diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index 6201dbf..fd3cb66 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -2,8 +2,14 @@
## Policy for filesystems.
########################################
-#
-# fs_make_fs(type)
+##
+##
+## Transform specified type into a filesystem type.
+##
+##
+## The type of the process performing this action.
+##
+##
#
define(`fs_make_fs',`
requires_block_template(`$0'_depend)
@@ -16,8 +22,17 @@ define(`fs_make_fs_depend',`
')
########################################
-#
-# fs_associate(type)
+##
+##
+## Associate the specified file type to persistent
+## filesystems with extended attributes. This
+## allows a file of this type to be created on
+## a filesystem such as ext3, JFS, and XFS.
+##
+##
+## The type of the to be associated.
+##
+##
#
define(`fs_associate',`
requires_block_template(`$0'_depend)
@@ -32,126 +47,187 @@ define(`fs_associate_depend',`
')
########################################
+##
+##
+## Associate the specified file type to
+## filesystems which lack extended attributes
+## support. This allows a file of this type
+## to be created on a filesystem such as
+## FAT32, and NFS.
+##
+##
+## The type of the to be associated.
+##
+##
#
-# fs_noxattr_associate(type)
-#
-define(`fs_noxattr_associate',`
+define(`fs_associate_noxattr',`
requires_block_template(`$0'_depend)
- allow $1 autofs_t:filesystem associate;
- allow $1 cifs_t:filesystem associate;
- allow $1 dosfs_t:filesystem associate;
- allow $1 iso9660_t:filesystem associate;
- allow $1 nfs_t:filesystem associate;
- allow $1 removable_t:filesystem associate;
- allow $1 usbfs_t:filesystem associate;
+ allow $1 noxattrfs:filesystem associate;
')
-define(`fs_noxattr_associate_depend',`
- type fs_t, nfs_t, cifs_t, dosfs_t, iso9660_t, autofs_t, usbfs_t, removable_t;
+define(`fs_associate_noxattr_depend',`
+ attribute noxattrfs;
class filesystem associate;
')
########################################
+##
+##
+## Mount a persistent filesystem which
+## has extended attributes, such as
+## ext3, JFS, or XFS.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
-# fs_mount_persistent_fs(domain)
-#
-define(`fs_mount_persistent_fs',`
+define(`fs_mount_xattr_fs',`
requires_block_template(`$0'_depend)
allow $1 fs_t:filesystem mount;
')
-define(`fs_mount_persistent_fs_depend',`
+define(`fs_mount_xattr_fs_depend',`
type fs_t;
class filesystem mount;
')
########################################
+##
+##
+## Remount a persistent filesystem which
+## has extended attributes, such as
+## ext3, JFS, or XFS. This allows
+## some mount options to be changed.
+##
+##
+## The type of the domain remounting the filesystem.
+##
+##
#
-# fs_remount_persistent_fs(domain)
-#
-define(`fs_remount_persistent_fs',`
+define(`fs_remount_xattr_fs',`
requires_block_template(`$0'_depend)
allow $1 fs_t:filesystem remount;
')
-define(`fs_remount_persistent_fs_depend',`
+define(`fs_remount_xattr_fs_depend',`
type fs_t;
class filesystem remount;
')
########################################
+##
+##
+## Unmount a persistent filesystem which
+## has extended attributes, such as
+## ext3, JFS, or XFS.
+##
+##
+## The type of the domain unmounting the filesystem.
+##
+##
#
-# fs_unmount_persistent_fs(domain)
-#
-define(`fs_unmount_persistent_fs',`
+define(`fs_unmount_xattr_fs',`
requires_block_template(`$0'_depend)
allow $1 fs_t:filesystem mount;
')
-define(`fs_unmount_persistent_fs_depend',`
+define(`fs_unmount_xattr_fs_depend',`
type fs_t;
class filesystem unmount;
')
########################################
+##
+##
+## Get the attributes of a persistent
+## filesystem which has extended
+## attributes, such as ext3, JFS, or XFS.
+##
+##
+## The type of the domain doing the
+## getattr on the filesystem.
+##
+##
#
-# fs_getattr_persistent_fs(domain)
-#
-define(`fs_getattr_persistent_fs',`
+define(`fs_getattr_xattr_fs',`
requires_block_template(`$0'_depend)
allow $1 fs_t:filesystem getattr;
')
-define(`fs_getattr_persistent_fs_depend',`
+define(`fs_getattr_xattr_fs_depend',`
type fs_t;
class filesystem getattr;
')
########################################
+##
+##
+## Do not audit attempts to
+## get the attributes of a persistent
+## filesystem which has extended
+## attributes, such as ext3, JFS, or XFS.
