Blob Blame History Raw
## <module name="filesystem" layer="kernel">
## <summary>Policy for filesystems.</summary>

########################################
#
# fs_make_fs(type)
#
define(`fs_make_fs',`
	requires_block_template(`$0'_depend)

	typeattribute $1 fs_type;
')

define(`fs_make_fs_depend',`
	attribute fs_type;
')

########################################
#
# fs_associate(type)
#
define(`fs_associate',`
	requires_block_template(`$0'_depend)

	allow $1 fs_t:filesystem associate;
')

define(`fs_associate_depend',`
	type fs_t;

	class filesystem associate;
')

########################################
#
# fs_noxattr_associate(type)
#
define(`fs_noxattr_associate',`
	requires_block_template(`$0'_depend)

	allow $1 autofs_t:filesystem associate;
	allow $1 cifs_t:filesystem associate;
	allow $1 dosfs_t:filesystem associate;
	allow $1 iso9660_t:filesystem associate;
	allow $1 nfs_t:filesystem associate;
	allow $1 removable_t:filesystem associate;
	allow $1 usbfs_t:filesystem associate;
')

define(`fs_noxattr_associate_depend',`
	type fs_t, nfs_t, cifs_t, dosfs_t, iso9660_t, autofs_t, usbfs_t, removable_t;

	class filesystem associate;
')

########################################
#
# fs_mount_persistent_fs(domain)
#
define(`fs_mount_persistent_fs',`
	requires_block_template(`$0'_depend)

	allow $1 fs_t:filesystem mount;
')

define(`fs_mount_persistent_fs_depend',`
	type fs_t;

	class filesystem mount;
')

########################################
#
# fs_remount_persistent_fs(domain)
#
define(`fs_remount_persistent_fs',`
	requires_block_template(`$0'_depend)

	allow $1 fs_t:filesystem remount;
')

define(`fs_remount_persistent_fs_depend',`
	type fs_t;

	class filesystem remount;
')

########################################
#
# fs_unmount_persistent_fs(domain)
#
define(`fs_unmount_persistent_fs',`
	requires_block_template(`$0'_depend)

	allow $1 fs_t:filesystem mount;
')

define(`fs_unmount_persistent_fs_depend',`
	type fs_t;

	class filesystem unmount;
')

########################################
#
# fs_getattr_persistent_fs(domain)
#
define(`fs_getattr_persistent_fs',`
	requires_block_template(`$0'_depend)

	allow $1 fs_t:filesystem getattr;
')

define(`fs_getattr_persistent_fs_depend',`
	type fs_t;

	class filesystem getattr;
')

########################################
#
# fs_ignore_getattr_persistent_fs(domain)
#
define(`fs_ignore_getattr_persistent_fs',`
	requires_block_template(`$0'_depend)

	dontaudit $1 fs_t:filesystem getattr;
')

define(`fs_ignore_getattr_persistent_fs_depend',`
	type fs_t;

	class filesystem getattr;
')

########################################
#
# fs_relabelfrom_persistent_fs(domain)
#
define(`fs_relabelfrom_persistent_fs',`
	requires_block_template(`$0'_depend)

	allow $1 fs_t:filesystem relabelfrom;
')

define(`fs_relabelfrom_persistent_fs_depend',`
	type fs_t;

	class filesystem relabelfrom;
')

########################################
#
# fs_mount_autofs(domain)
#
define(`fs_mount_autofs',`
	requires_block_template(`$0'_depend)

	allow $1 autofs_t:filesystem mount;
')

define(`fs_mount_autofs_depend',`
	type autofs_t;
	class filesystem mount;
')

########################################
#
# fs_remount_autofs(domain)
#
define(`fs_remount_autofs',`
	requires_block_template(`$0'_depend)

	allow $1 autofs_t:filesystem remount;
')

define(`fs_remount_autofs_depend',`
	type autofs_t;

	class filesystem remount;
')

########################################
#
# fs_unmount_autofs(domain)
#
define(`fs_unmount_autofs',`
	requires_block_template(`$0'_depend)

	allow $1 autofs_t:filesystem mount;
')

define(`fs_unmount_autofs_depend',`
	type autofs_t;

	class filesystem unmount;
')

