## Policy for filesystems. ## ## Contains the initial SID for the filesystems. ## ######################################## ## ## Transform specified type into a filesystem type. ## ## ## ## Domain allowed access. ## ## # interface(`fs_type',` gen_require(` attribute filesystem_type; ') typeattribute $1 filesystem_type; ') ######################################## ## ## Transform specified type into a filesystem ## type which does not have extended attribute ## support. ## ## ## ## Domain allowed access. ## ## # interface(`fs_noxattr_type',` gen_require(` attribute noxattrfs; ') fs_type($1) typeattribute $1 noxattrfs; ') ######################################## ## ## Associate the specified file type to persistent ## filesystems with extended attributes. This ## allows a file of this type to be created on ## a filesystem such as ext3, JFS, and XFS. ## ## ## ## The type of the to be associated. ## ## # interface(`fs_associate',` gen_require(` type fs_t; ') allow $1 fs_t:filesystem associate; ') ######################################## ## ## Associate the specified file type to ## filesystems which lack extended attributes ## support. This allows a file of this type ## to be created on a filesystem such as ## FAT32, and NFS. ## ## ## ## The type of the to be associated. ## ## # interface(`fs_associate_noxattr',` gen_require(` attribute noxattrfs; ') allow $1 noxattrfs:filesystem associate; ') ######################################## ## ## Execute files on a filesystem that does ## not support extended attributes. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_exec_noxattr',` gen_require(` attribute noxattrfs; ') can_exec($1, noxattrfs) ') ######################################## ## ## Mount a persistent filesystem which ## has extended attributes, such as ## ext3, JFS, or XFS. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_xattr_fs',` gen_require(` type fs_t; ') allow $1 fs_t:filesystem mount; ') ######################################## ## ## Remount a persistent filesystem which ## has extended attributes, such as ## ext3, JFS, or XFS. This allows ## some mount options to be changed. ## ## ## ## Domain allowed access. ## ## # interface(`fs_remount_xattr_fs',` gen_require(` type fs_t; ') allow $1 fs_t:filesystem remount; ') ######################################## ## ## Unmount a persistent filesystem which ## has extended attributes, such as ## ext3, JFS, or XFS. ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_xattr_fs',` gen_require(` type fs_t; ') allow $1 fs_t:filesystem unmount; ') ######################################## ## ## Mount, remount, unmount a persistent filesystem which ## has extended attributes, such as ## ext3, JFS, or XFS. ## ## ## ## Domain allowed access. ## ## # interface(`fs_all_mount_fs_perms_xattr_fs',` gen_require(` type fs_t; ') allow $1 fs_t:filesystem mount_fs_perms; ') ######################################## ## ## Get the attributes of persistent ## filesystems which have extended ## attributes, such as ext3, JFS, or XFS. ## ## ##

## Allow the specified domain to ## get the attributes of a persistent ## filesystems which have extended ## attributes, such as ext3, JFS, or XFS. ## Example attributes: ##

## ##
## ## ## Domain allowed access. ## ## ## ## # interface(`fs_getattr_xattr_fs',` gen_require(` type fs_t; ') allow $1 fs_t:filesystem getattr; ') ######################################## ## ## Do not audit attempts to ## get the attributes of a persistent ## filesystem which has extended ## attributes, such as ext3, JFS, or XFS. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_getattr_xattr_fs',` gen_require(` type fs_t; ') dontaudit $1 fs_t:filesystem getattr; ') ######################################## ## ## Allow changing of the label of a ## filesystem with extended attributes ## using the context= mount option. ## ## ## ## Domain allowed access. ## ## # interface(`fs_relabelfrom_xattr_fs',` gen_require(` type fs_t; ') allow $1 fs_t:filesystem relabelfrom; ') ######################################## ## ## Watch filesystem with extended attributes ## ## ## ## Domain allowed access. ## ## # interface(`fs_watch_xattr_fs',` gen_require(` type fs_t; ') allow $1 fs_t:filesystem watch; ') ######################################## ## ## Get the filesystem quotas of a filesystem ## with extended attributes. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_get_xattr_fs_quotas',` gen_require(` type fs_t; ') allow $1 fs_t:filesystem quotaget; ') ######################################## ## ## Set the filesystem quotas of a filesystem ## with extended attributes. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_set_xattr_fs_quotas',` gen_require(` type fs_t; ') allow $1 fs_t:filesystem quotamod; ') ######################################## ## ## Read files on anon_inodefs file systems. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_anon_inodefs_files',` refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.') ') ######################################## ## ## Read and write files on anon_inodefs ## file systems. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_anon_inodefs_files',` refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.') ') ######################################## ## ## Do not audit attempts to read or write files on ## anon_inodefs file systems. (Deprecated) ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_rw_anon_inodefs_files',` refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.') ') ######################################## ## ## Mount an automount pseudo filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_autofs',` gen_require(` type autofs_t; ') allow $1 autofs_t:filesystem mount; ') ######################################## ## ## Remount an automount pseudo filesystem ## This allows some mount options to be changed. ## ## ## ## Domain allowed access. ## ## # interface(`fs_remount_autofs',` gen_require(` type autofs_t; ') allow $1 autofs_t:filesystem remount; ') ######################################## ## ## Unmount an automount pseudo filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_autofs',` gen_require(` type autofs_t; ') allow $1 autofs_t:filesystem unmount; ') ######################################## ## ## Get the attributes of an automount ## pseudo filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_autofs',` gen_require(` type autofs_t; ') allow $1 autofs_t:filesystem getattr; ') ######################################## ## ## Search automount filesystem to use automatically ## mounted filesystems. ## ## ## Allow the specified domain to search mount points ## that have filesystems that are mounted by ## the automount service. Generally this will ## be required for any domain that accesses objects ## on these filesystems. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_search_auto_mountpoints',` gen_require(` type autofs_t; ') allow $1 autofs_t:dir search_dir_perms; ') ######################################## ## ## Read directories of automatically ## mounted filesystems. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_list_auto_mountpoints',` gen_require(` type autofs_t; ') allow $1 autofs_t:dir list_dir_perms; ') ######################################## ## ## Do not audit attempts to list directories of automatically ## mounted filesystems. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_list_auto_mountpoints',` gen_require(` type autofs_t; ') dontaudit $1 autofs_t:dir list_dir_perms; ') ######################################## ## ## Create, read, write, and delete symbolic links ## on an autofs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_autofs_symlinks',` gen_require(` type autofs_t; ') manage_lnk_files_pattern($1, autofs_t, autofs_t) ') ######################################## ## ## Get the attributes of directories on ## binfmt_misc filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_binfmt_misc_dirs',` gen_require(` type binfmt_misc_fs_t; ') allow $1 binfmt_misc_fs_t:dir getattr; ') ######################################## ## ## Read binfmt_misc filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_binfmt_misc',` gen_require(` type binfmt_misc_fs_t; ') read_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t) ') ######################################## ## ## Register an interpreter for new binary ## file types, using the kernel binfmt_misc ## support. ## ## ##

## Register an interpreter for new binary ## file types, using the kernel binfmt_misc ## support. ##

##

## A common use for this is to ## register a JVM as an interpreter for ## Java byte code. Registered binaries ## can be directly executed on a command line ## without specifying the interpreter. ##

