Blob Blame History Raw
## <summary>Policy for filesystems.</summary>
## <required val="true">
##	Contains the initial SID for the filesystems.
## </required>

########################################
## <summary>
##	Transform specified type into a filesystem type.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`fs_type',`
	gen_require(`
		attribute filesystem_type;
	')

	typeattribute $1 filesystem_type;
')

########################################
## <summary>
##	Transform specified type into a filesystem
##	type which does not have extended attribute
##	support.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`fs_make_noxattr_fs',`
	gen_require(`
		attribute noxattrfs;
	')

	fs_type($1)

	typeattribute $1 noxattrfs;
')

########################################
## <summary>
##	Associate the specified file type to persistent
##	filesystems with extended attributes.  This
##	allows a file of this type to be created on
##	a filesystem such as ext3, JFS, and XFS.
## </summary>
## <param name="file_type">
##	The type of the to be associated.
## </param>
#
interface(`fs_associate',`
	gen_require(`
		type fs_t;
		class filesystem associate;
	')

	allow $1 fs_t:filesystem associate;
')

########################################
## <summary>
##	Associate the specified file type to
##	filesystems which lack extended attributes
##	support.  This allows a file of this type
##	to be created on a filesystem such as
##	FAT32, and NFS.
## </summary>
## <param name="file_type">
##	The type of the to be associated.
## </param>
#
interface(`fs_associate_noxattr',`
	gen_require(`
		attribute noxattrfs;
		class filesystem associate;
	')

	allow $1 noxattrfs:filesystem associate;
')

########################################
## <summary>
##	Execute files on a filesystem that does
##	not support extended attributes.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_exec_noxattr',`
	gen_require(`
		attribute noxattrfs;
	')

	can_exec($1,noxattrfs)
')

########################################
## <summary>
##	Mount a persistent filesystem which
##	has extended attributes, such as
##	ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_xattr_fs',`
	gen_require(`
		type fs_t;
		class filesystem mount;
	')

	allow $1 fs_t:filesystem mount;
')

########################################
## <summary>
##	Remount a persistent filesystem which
##	has extended attributes, such as
##	ext3, JFS, or XFS.  This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_xattr_fs',`
	gen_require(`
		type fs_t;
		class filesystem remount;
	')

	allow $1 fs_t:filesystem remount;
')

########################################
## <summary>
##	Unmount a persistent filesystem which
##	has extended attributes, such as
##	ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_xattr_fs',`
	gen_require(`
		type fs_t;
		class filesystem unmount;
	')

	allow $1 fs_t:filesystem mount;
')

########################################
## <summary>
##	Get the attributes of a persistent
##	filesystem which has extended
##	attributes, such as ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_xattr_fs',`
	gen_require(`
		type fs_t;
		class filesystem getattr;
	')

	allow $1 fs_t:filesystem getattr;
')

########################################
## <summary>
##	Do not audit attempts to
##	get the attributes of a persistent
##	filesystem which has extended
##	attributes, such as ext3, JFS, or XFS.
## </summary>
## <param name="domain">
##	The type of the domain to not audit.
## </param>
#
interface(`fs_dontaudit_getattr_xattr_fs',`
	gen_require(`
		type fs_t;
		class filesystem getattr;
	')

	dontaudit $1 fs_t:filesystem getattr;
')

########################################
## <summary>
##	Allow changing of the label of a
##	filesystem with extended attributes
##	using the context= mount option.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_relabelfrom_xattr_fs',`
	gen_require(`
		type fs_t;
		class filesystem relabelfrom;
	')

	allow $1 fs_t:filesystem relabelfrom;
')

########################################
## <summary>
##	Get the filesystem quotas of a filesystem
##	with extended attributes.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_get_xattr_fs_quota',`
	gen_require(`
		type fs_t;
		class filesystem quotaget;
	')

	allow $1 fs_t:filesystem quotaget;
')

########################################
## <summary>
##	Set the filesystem quotas of a filesystem
##	with extended attributes.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_set_xattr_fs_quota',`
	gen_require(`
		type fs_t;
		class filesystem quotamod;
	')

	allow $1 fs_t:filesystem quotamod;
')

########################################
## <summary>
##	Mount an automount pseudo filesystem.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_autofs',`
	gen_require(`
		type autofs_t;
		class filesystem mount;
	')

	allow $1 autofs_t:filesystem mount;
')


########################################
## <summary>
##	Remount an automount pseudo filesystem
##	This allows some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_autofs',`
	gen_require(`
		type autofs_t;
		class filesystem remount;
	')

	allow $1 autofs_t:filesystem remount;
')

