#DESC updfstab - Red Hat utility to change /etc/fstab
#
# Author:  Russell Coker <russell@coker.com.au>
#
# updfstab_t is the domain the utility runs in.  daemon_base_domain()
# declares the type and its entry point; fs_domain and etc_writer are the
# extra attributes it carries.  The rules below are everything this
# domain may do on top of that base.
daemon_base_domain(updfstab, `, fs_domain, etc_writer')

########################################################################
# Files it rewrites: /etc/fstab lives in etc_t, and mount points under
# /mnt are created with the mnt_t label.
rw_dir_create_file(updfstab_t, etc_t)
create_dir_file(updfstab_t, mnt_t)

########################################################################
# /dev handling.  The domain may add and remove names in device_t
# directories (rw_dir_perms) and has the full create_file_perms set --
# which in this policy set includes unlink, rename and setattr -- on
# device_t symlinks.
# NOTE(review): this lets the domain retarget any symlink labelled
# device_t, not only the ones it created itself.  If the program only
# replaces its own links, a narrower permission set would be preferable;
# confirm against the program before tightening.
allow updfstab_t device_t:dir rw_dir_perms;
allow updfstab_t device_t:lnk_file create_file_perms;

# Raw disk access: fixed and removable block devices plus the SCSI
# generic character devices are all opened read/write.
# NOTE(review): write on fixed_disk_device_t amounts to write access to
# every file system on the machine, bypassing all file labels.  If the
# utility only probes partition tables, r_file_perms (which in this
# policy set still carries ioctl) should be enough -- verify against the
# AVC log before changing it.
allow updfstab_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
allow updfstab_t scsi_generic_device_t:chr_file rw_file_perms;

########################################################################
# Read-only views of system state: /proc/partitions (proc_t), /etc/mtab
# (etc_runtime_t), the modules configuration (modules_conf_t), the
# domain's own /proc/<pid> tree for /proc/self/mounts, the sysctl tree
# and the locale data.
allow updfstab_t { proc_t etc_runtime_t modules_conf_t }:file { getattr read };
r_dir_file(updfstab_t, self)
read_sysctl(updfstab_t)
read_locale(updfstab_t)

# The program also attempts to write some sysctl_kernel_t file.  Nobody
# has established which file or why, so the write is denied and the
# denial silenced rather than granted.  (Presumably something under
# /proc/sys/kernel -- unconfirmed.  If a real need is ever identified,
# add a rule for that specific file; do not widen this one.)
dontaudit updfstab_t sysctl_kernel_t:file write;

# SELinux configuration and context files, plus the ability to query the
# running policy, and getattr on the root file system.
r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
can_getsecurity(updfstab_t)
allow updfstab_t fs_t:filesystem getattr;

########################################################################
# Directories it walks without executing anything: /sbin and /bin (and
# the symlinks in /sbin), /var and /var/log.
allow updfstab_t { sbin_t bin_t }:dir { search getattr };
allow updfstab_t sbin_t:lnk_file read;
allow updfstab_t { var_t var_log_t }:dir search;

########################################################################
# Descriptors and IPC: descriptors inherited from kernel_t, and the
# domain's own unix sockets and fifos.
allow updfstab_t kernel_t:fd use;
allow updfstab_t self:unix_stream_socket create_stream_socket_perms;
allow updfstab_t self:unix_dgram_socket create_socket_perms;
allow updfstab_t self:fifo_file { getattr read write ioctl };

# Console logging and the administrator tty; attempts on /dev/tty are
# silenced rather than allowed.
allow updfstab_t kernel_t:system syslog_console;
allow updfstab_t sysadm_tty_device_t:chr_file { read write };
dontaudit updfstab_t devtty_t:chr_file { read write };

########################################################################
# Capabilities.  dac_override is the only one granted here; sys_admin is
# requested by the program but deliberately not given, only silenced.
# NOTE(review): dac_override defeats the mode bits on every object this
# domain can otherwise reach under the type rules above.  It would be
# worth recording which operation actually needs it (possibly opening
# root-owned devices or /etc while not running as root -- unconfirmed).
allow updfstab_t self:capability dac_override;
dontaudit updfstab_t self:capability sys_admin;

########################################################################
# Programs it runs.
# NOTE(review): can_exec keeps the child in updfstab_t, so anything
# labelled bin_t or sbin_t (and the ls_exec_t binary) runs with the full
# set of rights above, including raw disk write.  A domain transition to
# a dedicated domain for each helper that is really needed would confine
# this much better.
can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )

ifdef(`modutil.te', `
# insmod is executed in updfstab_t instead of transitioning to insmod_t;
# the transition is kept here, disabled, in case that is ever wanted.
# Nothing in this file grants sys_module or read on modules_object_t
# files, so unless the base macro does, a real module load from here is
# expected to fail.
dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t)
can_exec(updfstab_t, insmod_exec_t)
allow updfstab_t modules_object_t:dir search;
allow updfstab_t modules_dep_t:file { getattr read };
')

ifdef(`pamconsole.te', `
# pam_console runs in its own domain.
domain_auto_trans(updfstab_t, pam_console_exec_t, pam_console_t)
')

ifdef(`dbusd.te', `
# Client of the system bus.
dbusd_client(system, updfstab)
allow updfstab_t system_dbusd_t:dbus { send_msg };
')

########################################################################
# Noise generated while looking at home directories; not needed, so it
# is silenced rather than allowed.
dontaudit updfstab_t home_root_t:dir { getattr search };
dontaudit updfstab_t { home_dir_type home_type }:dir search;