##
## ## ## Domain allowed access. ## ## ## # interface(`fs_register_binary_executable_type',` gen_require(` type binfmt_misc_fs_t; ') rw_files_pattern($1, binfmt_misc_fs_t, binfmt_misc_fs_t) ') ######################################## ## ## Manage bpf directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_bpf_dirs',` gen_require(` type bpf_t; ') manage_dirs_pattern($1, bpf_t, bpf_t) fs_search_tmpfs($1) dev_search_sysfs($1) ') ######################################## ## ## Read bpf files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_bpf_files',` gen_require(` type bpf_t; ') manage_files_pattern($1, bpf_t, bpf_t) fs_search_tmpfs($1) dev_search_sysfs($1) ') ######################################## ## ## Mount cgroup filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_cgroup', ` gen_require(` type cgroup_t; ') allow $1 cgroup_t:filesystem mount; ') ######################################## ## ## Allow the type to associate to cgroup filesystems. ## ## ## ## The type of the object to be associated. ## ## # interface(`fs_associate_cgroupfs',` gen_require(` type cgroup_t; ') allow $1 cgroup_t:filesystem associate; ') ######################################## ## ## Remount cgroup filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_remount_cgroup', ` gen_require(` type cgroup_t; ') allow $1 cgroup_t:filesystem remount; ') ######################################## ## ## Unmount cgroup filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_cgroup', ` gen_require(` type cgroup_t; ') allow $1 cgroup_t:filesystem unmount; ') ######################################## ## ## Get attributes of cgroup filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_cgroup',` gen_require(` type cgroup_t; ') allow $1 cgroup_t:filesystem getattr; ') ######################################## ## ## Get attributes of cgroup files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_cgroup_files',` gen_require(` type cgroup_t; ') getattr_files_pattern($1, cgroup_t, cgroup_t) fs_search_tmpfs($1) dev_search_sysfs($1) ') ######################################## ## ## Search cgroup directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_search_cgroup_dirs',` gen_require(` type cgroup_t; ') search_dirs_pattern($1, cgroup_t, cgroup_t) fs_search_tmpfs($1) dev_search_sysfs($1) ') ######################################## ## ## Relabel cgroup directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_relabel_cgroup_dirs',` gen_require(` type cgroup_t; ') relabel_dirs_pattern($1, cgroup_t, cgroup_t) ') ######################################## ## ## list cgroup directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_list_cgroup_dirs',` gen_require(` type cgroup_t; ') list_dirs_pattern($1, cgroup_t, cgroup_t) fs_search_tmpfs($1) dev_search_sysfs($1) ') ####################################### ## ## Do not audit attempts to search cgroup directories. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_search_cgroup_dirs', ` gen_require(` type cgroup_t; ') dontaudit $1 cgroup_t:dir search_dir_perms; dev_dontaudit_search_sysfs($1) ') ######################################## ## ## Delete cgroup directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_delete_cgroup_dirs', ` gen_require(` type cgroup_t; ') delete_dirs_pattern($1, cgroup_t, cgroup_t) fs_search_tmpfs($1) dev_search_sysfs($1) ') ######################################## ## ## Manage cgroup directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_cgroup_dirs',` gen_require(` type cgroup_t; ') manage_dirs_pattern($1, cgroup_t, cgroup_t) fs_search_tmpfs($1) dev_search_sysfs($1) ') ######################################## ## ## Watch cgroup directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_watch_cgroup_dirs',` gen_require(` type cgroup_t; ') watch_dirs_pattern($1, cgroup_t, cgroup_t) fs_search_tmpfs($1) dev_search_sysfs($1) ') ######################################## ## ## Read cgroup files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_cgroup_files',` gen_require(` type cgroup_t; ') read_files_pattern($1, cgroup_t, cgroup_t) read_lnk_files_pattern($1, cgroup_t, cgroup_t) fs_search_tmpfs($1) dev_search_sysfs($1) ') ######################################## ## ## Write cgroup files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_write_cgroup_files', ` gen_require(` type cgroup_t; ') write_files_pattern($1, cgroup_t, cgroup_t) fs_search_tmpfs($1) dev_search_sysfs($1) ') ######################################## ## ## Read and write cgroup files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_cgroup_files',` gen_require(` type cgroup_t; ') read_lnk_files_pattern($1, cgroup_t, cgroup_t) rw_files_pattern($1, cgroup_t, cgroup_t) fs_search_tmpfs($1) dev_search_sysfs($1) ') ######################################## ## ## Do not audit attempts to open, ## get attributes, read and write ## cgroup files. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_rw_cgroup_files',` gen_require(` type cgroup_t; ') dontaudit $1 cgroup_t:file rw_file_perms; ') ######################################## ## ## Relabel cgroup files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_relabel_cgroup_files',` gen_require(` type cgroup_t; ') relabel_files_pattern($1, cgroup_t, cgroup_t) ') ######################################## ## ## Create cgroup files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_create_cgroup_files',` gen_require(` type cgroup_t; ') dev_search_sysfs($1) create_files_pattern($1, cgroup_t, cgroup_t) ') ######################################## ## ## Manage cgroup files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_cgroup_files',` gen_require(` type cgroup_t; ') manage_files_pattern($1, cgroup_t, cgroup_t) manage_lnk_files_pattern($1, cgroup_t, cgroup_t) fs_search_tmpfs($1) dev_search_sysfs($1) ') ######################################## ## ## Watch cgroup files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_watch_cgroup_files',` gen_require(` type cgroup_t; ') watch_files_pattern($1, cgroup_t, cgroup_t) watch_lnk_files_pattern($1, cgroup_t, cgroup_t) fs_search_tmpfs($1) dev_search_sysfs($1) ') ######################################## ## ## Mount on cgroup directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mounton_cgroup', ` gen_require(` type cgroup_t; ') allow $1 cgroup_t:dir mounton; ') ######################################## ## ## Read and write ceph files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_cephfs_files',` gen_require(` type cephfs_t; ') rw_files_pattern($1, cephfs_t, cephfs_t) rw_lnk_files_pattern($1, cephfs_t, cephfs_t) ') ######################################## ## ## Do not audit attempts to read ## dirs on a CIFS or SMB filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_list_cifs_dirs',` gen_require(` type cifs_t; ') dontaudit $1 cifs_t:dir list_dir_perms; ') ######################################## ## ## Mount a CIFS or SMB network filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_cifs',` gen_require(` type cifs_t; ') allow $1 cifs_t:filesystem mount; ') ######################################## ## ## Remount a CIFS or SMB network filesystem. ## This allows some mount options to be changed. ## ## ## ## Domain allowed access. ## ## # interface(`fs_remount_cifs',` gen_require(` type cifs_t; ') allow $1 cifs_t:filesystem remount; ') ######################################## ## ## Unmount a CIFS or SMB network filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_cifs',` gen_require(` type cifs_t; ') allow $1 cifs_t:filesystem unmount; ') ######################################## ## ## Get the attributes of a CIFS or ## SMB network filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_getattr_cifs',` gen_require(` type cifs_t; ') allow $1 cifs_t:filesystem getattr; ') ######################################## ## ## Set the attributes of cifs directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_setattr_cifs_dirs',` gen_require(` type cifs_t; ') allow $1 cifs_t:dir setattr; ') ######################################## ## ## Search directories on a CIFS or SMB filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_search_cifs',` gen_require(` type cifs_t; ') allow $1 cifs_t:dir search_dir_perms; ') ######################################## ## ## List the contents of directories on a ## CIFS or SMB filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_list_cifs',` gen_require(` type cifs_t; ') fs_search_auto_mountpoints($1) allow $1 cifs_t:dir list_dir_perms; ') ######################################## ## ## Do not audit attempts to list the contents ## of directories on a CIFS or SMB filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_list_cifs',` gen_require(` type cifs_t; ') dontaudit $1 cifs_t:dir list_dir_perms; ') ######################################## ## ## Mounton a CIFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mounton_cifs',` gen_require(` type cifs_t; ') allow $1 cifs_t:dir mounton; ') ######################################## ## ## Read files on a CIFS or SMB filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_read_cifs_files',` gen_require(` type cifs_t; ') fs_search_auto_mountpoints($1) allow $1 cifs_t:dir list_dir_perms; read_files_pattern($1, cifs_t, cifs_t) ') ######################################## ## ## Get the attributes of filesystems that ## do not have extended attribute support. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_getattr_noxattr_fs',` gen_require(` attribute noxattrfs; ') allow $1 noxattrfs:filesystem getattr; ') ######################################## ## ## Read all noxattrfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_list_noxattr_fs',` gen_require(` attribute noxattrfs; ') allow $1 noxattrfs:dir list_dir_perms; ') ######################################## ## ## Do not audit attempts to list all ## noxattrfs directories. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_list_noxattr_fs',` gen_require(` attribute noxattrfs; ') dontaudit $1 noxattrfs:dir list_dir_perms; ') ######################################## ## ## Create, read, write, and delete all noxattrfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_noxattr_fs_dirs',` gen_require(` attribute noxattrfs; ') allow $1 noxattrfs:dir manage_dir_perms; ') ######################################## ## ## Read all noxattrfs files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_noxattr_fs_files',` gen_require(` attribute noxattrfs; ') read_files_pattern($1, noxattrfs, noxattrfs) ') ######################################## ## ## Read/Write all inherited noxattrfs files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_inherited_noxattr_fs_files',` gen_require(` attribute noxattrfs; ') allow $1 noxattrfs:file rw_inherited_file_perms; ') ######################################## ## ## Do not audit attempts to read all ## noxattrfs files. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_read_noxattr_fs_files',` gen_require(` attribute noxattrfs; ') dontaudit $1 noxattrfs:file read_file_perms; ') ######################################## ## ## Dont audit attempts to write to noxattrfs files. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_write_noxattr_fs_files',` gen_require(` attribute noxattrfs; ') dontaudit $1 noxattrfs:file write; ') ######################################## ## ## Create, read, write, and delete all noxattrfs files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_noxattr_fs_files',` gen_require(` attribute noxattrfs; ') manage_files_pattern($1, noxattrfs, noxattrfs) ') ######################################## ## ## Read all noxattrfs symbolic links. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_noxattr_fs_symlinks',` gen_require(` attribute noxattrfs; ') read_lnk_files_pattern($1, noxattrfs, noxattrfs) ') ######################################## ## ## Relabel all objets from filesystems that ## do not support extended attributes. ## ## ## ## Domain allowed access. ## ## # interface(`fs_relabelfrom_noxattr_fs',` gen_require(` attribute noxattrfs; ') allow $1 noxattrfs:dir list_dir_perms; relabelfrom_dirs_pattern($1, noxattrfs, noxattrfs) relabelfrom_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_lnk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_fifo_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_sock_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs) relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs) ') ######################################## ## ## Do not audit attempts to read ## files on a CIFS or SMB filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_read_cifs_files',` gen_require(` type cifs_t; ') dontaudit $1 cifs_t:file read_file_perms; ') ######################################## ## ## Append files ## on a CIFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_append_cifs_files',` gen_require(` type cifs_t; ') append_files_pattern($1, cifs_t, cifs_t) ') ######################################## ## ## Do not audit attempts to append files ## on a CIFS filesystem. ## ## ## ## Domain to not audit. ## ## ## # interface(`fs_dontaudit_append_cifs_files',` gen_require(` type cifs_t; ') dontaudit $1 cifs_t:file append_file_perms; ') ######################################## ## ## Read inherited files on a CIFS or SMB filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_inherited_cifs_files',` gen_require(` type cifs_t; ') allow $1 cifs_t:file read_inherited_file_perms; ') ######################################## ## ## Read/Write inherited files on a CIFS or SMB filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_inherited_cifs_files',` gen_require(` type cifs_t; ') allow $1 cifs_t:file rw_inherited_file_perms; ') ######################################## ## ## Do not audit attempts to read or ## write files on a CIFS or SMB filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_rw_cifs_files',` gen_require(` type cifs_t; ') dontaudit $1 cifs_t:file rw_inherited_file_perms; ') ######################################## ## ## Read symbolic links on a CIFS or SMB filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_cifs_symlinks',` gen_require(` type cifs_t; ') fs_search_auto_mountpoints($1) allow $1 cifs_t:dir list_dir_perms; read_lnk_files_pattern($1, cifs_t, cifs_t) ') ######################################## ## ## Read named pipes ## on a CIFS or SMB network filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_cifs_named_pipes',` gen_require(` type cifs_t; ') fs_search_auto_mountpoints($1) read_fifo_files_pattern($1, cifs_t, cifs_t) ') ######################################## ## ## Read named pipes ## on a CIFS or SMB network filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_cifs_named_sockets',` gen_require(` type cifs_t; ') fs_search_auto_mountpoints($1) read_sock_files_pattern($1, cifs_t, cifs_t) ') ######################################## ## ## Execute files on a CIFS or SMB ## network filesystem, in the caller ## domain. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_exec_cifs_files',` gen_require(` type cifs_t; ') allow $1 cifs_t:dir list_dir_perms; exec_files_pattern($1, cifs_t, cifs_t) ') ######################################## ## ## Mmap files on a CIFS or SMB ## network filesystem, in the caller ## domain. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_map_cifs_files',` gen_require(` type cifs_t; ') allow $1 cifs_t:file map; ') ######################################## ## ## Create, read, write, and delete directories ## on a CIFS or SMB network filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_manage_cifs_dirs',` gen_require(` type cifs_t; ') fs_search_auto_mountpoints($1) allow $1 cifs_t:dir manage_dir_perms; ') ######################################## ## ## Do not audit attempts to create, read, ## write, and delete directories ## on a CIFS or SMB network filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_manage_cifs_dirs',` gen_require(` type cifs_t; ') dontaudit $1 cifs_t:dir manage_dir_perms; ') ######################################## ## ## Create, read, write, and delete files ## on a CIFS or SMB network filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_manage_cifs_files',` gen_require(` type cifs_t; ') fs_search_auto_mountpoints($1) manage_files_pattern($1, cifs_t, cifs_t) ') ######################################## ## ## Do not audit attempts to create, read, ## write, and delete files ## on a CIFS or SMB network filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_manage_cifs_files',` gen_require(` type cifs_t; ') dontaudit $1 cifs_t:file manage_file_perms; ') ######################################## ## ## Create, read, write, and delete symbolic links ## on a CIFS or SMB network filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_cifs_symlinks',` gen_require(` type cifs_t; ') fs_search_auto_mountpoints($1) manage_lnk_files_pattern($1, cifs_t, cifs_t) ') ######################################## ## ## Create, read, write, and delete named pipes ## on a CIFS or SMB network filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_cifs_named_pipes',` gen_require(` type cifs_t; ') fs_search_auto_mountpoints($1) manage_fifo_files_pattern($1, cifs_t, cifs_t) ') ######################################## ## ## Create, read, write, and delete named sockets ## on a CIFS or SMB network filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_cifs_named_sockets',` gen_require(` type cifs_t; ') fs_search_auto_mountpoints($1) manage_sock_files_pattern($1, cifs_t, cifs_t) ') ######################################## ## ## Execute a file on a CIFS or SMB filesystem ## in the specified domain. ## ## ##

