
/usr/share/sadms-2.0.15/conf/pam_mount_macros.te is in sadms 2.0.15.repack-0ubuntu2.

This file is owned by root:root, with mode 0o644.

# Type declarations for the pam_mount module (legacy example-policy style:
# attributes are listed inline on the type statement).
#
# pammount_var_run_t labels pam_mount state created under the var_run_t
# directory (see the file_type_auto_trans rule further down); the typealias
# keeps the older var_run_pammount_t name resolving to the same type.
type pammount_var_run_t, file_type, sysadmfile, pidfile;
typealias pammount_var_run_t alias var_run_pammount_t;

# pam_mount_exec_t labels the pam_mount helper binaries; pam_mount_t is the
# domain they run in after the domain_auto_trans in pam_mount_domain below.
# privlog and fs_domain are attributes whose rules live elsewhere in the
# policy -- what they grant is not visible in this file.
type pam_mount_exec_t, file_type, sysadmfile, exec_type;
type pam_mount_t, domain, privlog, fs_domain;

# pam_mount_domain(role_prefix, domain_prefix)
#
# m4 macro: grants the login/su domain $2_t what it needs to run pam_mount
# for role $1_r. It authorises the role for pam_mount_t, mount_t and fsadm_t,
# sets up the automatic domain transitions into those three domains, and
# lets $2_t read the pam_mount configuration. Note that the allow rules on
# $2_t apply to the whole login domain at all times, not only while the
# pam_mount module is active.
# (Comments inside the quoted body must not contain apostrophes or
# backquotes, which would terminate the m4 quote.)
define(`pam_mount_domain', `
# may exec helper binaries:
role $1_r types pam_mount_t;
domain_auto_trans($2_t, pam_mount_exec_t, pam_mount_t)

# FIXME: should have more fine-grained types
# read /etc/pam_mount.conf and ~/.pam_mount.conf
# NOTE(review): the object is the type user_home_t, not a path, so the
# second rule lets $2_t read every user_home_t file in the home directory,
# not only ~/.pam_mount.conf -- this is what the FIXME above refers to.
allow $2_t etc_runtime_t:file { getattr read };
allow $2_t user_home_t:file { getattr read };

# allow checking to see if a volume is already mounted in or at $HOME
allow $2_t user_home_t:dir { search getattr };
allow $2_t user_home_dir_t:dir { search getattr };

# for lsof, etc: VIOLATES ASSERTION
# can_exec($2_t, sbin_t)

# NOTE(review): no comment records why the login domain must read default_t
# (otherwise-unlabeled) files -- confirm this is still required.
allow $2_t default_t:file { getattr read };

# allow the proper execution of mount:
role $1_r types mount_t;
domain_auto_trans($2_t, mount_exec_t, mount_t)

# allow the proper execution of losetup and fsck:
role $1_r types fsadm_t;
domain_auto_trans($2_t, fsadm_exec_t, fsadm_t)
')

# Instantiate the macro for each login path that may invoke pam_mount.
# First argument: role (expanded to system_r / user_r / sysadm_r).
# Second argument: prefix of the login domain (expanded to xdm_t, user_su_t,
# sysadm_su_t, local_login_t, remote_login_t). Each instantiation grants
# that domain the full rule set of pam_mount_domain above.
pam_mount_domain(system, xdm)
pam_mount_domain(user, user_su)
pam_mount_domain(sysadm, sysadm_su)
pam_mount_domain(system, local_login)
pam_mount_domain(system, remote_login)

# allow pam_mount_t (helper binaries) to manipulate /var/run/pam_mount:
uses_shlib(pam_mount_t)
read_locale(pam_mount_t)
# Files pam_mount_t creates in a var_run_t directory get pammount_var_run_t.
file_type_auto_trans(pam_mount_t, var_run_t, pammount_var_run_t, file)
allow pam_mount_t pammount_var_run_t:dir rw_dir_perms;
allow pam_mount_t pammount_var_run_t:file { create getattr };
# NOTE(review): the next two rules are on the generic var_run_t type rather
# than pammount_var_run_t, so pam_mount_t may create, write and unlink
# var_run_t files anywhere under /var/run, not only in its own directory.
# Confirm whether the auto_trans above already covers the real need.
allow pam_mount_t var_run_t:dir { create getattr setattr add_name write };
allow pam_mount_t var_run_t:file { create getattr setattr read write lock unlink };
# Datagram socket to self (presumably for logging -- TODO confirm).
allow pam_mount_t pam_mount_t:unix_dgram_socket { create connect write };
allow pam_mount_t pam_mount_t:capability { chown fsetid };

# allow fsck to remove /etc/blkid.tab.old VIOLATES ASSERTION
# allow fsadm_t etc_t:file { unlink };

# allow users to mount volumes within and as their home directory:
allow mount_t user_home_t:dir { mounton getattr };
allow mount_t user_home_dir_t:dir { getattr mounton };

# allow users to losetup in home directory:
# NOTE(review): losetup needs to open the image file, but this rule covers
# every user_home_t file, so the fsadm_t domain can read and write any file
# in any user home; a dedicated image type would narrow it.
allow fsadm_t user_home_t:dir { search };
allow fsadm_t user_home_t:file { read write };

# so that losetup may read password from stdin:
allow fsadm_t user_devpts_t:chr_file { read write };

# allow users to mount images in their home directory:
# (same breadth as the fsadm_t rule above: all user_home_t files)
allow mount_t user_home_t:file { getattr read write };

# ============================= Should be moved elsewhere once util-linux ==
# ============================= is patched: ===================================
# allow reading of /proc/mounts link
allow mount_t proc_t:lnk_file { read };

# manipulate /dev/mapper/control:
allow mount_t lvm_control_t:chr_file { read write ioctl };
# NOTE(review): unlike the lvm_control_t rule above, this one is on the
# generic device_t type, so mount_t may read/write/ioctl any device_t
# character device, not just /dev/mapper/control. Confirm whether it is
# still needed once /dev/mapper/control is labelled lvm_control_t.
allow mount_t device_t:chr_file { read write ioctl };

# create a device within /dev/mapper:
allow mount_t device_t:dir { write add_name remove_name };
allow mount_t device_t:blk_file { create unlink getattr read };

# allow mount to read password from parent process:
allow mount_t user_devpts_t:chr_file { read write getattr };

# allow mount to create /dev/mapper device
allow mount_t mount_t:capability { mknod };

# allow mount to look up and set proper context of new /dev/mapper device:
allow mount_t file_context_t:file { read getattr };
allow mount_t security_t:dir { search };
allow mount_t security_t:file { read write };
allow mount_t security_t:security { check_context };
allow mount_t device_t:blk_file { relabelfrom };
# Relabels the new node from device_t to fixed_disk_device_t; unlink on
# fixed_disk_device_t also lets mount_t remove block devices of that type.
allow mount_t fixed_disk_device_t:blk_file { relabelto unlink };

# not sure yet why these are needed:
allow mount_t selinux_config_t:file { read getattr };
allow mount_t mount_t:dir { search };
allow mount_t mount_t:file { getattr read };
# =============================================================================