RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
selinux-refpolicy/policy/modules/apps/cryfs.if

41 lines
757 B
Plaintext
Raw Normal View History

Add policy for CryFS, encfs and gocryptfs CryFS (https://www.cryfs.org/) is a software that can be run by non-root users that have access to /dev/fuse. Its command is directly used to mount a directory ("/usr/bin/cryfs basedir mountpoint"), like command "mount". Unmounting a mountpoint is done with "fusermount -u mountpoint", /usr/bin/fusermount being a setuid-root program labeled mount_exec_t. EncFS (https://www.arg0.net/encfs) is a similar software that has been considered insecure since a security audit in 2014 found vulnerabilities that are not yet fixed (like https://github.com/vgough/encfs/issues/9). gocryptfs (https://nuetzlich.net/gocryptfs/) is a similar software that has been inspired by EncFS. Allow users with role sysadm to use all these projects. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-12-22 17:03:53 +00:00
## <summary>CryFS and similar other tools which mount encrypted directories using FUSE.</summary>
########################################
## <summary>
## Role access for CryFS.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role.
## </summary>
## </param>
#
interface(`cryfs_role',`
gen_require(`
attribute_role cryfs_roles;
type cryfs_t, cryfs_exec_t;
')
########################################
#
# Declarations
#
roleattribute $1 cryfs_roles;
########################################
#
# Policy
#
domtrans_pattern($2, cryfs_exec_t, cryfs_t)
allow $2 cryfs_t:process signal_perms;
ps_process_pattern($2, cryfs_t)
')