## Execute a file on a CIFS or SMB filesystem ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## home directories on CIFS/SMB filesystems, ## in particular used by the ssh-agent policy. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## The type of the new process. ## ## # interface(`fs_cifs_domtrans',` gen_require(` type cifs_t; ') allow $1 cifs_t:dir search_dir_perms; domain_auto_transition_pattern($1, cifs_t, $2) ') ######################################## ## ## Make general progams in cifs an entrypoint for ## the specified domain. ## ## ## ## The domain for which cifs_t is an entrypoint. ## ## # interface(`fs_cifs_entry_type',` gen_require(` type cifs_t; ') domain_entry_file($1, cifs_t) ') ######################################## ## ## Make general progams in CIFS an entrypoint for ## the specified domain. ## ## ## ## The domain for which cifs_t is an entrypoint. ## ## # interface(`fs_cifs_entrypoint',` gen_require(` type cifs_t; ') allow $1 cifs_t:file entrypoint; ') ####################################### ## ## dontaudit write dirs ## on a configfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_dontaudit_write_configfs_dirs',` gen_require(` type configfs_t; ') dontaudit $1 configfs_t:dir write; ') ####################################### ## ## Read dirs ## on a configfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_configfs_dirs',` gen_require(` type configfs_t; ') list_dirs_pattern($1, configfs_t, configfs_t) ') ####################################### ## ## Create, read, write, and delete dirs ## on a configfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_configfs_dirs',` gen_require(` type configfs_t; ') manage_dirs_pattern($1, configfs_t, configfs_t) ') ####################################### ## ## Read files ## on a configfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_configfs_files',` gen_require(` type configfs_t; ') read_files_pattern($1, configfs_t, configfs_t) ') ####################################### ## ## Create, read, write, and delete files ## on a configfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_configfs_files',` gen_require(` type configfs_t; ') manage_files_pattern($1, configfs_t, configfs_t) ') ####################################### ## ## Create, read, write, and delete files ## on a configfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_configfs_lnk_files',` gen_require(` type configfs_t; ') manage_lnk_files_pattern($1, configfs_t, configfs_t) ') ######################################## ## ## Unmount a configfs filesystem ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_configfs',` gen_require(` type configfs_t; ') allow $1 configfs_t:filesystem unmount; ') ######################################## ## ## Mount a DOS filesystem, such as ## FAT32 or NTFS. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_dos_fs',` gen_require(` type dosfs_t; ') allow $1 dosfs_t:filesystem mount; ') ######################################## ## ## Remount a DOS filesystem, such as ## FAT32 or NTFS. This allows ## some mount options to be changed. ## ## ## ## Domain allowed access. ## ## # interface(`fs_remount_dos_fs',` gen_require(` type dosfs_t; ') allow $1 dosfs_t:filesystem remount; ') ######################################## ## ## Unmount a DOS filesystem, such as ## FAT32 or NTFS. ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_dos_fs',` gen_require(` type dosfs_t; ') allow $1 dosfs_t:filesystem unmount; ') ######################################## ## ## Get the attributes of a DOS ## filesystem, such as FAT32 or NTFS. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_getattr_dos_fs',` gen_require(` type dosfs_t; ') allow $1 dosfs_t:filesystem getattr; ') ######################################## ## ## Allow changing of the label of a ## DOS filesystem using the context= mount option. ## ## ## ## Domain allowed access. ## ## # interface(`fs_relabelfrom_dos_fs',` gen_require(` type dosfs_t; ') allow $1 dosfs_t:filesystem relabelfrom; ') ######################################## ## ## Watch dosfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_watch_dos_fs',` gen_require(` type dosfs_t; ') allow $1 dosfs_t:filesystem watch; ') ######################################## ## ## Search dosfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_search_dos',` gen_require(` type dosfs_t; ') allow $1 dosfs_t:dir search_dir_perms; ') ######################################## ## ## List dirs DOS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_list_dos',` gen_require(` type dosfs_t; ') list_dirs_pattern($1, dosfs_t, dosfs_t) ') ######################################## ## ## Create, read, write, and delete dirs ## on a DOS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_dos_dirs',` gen_require(` type dosfs_t; ') manage_dirs_pattern($1, dosfs_t, dosfs_t) ') ######################################## ## ## Watch_sb dirs on a DOS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_watch_sb_dos_dirs', ` gen_require(` type dosfs_t; ') watch_sb_dirs_pattern($1, dosfs_t, dosfs_t) ') ######################################## ## ## Watch_mount dirs on a DOS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_watch_mount_dos_dirs',` gen_require(` type dosfs_t; ') watch_mount_dirs_pattern($1, dosfs_t, dosfs_t) ') ######################################## ## ## Watch_with_perm dirs on a DOS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_watch_with_perm_dos_dirs',` gen_require(` type dosfs_t; ') watch_with_perm_dirs_pattern($1, dosfs_t, dosfs_t) ') ######################################## ## ## Mmap files on a DOS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_map_dos_files',` gen_require(` type dosfs_t; ') allow $1 dosfs_t:file map; ') ######################################## ## ## Read files on a DOS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_dos_files',` gen_require(` type dosfs_t; ') read_files_pattern($1, dosfs_t, dosfs_t) ') ######################################## ## ## Create, read, write, and delete files ## on a DOS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_dos_files',` gen_require(` type dosfs_t; ') manage_files_pattern($1, dosfs_t, dosfs_t) ') ######################################## ## ## Read eventpollfs files. ## ## ##

## Read eventpollfs files ##

##

## This interface has been deprecated, and will ## be removed in the future. ##

##
## ## ## Domain allowed access. ## ## # # eventpollfs was changed to task SID 20060628 interface(`fs_read_eventpollfs',` refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## ## Get the attributes of an ecryptfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_ecryptfs',` gen_require(` type ecryptfs_t; ') allow $1 ecryptfs_t:filesystem getattr; ') ####################################### ## ## Search directories ## on a ecrypt filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_search_ecryptfs',` gen_require(` type ecryptfs_t; ') allow $1 ecryptfs_t:dir search_dir_perms; ') ######################################## ## ## Create, read, write, and delete directories ## on a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_manage_ecryptfs_dirs',` gen_require(` type ecryptfs_t; ') manage_dirs_pattern($1, ecryptfs_t, ecryptfs_t) allow $1 ecryptfs_t:dir manage_dir_perms; ') ####################################### ## ## Create, read, write, and delete files ## on a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_read_ecryptfs_files',` gen_require(` type ecryptfs_t; ') read_files_pattern($1, ecryptfs_t, ecryptfs_t) ') ######################################## ## ## Create, read, write, and delete files ## on a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_manage_ecryptfs_files',` gen_require(` type ecryptfs_t; ') manage_files_pattern($1, ecryptfs_t, ecryptfs_t) allow $1 ecryptfs_t:file map; ') ######################################## ## ## Do not audit attempts to create, ## read, write, and delete files ## on a FUSEFS filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_manage_ecryptfs_files',` gen_require(` type ecryptfs_t; ') dontaudit $1 ecryptfs_t:file manage_file_perms; ') ######################################## ## ## Read symbolic links on a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_ecryptfs_symlinks',` gen_require(` type ecryptfs_t; ') allow $1 ecryptfs_t:dir list_dir_perms; read_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) ') ####################################### ## ## Dontaudit append files on ecrypt filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_dontaudit_append_ecryptfs_files',` gen_require(` type ecryptfs_t; ') dontaudit $1 ecryptfs_t:file append; ') ######################################## ## ## Manage symbolic links on a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_ecryptfs_symlinks',` gen_require(` type ecryptfs_t; ') manage_lnk_files_pattern($1, ecryptfs_t, ecryptfs_t) ') ######################################## ## ## Execute a file on a FUSE filesystem ## in the specified domain. ## ## ##

