## Filesystem automounter service. ######################################## ## ## Execute automount in the automount domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`automount_domtrans',` gen_require(` type automount_t, automount_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, automount_exec_t, automount_t) ') ######################################## ## ## Send generic signals to automount. ## ## ## ## Domain allowed access. ## ## # interface(`automount_signal',` gen_require(` type automount_t; ') allow $1 automount_t:process signal; ') ######################################## ## ## Execute automount in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`automount_exec_config',` refpolicywarn(`$0(): has been deprecated, please use files_exec_etc_files() instead.') files_exec_etc_files($1) ') ######################################## ## ## Read automount process state. ## ## ## ## Domain to allow access. ## ## # interface(`automount_read_state',` gen_require(` type automount_t; ') kernel_search_proc($1) allow $1 automount_t:dir list_dir_perms; read_files_pattern($1, automount_t, automount_t) read_lnk_files_pattern($1, automount_t, automount_t) ') ######################################## ## ## Do not audit attempts to use ## automount file descriptors. ## ## ## ## Domain to not audit. ## ## # interface(`automount_dontaudit_use_fds',` gen_require(` type automount_t; ') dontaudit $1 automount_t:fd use; ') ######################################## ## ## Write to a automount unnamed pipe. ## ## ## ## Domain allowed access. ## ## # interface(`automount_write_pipes',` gen_require(` type automount_t; ') allow $1 automount_t:fd use; allow $1 automount_t:fifo_file write; ') ######################################## ## ## Do not audit attempts to write ## automount unnamed pipes. ## ## ## ## Domain to not audit. ## ## # interface(`automount_dontaudit_write_pipes',` gen_require(` type automount_t; ') dontaudit $1 automount_t:fifo_file write; ') ######################################## ## ## Allow domain to search of automount temporary ## directories. ## ## ## ## Domain to not audit. ## ## # interface(`automount_search_tmp_dirs',` gen_require(` type automount_tmp_t; ') search_dirs_pattern($1, automount_tmp_t, automount_tmp_t) ') ######################################## ## ## Do not audit attempts to get ## attributes of automount temporary ## directories. ## ## ## ## Domain to not audit. ## ## # interface(`automount_dontaudit_getattr_tmp_dirs',` gen_require(` type automount_tmp_t; ') dontaudit $1 automount_tmp_t:dir getattr_dir_perms; ') ######################################## ## ## Execute automount server in the automount domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`automount_systemctl',` gen_require(` type automount_t; type automount_unit_file_t; ') systemd_exec_systemctl($1) init_reload_services($1) allow $1 automount_unit_file_t:file read_file_perms; allow $1 automount_unit_file_t:service manage_service_perms; ps_process_pattern($1, automount_t) ') ######################################## ## ## All of the rules required to ## administrate an automount environment. ## ## ## ## Domain allowed access. ## ## ## ## ## Role allowed access. ## ## ## # interface(`automount_admin',` gen_require(` type automount_t, automount_lock_t, automount_tmp_t; type automount_var_run_t, automount_initrc_exec_t; type automount_unit_file_t, automount_keytab_t; ') allow $1 automount_t:process signal_perms; ps_process_pattern($1, automount_t) tunable_policy(`deny_ptrace',`',` allow $1 automount_t:process ptrace; ') init_labeled_script_domtrans($1, automount_initrc_exec_t) domain_system_change_exemption($1) role_transition $2 automount_initrc_exec_t system_r; allow $2 system_r; files_list_etc($1) admin_pattern($1, automount_keytab_t) files_list_var($1) admin_pattern($1, automount_lock_t) files_list_tmp($1) admin_pattern($1, automount_tmp_t) files_list_pids($1) admin_pattern($1, automount_var_run_t) automount_systemctl($1) admin_pattern($1, automount_unit_file_t) allow $1 automount_unit_file_t:service all_service_perms; ')