|
Chris PeBenito |
e181fe |
|
|
Chris PeBenito |
9e8f65 |
policy_module(filesystem,1.5.2)
|
|
Chris PeBenito |
960373 |
|
|
Chris PeBenito |
fd89e1 |
########################################
|
|
Chris PeBenito |
fd89e1 |
#
|
|
Chris PeBenito |
fd89e1 |
# Declarations
|
|
Chris PeBenito |
fd89e1 |
#
|
|
Chris PeBenito |
fd89e1 |
|
|
Chris PeBenito |
cbca03 |
attribute filesystem_type;
|
|
Chris PeBenito |
b518fc |
attribute filesystem_unconfined_type;
|
|
Chris PeBenito |
fe040c |
attribute noxattrfs;
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
fd89e1 |
##############################
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b4cd15 |
# fs_t is the default type for persistent
|
|
Chris PeBenito |
b4cd15 |
# filesystems with extended attributes
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
c3cf66 |
type fs_t;
|
|
Chris PeBenito |
c3cf66 |
fs_type(fs_t)
|
|
Chris PeBenito |
e02c61 |
sid fs gen_context(system_u:object_r:fs_t,s0)
|
|
Chris PeBenito |
cabfa5 |
|
|
Chris PeBenito |
cabfa5 |
# Use xattrs for the following filesystem types.
|
|
Chris PeBenito |
cabfa5 |
# Requires that a security xattr handler exist for the filesystem.
|
|
Chris PeBenito |
d6d16b |
fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
|
|
Chris PeBenito |
e02c61 |
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
|
|
Chris PeBenito |
e02c61 |
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
|
|
Chris PeBenito |
d6d16b |
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
|
|
Chris PeBenito |
2dbd38 |
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
|
|
Chris PeBenito |
e539a4 |
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
|
|
Chris PeBenito |
e02c61 |
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
|
|
Chris PeBenito |
e02c61 |
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
|
|
Chris PeBenito |
cabfa5 |
|
|
Chris PeBenito |
cabfa5 |
# Use the allocating task SID to label inodes in the following filesystem
|
|
Chris PeBenito |
cabfa5 |
# types, and label the filesystem itself with the specified context.
|
|
Chris PeBenito |
cabfa5 |
# This is appropriate for pseudo filesystems that represent objects
|
|
Chris PeBenito |
cabfa5 |
# like pipes and sockets, so that these objects are labeled with the same
|
|
Chris PeBenito |
cabfa5 |
# type as the creating task.
|
|
Chris PeBenito |
81a016 |
fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0);
|
|
Chris PeBenito |
e02c61 |
fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
|
|
Chris PeBenito |
e02c61 |
fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
fd89e1 |
##############################
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b4cd15 |
# Non-persistent/pseudo filesystems
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
c3cf66 |
type bdev_t;
|
|
Chris PeBenito |
c3cf66 |
fs_type(bdev_t)
|
|
Chris PeBenito |
e02c61 |
genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
c3cf66 |
type binfmt_misc_fs_t;
|
|
Chris PeBenito |
c3cf66 |
fs_type(binfmt_misc_fs_t)
|
|
Chris PeBenito |
0907bd |
files_mountpoint(binfmt_misc_fs_t)
|
|
Chris PeBenito |
e02c61 |
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
c3cf66 |
type capifs_t;
|
|
Chris PeBenito |
c3cf66 |
fs_type(capifs_t)
|
|
Chris PeBenito |
77f6e2 |
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
|
|
Chris PeBenito |
77f6e2 |
|
|
Chris PeBenito |
c3cf66 |
type configfs_t;
|
|
Chris PeBenito |
c3cf66 |
fs_type(configfs_t)
|
|
Chris PeBenito |
19b555 |
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
|
|
Chris PeBenito |
19b555 |
|
|
Chris PeBenito |
c3cf66 |
type eventpollfs_t;
|
|
Chris PeBenito |
c3cf66 |
fs_type(eventpollfs_t)
|
|
Chris PeBenito |
81a016 |
# change to task SID 20060628
|
|
Chris PeBenito |
81a016 |
#genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
c3cf66 |
type futexfs_t;
|
|
Chris PeBenito |
c3cf66 |
fs_type(futexfs_t)
|
|
Chris PeBenito |
e02c61 |
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
c3cf66 |
