#DESC Automount - Automount daemon # # Authors: Stephen Smalley # Modified by Russell Coker # X-Debian-Packages: amd am-utils autofs # ################################# # # Rules for the automount_t domain. # daemon_domain(automount) etc_domain(automount) # for SSP allow automount_t urandom_device_t:chr_file read; # for if the mount point is not labelled allow automount_t file_t:dir getattr; allow automount_t default_t:dir getattr; allow automount_t autofs_t:dir { create_dir_perms ioctl }; allow automount_t fs_type:dir getattr; allow automount_t { etc_t etc_runtime_t }:file { getattr read }; allow automount_t proc_t:file { getattr read }; allow automount_t self:process { getpgid setpgid setsched }; allow automount_t self:capability { sys_nice dac_override }; allow automount_t self:unix_stream_socket create_socket_perms; allow automount_t self:unix_dgram_socket create_socket_perms; # because config files can be shell scripts can_exec(automount_t, { etc_t automount_etc_t }) can_network_server(automount_t) can_resolve(automount_t) can_ypbind(automount_t) can_ldap(automount_t) ifdef(`fsadm.te', ` domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t) ') lock_domain(automount) tmp_domain(automount) allow automount_t self:fifo_file rw_file_perms; # Run mount in the mount_t domain. domain_auto_trans(automount_t, mount_exec_t, mount_t) allow mount_t autofs_t:dir { search mounton read }; allow mount_t automount_tmp_t:dir mounton; ifdef(`apmd.te', `domain_auto_trans(apmd_t, automount_exec_t, automount_t) can_exec(automount_t, bin_t)') allow automount_t { bin_t sbin_t }:dir search; can_exec(automount_t, mount_exec_t) can_exec(automount_t, shell_exec_t) allow mount_t autofs_t:dir getattr; dontaudit automount_t var_t:dir write; allow userdomain autofs_t:dir r_dir_perms; allow kernel_t autofs_t:dir { getattr ioctl read search }; allow automount_t { boot_t home_root_t }:dir getattr; allow automount_t mnt_t:dir { getattr search }; can_exec(initrc_t, automount_etc_t) # Allow automount to create and delete directories in / and /home file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir) allow automount_t var_lib_t:dir search; allow automount_t var_lib_nfs_t:dir search;