########################################
#
# fs_getattr_autofs(domain)
#
define(`fs_getattr_autofs',`
	requires_block_template(`$0'_depend)

	allow $1 autofs_t:filesystem getattr;
')

define(`fs_getattr_autofs_depend',`
	type autofs_t;

	class filesystem getattr;
')

########################################
#
# fs_register_binary_executable_type(domain)
#
define(`fs_register_binary_executable_type',`
	requires_block_template(`$0'_depend)

	allow $1 binfmt_misc_fs_t:dir { getattr search };
	allow $1 binfmt_misc_fs_t:file { getattr ioctl write };
')

define(`fs_register_binary_executable_type_depend',`
	type binfmt_misc_fs_t;

	class dir { getattr search };
	class file { getattr ioctl write };
')

########################################
#
# fs_mount_cifs(domain)
#
define(`fs_mount_cifs',`
	requires_block_template(`$0'_depend)

	allow $1 cifs_t:filesystem mount;
')

define(`fs_mount_cifs_depend',`
	type cifs_t;

	class filesystem mount;
')

########################################
#
# fs_remount_cifs(domain)
#
define(`fs_remount_cifs',`
	requires_block_template(`$0'_depend)

	allow $1 cifs_t:filesystem remount;
')

define(`fs_remount_cifs_depend',`
	type cifs_t;

	class filesystem remount;
')

########################################
#
# fs_unmount_cifs(domain)
#
define(`fs_unmount_cifs',`
	requires_block_template(`$0'_depend)

	allow $1 cifs_t:filesystem mount;
')

define(`fs_unmount_cifs_depend',`
	type cifs_t;

	class filesystem unmount;
')

########################################
#
# fs_getattr_cifs(domain)
#
define(`fs_getattr_cifs',`
	requires_block_template(`$0'_depend)

	allow $1 cifs_t:filesystem getattr;
')

define(`fs_getattr_cifs_depend',`
	type cifs_t;

	class filesystem getattr;
')

########################################
#
# fs_execute_cifs_files(domain)
#
define(`fs_execute_cifs_files',`
	requires_block_template(`$0'_depend)

	allow $1 cifs_t:dir r_dir_perms;
	can_exec($1, cifs_t)
')

define(`fs_execute_cifs_files_depend',`
	type cifs_t;

	class dir r_dir_perms;
	class file { getattr read execute execute_no_trans };
')

########################################
#
# fs_manage_cifs_directories(domain)
#
define(`fs_manage_cifs_directories',`
	requires_block_template(`$0'_depend)

	allow $1 cifs_t:dir create_file_perms;
')

define(`fs_manage_cifs_directories_depend',`
	type cifs_t;

	class dir create_file_perms;
')

########################################
#
# fs_manage_cifs_files(domain)
#
define(`fs_manage_cifs_files',`
	requires_block_template(`$0'_depend)

	allow $1 cifs_t:dir rw_dir_perms;
	allow $1 cifs_t:file create_file_perms;
')

define(`fs_manage_cifs_files_depend',`
	type cifs_t;

	class dir rw_dir_perms;
	class file create_file_perms;
')

########################################
#
# fs_manage_cifs_symbolic_links(domain)
#
define(`fs_manage_cifs_symbolic_links',`
	requires_block_template(`$0'_depend)

	allow $1 cifs_t:dir rw_dir_perms;
	allow $1 cifs_t:lnk_file create_lnk_perms;
')

define(`fs_manage_cifs_symbolic_links_depend',`
	type cifs_t;

	class dir rw_dir_perms;
	class lnk_file create_lnk_perms;
')

########################################
#
# fs_manage_cifs_named_pipes(domain)
#
define(`fs_manage_cifs_named_pipes',`
	requires_block_template(`$0'_depend)

	allow $1 cifs_t:dir rw_dir_perms;
	allow $1 cifs_t:fifo_file create_file_perms;
')

define(`fs_manage_cifs_named_pipes_depend',`
	type cifs_t;

	class dir rw_dir_perms;
	class fifo_file create_file_perms;
')

