109 lines
4.1 KiB
Plaintext
109 lines
4.1 KiB
Plaintext
# FLASK
|
|
|
|
#
|
|
# Security contexts for files in filesystems that
|
|
# cannot support xattr or use one of the fixed labeling schemes
|
|
# specified in fs_use.
|
|
#
|
|
# Each specifications has the form:
|
|
# genfscon fstype pathname-prefix [ -type ] context
|
|
#
|
|
# The entry with the longest matching pathname prefix is used.
|
|
# / refers to the root directory of the file system, and
|
|
# everything is specified relative to this root directory.
|
|
# If there is no entry with a matching pathname prefix, then
|
|
# the unlabeled initial SID is used.
|
|
#
|
|
# The optional type field specifies the file type as shown in the mode
|
|
# field by ls, e.g. use -c to match only character device files, -b
|
|
# to match only block device files.
|
|
#
|
|
# Except for proc, in 2.6 other filesystems are limited to a single entry (/)
|
|
# that covers all entries in the filesystem with a default file context.
|
|
# For proc, a pathname can be reliably generated from the proc_dir_entry
|
|
# tree. The proc /sys entries are used for both proc inodes and for sysctl(2)
|
|
# calls. /proc/PID entries are automatically labeled based on the associated
|
|
# process.
|
|
#
|
|
# Support for other filesystem types requires corresponding code to be
|
|
# added to the kernel, either as an xattr handler in the filesystem
|
|
# implementation (preferred, and necessary if you want to access the labels
|
|
# from userspace) or as logic in the SELinux module.
|
|
|
|
# proc (excluding /proc/PID)
|
|
genfscon proc / system_u:object_r:proc_t:s0
|
|
genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s15:c0.c255
|
|
genfscon proc /kcore system_u:object_r:proc_kcore_t:s15:c0.c255
|
|
genfscon proc /mdstat system_u:object_r:proc_mdstat_t:s0
|
|
genfscon proc /mtrr system_u:object_r:mtrr_device_t:s0
|
|
genfscon proc /net system_u:object_r:proc_net_t:s0
|
|
genfscon proc /sysvipc system_u:object_r:proc_t:s0
|
|
genfscon proc /sys system_u:object_r:sysctl_t:s0
|
|
genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t:s0
|
|
genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t:s0
|
|
genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t:s0
|
|
genfscon proc /sys/net system_u:object_r:sysctl_net_t:s0
|
|
genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t:s0
|
|
genfscon proc /sys/vm system_u:object_r:sysctl_vm_t:s0
|
|
genfscon proc /sys/dev system_u:object_r:sysctl_dev_t:s0
|
|
genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t:s0
|
|
genfscon proc /irq system_u:object_r:sysctl_irq_t:s0
|
|
|
|
# rootfs
|
|
genfscon rootfs / system_u:object_r:root_t:s0
|
|
|
|
# sysfs
|
|
genfscon sysfs / system_u:object_r:sysfs_t:s0
|
|
|
|
# selinuxfs
|
|
genfscon selinuxfs / system_u:object_r:security_t:s0
|
|
|
|
# autofs
|
|
genfscon autofs / system_u:object_r:autofs_t:s0
|
|
genfscon automount / system_u:object_r:autofs_t:s0
|
|
|
|
# usbdevfs
|
|
genfscon usbdevfs / system_u:object_r:usbdevfs_t:s0
|
|
|
|
# iso9660
|
|
genfscon iso9660 / system_u:object_r:iso9660_t:s0
|
|
genfscon udf / system_u:object_r:iso9660_t:s0
|
|
|
|
# romfs
|
|
genfscon romfs / system_u:object_r:romfs_t:s0
|
|
genfscon cramfs / system_u:object_r:romfs_t:s0
|
|
|
|
# ramfs
|
|
genfscon ramfs / system_u:object_r:ramfs_t:s0
|
|
|
|
# vfat, msdos
|
|
genfscon vfat / system_u:object_r:dosfs_t:s0
|
|
genfscon msdos / system_u:object_r:dosfs_t:s0
|
|
genfscon fat / system_u:object_r:dosfs_t:s0
|
|
genfscon ntfs / system_u:object_r:dosfs_t:s0
|
|
|
|
# samba
|
|
genfscon cifs / system_u:object_r:cifs_t:s0
|
|
genfscon smbfs / system_u:object_r:cifs_t:s0
|
|
|
|
# nfs
|
|
genfscon nfs / system_u:object_r:nfs_t:s0
|
|
genfscon nfs4 / system_u:object_r:nfs_t:s0
|
|
genfscon afs / system_u:object_r:nfs_t:s0
|
|
|
|
genfscon debugfs / system_u:object_r:debugfs_t:s0
|
|
genfscon inotifyfs / system_u:object_r:inotifyfs_t:s0
|
|
genfscon hugetlbfs / system_u:object_r:hugetlbfs_t:s0
|
|
genfscon capifs / system_u:object_r:capifs_t:s0
|
|
genfscon configfs / system_u:object_r:configfs_t:s0
|
|
|
|
# needs more work
|
|
genfscon eventpollfs / system_u:object_r:eventpollfs_t:s0
|
|
genfscon futexfs / system_u:object_r:futexfs_t:s0
|
|
genfscon bdev / system_u:object_r:bdev_t:s0
|
|
genfscon usbfs / system_u:object_r:usbfs_t:s0
|
|
genfscon nfsd / system_u:object_r:nfsd_fs_t:s0
|
|
genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t:s0
|
|
genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t:s0
|
|
|