## Execute a file on a FUSE filesystem ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## home directories on FUSE filesystems, ## in particular used by the ssh-agent policy. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## The type of the new process. ## ## # interface(`fs_ecryptfs_domtrans',` gen_require(` type ecryptfs_t; ') allow $1 ecryptfs_t:dir search_dir_perms; domain_auto_transition_pattern($1, ecryptfs_t, $2) ') ######################################## ## ## Mount a FUSE filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_fusefs',` gen_require(` type fusefs_t; ') allow $1 fusefs_t:filesystem mount; ') ######################################## ## ## Unmount a FUSE filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_fusefs',` gen_require(` type fusefs_t; ') allow $1 fusefs_t:filesystem unmount; ') ######################################## ## ## Mounton a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mounton_fusefs',` gen_require(` type fusefs_t; ') allow $1 fusefs_t:dir mounton; ') ######################################## ## ## Search directories ## on a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_search_fusefs',` gen_require(` type fusefs_t; ') allow $1 fusefs_t:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to list the contents ## of directories on a FUSEFS filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_list_fusefs',` gen_require(` type fusefs_t; ') dontaudit $1 fusefs_t:dir list_dir_perms; ') ######################################## ## ## Create, read, write, and delete directories ## on a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_manage_fusefs_dirs',` gen_require(` type fusefs_t; ') allow $1 fusefs_t:dir manage_dir_perms; ') ######################################## ## ## Do not audit attempts to create, read, ## write, and delete directories ## on a FUSEFS filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_manage_fusefs_dirs',` gen_require(` type fusefs_t; ') dontaudit $1 fusefs_t:dir manage_dir_perms; ') ######################################## ## ## Read, a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_read_fusefs_files',` gen_require(` type fusefs_t; ') read_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## ## Execute files on a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_exec_fusefs_files',` gen_require(` type fusefs_t; ') exec_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## ## mmap files on a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_mmap_fusefs_files',` gen_require(` type fusefs_t; ') allow $1 fusefs_t:file map; ') ######################################### ## ## Create, read, write, and delete named sockets ## on a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_fusefs_named_sockets',` gen_require(` type fusefs_t; ') manage_sock_files_pattern($1, fusefs_t, fusefs_t) ') ######################################### ## ## Create, read, write, and delete named pipes ## on a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## interface(`fs_manage_fusefs_named_pipes',` gen_require(` type fusefs_t; ') manage_fifo_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## ## Make general progams in FUSEFS an entrypoint for ## the specified domain. ## ## ## ## The domain for which fusefs_t is an entrypoint. ## ## # interface(`fs_fusefs_entry_type',` gen_require(` type fusefs_t; ') domain_entry_file($1, fusefs_t) ') ######################################## ## ## Make general progams in FUSEFS an entrypoint for ## the specified domain. ## ## ## ## The domain for which fusefs_t is an entrypoint. ## ## # interface(`fs_fusefs_entrypoint',` gen_require(` type fusefs_t; ') allow $1 fusefs_t:file entrypoint; ') ######################################## ## ## Create, read, write, and delete files ## on a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_manage_fusefs_files',` gen_require(` type fusefs_t; ') manage_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## ## Do not audit attempts to create, ## read, write, and delete files ## on a FUSEFS filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_manage_fusefs_files',` gen_require(` type fusefs_t; ') dontaudit $1 fusefs_t:file manage_file_perms; ') ######################################## ## ## Read symbolic links on a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_fusefs_symlinks',` gen_require(` type fusefs_t; ') allow $1 fusefs_t:dir list_dir_perms; read_lnk_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## ## Manage symbolic links on a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_fusefs_symlinks',` gen_require(` type fusefs_t; ') manage_lnk_files_pattern($1, fusefs_t, fusefs_t) ') ######################################## ## ## Execute a file on a FUSE filesystem ## in the specified domain. ## ## ##

## Execute a file on a FUSE filesystem ## in the specified domain. This allows ## the specified domain to execute any file ## on these filesystems in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## home directories on FUSE filesystems, ## in particular used by the ssh-agent policy. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## The type of the new process. ## ## # interface(`fs_fusefs_domtrans',` gen_require(` type fusefs_t; ') allow $1 fusefs_t:dir search_dir_perms; domain_auto_transition_pattern($1, fusefs_t, $2) ') ######################################## ## ## Get the attributes of a FUSEFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_getattr_fusefs',` gen_require(` type fusefs_t; ') allow $1 fusefs_t:filesystem getattr; ') ######################################## ## ## Get the attributes of an hugetlbfs ## filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_hugetlbfs',` gen_require(` type hugetlbfs_t; ') allow $1 hugetlbfs_t:filesystem getattr; ') ######################################## ## ## List hugetlbfs. ## ## ## ## Domain allowed access. ## ## # interface(`fs_list_hugetlbfs',` gen_require(` type hugetlbfs_t; ') allow $1 hugetlbfs_t:dir list_dir_perms; ') ######################################## ## ## Manage hugetlbfs dirs. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_hugetlbfs_dirs',` gen_require(` type hugetlbfs_t; ') manage_dirs_pattern($1, hugetlbfs_t, hugetlbfs_t) ') ######################################## ## ## Read hugetlbfs files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_hugetlbfs_files',` gen_require(` type hugetlbfs_t; ') read_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') ######################################## ## ## Read and write hugetlbfs files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_hugetlbfs_files',` gen_require(` type hugetlbfs_t; ') allow $1 hugetlbfs_t:file map; rw_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') ######################################## ## ## Manage hugetlbfs files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_hugetlbfs_files',` gen_require(` type hugetlbfs_t; ') manage_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') ######################################## ## ## Execute hugetlbfs files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_exec_hugetlbfs_files',` gen_require(` type hugetlbfs_t; ') allow $1 hugetlbfs_t:dir list_dir_perms; exec_files_pattern($1, hugetlbfs_t, hugetlbfs_t) ') ######################################## ## ## Allow the type to associate to hugetlbfs filesystems. ## ## ## ## The type of the object to be associated. ## ## # interface(`fs_associate_hugetlbfs',` gen_require(` type hugetlbfs_t; ') allow $1 hugetlbfs_t:filesystem associate; ') ######################################## ## ## List oracleasmfs. ## ## ## ## Domain allowed access. ## ## # interface(`fs_list_oracleasmfs',` gen_require(` type oracleasmfs_t; ') allow $1 oracleasmfs_t:dir list_dir_perms; ') ######################################## ## ## Get the attributes of an oracleasmfs ## filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_oracleasmfs_fs',` gen_require(` type oracleasmfs_t; ') allow $1 oracleasmfs_t:filesystem getattr; ') ######################################## ## ## Get the attributes of an oracleasmfs ## filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_oracleasmfs',` gen_require(` type oracleasmfs_t; ') allow $1 oracleasmfs_t:file getattr; ') ######################################## ## ## Get the attributes of an oracleasmfs ## filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_setattr_oracleasmfs',` gen_require(` type oracleasmfs_t; ') allow $1 oracleasmfs_t:file setattr; ') ######################################## ## ## Get the attributes of an oracleasmfs ## filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_setattr_oracleasmfs_dirs',` gen_require(` type oracleasmfs_t; ') allow $1 oracleasmfs_t:dir setattr; ') ######################################## ## ## Read and write the oracleasm device. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_oracleasm',` gen_require(` type oracleasmfs_t; ') manage_dirs_pattern($1, oracleasmfs_t, oracleasmfs_t) manage_blk_files_pattern($1, oracleasmfs_t, oracleasmfs_t) dev_filetrans($1, oracleasmfs_t, dir, "oracleasm") ') ######################################## ## ## Search inotifyfs filesystem. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_search_inotifyfs',` refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.') ') ######################################## ## ## List inotifyfs filesystem. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_list_inotifyfs',` refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.') ') ######################################## ## ## Do not audit attempts to list inotifyfs filesystem. (Deprecated) ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_list_inotifyfs',` refpolicywarn(`$0($*) has been deprecated. All calls can be safely removed.') ') ######################################## ## ## Create an object in a hugetlbfs filesystem, with a private ## type using a type transition. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created. ## ## ## ## ## The object class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`fs_hugetlbfs_filetrans',` gen_require(` type hugetlbfs_t; ') allow $2 hugetlbfs_t:filesystem associate; filetrans_pattern($1, hugetlbfs_t, $2, $3, $4) ') ######################################## ## ## Mount an iso9660 filesystem, which ## is usually used on CDs. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_iso9660_fs',` gen_require(` type iso9660_t; ') allow $1 iso9660_t:filesystem mount; ') ######################################## ## ## Remount an iso9660 filesystem, which ## is usually used on CDs. This allows ## some mount options to be changed. ## ## ## ## Domain allowed access. ## ## # interface(`fs_remount_iso9660_fs',` gen_require(` type iso9660_t; ') allow $1 iso9660_t:filesystem remount; ') ######################################## ## ## Unmount an iso9660 filesystem, which ## is usually used on CDs. ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_iso9660_fs',` gen_require(` type iso9660_t; ') allow $1 iso9660_t:filesystem unmount; ') ######################################## ## ## Get the attributes of an iso9660 ## filesystem, which is usually used on CDs. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_getattr_iso9660_fs',` gen_require(` type iso9660_t; ') allow $1 iso9660_t:filesystem getattr; ') ######################################## ## ## Read files on an iso9660 filesystem, which ## is usually used on CDs. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_iso9660_files',` gen_require(` type iso9660_t; ') allow $1 iso9660_t:dir list_dir_perms; allow $1 iso9660_t:file getattr; ') ######################################## ## ## Read files on an iso9660 filesystem, which ## is usually used on CDs. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_iso9660_files',` gen_require(` type iso9660_t; ') allow $1 iso9660_t:dir list_dir_perms; read_files_pattern($1, iso9660_t, iso9660_t) read_lnk_files_pattern($1, iso9660_t, iso9660_t) ') ######################################## ## ## Mount a NFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_nfs',` gen_require(` type nfs_t; ') allow $1 nfs_t:filesystem mount; ') ######################################## ## ## Remount a NFS filesystem. This allows ## some mount options to be changed. ## ## ## ## Domain allowed access. ## ## # interface(`fs_remount_nfs',` gen_require(` type nfs_t; ') allow $1 nfs_t:filesystem remount; ') ######################################## ## ## Unmount a NFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_nfs',` gen_require(` type nfs_t; ') allow $1 nfs_t:filesystem unmount; ') ######################################## ## ## Get the attributes of a NFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_getattr_nfs',` gen_require(` type nfs_t; ') allow $1 nfs_t:filesystem getattr; ') ######################################## ## ## Set the attributes of nfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_setattr_nfs_dirs',` gen_require(` type nfs_t; ') allow $1 nfs_t:dir setattr; ') ######################################## ## ## Search directories on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_search_nfs',` gen_require(` type nfs_t; ') allow $1 nfs_t:dir search_dir_perms; ') ######################################## ## ## List NFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_list_nfs',` gen_require(` type nfs_t; ') allow $1 nfs_t:dir list_dir_perms; ') ######################################## ## ## Do not audit attempts to list the contents ## of directories on a NFS filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_list_nfs',` gen_require(` type nfs_t; ') dontaudit $1 nfs_t:dir list_dir_perms; ') ######################################## ## ## Mounton a NFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mounton_nfs',` gen_require(` type nfs_t; ') allow $1 nfs_t:dir mounton; ') ######################################## ## ## Read files on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_read_nfs_files',` gen_require(` type nfs_t; ') fs_search_auto_mountpoints($1) allow $1 nfs_t:dir list_dir_perms; read_files_pattern($1, nfs_t, nfs_t) ') ######################################## ## ## Do not audit attempts to read ## files on a NFS filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_read_nfs_files',` gen_require(` type nfs_t; ') dontaudit $1 nfs_t:file read_file_perms; ') ######################################## ## ## Read files on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_write_nfs_files',` gen_require(` type nfs_t; ') fs_search_auto_mountpoints($1) allow $1 nfs_t:dir list_dir_perms; write_files_pattern($1, nfs_t, nfs_t) ') ######################################## ## ## Execute files on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_exec_nfs_files',` gen_require(` type nfs_t; ') allow $1 nfs_t:dir list_dir_perms; exec_files_pattern($1, nfs_t, nfs_t) ') ######################################## ## ## Make general progams in nfs an entrypoint for ## the specified domain. ## ## ## ## The domain for which nfs_t is an entrypoint. ## ## # interface(`fs_nfs_entry_type',` gen_require(` type nfs_t; ') domain_entry_file($1, nfs_t) ') ######################################## ## ## Make general progams in NFS an entrypoint for ## the specified domain. ## ## ## ## The domain for which nfs_t is an entrypoint. ## ## # interface(`fs_nfs_entrypoint',` gen_require(` type nfs_t; ') allow $1 nfs_t:file entrypoint; ') ######################################## ## ## Append files ## on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_append_nfs_files',` gen_require(` type nfs_t; ') append_files_pattern($1, nfs_t, nfs_t) ') ######################################## ## ## Do not audit attempts to append files ## on a NFS filesystem. ## ## ## ## Domain to not audit. ## ## ## # interface(`fs_dontaudit_append_nfs_files',` gen_require(` type nfs_t; ') dontaudit $1 nfs_t:file append_file_perms; ') ######################################## ## ## Read inherited files on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_inherited_nfs_files',` gen_require(` type nfs_t; ') allow $1 nfs_t:file read_inherited_file_perms; ') ######################################## ## ## Read/write inherited files on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_inherited_nfs_files',` gen_require(` type nfs_t; ') allow $1 nfs_t:file rw_inherited_file_perms; ') ######################################## ## ## Do not audit attempts to read or ## write files on a NFS filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_rw_nfs_files',` gen_require(` type nfs_t; ') dontaudit $1 nfs_t:file rw_inherited_file_perms; ') ######################################## ## ## Read symbolic links on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_nfs_symlinks',` gen_require(` type nfs_t; ') allow $1 nfs_t:dir list_dir_perms; read_lnk_files_pattern($1, nfs_t, nfs_t) ') ######################################## ## ## Do not audit attempts to read symbolic links on a NFS filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_read_nfs_symlinks',` gen_require(` type nfs_t; ') dontaudit $1 nfs_t:lnk_file read_lnk_file_perms; ') ######################################### ## ## Read named sockets on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_nfs_named_sockets',` gen_require(` type nfs_t; ') read_sock_files_pattern($1, nfs_t, nfs_t) ') ######################################### ## ## Read named pipes on a NFS network filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_read_nfs_named_pipes',` gen_require(` type nfs_t; ') read_fifo_files_pattern($1, nfs_t, nfs_t) ') ######################################## ## ## Read directories of RPC file system pipes. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_rpc_dirs',` gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:dir getattr; ') ######################################## ## ## Watch directories of RPC file system pipes. ## ## ## ## Domain allowed access. ## ## # interface(`fs_watch_rpc_dirs',` gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:dir watch_dir_perms; ') ######################################## ## ## Search directories of RPC file system pipes. ## ## ## ## Domain allowed access. ## ## # interface(`fs_search_rpc',` gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to list removable storage directories. ## ## ##