+##
+##
+## The type of the domain to not audit.
+##
+##
#
-# fs_ignore_getattr_persistent_fs(domain)
-#
-define(`fs_ignore_getattr_persistent_fs',`
+define(`fs_ignore_getattr_xattr_fs',`
requires_block_template(`$0'_depend)
dontaudit $1 fs_t:filesystem getattr;
')
-define(`fs_ignore_getattr_persistent_fs_depend',`
+define(`fs_ignore_getattr_xattr_fs_depend',`
type fs_t;
class filesystem getattr;
')
########################################
+##
+##
+## Allow changing of the label of a
+## filesystem with extended attributes
+## using the context= mount option.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
-# fs_relabelfrom_persistent_fs(domain)
-#
-define(`fs_relabelfrom_persistent_fs',`
+define(`fs_relabelfrom_xattr_fs',`
requires_block_template(`$0'_depend)
allow $1 fs_t:filesystem relabelfrom;
')
-define(`fs_relabelfrom_persistent_fs_depend',`
+define(`fs_relabelfrom_xattr_fs_depend',`
type fs_t;
class filesystem relabelfrom;
')
########################################
-#
-# fs_mount_autofs(domain)
+##
+##
+## Mount an automount pseudo filesystem.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
define(`fs_mount_autofs',`
requires_block_template(`$0'_depend)
@@ -164,9 +240,17 @@ define(`fs_mount_autofs_depend',`
class filesystem mount;
')
+
########################################
-#
-# fs_remount_autofs(domain)
+##
+##
+## Remount an automount pseudo filesystem
+## This allows some mount options to be changed.
+##
+##
+## The type of the domain remounting the filesystem.
+##
+##
#
define(`fs_remount_autofs',`
requires_block_template(`$0'_depend)
@@ -181,8 +265,14 @@ define(`fs_remount_autofs_depend',`
')
########################################
-#
-# fs_unmount_autofs(domain)
+##
+##
+## Unmount an automount pseudo filesystem.
+##
+##
+## The type of the domain unmounting the filesystem.
+##
+##
#
define(`fs_unmount_autofs',`
requires_block_template(`$0'_depend)
@@ -197,8 +287,16 @@ define(`fs_unmount_autofs_depend',`
')
########################################
-#
-# fs_getattr_autofs(domain)
+##
+##
+## Get the attributes of an automount
+## pseudo filesystem.
+##
+##
+## The type of the domain doing the
+## getattr on the filesystem.
+##
+##
#
define(`fs_getattr_autofs',`
requires_block_template(`$0'_depend)
@@ -213,8 +311,21 @@ define(`fs_getattr_autofs_depend',`
')
########################################
-#
-# fs_register_binary_executable_type(domain)
+##
+##
+## Register an interpreter for new binary
+## file types, using the kernel binfmt_misc
+## support. A common use for this is to
+## register a JVM as an interpreter for
+## Java byte code. Registered binaries
+## can be directly executed on a command line
+## without specifying the interpreter.
+##
+##
+## The type of the domain registering
+## the interpreter.
+##
+##
#
define(`fs_register_binary_executable_type',`
requires_block_template(`$0'_depend)
@@ -231,8 +342,14 @@ define(`fs_register_binary_executable_type_depend',`
')
########################################
-#
-# fs_mount_cifs(domain)
+##
+##
+## Mount a CIFS or SMB network filesystem.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
define(`fs_mount_cifs',`
requires_block_template(`$0'_depend)
@@ -247,8 +364,15 @@ define(`fs_mount_cifs_depend',`
')
########################################
-#
-# fs_remount_cifs(domain)
+##
+##
+## Remount a CIFS or SMB network filesystem.
+## This allows some mount options to be changed.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
define(`fs_remount_cifs',`
requires_block_template(`$0'_depend)
@@ -263,8 +387,14 @@ define(`fs_remount_cifs_depend',`
')
########################################
-#
-# fs_unmount_cifs(domain)
+##
+##
+## Unmount a CIFS or SMB network filesystem.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
define(`fs_unmount_cifs',`
requires_block_template(`$0'_depend)
@@ -279,8 +409,16 @@ define(`fs_unmount_cifs_depend',`
')
########################################
-#
-# fs_getattr_cifs(domain)
+##
+##
+## Get the attributes of a CIFS or
+## SMB network filesystem.
