfd:fd use;
read_locale(fsadm_t)
# for smartctl cron jobs
system_crond_entry(fsadm_exec_t, fsadm_t)
# Access to /initrd devices
allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
# stat and traverse usbfs directories (no listing of entries).  Consumer not
# recorded — TODO name the tool that needs usbfs so the rule can be justified.
allow fsadm_t usbfs_t:dir { getattr search };
# Read and write FIFOs on ramfs.  Consumer not recorded — TODO note which tool
# needs this.
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
# stat any character device node: device_type appears to be the attribute over
# all device node types, so the scope is broad, but the access is metadata only
# (getattr), not read or write.
allow fsadm_t device_type:chr_file getattr;
# for tune2fs
# file_type spans every labeled file type, so this permits stat and path
# traversal of directories of any type, including ones this domain otherwise
# cannot read.  It grants no listing of directory entries and no access to the
# files inside; keep it to { getattr search } unless tune2fs demonstrably needs more.
allow fsadm_t file_type:dir { getattr search };