* mount_ntfs policy
@ 2007-03-23 19:32 Daniel J Walsh
  0 siblings, 0 replies; only message in thread
From: Daniel J Walsh @ 2007-03-23 19:32 UTC (permalink / raw)
  To: Christopher J. PeBenito, SE Linux

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: mount_ntfs.patch --]
[-- Type: text/x-patch, Size: 3512 bytes --]

--- nsaserefpolicy/policy/modules/system/mount.fc	2006-11-16 17:15:24.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/system/mount.fc	2007-03-22 15:06:59.000000000 -0400
@@ -1,4 +1,3 @@
 /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
-
-/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount.ntfs-3g		--	gen_context(system_u:object_r:mount_ntfs_exec_t,s0)
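Review bot: The new path on the `+/sbin/mount.ntfs-3g` line leaves the dot unescaped, and file-context paths are regular expressions, so it also matches names such as `/sbin/mountXntfs-3g`; the usual refpolicy form is `/sbin/mount\.ntfs-3g		--	gen_context(system_u:object_r:mount_ntfs_exec_t,s0)`. The removed `/usr/bin/fusermount` entry is presumably taken over by a separate fusermount module, since mount.te in this same patch now calls `fusermount_domtrans`; if that module is not part of this change, the binary would no longer be labeled by this module and the transition into mount_ntfs_t's fusermount path would not work.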
--- nsaserefpolicy/policy/modules/system/mount.if	2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/system/mount.if	2007-03-22 15:06:59.000000000 -0400
@@ -143,3 +143,40 @@
 		mount_domtrans($1)
 	')
 ')
+
+########################################
+## <summary>
+##	Execute a domain transition to run mount_ntfs.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`mount_ntfs_domtrans',`
+	gen_require(`
+		type mount_ntfs_t, mount_ntfs_exec_t;
+	')
+
+	domtrans_pattern($1,mount_ntfs_exec_t,mount_ntfs_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read/write to
+##	init scripts with a unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_ntfs_rw_stream_sockets',`
+	gen_require(`
+		type mount_ntfs_t;
+	')
+
+	allow $1 mount_ntfs_t:unix_stream_socket { read write };
+')
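Review bot: The summary of `mount_ntfs_rw_stream_sockets` describes reading and writing init scripts, but the rule `allow $1 mount_ntfs_t:unix_stream_socket { read write };` grants read/write on the mount_ntfs_t domain's unix stream sockets, so the text looks copied from another interface; replace it with `##	Allow the specified domain to read and write mount_ntfs unix domain stream sockets.`. None of the hunks in this patch call the interface, so presumably a caller lives in another module; worth confirming it is not dead code.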
--- nsaserefpolicy/policy/modules/system/mount.te	2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.5.10/policy/modules/system/mount.te	2007-03-22 15:06:59.000000000 -0400
@@ -9,8 +9,13 @@
 type mount_t;
 type mount_exec_t;
 init_system_domain(mount_t,mount_exec_t)
+application_executable_file(mount_exec_t)
 role system_r types mount_t;
 
+type mount_ntfs_t;
+type mount_ntfs_exec_t;
+init_daemon_domain(mount_ntfs_t, mount_ntfs_exec_t)
+
 type mount_loopback_t; # customizable
 files_type(mount_loopback_t)
 
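Review bot: The new domain is declared with `init_daemon_domain(mount_ntfs_t, mount_ntfs_exec_t)` while mount_t a few lines above uses `init_system_domain`, and the only entry point this patch grants is `mount_ntfs_domtrans(mount_t)` further down, so daemon-domain treatment (init-script transitions) may be more than a mount helper needs; if it is deliberate, a one-line comment on that line saying why would help. The added `application_executable_file(mount_exec_t)` changes mount_t rather than mount_ntfs and is not explained anywhere in the message, so it would be clearer either split out or given a short comment.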
@@ -29,7 +34,7 @@
 #
 
 # setuid/setgid needed to mount cifs 
-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:capability { ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
 
 allow mount_t mount_loopback_t:file read_file_perms;
 allow mount_t self:netlink_route_socket r_netlink_socket_perms;
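Review bot: `sys_resource` is added to mount_t's self capability set without the why-comment the preceding line gives for setuid/setgid, and the cover message (attachment #1 is empty) does not say which mount operation failed without it; a comment such as `# sys_resource needed for <operation — fill in>` on the line above would record the reason. Each capability in this set widens what a confined mount_t can do, so the justification belongs in the policy file where the next reviewer will look for it.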
@@ -197,3 +207,40 @@
 	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
 	unconfined_domain(unconfined_mount_t)
 ')
+
+########################################
+#
+# mount_ntfs local policy
+#
+allow mount_ntfs_t self:capability { setuid sys_admin };
+allow mount_ntfs_t self:fifo_file { read write };
+allow mount_ntfs_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_ntfs_t self:unix_dgram_socket { connect create };
+
+corecmd_read_bin_symlinks(mount_ntfs_t)
+corecmd_exec_shell(mount_ntfs_t)
+
+files_read_etc_files(mount_ntfs_t)
+
+libs_use_ld_so(mount_ntfs_t)
+libs_use_shared_libs(mount_ntfs_t)
+
+fusermount_domtrans(mount_ntfs_t)
+fusermount_use_fds(mount_ntfs_t)
+
+kernel_read_system_state(mount_ntfs_t)
+
+logging_send_syslog_msg(mount_ntfs_t)
+
+miscfiles_read_localization(mount_ntfs_t)
+
+modutils_domtrans_insmod(mount_ntfs_t)
+
+mount_ntfs_domtrans(mount_t)
+
+storage_raw_read_fixed_disk(mount_ntfs_t)
+storage_raw_write_fixed_disk(mount_ntfs_t)
+
+ifdef(`targeted_policy',`
+	term_use_generic_ptys(mount_ntfs_t)
+')
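Review bot: `mount_ntfs_domtrans(mount_t)` grants a rule to mount_t but sits inside the "mount_ntfs local policy" section; refpolicy convention keeps rules for the calling domain in that domain's own section, so it belongs in the mount_t local policy block above. The `storage_raw_read_fixed_disk`/`storage_raw_write_fixed_disk` pair and the `{ setuid sys_admin }` capability line also carry no comment, whereas the existing mount_t rules document why setuid/setgid are needed; a short note such as `# ntfs-3g opens the block device directly` above the storage_raw_* lines would help, assuming that is indeed the reason. `corecmd_exec_shell` and `modutils_domtrans_insmod` are similarly unexplained and are worth a one-line comment each.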