+##
+##
+## The type of the domain doing the
+## getattr on the filesystem.
+##
+##
#
define(`fs_getattr_cifs',`
requires_block_template(`$0'_depend)
@@ -295,8 +433,16 @@ define(`fs_getattr_cifs_depend',`
')
########################################
-#
-# fs_execute_cifs_files(domain)
+##
+##
+## Execute files on a CIFS or SMB
+## network filesystem, in the caller
+## domain.
+##
+##
+## The type of the domain executing the files.
+##
+##
#
define(`fs_execute_cifs_files',`
requires_block_template(`$0'_depend)
@@ -313,24 +459,38 @@ define(`fs_execute_cifs_files_depend',`
')
########################################
+##
+##
+## Create, read, write, and delete directories
+## on a CIFS or SMB network filesystem.
+##
+##
+## The type of the domain managing the directories.
+##
+##
#
-# fs_manage_cifs_directories(domain)
-#
-define(`fs_manage_cifs_directories',`
+define(`fs_manage_cifs_dirs',`
requires_block_template(`$0'_depend)
allow $1 cifs_t:dir create_file_perms;
')
-define(`fs_manage_cifs_directories_depend',`
+define(`fs_manage_cifs_dirs_depend',`
type cifs_t;
class dir create_file_perms;
')
########################################
-#
-# fs_manage_cifs_files(domain)
+##
+##
+## Create, read, write, and delete files
+## on a CIFS or SMB network filesystem.
+##
+##
+## The type of the domain managing the files.
+##
+##
#
define(`fs_manage_cifs_files',`
requires_block_template(`$0'_depend)
@@ -347,17 +507,24 @@ define(`fs_manage_cifs_files_depend',`
')
########################################
+##
+##
+## Create, read, write, and delete symbolic links
+## on a CIFS or SMB network filesystem.
+##
+##
+## The type of the domain managing the symbolic links.
+##
+##
#
-# fs_manage_cifs_symbolic_links(domain)
-#
-define(`fs_manage_cifs_symbolic_links',`
+define(`fs_manage_cifs_symlinks',`
requires_block_template(`$0'_depend)
allow $1 cifs_t:dir rw_dir_perms;
allow $1 cifs_t:lnk_file create_lnk_perms;
')
-define(`fs_manage_cifs_symbolic_links_depend',`
+define(`fs_manage_cifs_symlinks_depend',`
type cifs_t;
class dir rw_dir_perms;
@@ -365,8 +532,15 @@ define(`fs_manage_cifs_symbolic_links_depend',`
')
########################################
-#
-# fs_manage_cifs_named_pipes(domain)
+##
+##
+## Create, read, write, and delete named pipes
+## on a CIFS or SMB network filesystem.
+##
+##
+## The type of the domain managing the pipes.
+##
+##
#
define(`fs_manage_cifs_named_pipes',`
requires_block_template(`$0'_depend)
@@ -383,8 +557,15 @@ define(`fs_manage_cifs_named_pipes_depend',`
')
########################################
-#
-# fs_manage_cifs_named_sockets(domain)
+##
+##
+## Create, read, write, and delete named sockets
+## on a CIFS or SMB network filesystem.
+##
+##
+## The type of the domain managing the sockets.
+##
+##
#
define(`fs_manage_cifs_named_sockets',`
requires_block_template(`$0'_depend)
@@ -401,8 +582,15 @@ define(`fs_manage_cifs_named_sockets_depend',`
')
########################################
-#
-# fs_mount_dos_fs(domain)
+##
+##
+## Mount a DOS filesystem, such as
+## FAT32 or NTFS.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
define(`fs_mount_dos_fs',`
requires_block_template(`$0'_depend)
@@ -417,8 +605,16 @@ define(`fs_mount_dos_fs_depend',`
')
########################################
-#
-# fs_remount_dos_fs(domain)
+##
+##
+## Remount a DOS filesystem, such as
+## FAT32 or NTFS. This allows
+## some mount options to be changed.
+##
+##
+## The type of the domain remounting the filesystem.
+##
+##
#
define(`fs_remount_dos_fs',`
requires_block_template(`$0'_depend)
@@ -433,8 +629,15 @@ define(`fs_remount_dos_fs_depend',`
')
########################################
-#
-# fs_unmount_dos_fs(domain)
+##
+##
+## Unmount a DOS filesystem, such as
+## FAT32 or NTFS.
