selinux-policy/policy/modules/kernel/files.te
2007-02-16 23:01:42 +00:00

225 lines
4.4 KiB
Plaintext

policy_module(files,1.4.1)
########################################
#
# Declarations
#
attribute file_type;
attribute files_unconfined_type;
attribute lockfile;
attribute mountpoint;
attribute pidfile;
# For labeling types that are to be polyinstantiated
attribute polydir;
# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
attribute polyparent;
# And labeling for the member directories
attribute polymember;
# sensitive security files whose accesses should
# not be dontaudited for uses
attribute security_file_type;
attribute tmpfile;
attribute tmpfsfile;
# this is a hack and should be changed
attribute usercanread;
#
# boot_t is the type for files in /boot
#
type boot_t;
files_mountpoint(boot_t)
# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
# other than the generic /.* specification.
type default_t;
files_mountpoint(default_t)
#
# etc_t is the type of the system etc directories.
#
type etc_t;
files_type(etc_t)
# compatibility aliases for removed types:
typealias etc_t alias automount_etc_t;
#
# etc_runtime_t is the type of various
# files in /etc that are automatically
# generated during initialization.
#
type etc_runtime_t;
files_type(etc_runtime_t)
#Temporarily in policy until FC5 dissappears
typealias etc_runtime_t alias firstboot_rw_t;
#
# file_t is the default type of a file that has not yet been
# assigned an extended attribute (EA) value (when using a filesystem
# that supports EAs).
#
type file_t;
files_mountpoint(file_t)
kernel_rootfs_mountpoint(file_t)
sid file gen_context(system_u:object_r:file_t,s0)
#
# home_root_t is the type for the directory where user home directories
# are created
#
type home_root_t;
files_mountpoint(home_root_t)
files_poly_parent(home_root_t)
#
# lost_found_t is the type for the lost+found directories.
#
type lost_found_t;
files_type(lost_found_t)
#
# mnt_t is the type for mount points such as /mnt/cdrom
#
type mnt_t;
files_mountpoint(mnt_t)
#
# modules_object_t is the type for kernel modules
#
type modules_object_t;
files_type(modules_object_t)
type no_access_t;
files_type(no_access_t)
type poly_t;
files_type(poly_t)
type readable_t;
files_type(readable_t)
#
# root_t is the type for rootfs and the root directory.
#
type root_t;
files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
#
# src_t is the type of files in the system src directories.
#
type src_t;
files_mountpoint(src_t)
#
# system_map_t is for the system.map files in /boot
#
type system_map_t;
files_type(system_map_t)
#
# tmp_t is the type of the temporary directories
#
type tmp_t;
files_tmp_file(tmp_t)
files_mountpoint(tmp_t)
files_poly(tmp_t)
files_poly_parent(tmp_t)
#
# usr_t is the type for /usr.
#
type usr_t;
files_mountpoint(usr_t)
#
# var_t is the type of /var
#
type var_t;
files_mountpoint(var_t)
#
# var_lib_t is the type of /var/lib
#
type var_lib_t;
files_mountpoint(var_lib_t)
#
# var_lock_t is tye type of /var/lock
#
type var_lock_t;
files_lock_file(var_lock_t)
#
# var_run_t is the type of /var/run, usually
# used for pid and other runtime files.
#
type var_run_t;
files_pid_file(var_run_t)
#
# var_spool_t is the type of /var/spool
#
type var_spool_t;
files_tmp_file(var_spool_t)
########################################
#
# Rules for all file types
#
allow file_type self:filesystem associate;
fs_associate(file_type)
fs_associate_noxattr(file_type)
ifdef(`targeted_policy', `
fs_associate_tmpfs(file_type)
')
########################################
#
# Rules for all tmp file types
#
allow tmpfile tmp_t:filesystem associate;
fs_associate_tmpfs(tmpfile)
########################################
#
# Rules for all tmpfs file types
#
fs_associate_tmpfs(tmpfsfile)
########################################
#
# Unconfined access to this module
#
# Create/access any file in a labeled filesystem;
allow files_unconfined_type file_type:{ file chr_file } ~execmod;
allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
# Mount/unmount any filesystem with the context= option.
allow files_unconfined_type file_type:filesystem *;
ifdef(`targeted_policy',`
tunable_policy(`allow_execmod',`
allow files_unconfined_type file_type:file execmod;
')
')