## Policy for mount. ######################################## ## ## Execute mount in the mount domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`mount_domtrans',` gen_require(` type mount_t, mount_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, mount_exec_t, mount_t) ') ######################################## ## ## Execute mount in the mount domain, and ## allow the specified role the mount domain, ## and use the caller's terminal. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`mount_run',` gen_require(` attribute_role mount_roles; ') mount_domtrans($1) roleattribute $2 mount_roles; ') ######################################## ## ## Execute mount in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`mount_exec',` gen_require(` type mount_exec_t; ') # cjp: this should be removed: allow $1 mount_exec_t:dir list_dir_perms; allow $1 mount_exec_t:lnk_file read_lnk_file_perms; corecmd_search_bin($1) can_exec($1, mount_exec_t) ') ######################################## ## ## Send a generic signal to mount. ## ## ## ## Domain allowed access. ## ## # interface(`mount_signal',` gen_require(` type mount_t; ') allow $1 mount_t:process signal; ') ######################################## ## ## Use file descriptors for mount. ## ## ## ## The type of the process performing this action. ## ## # interface(`mount_use_fds',` gen_require(` type mount_t; ') allow $1 mount_t:fd use; ') ######################################## ## ## Execute mount in the unconfined mount domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`mount_domtrans_unconfined',` gen_require(` type unconfined_mount_t, mount_exec_t; ') domtrans_pattern($1, mount_exec_t, unconfined_mount_t) ') ######################################## ## ## Execute mount in the unconfined mount domain, and ## allow the specified role the unconfined mount domain, ## and use the caller's terminal. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`mount_run_unconfined',` gen_require(` type unconfined_mount_t; ') mount_domtrans_unconfined($1) role $2 types unconfined_mount_t; ') ######################################## ## ## Read loopback filesystem image files. ## ## ## ## Domain allowed access. ## ## # interface(`mount_read_loopback_files',` gen_require(` type mount_loopback_t; ') allow $1 mount_loopback_t:file read_file_perms; ') ######################################## ## ## Read and write loopback filesystem image files. ## ## ## ## Domain allowed access. ## ## # interface(`mount_rw_loopback_files',` gen_require(` type mount_loopback_t; ') allow $1 mount_loopback_t:file rw_file_perms; ') ######################################## ## ## List mount runtime files. ## ## ## ## Domain allowed access. ## ## # interface(`mount_list_runtime',` gen_require(` type mount_runtime_t; ') allow $1 mount_runtime_t:dir list_dir_perms; ') ######################################## ## ## Watch mount runtime dirs. ## ## ## ## Domain allowed access. ## ## # interface(`mount_watch_runtime_dirs',` gen_require(` type mount_runtime_t; ') allow $1 mount_runtime_t:dir watch; ') ######################################## ## ## Watch mount runtime files. ## ## ## ## Domain allowed access. ## ## # interface(`mount_watch_runtime_files',` gen_require(` type mount_runtime_t; ') allow $1 mount_runtime_t:file watch; ') ######################################## ## ## Watch reads on mount runtime files. ## ## ## ## Domain allowed access. ## ## # interface(`mount_watch_reads_runtime_files',` gen_require(` type mount_runtime_t; ') allow $1 mount_runtime_t:file watch_reads; ') ######################################## ## ## Getattr on mount_runtime_t files ## ## ## ## Domain allowed access. ## ## # interface(`mount_getattr_runtime_files',` gen_require(` type mount_runtime_t; ') allow $1 mount_runtime_t:file getattr; ') ######################################## ## ## Read mount runtime files. ## ## ## ## Domain allowed access. ## ## # interface(`mount_read_runtime_files',` gen_require(` type mount_runtime_t; ') read_files_pattern($1, mount_runtime_t, mount_runtime_t) ') ######################################## ## ## Read and write mount runtime files. ## ## ## ## Domain allowed access. ## ## # interface(`mount_rw_runtime_files',` gen_require(` type mount_runtime_t; ') rw_files_pattern($1, mount_runtime_t, mount_runtime_t) ')