type hugetlbfs_t;
|
|
Chris PeBenito |
c3cf66 |
fs_type(hugetlbfs_t)
|
|
Chris PeBenito |
0907bd |
files_mountpoint(hugetlbfs_t)
|
|
Chris PeBenito |
e02c61 |
genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
|
|
Chris PeBenito |
0907bd |
|
|
Chris PeBenito |
123a99 |
type ibmasmfs_t;
|
|
Chris PeBenito |
123a99 |
fs_type(ibmasmfs_t)
|
|
Chris PeBenito |
123a99 |
allow ibmasmfs_t self:filesystem associate;
|
|
Chris PeBenito |
123a99 |
genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
|
|
Chris PeBenito |
123a99 |
|
|
Chris PeBenito |
c3cf66 |
type inotifyfs_t;
|
|
Chris PeBenito |
c3cf66 |
fs_type(inotifyfs_t)
|
|
Chris PeBenito |
e02c61 |
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
|
|
Chris PeBenito |
0907bd |
|
|
Chris PeBenito |
c3cf66 |
type nfsd_fs_t;
|
|
Chris PeBenito |
c3cf66 |
fs_type(nfsd_fs_t)
|
|
Chris PeBenito |
e02c61 |
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
522b59 |
type oprofilefs_t;
|
|
Chris PeBenito |
522b59 |
fs_type(oprofilefs_t)
|
|
Chris PeBenito |
522b59 |
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
|
|
Chris PeBenito |
522b59 |
|
|
Chris PeBenito |
c3cf66 |
type ramfs_t;
|
|
Chris PeBenito |
c3cf66 |
fs_type(ramfs_t)
|
|
Chris PeBenito |
e02c61 |
genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
c3cf66 |
type romfs_t;
|
|
Chris PeBenito |
c3cf66 |
fs_type(romfs_t)
|
|
Chris PeBenito |
e02c61 |
genfscon romfs / gen_context(system_u:object_r:romfs_t,s0)
|
|
Chris PeBenito |
e02c61 |
genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
c3cf66 |
type rpc_pipefs_t;
|
|
Chris PeBenito |
c3cf66 |
fs_type(rpc_pipefs_t)
|
|
Chris PeBenito |
e02c61 |
genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
|
|
Chris PeBenito |
6b19be |
files_mountpoint(rpc_pipefs_t)
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b4cd15 |
# tmpfs_t is the type for tmpfs filesystems
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
c3cf66 |
type tmpfs_t;
|
|
Chris PeBenito |
c3cf66 |
fs_type(tmpfs_t)
|
|
Chris PeBenito |
8fd367 |
files_type(tmpfs_t)
|
|
Chris PeBenito |
cff75c |
files_mountpoint(tmpfs_t)
|
|
Chris PeBenito |
f5c42b |
|
|
Chris PeBenito |
cabfa5 |
# Use a transition SID based on the allocating task SID and the
|
|
Chris PeBenito |
cabfa5 |
# filesystem SID to label inodes in the following filesystem types,
|
|
Chris PeBenito |
cabfa5 |
# and label the filesystem itself with the specified context.
|
|
Chris PeBenito |
cabfa5 |
# This is appropriate for pseudo filesystems like devpts and tmpfs
|
|
Chris PeBenito |
cabfa5 |
# where we want to label objects with a derived type.
|
|
Chris PeBenito |
e02c61 |
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
|
|
Chris PeBenito |
e02c61 |
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
|
|
Chris PeBenito |
e02c61 |
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
|
|
Chris PeBenito |
cabfa5 |
|
|
Chris PeBenito |
fe040c |
allow tmpfs_t noxattrfs:filesystem associate;
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
fd89e1 |
##############################
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b4cd15 |
# Filesystems without extended attribute support
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
da14da |
type autofs_t;
|
|
Chris PeBenito |
da14da |
fs_noxattr_type(autofs_t)
|
|
Chris PeBenito |
af2345 |
files_mountpoint(autofs_t)
|
|
Chris PeBenito |
e02c61 |
genfscon autofs / gen_context(system_u:object_r:autofs_t,s0)
|
|
Chris PeBenito |
e02c61 |
genfscon automount / gen_context(system_u:object_r:autofs_t,s0)
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b4cd15 |
# cifs_t is the type for filesystems and their
|
|
Chris PeBenito |
b4cd15 |
# files shared from Windows servers
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
da14da |
type cifs_t alias sambafs_t;
|
|
Chris PeBenito |
da14da |
fs_noxattr_type(cifs_t)
|
|
Chris PeBenito |
6b19be |
files_mountpoint(cifs_t)
|
|
Chris PeBenito |
e02c61 |
genfscon cifs / gen_context(system_u:object_r:cifs_t,s0)