+##
+##
+## The type of the domain unmounting the filesystem.
+##
+##
#
define(`fs_unmount_dos_fs',`
requires_block_template(`$0'_depend)
@@ -449,8 +652,16 @@ define(`fs_unmount_dos_fs_depend',`
')
########################################
-#
-# fs_getattr_dos_fs(domain)
+##
+##
+## Get the attributes of a DOS
+## filesystem, such as FAT32 or NTFS.
+##
+##
+## The type of the domain doing the
+## getattr on the filesystem.
+##
+##
#
define(`fs_getattr_dos_fs',`
requires_block_template(`$0'_depend)
@@ -465,8 +676,15 @@ define(`fs_getattr_dos_fs_depend',`
')
########################################
-#
-# fs_relabelfrom_dos_fs(domain)
+##
+##
+## Allow changing of the label of a
+## DOS filesystem using the context= mount option.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
define(`fs_relabelfrom_dos_fs',`
requires_block_template(`$0'_depend)
@@ -481,72 +699,108 @@ define(`fs_relabelfrom_dos_fs_depend',`
')
########################################
+##
+##
+## Mount an iso9660 filesystem, which
+## is usually used on CDs.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
-# fs_mount_cd_fs(domain)
-#
-define(`fs_mount_cd_fs',`
+define(`fs_mount_iso9660_fs',`
requires_block_template(`$0'_depend)
allow $1 iso9660_t:filesystem mount;
')
-define(`fs_mount_cd_fs_depend',`
+define(`fs_mount_iso9660_fs_depend',`
type iso9660_t;
class filesystem mount;
')
########################################
+##
+##
+## Remount an iso9660 filesystem, which
+## is usually used on CDs. This allows
+## some mount options to be changed.
+##
+##
+## The type of the domain remounting the filesystem.
+##
+##
#
-# fs_remount_cd_fs(domain)
-#
-define(`fs_remount_cd_fs',`
+define(`fs_remount_iso9660_fs',`
requires_block_template(`$0'_depend)
allow $1 iso9660_t:filesystem remount;
')
-define(`fs_remount_cd_fs_depend',`
+define(`fs_remount_iso9660_fs_depend',`
type iso9660_t;
class filesystem remount;
')
########################################
+##
+##
+## Unmount an iso9660 filesystem, which
+## is usually used on CDs.
+##
+##
+## The type of the domain unmounting the filesystem.
+##
+##
#
-# fs_unmount_cd_fs(domain)
-#
-define(`fs_unmount_cd_fs',`
+define(`fs_unmount_iso9660_fs',`
requires_block_template(`$0'_depend)
allow $1 iso9660_t:filesystem mount;
')
-define(`fs_unmount_cd_fs_depend',`
+define(`fs_unmount_iso9660_fs_depend',`
type iso9660_t;
class filesystem unmount;
')
########################################
+##
+##
+## Get the attributes of an iso9660
+## filesystem, which is usually used on CDs.
+##
+##
+## The type of the domain doing the
+## getattr on the filesystem.
+##
+##
#
-# fs_getattr_cd_fs(domain)
-#
-define(`fs_getattr_cd_fs',`
+define(`fs_getattr_iso9660_fs',`
requires_block_template(`$0'_depend)
allow $1 iso9660_t:filesystem getattr;
')
-define(`fs_getattr_cd_fs_depend',`
+define(`fs_getattr_iso9660_fs_depend',`
type iso9660_t;
class filesystem getattr;
')
########################################
-#
-# fs_mount_nfs(domain)
+##
+##
+## Mount a NFS filesystem.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
define(`fs_mount_nfs',`
requires_block_template(`$0'_depend)
@@ -561,8 +815,15 @@ define(`fs_mount_nfs_depend',`
')
########################################
-#
-# fs_remount_nfs(domain)
+##
+##
+## Remount a NFS filesystem. This allows
+## some mount options to be changed.
+##
+##
+## The type of the domain remounting the filesystem.
+##
+##
#
define(`fs_remount_nfs',`
requires_block_template(`$0'_depend)
@@ -577,8 +838,14 @@ define(`fs_remount_nfs_depend',`
')
########################################
-#
-# fs_unmount_nfs(domain)
+##
+##
+## Unmount a NFS filesystem.
+##
+##
+## The type of the domain unmounting the filesystem.
