|
Chris PeBenito |
0fbfa5 |
#DESC Mount - Filesystem mount utilities
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Macros for mount
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Author: Brian May <bam@snoopy.apana.org.au>
|
|
Chris PeBenito |
0fbfa5 |
# X-Debian-Packages: mount
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# based on the work of:
|
|
Chris PeBenito |
0fbfa5 |
# Mark Westerman mark.westerman@csoconline.com
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
type mount_exec_t, file_type, sysadmfile, exec_type;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
5493c2 |
mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain, mlsfileread, mlsfilewrite')
|
|
Chris PeBenito |
0fbfa5 |
mount_loopback_privs(sysadm, mount)
|
|
Chris PeBenito |
0fbfa5 |
role sysadm_r types mount_t;
|
|
Chris PeBenito |
0fbfa5 |
role system_r types mount_t;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t { initrc_devpts_t console_device_t }:chr_file { read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
domain_auto_trans(initrc_t, mount_exec_t, mount_t)
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t init_t:fd use;
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t privfd:fd use;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t self:capability { ipc_lock dac_override };
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t self:process { fork signal_perms };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t file_type:dir search;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Access disk devices.
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t fixed_disk_device_t:devfile_class_set rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t removable_device_t:devfile_class_set rw_file_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t device_t:lnk_file read;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# for when /etc/mtab loses its type
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t file_t:file { getattr read unlink };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# Mount, remount and unmount file systems.
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t fs_type:filesystem mount_fs_perms;
|
|
Chris PeBenito |
2705f9 |
allow mount_t mount_point:dir mounton;
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t nfs_t:dir search;
|
|
Chris PeBenito |
5493c2 |
allow mount_t sysctl_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t root_t:filesystem unmount;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
5493c2 |
can_portmap(mount_t)
|
|
Chris PeBenito |
5493c2 |
|
|
Chris PeBenito |
0fbfa5 |
ifdef(`portmap.te', `
|
|
Chris PeBenito |
0fbfa5 |
# for nfs
|
|
Chris PeBenito |
0fbfa5 |
can_network(mount_t)
|
|
Chris PeBenito |
5493c2 |
allow mount_t port_type:tcp_socket name_connect;
|
|
Chris PeBenito |
0fbfa5 |
can_ypbind(mount_t)
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t port_t:{ tcp_socket udp_socket } name_bind;
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
|
|
Chris PeBenito |
0fbfa5 |
can_udp_send(mount_t, portmap_t)
|
|
Chris PeBenito |
0fbfa5 |
can_udp_send(portmap_t, mount_t)
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t rpc_pipefs_t:dir search;
|
|
Chris PeBenito |
0fbfa5 |
')
|
|
Chris PeBenito |
0fbfa5 |
dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# required for mount.smbfs
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t sbin_t:lnk_file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
rhgb_domain(mount_t)
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# for localization
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t lib_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t autofs_t:dir read;
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t fs_t:filesystem relabelfrom;
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# This rule needs to be generalized. Only admin, initrc should have it.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t file_type:filesystem { unmount mount relabelto };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t mnt_t:dir getattr;
|
|
Chris PeBenito |
0fbfa5 |
dontaudit mount_t kernel_t:fd use;
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t userdomain:fd use;
|
|
Chris PeBenito |
0fbfa5 |
can_exec(mount_t, { sbin_t bin_t })
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t device_t:dir r_dir_perms;
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t tmpfs_t:chr_file { read write };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# tries to read /init
|
|
Chris PeBenito |
0fbfa5 |
dontaudit mount_t root_t:file { getattr read };
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
allow kernel_t mount_t:tcp_socket { read write };
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t self:capability { setgid setuid };
|
|
Chris PeBenito |
0fbfa5 |
allow user_t mount_t:tcp_socket write;
|
|
Chris PeBenito |
0fbfa5 |
allow mount_t proc_t:lnk_file read;
|