#DESC updfstab - Red Hat utility to change /etc/fstab
#
# Author: Russell Coker <russell@coker.com.au>
#
# Declare updfstab_t as a daemon domain. The two extra attributes passed in,
# fs_domain and etc_writer, widen it beyond a plain daemon (presumably
# filesystem and /etc write rights — confirm against the macro definition).
daemon_base_domain(updfstab, `, fs_domain, etc_writer')
# /etc/fstab is the file this utility exists to rewrite, so the domain needs
# to create and write files directly in etc_t (not only fstab — the grant
# covers the whole type).
rw_dir_create_file(updfstab_t, etc_t)
# Create directories and files under mnt_t (presumably the mount points for
# the entries it adds to fstab — confirm).
create_dir_file(updfstab_t, mnt_t)
# Read /dev directories and modify sym-links
# rw_dir_perms on device_t directories: list and modify entries under /dev.
allow updfstab_t device_t:dir rw_dir_perms;
# create_file_perms on symlinks labelled device_t: the domain can add, replace
# and remove /dev symlinks, not merely follow them. This is a broad grant over
# the whole type; any link it creates is trusted by everything that resolves it.
allow updfstab_t device_t:lnk_file create_file_perms;
# Access disk devices.
# Raw access to fixed-disk block devices. rw_file_perms presumably includes
# write, which is direct access to on-disk data bypassing the filesystem;
# keep this limited to the device types the tool actually probes.
allow updfstab_t fixed_disk_device_t:blk_file rw_file_perms;
# Same raw read/write for removable-media block devices (which devices carry
# removable_device_t depends on the file contexts — confirm).
allow updfstab_t removable_device_t:blk_file rw_file_perms;
# SCSI generic (sg) character devices, read/write — presumably for device
# probing; confirm that write is really required.
allow updfstab_t scsi_generic_device_t:chr_file rw_file_perms;
# for /proc/partitions
# Read-only (getattr + read) on proc_t files, used for /proc/partitions.
allow updfstab_t proc_t:file { getattr read };
# for /proc/self/mounts
# Read its own /proc/self entries (dirs and files labelled with its own type).
r_dir_file(updfstab_t, self)
# for /etc/mtab
# /etc/mtab is etc_runtime_t; read-only here, it is never written by this domain.
allow updfstab_t etc_runtime_t:file { getattr read };
# Locale data, read-only, for message translation.
read_locale(updfstab_t)
ifdef(`dbusd.te', `
# Only compiled in when dbusd.te is part of the policy: act as a client of
# the system bus.
dbusd_client(system, updfstab)
# Send messages to the system bus daemon only; no receive is granted here.
allow updfstab_t system_dbusd_t:dbus { send_msg };
')
# It is not clear which sysctl_kernel_t file updfstab tries to write, or why, so
# I will not allow it (the attempt is only kept out of the audit log)
# Read access to sysctl entries; write is deliberately not granted.
read_sysctl(updfstab_t)
# The write stays denied; dontaudit only suppresses the AVC record so the
# known, harmless attempt does not fill the log. Revisit if the tool starts
# failing on it.
dontaudit updfstab_t sysctl_kernel_t:file write;
# Read-only on the kernel module configuration (modules_conf_t).
allow updfstab_t modules_conf_t:file { getattr read };
# Path lookup through sbin_t directories.
allow updfstab_t sbin_t:dir search;
# Follow symlinks in sbin_t (read only).
allow updfstab_t sbin_t:lnk_file read;
# Path lookup through /var and /var/log; no file access under them is granted
# by this rule.
allow updfstab_t { var_t var_log_t }:dir search;
# Use file descriptors inherited from kernel_t (presumably when started early
# in boot before init re-opens the standard descriptors — confirm the caller).
allow updfstab_t kernel_t:fd use;
# Unix stream sockets in its own domain only (self), e.g. for local IPC.
allow updfstab_t self:unix_stream_socket create_stream_socket_perms;
# Unix datagram sockets in its own domain (self); commonly what syslog()
# uses — confirm.
allow updfstab_t self:unix_dgram_socket create_socket_perms;
ifdef(`modutil.te', `
# dnl is an m4 comment, so this transition into insmod_t is disabled;
# see the can_exec rule below for what happens instead.
dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t)
# insmod is executed without a domain transition, so module loading runs
# inside updfstab_t itself with this file's permissions. That is why the
# module-directory search and modules.dep read rules below are granted to
# this domain directly. Confirm the transition-less execution is intended.
can_exec(updfstab_t, insmod_exec_t)
# Path lookup in the kernel module directories.
allow updfstab_t modules_object_t:dir search;
# Read-only on the module dependency file (modules_dep_t).
allow updfstab_t modules_dep_t:file { getattr read };
')
ifdef(`pamconsole.te', `
# Only when pamconsole.te is present: running pam_console transitions into
# pam_console_t rather than staying in this domain.
domain_auto_trans(updfstab_t, pam_console_exec_t, pam_console_t)
')
# syslog_console permission on the kernel: write messages to the console.
allow updfstab_t kernel_t:system syslog_console;
# Read and write on the administrator's tty, so output reaches the terminal
# the tool was started from. Note this grants read from that tty as well.
allow updfstab_t sysadm_tty_device_t:chr_file { read write };
# dac_override bypasses the DAC (mode-bit) checks on every file the domain
# touches; it is a broad capability, presumably needed for files not owned
# by the uid updfstab runs as — confirm it is still required.
allow updfstab_t self:capability dac_override;
# sys_admin stays denied; only the audit record for the attempt is suppressed.
dontaudit updfstab_t self:capability sys_admin;
# Read-only on the SELinux configuration, file_contexts and default_contexts
# data (presumably to label the files and mount points it creates — confirm).
r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
# Query the security server (e.g. context lookups); no policy changes.
can_getsecurity(updfstab_t)
# Lookup and stat on /bin and /sbin directories.
allow updfstab_t { sbin_t bin_t }:dir { search getattr };
# Suppress noise from attempts to use /dev/tty; no access is granted.
dontaudit updfstab_t devtty_t:chr_file { read write };
# Pipes within its own domain (self), e.g. between the tool and helpers it runs.
allow updfstab_t self:fifo_file { getattr read write ioctl };
# Execute any sbin_t/bin_t program (and ls) without a domain transition:
# whatever is run this way inherits every permission in this file, including
# the raw disk and /dev symlink rights above. Narrow to the specific helper
# executables if they are known.
can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
# Silence stat/search attempts on the home root; access is not granted.
dontaudit updfstab_t home_root_t:dir { getattr search };
# Likewise for searches into user home directories (all home_dir_type and
# home_type types); denied, just not logged.
dontaudit updfstab_t { home_dir_type home_type }:dir search;
# statfs-style queries on mounted filesystems (fs_t); getattr only.
allow updfstab_t fs_t:filesystem { getattr };