########################################
## <summary>
##	Unmount an automount pseudo filesystem.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_autofs',`
	gen_require(`
		type autofs_t;
		class filesystem unmount;
	')

	allow $1 autofs_t:filesystem mount;
')

########################################
## <summary>
##	Get the attributes of an automount
##	pseudo filesystem.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_autofs',`
	gen_require(`
		type autofs_t;
		class filesystem getattr;
	')

	allow $1 autofs_t:filesystem getattr;
')

########################################
## <summary>
##	Search automount filesystem to use automatically
##	mounted filesystems.
## </summary>
## <param name="domain">
##	The type of the domain performing this action.
## </param>
#
interface(`fs_search_auto_mountpoints',`
	gen_require(`
		type autofs_t;
		class dir { getattr search };
	')

	allow $1 autofs_t:dir { getattr search };
')

########################################
## <summary>
##	Register an interpreter for new binary
##	file types, using the kernel binfmt_misc
##	support.  A common use for this is to
##	register a JVM as an interpreter for
##	Java byte code.  Registered binaries
##	can be directly executed on a command line
##	without specifying the interpreter.
## </summary>
## <param name="domain">
##	The type of the domain registering
##	the interpreter.
## </param>
#
interface(`fs_register_binary_executable_type',`
	gen_require(`
		type binfmt_misc_fs_t;
		class dir { getattr search };
		class file { getattr ioctl write };
	')

	allow $1 binfmt_misc_fs_t:dir { getattr search };
	allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
')

########################################
## <summary>
##	Mount a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_cifs',`
	gen_require(`
		type cifs_t;
		class filesystem mount;
	')

	allow $1 cifs_t:filesystem mount;
')

########################################
## <summary>
##	Remount a CIFS or SMB network filesystem.
##	This allows some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_remount_cifs',`
	gen_require(`
		type cifs_t;
		class filesystem remount;
	')

	allow $1 cifs_t:filesystem remount;
')

########################################
## <summary>
##	Unmount a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_unmount_cifs',`
	gen_require(`
		type cifs_t;
		class filesystem unmount;
	')

	allow $1 cifs_t:filesystem unmount;
')

########################################
## <summary>
##	Get the attributes of a CIFS or
##	SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_cifs',`
	gen_require(`
		type cifs_t;
		class filesystem getattr;
	')

	allow $1 cifs_t:filesystem getattr;
')

########################################
## <summary>
##	Search directories on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	The type of the domain reading the files.
## </param>
#
interface(`fs_search_cifs',`
	gen_require(`
		type cifs_t;
		class dir search;
	')

	allow $1 cifs_t:dir search;
')

########################################
## <summary>
##	List the contents of directories on a
##	CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	The type of the domain reading the files.
## </param>
#
interface(`fs_list_cifs',`
	gen_require(`
		type cifs_t;
		class dir r_dir_perms;
	')

	allow $1 cifs_t:dir r_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to list the contents
##	of directories on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`fs_dontaudit_list_cifs',`
	gen_require(`
		type cifs_t;
	')

	dontaudit $1 cifs_t:dir r_dir_perms;
')

########################################
## <summary>
##	Read files on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	The type of the domain reading the files.
## </param>
#
interface(`fs_read_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:dir r_dir_perms;
	allow $1 cifs_t:file r_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read
##	files on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	The type of the domain to not audit.
## </param>
#
interface(`fs_dontaudit_read_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	dontaudit $1 cifs_t:file r_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read or
##	write files on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	The type of the domain to not audit.
## </param>
#
interface(`fs_dontaudit_rw_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	dontaudit $1 cifs_t:file { read write };
')

########################################
## <summary>
##	Read symbolic links on a CIFS or SMB filesystem.
## </summary>
## <param name="domain">
##	The type of the domain reading the symbolic links.
## </param>
#
interface(`fs_read_cifs_symlinks',`
	gen_require(`
		type cifs_t;
		class dir r_dir_perms;
		class lnk_file r_file_perms;
	')

	allow $1 cifs_t:dir r_dir_perms;
	allow $1 cifs_t:lnk_file r_file_perms;
')

########################################
## <summary>
##	Execute files on a CIFS or SMB
##	network filesystem, in the caller
##	domain.
## </summary>
## <param name="domain">
##	The type of the domain executing the files.
## </param>
#
interface(`fs_execute_cifs_files',`
	gen_require(`
		type cifs_t;
		class dir r_dir_perms;
	')

	allow $1 cifs_t:dir r_dir_perms;
	can_exec($1, cifs_t)
')

