selinux-policy/policy/modules/kernel/filesystem.te


# Reference-policy module header: module name and version.
policy_module(filesystem,1.7.1)
########################################
#
# Declarations
#
# filesystem_type: attribute carried by every filesystem type declared in
# this module; the generic rules at the end of the file key off it.
attribute filesystem_type;
# filesystem_unconfined_type: domains given blanket ("*") access to every
# filesystem_type and to the files on them (see the "Unconfined access"
# rules at the end of the file). Assign sparingly.
attribute filesystem_unconfined_type;
# noxattrfs: filesystem types that cannot store per-file security labels;
# the one filesystem type is applied to the filesystem and all of its files
# (see the "Filesystems without extended attribute support" section and the
# fs_associate_noxattr() rule near the end of the file).
attribute noxattrfs;
##############################
#
# fs_t is the default type for persistent
# filesystems with extended attributes
#
# fs_t is the initial SID for the "fs" object and the context that every
# fs_use_* statement below assigns to the filesystem object itself.
type fs_t;
fs_type(fs_t)
sid fs gen_context(system_u:object_r:fs_t,s0)
# Use xattrs for the following filesystem types.
# Requires that a security xattr handler exist for the filesystem.
# Per-file labels are read from the on-disk security xattr, so files on
# these filesystems can carry types other than fs_t and relabeling persists.
fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
# Use the allocating task SID to label inodes in the following filesystem
# types, and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems that represent objects
# like pipes and sockets, so that these objects are labeled with the same
# type as the creating task.
# NOTE: eventpollfs is labeled by task here; its older genfscon entry is
# kept commented out in the pseudo-filesystem section below.
fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0);
fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
##############################
#
# Non-persistent/pseudo filesystems
#
# anon_inodefs: kernel pseudo filesystem for anonymous inodes. genfscon
# gives the filesystem object and everything under / this single context.
type anon_inodefs_t;
fs_type(anon_inodefs_t)
# May serve as a mount point (refpolicy files interface).
files_mountpoint(anon_inodefs_t)
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
# bdev: kernel-internal block device pseudo filesystem, labeled as a whole.
type bdev_t;
fs_type(bdev_t)
genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
# binfmt_misc: registration filesystem for additional executable formats.
type binfmt_misc_fs_t;
fs_type(binfmt_misc_fs_t)
# binfmt_misc may be a mount point; the whole filesystem gets one context.
files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
# capifs: ISDN CAPI pseudo filesystem.
type capifs_t;
fs_type(capifs_t)
# capifs may be a mount point; labeled as a whole via genfscon.
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
# configfs: kernel object configuration filesystem.
type configfs_t;
fs_type(configfs_t)
# configfs provides no per-file labels; the whole tree is configfs_t.
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
# cpuset: CPU/memory-set control filesystem.
type cpusetfs_t;
fs_type(cpusetfs_t)
# Lets cpusetfs_t-labeled files reside on a cpusetfs_t filesystem.
# NOTE(review): appears redundant with the generic
# "allow filesystem_type self:filesystem associate;" rule at the end of
# this file, if fs_type() assigns filesystem_type -- confirm.
allow cpusetfs_t self:filesystem associate;
genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
# eventpollfs: the type is still declared, but the filesystem is now labeled
# by the allocating task (fs_use_task eventpollfs ... near the top of this
# file), so the genfscon entry below is retired.
type eventpollfs_t;
fs_type(eventpollfs_t)
# change to task SID 20060628
#genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
# FUSE (user-space) filesystems: treated as lacking xattr labels, so both the
# "fuse" and "fuseblk" kernel filesystem names get a single fusefs_t context.
type fusefs_t;
fs_noxattr_type(fusefs_t)
# NOTE(review): likely redundant with the generic filesystem_type
# self:filesystem associate rule at the end of this file -- confirm.
allow fusefs_t self:filesystem associate;
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
# futexfs: kernel-internal futex pseudo filesystem, labeled as a whole.
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
# hugetlbfs: huge-page backed filesystem.
type hugetlbfs_t;
fs_type(hugetlbfs_t)
# hugetlbfs may be a mount point; labeled as a whole via genfscon.
files_mountpoint(hugetlbfs_t)
genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
# ibmasmfs: IBM service-processor driver filesystem, labeled as a whole.
type ibmasmfs_t;
fs_type(ibmasmfs_t)
# NOTE(review): likely redundant with the generic filesystem_type
# self:filesystem associate rule at the end of this file -- confirm.
allow ibmasmfs_t self:filesystem associate;
genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
# inotifyfs: kernel-internal inotify pseudo filesystem, labeled as a whole.
type inotifyfs_t;
fs_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
# mvfs (ClearCase MVFS): no xattr labels, whole filesystem is mvfs_t.
type mvfs_t;
fs_noxattr_type(mvfs_t)
# NOTE(review): likely redundant with the generic filesystem_type
# self:filesystem associate rule at the end of this file -- confirm.
allow mvfs_t self:filesystem associate;
genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
# nfsd: kernel NFS server control filesystem, labeled as a whole.
type nfsd_fs_t;
fs_type(nfsd_fs_t)
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
# oprofilefs: profiler control filesystem, labeled as a whole.
type oprofilefs_t;
fs_type(oprofilefs_t)
