policy_module(files,1.2.2) ######################################## # # Declarations # attribute file_type; # cjp: should handle this different allow file_type self:filesystem associate; attribute lockfile; attribute mountpoint; attribute pidfile; # For labeling types that are to be polyinstantiated attribute polydir; # this is a hack and should be changed attribute usercanread; # And for labeling the parent directories of those polyinstantiated directories # This is necessary for remounting the original in the parent to give # security aware apps access attribute polyparent; # And labeling for the member directories attribute polymember; # sensitive security files whose accesses should # not be dontaudited for uses attribute security_file_type; attribute tmpfile; attribute tmpfsfile; # # boot_t is the type for files in /boot # type boot_t; files_type(boot_t) files_mountpoint(boot_t) # default_t is the default type for files that do not # match any specification in the file_contexts configuration # other than the generic /.* specification. type default_t, file_type, mountpoint; fs_associate(default_t) fs_associate_noxattr(default_t) # # etc_t is the type of the system etc directories. # type etc_t, file_type; fs_associate(etc_t) fs_associate_noxattr(etc_t) # # etc_runtime_t is the type of various # files in /etc that are automatically # generated during initialization. # type etc_runtime_t, file_type; fs_associate(etc_runtime_t) fs_associate_noxattr(etc_runtime_t) # # file_t is the default type of a file that has not yet been # assigned an extended attribute (EA) value (when using a filesystem # that supports EAs). # type file_t, file_type, mountpoint; fs_associate(file_t) fs_associate_noxattr(file_t) kernel_rootfs_mountpoint(file_t) sid file gen_context(system_u:object_r:file_t,s0) # # home_root_t is the type for the directory where user home directories # are created # type home_root_t, file_type, mountpoint; fs_associate(home_root_t) fs_associate_noxattr(home_root_t) files_poly_parent(home_root_t) # # lost_found_t is the type for the lost+found directories. # type lost_found_t, file_type; fs_associate(lost_found_t) fs_associate_noxattr(lost_found_t) # # mnt_t is the type for mount points such as /mnt/cdrom # type mnt_t, file_type, mountpoint; fs_associate(mnt_t) fs_associate_noxattr(mnt_t) # # modules_object_t is the type for kernel modules # type modules_object_t; files_type(modules_object_t) type no_access_t, file_type; fs_associate(no_access_t) fs_associate_noxattr(no_access_t) type poly_t, file_type; fs_associate(poly_t) fs_associate_noxattr(poly_t) type readable_t, file_type; fs_associate(readable_t) fs_associate_noxattr(readable_t) # # root_t is the type for rootfs and the root directory. # type root_t, file_type, mountpoint; fs_associate(root_t) fs_associate_noxattr(root_t) files_poly_parent(root_t) kernel_rootfs_mountpoint(root_t) genfscon rootfs / gen_context(system_u:object_r:root_t,s0) # # src_t is the type of files in the system src directories. # type src_t, file_type, mountpoint; fs_associate(src_t) fs_associate_noxattr(src_t) # # system_map_t is for the system.map files in /boot # type system_map_t; files_type(system_map_t) # # tmp_t is the type of the temporary directories # type tmp_t, mountpoint; #, polydir files_tmp_file(tmp_t) files_poly_parent(tmp_t) # # usr_t is the type for /usr. # type usr_t, file_type, mountpoint; fs_associate(usr_t) fs_associate_noxattr(usr_t) # # var_t is the type of /var # type var_t, file_type, mountpoint; fs_associate(var_t) fs_associate_noxattr(var_t) # # var_lib_t is the type of /var/lib # type var_lib_t, file_type, mountpoint; fs_associate(var_lib_t) fs_associate_noxattr(var_lib_t) # # var_lock_t is tye type of /var/lock # type var_lock_t, file_type, lockfile; fs_associate(var_lock_t) fs_associate_noxattr(var_lock_t) # # var_run_t is the type of /var/run, usually # used for pid and other runtime files. # type var_run_t, file_type, pidfile; fs_associate(var_run_t) fs_associate_noxattr(var_run_t) # # var_spool_t is the type of /var/spool # type var_spool_t; files_tmp_file(var_spool_t)