########################################
## <summary>
##	Do not audit attempts to read or
##	write files on a CIFS or SMB filesystems.
## </summary>
## <param name="domain">
##	The type of the domain to not audit.
## </param>
#
interface(`fs_read_cifs_files',`
	gen_require(`
		type cifs_t;
		class file { read write };
	')

	dontaudit $1 cifs_t:file { read write };
')

########################################
## <summary>
##	Create, read, write, and delete directories
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the directories.
## </param>
#
interface(`fs_manage_cifs_dirs',`
	gen_require(`
		type cifs_t;
	')

	allow $1 cifs_t:dir create_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to create, read,
##	write, and delete directories
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the directories.
## </param>
#
interface(`fs_dontaudit_manage_cifs_dirs',`
	gen_require(`
		type cifs_t;
	')

	dontaudit $1 cifs_t:dir create_dir_perms;
')

########################################
## <summary>
##	Create, read, write, and delete files
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the files.
## </param>
#
interface(`fs_manage_cifs_files',`
	gen_require(`
		type cifs_t;
		class dir rw_dir_perms;
		class file create_file_perms;
	')

	allow $1 cifs_t:dir rw_dir_perms;
	allow $1 cifs_t:file create_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to create, read,
##	write, and delete files
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`fs_dontaudit_manage_cifs_files',`
	gen_require(`
		type cifs_t;
	')

	dontaudit $1 cifs_t:file create_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete symbolic links
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the symbolic links.
## </param>
#
interface(`fs_manage_cifs_symlinks',`
	gen_require(`
		type cifs_t;
		class dir rw_dir_perms;
		class lnk_file create_lnk_perms;
	')

	allow $1 cifs_t:dir rw_dir_perms;
	allow $1 cifs_t:lnk_file create_lnk_perms;
')

########################################
## <summary>
##	Create, read, write, and delete named pipes
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the pipes.
## </param>
#
interface(`fs_manage_cifs_named_pipes',`
	gen_require(`
		type cifs_t;
		class dir rw_dir_perms;
		class fifo_file create_file_perms;
	')

	allow $1 cifs_t:dir rw_dir_perms;
	allow $1 cifs_t:fifo_file create_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete named sockets
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the sockets.
## </param>
#
interface(`fs_manage_cifs_named_sockets',`
	gen_require(`
		type cifs_t;
		class dir rw_dir_perms;
		class sock_file create_file_perms;
	')

	allow $1 cifs_t:dir rw_file_perms;
	allow $1 cifs_t:sock_file create_file_perms;
')

########################################
## <summary>
##	Execute a file on a CIFS or SMB filesystem
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a file on a CIFS or SMB filesystem
##	in the specified domain.  This allows
##	the specified domain to execute any file
##	on these filesystems in the specified
##	domain.  This is not suggested.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	This interface was added to handle
##	home directories on CIFS/SMB filesystems,
##	in particular used by the ssh-agent policy.
##	</p>
## </desc>
## <param name="domain">
##	The type of the process performing this action.
## </param>
## <param name="target_domain">
##	The type of the new process.
## </param>
#
interface(`fs_cifs_domtrans',`
	gen_require(`
		type cifs_t;
		class dir search;
	')

	allow $1 cifs_t:dir search;

	domain_auto_trans($1,cifs_t,$2)
')

########################################
## <summary>
##	Mount a DOS filesystem, such as
##	FAT32 or NTFS.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_dos_fs',`
	gen_require(`
		type dosfs_t;
		class filesystem mount;
	')

	allow $1 dosfs_t:filesystem mount;
')

########################################
## <summary>
##	Remount a DOS filesystem, such as
##	FAT32 or NTFS.  This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_dos_fs',`
	gen_require(`
		type dosfs_t;
		class filesystem remount;
	')

	allow $1 dosfs_t:filesystem remount;
')

########################################
## <summary>
##	Unmount a DOS filesystem, such as
##	FAT32 or NTFS.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_dos_fs',`
	gen_require(`
		type dosfs_t;
		class filesystem unmount;
	')

	allow $1 dosfs_t:filesystem mount;
')

########################################
## <summary>
##	Get the attributes of a DOS
##	filesystem, such as FAT32 or NTFS.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_dos_fs',`
	gen_require(`
		type dosfs_t;
		class filesystem getattr;
	')

	allow $1 dosfs_t:filesystem getattr;
')

