# filesystem module: declares the types used to label filesystems and
# states, per filesystem kind, how the kernel derives labels for the
# filesystem object and the inodes on it (fs_use_* and genfscon rules).
policy_module(filesystem,1.0)

########################################
#
# Declarations
#

# Attribute carried by every filesystem type declared in this module.
attribute filesystem_type;
# Subset of filesystem_type for filesystems that cannot store a per-file
# security xattr (see "Filesystems without extended attribute support").
attribute noxattrfs;

##############################
#
# fs_t is the default type for persistent
# filesystems with extended attributes
#
type fs_t, filesystem_type;
# Assigns the "fs" initial SID to fs_t.
sid fs context_template(system_u:object_r:fs_t,s0)

# Use xattrs for the following filesystem types.
# Requires that a security xattr handler exist for the filesystem.
# The given context labels the filesystem object itself; each inode
# takes its label from its own security xattr.
fs_use_xattr ext2 context_template(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 context_template(system_u:object_r:fs_t,s0);
fs_use_xattr jfs context_template(system_u:object_r:fs_t,s0);
fs_use_xattr reiserfs context_template(system_u:object_r:fs_t,s0);
fs_use_xattr xfs context_template(system_u:object_r:fs_t,s0);

# Use the allocating task SID to label inodes in the following filesystem
# types, and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems that represent objects
# like pipes and sockets, so that these objects are labeled with the same
# type as the creating task.
fs_use_task pipefs context_template(system_u:object_r:fs_t,s0);
fs_use_task sockfs context_template(system_u:object_r:fs_t,s0);

##############################
#
# Non-persistent/pseudo filesystems
#
# Each type below is applied by a genfscon rule keyed on the filesystem
# name; with only a "/" path entry, every object on that filesystem gets
# the filesystem's own type. "allow T self:filesystem associate" permits
# objects labeled T to reside on a filesystem labeled T.
#

type bdev_t, filesystem_type;
genfscon bdev / context_template(system_u:object_r:bdev_t,s0)

type binfmt_misc_fs_t, filesystem_type;
files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / context_template(system_u:object_r:binfmt_misc_fs_t,s0)

# NOTE(review): unlike the other types in this section, debugfs_t has no
# genfscon rule, so debugfs mounts are presumably not labeled debugfs_t
# by this module -- confirm whether that is intended or the rule is missing.
type debugfs_t, filesystem_type;
allow debugfs_t self:filesystem associate;

type eventpollfs_t, filesystem_type;
genfscon eventpollfs / context_template(system_u:object_r:eventpollfs_t,s0)

type futexfs_t, filesystem_type;
genfscon futexfs / context_template(system_u:object_r:futexfs_t,s0)

type hugetlbfs_t, filesystem_type;
files_mountpoint(hugetlbfs_t)
allow hugetlbfs_t self:filesystem associate;
genfscon hugetlbfs / context_template(system_u:object_r:hugetlbfs_t,s0)

type inotifyfs_t, filesystem_type;
allow inotifyfs_t self:filesystem associate;
genfscon inotifyfs / context_template(system_u:object_r:inotifyfs_t,s0)

type nfsd_fs_t, filesystem_type;
genfscon nfsd / context_template(system_u:object_r:nfsd_fs_t,s0)

type ramfs_t, filesystem_type;
allow ramfs_t self:filesystem associate;
genfscon ramfs / context_template(system_u:object_r:ramfs_t,s0)

# cramfs shares romfs_t rather than getting a type of its own.
type romfs_t, filesystem_type;
allow romfs_t self:filesystem associate;
genfscon romfs / context_template(system_u:object_r:romfs_t,s0)
genfscon cramfs / context_template(system_u:object_r:romfs_t,s0)

type rpc_pipefs_t, filesystem_type;
genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)

#
# tmpfs_t is the type for tmpfs filesystems
#
type tmpfs_t, filesystem_type;
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)

# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
# and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems like devpts and tmpfs
# where we want to label objects with a derived type.
# mqueue and shm are labeled the same way as tmpfs.
fs_use_trans mqueue context_template(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);
allow tmpfs_t self:filesystem associate;
# Objects of any noxattrfs type may also be placed on a tmpfs_t filesystem.
allow tmpfs_t noxattrfs:filesystem associate;

##############################
#
# Filesystems without extended attribute support
#
# These filesystems cannot store per-file labels, so every object on one
# of them carries the filesystem's own type from the genfscon rule below;
# SELinux therefore cannot distinguish individual files within one such
# mount, and separation inside it rests on the filesystem's own permissions.
#

type autofs_t, filesystem_type, noxattrfs;
allow autofs_t self:filesystem associate;
genfscon autofs / context_template(system_u:object_r:autofs_t,s0)
genfscon automount / context_template(system_u:object_r:autofs_t,s0)

#
# cifs_t is the type for filesystems and their
# files shared from Windows servers
#
# The alias keeps the older name sambafs_t usable; smbfs and cifs
# mounts both map to cifs_t.
type cifs_t alias sambafs_t, filesystem_type, noxattrfs;
allow cifs_t self:filesystem associate;
genfscon cifs / context_template(system_u:object_r:cifs_t,s0)
genfscon smbfs / context_template(system_u:object_r:cifs_t,s0)

#
# dosfs_t is the type for fat and vfat
# filesystems and their files.
#
# ntfs is grouped under dosfs_t here as well.
type dosfs_t, filesystem_type, noxattrfs;
allow dosfs_t self:filesystem associate;
genfscon fat / context_template(system_u:object_r:dosfs_t,s0)
genfscon msdos / context_template(system_u:object_r:dosfs_t,s0)
genfscon ntfs / context_template(system_u:object_r:dosfs_t,s0)
genfscon vfat / context_template(system_u:object_r:dosfs_t,s0)

#
# iso9660_t is the type for CD filesystems
# and their files.
#
type iso9660_t, filesystem_type, noxattrfs;
allow iso9660_t self:filesystem associate;
genfscon iso9660 / context_template(system_u:object_r:iso9660_t,s0)
genfscon udf / context_template(system_u:object_r:iso9660_t,s0)

#
# removable_t is the default type of all removable media
#
# NOTE(review): no genfscon or fs_use rule names removable_t, so it is
# presumably applied at mount time (e.g. a mount context option) or by
# another module rather than by filesystem name -- confirm.
type removable_t, filesystem_type, noxattrfs;
# removable_t is itself noxattrfs, so this also covers the self case.
allow removable_t noxattrfs:filesystem associate;

#
# nfs_t is the default type for NFS file systems
# and their files.
#
# afs mounts are labeled nfs_t as well.
type nfs_t, filesystem_type, noxattrfs;
files_mountpoint(nfs_t)
allow nfs_t self:filesystem associate;
genfscon nfs / context_template(system_u:object_r:nfs_t,s0)
genfscon nfs4 / context_template(system_u:object_r:nfs_t,s0)
genfscon afs / context_template(system_u:object_r:nfs_t,s0)