## Do not audit attempts to list removable storage directories ##

##

## This interface has been deprecated, and will ## be removed in the future. ##

##
## ## ## Domain allowed access. ## ## # interface(`fs_list_pstorefs',` refpolicywarn(`$0($*) has been deprecated.') ') ######################################## ## ## List kernel persistent storage directories. ## ## ## ## Domain to not audit. ## ## # interface(`fs_list_pstore',` gen_require(` type pstore_t; ') allow $1 pstore_t:dir list_dir_perms; ') ######################################## ## ## Read kernel persistent storage files. ## ## ## ## Domain to not audit. ## ## # interface(`fs_read_pstore_files',` gen_require(` type pstore_t; ') read_files_pattern($1, pstore_t, pstore_t) dev_search_sysfs($1) ') ######################################## ## ## Delete kernel persistent storage files. ## ## ## ## Domain to not audit. ## ## # interface(`fs_delete_pstore_files',` gen_require(` type pstore_t; ') delete_files_pattern($1, pstore_t, pstore_t) dev_search_sysfs($1) ') ######################################## ## ## Relabel directory on removable storage. ## ## ## ## Domain allowed access. ## ## # interface(`fs_relabel_pstore_dirs',` gen_require(` type pstore_t; ') relabel_dirs_pattern($1, pstore_t, pstore_t) ') ######################################## ## ## Search removable storage directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_search_removable',` gen_require(` type removable_t; ') allow $1 removable_t:dir search_dir_perms; ') ######################################## ## ## Do not audit attempts to list removable storage directories. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_list_removable',` gen_require(` type removable_t; ') dontaudit $1 removable_t:dir list_dir_perms; ') ######################################## ## ## Read removable storage files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_removable_files',` gen_require(` type removable_t; ') read_files_pattern($1, removable_t, removable_t) ') ######################################## ## ## mmap files on a removable files. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_mmap_removable_files',` gen_require(` type removable_t; ') allow $1 removable_t:file map; ') ######################################## ## ## Do not audit attempts to read removable storage files. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_read_removable_files',` gen_require(` type removable_t; ') dontaudit $1 removable_t:file read_file_perms; ') ######################################## ## ## Do not audit attempts to write removable storage files. ## ## ## ## Domain not to audit. ## ## # interface(`fs_dontaudit_write_removable_files',` gen_require(` type removable_t; ') dontaudit $1 removable_t:file write_file_perms; ') ######################################## ## ## Read removable storage symbolic links. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_removable_symlinks',` gen_require(` type removable_t; ') read_lnk_files_pattern($1, removable_t, removable_t) ') ###################################### ## ## Read block nodes on removable filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_removable_blk_files',` gen_require(` type removable_t; ') allow $1 removable_t:dir list_dir_perms; read_blk_files_pattern($1, removable_t, removable_t) ') ######################################## ## ## Read and write block nodes on removable filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_removable_blk_files',` gen_require(` type removable_t; ') allow $1 removable_t:dir list_dir_perms; rw_blk_files_pattern($1, removable_t, removable_t) ') ######################################## ## ## Read directories of RPC file system pipes. ## ## ## ## Domain allowed access. ## ## # interface(`fs_list_rpc',` gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:dir list_dir_perms; ') ######################################## ## ## Read files of RPC file system pipes. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_rpc_files',` gen_require(` type rpc_pipefs_t; ') read_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t) ') ######################################## ## ## Read symbolic links of RPC file system pipes. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_rpc_symlinks',` gen_require(` type rpc_pipefs_t; ') read_lnk_files_pattern($1, rpc_pipefs_t, rpc_pipefs_t) ') ######################################## ## ## Read sockets of RPC file system pipes. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_rpc_sockets',` gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:sock_file read; ') ######################################## ## ## Read and write sockets of RPC file system pipes. ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_rpc_sockets',` gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:sock_file { read write }; ') ######################################## ## ## Create, read, write, and delete directories ## on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_manage_nfs_dirs',` gen_require(` type nfs_t; ') fs_search_auto_mountpoints($1) allow $1 nfs_t:dir manage_dir_perms; ') ######################################## ## ## Do not audit attempts to create, read, ## write, and delete directories ## on a NFS filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_manage_nfs_dirs',` gen_require(` type nfs_t; ') dontaudit $1 nfs_t:dir manage_dir_perms; ') ######################################## ## ## Create, read, write, and delete files ## on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_manage_nfs_files',` gen_require(` type nfs_t; ') fs_search_auto_mountpoints($1) manage_files_pattern($1, nfs_t, nfs_t) ') ######################################## ## ## mmap files on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_mmap_nfs_files',` gen_require(` type nfs_t; ') allow $1 nfs_t:file map; ') ######################################## ## ## Do not audit attempts to create, ## read, write, and delete files ## on a NFS filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_manage_nfs_files',` gen_require(` type nfs_t; ') dontaudit $1 nfs_t:file manage_file_perms; ') ######################################### ## ## Create, read, write, and delete symbolic links ## on a NFS network filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_manage_nfs_symlinks',` gen_require(` type nfs_t; ') fs_search_auto_mountpoints($1) manage_lnk_files_pattern($1, nfs_t, nfs_t) ') ######################################### ## ## Create, read, write, and delete named pipes ## on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_nfs_named_pipes',` gen_require(` type nfs_t; ') manage_fifo_files_pattern($1, nfs_t, nfs_t) ') ######################################### ## ## Create, read, write, and delete named sockets ## on a NFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_nfs_named_sockets',` gen_require(` type nfs_t; ') manage_sock_files_pattern($1, nfs_t, nfs_t) ') ######################################## ## ## Execute a file on a NFS filesystem ## in the specified domain. ## ## ##

