[selinux-policy: 68/3172] make mountpoints work, plus misc

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:11:03 UTC 2010


commit a2d8246bf6239645cf3716bc9280c777e9b8eed0
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Apr 28 21:41:09 2005 +0000

    make mountpoints work, plus misc

 refpolicy/policy/modules/kernel/bootloader.te  |   78 ++++++++++++------------
 refpolicy/policy/modules/kernel/corenetwork.if |   32 +++++++++-
 refpolicy/policy/modules/kernel/devices.te     |    1 +
 refpolicy/policy/modules/kernel/filesystem.te  |    1 +
 refpolicy/policy/modules/kernel/kernel.if      |   14 ++++
 refpolicy/policy/modules/kernel/kernel.te      |    4 +
 refpolicy/policy/modules/kernel/terminal.if    |   16 +++++
 refpolicy/policy/modules/kernel/terminal.te    |   39 ++++++------
 refpolicy/policy/modules/system/domain.if      |   14 ++++
 refpolicy/policy/modules/system/files.if       |   41 ++++++++++++
 refpolicy/policy/modules/system/files.te       |   35 ++++++-----
 refpolicy/policy/modules/system/init.if        |   14 ++++
 refpolicy/policy/modules/system/mount.te       |   42 +++---------
 13 files changed, 223 insertions(+), 108 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 162ad3f..de09fa8 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -2,6 +2,11 @@
 
 policy_module(bootloader,1.0)
 
+########################################
+#
+# Declarations
+#
+
 attribute can_modify_kernel_modules;
 
 #
@@ -9,6 +14,7 @@ attribute can_modify_kernel_modules;
 #
 type boot_t;
 files_make_file(boot_t)
+files_make_mountpoint(boot_t)
 
 #
 # boot_runtime_t is the type for /boot/kernel.h,
@@ -51,7 +57,6 @@ neverallow ~can_modify_kernel_modules modules_object_t:file { create append writ
 type system_map_t;
 files_make_file(system_map_t)
 
-
 ########################################
 #
 # bootloader local policy
@@ -76,6 +81,12 @@ devices_set_all_block_device_attributes(bootloader_t)
 # for reading BIOS data (cjp: ?)
 devices_raw_read_memory(bootloader_t)
 
+init_get_control_channel_attributes(bootloader_t)
+init_script_use_pseudoterminal(bootloader_t)
+init_script_use_file_descriptors(bootloader_t)
+
+domain_use_widely_inheritable_file_descriptors(bootloader_t)
+
 libraries_use_dynamic_loader(bootloader_t)
 libraries_read_shared_libraries(bootloader_t)
 
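Review bot: The added `init_script_use_pseudoterminal(bootloader_t)` and `init_script_use_file_descriptors(bootloader_t)` calls make live the initrc pty and fd access that the TODO block (changed in a later hunk of this file) prefaced with "no transition from initrc to bootloader, so why are these rules needed". That comment is deleted and the question is left unanswered. Either carry it over in the file's existing style, for example `# no transition from initrc to bootloader (cjp: why are these needed?)`, or state the caller that actually hands bootloader_t these descriptors. Without that, a later least-privilege review has no way to tell whether the access is required.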
@@ -92,10 +103,11 @@ logging_send_system_log_message(bootloader_t)
 filesystem_get_persistent_filesystem_attributes(bootloader_t)
 
 terminal_use_controlling_terminal(bootloader_t)
+terminal_get_user_terminal_attributes(bootloader_t)
 
 allow bootloader_t bootloader_etc_t:file { getattr read };
 
-define(`initrc_insmod_optional_policy', `
+optional_policy(modutils.te,`
 modutils_insmod_execute(insmod_t)
 ')
 
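Review bot: The module name in `` optional_policy(modutils.te,` `` is unquoted, while the other calls visible in this file quote it (`` optional_policy(`fsadm.te', ` `` and `` optional_policy(`lvm.te', ` ``). An unquoted argument is open to m4 expansion of its words before the macro sees it, so write it as `` optional_policy(`modutils.te',` `` to match. The unchanged body passes `insmod_t` rather than `bootloader_t` to `modutils_insmod_execute`, which is worth confirming while this block is being touched.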
@@ -116,6 +128,7 @@ bootloader_install_initrd(bootloader_t)
 
 devices_get_random_data(bootloader_t)
 devices_get_pseudorandom_data(bootloader_t)
+
 corecommands_execute_general_programs(bootloader_t)
 corecommands_execute_system_programs(bootloader_t)
 corecommands_execute_shell(bootloader_t)
@@ -144,23 +157,36 @@ optional_policy(`fsadm.te', `
 filesystemtools_execute(bootloader_t)
 ')
 
-################################################################################
+ifdef(`distro_debian', `
+allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
+allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
+allow bootloader_t boot_t:file relabelfrom;
+')
+
+ifdef(`distro_redhat', `
+files_make_mountpoint(bootloader_tmp_t)
+
+# for mke2fs
+mount_transition(bootloader_t)
+allow bootloader_t modules_object_t:lnk_file { getattr read };
+
+# new file system defaults to file_t, granting file_t access is still bad.
+allow bootloader_t self:unix_stream_socket { create ioctl read getattr write setattr append bind getopt setopt shutdown };
+allow bootloader_t boot_runtime_t:file { read getattr unlink };
+
+# for memlock
+devices_get_zeros(bootloader_t)
+allow bootloader_t self:capability ipc_lock;
+')
+
 ifdef(`TODO',`
 
 # admin runs bootloader:
 domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
 allow bootloader_t admin_tty_type:chr_file rw_file_perms;
-allow bootloader_t privfd:fd use;
-
-allow bootloader_t { device_type ttyfile }:chr_file getattr;
-allow bootloader_t initctl_t:fifo_file getattr;
 
-# no transition from initrc to bootloader,
-# so why are these rules needed
 role system_r types bootloader_t;
-allow bootloader_t initrc_devpts_t:chr_file rw_file_perms; 
 allow bootloader_t initrc_t:fifo_file { read write };
-allow bootloader_t initrc_t:fd use;
 
 allow bootloader_t lib_t:file { getattr read };
 
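Review bot: The new `distro_debian` block takes `allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };` out of the TODO section and makes it active policy. A neverallow visible in an earlier hunk header of this file limits changes to `modules_object_t` files to `can_modify_kernel_modules`, and relabeling is another way to change what protects those files. Confirm bootloader_t is meant to hold this and say so in a comment next to the rule. In the new `distro_redhat` block the comment `# new file system defaults to file_t, granting file_t access is still bad.` now sits above the `self:unix_stream_socket` rule, while the `file_t` rules it describes remain in the TODO block further down; drop it here or replace it with a comment about the socket rule. The TODO ifdef opened near the end of this hunk continues outside it.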
@@ -171,17 +197,14 @@ allow bootloader_t var_t:file { getattr read };
 
 # LVM2 / Device Mapper's /dev/mapper/control
 # maybe we should change the labeling for this
-ifdef(`lvm.te', `
+optional_policy(`lvm.te', `
+lvm_transition(bootloader_t)
 allow bootloader_t lvm_control_t:chr_file rw_file_perms;
-domain_auto_trans(bootloader_t, lvm_exec_t, lvm_t)
 allow lvm_t bootloader_tmp_t:file rw_file_perms;
 r_dir_file(bootloader_t, lvm_etc_t)
 ')
 
 ifdef(`distro_debian', `
-allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
-allow bootloader_t modules_object_t:file { relabelfrom relabelto unlink };
-allow bootloader_t boot_t:file relabelfrom;
 allow bootloader_t { usr_t lib_t fsadm_exec_t }:file relabelto;
 allow bootloader_t { usr_t lib_t fsadm_exec_t }:file create_file_perms;
 allow bootloader_t tmpfs_t:dir r_dir_perms;
@@ -194,21 +217,10 @@ can_exec(bootloader_t, usr_t)
 ')
 
 ifdef(`distro_redhat', `
-# for mke2fs
-domain_auto_trans(bootloader_t, mount_exec_t, mount_t);
-allow mount_t bootloader_tmp_t:dir mounton;
-allow bootloader_t modules_object_t:lnk_file { getattr read };
-
 # new file system defaults to file_t, granting file_t access is still bad.
 allow bootloader_t file_t:dir create_dir_perms;
 allow bootloader_t file_t:{ file blk_file chr_file } create_file_perms;
 allow bootloader_t file_t:lnk_file create_lnk_perms;
-allow bootloader_t self:unix_stream_socket create_socket_perms;
-allow bootloader_t boot_runtime_t:file { read getattr unlink };
-
-# for memlock
-allow bootloader_t zero_device_t:chr_file { getattr read };
-allow bootloader_t self:capability ipc_lock;
 ')
 
 dontaudit bootloader_t selinux_config_t:dir search;
@@ -218,15 +230,3 @@ dontaudit bootloader_t devpts_t:dir create_dir_perms;
 dontaudit bootloader_t var_run_t:dir search;
 
 ') dnl end TODO
-
-########################################
-#
-# Conditional policy logic
-#
-
-ifdef(`monolithic_policy',`
-ifdef(`modutils.te',`initrc_insmod_optional_policy')
-',`
-optional modutils { modutils_insmod_execute_depend }
-ifopt (modutils) { initrc_insmod_optional_policy }
-') dnl end monolithic_policy
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if b/refpolicy/policy/modules/kernel/corenetwork.if
index cf9f6d8..b8447ed 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if
+++ b/refpolicy/policy/modules/kernel/corenetwork.if
@@ -791,7 +791,7 @@ allow $1 self:capability net_bind_service;
 ')
 
 define(`corenetwork_bind_udp_on_all_reserved_ports_depend',`
-type reserved_port_type;
+attribute reserved_port_type;
 class tcp_socket name_bind;
 class capability net_bind_service;
 ')
@@ -807,11 +807,39 @@ allow $1 self:capability net_bind_service;
 ')
 
 define(`corenetwork_bind_udp_on_all_reserved_ports_depend',`
-type reserved_port_type;
+attribute reserved_port_type;
 class udp_socket name_bind;
 class self:capability net_bind_service;
 ')
 
+#######################################
+#
+# corenetwork_ignore_bind_tcp_on_all_reserved_ports(domain,[`optional'])
+#
+define(`corenetwork_ignore_bind_tcp_on_all_reserved_ports',`
+requires_block_template(`corenetwork_ignore_bind_tcp_on_all_reserved_ports_depend',$2)
+dontaudit $1 reserved_port_type:tcp_socket name_bind;
+')
+
+define(`corenetwork_ignore_bind_udp_on_all_reserved_ports_depend',`
+attribute reserved_port_type;
+class tcp_socket name_bind;
+')
+
+#######################################
+#
+# corenetwork_ignore_bind_udp_on_all_reserved_ports(domain,[`optional'])
+#
+define(`corenetwork_ignore_bind_udp_on_all_reserved_ports',`
+requires_block_template(`corenetwork_ignore_bind_udp_on_all_reserved_ports_depend',$2)
+dontaudit $1 reserved_port_type:udp_socket name_bind;
+')
+
+define(`corenetwork_ignore_bind_udp_on_all_reserved_ports_depend',`
+attribute reserved_port_type;
+class udp_socket name_bind;
+')
+
 ########################################
 #
 # This section is processed through m4 to create real interfaces
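Review bot: `corenetwork_ignore_bind_tcp_on_all_reserved_ports` requires `corenetwork_ignore_bind_tcp_on_all_reserved_ports_depend`, but no macro of that name is defined in this hunk. The block that follows it declares `class tcp_socket name_bind;` under the name `corenetwork_ignore_bind_udp_on_all_reserved_ports_depend`, and the later udp definition of the same name then replaces it. Rename the first definition to `` define(`corenetwork_ignore_bind_tcp_on_all_reserved_ports_depend',` `` so the tcp interface gets its attribute and class requirements. The unchanged context shows the same slip in `corenetwork_bind_udp_on_all_reserved_ports_depend` (previous hunk, declaring `tcp_socket`), and `class self:capability net_bind_service;` does not match the `class capability net_bind_service;` form used just above it; both are worth fixing in the same pass.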
diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index e4482d1..422d7fb 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -13,6 +13,7 @@ attribute device_node;
 #
 type device_t;
 files_make_file(device_t)
+files_make_mountpoint(device_t)
 filesystem_tmpfs_associate(device_t)
 
 # Only directories and symlinks should be labeled device_t.
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index be8788a..fe81f05 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
@@ -110,6 +110,7 @@ allow removable_t usbfs_t:filesystem associate;
 # and their files.
 #
 type nfs_t, fs_type;
+files_make_mountpoint(nfs_t)
 allow nfs_t self:filesystem associate;
 genfscon nfs / system_u:object_r:nfs_t
 genfscon nfs4 / system_u:object_r:nfs_t
diff --git a/refpolicy/policy/modules/kernel/kernel.if b/refpolicy/policy/modules/kernel/kernel.if
index 224daf6..47f3ef6 100644
--- a/refpolicy/policy/modules/kernel/kernel.if
+++ b/refpolicy/policy/modules/kernel/kernel.if
@@ -57,6 +57,20 @@ class fd use;
 
 ########################################
 #
+# kernel_ignore_use_file_descriptors(domain,[`optional'])
+#
+define(`kernel_ignore_use_file_descriptors',`
+requires_block_template(kernel_ignore_use_file_descriptors_depend,$2)
+dontaudit $1 kernel_t:fd use;
+')
+
+define(`kernel_ignore_use_file_descriptors_depend',`
+type kernel_t;
+class fd use;
+')
+
+########################################
+#
 # kernel_make_root_filesystem_mountpoint(domain,[`optional'])
 #
 define(`kernel_make_root_filesystem_mountpoint',`
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index a8173ef..2092546 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -36,6 +36,7 @@ genfscon selinuxfs / system_u:object_r:security_t
 # sysfs_t is the type for /sys
 #
 type sysfs_t;
+files_make_mountpoint(sysfs_t)
 filesystem_make_filesystem(sysfs_t)
 genfscon sysfs / system_u:object_r:sysfs_t
 
@@ -43,6 +44,7 @@ genfscon sysfs / system_u:object_r:sysfs_t
 # usbfs_t is the type for /proc/bus/usb
 #
 type usbfs_t alias usbdevfs_t;
+files_make_mountpoint(usbfs_t)
 filesystem_make_filesystem(usbfs_t)
 genfscon usbfs / system_u:object_r:usbfs_t
 genfscon usbdevfs / system_u:object_r:usbfs_t
@@ -52,6 +54,7 @@ genfscon usbdevfs / system_u:object_r:usbfs_t
 #
 
 type proc_t;
+files_make_mountpoint(proc_t)
 genfscon proc / system_u:object_r:proc_t
 genfscon proc /sysvipc system_u:object_r:proc_t
 
@@ -89,6 +92,7 @@ genfscon proc /sys system_u:object_r:sysctl_t
 
 # /proc/sys/fs directory and files
 type sysctl_fs_t;
+files_make_mountpoint(sysctl_fs_t)
 genfscon proc /sys/fs system_u:object_r:sysctl_fs_t
 
 # /proc/sys/kernel directory and files
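Review bot: `files_make_mountpoint(sysctl_fs_t)` carries no comment saying what is mounted under /proc/sys/fs, so the reason a sysctl directory type is a mount target is lost. The mount.te rule it replaces had `# mount binfmt_misc on /proc/sys/fs/binfmt_misc` and named `sysctl_t`, not `sysctl_fs_t`. Move that comment above this line and confirm the change of type from the old rule is intended.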
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index 64da779..bf48426 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -153,3 +153,19 @@ define(`terminal_ignore_list_pseudoterminals_depend',`
 type devpts_t;
 class dir { getattr search read };
 ')
+
+########################################
+#
+# terminal_get_user_terminal_attributes(domain,[`optional'])
+#
+define(`terminal_get_user_terminal_attributes',`
+requires_block_template(terminal_get_user_terminal_attributes_depend,$2)
+devices_list_device_nodes($1,optional)
+allow $1 ttynode:chr_file getattr;
+')
+
+define(`terminal_get_user_terminal_attributes_depend',`
+attribute ttynode;
+class chr_file getattr;
+devices_list_device_nodes_depend
+')
diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te
index 8b1323a..36d172b 100644
--- a/refpolicy/policy/modules/kernel/terminal.te
+++ b/refpolicy/policy/modules/kernel/terminal.te
@@ -6,43 +6,44 @@ attribute ttynode;
 attribute ptynode;
 
 #
+# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
+type bsdpty_device_t;
+devices_make_device_node(bsdpty_device_t)
+
+#
 # console_device_t is the type of /dev/console.
 #
 type console_device_t;
 devices_make_device_node(console_device_t)
 
 #
+# devpts_t is the type of the devpts file system and 
+# the type of the root directory of the file system.
+#
+type devpts_t;
+files_make_mountpoint(devpts_t)
+filesystem_make_filesystem(devpts_t)
+
+#
 # devtty_t is the type of /dev/tty.
 #
 type devtty_t;
 devices_make_device_node(devtty_t)
 
 #
-# tty_device_t is the type of /dev/*tty*
+# ptmx_t is the type for /dev/ptmx.
 #
-type tty_device_t, ttynode;
-devices_make_device_node(tty_device_t)
+type ptmx_t;
+devices_make_device_node(ptmx_t)
 
 #
-# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
-type bsdpty_device_t, ptynode;
-devices_make_device_node(bsdpty_device_t)
+# tty_device_t is the type of /dev/*tty*
+#
+type tty_device_t;
+devices_make_device_node(tty_device_t)
 
 #
 # usbtty_device_t is the type of /dev/usr/tty*
 #
 type usbtty_device_t;
 devices_make_device_node(usbtty_device_t)
-
-#
-# ptmx_t is the type for /dev/ptmx.
-#
-type ptmx_t;
-devices_make_device_node(ptmx_t)
-
-#
-# devpts_t is the type of the devpts file system and 
-# the type of the root directory of the file system.
-#
-type devpts_t;
-filesystem_make_filesystem(devpts_t)
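Review bot: The reordering also drops attributes: `type tty_device_t, ttynode;` becomes `type tty_device_t;` and `type bsdpty_device_t, ptynode;` becomes `type bsdpty_device_t;`. Nothing else in this file section assigns `ttynode` or `ptynode`, so the interface added in terminal.if by this same commit (`allow $1 ttynode:chr_file getattr;`) may no longer match these device types. If the removal is unintended, keep `type tty_device_t, ttynode;` and `type bsdpty_device_t, ptynode;`. If it is intended, add a comment saying where the attributes are assigned now, since a change in access is easy to miss inside a pure reordering.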
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 42e2333..fbc39fe 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -115,6 +115,20 @@ attribute privfd;
 
 ########################################
 #
+# domain_use_widely_inheritable_file_descriptors(domain,[`optional'])
+#
+define(`domain_use_widely_inheritable_file_descriptors',`
+requires_block_template(domain_use_widely_inheritable_file_descriptors_depend,$2)
+allow $1 privfd:fd use;
+')
+
+define(`domain_use_widely_inheritable_file_descriptors_depend',`
+attribute privfd;
+class fd use;
+')
+
+########################################
+#
 # domain_all_init_domains_transition(domain,[`optional'])
 #
 define(`domain_all_init_domains_transition',`
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 53b3ac0..8adce40 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -19,6 +19,19 @@ filesystem_noxattr_associate_depend
 
 ########################################
 #
+# files_make_mountpoint(type,[`optional'])
+#
+define(`files_make_mountpoint',`
+requires_block_template(files_make_mountpoint_depend,$2)
+typeattribute $1 mountpoint;
+')
+
+define(`files_make_mountpoint_depend',`
+attribute mountpoint;
+')
+
+########################################
+#
 # files_get_all_file_attributes(type,[`optional'])
 #
 define(`files_get_all_file_attributes',`
@@ -95,6 +108,20 @@ class dir { getattr search read };
 
 ########################################
 #
+# files_mount_on_all_mountpoints(type,[`optional'])
+#
+define(`files_mount_on_all_mountpoints',`
+requires_block_template(files_mount_on_all_mountpoints_depend,$2)
+allow $1 mountpoint:dir { getattr search mounton };
+')
+
+define(`files_mount_on_all_mountpoints_depend',`
+attribute mountpoint;
+class dir { getattr search mounton };
+')
+
+########################################
+#
 # files_read_root_dir(domain,[`optional'])
 #
 define(`files_read_root_dir',`
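Review bot: The header comment names the first parameter `type`, but in `allow $1 mountpoint:dir { getattr search mounton };` the argument is the source domain being granted access. Write it as `` # files_mount_on_all_mountpoints(domain,[`optional']) ``, matching `files_unmount_root_filesystem(domain,...)` later in this file. A one-line description would also help callers, for example `# Allow the domain to mount filesystems on any directory type with the mountpoint attribute.`, because the grant widens whenever another module calls `files_make_mountpoint`.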
@@ -186,6 +213,20 @@ class dir { getattr search read write remove_name };
 
 ########################################
 #
+# files_unmount_root_filesystem(domain,[`optional'])
+#
+define(`files_unmount_root_filesystem',`
+requires_block_template(files_unmount_root_filesystem_depend,$2)
+allow $1 root_t:filesystem unmount;
+')
+
+define(`files_unmount_root_filesystem_depend',`
+type root_t;
+class filesystem unmount;
+')
+
+########################################
+#
 # files_read_general_system_config(type,[`optional'])
 #
 define(`files_read_general_system_config',`
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
index 66e2247..c3aa666 100644
--- a/refpolicy/policy/modules/system/files.te
+++ b/refpolicy/policy/modules/system/files.te
@@ -6,11 +6,12 @@ attribute file_type;
 attribute lockfile;
 attribute pidfile;
 attribute tmpfile;
+attribute mountpoint;
 
 # default_t is the default type for files that do not
 # match any specification in the file_contexts configuration
 # other than the generic /.* specification.
-type default_t, file_type;
+type default_t, file_type, mountpoint;
 filesystem_associate(default_t)
 filesystem_noxattr_associate(default_t)
 
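Review bot: `attribute mountpoint;` is declared without a comment, and in this hunk and the next it is attached to `default_t` and `file_t`, the labels for files that match no context specification or have no label at all. Together with `files_mount_on_all_mountpoints(mount_t)` in mount.te, that lets mount_t mount over any such directory. The removed TODO rules in mount.te listed the same types, so this may be intended, but the reason should be written down. Suggest `# mountpoint: directory types a filesystem may be mounted on (see files_mount_on_all_mountpoints)` above the attribute, plus a short note on the `default_t` and `file_t` declarations saying why they are included.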
@@ -35,26 +36,16 @@ filesystem_noxattr_associate(etc_runtime_t)
 # assigned an extended attribute (EA) value (when using a filesystem
 # that supports EAs).
 #
-type file_t, file_type;
+type file_t, file_type, mountpoint;
 filesystem_associate(file_t)
 filesystem_noxattr_associate(file_t)
 kernel_make_root_filesystem_mountpoint(file_t)
 
 #
-# root_t is the type for rootfs and the root directory.
-#
-type root_t, file_type;
-filesystem_associate(root_t)
-filesystem_noxattr_associate(root_t)
-kernel_read_directory_from(root_t)
-kernel_make_root_filesystem_mountpoint(root_t)
-genfscon rootfs / system_u:object_r:root_t
-
-#
 # home_root_t is the type for the directory where user home directories
 # are created
 #
-type home_root_t, file_type;
+type home_root_t, file_type, mountpoint;
 filesystem_associate(home_root_t)
 filesystem_noxattr_associate(home_root_t)
 
@@ -68,7 +59,7 @@ filesystem_noxattr_associate(lost_found_t)
 #
 # mnt_t is the type for mount points such as /mnt/cdrom
 #
-type mnt_t, file_type;
+type mnt_t, file_type, mountpoint;
 filesystem_associate(mnt_t)
 filesystem_noxattr_associate(mnt_t)
 
@@ -85,6 +76,16 @@ filesystem_associate(readable_t)
 filesystem_noxattr_associate(readable_t)
 
 #
+# root_t is the type for rootfs and the root directory.
+#
+type root_t, file_type, mountpoint;
+filesystem_associate(root_t)
+filesystem_noxattr_associate(root_t)
+kernel_read_directory_from(root_t)
+kernel_make_root_filesystem_mountpoint(root_t)
+genfscon rootfs / system_u:object_r:root_t
+
+#
 # src_t is the type of files in the system src directories.
 #
 type src_t, file_type;
@@ -94,21 +95,21 @@ filesystem_noxattr_associate(src_t)
 #
 # tmp_t is the type of the temporary directories
 #
-type tmp_t, file_type, tmpfile;
+type tmp_t, file_type, tmpfile, mountpoint;
 filesystem_associate(tmp_t)
 filesystem_noxattr_associate(tmp_t)
 
 #
 # usr_t is the type for /usr.
 #
-type usr_t, file_type;
+type usr_t, file_type, mountpoint;
 filesystem_associate(usr_t)
 filesystem_noxattr_associate(usr_t)
 
 #
 # var_t is the type of /var
 #
-type var_t, file_type;
+type var_t, file_type, mountpoint;
 filesystem_associate(var_t)
 filesystem_noxattr_associate(var_t)
 
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 7284838..8b2e2f2 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -20,6 +20,20 @@ class process { transition noatsecure siginh rlimitinh };
 
 ########################################
 #
+# init_get_control_channel_attributes(domain,[`optional'])
+#
+define(`init_get_control_channel_attributes',`
+requires_block_template(init_get_control_channel_attributes_depend,$2)
+allow $1 initctl_t:fifo_file getattr;
+')
+
+define(`init_get_control_channel_attributes_depend',`
+type initctl_t;
+class fifo_file getattr;
+')
+
+########################################
+#
 # init_sigchld(domain,[`optional'])
 #
 define(`init_sigchld',`
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index fd8a76c..af0b7b1 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -21,6 +21,7 @@ allow mount_t mount_tmp_t:file { getattr create read setattr write setattr unlin
 allow mount_t mount_tmp_t:dir { getattr search create read setattr write setattr unlink rmdir };
 
 kernel_read_system_state(mount_t)
+kernel_ignore_use_file_descriptors(mount_t)
 
 devices_get_all_block_device_attributes(mount_t)
 devices_list_device_nodes(mount_t)
@@ -34,13 +35,23 @@ filesystem_get_persistent_filesystem_attributes(mount_t)
 filesystem_mount_all_filesystems(mount_t)
 filesystem_unmount_all_filesystems(mount_t)
 filesystem_remount_all_filesystems(mount_t)
+files_unmount_root_filesystem(mount_t)
 
 terminal_use_console(mount_t)
 
+corenetwork_ignore_bind_tcp_on_all_reserved_ports(mount_t)
+corenetwork_ignore_bind_udp_on_all_reserved_ports(mount_t)
+
+init_use_file_descriptors(mount_t)
+init_script_use_pseudoterminal(mount_t)
+
+domain_use_widely_inheritable_file_descriptors(mount_t)
+
 files_search_all_directories(mount_t)
 files_create_private_tmp_data(mount_t,mount_tmp_t,{ file dir })
 files_read_general_system_config(mount_t)
 files_create_runtime_system_config(mount_t)
+files_mount_on_all_mountpoints(mount_t)
 
 libraries_use_dynamic_loader(mount_t)
 libraries_read_shared_libraries(mount_t)
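Review bot: The two `corenetwork_ignore_bind_*_on_all_reserved_ports(mount_t)` calls here, and `kernel_ignore_use_file_descriptors(mount_t)` in the previous hunk, turn on dontaudit rules with no stated reason; the block they replace was headed only `# Dontaudits`. A dontaudit rule removes the denial from the audit log, so anyone later reviewing mount_t activity will not see these attempts. Add a comment above each call naming the expected benign source, for example `# mount tries reserved ports for NFS; the denial is expected` if that is the reason.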
@@ -54,31 +65,9 @@ logging_send_system_log_message(mount_t)
 miscfiles_read_localization(mount_t)
 
 ifdef(`TODO',`
-
 # Mount, remount and unmount file systems.
-allow mount_t default_t:dir mounton;
-allow mount_t file_t:dir mounton;
-allow mount_t usr_t:dir mounton;
-allow mount_t var_t:dir mounton;
-allow mount_t proc_t:dir mounton;
-allow mount_t root_t:dir mounton;
-allow mount_t home_root_t:dir mounton;
-allow mount_t tmp_t:dir mounton;
-allow mount_t mnt_t:dir { mounton getattr };
-allow mount_t devpts_t:dir mounton;
-allow mount_t usbdevfs_t:dir mounton;
-allow mount_t sysfs_t:dir { mounton search };
-allow mount_t nfs_t:dir { mounton search };
 # nfsv4 has a filesystem to mount for its userspace daemons
 allow mount_t var_lib_nfs_t:dir mounton;
-allow mount_t boot_t:dir mounton;
-allow mount_t device_t:dir mounton;
-# mount binfmt_misc on /proc/sys/fs/binfmt_misc
-allow mount_t sysctl_t:dir { mounton search };
-#TODO: Need macro for unmounting root filesystem
-#allow mount_t root_t:filesystem unmount;
-
-allow mount_t initrc_devpts_t:chr_file { read write };
 
 #domain_auto_trans(initrc_t, mount_exec_t, mount_t)
 
@@ -91,10 +80,6 @@ allow sysadm_t sysadm_mount_source_t:file create_file_perms;
 allow sysadm_t sysadm_mount_source_t:file { relabelto relabelfrom };
 allow mount_t sysadm_mount_source_t:file rw_file_perms;
 
-# TODO: Examine these further; may need macros
-allow mount_t init_t:fd use;
-allow mount_t privfd:fd use;
-
 # TODO: Probably need a macro for reading/unlinking files
 # for when /etc/mtab loses its type
 allow mount_t file_t:file { getattr read unlink };
@@ -123,7 +108,6 @@ allow $2_t dosfs_t:filesystem relabelfrom;
 ') dnl end pamconsole.te
 ') dnl end distro_redhat
 
-# TODO: This macro contains an ifdef for rhgb.te
 ifdef(`rhgb.te', `
 allow mount_t rhgb_t:process sigchld;
 allow mount_t rhgb_t:fd use;
@@ -152,8 +136,4 @@ can_udp_send(portmap_t, mount_t)
 allow mount_t rpc_pipefs_t:dir search;
 ')
 
-# Dontaudits
-dontaudit mount_t reserved_port_type:{tcp_socket udp_socket} name_bind;
-dontaudit mount_t kernel_t:fd use;
-
 ') dnl endif TODO

