policy_module(filesystem,1.0) ######################################## # # Declarations # attribute filesystem_type; attribute noxattrfs; ############################## # # fs_t is the default type for persistent # filesystems with extended attributes # type fs_t, filesystem_type; sid fs gen_context(system_u:object_r:fs_t,s0) # Use xattrs for the following filesystem types. # Requires that a security xattr handler exist for the filesystem. fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); # Use the allocating task SID to label inodes in the following filesystem # types, and label the filesystem itself with the specified context. # This is appropriate for pseudo filesystems that represent objects # like pipes and sockets, so that these objects are labeled with the same # type as the creating task. fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0); fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0); ############################## # # Non-persistent/pseudo filesystems # type bdev_t, filesystem_type; genfscon bdev / gen_context(system_u:object_r:bdev_t,s0) type binfmt_misc_fs_t, filesystem_type; files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) type capifs_t, filesystem_type; allow capifs_t self:filesystem associate; genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) type configfs_t, filesystem_type; allow configfs_t self:filesystem associate; genfscon configfs / gen_context(system_u:object_r:configfs_t,s0) type eventpollfs_t, filesystem_type; genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0) type futexfs_t, filesystem_type; genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) type hugetlbfs_t, filesystem_type; files_mountpoint(hugetlbfs_t) allow hugetlbfs_t self:filesystem associate; genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0) type inotifyfs_t, filesystem_type; allow inotifyfs_t self:filesystem associate; genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) type nfsd_fs_t, filesystem_type; genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) type ramfs_t, filesystem_type; allow ramfs_t self:filesystem associate; genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0) type romfs_t, filesystem_type; allow romfs_t self:filesystem associate; genfscon romfs / gen_context(system_u:object_r:romfs_t,s0) genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0) type rpc_pipefs_t, filesystem_type; genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0) # # tmpfs_t is the type for tmpfs filesystems # type tmpfs_t, filesystem_type; files_type(tmpfs_t) files_mountpoint(tmpfs_t) # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, # and label the filesystem itself with the specified context. # This is appropriate for pseudo filesystems like devpts and tmpfs # where we want to label objects with a derived type. fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0); allow tmpfs_t self:filesystem associate; allow tmpfs_t noxattrfs:filesystem associate; ############################## # # Filesystems without extended attribute support # type autofs_t, filesystem_type, noxattrfs; allow autofs_t self:filesystem associate; genfscon autofs / gen_context(system_u:object_r:autofs_t,s0) genfscon automount / gen_context(system_u:object_r:autofs_t,s0) # # cifs_t is the type for filesystems and their # files shared from Windows servers # type cifs_t alias sambafs_t, filesystem_type, noxattrfs; allow cifs_t self:filesystem associate; genfscon cifs / gen_context(system_u:object_r:cifs_t,s0) genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0) # # dosfs_t is the type for fat and vfat # filesystems and their files. # type dosfs_t, filesystem_type, noxattrfs; allow dosfs_t self:filesystem associate; genfscon fat / gen_context(system_u:object_r:dosfs_t,s0) genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0) genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0) genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0) # # iso9660_t is the type for CD filesystems # and their files. # type iso9660_t, filesystem_type, noxattrfs; allow iso9660_t self:filesystem associate; genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0) genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) # # removable_t is the default type of all removable media # type removable_t, filesystem_type, noxattrfs; allow removable_t noxattrfs:filesystem associate; # # nfs_t is the default type for NFS file systems # and their files. # type nfs_t, filesystem_type, noxattrfs; files_mountpoint(nfs_t) allow nfs_t self:filesystem associate; genfscon nfs / gen_context(system_u:object_r:nfs_t,s0) genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0) genfscon afs / gen_context(system_u:object_r:nfs_t,s0)