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
# ramfs: memory-backed filesystem labeled as a whole (contrast tmpfs, which
# uses fs_use_trans so its files get derived types).
type ramfs_t;
fs_type(ramfs_t)
genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
# Read-only image filesystems: romfs and cramfs share one type.
type romfs_t;
fs_type(romfs_t)
genfscon romfs / gen_context(system_u:object_r:romfs_t,s0)
genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)
# rpc_pipefs: SunRPC upcall pipe filesystem; labeled as a whole and mountable.
type rpc_pipefs_t;
fs_type(rpc_pipefs_t)
genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
files_mountpoint(rpc_pipefs_t)
# spufs: Cell SPU control filesystem; labeled as a whole and mountable.
type spufs_t;
fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
# vxfs (Veritas): no xattr labels here, so the whole filesystem is vxfs_t.
type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
#
# tmpfs_t is the type for tmpfs filesystems
#
# tmpfs_t is both a filesystem type and a file type: files created on tmpfs
# default to it unless a transition derives another type (see fs_use_trans).
type tmpfs_t;
fs_type(tmpfs_t)
files_type(tmpfs_t)
# tmpfs directories may serve as mount points.
files_mountpoint(tmpfs_t)
# tmpfs directories may be parents of polyinstantiated (per-user/level)
# directories.
files_poly_parent(tmpfs_t)
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
# and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems like devpts and tmpfs
# where we want to label objects with a derived type.
# POSIX message queues (mqueue) and shared memory (shm) are tmpfs-backed and
# share tmpfs_t with tmpfs proper.
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
# Let files labeled tmpfs_t reside on any xattr-less filesystem (e.g. when
# they are moved there), since such filesystems cannot relabel them.
allow tmpfs_t noxattrfs:filesystem associate;
##############################
#
# Filesystems without extended attribute support
#
# autofs: automounter trigger filesystem; no per-file labels.
type autofs_t;
fs_noxattr_type(autofs_t)
# autofs directories are mount points by design; both kernel names map here.
files_mountpoint(autofs_t)
genfscon autofs / gen_context(system_u:object_r:autofs_t,s0)
genfscon automount / gen_context(system_u:object_r:autofs_t,s0)
#
# cifs_t is the type for filesystems and their
# files shared from Windows servers
#
# The sambafs_t alias keeps policy written against the old name working.
type cifs_t alias sambafs_t;
fs_noxattr_type(cifs_t)
files_mountpoint(cifs_t)
# Both the cifs and legacy smbfs kernel drivers get the one cifs_t context.
genfscon cifs / gen_context(system_u:object_r:cifs_t,s0)
genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)
#
# dosfs_t is the type for fat and vfat
# filesystems and their files.
#
# dosfs_t covers the FAT family and, as declared below, NTFS too.
type dosfs_t;
fs_noxattr_type(dosfs_t)
# Let dosfs_t-labeled files also reside on xattr-capable (fs_t) filesystems.
allow dosfs_t fs_t:filesystem associate;
genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
# NTFS (in-kernel and ntfs-3g) is labeled dosfs_t rather than given its own
# type; every file on it therefore shares one label.
genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
#
# iso9660_t is the type for CD filesystems
# and their files.
#
# Optical-media filesystems (ISO 9660 and UDF) share one xattr-less type.
type iso9660_t;
fs_noxattr_type(iso9660_t)
genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
#
# removable_t is the default type of all removable media
#
# removable_t has no genfscon entry of its own; it is applied by mount
# options or labeling elsewhere rather than by kernel filesystem name.
type removable_t;
# Let removable_t-labeled files reside on any xattr-less filesystem.
allow removable_t noxattrfs:filesystem associate;
# Removable media is treated as xattr-less: the one type covers all files.
fs_noxattr_type(removable_t)
# removable_t is also a file type, since files on such media carry it.
files_type(removable_t)
#
# nfs_t is the default type for NFS file systems
# and their files.
#
# nfs_t: network filesystems are labeled as a whole; the server's per-file
# labels are not consulted.
type nfs_t;
fs_noxattr_type(nfs_t)
# NFS mounts are mount points; nfs and nfs4 share one context.
files_mountpoint(nfs_t)
genfscon nfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
# afs, hfs and hfsplus are lumped under nfs_t as generic xattr-less
# filesystems rather than given types of their own.
genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
# NOTE(review): reiserfs is labeled nfs_t via genfscon instead of using
# fs_use_xattr, so any per-file labels stored on a reiserfs volume are
# ignored and every file on it is nfs_t. This looks deliberate (it is not
# in the xattr list at the top of the file) -- confirm before changing.
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
########################################
#
# Rules for all filesystem types
#
# Every filesystem type may hold files labeled with its own type.
allow filesystem_type self:filesystem associate;
########################################
#
# Rules for filesystems without xattr support
#
# Allow files of any noxattrfs type to reside on any noxattrfs filesystem,
# so that e.g. a file can be moved from an nfs_t mount to a dosfs_t mount
# even though neither filesystem can relabel it.
fs_associate_noxattr(noxattrfs)
########################################
#
# Unconfined access to this module
#
# "*" grants every filesystem-class permission (mount, remount, unmount,
# relabel, associate, ...) on every filesystem type; keep
# filesystem_unconfined_type limited to genuinely unconfined domains.
allow filesystem_unconfined_type filesystem_type:filesystem *;
# Create/access other files. fs_type is to pick up various
# pseudo filesystem types that are applied to both the filesystem
# and its files.
# Likewise "*" on every file class here, for files carrying a filesystem type.
allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;