1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
|
policy_module(fstools, 1.20.1)
########################################
#
# Declarations
#
type fsadm_t;
type fsadm_exec_t;
init_system_domain(fsadm_t, fsadm_exec_t)
role system_r types fsadm_t;
type fsadm_log_t;
logging_log_file(fsadm_log_t)
type fsadm_tmp_t;
files_tmp_file(fsadm_tmp_t)
type fsadm_run_t;
files_pid_file(fsadm_run_t)
type swapfile_t; # customizable
files_type(swapfile_t)
########################################
#
# local policy
#
# ipc_lock is for losetup
allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_resource sys_tty_config dac_override dac_read_search };
allow fsadm_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execmem execheap };
allow fsadm_t self:fd use;
allow fsadm_t self:fifo_file rw_fifo_file_perms;
allow fsadm_t self:sock_file read_sock_file_perms;
allow fsadm_t self:unix_dgram_socket create_socket_perms;
allow fsadm_t self:unix_stream_socket create_stream_socket_perms;
allow fsadm_t self:unix_dgram_socket sendto;
allow fsadm_t self:unix_stream_socket connectto;
allow fsadm_t self:shm create_shm_perms;
allow fsadm_t self:sem create_sem_perms;
allow fsadm_t self:msgq create_msgq_perms;
allow fsadm_t self:msg { send receive };
can_exec(fsadm_t, fsadm_exec_t)
allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
allow fsadm_t fsadm_tmp_t:file manage_file_perms;
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
allow fsadm_t fsadm_run_t:dir manage_dir_perms;
allow fsadm_t fsadm_run_t:file manage_file_perms;
files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
# log files
allow fsadm_t fsadm_log_t:dir setattr;
manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
logging_log_filetrans(fsadm_t, fsadm_log_t, file)
# Enable swapping to files
allow fsadm_t swapfile_t:file { rw_file_perms swapon };
kernel_read_system_state(fsadm_t)
kernel_read_kernel_sysctls(fsadm_t)
kernel_request_load_module(fsadm_t)
kernel_manage_unlabeled_dirs(fsadm_t)
# Allow console log change (updfstab)
kernel_change_ring_buffer_level(fsadm_t)
# mkreiserfs needs this
kernel_getattr_proc(fsadm_t)
kernel_getattr_core_if(fsadm_t)
# Access to /initrd devices
kernel_rw_unlabeled_dirs(fsadm_t)
kernel_rw_unlabeled_blk_files(fsadm_t)
kernel_read_unlabeled_files(fsadm_t)
corecmd_exec_bin(fsadm_t)
#RedHat bug #201164
corecmd_exec_shell(fsadm_t)
# cjp: these are probably not needed:
corecmd_read_bin_files(fsadm_t)
corecmd_read_bin_pipes(fsadm_t)
corecmd_read_bin_sockets(fsadm_t)
dev_getattr_all_chr_files(fsadm_t)
dev_dontaudit_getattr_all_blk_files(fsadm_t)
dev_dontaudit_getattr_generic_files(fsadm_t)
# mkreiserfs and other programs need this for UUID
dev_read_rand(fsadm_t)
dev_read_urand(fsadm_t)
dev_write_kmsg(fsadm_t)
# Recreate /dev/cdrom.
dev_manage_generic_symlinks(fsadm_t)
# fdisk needs this for early boot
dev_manage_generic_blk_files(fsadm_t)
# Access to /initrd devices
dev_search_usbfs(fsadm_t)
# for swapon
dev_rw_sysfs(fsadm_t)
# Access to /initrd devices
dev_getattr_usbfs_dirs(fsadm_t)
# Access to /dev/mapper/control
dev_rw_lvm_control(fsadm_t)
# for losetup
dev_rw_loop_control(fsadm_t)
domain_use_interactive_fds(fsadm_t)
files_getattr_boot_dirs(fsadm_t)
files_list_home(fsadm_t)
files_read_usr_files(fsadm_t)
files_read_etc_files(fsadm_t)
files_manage_lost_found(fsadm_t)
# Write to /etc/mtab.
files_manage_etc_runtime_files(fsadm_t)
files_etc_filetrans_etc_runtime(fsadm_t, file)
fs_search_auto_mountpoints(fsadm_t)
fs_getattr_xattr_fs(fsadm_t)
fs_rw_ramfs_pipes(fsadm_t)
fs_rw_tmpfs_files(fsadm_t)
# remount file system to apply changes
fs_remount_xattr_fs(fsadm_t)
# for /dev/shm
fs_list_auto_mountpoints(fsadm_t)
fs_search_tmpfs(fsadm_t)
fs_getattr_tmpfs_dirs(fsadm_t)
fs_read_tmpfs_symlinks(fsadm_t)
# Recreate /mnt/cdrom.
files_manage_mnt_dirs(fsadm_t)
# for tune2fs
files_search_all(fsadm_t)
mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t)
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
storage_raw_write_removable_device(fsadm_t)
storage_read_scsi_generic(fsadm_t)
storage_swapon_fixed_disk(fsadm_t)
term_use_console(fsadm_t)
init_use_fds(fsadm_t)
init_use_script_ptys(fsadm_t)
init_dontaudit_getattr_initctl(fsadm_t)
logging_send_syslog_msg(fsadm_t)
miscfiles_read_localization(fsadm_t)
# losetup: bind mount_loopback_t files to loop devices
mount_rw_loopback_files(fsadm_t)
seutil_read_config(fsadm_t)
userdom_use_user_terminals(fsadm_t)
ifdef(`distro_debian',`
term_dontaudit_use_unallocated_ttys(fsadm_t)
')
ifdef(`distro_redhat',`
optional_policy(`
unconfined_domain(fsadm_t)
')
')
optional_policy(`
amanda_rw_dumpdates_files(fsadm_t)
amanda_append_log_files(fsadm_t)
')
optional_policy(`
# for smartctl cron jobs
cron_system_entry(fsadm_t, fsadm_exec_t)
')
optional_policy(`
devicekit_read_pid_files(fsadm_t)
devicekit_append_inherited_log_files(fsadm_t)
')
optional_policy(`
hal_dontaudit_write_log(fsadm_t)
')
optional_policy(`
livecd_rw_tmp_files(fsadm_t)
')
optional_policy(`
modutils_read_module_config(fsadm_t)
modutils_read_module_deps(fsadm_t)
')
optional_policy(`
nis_use_ypbind(fsadm_t)
')
optional_policy(`
fs_dontaudit_write_ramfs_pipes(fsadm_t)
rhgb_stub(fsadm_t)
')
optional_policy(`
udev_read_db(fsadm_t)
')
optional_policy(`
xen_append_log(fsadm_t)
xen_rw_image_files(fsadm_t)
')
|