+##
+##
#
define(`fs_unmount_nfs',`
requires_block_template(`$0'_depend)
@@ -593,8 +860,15 @@ define(`fs_unmount_nfs_depend',`
')
########################################
-#
-# fs_getattr_nfs(domain)
+##
+##
+## Get the attributes of a NFS filesystem.
+##
+##
+## The type of the domain doing the
+## getattr on the filesystem.
+##
+##
#
define(`fs_getattr_nfs',`
requires_block_template(`$0'_depend)
@@ -609,8 +883,14 @@ define(`fs_getattr_nfs_depend',`
')
########################################
-#
-# fs_execute_nfs_files(domain)
+##
+##
+## Execute files on a NFS filesystem.
+##
+##
+## The type of the domain executing the files.
+##
+##
#
define(`fs_execute_nfs_files',`
requires_block_template(`$0'_depend)
@@ -627,24 +907,38 @@ define(`fs_execute_nfs_files_depend',`
')
########################################
+##
+##
+## Create, read, write, and delete directories
+## on a NFS filesystem.
+##
+##
+## The type of the domain managing the directories.
+##
+##
#
-# fs_manage_nfs_directories(domain)
-#
-define(`fs_manage_nfs_directories',`
+define(`fs_manage_nfs_dirs',`
requires_block_template(`$0'_depend)
allow $1 nfs_t:dir create_dir_perms;
')
-define(`fs_manage_nfs_directories_depend',`
+define(`fs_manage_nfs_dirs_depend',`
type nfs_t;
class dir create_dir_perms;
')
########################################
-#
-# fs_manage_nfs_files(domain)
+##
+##
+## Create, read, write, and delete files
+## on a NFS filesystem.
+##
+##
+## The type of the domain managing the files.
+##
+##
#
define(`fs_manage_nfs_files',`
requires_block_template(`$0'_depend)
@@ -660,27 +954,41 @@ define(`fs_manage_nfs_files_depend',`
class file create_file_perms;
')
-########################################
-#
-# fs_manage_nfs_symbolic_links(domain)
+#########################################
+##
+##
+## Create, read, write, and delete symbolic links
+## on a CIFS or SMB network filesystem.
+##
+##
+## The type of the domain managing the symbolic links.
+##
+##
#
-define(`fs_manage_nfs_symbolic_links',`
+define(`fs_manage_nfs_symlinks',`
requires_block_template(`$0'_depend)
allow $1 nfs_t:dir rw_dir_perms;
allow $1 nfs_t:lnk_file create_lnk_perms;
')
-define(`fs_manage_nfs_symbolic_links_depend',`
+define(`fs_manage_nfs_symlinks_depend',`
type nfs_t;
class dir r_dir_perms;
class lnk_file create_lnk_perms;
')
-########################################
-#
-# fs_manage_nfs_named_pipes(domain)
+#########################################
+##
+##
+## Create, read, write, and delete named pipes
+## on a NFS filesystem.
+##
+##
+## The type of the domain managing the pipes.
+##
+##
#
define(`fs_manage_nfs_named_pipes',`
requires_block_template(`$0'_depend)
@@ -696,9 +1004,16 @@ define(`fs_manage_nfs_named_pipes_depend',`
class fifo_file create_file_perms;
')
-########################################
-#
-# fs_manage_nfs_named_sockets(domain)
+#########################################
+##
+##
+## Create, read, write, and delete named sockets
+## on a NFS filesystem.
+##
+##
+## The type of the domain managing the sockets.
+##
+##
#
define(`fs_manage_nfs_named_sockets',`
requires_block_template(`$0'_depend)
@@ -715,8 +1030,14 @@ define(`fs_manage_nfs_named_sockets_depend',`
')
########################################
-#
-# fs_mount_nfsd_fs(domain)
+##
+##
+## Mount a NFS server pseudo filesystem.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
define(`fs_mount_nfsd_fs',`
requires_block_template(`$0'_depend)
@@ -731,8 +1052,15 @@ define(`fs_mount_nfsd_fs_depend',`
')
########################################
-#
-# fs_remount_nfsd_fs(domain)
+##
+##
+## Mount a NFS server pseudo filesystem.
+## This allows some mount options to be changed.
+##
+##
+## The type of the domain remounting the filesystem.
+##
+##
#
define(`fs_remount_nfsd_fs',`
requires_block_template(`$0'_depend)
@@ -747,8 +1075,14 @@ define(`fs_remount_nfsd_fs_depend',`
')
########################################
-#
-# fs_unmount_nfsd_fs(domain)
+##
+##
+## Unmount a NFS server pseudo filesystem.