########################################
## <summary>
##	Allow changing of the label of a
##	DOS filesystem using the context= mount option.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_relabelfrom_dos_fs',`
	gen_require(`
		type dosfs_t;
		class filesystem relabelfrom;
	')

	allow $1 dosfs_t:filesystem relabelfrom;
')

########################################
## <summary>
##	Mount an iso9660 filesystem, which
##	is usually used on CDs.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_iso9660_fs',`
	gen_require(`
		type iso9660_t;
		class filesystem mount;
	')

	allow $1 iso9660_t:filesystem mount;
')

########################################
## <summary>
##	Remount an iso9660 filesystem, which
##	is usually used on CDs.  This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_iso9660_fs',`
	gen_require(`
		type iso9660_t;
		class filesystem remount;
	')

	allow $1 iso9660_t:filesystem remount;
')

########################################
## <summary>
##	Unmount an iso9660 filesystem, which
##	is usually used on CDs.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_iso9660_fs',`
	gen_require(`
		type iso9660_t;
		class filesystem unmount;
	')

	allow $1 iso9660_t:filesystem mount;
')

########################################
## <summary>
##	Get the attributes of an iso9660
##	filesystem, which is usually used on CDs.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_iso9660_fs',`
	gen_require(`
		type iso9660_t;
		class filesystem getattr;
	')

	allow $1 iso9660_t:filesystem getattr;
')

########################################
## <summary>
##	Mount a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_nfs',`
	gen_require(`
		type nfs_t;
		class filesystem mount;
	')

	allow $1 nfs_t:filesystem mount;
')

########################################
## <summary>
##	Remount a NFS filesystem.  This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_nfs',`
	gen_require(`
		type nfs_t;
		class filesystem remount;
	')

	allow $1 nfs_t:filesystem remount;
')

########################################
## <summary>
##	Unmount a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_nfs',`
	gen_require(`
		type nfs_t;
		class filesystem unmount;
	')

	allow $1 nfs_t:filesystem mount;
')

########################################
## <summary>
##	Get the attributes of a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_nfs',`
	gen_require(`
		type nfs_t;
		class filesystem getattr;
	')

	allow $1 nfs_t:filesystem getattr;
')

########################################
## <summary>
##	Search directories on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain reading the files.
## </param>
#
interface(`fs_search_nfs',`
	gen_require(`
		type nfs_t;
		class dir search;
	')

	allow $1 nfs_t:dir search;
')

########################################
## <summary>
##	Do not audit attempts to list the contents
##	of directories on a NFS filesystem.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`fs_dontaudit_list_nfs',`
	gen_require(`
		type nfs_t;
	')

	dontaudit $1 nfs_t:dir r_dir_perms;
')

########################################
## <summary>
##	Read files on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain reading the files.
## </param>
#
interface(`fs_read_nfs_files',`
	gen_require(`
		type nfs_t;
		class dir r_dir_perms;
		class file r_file_perms;
	')

	allow $1 nfs_t:dir r_dir_perms;
	allow $1 nfs_t:file r_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read
##	files on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain to not audit.
## </param>
#
interface(`fs_dontaudit_read_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	dontaudit $1 nfs_t:file r_file_perms;
')

########################################
## <summary>
##	Execute files on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain executing the files.
## </param>
#
interface(`fs_execute_nfs_files',`
	gen_require(`
		type nfs_t;
		class dir r_dir_perms;
	')

	allow $1 nfs_t:dir r_dir_perms;
	can_exec($1, nfs_t)
')

########################################
## <summary>
##	Do not audit attempts to read or
##	write files on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain to not audit.
## </param>
#
interface(`fs_dontaudit_rw_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	dontaudit $1 nfs_t:file { read write };
')

########################################
## <summary>
##	Read symbolic links on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain reading the symbolic links.
## </param>
#
interface(`fs_read_nfs_symlinks',`
	gen_require(`
		type nfs_t;
		class dir r_dir_perms;
		class lnk_file r_file_perms;
	')

	allow $1 nfs_t:dir r_dir_perms;
	allow $1 nfs_t:lnk_file r_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete directories
##	on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the directories.
## </param>
#
interface(`fs_manage_nfs_dirs',`
	gen_require(`
		type nfs_t;
		class dir create_dir_perms;
	')

	allow $1 nfs_t:dir create_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to create, read,
##	write, and delete directories
##	on a NFS filesystem.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`fs_dontaudit_manage_nfs_dirs',`
	gen_require(`
		type nfs_t;
	')

	dontaudit $1 nfs_t:dir create_dir_perms;
')

