#
# Authors: Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser
#
#######################################
#
# General file-related types
#
# SELinux type declarations (plus a handful of filesystem "associate"
# rules) for file-related objects.  The ifdef() blocks are m4 and select
# the targeted_policy / distro_redhat variants at policy build time.
# Note that almost every type here carries the sysadmfile attribute;
# the exceptions (shadow_t, the fs_type-only filesystem types) are
# pointed out where they occur.
#
#
# unlabeled_t is the type of unlabeled objects.
# Objects that have no known labeling information or that
# have labels that are no longer valid are treated as having this type.
# It deliberately carries only sysadmfile and is *not* a file_type, so
# none of the file_type associate rules below apply to it.
#
type unlabeled_t, sysadmfile;

#
# fs_t is the default type for conventional filesystems.
#
type fs_t, fs_type;

# needs more work
# NOTE(review): these pseudo-filesystems carry only fs_type (no
# sysadmfile); usbfs_t and binfmt_misc_fs_t are additionally mount points.
type eventpollfs_t, fs_type;
type futexfs_t, fs_type;
type bdev_t, fs_type;
type usbfs_t, mount_point, fs_type;
type nfsd_fs_t, fs_type;
type rpc_pipefs_t, fs_type;
type binfmt_misc_fs_t, mount_point, fs_type;

#
# file_t is the default type of a file that has not yet been
# assigned an extended attribute (EA) value (when using a filesystem
# that supports EAs).
#
type file_t, file_type, mount_point, sysadmfile;

# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
# other than the generic /.* specification.
type default_t, file_type, mount_point, sysadmfile;

#
# root_t is the type for the root directory.
# polyparent: the root directory may be the parent of polyinstantiated
# directories (see polydir on tmp_t and poly_t below).
#
type root_t, file_type, mount_point, polyparent, sysadmfile;

#
# mnt_t is the type for mount points such as /mnt/cdrom
#
type mnt_t, file_type, mount_point, sysadmfile;

#
# home_root_t is the type for the directory where user home directories
# are created
#
type home_root_t, file_type, mount_point, polyparent, sysadmfile;

#
# lost_found_t is the type for the lost+found directories.
#
type lost_found_t, file_type, sysadmfile;

#
# boot_t is the type for files in /boot,
# including the kernel.
#
type boot_t, file_type, mount_point, sysadmfile;

# system_map_t is for the system.map files in /boot
type system_map_t, file_type, sysadmfile;

#
# boot_runtime_t is the type for /boot/kernel.h,
# which is automatically generated at boot time.
# only for red hat
#
type boot_runtime_t, file_type, sysadmfile;

#
# tmp_t is the type of /tmp and /var/tmp.
# polydir marks it as a polyinstantiated directory; tmpfile lets it be
# associated with the tmp/tmpfs filesystems (see the associate rules below).
#
type tmp_t, file_type, mount_point, sysadmfile, polydir, tmpfile;

#
# etc_t is the type of the system etc directories.
#
type etc_t, file_type, sysadmfile;

# etc_mail_t is the type of /etc/mail.
# Carries usercanread, unlike etc_t.
type etc_mail_t, file_type, sysadmfile, usercanread;

#
# shadow_t is the type of the /etc/shadow file
#
# Unlike most file types declared here it carries secure_file_type and
# not sysadmfile.  The only access rule in this file that touches it
# grants domains with the auth attribute read-only access (getattr read).
# NOTE(review): write access for the password-changing domains is
# presumably granted elsewhere in the policy — confirm there before
# widening this rule.
#
type shadow_t, file_type, secure_file_type;
allow auth shadow_t:file { getattr read };

#
# ld_so_cache_t is the type of /etc/ld.so.cache.
#
type ld_so_cache_t, file_type, sysadmfile;

#
# etc_runtime_t is the type of various
# files in /etc that are automatically
# generated during initialization.
#
type etc_runtime_t, file_type, sysadmfile;

#
# fonts_t is the type of various
# fonts files in /usr that are automatically
# generated during initialization.
# (The declared type is fonts_t; it carries usercanread.)
#
type fonts_t, file_type, sysadmfile, usercanread;

