#

# Macros for mount

#

# Author:  Brian May <bam@snoopy.apana.org.au>

# Extended by Russell Coker <russell@coker.com.au>

#

#

# mount_domain(domain_prefix,dst_domain_prefix)

#

# Define a derived domain for the mount program for anyone.

#

define(`mount_domain', `

#

# Rules for the $2_t domain, used by the $1_t domain.

#

# $2_t is the domain for the mount process.

#

# This macro will not be included by all users and it may be included twice if

# called from other macros, so we need protection for this do not call this

# macro if $2_def is defined

define(`$2_def', `')

#

type $2_t, domain, privlog $3, nscd_client_domain;

allow $2_t sysfs_t:dir search;

uses_shlib($2_t)

role $1_r types $2_t;

# when mount is run by $1 goto $2_t domain

domain_auto_trans($1_t, mount_exec_t, $2_t)

allow $2_t proc_t:dir search;

allow $2_t proc_t:file { getattr read };

#

# Allow mounting of cdrom by user

#

allow $2_t device_type:blk_file getattr;

tmp_domain($2)

# Use capabilities.

allow $2_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };

allow $2_t self:unix_stream_socket create_socket_perms;

# Create and modify /etc/mtab.

file_type_auto_trans($2_t, etc_t, etc_runtime_t, file)

allow $2_t etc_t:file { getattr read };

read_locale($2_t)

allow $2_t home_root_t:dir search;

allow $2_t $1_home_dir_t:dir search;

allow $2_t noexattrfile:filesystem { mount unmount };

allow $2_t fs_t:filesystem getattr;

allow $2_t removable_t:filesystem { mount unmount };

allow $2_t mnt_t:dir { mounton search };

allow $2_t sbin_t:dir search;

# Access the terminal.

access_terminal($2_t, $1)

ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')

allow $2_t var_t:dir search;

allow $2_t var_run_t:dir search;

ifdef(`distro_redhat',`

ifdef(`pamconsole.te',`

r_dir_file($2_t,pam_var_console_t)

# mount config by default sets fscontext=removable_t

allow $2_t dosfs_t:filesystem relabelfrom;

') dnl end pamconsole.te

') dnl end distro_redhat

') dnl end mount_domain

# mount_loopback_privs(domain_prefix,dst_domain_prefix)

#

# Add loopback mounting privileges to a particular derived

# mount domain. 

#

define(`mount_loopback_privs',`

type $1_$2_source_t, file_type, sysadmfile, $1_file_type;

allow $1_t $1_$2_source_t:file create_file_perms;

allow $1_t $1_$2_source_t:file { relabelto relabelfrom };

allow $2_t $1_$2_source_t:file rw_file_perms;

')