########################################
#
# fs_manage_cifs_named_sockets(domain)
#
define(`fs_manage_cifs_named_sockets',`
	requires_block_template(`$0'_depend)

	allow $1 cifs_t:dir rw_file_perms;
	allow $1 cifs_t:sock_file create_file_perms;
')

define(`fs_manage_cifs_named_sockets_depend',`
	type cifs_t;

	class dir rw_dir_perms;
	class sock_file create_file_perms;
')

########################################
#
# fs_mount_dos_fs(domain)
#
define(`fs_mount_dos_fs',`
	requires_block_template(`$0'_depend)

	allow $1 dosfs_t:filesystem mount;
')

define(`fs_mount_dos_fs_depend',`
	type dosfs_t;

	class filesystem mount;
')

########################################
#
# fs_remount_dos_fs(domain)
#
define(`fs_remount_dos_fs',`
	requires_block_template(`$0'_depend)

	allow $1 dosfs_t:filesystem remount;
')

define(`fs_remount_dos_fs_depend',`
	type dosfs_t;

	class filesystem remount;
')

########################################
#
# fs_unmount_dos_fs(domain)
#
define(`fs_unmount_dos_fs',`
	requires_block_template(`$0'_depend)

	allow $1 dosfs_t:filesystem mount;
')

define(`fs_unmount_dos_fs_depend',`
	type dosfs_t;

	class filesystem unmount;
')

########################################
#
# fs_getattr_dos_fs(domain)
#
define(`fs_getattr_dos_fs',`
	requires_block_template(`$0'_depend)

	allow $1 dosfs_t:filesystem getattr;
')

define(`fs_getattr_dos_fs_depend',`
	type dosfs_t;

	class filesystem getattr;
')

########################################
#
# fs_relabelfrom_dos_fs(domain)
#
define(`fs_relabelfrom_dos_fs',`
	requires_block_template(`$0'_depend)

	allow $1 dosfs_t:filesystem relabelfrom;
')

define(`fs_relabelfrom_dos_fs_depend',`
	type dosfs_t;

	class filesystem relabelfrom;
')

########################################
#
# fs_mount_cd_fs(domain)
#
define(`fs_mount_cd_fs',`
	requires_block_template(`$0'_depend)

	allow $1 iso9660_t:filesystem mount;
')

define(`fs_mount_cd_fs_depend',`
	type iso9660_t;

	class filesystem mount;
')

########################################
#
# fs_remount_cd_fs(domain)
#
define(`fs_remount_cd_fs',`
	requires_block_template(`$0'_depend)

	allow $1 iso9660_t:filesystem remount;
')

define(`fs_remount_cd_fs_depend',`
	type iso9660_t;

	class filesystem remount;
')

########################################
#
# fs_unmount_cd_fs(domain)
#
define(`fs_unmount_cd_fs',`
	requires_block_template(`$0'_depend)

	allow $1 iso9660_t:filesystem mount;
')

define(`fs_unmount_cd_fs_depend',`
	type iso9660_t;

	class filesystem unmount;
')

########################################
#
# fs_getattr_cd_fs(domain)
#
define(`fs_getattr_cd_fs',`
	requires_block_template(`$0'_depend)

	allow $1 iso9660_t:filesystem getattr;
')

define(`fs_getattr_cd_fs_depend',`
	type iso9660_t;

	class filesystem getattr;
')

########################################
#
# fs_mount_nfs(domain)
#
define(`fs_mount_nfs',`
	requires_block_template(`$0'_depend)

	allow $1 nfs_t:filesystem mount;
')

define(`fs_mount_nfs_depend',`
	type nfs_t;

	class filesystem mount;
')

########################################
#
# fs_remount_nfs(domain)
#
define(`fs_remount_nfs',`
	requires_block_template(`$0'_depend)

	allow $1 nfs_t:filesystem remount;
')

define(`fs_remount_nfs_depend',`
	type nfs_t;

	class filesystem remount;
')

########################################
#
# fs_unmount_nfs(domain)
#
define(`fs_unmount_nfs',`
	requires_block_template(`$0'_depend)

	allow $1 nfs_t:filesystem mount;
')

define(`fs_unmount_nfs_depend',`
	type nfs_t;

	class filesystem unmount;
')