|
|
Chris PeBenito |
e02c61 |
genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b4cd15 |
# dosfs_t is the type for fat and vfat
|
|
Chris PeBenito |
b4cd15 |
# filesystems and their files.
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
da14da |
type dosfs_t;
|
|
Chris PeBenito |
da14da |
fs_noxattr_type(dosfs_t)
|
|
Chris PeBenito |
955019 |
allow dosfs_t fs_t:filesystem associate;
|
|
Chris PeBenito |
e02c61 |
genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
|
|
Chris PeBenito |
e02c61 |
genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
|
|
Chris PeBenito |
6b19be |
genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
|
|
Chris PeBenito |
e02c61 |
genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
|
|
Chris PeBenito |
e02c61 |
genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b4cd15 |
# iso9660_t is the type for CD filesystems
|
|
Chris PeBenito |
b4cd15 |
# and their files.
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
da14da |
type iso9660_t;
|
|
Chris PeBenito |
da14da |
fs_noxattr_type(iso9660_t)
|
|
Chris PeBenito |
e02c61 |
genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
|
|
Chris PeBenito |
e02c61 |
genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
33bc0d |
# removable_t is the default type of all removable media
|
|
Chris PeBenito |
33bc0d |
#
|
|
Chris PeBenito |
da14da |
type removable_t;
|
|
Chris PeBenito |
fe040c |
allow removable_t noxattrfs:filesystem associate;
|
|
Chris PeBenito |
da14da |
fs_noxattr_type(removable_t)
|
|
Chris PeBenito |
b68a85 |
files_type(removable_t)
|
|
Chris PeBenito |
33bc0d |
|
|
Chris PeBenito |
33bc0d |
#
|
|
Chris PeBenito |
b4cd15 |
# nfs_t is the default type for NFS file systems
|
|
Chris PeBenito |
b4cd15 |
# and their files.
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
da14da |
type nfs_t;
|
|
Chris PeBenito |
da14da |
fs_noxattr_type(nfs_t)
|
|
Chris PeBenito |
c9428d |
files_mountpoint(nfs_t)
|
|
Chris PeBenito |
e02c61 |
genfscon nfs / gen_context(system_u:object_r:nfs_t,s0)
|
|
Chris PeBenito |
e02c61 |
genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
|
|
Chris PeBenito |
e02c61 |
genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
|
|
Chris PeBenito |
a3cf80 |
genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
|
|
Chris PeBenito |
a3cf80 |
genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
|
|
Chris PeBenito |
d2a903 |
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
|
|
Chris PeBenito |
da14da |
|
|
Chris PeBenito |
da14da |
########################################
|
|
Chris PeBenito |
da14da |
#
|
|
Chris PeBenito |
da14da |
# Rules for all filesystem types
|
|
Chris PeBenito |
da14da |
#
|
|
Chris PeBenito |
da14da |
|
|
Chris PeBenito |
da14da |
allow filesystem_type self:filesystem associate;
|
|
Chris PeBenito |
b518fc |
|
|
Chris PeBenito |
b518fc |
########################################
|
|
Chris PeBenito |
b518fc |
#
|
|
Chris PeBenito |
d6d16b |
# Rules for filesystems without xattr support
|
|
Chris PeBenito |
d6d16b |
#
|
|
Chris PeBenito |
d6d16b |
|
|
Chris PeBenito |
d6d16b |
# Allow me to mv from one noxattrfs to another nfs_t to dosfs_t for example
|
|
Chris PeBenito |
d6d16b |
fs_associate_noxattr(noxattrfs)
|
|
Chris PeBenito |
d6d16b |
|
|
Chris PeBenito |
d6d16b |
########################################
|
|
Chris PeBenito |
d6d16b |
#
|
|
Chris PeBenito |
b518fc |
# Unconfined access to this module
|
|
Chris PeBenito |
b518fc |
#
|
|
Chris PeBenito |
b518fc |
|
|
Chris PeBenito |
b518fc |
allow filesystem_unconfined_type filesystem_type:filesystem *;
|
|
Chris PeBenito |
b518fc |
|
|
Chris PeBenito |
b518fc |
# Create/access other files. fs_type is to pick up various
|
|
Chris PeBenito |
b518fc |
# pseudo filesystem types that are applied to both the filesystem
|
|
Chris PeBenito |
b518fc |
# and its files.
|
|
Chris PeBenito |
b518fc |
allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
|