Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/system/fstools.te
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/system/fstools.te')
-rw-r--r--policy/modules/system/fstools.te197
1 files changed, 197 insertions, 0 deletions
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
new file mode 100644
index 00000000..6c4b6ee2
--- /dev/null
+++ b/policy/modules/system/fstools.te
@@ -0,0 +1,197 @@
+policy_module(fstools, 1.15.0)
+
+########################################
+#
+# Declarations
+#
+
+type fsadm_t;
+type fsadm_exec_t;
+init_system_domain(fsadm_t, fsadm_exec_t)
+role system_r types fsadm_t;
+
+type fsadm_log_t;
+logging_log_file(fsadm_log_t)
+
+type fsadm_tmp_t;
+files_tmp_file(fsadm_tmp_t)
+
+type swapfile_t; # customizable
+files_type(swapfile_t)
+
+########################################
+#
+# local policy
+#
+
+# ipc_lock is for losetup
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
+allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
+allow fsadm_t self:fd use;
+allow fsadm_t self:fifo_file rw_fifo_file_perms;
+allow fsadm_t self:sock_file read_sock_file_perms;
+allow fsadm_t self:unix_dgram_socket create_socket_perms;
+allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
+allow fsadm_t self:unix_dgram_socket sendto;
+allow fsadm_t self:unix_stream_socket connectto;
+allow fsadm_t self:shm create_shm_perms;
+allow fsadm_t self:sem create_sem_perms;
+allow fsadm_t self:msgq create_msgq_perms;
+allow fsadm_t self:msg { send receive };
+
+can_exec(fsadm_t, fsadm_exec_t)
+
+allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
+allow fsadm_t fsadm_tmp_t:file manage_file_perms;
+files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
+
+# log files
+allow fsadm_t fsadm_log_t:dir setattr;
+manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
+logging_log_filetrans(fsadm_t, fsadm_log_t, file)
+
+# Enable swapping to files
+allow fsadm_t swapfile_t:file { rw_file_perms swapon };
+
+kernel_read_system_state(fsadm_t)
+kernel_read_kernel_sysctls(fsadm_t)
+kernel_request_load_module(fsadm_t)
+# Allow console log change (updfstab)
+kernel_change_ring_buffer_level(fsadm_t)
+# mkreiserfs needs this
+kernel_getattr_proc(fsadm_t)
+kernel_getattr_core_if(fsadm_t)
+# Access to /initrd devices
+kernel_rw_unlabeled_dirs(fsadm_t)
+kernel_rw_unlabeled_blk_files(fsadm_t)
+
+corecmd_exec_bin(fsadm_t)
+#RedHat bug #201164
+corecmd_exec_shell(fsadm_t)
+# cjp: these are probably not needed:
+corecmd_read_bin_files(fsadm_t)
+corecmd_read_bin_pipes(fsadm_t)
+corecmd_read_bin_sockets(fsadm_t)
+
+dev_getattr_all_chr_files(fsadm_t)
+dev_dontaudit_getattr_all_blk_files(fsadm_t)
+dev_dontaudit_getattr_generic_files(fsadm_t)
+# mkreiserfs and other programs need this for UUID
+dev_read_rand(fsadm_t)
+dev_read_urand(fsadm_t)
+dev_write_kmsg(fsadm_t)
+# Recreate /dev/cdrom.
+dev_manage_generic_symlinks(fsadm_t)
+# fdisk needs this for early boot
+dev_manage_generic_blk_files(fsadm_t)
+# Access to /initrd devices
+dev_search_usbfs(fsadm_t)
+# for swapon
+dev_rw_sysfs(fsadm_t)
+# Access to /initrd devices
+dev_getattr_usbfs_dirs(fsadm_t)
+# Access to /dev/mapper/control
+dev_rw_lvm_control(fsadm_t)
+
+domain_use_interactive_fds(fsadm_t)
+
+files_getattr_boot_dirs(fsadm_t)
+files_list_home(fsadm_t)
+files_read_usr_files(fsadm_t)
+files_read_etc_files(fsadm_t)
+files_manage_lost_found(fsadm_t)
+files_manage_isid_type_dirs(fsadm_t)
+# Write to /etc/mtab.
+files_manage_etc_runtime_files(fsadm_t)
+files_etc_filetrans_etc_runtime(fsadm_t, file)
+# Access to /initrd devices
+files_rw_isid_type_dirs(fsadm_t)
+files_rw_isid_type_blk_files(fsadm_t)
+files_read_isid_type_files(fsadm_t)
+
+fs_search_auto_mountpoints(fsadm_t)
+fs_getattr_xattr_fs(fsadm_t)
+fs_rw_ramfs_pipes(fsadm_t)
+fs_rw_tmpfs_files(fsadm_t)
+# remount file system to apply changes
+fs_remount_xattr_fs(fsadm_t)
+# for /dev/shm
+fs_list_auto_mountpoints(fsadm_t)
+fs_search_tmpfs(fsadm_t)
+fs_getattr_tmpfs_dirs(fsadm_t)
+fs_read_tmpfs_symlinks(fsadm_t)
+# Recreate /mnt/cdrom.
+files_manage_mnt_dirs(fsadm_t)
+# for tune2fs
+files_search_all(fsadm_t)
+
+mls_file_read_all_levels(fsadm_t)
+mls_file_write_all_levels(fsadm_t)
+
+storage_raw_read_fixed_disk(fsadm_t)
+storage_raw_write_fixed_disk(fsadm_t)
+storage_raw_read_removable_device(fsadm_t)
+storage_raw_write_removable_device(fsadm_t)
+storage_read_scsi_generic(fsadm_t)
+storage_swapon_fixed_disk(fsadm_t)
+
+term_use_console(fsadm_t)
+
+init_use_fds(fsadm_t)
+init_use_script_ptys(fsadm_t)
+init_dontaudit_getattr_initctl(fsadm_t)
+
+logging_send_syslog_msg(fsadm_t)
+
+miscfiles_read_localization(fsadm_t)
+
+seutil_read_config(fsadm_t)
+
+userdom_use_user_terminals(fsadm_t)
+
+ifdef(`distro_redhat',`
+ optional_policy(`
+ unconfined_domain(fsadm_t)
+ ')
+')
+
+optional_policy(`
+ amanda_rw_dumpdates_files(fsadm_t)
+ amanda_append_log_files(fsadm_t)
+')
+
+optional_policy(`
+ # for smartctl cron jobs
+ cron_system_entry(fsadm_t, fsadm_exec_t)
+')
+
+optional_policy(`
+ hal_dontaudit_write_log(fsadm_t)
+')
+
+optional_policy(`
+ livecd_rw_tmp_files(fsadm_t)
+')
+
+optional_policy(`
+ modutils_read_module_config(fsadm_t)
+ modutils_read_module_deps(fsadm_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(fsadm_t)
+')
+
+optional_policy(`
+ fs_dontaudit_write_ramfs_pipes(fsadm_t)
+ rhgb_stub(fsadm_t)
+')
+
+optional_policy(`
+ udev_read_db(fsadm_t)
+')
+
+optional_policy(`
+ xen_append_log(fsadm_t)
+ xen_rw_image_files(fsadm_t)
+')