########################################
#
# fs_getattr_nfs(domain)
#
define(`fs_getattr_nfs',`
	requires_block_template(`$0'_depend)

	allow $1 nfs_t:filesystem getattr;
')

define(`fs_getattr_nfs_depend',`
	type nfs_t;

	class filesystem getattr;
')

########################################
#
# fs_execute_nfs_files(domain)
#
define(`fs_execute_nfs_files',`
	requires_block_template(`$0'_depend)

	allow $1 nfs_t:dir r_dir_perms;
	can_exec($1, nfs_t)
')

define(`fs_execute_nfs_files_depend',`
	type nfs_t;

	class dir r_dir_perms;
	class file { getattr read execute execute_no_trans };
')

########################################
#
# fs_manage_nfs_directories(domain)
#
define(`fs_manage_nfs_directories',`
	requires_block_template(`$0'_depend)

	allow $1 nfs_t:dir create_dir_perms;
')

define(`fs_manage_nfs_directories_depend',`
	type nfs_t;

	class dir create_dir_perms;
')

########################################
#
# fs_manage_nfs_files(domain)
#
define(`fs_manage_nfs_files',`
	requires_block_template(`$0'_depend)

	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:file create_file_perms;
')

define(`fs_manage_nfs_files_depend',`
	type nfs_t;

	class dir rw_dir_perms;
	class file create_file_perms;
')

########################################
#
# fs_manage_nfs_symbolic_links(domain)
#
define(`fs_manage_nfs_symbolic_links',`
	requires_block_template(`$0'_depend)

	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:lnk_file create_lnk_perms;
')

define(`fs_manage_nfs_symbolic_links_depend',`
	type nfs_t;

	class dir r_dir_perms;
	class lnk_file create_lnk_perms;
')

########################################
#
# fs_manage_nfs_named_pipes(domain)
#
define(`fs_manage_nfs_named_pipes',`
	requires_block_template(`$0'_depend)

	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:fifo_file create_file_perms;
')

define(`fs_manage_nfs_named_pipes_depend',`
	type nfs_t;

	class dir rw_dir_perms;
	class fifo_file create_file_perms;
')

########################################
#
# fs_manage_nfs_named_sockets(domain)
#
define(`fs_manage_nfs_named_sockets',`
	requires_block_template(`$0'_depend)

	allow $1 nfs_t:dir rw_dir_perms;
	allow $1 nfs_t:sock_file create_file_perms;
')

define(`fs_manage_nfs_named_sockets_depend',`
	type nfs_t;

	class dir rw_dir_perms;
	class sock_file create_file_perms;
')

########################################
#
# fs_mount_nfsd_fs(domain)
#
define(`fs_mount_nfsd_fs',`
	requires_block_template(`$0'_depend)

	allow $1 nfsd_fs_t:filesystem mount;
')

define(`fs_mount_nfsd_fs_depend',`
	type nfsd_fs_t;

	class filesystem mount;
')

########################################
#
# fs_remount_nfsd_fs(domain)
#
define(`fs_remount_nfsd_fs',`
	requires_block_template(`$0'_depend)

	allow $1 nfsd_fs_t:filesystem remount;
')

define(`fs_remount_nfsd_fs_depend',`
	type nfsd_fs_t;

	class filesystem remount;
')

########################################
#
# fs_unmount_nfsd_fs(domain)
#
define(`fs_unmount_nfsd_fs',`
	requires_block_template(`$0'_depend)

	allow $1 nfsd_fs_t:filesystem mount;
')

define(`fs_unmount_nfsd_fs_depend',`
	type nfsd_fs_t;

	class filesystem unmount;
')

########################################
#
# fs_getattr_nfsd_fs(domain)
#
define(`fs_getattr_nfsd_fs',`
	requires_block_template(`$0'_depend)

	allow $1 nfsd_fs_t:filesystem getattr;
')

define(`fs_getattr_nfsd_fs_depend',`
	type nfsd_fs_t;

	class filesystem getattr;
')