#
# etc_aliases_t is the type of the aliases database.
#
type etc_aliases_t, file_type, sysadmfile;

# net_conf_t is the type of the /etc/resolv.conf file.
# all DHCP clients and PPP need write access to this file.
# NOTE(review): this file only declares the type; the write rules for
# those clients are granted elsewhere.
type net_conf_t, file_type, sysadmfile;

#
# lib_t is the type of files in the system lib directories.
#
type lib_t, file_type, sysadmfile;

#
# shlib_t is the type of shared objects in the system lib
# directories.
# In the targeted policy shlib_t is only an alias of lib_t, so shared
# objects are not distinguished from other library files there; the
# separate type exists only in the non-targeted branch.
#
ifdef(`targeted_policy', `
typealias lib_t alias shlib_t;
', `
type shlib_t, file_type, sysadmfile;
')

#
# texrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation.
# Same split as shlib_t: under targeted_policy this collapses into lib_t,
# so the text-relocation distinction is only expressible in the
# non-targeted policy.
#
ifdef(`targeted_policy', `
typealias lib_t alias texrel_shlib_t;
', `
type texrel_shlib_t, file_type, sysadmfile;
')

#
# ld_so_t is the type of the system dynamic loaders.
#
type ld_so_t, file_type, sysadmfile;

#
# bin_t is the type of files in the system bin directories.
#
type bin_t, file_type, sysadmfile;

#
# cert_t is the type of files in the system certs directories.
# Like shadow_t it carries secure_file_type (here in addition to
# sysadmfile).
#
type cert_t, file_type, sysadmfile, secure_file_type;

#
# ls_exec_t is the type of the ls program.
# exec_type marks it (and shell_exec_t) as an entry point / executable type.
#
type ls_exec_t, file_type, exec_type, sysadmfile;

#
# shell_exec_t is the type of user shells such as /bin/bash.
#
type shell_exec_t, file_type, exec_type, sysadmfile;

#
# sbin_t is the type of files in the system sbin directories.
#
type sbin_t, file_type, sysadmfile;

#
# usr_t is the type for /usr.
#
type usr_t, file_type, mount_point, sysadmfile;

#
# src_t is the type of files in the system src directories.
#
type src_t, file_type, mount_point, sysadmfile;

#
# var_t is the type for /var.
#
type var_t, file_type, mount_point, sysadmfile;

#
# Types for subdirectories of /var.
# logfile / lockfile / tmpfile are the attributes the associate rules
# further down key on.
#
type var_run_t, file_type, sysadmfile;
type var_log_t, file_type, sysadmfile, logfile;
# crond_log_t is kept as a compatibility alias of var_log_t.
typealias var_log_t alias crond_log_t;
type faillog_t, file_type, sysadmfile, logfile;
type var_lock_t, file_type, sysadmfile, lockfile;
type var_lib_t, mount_point, file_type, sysadmfile;
type var_auth_t, file_type, sysadmfile;
# for /var/{spool,lib}/texmf index files
type tetex_data_t, file_type, sysadmfile, tmpfile;
type var_spool_t, file_type, sysadmfile, tmpfile;
type var_yp_t, file_type, sysadmfile;

# Type for /var/log/ksyms.
type var_log_ksyms_t, file_type, sysadmfile, logfile;

# Type for /var/log/lastlog.
type lastlog_t, file_type, sysadmfile, logfile;

# Type for /var/lib/nfs.
# Carries usercanread.
type var_lib_nfs_t, file_type, mount_point, sysadmfile, usercanread;

#
# wtmp_t is the type of /var/log/wtmp.
#
type wtmp_t, file_type, sysadmfile, logfile;

#
# cron_spool_t is the type for /var/spool/cron.
#
type cron_spool_t, file_type, sysadmfile;

#
# print_spool_t is the type for /var/spool/lpd and /var/spool/cups.
#
type print_spool_t, file_type, sysadmfile, tmpfile;

