selinux-refpolicy/targeted/macros/program/mount_macros.te


#
# Macros for mount
#
# Author: Brian May <bam@snoopy.apana.org.au>
# Extended by Russell Coker <russell@coker.com.au>
#
#
# mount_domain(domain_prefix,dst_domain_prefix)
#
# Define a derived domain for the mount program for anyone.
#
define(`mount_domain', `
#
# Rules for the $2_t domain, used by the $1_t domain.
#
# $2_t is the domain for the mount process.
#
# Arguments: the first is the prefix of the calling domain and role, the
# second is the prefix of the derived mount domain. A third argument, if
# supplied, is pasted verbatim into the attribute list of the type
# declaration below.
#
# Comments in this body sit inside an m4 quoted string, so they must not
# contain quote characters.
#
# This macro will not be included by all users and it may be included twice if
# called from other macros, so callers need to guard against that: do not call
# this macro if $2_def is already defined.
define(`$2_def', `')
#
# Declare the mount domain type. The third argument follows privlog with no
# separating comma, so a caller adding attributes must begin it with a comma.
type $2_t, domain, privlog $3, nscd_client_domain;
# Directory search only on sysfs; no file access is granted by this rule.
allow $2_t sysfs_t:dir search;
# Shared library access (macro defined elsewhere).
uses_shlib($2_t)
# Authorise the mount domain type for the calling role.
role $1_r types $2_t;
# When $1_t runs a program labelled mount_exec_t the process goes to the
# $2_t domain automatically.
domain_auto_trans($1_t, mount_exec_t, $2_t)
# Search /proc directories and read proc_t files.
allow $2_t proc_t:dir search;
allow $2_t proc_t:file { getattr read };
#
# Allow mounting of cdrom by user
#
# getattr only, on every type carrying the device_type attribute: this rule
# by itself does not let the domain open, read or write any block device.
allow $2_t device_type:blk_file getattr;
# Temporary file support for the domain (see tmp_domain, defined elsewhere).
tmp_domain($2)
# Use capabilities.
# NOTE(review): sys_admin is the capability mount(2) itself needs. sys_rawio,
# dac_override, chown and net_bind_service widen the domain well beyond that,
# and the domain is entered automatically from $1_t, so each one should be
# confirmed as required for the callers of this macro.
allow $2_t self:capability { net_bind_service sys_rawio sys_admin dac_override chown };
allow $2_t self:unix_stream_socket create_socket_perms;
# Create and modify /etc/mtab.
# Presumably files the domain creates in etc_t directories are labelled
# etc_runtime_t; confirm against the file_type_auto_trans definition.
file_type_auto_trans($2_t, etc_t, etc_runtime_t, file)
# Existing etc_t files are readable but not writable through this rule.
allow $2_t etc_t:file { getattr read };
read_locale($2_t)
# Path traversal only (search) through the home root and the home directory
# type of the calling user; no file access there is granted here.
allow $2_t home_root_t:dir search;
allow $2_t $1_home_dir_t:dir search;
# The only mount and unmount grants made directly by this macro: filesystems
# carrying noexattrfile and filesystems labelled removable_t. fs_t gets
# getattr only.
allow $2_t noexattrfile:filesystem { mount unmount };
allow $2_t fs_t:filesystem getattr;
allow $2_t removable_t:filesystem { mount unmount };
# mounton is granted on mnt_t directories only, so the rules in this macro
# permit no other directory type as a mount point.
allow $2_t mnt_t:dir { mounton search };
allow $2_t sbin_t:dir search;
# Access the terminal.
access_terminal($2_t, $1)
# Only when the gnome-pty-helper policy is present: use file descriptors
# passed from the $1_gph_t domain.
ifdef(`gnome-pty-helper.te', `allow $2_t $1_gph_t:fd use;')
allow $2_t var_t:dir search;
allow $2_t var_run_t:dir search;
# The rules below apply only on Red Hat builds that also include the
# pamconsole policy.
ifdef(`distro_redhat',`
ifdef(`pamconsole.te',`
r_dir_file($2_t,pam_var_console_t)
# mount config by default sets fscontext=removable_t
# (presumably the reason relabelfrom on dosfs_t is needed; confirm)
allow $2_t dosfs_t:filesystem relabelfrom;
') dnl end pamconsole.te
') dnl end distro_redhat
') dnl end mount_domain
# mount_loopback_privs(domain_prefix,dst_domain_prefix)
#
# Add loopback mounting privileges to a particular derived
# mount domain.
#
define(`mount_loopback_privs',`
# Declare a file type named from both prefixes; presumably it labels the
# files that back loopback mounts (confirm against callers).
# Comments in this body sit inside an m4 quoted string, so they must not
# contain quote characters.
type $1_$2_source_t, file_type, sysadmfile, $1_file_type;
# The calling domain $1_t may create and manage files of this type and
# relabel files to and from it.
# NOTE(review): because $1_t controls the labelling, it decides which files
# $2_t is able to read and write; check that this is intended for every
# domain the macro is applied to.
allow $1_t $1_$2_source_t:file create_file_perms;
allow $1_t $1_$2_source_t:file { relabelto relabelfrom };
# $2_t gets rw_file_perms on these files and nothing else from this macro.
allow $2_t $1_$2_source_t:file rw_file_perms;
')