diff --git a/refpolicy/policy/modules/kernel/devices.te b/refpolicy/policy/modules/kernel/devices.te
index 3fcac882..94cc79f9 100644
--- a/refpolicy/policy/modules/kernel/devices.te
+++ b/refpolicy/policy/modules/kernel/devices.te
@@ -105,7 +105,7 @@ filesystem_tmpfs_associate(mouse_device_t)
 type mtrr_device_t, device_node;
 filesystem_associate(mtrr_device_t)
 filesystem_tmpfs_associate(mtrr_device_t)
-genfscon proc /mtrr system_u:object_r:mtrr_device_t
+genfscon proc /mtrr context_template(system_u:object_r:mtrr_device_t,s0)
 
 #
 # null_device_t is the type of /dev/null.
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index fe81f05e..b23cbd98 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
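Review bot: Every converted genfscon in this commit hard-codes the lowest sensitivity `s0` as the second argument of context_template, starting with the `+genfscon proc /mtrr` line here, and nothing on the new side records why that level was chosen for kernel pseudo-filesystem objects; the same applies to all hunks in filesystem.te, kernel.te and files.te. A one-line comment at the first converted statement in each file would make the intent reviewable, e.g. `# genfscon contexts use the low sensitivity s0; MLS constraints layer on top of the TE rules in this module`. If the policy is also built without MLS, the build presumably relies on context_template discarding the level in that configuration; since the macro definition is not part of this diff, stating that assumption in the commit message would help anyone later adding a genfscon in the old two-argument-free form, which would otherwise be the one statement in these files lacking a level.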
@@ -16,31 +16,31 @@ type fs_t, fs_type;
 # Non-persistent/pseudo filesystems
 #
 type bdev_t, fs_type;
-genfscon bdev / system_u:object_r:bdev_t
+genfscon bdev / context_template(system_u:object_r:bdev_t,s0)
 
 type binfmt_misc_fs_t, fs_type;
-genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t
+genfscon binfmt_misc / context_template(system_u:object_r:binfmt_misc_fs_t,s0)
 
 type eventpollfs_t, fs_type;
-genfscon eventpollfs / system_u:object_r:eventpollfs_t
+genfscon eventpollfs / context_template(system_u:object_r:eventpollfs_t,s0)
 
 type futexfs_t, fs_type;
-genfscon futexfs / system_u:object_r:futexfs_t
+genfscon futexfs / context_template(system_u:object_r:futexfs_t,s0)
 
 type nfsd_fs_t, fs_type;
-genfscon nfsd / system_u:object_r:nfsd_fs_t
+genfscon nfsd / context_template(system_u:object_r:nfsd_fs_t,s0)
 
 type ramfs_t, fs_type;
 allow ramfs_t self:filesystem associate;
-genfscon ramfs / system_u:object_r:ramfs_t
+genfscon ramfs / context_template(system_u:object_r:ramfs_t,s0)
 
 type romfs_t, fs_type;
 allow romfs_t self:filesystem associate;
-genfscon romfs / system_u:object_r:romfs_t
-genfscon cramfs / system_u:object_r:romfs_t
+genfscon romfs / context_template(system_u:object_r:romfs_t,s0)
+genfscon cramfs / context_template(system_u:object_r:romfs_t,s0)
 
 type rpc_pipefs_t, fs_type;
-genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t
+genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
 
 #
 # tmpfs_t is the type for tmpfs filesystems
@@ -61,8 +61,8 @@ allow tmpfs_t usbfs_t:filesystem associate;
 #
 type autofs_t, fs_type;
 allow autofs_t self:filesystem associate;
-genfscon autofs / system_u:object_r:autofs_t
-genfscon automount / system_u:object_r:autofs_t
+genfscon autofs / context_template(system_u:object_r:autofs_t,s0)
+genfscon automount / context_template(system_u:object_r:autofs_t,s0)
 
 #
 # cifs_t is the type for filesystems and their
@@ -70,8 +70,8 @@ genfscon automount / system_u:object_r:autofs_t
 #
 type cifs_t alias sambafs_t, fs_type;
 allow cifs_t self:filesystem associate;
-genfscon cifs / system_u:object_r:cifs_t
-genfscon smbfs / system_u:object_r:cifs_t
+genfscon cifs / context_template(system_u:object_r:cifs_t,s0)
+genfscon smbfs / context_template(system_u:object_r:cifs_t,s0)
 
 #
 # dosfs_t is the type for fat and vfat
@@ -79,10 +79,10 @@ genfscon smbfs / system_u:object_r:cifs_t
 #
 type dosfs_t, fs_type;
 allow dosfs_t self:filesystem associate;
-genfscon vfat / system_u:object_r:dosfs_t
-genfscon msdos / system_u:object_r:dosfs_t
-genfscon fat / system_u:object_r:dosfs_t
-genfscon ntfs / system_u:object_r:dosfs_t
+genfscon vfat / context_template(system_u:object_r:dosfs_t,s0)
+genfscon msdos / context_template(system_u:object_r:dosfs_t,s0)
+genfscon fat / context_template(system_u:object_r:dosfs_t,s0)
+genfscon ntfs / context_template(system_u:object_r:dosfs_t,s0)
 
 #
 # iso9660_t is the type for CD filesystems
@@ -90,8 +90,8 @@ genfscon ntfs / system_u:object_r:dosfs_t
 #
 type iso9660_t, fs_type;
 allow iso9660_t self:filesystem associate;
-genfscon iso9660 / system_u:object_r:iso9660_t
-genfscon udf / system_u:object_r:iso9660_t
+genfscon iso9660 / context_template(system_u:object_r:iso9660_t,s0)
+genfscon udf / context_template(system_u:object_r:iso9660_t,s0)
 
 #
 # removable_t is the default type of all removable media
@@ -112,6 +112,6 @@ allow removable_t usbfs_t:filesystem associate;
 type nfs_t, fs_type;
 files_make_mountpoint(nfs_t)
 allow nfs_t self:filesystem associate;
-genfscon nfs / system_u:object_r:nfs_t
-genfscon nfs4 / system_u:object_r:nfs_t
-genfscon afs / system_u:object_r:nfs_t
+genfscon nfs / context_template(system_u:object_r:nfs_t,s0)
+genfscon nfs4 / context_template(system_u:object_r:nfs_t,s0)
+genfscon afs / context_template(system_u:object_r:nfs_t,s0)
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 8a2637c9..4e108d23 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -36,7 +36,7 @@ type unlabeled_t;
 #
 type security_t;
 filesystem_make_filesystem(security_t)
-genfscon selinuxfs / system_u:object_r:security_t
+genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
 
 #
 # sysfs_t is the type for /sys
@@ -44,7 +44,7 @@ genfscon selinuxfs / system_u:object_r:security_t
 type sysfs_t;
 files_make_mountpoint(sysfs_t)
 filesystem_make_filesystem(sysfs_t)
-genfscon sysfs / system_u:object_r:sysfs_t
+genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
 
 #
 # usbfs_t is the type for /proc/bus/usb
@@ -52,8 +52,8 @@ genfscon sysfs / system_u:object_r:sysfs_t
 type usbfs_t alias usbdevfs_t;
 files_make_mountpoint(usbfs_t)
 filesystem_make_filesystem(usbfs_t)
-genfscon usbfs / system_u:object_r:usbfs_t
-genfscon usbdevfs / system_u:object_r:usbfs_t
+genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0)
+genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0)
 
 #
 # Procfs types
@@ -62,24 +62,24 @@ genfscon usbdevfs / system_u:object_r:usbfs_t
 type proc_t;
 files_make_mountpoint(proc_t)
 filesystem_make_filesystem(proc_t)
-genfscon proc / system_u:object_r:proc_t
-genfscon proc /sysvipc system_u:object_r:proc_t
+genfscon proc / context_template(system_u:object_r:proc_t,s0)
+genfscon proc /sysvipc context_template(system_u:object_r:proc_t,s0)
 
 # kernel message interface
 type proc_kmsg_t;
-genfscon proc /kmsg system_u:object_r:proc_kmsg_t
+genfscon proc /kmsg context_template(system_u:object_r:proc_kmsg_t,s0)
 neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;
 
 # /proc kcore: inaccessible
 type proc_kcore_t;
 neverallow * proc_kcore_t:file ~getattr;
-genfscon proc /kcore system_u:object_r:proc_kcore_t
+genfscon proc /kcore context_template(system_u:object_r:proc_kcore_t,s0)
 
 type proc_mdstat_t;
-genfscon proc /mdstat system_u:object_r:proc_mdstat_t
+genfscon proc /mdstat context_template(system_u:object_r:proc_mdstat_t,s0)
 
 type proc_net_t;
-genfscon proc /net system_u:object_r:proc_net_t
+genfscon proc /net context_template(system_u:object_r:proc_net_t,s0)
 
 #
 # Sysctl types
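Review bot: The `+genfscon proc /kcore` and `+genfscon proc /kmsg` lines give kernel memory and the kernel log the same low sensitivity `s0` as ordinary procfs entries, whereas an MLS deployment would normally want such kernel-internal data at a high level rather than readable-down by every clearance. The existing neverallow rules on proc_kcore_t and proc_kmsg_t still gate access through TE, so this is not an immediate exposure, but the level ought to be a deliberate choice rather than a by-product of the mechanical conversion. If `s0` is intended, a comment on the kcore line such as `# s0 is acceptable only because the neverallow above limits every domain to getattr` would record the reasoning; if not, these two statements are the ones to revisit. The can_receive_kernel_messages attribute referenced by the kmsg neverallow is defined outside this hunk.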
@@ -87,48 +87,48 @@ genfscon proc /net system_u:object_r:proc_net_t
 
 # /proc/irq directory and files
 type sysctl_irq_t;
-genfscon proc /irq system_u:object_r:sysctl_irq_t
+genfscon proc /irq context_template(system_u:object_r:sysctl_irq_t,s0)
 
 # /proc/net/rpc directory and files
 type sysctl_rpc_t;
-genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t
+genfscon proc /net/rpc context_template(system_u:object_r:sysctl_rpc_t,s0)
 
 # /proc/sys directory, base directory of sysctls
 type sysctl_t;
-genfscon proc /sys system_u:object_r:sysctl_t
+genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0)
 
 # /proc/sys/fs directory and files
 type sysctl_fs_t;
 files_make_mountpoint(sysctl_fs_t)
-genfscon proc /sys/fs system_u:object_r:sysctl_fs_t
+genfscon proc /sys/fs context_template(system_u:object_r:sysctl_fs_t,s0)
 
 # /proc/sys/kernel directory and files
 type sysctl_kernel_t;
-genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t
+genfscon proc /sys/kernel context_template(system_u:object_r:sysctl_kernel_t,s0)
 
 # /proc/sys/kernel/modprobe file
 type sysctl_modprobe_t;
-genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t
+genfscon proc /sys/kernel/modprobe context_template(system_u:object_r:sysctl_modprobe_t,s0)
 
 # /proc/sys/kernel/hotplug file
 type sysctl_hotplug_t;
-genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t
+genfscon proc /sys/kernel/hotplug context_template(system_u:object_r:sysctl_hotplug_t,s0)
 
 # /proc/sys/net directory and files
 type sysctl_net_t;
-genfscon proc /sys/net system_u:object_r:sysctl_net_t
+genfscon proc /sys/net context_template(system_u:object_r:sysctl_net_t,s0)
 
 # /proc/sys/net/unix directory and files
 type sysctl_net_unix_t;
-genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t
+genfscon proc /sys/net/unix context_template(system_u:object_r:sysctl_net_unix_t,s0)
 
 # /proc/sys/vm directory and files
 type sysctl_vm_t;
-genfscon proc /sys/vm system_u:object_r:sysctl_vm_t
+genfscon proc /sys/vm context_template(system_u:object_r:sysctl_vm_t,s0)
 
 # /proc/sys/dev directory and files
 type sysctl_dev_t;
-genfscon proc /sys/dev system_u:object_r:sysctl_dev_t
+genfscon proc /sys/dev context_template(system_u:object_r:sysctl_dev_t,s0)
 
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/files.te b/refpolicy/policy/modules/system/files.te
index c3aa6663..c26db14f 100644
--- a/refpolicy/policy/modules/system/files.te
+++ b/refpolicy/policy/modules/system/files.te
@@ -83,7 +83,7 @@ filesystem_associate(root_t)
 filesystem_noxattr_associate(root_t)
 kernel_read_directory_from(root_t)
 kernel_make_root_filesystem_mountpoint(root_t)
-genfscon rootfs / system_u:object_r:root_t
+genfscon rootfs / context_template(system_u:object_r:root_t,s0)
 
 #
 # src_t is the type of files in the system src directories.