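#
# This file describes the security contexts to be applied to files
# when the security policy is installed.  The setfiles program
# reads this file and labels files accordingly.
#
# Each specification has the form:
#        regexp [ -type ] ( context | <<none>> )
#
# By default, the regexp is an anchored match on both ends (i.e. a
# caret (^) is prepended and a dollar sign ($) is appended automatically).
# This default may be overridden by using .* at the beginning and/or
# end of the regular expression.
#
# The optional type field specifies the file type as shown in the mode
# field by ls, e.g. use -d to match only directories or -- to match only
# regular files.
#
# The value of <<none>> may be used to indicate that matching files
# should not be relabeled.
#
# The last matching specification is used.
#
# If there are multiple hard links to a file that match
# different specifications and those specifications indicate
# different security contexts, then a warning is displayed
# but the file is still labeled based on the last matching
# specification other than <<none>>.
#
# Some of the files listed here get re-created during boot and therefore
# need type transition rules to retain the correct type.  These files are
# listed here anyway so that if the setfiles program is used on a running
# system it does not relabel them to something we do not want.  An example of
# this is /var/run/utmp.
#
# NOTE(review): because the last matching specification wins, a typo in a
# narrow pattern never fails loudly -- the path silently falls back to the
# broader rule above it (a mis-spelled shared-library pattern, for example,
# leaves the library as plain shlib_t/lib_t and the program that needs it
# breaks at load time with an execmod denial instead of at policy build time).
# Verify new or edited patterns with matchpathcon(8) or "setfiles -n" before
# installing the policy.
#

#
# The security context for all files not otherwise specified.
#
/.*	system_u:object_r:default_t

#
# The root directory.
#
/	-d	system_u:object_r:root_t

#
# Ordinary user home directories.
# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
# HOME_DIR expands to each users home directory,
# and to HOME_ROOT/[^/]+ for each HOME_ROOT.
# ROLE expands to each users role when role != user_r, and to "user" otherwise.
#
HOME_ROOT	-d	system_u:object_r:home_root_t
HOME_DIR	-d	system_u:object_r:ROLE_home_dir_t
HOME_DIR/.+	system_u:object_r:ROLE_home_t
/root/\.default_contexts	--	system_u:object_r:default_context_t

#
# Mount points; do not relabel subdirectories, since
# we do not want to change any removable media by default.
# NOTE(review): <<none>> means whatever labels a mounted filesystem already
# carries are left exactly as found; a relabel never "repairs" media contents.
#
/mnt(/[^/]*)?	-d	system_u:object_r:mnt_t
/mnt/[^/]*/.*	<<none>>
/media(/[^/]*)?	-d	system_u:object_r:mnt_t
/media/[^/]*/.*	<<none>>

#
# /var
#
/var(/.*)?	system_u:object_r:var_t
/var/cache/man(/.*)?	system_u:object_r:man_t
/var/yp(/.*)?	system_u:object_r:var_yp_t
/var/lib(/.*)?	system_u:object_r:var_lib_t
/var/lib/nfs(/.*)?	system_u:object_r:var_lib_nfs_t
/var/lib/texmf(/.*)?	system_u:object_r:tetex_data_t
/var/cache/fonts(/.*)?	system_u:object_r:tetex_data_t
/var/lock(/.*)?	system_u:object_r:var_lock_t
# Only the directory itself is labeled; its contents keep the type assigned
# by the creating domain's transition rules and are never relabeled.
/var/tmp	-d	system_u:object_r:tmp_t
/var/tmp/.*	<<none>>
/var/tmp/vi\.recover	-d	system_u:object_r:tmp_t
/var/lib/nfs/rpc_pipefs(/.*)?	<<none>>
/var/mailman/bin(/.*)?	system_u:object_r:bin_t
/var/mailman/pythonlib(/.*)?/.*\.so(\..*)?	--	system_u:object_r:shlib_t

#
# /var/ftp
#
/var/ftp/bin(/.*)?	system_u:object_r:bin_t
/var/ftp/bin/ls	--	system_u:object_r:ls_exec_t
/var/ftp/lib(64)?(/.*)?	system_u:object_r:lib_t
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t
/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
/var/ftp/etc(/.*)?	system_u:object_r:etc_t

#
# /bin
#
/bin(/.*)?	system_u:object_r:bin_t
/bin/tcsh	--	system_u:object_r:shell_exec_t
/bin/bash	--	system_u:object_r:shell_exec_t
/bin/bash2	--	system_u:object_r:shell_exec_t
/bin/sash	--	system_u:object_r:shell_exec_t
/bin/d?ash	--	system_u:object_r:shell_exec_t
/bin/zsh.*	--	system_u:object_r:shell_exec_t
/usr/sbin/sesh	--	system_u:object_r:shell_exec_t
/bin/ls	--	system_u:object_r:ls_exec_t

#
# /boot
#
/boot(/.*)?	system_u:object_r:boot_t
/boot/System\.map(-.*)?	system_u:object_r:system_map_t

#
# /dev
#
/dev(/.*)?	system_u:object_r:device_t
/dev/pts(/.*)?	<<none>>
/dev/cpu/.*	-c	system_u:object_r:cpu_device_t
/dev/microcode	-c	system_u:object_r:cpu_device_t
/dev/MAKEDEV	--	system_u:object_r:sbin_t
/dev/null	-c	system_u:object_r:null_device_t
/dev/full	-c	system_u:object_r:null_device_t
/dev/zero	-c	system_u:object_r:zero_device_t
/dev/console	-c	system_u:object_r:console_device_t
/dev/xconsole	-p	system_u:object_r:xconsole_device_t
# Raw memory / I/O port nodes get their own type so access to them can be
# granted separately from the generic device_t.
/dev/(kmem|mem|port)	-c	system_u:object_r:memory_device_t
/dev/nvram	-c	system_u:object_r:memory_device_t
/dev/random	-c	system_u:object_r:random_device_t
/dev/urandom	-c	system_u:object_r:urandom_device_t
/dev/adb.*	-c	system_u:object_r:tty_device_t
/dev/capi.*	-c	system_u:object_r:tty_device_t
/dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t
/dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t
/dev/ircomm[0-9]+	-c	system_u:object_r:tty_device_t
/dev/rfcomm[0-9]+	-c	system_u:object_r:tty_device_t
/dev/isdn.*	-c	system_u:object_r:tty_device_t
/dev/.*tty[^/]*	-c	system_u:object_r:tty_device_t
/dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c	system_u:object_r:bsdpty_device_t
/dev/cu.*	-c	system_u:object_r:tty_device_t
/dev/vcs[^/]*	-c	system_u:object_r:tty_device_t
/dev/ip2[^/]*	-c	system_u:object_r:tty_device_t
/dev/hvc.*	-c	system_u:object_r:tty_device_t
/dev/hvsi.*	-c	system_u:object_r:tty_device_t
/dev/ttySG.*	-c	system_u:object_r:tty_device_t
# Must follow the generic /dev/.*tty[^/]* rule: last match wins.
/dev/tty	-c	system_u:object_r:devtty_t
/dev/lp.*	-c	system_u:object_r:printer_device_t
/dev/par.*	-c	system_u:object_r:printer_device_t
/dev/usb/lp.*	-c	system_u:object_r:printer_device_t
/dev/usblp.*	-c	system_u:object_r:printer_device_t
ifdef(`distro_redhat', `
/dev/root	-b	system_u:object_r:fixed_disk_device_t
')
/dev/[shmx]d[^/]*	-b	system_u:object_r:fixed_disk_device_t
/dev/dm-[0-9]+	-b	system_u:object_r:fixed_disk_device_t
/dev/sg[0-9]+	-c	system_u:object_r:scsi_generic_device_t
/dev/rd.*	-b	system_u:object_r:fixed_disk_device_t
/dev/i2o/hd[^/]*	-b	system_u:object_r:fixed_disk_device_t
/dev/ubd[^/]*	-b	system_u:object_r:fixed_disk_device_t
/dev/cciss/[^/]*	-b	system_u:object_r:fixed_disk_device_t
/dev/mapper/.*	-b	system_u:object_r:fixed_disk_device_t
/dev/ida/[^/]*	-b	system_u:object_r:fixed_disk_device_t
/dev/dasd[^/]*	-b	system_u:object_r:fixed_disk_device_t
/dev/flash[^/]*	-b	system_u:object_r:fixed_disk_device_t
/dev/nb[^/]+	-b	system_u:object_r:fixed_disk_device_t
/dev/ataraid/.*	-b	system_u:object_r:fixed_disk_device_t
/dev/loop.*	-b	system_u:object_r:fixed_disk_device_t
/dev/net/.*	-c	system_u:object_r:tun_tap_device_t
/dev/ram.*	-b	system_u:object_r:fixed_disk_device_t
/dev/rawctl	-c	system_u:object_r:fixed_disk_device_t
/dev/raw/raw[0-9]+	-c	system_u:object_r:fixed_disk_device_t
/dev/scramdisk/.*	-b	system_u:object_r:fixed_disk_device_t
/dev/initrd	-b	system_u:object_r:fixed_disk_device_t
/dev/jsfd	-b	system_u:object_r:fixed_disk_device_t
# /dev/js.* (joysticks, -c) is deliberately followed by /dev/jsflash so the
# flash node ends up as fixed_disk_device_t; do not reorder.
/dev/js.*	-c	system_u:object_r:mouse_device_t
/dev/jsflash	-c	system_u:object_r:fixed_disk_device_t
/dev/s(cd|r)[^/]*	-b	system_u:object_r:removable_device_t
/dev/usb/rio500	-c	system_u:object_r:removable_device_t
/dev/fd[^/]+	-b	system_u:object_r:removable_device_t
# I think a parallel port disk is a removable device...
/dev/pd[a-d][^/]*	-b	system_u:object_r:removable_device_t
/dev/p[fg][0-3]	-b	system_u:object_r:removable_device_t
/dev/aztcd	-b	system_u:object_r:removable_device_t
/dev/bpcd	-b	system_u:object_r:removable_device_t
/dev/gscd	-b	system_u:object_r:removable_device_t
/dev/hitcd	-b	system_u:object_r:removable_device_t
/dev/pcd[0-3]	-b	system_u:object_r:removable_device_t
/dev/mcdx?	-b	system_u:object_r:removable_device_t
/dev/cdu.*	-b	system_u:object_r:removable_device_t
/dev/cm20.*	-b	system_u:object_r:removable_device_t
/dev/optcd	-b	system_u:object_r:removable_device_t
/dev/sbpcd.*	-b	system_u:object_r:removable_device_t
/dev/sjcd	-b	system_u:object_r:removable_device_t
/dev/sonycd	-b	system_u:object_r:removable_device_t
# parallel port ATAPI generic device
/dev/pg[0-3]	-c	system_u:object_r:removable_device_t
/dev/rtc	-c	system_u:object_r:clock_device_t
/dev/psaux	-c	system_u:object_r:mouse_device_t
/dev/atibm	-c	system_u:object_r:mouse_device_t
/dev/logibm	-c	system_u:object_r:mouse_device_t
/dev/.*mouse.*	-c	system_u:object_r:mouse_device_t
/dev/input/.*mouse.*	-c	system_u:object_r:mouse_device_t
/dev/input/event.*	-c	system_u:object_r:event_device_t
/dev/input/mice	-c	system_u:object_r:mouse_device_t
/dev/input/js.*	-c	system_u:object_r:mouse_device_t
/dev/ptmx	-c	system_u:object_r:ptmx_t
/dev/sequencer	-c	system_u:object_r:misc_device_t
/dev/fb[0-9]*	-c	system_u:object_r:framebuf_device_t
/dev/apm_bios	-c	system_u:object_r:apm_bios_t
# Overrides the earlier /dev/cpu/.* rule for this one node.
/dev/cpu/mtrr	-c	system_u:object_r:mtrr_device_t
/dev/pmu	-c	system_u:object_r:power_device_t
/dev/(radio|video|vbi|vtx).*	-c	system_u:object_r:v4l_device_t
/dev/winradio.	-c	system_u:object_r:v4l_device_t
/dev/vttuner	-c	system_u:object_r:v4l_device_t
/dev/tlk[0-3]	-c	system_u:object_r:v4l_device_t
/dev/adsp	-c	system_u:object_r:sound_device_t
/dev/mixer.*	-c	system_u:object_r:sound_device_t
/dev/dsp.*	-c	system_u:object_r:sound_device_t
/dev/audio.*	-c	system_u:object_r:sound_device_t
/dev/r?midi.*	-c	system_u:object_r:sound_device_t
/dev/sequencer2	-c	system_u:object_r:sound_device_t
/dev/smpte.*	-c	system_u:object_r:sound_device_t
/dev/sndstat	-c	system_u:object_r:sound_device_t
/dev/beep	-c	system_u:object_r:sound_device_t
/dev/patmgr[01]	-c	system_u:object_r:sound_device_t
/dev/mpu401.*	-c	system_u:object_r:sound_device_t
/dev/srnd[0-7]	-c	system_u:object_r:sound_device_t
/dev/aload.*	-c	system_u:object_r:sound_device_t
/dev/amidi.*	-c	system_u:object_r:sound_device_t
/dev/amixer.*	-c	system_u:object_r:sound_device_t
/dev/snd/.*	-c	system_u:object_r:sound_device_t
/dev/n?[hs]t[0-9].*	-c	system_u:object_r:tape_device_t
/dev/n?(raw)?[qr]ft[0-3]	-c	system_u:object_r:tape_device_t
/dev/n?z?qft[0-3]	-c	system_u:object_r:tape_device_t
/dev/n?tpqic[12].*	-c	system_u:object_r:tape_device_t
/dev/ht[0-1]	-b	system_u:object_r:tape_device_t
/dev/n?osst[0-3].*	-c	system_u:object_r:tape_device_t
/dev/n?pt[0-9]+	-c	system_u:object_r:tape_device_t
/dev/tape.*	-c	system_u:object_r:tape_device_t
ifdef(`distro_suse', `
/dev/usbscanner	-c	system_u:object_r:scanner_device_t
')
/dev/usb/scanner.*	-c	system_u:object_r:scanner_device_t
/dev/usb/dc2xx.*	-c	system_u:object_r:scanner_device_t
/dev/usb/mdc800.*	-c	system_u:object_r:scanner_device_t
# Placed after /dev/.*tty[^/]* so USB serial nodes get the narrower type.
/dev/usb/tty.*	-c	system_u:object_r:usbtty_device_t
/dev/mmetfgrab	-c	system_u:object_r:scanner_device_t
/dev/nvidia.*	-c	system_u:object_r:xserver_misc_device_t
/dev/dri/.+	-c	system_u:object_r:dri_device_t
/dev/radeon	-c	system_u:object_r:dri_device_t
/dev/agpgart	-c	system_u:object_r:agp_device_t
/dev/z90crypt	-c	system_u:object_r:crypt_device_t

#
# Misc
#
/proc(/.*)?	<<none>>
/sys(/.*)?	<<none>>
/selinux(/.*)?	<<none>>

#
# /opt
#
/opt(/.*)?	system_u:object_r:usr_t
/opt(/.*)?/lib(64)?(/.*)?	system_u:object_r:lib_t
/opt(/.*)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
/opt(/.*)?/libexec(/.*)?	system_u:object_r:bin_t
/opt(/.*)?/bin(/.*)?	system_u:object_r:bin_t
/opt(/.*)?/sbin(/.*)?	system_u:object_r:sbin_t
/opt(/.*)?/man(/.*)?	system_u:object_r:man_t
/opt(/.*)?/var/lib(64)?(/.*)?	system_u:object_r:var_lib_t

#
# /etc
#
/etc(/.*)?	system_u:object_r:etc_t
/var/db/.*\.db	--	system_u:object_r:etc_t
# The password/group lock files are given shadow_t alongside the databases
# themselves, presumably so that only domains already trusted with shadow_t
# can take or remove the lock -- TODO confirm against the shadow rules.
/etc/\.pwd\.lock	--	system_u:object_r:shadow_t
/etc/passwd\.lock	--	system_u:object_r:shadow_t
/etc/group\.lock	--	system_u:object_r:shadow_t
/etc/shadow.*	--	system_u:object_r:shadow_t
/etc/gshadow.*	--	system_u:object_r:shadow_t
/var/db/shadow.*	--	system_u:object_r:shadow_t
/etc/blkid\.tab.*	--	system_u:object_r:etc_runtime_t
/etc/fstab\.REVOKE	--	system_u:object_r:etc_runtime_t
/etc/\.fstab\.hal\..+	--	system_u:object_r:etc_runtime_t
/etc/HOSTNAME	--	system_u:object_r:etc_runtime_t
/etc/ioctl\.save	--	system_u:object_r:etc_runtime_t
/etc/mtab	--	system_u:object_r:etc_runtime_t
/etc/motd	--	system_u:object_r:etc_runtime_t
/etc/issue	--	system_u:object_r:etc_runtime_t
/etc/issue\.net	--	system_u:object_r:etc_runtime_t
/etc/sysconfig/hwconf	--	system_u:object_r:etc_runtime_t
/etc/sysconfig/iptables\.save	--	system_u:object_r:etc_runtime_t
/etc/sysconfig/firstboot	--	system_u:object_r:etc_runtime_t
/etc/asound\.state	--	system_u:object_r:etc_runtime_t
/etc/ptal/ptal-printd-like	--	system_u:object_r:etc_runtime_t
ifdef(`distro_gentoo', `
/etc/profile\.env	--	system_u:object_r:etc_runtime_t
/etc/csh\.env	--	system_u:object_r:etc_runtime_t
/etc/env\.d/.*	--	system_u:object_r:etc_runtime_t
')
/etc/ld\.so\.cache	--	system_u:object_r:ld_so_cache_t
# NOTE(review): ld.so.preload shares ld_so_cache_t with the loader cache, so
# every domain the policy allows to write ld_so_cache_t can also inject a
# library that is preloaded into every dynamically linked process.  A
# dedicated type for the preload file would let that be granted separately.
/etc/ld\.so\.preload	--	system_u:object_r:ld_so_cache_t
/etc/yp\.conf.*	--	system_u:object_r:net_conf_t
/etc/resolv\.conf.*	--	system_u:object_r:net_conf_t
/etc/selinux(/.*)?	system_u:object_r:selinux_config_t
/etc/selinux/([^/]*/)?policy(/.*)?	system_u:object_r:policy_config_t
/etc/selinux/([^/]*/)?src(/.*)?	system_u:object_r:policy_src_t
/etc/selinux/([^/]*/)?contexts(/.*)?	system_u:object_r:default_context_t
/etc/selinux/([^/]*/)?contexts/files(/.*)?	system_u:object_r:file_context_t

#
# /lib(64)?
#
/lib(64)?(/.*)?	system_u:object_r:lib_t
/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t

#
# /sbin
#
/sbin(/.*)?	system_u:object_r:sbin_t

#
# /tmp
#
/tmp	-d	system_u:object_r:tmp_t
/tmp/.*	<<none>>

#
# /usr
#
/usr(/.*)?	system_u:object_r:usr_t
/usr(/.*)?/lib(64)?(/.*)?	system_u:object_r:lib_t
/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
/usr/lib/win32/.*	--	system_u:object_r:shlib_t
/usr(/.*)?/java/.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t
/usr(/.*)?/java/.*\.jar	--	system_u:object_r:shlib_t
/usr(/.*)?/java/.*\.jsa	--	system_u:object_r:shlib_t
/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t
# NOTE(review): unlike the /lib rule above this one carries no "--", so it
# also labels symlinks and directories matching the pattern as ld_so_t --
# confirm whether that is intended.
/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)*	system_u:object_r:ld_so_t
/usr(/.*)?/bin(/.*)?	system_u:object_r:bin_t
/usr(/.*)?/Bin(/.*)?	system_u:object_r:bin_t
/usr(/.*)?/sbin(/.*)?	system_u:object_r:sbin_t
/usr/etc(/.*)?	system_u:object_r:etc_t
/usr/inclu.e(/.*)?	system_u:object_r:usr_t
/usr/libexec(/.*)?	system_u:object_r:bin_t
/usr/src(/.*)?	system_u:object_r:src_t
/usr/tmp	-d	system_u:object_r:tmp_t
/usr/tmp/.*	<<none>>
/usr/man(/.*)?	system_u:object_r:man_t
/usr/share/man(/.*)?	system_u:object_r:man_t
/usr/share/mc/extfs/.*	--	system_u:object_r:bin_t
/usr/share(/.*)?/lib(64)?(/.*)?	system_u:object_r:usr_t
# NOTE(review): the private-key directory gets the same type as the public
# certificates, so any domain granted read access to cert_t can also read the
# private keys.  A separate type for ssl/private would keep that distinction.
/usr/share/ssl/certs(/.*)?	system_u:object_r:cert_t
/usr/share/ssl/private(/.*)?	system_u:object_r:cert_t
# nvidia share libraries
# Fixed: the path was spelled "x11R6" (lowercase), which never matches the
# real /usr/X11R6 directory; the other X11R6 rules in this file use uppercase.
/usr/X11R6/lib/modules/extensions/libglx\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t
# Fixed: the pattern read "libGL(core)?/.so", a "/" where "\." was intended,
# so libGL.so* never matched and fell back to plain shlib_t (execmod denied).
/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t
/usr(/.*)?/nvidia/.*\.so(\..*)?	--	system_u:object_r:texrel_shlib_t
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)*	--	system_u:object_r:texrel_shlib_t
/usr/X11R6/lib/libXvMCNVIDIA\.so.*	--	system_u:object_r:texrel_shlib_t
# libGL
/usr/X11R6/lib/libGL\.so.*	--	system_u:object_r:texrel_shlib_t
ifdef(`distro_debian', `
/usr/share/selinux(/.*)?	system_u:object_r:policy_src_t
')
ifdef(`distro_gentoo', `
/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	system_u:object_r:bin_t
')

#
# /usr/lib(64)?
#
/usr/lib(64)?/perl5/man(/.*)?	system_u:object_r:man_t
/usr/lib(64)?/selinux(/.*)?	system_u:object_r:policy_src_t
/usr/lib(64)?/emacsen-common/.*	system_u:object_r:bin_t

#
# /usr/local
#
/usr/local/etc(/.*)?	system_u:object_r:etc_t
/usr/local/src(/.*)?	system_u:object_r:src_t
/usr/local/man(/.*)?	system_u:object_r:man_t
/usr/local/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
/usr/(local/)?lib/wine/.*\.so	--	system_u:object_r:texrel_shlib_t
/usr/(local/)?lib/libfame-.*\.so.*	--	system_u:object_r:texrel_shlib_t

#
# /usr/X11R6/man
#
/usr/X11R6/man(/.*)?	system_u:object_r:man_t

#
# Fonts dir
#
/usr/X11R6/lib/X11/fonts(/.*)?	system_u:object_r:fonts_t
ifdef(`distro_debian', `
/var/lib/msttcorefonts(/.*)?	system_u:object_r:fonts_t
')
/usr/share/fonts(/.*)?	system_u:object_r:fonts_t
/usr/share/ghostscript/fonts(/.*)?	system_u:object_r:fonts_t
/usr/local/share/fonts(/.*)?	system_u:object_r:fonts_t

#
# /var/run
#
/var/run(/.*)?	system_u:object_r:var_run_t
# pid files are not relabeled: their type comes from the creating daemon's
# transition rules (see the /var/run/utmp remark in the header).
/var/run/.*\.*pid	<<none>>

#
# /var/spool
#
/var/spool(/.*)?	system_u:object_r:var_spool_t
/var/spool/texmf(/.*)?	system_u:object_r:tetex_data_t
/var/spool/(client)?mqueue(/.*)?	system_u:object_r:mqueue_spool_t

#
# /var/log
#
/var/log(/.*)?	system_u:object_r:var_log_t
/var/log/wtmp.*	--	system_u:object_r:wtmp_t
/var/log/btmp.*	--	system_u:object_r:faillog_t
/var/log/faillog	--	system_u:object_r:faillog_t
/var/log/ksyms.*	--	system_u:object_r:var_log_ksyms_t
/var/log/dmesg	--	system_u:object_r:var_log_t
/var/log/lastlog	--	system_u:object_r:lastlog_t
/var/log/ksymoops(/.*)?	system_u:object_r:var_log_ksyms_t
/var/log/syslog	--	system_u:object_r:var_log_t

#
# Journal files
#
/\.journal	<<none>>
/usr/\.journal	<<none>>
/boot/\.journal	<<none>>
HOME_ROOT/\.journal	<<none>>
/var/\.journal	<<none>>
/tmp/\.journal	<<none>>
/usr/local/\.journal	<<none>>

#
# Lost and found directories.
#
/lost\+found	-d	system_u:object_r:lost_found_t
/lost\+found/.*	<<none>>
/usr/lost\+found	-d	system_u:object_r:lost_found_t
/usr/lost\+found/.*	<<none>>
/boot/lost\+found	-d	system_u:object_r:lost_found_t
/boot/lost\+found/.*	<<none>>
HOME_ROOT/lost\+found	-d	system_u:object_r:lost_found_t
HOME_ROOT/lost\+found/.*	<<none>>
/var/lost\+found	-d	system_u:object_r:lost_found_t
/var/lost\+found/.*	<<none>>
/tmp/lost\+found	-d	system_u:object_r:lost_found_t
/tmp/lost\+found/.*	<<none>>
/var/tmp/lost\+found	-d	system_u:object_r:lost_found_t
/var/tmp/lost\+found/.*	<<none>>
/usr/local/lost\+found	-d	system_u:object_r:lost_found_t
/usr/local/lost\+found/.*	<<none>>

#
# system localization
#
/usr/share/zoneinfo(/.*)?	system_u:object_r:locale_t
/usr/share/locale(/.*)?	system_u:object_r:locale_t
/usr/lib/locale(/.*)?	system_u:object_r:locale_t
# A regular-file /etc/localtime is locale_t; a symlinked one stays etc_t.
/etc/localtime	--	system_u:object_r:locale_t
/etc/localtime	-l	system_u:object_r:etc_t
/etc/pki(/.*)?	system_u:object_r:cert_t

#
# Gnu Cash
#
/usr/share/gnucash/finance-quote-check	--	system_u:object_r:bin_t
/usr/share/gnucash/finance-quote-helper	--	system_u:object_r:bin_t

#
# Turboprint
#
/usr/share/turboprint/lib(/.*)?	--	system_u:object_r:bin_t
/usr/share/hwdata(/.*)?	system_u:object_r:hwdata_t

#
# initrd mount point, only used during boot
#
/initrd	-d	system_u:object_r:root_t

#
# The krb5.conf file is always being tested for writability, so
# we defined a type to dontaudit
#
/etc/krb5\.conf	--	system_u:object_r:krb5_conf_t

#
# Thunderbird
#
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird	--	system_u:object_r:bin_t
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin	--	system_u:object_r:bin_t
/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh	--	system_u:object_r:bin_t
/usr/lib(64)?/[^/]*/run-mozilla\.sh	--	system_u:object_r:bin_t
/usr/lib(64)?/[^/]*/mozilla-xremote-client	--	system_u:object_r:bin_t

#
# /srv
#
/srv(/.*)?	system_u:object_r:var_t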