########################################
#
# fs_mount_ramfs(domain)
#
define(`fs_mount_ramfs',`
	requires_block_template(`$0'_depend)

	allow $1 ramfs_t:filesystem mount;
')

define(`fs_mount_ramfs_depend',`
	type ramfs_t;

	class filesystem mount;
')

########################################
#
# fs_remount_ramfs(domain)
#
define(`fs_remount_ramfs',`
	requires_block_template(`$0'_depend)

	allow $1 ramfs_t:filesystem remount;
')

define(`fs_remount_ramfs_depend',`
	type ramfs_t;

	class filesystem remount;
')

########################################
#
# fs_unmount_ramfs(domain)
#
define(`fs_unmount_ramfs',`
	requires_block_template(`$0'_depend)

	allow $1 ramfs_t:filesystem mount;
')

define(`fs_unmount_ramfs_depend',`
	type ramfs_t;

	class filesystem unmount;
')

########################################
#
# fs_getattr_ramfs(domain)
#
define(`fs_getattr_ramfs',`
	requires_block_template(`$0'_depend)

	allow $1 ramfs_t:filesystem getattr;
')

define(`fs_getattr_ramfs_depend',`
	type ramfs_t;

	class filesystem getattr;
')

########################################
#
# fs_mount_romfs(domain)
#
define(`fs_mount_romfs',`
	requires_block_template(`$0'_depend)

	allow $1 romfs_t:filesystem mount;
')

define(`fs_mount_romfs_depend',`
	type romfs_t;

	class filesystem mount;
')

########################################
#
# fs_remount_romfs(domain)
#
define(`fs_remount_romfs',`
	requires_block_template(`$0'_depend)

	allow $1 romfs_t:filesystem remount;
')

define(`fs_remount_romfs_depend',`
	type romfs_t;

	class filesystem remount;
')

########################################
#
# fs_unmount_romfs(domain)
#
define(`fs_unmount_romfs',`
	requires_block_template(`$0'_depend)

	allow $1 romfs_t:filesystem mount;
')

define(`fs_unmount_romfs_depend',`
	type romfs_t;

	class filesystem unmount;
')

########################################
#
# fs_getattr_romfs(domain)
#
define(`fs_getattr_romfs',`
	requires_block_template(`$0'_depend)

	allow $1 romfs_t:filesystem getattr;
')

define(`fs_getattr_romfs_depend',`
	type romfs_t;

	class filesystem getattr;
')

########################################
#
# fs_mount_rpc_pipefs(domain)
#
define(`fs_mount_rpc_pipefs',`
	requires_block_template(`$0'_depend)

	allow $1 rpc_pipefs_t:filesystem mount;
')

define(`fs_mount_rpc_pipefs_depend',`
	type rpc_pipefs_t;

	class filesystem mount;
')

########################################
#
# fs_remount_rpc_pipefs(domain)
#
define(`fs_remount_rpc_pipefs',`
	requires_block_template(`$0'_depend)

	allow $1 rpc_pipefs_t:filesystem remount;
')

define(`fs_remount_rpc_pipefs_depend',`
	type rpc_pipefs_t;

	class filesystem remount;
')

########################################
#
# fs_unmount_rpc_pipefs(domain)
#
define(`fs_unmount_rpc_pipefs',`
	requires_block_template(`$0'_depend)

	allow $1 rpc_pipefs_t:filesystem mount;
')

define(`fs_unmount_rpc_pipefs_depend',`
	type rpc_pipefs_t;

	class filesystem unmount;
')

########################################
#
# fs_getattr_rpc_pipefs(domain)
#
define(`fs_getattr_rpc_pipefs',`
	requires_block_template(`$0'_depend)

	allow $1 rpc_pipefs_t:filesystem getattr;
')

define(`fs_getattr_rpc_pipefs_depend',`
	type rpc_pipefs_t;

	class filesystem getattr;
')

########################################
#
# fs_mount_tmpfs(domain)
#
define(`fs_mount_tmpfs',`
	requires_block_template(`$0'_depend)

	allow $1 tmpfs_t:filesystem mount;
')

define(`fs_mount_tmpfs_depend',`
	type tmpfs_t;

	class filesystem mount;
')