########################################
## <summary>
##	Create, read, write, and delete files
##	on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the files.
## </param>
#
interface(`fs_manage_nfs_files',`
	gen_require(`
		type nfs_t;
		class dir rw_dir_perms;
		class file create_file_perms;
	')

	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:file create_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to create,
##	read, write, and delete files
##	on a NFS filesystem.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`fs_dontaudit_manage_nfs_files',`
	gen_require(`
		type nfs_t;
	')

	dontaudit $1 nfs_t:file create_file_perms;
')

#########################################
## <summary>
##	Create, read, write, and delete symbolic links
##	on a CIFS or SMB network filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the symbolic links.
## </param>
#
interface(`fs_manage_nfs_symlinks',`
	gen_require(`
		type nfs_t;
		class dir r_dir_perms;
		class lnk_file create_lnk_perms;
	')

	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:lnk_file create_lnk_perms;
')

#########################################
## <summary>
##	Create, read, write, and delete named pipes
##	on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the pipes.
## </param>
#
interface(`fs_manage_nfs_named_pipes',`
	gen_require(`
		type nfs_t;
		class dir rw_dir_perms;
		class fifo_file create_file_perms;
	')

	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:fifo_file create_file_perms;
')

#########################################
## <summary>
##	Create, read, write, and delete named sockets
##	on a NFS filesystem.
## </summary>
## <param name="domain">
##	The type of the domain managing the sockets.
## </param>
#
interface(`fs_manage_nfs_named_sockets',`
	gen_require(`
		type nfs_t;
		class dir rw_dir_perms;
		class sock_file create_file_perms;
	')

	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:sock_file create_file_perms;
')

########################################
## <summary>
##	Execute a file on a NFS filesystem
##	in the specified domain.
## </summary>
## <desc>
##	<p>
##	Execute a file on a NFS filesystem
##	in the specified domain.  This allows
##	the specified domain to execute any file
##	on a NFS filesystem in the specified
##	domain.  This is not suggested.
##	</p>
##	<p>
##	No interprocess communication (signals, pipes,
##	etc.) is provided by this interface since
##	the domains are not owned by this module.
##	</p>
##	<p>
##	This interface was added to handle
##	home directories on NFS filesystems,
##	in particular used by the ssh-agent policy.
##	</p>
## </desc>
## <param name="domain">
##	The type of the process performing this action.
## </param>
## <param name="target_domain">
##	The type of the new process.
## </param>
#
interface(`fs_nfs_domtrans',`
	gen_require(`
		type nfs_t;
		class dir search;
	')

	allow $1 nfs_t:dir search;

	domain_auto_trans($1,nfs_t,$2)
')

########################################
## <summary>
##	Mount a NFS server pseudo filesystem.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_nfsd_fs',`
	gen_require(`
		type nfsd_fs_t;
		class filesystem mount;
	')

	allow $1 nfsd_fs_t:filesystem mount;
')

########################################
## <summary>
##	Mount a NFS server pseudo filesystem.
##	This allows some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_nfsd_fs',`
	gen_require(`
		type nfsd_fs_t;
		class filesystem remount;
	')

	allow $1 nfsd_fs_t:filesystem remount;
')

########################################
## <summary>
##	Unmount a NFS server pseudo filesystem.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_nfsd_fs',`
	gen_require(`
		type nfsd_fs_t;
		class filesystem unmount;
	')

	allow $1 nfsd_fs_t:filesystem mount;
')

########################################
## <summary>
##	Get the attributes of a NFS server
##	pseudo filesystem.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_nfsd_fs',`
	gen_require(`
		type nfsd_fs_t;
		class filesystem getattr;
	')

	allow $1 nfsd_fs_t:filesystem getattr;
')

########################################
## <summary>
##	Mount a RAM filesystem.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_ramfs',`
	gen_require(`
		type ramfs_t;
		class filesystem mount;
	')

	allow $1 ramfs_t:filesystem mount;
')

########################################
## <summary>
##	Remount a RAM filesystem.  This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_ramfs',`
	gen_require(`
		type ramfs_t;
		class filesystem remount;
	')

	allow $1 ramfs_t:filesystem remount;
')

########################################
## <summary>
##	Unmount a RAM filesystem.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_ramfs',`
	gen_require(`
		type ramfs_t;
		class filesystem unmount;
	')

	allow $1 ramfs_t:filesystem mount;
')

########################################
## <summary>
##	Get the attributes of a RAM filesystem.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_ramfs',`
	gen_require(`
		type ramfs_t;
		class filesystem getattr;
	')

	allow $1 ramfs_t:filesystem getattr;
')