+##
+##
+## The type of the domain unmounting the filesystem.
+##
+##
#
define(`fs_unmount_nfsd_fs',`
requires_block_template(`$0'_depend)
@@ -763,8 +1097,16 @@ define(`fs_unmount_nfsd_fs_depend',`
')
########################################
-#
-# fs_getattr_nfsd_fs(domain)
+##
+##
+## Get the attributes of a NFS server
+## pseudo filesystem.
+##
+##
+## The type of the domain doing the
+## getattr on the filesystem.
+##
+##
#
define(`fs_getattr_nfsd_fs',`
requires_block_template(`$0'_depend)
@@ -779,8 +1121,14 @@ define(`fs_getattr_nfsd_fs_depend',`
')
########################################
-#
-# fs_mount_ramfs(domain)
+##
+##
+## Mount a RAM filesystem.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
define(`fs_mount_ramfs',`
requires_block_template(`$0'_depend)
@@ -795,8 +1143,15 @@ define(`fs_mount_ramfs_depend',`
')
########################################
-#
-# fs_remount_ramfs(domain)
+##
+##
+## Remount a RAM filesystem. This allows
+## some mount options to be changed.
+##
+##
+## The type of the domain remounting the filesystem.
+##
+##
#
define(`fs_remount_ramfs',`
requires_block_template(`$0'_depend)
@@ -811,8 +1166,14 @@ define(`fs_remount_ramfs_depend',`
')
########################################
-#
-# fs_unmount_ramfs(domain)
+##
+##
+## Unmount a RAM filesystem.
+##
+##
+## The type of the domain unmounting the filesystem.
+##
+##
#
define(`fs_unmount_ramfs',`
requires_block_template(`$0'_depend)
@@ -827,8 +1188,15 @@ define(`fs_unmount_ramfs_depend',`
')
########################################
-#
-# fs_getattr_ramfs(domain)
+##
+##
+## Get the attributes of a RAM filesystem.
+##
+##
+## The type of the domain doing the
+## getattr on the filesystem.
+##
+##
#
define(`fs_getattr_ramfs',`
requires_block_template(`$0'_depend)
@@ -843,8 +1211,14 @@ define(`fs_getattr_ramfs_depend',`
')
########################################
-#
-# fs_mount_romfs(domain)
+##
+##
+## Mount a ROM filesystem.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
define(`fs_mount_romfs',`
requires_block_template(`$0'_depend)
@@ -859,8 +1233,15 @@ define(`fs_mount_romfs_depend',`
')
########################################
-#
-# fs_remount_romfs(domain)
+##
+##
+## Remount a ROM filesystem. This allows
+## some mount options to be changed.
+##
+##
+## The type of the domain remounting the filesystem.
+##
+##
#
define(`fs_remount_romfs',`
requires_block_template(`$0'_depend)
@@ -875,8 +1256,14 @@ define(`fs_remount_romfs_depend',`
')
########################################
-#
-# fs_unmount_romfs(domain)
+##
+##
+## Unmount a ROM filesystem.
+##
+##
+## The type of the domain unmounting the filesystem.
+##
+##
#
define(`fs_unmount_romfs',`
requires_block_template(`$0'_depend)
@@ -891,8 +1278,16 @@ define(`fs_unmount_romfs_depend',`
')
########################################
-#
-# fs_getattr_romfs(domain)
+##
+##
+## Get the attributes of a ROM
+## filesystem.
+##
+##
+## The type of the domain doing the
+## getattr on the filesystem.
+##
+##
#
define(`fs_getattr_romfs',`
requires_block_template(`$0'_depend)
@@ -907,8 +1302,14 @@ define(`fs_getattr_romfs_depend',`
')
########################################
-#
-# fs_mount_rpc_pipefs(domain)
+##
+##
+## Mount a RPC pipe filesystem.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
define(`fs_mount_rpc_pipefs',`
requires_block_template(`$0'_depend)
@@ -923,8 +1324,15 @@ define(`fs_mount_rpc_pipefs_depend',`
')
########################################
-#
-# fs_remount_rpc_pipefs(domain)
+##
+##
+## Remount a RPC pipe filesystem. This
+## allows some mount option to be changed.
+##
+##
+## The type of the domain remounting the filesystem.
