selinux-refpolicy/strict/domains/program/updfstab.te


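#DESC updfstab - Red Hat utility to change /etc/fstab
#
# Author: Russell Coker <russell@coker.com.au>
#
# Domain updfstab_t for the Red Hat updfstab daemon.  The domain also carries
# the fs_domain and etc_writer attributes, so it additionally receives every
# rule granted to those attributes elsewhere in the policy.
daemon_base_domain(updfstab, `, fs_domain, etc_writer')
# NOTE(review): write access is granted on the whole etc_t type, not on a
# dedicated fstab type.  A compromised updfstab_t can therefore create or
# rewrite any etc_t-labelled file under /etc, not only /etc/fstab.
rw_dir_create_file(updfstab_t, etc_t)
# Create mount point directories and files under /mnt.
create_dir_file(updfstab_t, mnt_t)
# Read /dev directories and modify sym-links (presumably device aliases such
# as /dev/cdrom; create_file_perms on lnk_file presumably also covers unlink
# and rename, i.e. the daemon can repoint existing /dev links).
allow updfstab_t device_t:dir rw_dir_perms;
allow updfstab_t device_t:lnk_file create_file_perms;
# Access disk devices.
# NOTE(review): raw read/write on block devices bypasses every file-level
# label stored on those disks, so updfstab_t has to be treated as trusted
# with the entire contents of fixed and removable disks.  Confirm that write
# access (rather than read-only probing) is actually required.
allow updfstab_t fixed_disk_device_t:blk_file rw_file_perms;
allow updfstab_t removable_device_t:blk_file rw_file_perms;
allow updfstab_t scsi_generic_device_t:chr_file rw_file_perms;
# for /proc/partitions
allow updfstab_t proc_t:file { getattr read };
# for /proc/self/mounts (a process own /proc entries carry its domain label,
# hence the self target)
r_dir_file(updfstab_t, self)
# for /etc/mtab
allow updfstab_t etc_runtime_t:file { getattr read };
read_locale(updfstab_t)
# D-Bus: act as a client of the system bus and exchange messages with
# initrc_t in both directions.  Only compiled in when dbusd.te is present.
ifdef(`dbusd.te', `
dbusd_client(system, updfstab)
allow updfstab_t system_dbusd_t:dbus { send_msg };
allow initrc_t updfstab_t:dbus send_msg;
allow updfstab_t initrc_t:dbus send_msg;
')
# not sure what the sysctl_kernel_t file is, or why it wants to write it, so
# I will not allow it
read_sysctl(updfstab_t)
# The write stays denied; the dontaudit only keeps the denial out of the
# audit log so it does not look like a policy bug.
dontaudit updfstab_t sysctl_kernel_t:file write;
# Kernel module configuration (modules_conf_t), read-only.
allow updfstab_t modules_conf_t:file { getattr read };
allow updfstab_t sbin_t:lnk_file read;
allow updfstab_t { var_t var_log_t }:dir search;
allow updfstab_t kernel_t:fd use;
allow updfstab_t self:unix_stream_socket create_stream_socket_perms;
allow updfstab_t self:unix_dgram_socket create_socket_perms;
# The insmod_exec_t binary is executed WITHOUT a domain transition (the
# domain_auto_trans line is deliberately disabled with dnl), so it runs with
# updfstab_t permissions.  Nothing in this file grants sys_module, so real
# module loading from this domain is expected to be denied unless another
# policy file grants it.
ifdef(`modutil.te', `
dnl domain_auto_trans(updfstab_t, insmod_exec_t, insmod_t)
can_exec(updfstab_t, insmod_exec_t)
allow updfstab_t modules_object_t:dir search;
allow updfstab_t modules_dep_t:file { getattr read };
')
# pam_console, unlike insmod above, is run through a proper domain transition.
ifdef(`pamconsole.te', `
domain_auto_trans(updfstab_t, pam_console_exec_t, pam_console_t)
')
allow updfstab_t kernel_t:system syslog_console;
# Read and write the administrator terminal.  Write lets the daemon print
# onto the admin session; confirm that read is really needed for a daemon.
allow updfstab_t sysadm_tty_device_t:chr_file { read write };
# dac_override bypasses DAC (mode-bit) checks on every object the policy
# otherwise permits.  Together with the whole-etc_t and raw-disk write access
# above this is a large grant for a small utility.
allow updfstab_t self:capability dac_override;
dontaudit updfstab_t self:capability sys_admin;
# Read the SELinux configuration and file context databases, and query the
# security server.
r_dir_file(updfstab_t, { selinux_config_t file_context_t default_context_t } )
can_getsecurity(updfstab_t)
# search on sbin_t is covered here; a separate sbin_t:dir search rule that
# this one subsumed has been dropped.
allow updfstab_t { sbin_t bin_t }:dir { search getattr };
dontaudit updfstab_t devtty_t:chr_file { read write };
allow updfstab_t self:fifo_file { getattr read write ioctl };
# NOTE(review): any binary labelled sbin_t, bin_t or ls_exec_t is executed
# with no domain transition defined here, so helper programs inherit every
# permission in this file, including raw disk write and etc_t write.
can_exec(updfstab_t, { sbin_t bin_t ls_exec_t } )
# Silence home directory lookups (probably from PATH or config searches)
# rather than granting them.
dontaudit updfstab_t home_root_t:dir { getattr search };
dontaudit updfstab_t { home_dir_type home_type }:dir search;
# Filesystem and tmpfs stat calls.
allow updfstab_t fs_t:filesystem { getattr };
allow updfstab_t tmpfs_t:dir getattr;
# Connect to the hald unix socket when the hald policy is present.
ifdef(`hald.te', `
can_unix_connect(updfstab_t, hald_t)
')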