########################################
## <summary>
##	Search directories on a ramfs
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_search_ramfs',`
	gen_require(`
		type ramfs_t;
	')

	allow $1 ramfs_t:dir search;
')

########################################
## <summary>
##	Write to named socket on a ramfs filesystem.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_write_ramfs_socket',`
	gen_require(`
		type ramfs_t;
	')

	allow $1 ramfs_t:sock_file write;
')

########################################
## <summary>
##	Mount a ROM filesystem.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_romfs',`
	gen_require(`
		type romfs_t;
		class filesystem mount;
	')

	allow $1 romfs_t:filesystem mount;
')

########################################
## <summary>
##	Remount a ROM filesystem.  This allows
##	some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_romfs',`
	gen_require(`
		type romfs_t;
		class filesystem remount;
	')

	allow $1 romfs_t:filesystem remount;
')

########################################
## <summary>
##	Unmount a ROM filesystem.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_romfs',`
	gen_require(`
		type romfs_t;
		class filesystem unmount;
	')

	allow $1 romfs_t:filesystem mount;
')

########################################
## <summary>
##	Get the attributes of a ROM
##	filesystem.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_romfs',`
	gen_require(`
		type romfs_t;
		class filesystem getattr;
	')

	allow $1 romfs_t:filesystem getattr;
')

########################################
## <summary>
##	Mount a RPC pipe filesystem.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_rpc_pipefs',`
	gen_require(`
		type rpc_pipefs_t;
		class filesystem mount;
	')

	allow $1 rpc_pipefs_t:filesystem mount;
')

########################################
## <summary>
##	Remount a RPC pipe filesystem.  This
##	allows some mount option to be changed.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_rpc_pipefs',`
	gen_require(`
		type rpc_pipefs_t;
		class filesystem remount;
	')

	allow $1 rpc_pipefs_t:filesystem remount;
')

########################################
## <summary>
##	Unmount a RPC pipe filesystem.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_rpc_pipefs',`
	gen_require(`
		type rpc_pipefs_t;
		class filesystem unmount;
	')

	allow $1 rpc_pipefs_t:filesystem mount;
')

########################################
## <summary>
##	Get the attributes of a RPC pipe
##	filesystem.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_rpc_pipefs',`
	gen_require(`
		type rpc_pipefs_t;
		class filesystem getattr;
	')

	allow $1 rpc_pipefs_t:filesystem getattr;
')

########################################
## <summary>
##	Mount a tmpfs filesystem.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_tmpfs',`
	gen_require(`
		type tmpfs_t;
		class filesystem mount;
	')

	allow $1 tmpfs_t:filesystem mount;
')

########################################
## <summary>
##	Remount a tmpfs filesystem.
## </summary>
## <param name="domain">
##	The type of the domain remounting the filesystem.
## </param>
#
interface(`fs_remount_tmpfs',`
	gen_require(`
		type tmpfs_t;
		class filesystem remount;
	')

	allow $1 tmpfs_t:filesystem remount;
')

########################################
## <summary>
##	Unmount a tmpfs filesystem.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_tmpfs',`
	gen_require(`
		type tmpfs_t;
		class filesystem unmount;
	')

	allow $1 tmpfs_t:filesystem mount;
')

########################################
## <summary>
##	Get the attributes of a tmpfs
##	filesystem.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_tmpfs',`
	gen_require(`
		type tmpfs_t;
		class filesystem getattr;
	')

	allow $1 tmpfs_t:filesystem getattr;
')

########################################
## <summary>
##	Allow the type to associate to tmpfs filesystems.
## </summary>
## <param name="type">
##	The type of the object to be associated.
## </param>
#
interface(`fs_associate_tmpfs',`
	gen_require(`
		type tmpfs_t;
		class filesystem associate;
	')

	allow $1 tmpfs_t:filesystem associate;
')

########################################
## <summary>
##	Get the attributes of tmpfs directories.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_getattr_tmpfs_dir',`
	gen_require(`
		type tmpfs_t;
		class dir getattr;
	')

	allow $1 tmpfs_t:dir getattr;
')

########################################
## <summary>
##	Set the attributes of tmpfs directories.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_setattr_tmpfs_dir',`
	gen_require(`
		type tmpfs_t;
		class dir setattr;
	')

	allow $1 tmpfs_t:dir setattr;
')

########################################
## <summary>
##	Search tmpfs directories.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_search_tmpfs',`
	gen_require(`
		type tmpfs_t;
		class dir search;
	')

	allow $1 tmpfs_t:dir search;
')