## Execute a file on a NFS filesystem ## in the specified domain. This allows ## the specified domain to execute any file ## on a NFS filesystem in the specified ## domain. This is not suggested. ##

##

## No interprocess communication (signals, pipes, ## etc.) is provided by this interface since ## the domains are not owned by this module. ##

##

## This interface was added to handle ## home directories on NFS filesystems, ## in particular used by the ssh-agent policy. ##

##
## ## ## Domain allowed to transition. ## ## ## ## ## The type of the new process. ## ## # interface(`fs_nfs_domtrans',` gen_require(` type nfs_t; ') allow $1 nfs_t:dir search_dir_perms; domain_auto_transition_pattern($1, nfs_t, $2) ') ######################################## ## ## Mount on nfsd_fs directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mounton_nfsd_fs', ` gen_require(` type nfsd_fs_t; ') allow $1 nfsd_fs_t:dir mounton; ') ######################################## ## ## Mount a NFS server pseudo filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_nfsd_fs',` gen_require(` type nfsd_fs_t; ') allow $1 nfsd_fs_t:filesystem mount; ') ######################################## ## ## Mount a NFS server pseudo filesystem. ## This allows some mount options to be changed. ## ## ## ## Domain allowed access. ## ## # interface(`fs_remount_nfsd_fs',` gen_require(` type nfsd_fs_t; ') allow $1 nfsd_fs_t:filesystem remount; ') ######################################## ## ## Unmount a NFS server pseudo filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_nfsd_fs',` gen_require(` type nfsd_fs_t; ') allow $1 nfsd_fs_t:filesystem unmount; ') ######################################## ## ## Get the attributes of a NFS server ## pseudo filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_nfsd_fs',` gen_require(` type nfsd_fs_t; ') allow $1 nfsd_fs_t:filesystem getattr; ') ######################################## ## ## Search NFS server directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_search_nfsd_fs',` gen_require(` type nfsd_fs_t; ') allow $1 nfsd_fs_t:dir search_dir_perms; ') ######################################## ## ## List NFS server directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_list_nfsd_fs',` gen_require(` type nfsd_fs_t; ') allow $1 nfsd_fs_t:dir list_dir_perms; ') ######################################## ## ## Getattr files on an nfsd filesystem ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_nfsd_files',` gen_require(` type nfsd_fs_t; ') getattr_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') ####################################### ## ## read files on an nfsd filesystem ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_nfsd_files',` gen_require(` type nfsd_fs_t; ') read_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') ####################################### ## ## Read and write NFS server files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_nfsd_fs',` gen_require(` type nfsd_fs_t; ') rw_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') ######################################## ## ## Getattr files on an nsfs filesystem ## ## ## ## Domain allowed access. ## ## # interface(`fs_dontaudit_getattr_nsfs_files',` gen_require(` type nsfs_t; ') dontaudit $1 nsfs_t:file getattr; ') ######################################## ## ## Getattr files on an nsfs filesystem ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_nsfs_files',` gen_require(` type nsfs_t; ') getattr_files_pattern($1, nsfs_t, nsfs_t) ') ####################################### ## ## Read nsfs inodes (e.g. /proc/pid/ns/uts) ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_nsfs_files',` gen_require(` type nsfs_t; ') allow $1 nsfs_t:file read_file_perms; ') ####################################### ## ## Read and write nsfs inodes (e.g. /proc/pid/ns/uts) ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_nsfs_files',` gen_require(` type nsfs_t; ') rw_files_pattern($1, nsfs_t, nsfs_t) ') ######################################## ## ## Mount a nsfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_nsfs',` gen_require(` type nsfs_t; ') allow $1 nsfs_t:filesystem mount; ') ######################################## ## ## Remount a tmpfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_remount_nsfs',` gen_require(` type nsfs_t; ') allow $1 nsfs_t:filesystem remount; ') ######################################## ## ## Unmount a tmpfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_nsfs',` gen_require(` type nsfs_t; ') allow $1 nsfs_t:filesystem unmount; ') ######################################## ## ## Manage NFS server files and directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_nfsd_fs',` gen_require(` type nfsd_fs_t; ') manage_dirs_pattern($1, nfsd_fs_t, nfsd_fs_t) manage_files_pattern($1, nfsd_fs_t, nfsd_fs_t) ') ######################################## ## ## Allow the type to associate to ramfs filesystems. (Deprecated) ## ## ## ## The type of the object to be associated. ## ## # interface(`fs_associate_ramfs',` refpolicywarn(`$0() has been deprecated, please use fs_associate_tmpfs() instead.') fs_associate_tmpfs($1) ') ######################################## ## ## Allow the type to associate to proc filesystems. ## ## ## ## The type of the object to be associated. ## ## # interface(`fs_associate_proc',` gen_require(` type proc_t; ') allow $1 proc_t:filesystem associate; ') ######################################## ## ## Mount a RAM filesystem. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_ramfs',` refpolicywarn(`$0() has been deprecated, please use fs_mount_tmpfs() instead.') fs_mount_tmpfs($1) ') ######################################## ## ## Remount a RAM filesystem. This allows ## some mount options to be changed. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_remount_ramfs',` refpolicywarn(`$0() has been deprecated, please use fs_remount_tmpfs() instead.') fs_remount_tmpfs($1) ') ######################################## ## ## Unmount a RAM filesystem. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_ramfs',` refpolicywarn(`$0() has been deprecated, please use fs_unmount_tmpfs() instead.') fs_unmount_tmpfs($1) ') ######################################## ## ## Get the attributes of a RAM filesystem. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_ramfs',` refpolicywarn(`$0() has been deprecated, please use fs_getattr_tmpfs() instead.') fs_getattr_tmpfs($1) ') ######################################## ## ## Search directories on a ramfs (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_search_ramfs',` refpolicywarn(`$0() has been deprecated, please use fs_search_tmpfs() instead.') fs_search_tmpfs($1) ') ######################################## ## ## Do not audit attempts to search directories on a ramfs (Deprecated) ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_search_ramfs',` refpolicywarn(`$0() has been deprecated.') ') ######################################## ## ## Create, read, write, and delete ## directories on a ramfs. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_ramfs_dirs',` refpolicywarn(`$0() has been deprecated, please use fs_manage_tmpfs_dirs() instead.') fs_manage_tmpfs_dirs($1) ') ######################################## ## ## Do not audit attempts to read on a ramfs files. (Deprecated) ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_read_ramfs_files',` refpolicywarn(`$0() has been deprecated, please use fs_dontaudit_read_tmpfs_files() instead.') fs_dontaudit_read_tmpfs_files($1) ') ######################################## ## ## Do not audit attempts to read on a ramfs fifo_files. (Deprecated) ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_read_ramfs_pipes',` refpolicywarn(`$0() has been deprecated.') ') ######################################## ## ## Create, read, write, and delete ## files on a ramfs filesystem. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_ramfs_files',` refpolicywarn(`$0() has been deprecated, please use fs_manage_tmpfs_files() instead.') fs_manage_tmpfs_files($1) ') ######################################## ## ## Write to named pipe on a ramfs filesystem. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_write_ramfs_pipes',` refpolicywarn(`$0() has been deprecated.') ') ######################################## ## ## Do not audit attempts to write to named ## pipes on a ramfs filesystem. (Deprecated) ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_write_ramfs_pipes',` refpolicywarn(`$0() has been deprecated.') ') ######################################## ## ## Read and write a named pipe on a ramfs filesystem. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_ramfs_pipes',` refpolicywarn(`$0() has been deprecated.') ') ######################################## ## ## Create, read, write, and delete ## named pipes on a ramfs filesystem. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_ramfs_pipes',` refpolicywarn(`$0() has been deprecated.') ') ######################################## ## ## Write to named socket on a ramfs filesystem. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_write_ramfs_sockets',` refpolicywarn(`$0() has been deprecated.') ') ######################################## ## ## Create, read, write, and delete ## named sockets on a ramfs filesystem. (Deprecated) ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_ramfs_sockets',` refpolicywarn(`$0() has been deprecated.') ') ######################################## ## ## Mount a ROM filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_romfs',` gen_require(` type romfs_t; ') allow $1 romfs_t:filesystem mount; ') ######################################## ## ## Remount a ROM filesystem. This allows ## some mount options to be changed. ## ## ## ## Domain allowed access. ## ## # interface(`fs_remount_romfs',` gen_require(` type romfs_t; ') allow $1 romfs_t:filesystem remount; ') ######################################## ## ## Unmount a ROM filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_romfs',` gen_require(` type romfs_t; ') allow $1 romfs_t:filesystem unmount; ') ######################################## ## ## Get the attributes of a ROM ## filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_romfs',` gen_require(` type romfs_t; ') allow $1 romfs_t:filesystem getattr; ') ######################################## ## ## Mount a RPC pipe filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_rpc_pipefs',` gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:filesystem mount; ') ######################################## ## ## Remount a RPC pipe filesystem. This ## allows some mount option to be changed. ## ## ## ## Domain allowed access. ## ## # interface(`fs_remount_rpc_pipefs',` gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:filesystem remount; ') ######################################## ## ## Unmount a RPC pipe filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_rpc_pipefs',` gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:filesystem unmount; ') ######################################## ## ## Get the attributes of a RPC pipe ## filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_rpc_pipefs',` gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:filesystem getattr; ') ######################################### ## ## Read and write RPC pipe filesystem named pipes. ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_rpc_named_pipes',` gen_require(` type rpc_pipefs_t; ') allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms; ') ######################################## ## ## Mount a tmpfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_tmpfs',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:filesystem mount; ') ######################################## ## ## Watch a tmpfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_watch_tmpfs',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:filesystem watch; ') ######################################## ## ## Dontaudit remount a tmpfs filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_remount_tmpfs',` gen_require(` type tmpfs_t; ') dontaudit $1 tmpfs_t:filesystem remount; ') ######################################## ## ## Remount a tmpfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_remount_tmpfs',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:filesystem remount; ') ######################################## ## ## Unmount a tmpfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_tmpfs',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:filesystem unmount; ') ######################################## ## ## Mount, remount, unmount a tmpfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_all_mount_fs_perms_tmpfs',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:filesystem mount_fs_perms; ') ######################################## ## ## Mount on tmpfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mounton_tmpfs', ` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:dir mounton; ') ######################################## ## ## Watch_sb tmpfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_watch_sb_tmpfs', ` gen_require(` type tmpfs_t; ') watch_sb_dirs_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Get the attributes of a tmpfs ## filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_getattr_tmpfs',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:filesystem getattr; ') ######################################## ## ## Allow the type to associate to tmpfs filesystems. ## ## ## ## The type of the object to be associated. ## ## # interface(`fs_associate_tmpfs',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:filesystem associate; ') ######################################## ## ## Relabel from tmpfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_relabelfrom_tmpfs',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:filesystem relabelfrom; ') ######################################## ## ## Get the attributes of tmpfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_tmpfs_dirs',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:dir getattr; ') ######################################## ## ## Do not audit attempts to get the attributes ## of tmpfs directories. