add mls sensitivity to genfscon, initial sids and fs_use
This commit is contained in:
parent
0d0d2bafd6
commit
e32c0d3b86
@ -105,7 +105,7 @@ filesystem_tmpfs_associate(mouse_device_t)
type mtrr_device_t, device_node;
type mtrr_device_t, device_node;
filesystem_associate(mtrr_device_t)
filesystem_associate(mtrr_device_t)
filesystem_tmpfs_associate(mtrr_device_t)
filesystem_tmpfs_associate(mtrr_device_t)
genfscon proc /mtrr system_u:object_r:mtrr_device_t
genfscon proc /mtrr context_template(system_u:object_r:mtrr_device_t,s0)
#
#
# null_device_t is the type of /dev/null.
# null_device_t is the type of /dev/null.
@ -16,31 +16,31 @@ type fs_t, fs_type;
# Non-persistent/pseudo filesystems
# Non-persistent/pseudo filesystems
#
#
type bdev_t, fs_type;
type bdev_t, fs_type;
genfscon bdev / system_u:object_r:bdev_t
genfscon bdev / context_template(system_u:object_r:bdev_t,s0)
type binfmt_misc_fs_t, fs_type;
type binfmt_misc_fs_t, fs_type;
genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t
genfscon binfmt_misc / context_template(system_u:object_r:binfmt_misc_fs_t,s0)
type eventpollfs_t, fs_type;
type eventpollfs_t, fs_type;
genfscon eventpollfs / system_u:object_r:eventpollfs_t
genfscon eventpollfs / context_template(system_u:object_r:eventpollfs_t,s0)
type futexfs_t, fs_type;
type futexfs_t, fs_type;
genfscon futexfs / system_u:object_r:futexfs_t
genfscon futexfs / context_template(system_u:object_r:futexfs_t,s0)
type nfsd_fs_t, fs_type;
type nfsd_fs_t, fs_type;
genfscon nfsd / system_u:object_r:nfsd_fs_t
genfscon nfsd / context_template(system_u:object_r:nfsd_fs_t,s0)
type ramfs_t, fs_type;
type ramfs_t, fs_type;
allow ramfs_t self:filesystem associate;
allow ramfs_t self:filesystem associate;
genfscon ramfs / system_u:object_r:ramfs_t
genfscon ramfs / context_template(system_u:object_r:ramfs_t,s0)
type romfs_t, fs_type;
type romfs_t, fs_type;
allow romfs_t self:filesystem associate;
allow romfs_t self:filesystem associate;
genfscon romfs / system_u:object_r:romfs_t
genfscon romfs / context_template(system_u:object_r:romfs_t,s0)
genfscon cramfs / system_u:object_r:romfs_t
genfscon cramfs / context_template(system_u:object_r:romfs_t,s0)
type rpc_pipefs_t, fs_type;
type rpc_pipefs_t, fs_type;
genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t
genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
#
#
# tmpfs_t is the type for tmpfs filesystems
# tmpfs_t is the type for tmpfs filesystems
@ -61,8 +61,8 @@ allow tmpfs_t usbfs_t:filesystem associate;
#
#
type autofs_t, fs_type;
type autofs_t, fs_type;
allow autofs_t self:filesystem associate;
allow autofs_t self:filesystem associate;
genfscon autofs / system_u:object_r:autofs_t
genfscon autofs / context_template(system_u:object_r:autofs_t,s0)
genfscon automount / system_u:object_r:autofs_t
genfscon automount / context_template(system_u:object_r:autofs_t,s0)
#
#
# cifs_t is the type for filesystems and their
# cifs_t is the type for filesystems and their
@ -70,8 +70,8 @@ genfscon automount / system_u:object_r:autofs_t
#
#
type cifs_t alias sambafs_t, fs_type;
type cifs_t alias sambafs_t, fs_type;
allow cifs_t self:filesystem associate;
allow cifs_t self:filesystem associate;
genfscon cifs / system_u:object_r:cifs_t
genfscon cifs / context_template(system_u:object_r:cifs_t,s0)
genfscon smbfs / system_u:object_r:cifs_t
genfscon smbfs / context_template(system_u:object_r:cifs_t,s0)
#
#
# dosfs_t is the type for fat and vfat
# dosfs_t is the type for fat and vfat
@ -79,10 +79,10 @@ genfscon smbfs / system_u:object_r:cifs_t
#
#
type dosfs_t, fs_type;
type dosfs_t, fs_type;
allow dosfs_t self:filesystem associate;
allow dosfs_t self:filesystem associate;
genfscon vfat / system_u:object_r:dosfs_t
genfscon vfat / context_template(system_u:object_r:dosfs_t,s0)
genfscon msdos / system_u:object_r:dosfs_t
genfscon msdos / context_template(system_u:object_r:dosfs_t,s0)
genfscon fat / system_u:object_r:dosfs_t
genfscon fat / context_template(system_u:object_r:dosfs_t,s0)
genfscon ntfs / system_u:object_r:dosfs_t
genfscon ntfs / context_template(system_u:object_r:dosfs_t,s0)
#
#
# iso9660_t is the type for CD filesystems
# iso9660_t is the type for CD filesystems
@ -90,8 +90,8 @@ genfscon ntfs / system_u:object_r:dosfs_t
#
#
type iso9660_t, fs_type;
type iso9660_t, fs_type;
allow iso9660_t self:filesystem associate;
allow iso9660_t self:filesystem associate;
genfscon iso9660 / system_u:object_r:iso9660_t
genfscon iso9660 / context_template(system_u:object_r:iso9660_t,s0)
genfscon udf / system_u:object_r:iso9660_t
genfscon udf / context_template(system_u:object_r:iso9660_t,s0)
#
#
# removable_t is the default type of all removable media
# removable_t is the default type of all removable media
@ -112,6 +112,6 @@ allow removable_t usbfs_t:filesystem associate;
type nfs_t, fs_type;
type nfs_t, fs_type;
files_make_mountpoint(nfs_t)
files_make_mountpoint(nfs_t)
allow nfs_t self:filesystem associate;
allow nfs_t self:filesystem associate;
genfscon nfs / system_u:object_r:nfs_t
genfscon nfs / context_template(system_u:object_r:nfs_t,s0)
genfscon nfs4 / system_u:object_r:nfs_t
genfscon nfs4 / context_template(system_u:object_r:nfs_t,s0)
genfscon afs / system_u:object_r:nfs_t
genfscon afs / context_template(system_u:object_r:nfs_t,s0)
@ -36,7 +36,7 @@ type unlabeled_t;
#
#
type security_t;
type security_t;
filesystem_make_filesystem(security_t)
filesystem_make_filesystem(security_t)
genfscon selinuxfs / system_u:object_r:security_t
genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
#
#
# sysfs_t is the type for /sys
# sysfs_t is the type for /sys
@ -44,7 +44,7 @@ genfscon selinuxfs / system_u:object_r:security_t
type sysfs_t;
type sysfs_t;
files_make_mountpoint(sysfs_t)
files_make_mountpoint(sysfs_t)
filesystem_make_filesystem(sysfs_t)
filesystem_make_filesystem(sysfs_t)
genfscon sysfs / system_u:object_r:sysfs_t
genfscon sysfs / context_template(system_u:object_r:sysfs_t,s0)
#
#
# usbfs_t is the type for /proc/bus/usb
# usbfs_t is the type for /proc/bus/usb
@ -52,8 +52,8 @@ genfscon sysfs / system_u:object_r:sysfs_t
type usbfs_t alias usbdevfs_t;
type usbfs_t alias usbdevfs_t;
files_make_mountpoint(usbfs_t)
files_make_mountpoint(usbfs_t)
filesystem_make_filesystem(usbfs_t)
filesystem_make_filesystem(usbfs_t)
genfscon usbfs / system_u:object_r:usbfs_t
genfscon usbfs / context_template(system_u:object_r:usbfs_t,s0)
genfscon usbdevfs / system_u:object_r:usbfs_t
genfscon usbdevfs / context_template(system_u:object_r:usbfs_t,s0)
#
#
# Procfs types
# Procfs types
@ -62,24 +62,24 @@ genfscon usbdevfs / system_u:object_r:usbfs_t
type proc_t;
type proc_t;
files_make_mountpoint(proc_t)
files_make_mountpoint(proc_t)
filesystem_make_filesystem(proc_t)
filesystem_make_filesystem(proc_t)
genfscon proc / system_u:object_r:proc_t
genfscon proc / context_template(system_u:object_r:proc_t,s0)
genfscon proc /sysvipc system_u:object_r:proc_t
genfscon proc /sysvipc context_template(system_u:object_r:proc_t,s0)
# kernel message interface
# kernel message interface
type proc_kmsg_t;
type proc_kmsg_t;
genfscon proc /kmsg system_u:object_r:proc_kmsg_t
genfscon proc /kmsg context_template(system_u:object_r:proc_kmsg_t,s0)
neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;
neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;
# /proc kcore: inaccessible
# /proc kcore: inaccessible
type proc_kcore_t;
type proc_kcore_t;
neverallow * proc_kcore_t:file ~getattr;
neverallow * proc_kcore_t:file ~getattr;
genfscon proc /kcore system_u:object_r:proc_kcore_t
genfscon proc /kcore context_template(system_u:object_r:proc_kcore_t,s0)
type proc_mdstat_t;
type proc_mdstat_t;
genfscon proc /mdstat system_u:object_r:proc_mdstat_t
genfscon proc /mdstat context_template(system_u:object_r:proc_mdstat_t,s0)
type proc_net_t;
type proc_net_t;
genfscon proc /net system_u:object_r:proc_net_t
genfscon proc /net context_template(system_u:object_r:proc_net_t,s0)
#
#
# Sysctl types
# Sysctl types
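Review bot: `genfscon proc /kmsg context_template(system_u:object_r:proc_kmsg_t,s0)` and `genfscon proc /kcore context_template(system_u:object_r:proc_kcore_t,s0)` in this hunk put the kernel log and the kernel memory image at the lowest sensitivity, so every MLS subject dominates them and the newly added level adds no read restriction on top of the type rules. These two objects are the usual candidates for the policy's system-high level; if the build already defines a macro for that level, use it instead of `s0` on these two lines, while the remaining genfscon entries in this hunk are fine at `s0`. The existing `neverallow ~can_receive_kernel_messages proc_kmsg_t:file ~getattr;` and `neverallow * proc_kcore_t:file ~getattr;` still constrain the type side, but a dominance-based restriction is what adding a sensitivity is meant to provide. The commit title also mentions initial SIDs and fs_use, which are not in the visible hunks and presumably need the same per-object review.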
@ -87,48 +87,48 @@ genfscon proc /net system_u:object_r:proc_net_t
# /proc/irq directory and files
# /proc/irq directory and files
type sysctl_irq_t;
type sysctl_irq_t;
genfscon proc /irq system_u:object_r:sysctl_irq_t
genfscon proc /irq context_template(system_u:object_r:sysctl_irq_t,s0)
# /proc/net/rpc directory and files
# /proc/net/rpc directory and files
type sysctl_rpc_t;
type sysctl_rpc_t;
genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t
genfscon proc /net/rpc context_template(system_u:object_r:sysctl_rpc_t,s0)
# /proc/sys directory, base directory of sysctls
# /proc/sys directory, base directory of sysctls
type sysctl_t;
type sysctl_t;
genfscon proc /sys system_u:object_r:sysctl_t
genfscon proc /sys context_template(system_u:object_r:sysctl_t,s0)
# /proc/sys/fs directory and files
# /proc/sys/fs directory and files
type sysctl_fs_t;
type sysctl_fs_t;
files_make_mountpoint(sysctl_fs_t)
files_make_mountpoint(sysctl_fs_t)
genfscon proc /sys/fs system_u:object_r:sysctl_fs_t
genfscon proc /sys/fs context_template(system_u:object_r:sysctl_fs_t,s0)
# /proc/sys/kernel directory and files
# /proc/sys/kernel directory and files
type sysctl_kernel_t;
type sysctl_kernel_t;
genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t
genfscon proc /sys/kernel context_template(system_u:object_r:sysctl_kernel_t,s0)
# /proc/sys/kernel/modprobe file
# /proc/sys/kernel/modprobe file
type sysctl_modprobe_t;
type sysctl_modprobe_t;
genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t
genfscon proc /sys/kernel/modprobe context_template(system_u:object_r:sysctl_modprobe_t,s0)
# /proc/sys/kernel/hotplug file
# /proc/sys/kernel/hotplug file
type sysctl_hotplug_t;
type sysctl_hotplug_t;
genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t
genfscon proc /sys/kernel/hotplug context_template(system_u:object_r:sysctl_hotplug_t,s0)
# /proc/sys/net directory and files
# /proc/sys/net directory and files
type sysctl_net_t;
type sysctl_net_t;
genfscon proc /sys/net system_u:object_r:sysctl_net_t
genfscon proc /sys/net context_template(system_u:object_r:sysctl_net_t,s0)
# /proc/sys/net/unix directory and files
# /proc/sys/net/unix directory and files
type sysctl_net_unix_t;
type sysctl_net_unix_t;
genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t
genfscon proc /sys/net/unix context_template(system_u:object_r:sysctl_net_unix_t,s0)
# /proc/sys/vm directory and files
# /proc/sys/vm directory and files
type sysctl_vm_t;
type sysctl_vm_t;
genfscon proc /sys/vm system_u:object_r:sysctl_vm_t
genfscon proc /sys/vm context_template(system_u:object_r:sysctl_vm_t,s0)
# /proc/sys/dev directory and files
# /proc/sys/dev directory and files
type sysctl_dev_t;
type sysctl_dev_t;
genfscon proc /sys/dev system_u:object_r:sysctl_dev_t
genfscon proc /sys/dev context_template(system_u:object_r:sysctl_dev_t,s0)
########################################
########################################
#
#
@ -83,7 +83,7 @@ filesystem_associate(root_t)
filesystem_noxattr_associate(root_t)
filesystem_noxattr_associate(root_t)
kernel_read_directory_from(root_t)
kernel_read_directory_from(root_t)
kernel_make_root_filesystem_mountpoint(root_t)
kernel_make_root_filesystem_mountpoint(root_t)
genfscon rootfs / system_u:object_r:root_t
genfscon rootfs / context_template(system_u:object_r:root_t,s0)
#
#
# src_t is the type of files in the system src directories.
# src_t is the type of files in the system src directories.