########################################
## <summary>
##	List the contents of generic tmpfs directories.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_list_tmpfs',`
	gen_require(`
		type tmpfs_t;
		class dir r_dir_perms;
	')

	allow $1 tmpfs_t:dir r_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to list the
##	contents of generic tmpfs directories.
## </summary>
## <param name="domain">
##	Domain to not audit.
## </param>
#
interface(`fs_dontaudit_list_tmpfs',`
	gen_require(`
		type tmpfs_t;
		class dir r_dir_perms;
	')

	dontaudit $1 tmpfs_t:dir r_dir_perms;
')

########################################
## <summary>
##	Create, read, write, and delete
##	tmpfs directories
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_manage_tmpfs_dirs',`
	gen_require(`
		type tmpfs_t;
		class dir create_dir_perms;
	')

	allow $1 tmpfs_t:dir create_dir_perms;
')

########################################
#
# fs_create_tmpfs_data(domain,derivedtype,[class])
#
interface(`fs_create_tmpfs_data',`
	gen_require(`
		type tmpfs_t;
		class filesystem associate;
		class dir rw_dir_perms; 
	')

	allow $2 tmpfs_t:filesystem associate;
	allow $1 tmpfs_t:dir rw_dir_perms;

	ifelse(`$3',`',`
		type_transition $1 tmpfs_t:file $2;
	',`
		type_transition $1 tmpfs_t:$3 $2;
	')
')

########################################
## <summary>
##	Read and write character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`fs_use_tmpfs_chr_dev',`
	gen_require(`
		type tmpfs_t;
		class dir r_dir_perms; 
		class chr_file rw_file_perms;
	')

	allow $1 tmpfs_t:dir r_dir_perms;
	allow $1 tmpfs_t:chr_file rw_file_perms;
')

########################################
## <summary>
##	Relabel character nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`fs_relabel_tmpfs_chr_dev',`
	gen_require(`
		type tmpfs_t;
		class dir r_dir_perms;
		class chr_file { getattr relabelfrom relabelto };
	')

	allow $1 tmpfs_t:dir r_dir_perms;
	allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
')

########################################
## <summary>
##	Read and write block nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`fs_use_tmpfs_blk_dev',`
	gen_require(`
		type tmpfs_t;
		class dir r_dir_perms; 
		class blk_file rw_file_perms;
	')

	allow $1 tmpfs_t:dir r_dir_perms;
	allow $1 tmpfs_t:blk_file rw_file_perms;
')

########################################
## <summary>
##	Relabel block nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`fs_relabel_tmpfs_blk_dev',`
	gen_require(`
		type tmpfs_t;
		class dir r_dir_perms;
		class blk_file { getattr relabelfrom relabelto };
	')

	allow $1 tmpfs_t:dir r_dir_perms;
	allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
')

########################################
## <summary>
##	Read and write, create and delete generic
##	files on tmpfs filesystems.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`fs_manage_tmpfs_files',`
	gen_require(`
		type tmpfs_t;
		class dir rw_dir_perms;
		class file create_file_perms;
	')

	allow $1 tmpfs_t:dir rw_dir_perms;
	allow $1 tmpfs_t:file create_file_perms;
')

########################################
## <summary>
##	Read and write, create and delete symbolic
##	links on tmpfs filesystems.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`fs_manage_tmpfs_symlinks',`
	gen_require(`
		type tmpfs_t;
		class dir rw_dir_perms;
		class chr_file create_lnk_perms;
	')

	allow $1 tmpfs_t:dir rw_dir_perms;
	allow $1 tmpfs_t:chr_file create_lnk_perms;
')

########################################
## <summary>
##	Read and write, create and delete socket
##	files on tmpfs filesystems.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`fs_manage_tmpfs_sockets',`
	gen_require(`
		type tmpfs_t;
		class dir rw_dir_perms;
		class sock_file create_file_perms;
	')

	allow $1 tmpfs_t:dir rw_dir_perms;
	allow $1 tmpfs_t:sock_file create_file_perms;
')

########################################
## <summary>
##	Read and write, create and delete character
##	nodes on tmpfs filesystems.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`fs_manage_tmpfs_chr_dev',`
	gen_require(`
		type tmpfs_t;
		class dir rw_dir_perms;
		class chr_file create_file_perms;
	')

	allow $1 tmpfs_t:dir rw_dir_perms;
	allow $1 tmpfs_t:chr_file create_file_perms;
')