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_getattr_tmpfs_dirs',` gen_require(` type tmpfs_t; ') dontaudit $1 tmpfs_t:dir getattr; ') ######################################## ## ## Set the attributes of tmpfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_setattr_tmpfs_dirs',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:dir setattr; ') ######################################## ## ## Search tmpfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_search_tmpfs',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:dir search_dir_perms; ') ######################################## ## ## List the contents of generic tmpfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_list_tmpfs',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:dir list_dir_perms; ') ######################################## ## ## Do not audit attempts to list the ## contents of generic tmpfs directories. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_list_tmpfs',` gen_require(` type tmpfs_t; ') dontaudit $1 tmpfs_t:dir list_dir_perms; ') ######################################## ## ## Relabel directory on tmpfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_relabel_tmpfs_dirs',` gen_require(` type tmpfs_t; ') relabel_dirs_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Watch_mount directory on the tmpfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_watch_mount_tmpfs_dirs',` gen_require(` type tmpfs_t; ') fs_search_tmpfs($1) allow $1 tmpfs_t:dir watch_mount_dir_perms; ') ######################################## ## ## Watch_with_perm directory on the tmpfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_watch_with_perm_tmpfs_dirs',` gen_require(` type tmpfs_t; ') fs_search_tmpfs($1) allow $1 tmpfs_t:dir watch_with_perm_dir_perms; ') ######################################## ## ## Relabel fifo_file on tmpfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_relabel_tmpfs_fifo_files',` gen_require(` type tmpfs_t; ') relabel_fifo_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Relabel files on tmpfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_relabel_tmpfs_files',` gen_require(` type tmpfs_t; ') relabel_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Delete tmpfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_delete_tmpfs_dirs', ` gen_require(` type tmpfs_t; ') delete_dirs_pattern($1, tmpfs_t, tmpfs_t) fs_search_tmpfs($1) ') ######################################## ## ## Create, read, write, and delete ## tmpfs directories ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_tmpfs_dirs',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:dir manage_dir_perms; ') ######################################## ## ## Do not audit attempts to write ## tmpfs directories ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_write_tmpfs_dirs',` gen_require(` type tmpfs_t; ') dontaudit $1 tmpfs_t:dir write; ') ######################################## ## ## Create an object in a tmpfs filesystem, with a private ## type using a type transition. ## ## ## ## Domain allowed access. ## ## ## ## ## The type of the object to be created. ## ## ## ## ## The object class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`fs_tmpfs_filetrans',` gen_require(` type tmpfs_t; ') allow $2 tmpfs_t:filesystem associate; filetrans_pattern($1, tmpfs_t, $2, $3, $4) ') ######################################## ## ## Do not audit attempts to getattr ## generic tmpfs files. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_getattr_tmpfs_files',` gen_require(` type tmpfs_t; ') dontaudit $1 tmpfs_t:file getattr; ') ######################################## ## ## Do not audit attempts to read or write ## generic tmpfs files. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_rw_tmpfs_files',` gen_require(` type tmpfs_t; ') dontaudit $1 tmpfs_t:file rw_inherited_file_perms; ') ######################################## ## ## Create, read, write, and delete ## auto moutpoints. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_auto_mountpoints',` gen_require(` type autofs_t; ') allow $1 autofs_t:dir manage_dir_perms; ') ######################################## ## ## Read generic tmpfs files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_tmpfs_files',` gen_require(` type tmpfs_t; ') read_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Read and write generic tmpfs files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_tmpfs_files',` gen_require(` type tmpfs_t; ') rw_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Read and write generic tmpfs files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_inherited_tmpfs_files',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:file { rw_inherited_file_perms }; ') ######################################## ## ## Map generic tmpfs files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_map_tmpfs_files',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:file map; ') ######################################## ## ## Read tmpfs link files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_tmpfs_symlinks',` gen_require(` type tmpfs_t; ') read_lnk_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Relabel from tmpfs lnk files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_relabelfrom_tmpfs_lnk_files',` gen_require(` type tmpfs_t; ') relabelfrom_lnk_files_pattern($1,tmpfs_t,tmpfs_t) ') ######################################## ## ## Read and write character nodes on tmpfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_tmpfs_chr_files',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:dir list_dir_perms; rw_chr_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Do not audit attempts to read and write character nodes on tmpfs filesystems. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_use_tmpfs_chr_dev',` gen_require(` type tmpfs_t; ') dontaudit $1 tmpfs_t:dir list_dir_perms; dontaudit $1 tmpfs_t:chr_file rw_chr_file_perms; ') ######################################## ## ## Do not audit attempts to create character nodes on tmpfs filesystems. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_create_tmpfs_chr_dev',` gen_require(` type tmpfs_t; ') dontaudit $1 tmpfs_t:chr_file create; ') ######################################## ## ## Do not audit attempts to dontaudit read block nodes on tmpfs filesystems. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_read_tmpfs_blk_dev',` gen_require(` type tmpfs_t; ') dontaudit $1 tmpfs_t:blk_file read_blk_file_perms; ') ######################################## ## ## Do not audit attempts to read files on tmpfs filesystems. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_read_tmpfs_files',` gen_require(` type tmpfs_t; ') dontaudit $1 tmpfs_t:blk_file read; ') ######################################## ## ## Relabel character nodes on tmpfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_relabel_tmpfs_chr_file',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:dir list_dir_perms; relabel_chr_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Read and write block nodes on tmpfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_tmpfs_blk_files',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:dir list_dir_perms; rw_blk_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Relabel block nodes on tmpfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_tmpfs_blk_file',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:blk_file getattr; ') ######################################## ## ## Relabel block nodes on tmpfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_relabel_tmpfs_blk_file',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:dir list_dir_perms; relabel_blk_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Relabel sock nodes on tmpfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_relabel_tmpfs_sock_file',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:dir list_dir_perms; relabel_sock_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Delete generic files in tmpfs directory. ## ## ## ## Domain allowed access. ## ## # interface(`fs_delete_tmpfs_files',` gen_require(` type tmpfs_t; ') allow $1 tmpfs_t:dir del_entry_dir_perms; allow $1 tmpfs_t:file_class_set delete_file_perms; ') ######################################## ## ## Read and write, create and delete generic ## files on tmpfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_tmpfs_files',` gen_require(` type tmpfs_t; ') manage_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Execute files on a tmpfs filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_exec_tmpfs_files',` gen_require(` type tmpfs_t; ') exec_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Read and write, create and delete symbolic ## links on tmpfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_tmpfs_symlinks',` gen_require(` type tmpfs_t; ') manage_lnk_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Read and write, create and delete socket ## files on tmpfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_tmpfs_sockets',` gen_require(` type tmpfs_t; ') manage_sock_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Write to socket files on tmpfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_write_tmpfs_socket_files',` gen_require(` type tmpfs_t; ') write_sock_files_pattern($1, tmpfs_t, tmpfs_t) fs_search_tmpfs($1) ') ######################################## ## ## Read and write, create and delete character ## nodes on tmpfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_tmpfs_chr_files',` gen_require(` type tmpfs_t; ') manage_chr_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Read and write, create and delete block nodes ## on tmpfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_manage_tmpfs_blk_files',` gen_require(` type tmpfs_t; ') manage_blk_files_pattern($1, tmpfs_t, tmpfs_t) ') ######################################## ## ## Mount a XENFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_xenfs',` gen_require(` type xenfs_t; ') allow $1 xenfs_t:filesystem mount; ') ######################################## ## ## Search the XENFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_search_xenfs',` gen_require(` type xenfs_t; ') allow $1 xenfs_t:dir search_dir_perms; ') ######################################## ## ## Read files on a XENFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_read_xenfs_files',` gen_require(` type xenfs_t; ') allow $1 xenfs_t:file read_file_perms; ') ######################################## ## ## Map files on a XENFS filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`fs_map_xenfs_files',` gen_require(` type xenfs_t; ') allow $1 xenfs_t:file map; ') ######################################## ## ## Create, read, write, and delete directories ## on a XENFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_manage_xenfs_dirs',` gen_require(` type xenfs_t; ') allow $1 xenfs_t:dir manage_dir_perms; ') ######################################## ## ## Do not audit attempts to create, read, ## write, and delete directories ## on a XENFS filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_manage_xenfs_dirs',` gen_require(` type xenfs_t; ') dontaudit $1 xenfs_t:dir manage_dir_perms; ') ######################################## ## ## Create, read, write, and delete files ## on a XENFS filesystem. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_manage_xenfs_files',` gen_require(` type xenfs_t; ') manage_files_pattern($1, xenfs_t, xenfs_t) ') ######################################## ## ## Do not audit attempts to create, ## read, write, and delete files ## on a XENFS filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_manage_xenfs_files',` gen_require(` type xenfs_t; ') dontaudit $1 xenfs_t:file manage_file_perms; ') ######################################## ## ## Mount all filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_all_fs',` gen_require(` attribute filesystem_type; ') allow $1 filesystem_type:filesystem mount; # Mount checks write access on the dir allow $1 filesystem_type:dir write; ') ######################################## ## ## Remount all filesystems. This ## allows some mount options to be changed. ## ## ## ## Domain allowed access. ## ## # interface(`fs_remount_all_fs',` gen_require(` attribute filesystem_type; ') allow $1 filesystem_type:filesystem remount; ') ######################################## ## ## Unmount all filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_all_fs',` gen_require(` attribute filesystem_type; ') allow $1 filesystem_type:filesystem unmount; ') ######################################## ## ## Watch all filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_watch_all_fs',` gen_require(` attribute filesystem_type; ') allow $1 filesystem_type:filesystem watch; ') ######################################## ## ## Get the attributes of all filesystems. ## ## ##

