# FLASK
#
# Security contexts for files in filesystems that
# cannot support xattr or use one of the fixed labeling schemes
# specified in fs_use.
#
# Each specification has the form:
# genfscon fstype pathname-prefix [ -type ] context
#
# The entry with the longest matching pathname prefix is used.
# / refers to the root directory of the file system, and
# everything is specified relative to this root directory.
# If there is no entry with a matching pathname prefix, then
# the unlabeled initial SID is used.
#
# The optional type field specifies the file type as shown in the mode
# field by ls, e.g. use -c to match only character device files, -b
# to match only block device files.
#
# Except for proc, in Linux 2.6 other filesystems are limited to a single
# entry (/) that covers all entries in the filesystem with a default file
# context, so no finer-grained labeling is possible on those filesystems.
# For proc, a pathname can be reliably generated from the proc_dir_entry
# tree. The proc /sys entries are used for both proc inodes and for sysctl(2)
# calls. /proc/PID entries are automatically labeled based on the associated
# process.
#
# Support for other filesystem types requires corresponding code to be
# added to the kernel, either as an xattr handler in the filesystem
# implementation (preferred, and necessary if you want to access the labels
# from userspace) or as logic in the SELinux module.
# proc (excluding /proc/PID)
genfscon proc / system_u:object_r:proc_t
genfscon proc /kmsg system_u:object_r:proc_kmsg_t
genfscon proc /kcore system_u:object_r:proc_kcore_t
genfscon proc /mdstat system_u:object_r:proc_mdstat_t
genfscon proc /mtrr system_u:object_r:mtrr_device_t
genfscon proc /net system_u:object_r:proc_net_t
genfscon proc /sysvipc system_u:object_r:proc_t
genfscon proc /sys system_u:object_r:sysctl_t
genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t
genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t
genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t
genfscon proc /sys/net system_u:object_r:sysctl_net_t
genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t
genfscon proc /sys/vm system_u:object_r:sysctl_vm_t
genfscon proc /sys/dev system_u:object_r:sysctl_dev_t
genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t
genfscon proc /irq system_u:object_r:sysctl_irq_t

# rootfs
genfscon rootfs / system_u:object_r:root_t

# sysfs
genfscon sysfs / system_u:object_r:sysfs_t

# selinuxfs
genfscon selinuxfs / system_u:object_r:security_t

# autofs
genfscon autofs / system_u:object_r:autofs_t
genfscon automount / system_u:object_r:autofs_t

# usbdevfs
genfscon usbdevfs / system_u:object_r:usbdevfs_t

# iso9660
genfscon iso9660 / system_u:object_r:iso9660_t
genfscon udf / system_u:object_r:iso9660_t

# romfs
genfscon romfs / system_u:object_r:romfs_t
genfscon cramfs / system_u:object_r:romfs_t

# ramfs
genfscon ramfs / system_u:object_r:ramfs_t

# vfat, msdos, ntfs
genfscon vfat / system_u:object_r:dosfs_t
genfscon msdos / system_u:object_r:dosfs_t
genfscon fat / system_u:object_r:dosfs_t
genfscon ntfs / system_u:object_r:dosfs_t

# samba
genfscon cifs / system_u:object_r:cifs_t
genfscon smbfs / system_u:object_r:cifs_t

# nfs
genfscon nfs / system_u:object_r:nfs_t
genfscon nfs4 / system_u:object_r:nfs_t
genfscon afs / system_u:object_r:nfs_t

# reiserfs - until xattr security support works properly, the whole
# filesystem gets the single default context nfs_t
genfscon reiserfs / system_u:object_r:nfs_t

# needs more work - each of these currently gets only a single
# default context for the whole filesystem
genfscon eventpollfs / system_u:object_r:eventpollfs_t
genfscon futexfs / system_u:object_r:futexfs_t
genfscon bdev / system_u:object_r:bdev_t
genfscon usbfs / system_u:object_r:usbfs_t
genfscon nfsd / system_u:object_r:nfsd_fs_t
genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t
genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t