+##
+##
#
define(`fs_remount_rpc_pipefs',`
requires_block_template(`$0'_depend)
@@ -939,8 +1347,14 @@ define(`fs_remount_rpc_pipefs_depend',`
')
########################################
-#
-# fs_unmount_rpc_pipefs(domain)
+##
+##
+## Unmount a RPC pipe filesystem.
+##
+##
+## The type of the domain unmounting the filesystem.
+##
+##
#
define(`fs_unmount_rpc_pipefs',`
requires_block_template(`$0'_depend)
@@ -955,8 +1369,16 @@ define(`fs_unmount_rpc_pipefs_depend',`
')
########################################
-#
-# fs_getattr_rpc_pipefs(domain)
+##
+##
+## Get the attributes of a RPC pipe
+## filesystem.
+##
+##
+## The type of the domain doing the
+## getattr on the filesystem.
+##
+##
#
define(`fs_getattr_rpc_pipefs',`
requires_block_template(`$0'_depend)
@@ -971,8 +1393,14 @@ define(`fs_getattr_rpc_pipefs_depend',`
')
########################################
-#
-# fs_mount_tmpfs(domain)
+##
+##
+## Mount a tmpfs filesystem.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
define(`fs_mount_tmpfs',`
requires_block_template(`$0'_depend)
@@ -987,8 +1415,14 @@ define(`fs_mount_tmpfs_depend',`
')
########################################
-#
-# fs_remount_tmpfs(domain)
+##
+##
+## Remount a tmpfs filesystem.
+##
+##
+## The type of the domain remounting the filesystem.
+##
+##
#
define(`fs_remount_tmpfs',`
requires_block_template(`$0'_depend)
@@ -1003,8 +1437,14 @@ define(`fs_remount_tmpfs_depend',`
')
########################################
-#
-# fs_unmount_tmpfs(domain)
+##
+##
+## Unmount a tmpfs filesystem.
+##
+##
+## The type of the domain unmounting the filesystem.
+##
+##
#
define(`fs_unmount_tmpfs',`
requires_block_template(`$0'_depend)
@@ -1019,8 +1459,16 @@ define(`fs_unmount_tmpfs_depend',`
')
########################################
-#
-# fs_getattr_tmpfs(domain)
+##
+##
+## Get the attributes of a tmpfs
+## filesystem.
+##
+##
+## The type of the domain doing the
+## getattr on the filesystem.
+##
+##
#
define(`fs_getattr_tmpfs',`
requires_block_template(`$0'_depend)
@@ -1035,7 +1483,7 @@ define(`fs_getattr_tmpfs_depend',`
')
########################################
-##
+##
##
## Allow the type to associate to tmpfs filesystems.
##
@@ -1045,13 +1493,13 @@ define(`fs_getattr_tmpfs_depend',`
##
##
#
-define(`fs_tmpfs_associate',`
+define(`fs_associate_tmpfs',`
requires_block_template(`$0'_depend)
allow $1 tmpfs_t:filesystem associate;
')
-define(`fs_tmpfs_associate_depend',`
+define(`fs_associate_tmpfs_depend',`
type tmpfs_t;
class filesystem associate;
@@ -1234,8 +1682,14 @@ define(`fs_manage_tmpfs_block_devices_depend',`
')
########################################
-#
-# fs_mount_all_fs(type)
+##
+##
+## Mount all filesystems.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
define(`fs_mount_all_fs',`
requires_block_template(`$0'_depend)
@@ -1250,8 +1704,15 @@ define(`fs_mount_all_fs_depend',`
')
########################################
-#
-# fs_remount_all_fs(type)
+##
+##
+## Remount all filesystems. This
+## allows some mount options to be changed.
+##
+##
+## The type of the domain mounting the filesystem.
+##
+##
#
define(`fs_remount_all_fs',`
requires_block_template(`$0'_depend)
@@ -1266,8 +1727,14 @@ define(`fs_remount_all_fs_depend',`
')
########################################
-#
-# fs_unmount_all_fs(type)
+##
+##
+## Unmount all filesystems.
+##
+##
+## The type of the domain unmounting the filesystem.
+##
+##
#
define(`fs_unmount_all_fs',`
requires_block_template(`$0'_depend)
@@ -1282,8 +1749,16 @@ define(`fs_mount_all_fs_depend',`
')
########################################
-#
-# fs_getattr_all_fs(type)
+##
+##
+## Get the attributes of all persistent
+## filesystems.
+##
+##
+## The type of the domain doing the
+## getattr on the filesystem.