## Allow the specified domain to ## get the attributes of all filesystems. ## Example attributes: ##

##
    ##
  • Type of the file system (e.g., ext3)
  • ##
  • Size of the file system
  • ##
  • Available space on the file system
  • ##
##
## ## ## Domain allowed access. ## ## ## ## # interface(`fs_getattr_all_fs',` gen_require(` attribute filesystem_type; ') allow $1 filesystem_type:filesystem getattr; files_getattr_all_file_type_fs($1) ') ######################################## ## ## Do not audit attempts to get the attributes ## all filesystems. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_getattr_all_fs',` gen_require(` attribute filesystem_type; ') dontaudit $1 filesystem_type:filesystem getattr; ') ######################################## ## ## Do not audit attempts to check the ## access on all filesystems. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_all_access_check',` gen_require(` attribute filesystem_type; ') dontaudit $1 filesystem_type:dir_file_class_set audit_access; ') ######################################## ## ## Get the quotas of all filesystems. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_get_all_fs_quotas',` gen_require(` attribute filesystem_type; ') allow $1 filesystem_type:filesystem quotaget; ') ######################################## ## ## Set the quotas of all filesystems. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_set_all_quotas',` gen_require(` attribute filesystem_type; ') allow $1 filesystem_type:filesystem quotamod; ') ######################################## ## ## Relabelfrom all filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_relabelfrom_all_fs',` gen_require(` attribute filesystem_type; ') allow $1 filesystem_type:filesystem relabelfrom; ') ######################################## ## ## Get the attributes of all directories ## with a filesystem type. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_all_dirs',` gen_require(` attribute filesystem_type; ') allow $1 filesystem_type:dir getattr; ') ######################################## ## ## Dontaudit Get the attributes of all directories ## with a filesystem type. ## ## ## ## Domain allowed access. ## ## # interface(`fs_dontaudit_getattr_all_dirs',` gen_require(` attribute filesystem_type; ') dontaudit $1 filesystem_type:dir getattr; ') ######################################## ## ## Dontaudit map of all directories ## with a filesystem type. ## ## ## ## Domain allowed access. ## ## # interface(`fs_dontaudit_map_all_dirs',` gen_require(` attribute filesystem_type; ') dontaudit $1 filesystem_type:dir map; ') ######################################## ## ## Search all directories with a filesystem type. ## ## ## ## Domain allowed access. ## ## # interface(`fs_search_all',` gen_require(` attribute filesystem_type; ') allow $1 filesystem_type:dir search_dir_perms; ') ######################################## ## ## List all directories with a filesystem type. ## ## ## ## Domain allowed access. ## ## # interface(`fs_list_all',` gen_require(` attribute filesystem_type; ') allow $1 filesystem_type:dir list_dir_perms; ') ######################################## ## ## Get the attributes of all files with ## a filesystem type. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_all_files',` gen_require(` attribute filesystem_type; ') getattr_files_pattern($1, filesystem_type, filesystem_type) ') ######################################## ## ## Do not audit attempts to get the attributes ## of all files with a filesystem type. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_getattr_all_files',` gen_require(` attribute filesystem_type; ') dontaudit $1 filesystem_type:file getattr; ') ######################################## ## ## Get the attributes of all symbolic links with ## a filesystem type. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_all_symlinks',` gen_require(` attribute filesystem_type; ') getattr_lnk_files_pattern($1, filesystem_type, filesystem_type) ') ######################################## ## ## Do not audit attempts to get the attributes ## of all symbolic links with a filesystem type. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_getattr_all_symlinks',` gen_require(` attribute filesystem_type; ') dontaudit $1 filesystem_type:lnk_file getattr; ') ######################################## ## ## Get the attributes of all named pipes with ## a filesystem type. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_all_pipes',` gen_require(` attribute filesystem_type; ') getattr_fifo_files_pattern($1, filesystem_type, filesystem_type) ') ######################################## ## ## Do not audit attempts to get the attributes ## of all named pipes with a filesystem type. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_getattr_all_pipes',` gen_require(` attribute filesystem_type; ') dontaudit $1 filesystem_type:fifo_file getattr; ') ######################################## ## ## Get the attributes of all named sockets with ## a filesystem type. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_all_sockets',` gen_require(` attribute filesystem_type; ') getattr_sock_files_pattern($1, filesystem_type, filesystem_type) ') ######################################## ## ## Do not audit attempts to get the attributes ## of all named sockets with a filesystem type. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_getattr_all_sockets',` gen_require(` attribute filesystem_type; ') dontaudit $1 filesystem_type:sock_file getattr; ') ######################################## ## ## Get the attributes of all block device nodes with ## a filesystem type. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_all_blk_files',` gen_require(` attribute filesystem_type; ') getattr_blk_files_pattern($1, filesystem_type, filesystem_type) ') ######################################## ## ## Get the attributes of all character device nodes with ## a filesystem type. ## ## ## ## Domain allowed access. ## ## # interface(`fs_getattr_all_chr_files',` gen_require(` attribute filesystem_type; ') getattr_chr_files_pattern($1, filesystem_type, filesystem_type) ') ######################################## ## ## Unconfined access to filesystems ## ## ## ## Domain allowed access. ## ## # interface(`fs_unconfined',` gen_require(` attribute filesystem_unconfined_type; ') typeattribute $1 filesystem_unconfined_type; ') ######################################## ## ## Do not audit attempts to read or write ## all leaked filesystems files. ## ## ## ## Domain to not audit. ## ## # interface(`fs_dontaudit_leaks',` gen_require(` attribute filesystem_type; ') dontaudit $1 filesystem_type:file rw_inherited_file_perms; dontaudit $1 filesystem_type:lnk_file { read }; ') ######################################## ## ## Transition named content in tmpfs_t directory ## ## ## ## Domain allowed access. ## ## # interface(`fs_tmpfs_filetrans_named_content',` gen_require(` type cgroup_t; type devlog_t; ') fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpu") fs_tmpfs_filetrans($1, cgroup_t, lnk_file, "cpuacct") fs_tmpfs_filetrans($1, devlog_t, lnk_file, "log") ') ####################################### ## ## Read files in efivarfs ## - contains Linux Kernel configuration options for UEFI systems ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_read_efivarfs_files',` gen_require(` type efivarfs_t; ') read_files_pattern($1, efivarfs_t, efivarfs_t) ') ####################################### ## ## Read and write files in efivarfs ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_rw_efivarfs_files',` gen_require(` type efivarfs_t; ') rw_files_pattern($1, efivarfs_t, efivarfs_t) ') ####################################### ## ## Create efivarfs files ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_create_efivarfs_files',` gen_require(` type efivarfs_t; ') create_files_pattern($1, efivarfs_t, efivarfs_t) ') ####################################### ## ## Manage efivarfs files ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_manage_efivarfs_files',` gen_require(` type efivarfs_t; ') manage_files_pattern($1, efivarfs_t, efivarfs_t) ') ######################################## ## ## Search efivarfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`fs_search_efivarfs_dirs',` gen_require(` type efivarfs_t; ') search_dirs_pattern($1, efivarfs_t, efivarfs_t) ') ######################################## ## ## Set the attributes of efivarfs files. ## ## ## ## Domain allowed access. ## ## # interface(`fs_setattr_efivarfs_files',` gen_require(` type efivarfs_t; ') allow $1 efivarfs_t:file setattr; ') ######################################## ## ## Read and write sockets of ONLOAD file system pipes. ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_onload_sockets',` gen_require(` type onload_fs_t; ') rw_files_pattern($1, onload_fs_t, onload_fs_t) rw_fifo_files_pattern($1, onload_fs_t, onload_fs_t) rw_sock_files_pattern($1, onload_fs_t, onload_fs_t) allow $1 onload_fs_t:sock_file ioctl; ') ######################################## ## ## Search tracefs_t directories ## ## ## ## Domain allowed access. ## ## # interface(`fs_search_tracefs_dirs',` gen_require(` type tracefs_t; ') search_dirs_pattern($1, tracefs_t, tracefs_t) ') ######################################## ## ## Read and write tracefs_t files ## ## ## ## Domain allowed access. ## ## # interface(`fs_rw_tracefs_files',` gen_require(` type tracefs_t; ') rw_files_pattern($1, tracefs_t, tracefs_t) ') ######################################## ## ## Create, read, write, and delete dirs ## labeled as tracefs_t. ## ## ## ## Domain allowed access. ## ## ## # interface(`fs_manage_tracefs_dirs',` gen_require(` type tracefs_t; ') manage_dirs_pattern($1, tracefs_t, tracefs_t) ') ######################################## ## ## Mount tracefs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_mount_tracefs', ` gen_require(` type tracefs_t; ') allow $1 tracefs_t:filesystem mount; ') ######################################## ## ## Remount tracefs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_remount_tracefs', ` gen_require(` type tracefs_t; ') allow $1 tracefs_t:filesystem remount; ') ######################################## ## ## Unmount tracefs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`fs_unmount_tracefs', ` gen_require(` type tracefs_t; ') allow $1 tracefs_t:filesystem unmount; ')