[selinux-policy: 51/3172] initial commit

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:09:23 UTC 2010


commit 3016a9ff9575329fc13f667c70cb04ca7aebc6f4
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Apr 26 21:12:52 2005 +0000

    initial commit

 refpolicy/policy/modules/system/mount.te |  159 ++++++++++++++++++++++++++++++
 1 files changed, 159 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
new file mode 100644
index 0000000..fd8a76c
--- /dev/null
+++ b/refpolicy/policy/modules/system/mount.te
@@ -0,0 +1,159 @@
+# Copyright (C) 2005 Tresys Technology, LLC
+
+type mount_t;
+domain_make_domain(mount_t)
+role system_r types mount_t;
+
+type mount_exec_t;
+domain_make_entrypoint_file(mount_t,mount_exec_t)
+
+type mount_tmp_t;
+files_make_file(mount_tmp_t)
+
+########################################
+#
+# mount local policy
+#
+
+allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown };
+
+allow mount_t mount_tmp_t:file { getattr create read setattr write setattr unlink };
+allow mount_t mount_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
+
+kernel_read_system_state(mount_t)
+
+devices_get_all_block_device_attributes(mount_t)
+devices_list_device_nodes(mount_t)
+
+storage_raw_read_fixed_disk(mount_t)
+storage_raw_write_fixed_disk(mount_t)
+storage_raw_read_removable_device(mount_t)
+storage_raw_write_removable_device(mount_t)
+
+filesystem_get_persistent_filesystem_attributes(mount_t)
+filesystem_mount_all_filesystems(mount_t)
+filesystem_unmount_all_filesystems(mount_t)
+filesystem_remount_all_filesystems(mount_t)
+
+terminal_use_console(mount_t)
+
+files_search_all_directories(mount_t)
+files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir })
+files_read_general_system_config(mount_t)
+files_create_runtime_system_config(mount_t)
+
+libraries_use_dynamic_loader(mount_t)
+libraries_read_shared_libraries(mount_t)
+
+# required for mount.smbfs
+corecommands_execute_system_programs(mount_t)
+corecommands_execute_general_programs(mount_t)
+
+logging_send_system_log_message(mount_t)
+
+miscfiles_read_localization(mount_t)
+
+ifdef(`TODO',`
+
+# Mount, remount and unmount file systems.
+allow mount_t default_t:dir mounton;
+allow mount_t file_t:dir mounton;
+allow mount_t usr_t:dir mounton;
+allow mount_t var_t:dir mounton;
+allow mount_t proc_t:dir mounton;
+allow mount_t root_t:dir mounton;
+allow mount_t home_root_t:dir mounton;
+allow mount_t tmp_t:dir mounton;
+allow mount_t mnt_t:dir { mounton getattr };
+allow mount_t devpts_t:dir mounton;
+allow mount_t usbdevfs_t:dir mounton;
+allow mount_t sysfs_t:dir { mounton search };
+allow mount_t nfs_t:dir { mounton search };
+# nfsv4 has a filesystem to mount for its userspace daemons
+allow mount_t var_lib_nfs_t:dir mounton;
+allow mount_t boot_t:dir mounton;
+allow mount_t device_t:dir mounton;
+# mount binfmt_misc on /proc/sys/fs/binfmt_misc
+allow mount_t sysctl_t:dir { mounton search };
+#TODO: Need macro for unmounting root filesystem
+#allow mount_t root_t:filesystem unmount;
+
+allow mount_t initrc_devpts_t:chr_file { read write };
+
+#domain_auto_trans(initrc_t, mount_exec_t, mount_t)
+
+# for localization
+allow mount_t lib_t:file { getattr read };
+
+# TODO: Need to examine this further. Not sure how to handle this
+type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
+allow sysadm_t sysadm_mount_source_t:file create_file_perms;
+allow sysadm_t sysadm_mount_source_t:file { relabelto relabelfrom };
+allow mount_t sysadm_mount_source_t:file rw_file_perms;
+
+# TODO: Examine these further; may need macros
+allow mount_t init_t:fd use;
+allow mount_t privfd:fd use;
+
+# TODO: Probably need a macro for reading/unlinking files
+# for when /etc/mtab loses its type
+allow mount_t file_t:file { getattr read unlink };
+
+# TODO: Need macro for granting relabelto, relabelfrom
+allow mount_t fs_t:filesystem relabelfrom;
+
+# This rule needs to be generalized.  Only admin, initrc should have it.
+allow mount_t file_type:filesystem { unmount mount relabelto };
+
+allow mount_t userdomain:fd use;
+
+domain_auto_trans(sysadm_t, mount_exec_t, mount_t)
+role sysadm_r types mount_t;
+allow mount_t sysadm_tty_device_t:chr_file { getattr read write ioctl };
+allow mount_t sysadm_devpts_t:chr_file { getattr read write };
+ifdef(`gnome-pty-helper.te', `
+allow mount_t sysadm_gph_t:fd use;
+')
+
+ifdef(`distro_redhat',`
+ifdef(`pamconsole.te',`
+r_dir_file($2_t,pam_var_console_t)
+# mount config by default sets fscontext=removable_t
+allow $2_t dosfs_t:filesystem relabelfrom;
+') dnl end pamconsole.te
+') dnl end distro_redhat
+
+# TODO: This macro contains an ifdef for rhgb.te
+ifdef(`rhgb.te', `
+allow mount_t rhgb_t:process sigchld;
+allow mount_t rhgb_t:fd use;
+allow mount_t rhgb_t:fifo_file { read write };
+')
+
+ifdef(`distro_redhat', `
+allow mount_t tmpfs_t:chr_file { read write };
+allow mount_t tmpfs_t:dir mounton;
+')
+
+ifdef(`automount.te', `
+allow mount_t autofs_t:dir read;
+')
+
+ifdef(`portmap.te', `
+# for nfs
+can_network(mount_t)
+can_ypbind(mount_t)
+corenetwork_bind_tcp_on_general_port(mount_t)
+corenetwork_bind_udp_on_general_port(mount_t)
+corenetwork_bind_tcp_on_reserved_port(mount_t)
+corenetwork_bind_udp_on_reserved_port(mount_t)
+can_udp_send(mount_t, portmap_t)
+can_udp_send(portmap_t, mount_t)
+allow mount_t rpc_pipefs_t:dir search;
+')
+
+# Dontaudits
+dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
+dontaudit mount_t kernel_t:fd use;
+
+') dnl endif TODO
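Review bot: `setattr` is listed twice in each of the two mount_tmp_t rules (`{ getattr create read setattr write setattr unlink }` for file, and the matching dir rule); drop the duplicate so they read `allow mount_t mount_tmp_t:file { getattr create read setattr write unlink };` and `allow mount_t mount_tmp_t:dir { getattr search create read setattr write unlink rmdir };`. Those two rules may also overlap with `files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir })` a few lines below, depending on what that interface grants, so it is worth confirming whether both are needed. The `self:capability` rule grants sys_rawio, sys_admin and dac_override without saying why; a short comment such as `# sys_admin for mount(2); sys_rawio/dac_override for raw block-device access -- confirm ipc_lock and chown are still required` would make later audits of this broad set easier. Inside the disabled ifdef(`TODO') block, the `sysadm_mount_source_t` type line and the two `$2_t` rules under distro_redhat reference macro arguments (`$1_file_type`, `$2_t`) although this file is not an m4 macro definition, so they would presumably expand literally if that block were ever enabled.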