#
# mail_spool_t is the type for /var/spool/mail.
#
type mail_spool_t, file_type, sysadmfile;

#
# mqueue_spool_t is the type for /var/spool/mqueue.
#
type mqueue_spool_t, file_type, sysadmfile;

#
# man_t is the type for the man directories.
# catman_t is kept as a compatibility alias.
#
type man_t, file_type, sysadmfile;
typealias man_t alias catman_t;

#
# readable_t is a general type for
# files that are readable by all domains.
# NOTE(review): the rules granting that read access are not in this file.
#
type readable_t, file_type, sysadmfile;

#
# Base type for the tests directory.
#
type test_file_t, file_type, sysadmfile;

#
# poly_t is the type for the polyinstantiated directories.
#
type poly_t, file_type, sysadmfile;

#
# swapfile_t is for swap files
#
type swapfile_t, file_type, sysadmfile;

#
# locale_t is the type for system localization
#
type locale_t, file_type, sysadmfile;

#
# Allow each file type to be associated with
# the default file system type.
# device_type and ttyfile are included as well, so device nodes and
# terminal files may also live on fs_t filesystems.
# NOTE(review): associate is the filesystem-class permission checked when
# an object of the source type is placed on a filesystem of the target
# type — see the filesystem class in the policy's access vector
# definitions.
#
allow { file_type device_type ttyfile } fs_t:filesystem associate;

# tmpfs_t is both a file_type and an fs_type: it can be labeled on fs_t
# (rule above) and can itself host log, tmp and home-type files.
type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
allow { logfile tmpfile home_type } tmp_t:filesystem associate;
# Red Hat only: device and tty files may also be placed on tmpfs/tmp.
ifdef(`distro_redhat', `
allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
')

# Additional filesystem types.  noexattrfile marks filesystems that do not
# support EA labels (cf. the file_t comment above); the blanket
# "file_type noexattrfile:filesystem associate" rule further down covers
# them.
type autofs_t, fs_type, noexattrfile, sysadmfile;
type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile;
type sysfs_t, mount_point, fs_type, sysadmfile;
type iso9660_t, fs_type, noexattrfile, sysadmfile;
type romfs_t, fs_type, sysadmfile;
type ramfs_t, fs_type, sysadmfile;
type dosfs_t, fs_type, noexattrfile, sysadmfile;
type hugetlbfs_t, mount_point, fs_type, sysadmfile;
# mqueue_t is an alias of file_t (not of mqueue_spool_t above).
typealias file_t alias mqueue_t;

# udev_runtime_t is the type of the udev table file
type udev_runtime_t, file_type, sysadmfile;

# krb5_conf_t is the type of the /etc/krb5.conf file
type krb5_conf_t, file_type, sysadmfile;

# More filesystem types; only cifs_t is noexattrfile here.
type cifs_t, fs_type, noexattrfile, sysadmfile;
type debugfs_t, fs_type, sysadmfile;
type configfs_t, fs_type, sysadmfile;
type inotifyfs_t, fs_type, sysadmfile;
type capifs_t, fs_type, sysadmfile;

# removable_t is the default type of all removable media
# It carries usercanread, and any file_type may be associated with a
# removable_t filesystem.
type removable_t, file_type, sysadmfile, usercanread;
allow file_type removable_t:filesystem associate;
# Any file_type may be associated with any noexattrfile filesystem.
allow file_type noexattrfile:filesystem associate;

# Type for anonymous FTP data, used by ftp and rsync
# Both types carry the customizable attribute; ftpd_anon_t and
# ftpd_anon_rw_t are kept as compatibility aliases.
# NOTE(review): public_content_rw_t is presumably the writable variant;
# which domains may write to it is decided elsewhere, not here.
type public_content_t, file_type, sysadmfile, customizable;
type public_content_rw_t, file_type, sysadmfile, customizable;
typealias public_content_t alias ftpd_anon_t;
typealias public_content_rw_t alias ftpd_anon_rw_t;

# type for /tmp/.ICE-unix
type ice_tmp_t, file_type, sysadmfile, tmpfile;

# type for /usr/share/hwdata
type hwdata_t, file_type, sysadmfile;

# Every fs_type and file_type may be associated with a filesystem of its
# own type (self = target type equals source type).
allow { fs_type file_type } self:filesystem associate;