########################################
#
# fs_remount_tmpfs(domain)
#
define(`fs_remount_tmpfs',`
	requires_block_template(`$0'_depend)

	allow $1 tmpfs_t:filesystem remount;
')

define(`fs_remount_tmpfs_depend',`
	type tmpfs_t;

	class filesystem remount;
')

########################################
#
# fs_unmount_tmpfs(domain)
#
define(`fs_unmount_tmpfs',`
	requires_block_template(`$0'_depend)

	allow $1 tmpfs_t:filesystem mount;
')

define(`fs_unmount_tmpfs_depend',`
	type tmpfs_t;

	class filesystem unmount;
')

########################################
#
# fs_getattr_tmpfs(domain)
#
define(`fs_getattr_tmpfs',`
	requires_block_template(`$0'_depend)

	allow $1 tmpfs_t:filesystem getattr;
')

define(`fs_getattr_tmpfs_depend',`
	type tmpfs_t;

	class filesystem getattr;
')

########################################
## <interface name="fs_tmpfs_associate">
##	<description>
##		Allow the type to associate to tmpfs filesystems.
##	</description>
##	<parameter name="type">
##		The type of the object to be associated.
##	</parameter>
##	<infoflow type="none"/>
## </interface>
#
define(`fs_tmpfs_associate',`
	requires_block_template(`$0'_depend)

	allow $1 tmpfs_t:filesystem associate;
')

define(`fs_tmpfs_associate_depend',`
	type tmpfs_t;

	class filesystem associate;
')

########################################
#
# fs_create_tmpfs_data(domain,derivedtype,[class])
#
define(`fs_create_tmpfs_data',`
	requires_block_template(`$0'_depend)

	allow $2 tmpfs_t:filesystem associate;
	allow $1 tmpfs_t:dir rw_dir_perms;

	ifelse(`$3',`',`
		type_transition $1 tmpfs_t:file $2;
	',`
		type_transition $1 tmpfs_t:$3 $2;
	')
')

define(`fs_create_private_tmpfs_data_depend',`
	type tmpfs_t;

	class filesystem associate;
	class dir rw_dir_perms; 
')

########################################
## <interface name="fs_use_tmpfs_character_devices">
##	<description>
##		Read and write character nodes on tmpfs filesystems.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="both" weight="10"/>
## </interface>
#
define(`fs_use_tmpfs_character_devices',`
	requires_block_template(`$0'_depend)

	allow $1 tmpfs_t:dir r_dir_perms;
	allow $1 tmpfs_t:chr_file rw_file_perms;
')

define(`fs_use_tmpfs_character_devices_depend',`
	type tmpfs_t;

	class dir r_dir_perms; 
	class chr_file rw_file_perms;
')

########################################
## <interface name="fs_relabel_tmpfs_character_devices">
##	<description>
##		Relabel character nodes on tmpfs filesystems.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="both" weight="10"/>
## </interface>
#
define(`fs_relabel_tmpfs_character_devices',`
	requires_block_template(`$0'_depend)

	allow $1 tmpfs_t:dir r_dir_perms;
	allow $1 tmpfs_t:chr_file { getattr relabelfrom relabelto };
')

define(`fs_relabel_tmpfs_character_devices_depend',`
	type tmpfs_t;

	class dir r_dir_perms;
	class chr_file { getattr relabelfrom relabelto };
')

########################################
## <interface name="fs_use_tmpfs_block_devices">
##	<description>
##		Read and write block nodes on tmpfs filesystems.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="both" weight="10"/>
## </interface>
#
define(`fs_use_tmpfs_block_devices',`
	requires_block_template(`$0'_depend)

	allow $1 tmpfs_t:dir r_dir_perms;
	allow $1 tmpfs_t:blk_file rw_file_perms;
')

define(`fs_use_tmpfs_block_devices_depend',`
	type tmpfs_t;

	class dir r_dir_perms; 
	class blk_file rw_file_perms;
')