+##
+##
#
define(`fs_getattr_all_fs',`
requires_block_template(`$0'_depend)
@@ -1298,8 +1773,14 @@ define(`fs_getattr_all_fs_depend',`
')
########################################
-#
-# fs_get_all_fs_quotas(type)
+##
+##
+## Get the quotas of all filesystems.
+##
+##
+## The type of the domain getting quotas.
+##
+##
#
define(`fs_get_all_fs_quotas',`
requires_block_template(`$0'_depend)
@@ -1314,8 +1795,14 @@ define(`fs_get_all_fs_quotas_depend',`
')
########################################
-#
-# fs_set_all_quotas(type)
+##
+##
+## Set the quotas of all filesystems.
+##
+##
+## The type of the domain setting quotas.
+##
+##
#
define(`fs_set_all_quotas',`
requires_block_template(`$0'_depend)
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index 49a1893..3f46cbb 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -2,6 +2,7 @@
policy_module(filesystem,1.0)
attribute fs_type;
+attribute noxattrfs;
########################################
#
@@ -72,19 +73,13 @@ fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
allow tmpfs_t self:filesystem associate;
-allow tmpfs_t autofs_t:filesystem associate;
-allow tmpfs_t cifs_t:filesystem associate;
-allow tmpfs_t dosfs_t:filesystem associate;
-allow tmpfs_t iso9660_t:filesystem associate;
-allow tmpfs_t nfs_t:filesystem associate;
-allow tmpfs_t removable_t:filesystem associate;
-allow tmpfs_t usbfs_t:filesystem associate;
+allow tmpfs_t noxattrfs:filesystem associate;
########################################
#
# Filesystems without extended attribute support
#
-type autofs_t, fs_type;
+type autofs_t, fs_type, noxattrfs;
allow autofs_t self:filesystem associate;
genfscon autofs / context_template(system_u:object_r:autofs_t,s0)
genfscon automount / context_template(system_u:object_r:autofs_t,s0)
@@ -93,7 +88,7 @@ genfscon automount / context_template(system_u:object_r:autofs_t,s0)
# cifs_t is the type for filesystems and their
# files shared from Windows servers
#
-type cifs_t alias sambafs_t, fs_type;
+type cifs_t alias sambafs_t, fs_type, noxattrfs;
allow cifs_t self:filesystem associate;
genfscon cifs / context_template(system_u:object_r:cifs_t,s0)
genfscon smbfs / context_template(system_u:object_r:cifs_t,s0)
@@ -102,7 +97,7 @@ genfscon smbfs / context_template(system_u:object_r:cifs_t,s0)
# dosfs_t is the type for fat and vfat
# filesystems and their files.
#
-type dosfs_t, fs_type;
+type dosfs_t, fs_type, noxattrfs;
allow dosfs_t self:filesystem associate;
genfscon vfat / context_template(system_u:object_r:dosfs_t,s0)
genfscon msdos / context_template(system_u:object_r:dosfs_t,s0)
@@ -113,7 +108,7 @@ genfscon ntfs / context_template(system_u:object_r:dosfs_t,s0)
# iso9660_t is the type for CD filesystems
# and their files.
#
-type iso9660_t, fs_type;
+type iso9660_t, fs_type, noxattrfs;
allow iso9660_t self:filesystem associate;
genfscon iso9660 / context_template(system_u:object_r:iso9660_t,s0)
genfscon udf / context_template(system_u:object_r:iso9660_t,s0)
@@ -121,20 +116,14 @@ genfscon udf / context_template(system_u:object_r:iso9660_t,s0)
#
# removable_t is the default type of all removable media
#
-type removable_t, fs_type;
-allow removable_t self:filesystem associate;
-allow removable_t autofs_t:filesystem associate;
-allow removable_t cifs_t:filesystem associate;
-allow removable_t dosfs_t:filesystem associate;
-allow removable_t iso9660_t:filesystem associate;
-allow removable_t nfs_t:filesystem associate;
-allow removable_t usbfs_t:filesystem associate;
+type removable_t, fs_type, noxattrfs;
+allow removable_t noxattrfs:filesystem associate;
#
# nfs_t is the default type for NFS file systems
# and their files.
#
-type nfs_t, fs_type;
+type nfs_t, fs_type, noxattrfs;
files_make_mountpoint(nfs_t)
allow nfs_t self:filesystem associate;
genfscon nfs / context_template(system_u:object_r:nfs_t,s0)