########################################
## <summary>
##	Read and write, create and delete block nodes
##	on tmpfs filesystems.
## </summary>
## <param name="domain">
##	The type of the process performing this action.
## </param>
#
interface(`fs_manage_tmpfs_blk_dev',`
	gen_require(`
		type tmpfs_t;
		class dir rw_dir_perms;
		class blk_file create_file_perms;
	')

	allow $1 tmpfs_t:dir rw_dir_perms;
	allow $1 tmpfs_t:blk_file create_file_perms;
')

########################################
## <summary>
##	Mount all filesystems.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_mount_all_fs',`
	gen_require(`
		attribute filesystem_type;
		class filesystem mount;
	')

	allow $1 filesystem_type:filesystem mount;
')

########################################
## <summary>
##	Remount all filesystems.  This
##	allows some mount options to be changed.
## </summary>
## <param name="domain">
##	The type of the domain mounting the filesystem.
## </param>
#
interface(`fs_remount_all_fs',`
	gen_require(`
		attribute filesystem_type;
		class filesystem remount;
	')

	allow $1 filesystem_type:filesystem remount;
')

########################################
## <summary>
##	Unmount all filesystems.
## </summary>
## <param name="domain">
##	The type of the domain unmounting the filesystem.
## </param>
#
interface(`fs_unmount_all_fs',`
	gen_require(`
		attribute filesystem_type;
		class filesystem unmount;
	')

	allow $1 filesystem_type:filesystem unmount;
')

########################################
## <summary>
##	Get the attributes of all persistent
##	filesystems.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_getattr_all_fs',`
	gen_require(`
		attribute filesystem_type;
		class filesystem getattr;
	')

	allow $1 filesystem_type:filesystem getattr;
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	all filesystems.
## </summary>
## <param name="domain">
##	The type of the domain to not audit.
## </param>
#
interface(`fs_dontaudit_getattr_all_fs',`
	gen_require(`
		attribute filesystem_type;
		class filesystem getattr;
	')

	dontaudit $1 filesystem_type:filesystem getattr;
')

########################################
## <summary>
##	Get the quotas of all filesystems.
## </summary>
## <param name="domain">
##	The type of the domain getting quotas.
## </param>
#
interface(`fs_get_all_fs_quotas',`
	gen_require(`
		attribute filesystem_type;
		class filesystem quotaget;
	')

	allow $1 filesystem_type:filesystem quotaget;
')

########################################
## <summary>
##	Set the quotas of all filesystems.
## </summary>
## <param name="domain">
##	The type of the domain setting quotas.
## </param>
#
interface(`fs_set_all_quotas',`
	gen_require(`
		attribute filesystem_type;
		class filesystem quotamod;
	')

	allow $1 filesystem_type:filesystem quotamod;
')

########################################
## <summary>
##	Relabelfrom all filesystems.
## </summary>
## <param name="domain">
##	The type of the domain doing the
##	getattr on the filesystem.
## </param>
#
interface(`fs_relabelfrom_all_fs',`
	gen_require(`
		attribute filesystem_type;
	')

	allow $1 filesystem_type:filesystem relabelfrom;
')

########################################
## <summary>
##	Search all directories with a filesystem type.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_search_all',`
	gen_require(`
		attribute filesystem_type;
		class dir { getattr search };
	')

	allow $1 filesystem_type:dir { getattr search };
')

########################################
## <summary>
##	List all directories with a filesystem type.
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_list_all',`
	gen_require(`
		attribute filesystem_type;
		class dir r_dir_perms;
	')

	allow $1 filesystem_type:dir r_dir_perms;
')

########################################
#
# fs_getattr_all_files(type)
#
interface(`fs_getattr_all_files',`
	gen_require(`
		attribute filesystem_type;
		class dir { search getattr };
		class file getattr;
		class lnk_file getattr;
		class fifo_file getattr;
		class sock_file getattr;
	')

	allow $1 filesystem_type:dir { search getattr };
	allow $1 filesystem_type:file getattr;
	allow $1 filesystem_type:lnk_file getattr;
	allow $1 filesystem_type:fifo_file getattr;
	allow $1 filesystem_type:sock_file getattr;
')

########################################
## <summary>
##	Unconfined access to filesystems
## </summary>
## <param name="domain">
##	Domain allowed access.
## </param>
#
interface(`fs_unconfined',`
	gen_require(`
		attribute filesystem_type;
	')

	allow $1 filesystem_type:filesystem *;

	# Create/access other files.  fs_type is to pick up various
	# pseudo filesystem types that are applied to both the filesystem
	# and its files.
	allow $1 filesystem_type:{ dir lnk_file sock_file fifo_file blk_file } *;
')