########################################
## <interface name="fs_relabel_tmpfs_block_devices">
##	<description>
##		Relabel block nodes on tmpfs filesystems.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="both" weight="10"/>
## </interface>
#
define(`fs_relabel_tmpfs_block_devices',`
	requires_block_template(`$0'_depend)

	allow $1 tmpfs_t:dir r_dir_perms;
	allow $1 tmpfs_t:blk_file { getattr relabelfrom relabelto };
')

define(`fs_use_tmpfs_block_devices_depend',`
	type tmpfs_t;

	class dir r_dir_perms;
	class blk_file { getattr relabelfrom relabelto };
')

########################################
## <interface name="fs_manage_tmpfs_character_devices">
##	<description>
##		Read and write, create and delete character
##		nodes on tmpfs filesystems.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="both" weight="10"/>
## </interface>
#
define(`fs_manage_tmpfs_character_devices',`
	requires_block_template(`$0'_depend)

	allow $1 tmpfs_t:dir rw_dir_perms;
	allow $1 tmpfs_t:chr_file create_file_perms;
')

define(`fs_manage_tmpfs_character_devices_depend',`
	type tmpfs_t;

	class dir rw_dir_perms;
	class chr_file create_file_perms;
')

########################################
## <interface name="fs_manage_tmpfs_block_devices">
##	<description>
##		Read and write, create and delete block nodes
##		on tmpfs filesystems.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
##	<infoflow type="both" weight="10"/>
## </interface>
#
define(`fs_manage_tmpfs_block_devices',`
	requires_block_template(`$0'_depend)

	allow $1 tmpfs_t:dir rw_dir_perms;
	allow $1 tmpfs_t:blk_file create_file_perms;
')

define(`fs_manage_tmpfs_block_devices_depend',`
	type tmpfs_t;

	class dir rw_dir_perms;
	class blk_file create_file_perms;
')

########################################
#
# fs_mount_all_fs(type)
#
define(`fs_mount_all_fs',`
	requires_block_template(`$0'_depend)

	allow $1 fs_type:filesystem mount;
')

define(`fs_mount_all_fs_depend',`
	attribute fs_type;

	class filesystem mount;
')

########################################
#
# fs_remount_all_fs(type)
#
define(`fs_remount_all_fs',`
	requires_block_template(`$0'_depend)

	allow $1 fs_type:filesystem remount;
')

define(`fs_remount_all_fs_depend',`
	attribute fs_type;

	class filesystem remount;
')

########################################
#
# fs_unmount_all_fs(type)
#
define(`fs_unmount_all_fs',`
	requires_block_template(`$0'_depend)

	allow $1 fs_type:filesystem unmount;
')

define(`fs_mount_all_fs_depend',`
	attribute fs_type;

	class filesystem unmount;
')

########################################
#
# fs_getattr_all_fs(type)
#
define(`fs_getattr_all_fs',`
	requires_block_template(`$0'_depend)

	allow $1 fs_type:filesystem getattr;
')

define(`fs_getattr_all_fs_depend',`
	attribute fs_type;

	class filesystem getattr;
')

########################################
#
# fs_get_all_fs_quotas(type)
#
define(`fs_get_all_fs_quotas',`
	requires_block_template(`$0'_depend)

	allow $1 fs_type:filesystem quotaget;
')

define(`fs_get_all_fs_quotas_depend',`
	attribute fs_type;

	class filesystem quotaget;
')

########################################
#
# fs_set_all_quotas(type)
#
define(`fs_set_all_quotas',`
	requires_block_template(`$0'_depend)

	allow $1 fs_type:filesystem quotamod;
')

define(`fs_set_all_quotas_depend',`
	attribute fs_type;

	class filesystem quotamod;
')

########################################
#
# fs_getattr_all_files(type)
#
define(`fs_getattr_all_files',`
	requires_block_template(`$0'_depend)

	allow $1 fs_type:dir { search getattr };
	allow $1 fs_type:file getattr;
	allow $1 fs_type:lnk_file getattr;
	allow $1 fs_type:fifo_file getattr;
	allow $1 fs_type:sock_file getattr;
')

define(`fs_getattr_all_files_depend',`
	attribute fs_type;

	class dir { search getattr };
	class file getattr;
	class lnk_file getattr;
	class fifo_file getattr;
	class sock_file getattr;
')

## </module>