# fuseblkd: a small, dedicated domain whose only job is to mount and
# unmount fuseblk filesystems. It exists so that fuseblkd_untrusted
# (the daemon that actually serves the filesystem) never needs
# CAP_SYS_ADMIN itself; that capability is confined to this domain.

type fuseblkd_exec, system_file_type, exec_type, file_type;
type fuseblkd, domain;
typeattribute fuseblkd coredomain;

# CAP_SYS_ADMIN is what mount(2)/umount(2) check for; there is no
# narrower capability that covers just mount/unmount, so this cannot
# be reduced further. The compensating control is that every other
# rule in this file is kept as narrow as possible.
allow fuseblkd self:global_capability_class_set sys_admin;

# Access to the FUSE control device (/dev/fuse) and the right to mount
# and unmount filesystems labeled fuseblk.
allow fuseblkd fuse_device:chr_file rw_file_perms;
allow fuseblkd fuseblk:filesystem { mount unmount };

# fuseblkd inherits file descriptors from fuseblkd_untrusted across the
# domain transition. NOTE(review): presumably this is the /dev/fuse fd
# that the untrusted daemon opened before exec -- confirm against the
# caller; no other fd-granting rule is visible here.
allow fuseblkd fuseblkd_untrusted:fd use;

# Directory traversal only:
#  - block_device: walk the block-device directory to locate the target
#    device. Note that no blk_file permission is granted here, so the
#    device node itself must be labeled with a type allowed elsewhere.
#  - mnt_media_rw_file: walk the media_rw mount hierarchy for USB drives.
allow fuseblkd { block_device mnt_media_rw_file }:dir search;

# The actual mount point: the stub directory under media_rw.
allow fuseblkd mnt_media_rw_stub_file:dir mounton;

###
### neverallow rules
###

# Lock down how this privileged domain can be entered:
#  - only fuseblkd_untrusted may transition into it,
#  - never via dynamic transition (setcon), only via exec,
#  - and only by executing a file labeled fuseblkd_exec.
neverallow { domain -fuseblkd_untrusted } fuseblkd:process transition;
neverallow * fuseblkd:process dyntransition;
neverallow fuseblkd { file_type fs_type -fuseblkd_exec }:file entrypoint;