Chris PeBenito e181fe
Chris PeBenito 185272
policy_module(files,1.2.1)
Chris PeBenito 960373
Chris PeBenito fd89e1
########################################
Chris PeBenito fd89e1
#
Chris PeBenito fd89e1
# Declarations
Chris PeBenito fd89e1
#
Chris PeBenito fd89e1
Chris PeBenito b4cd15
attribute file_type;
Chris PeBenito 2db2c7
Chris PeBenito 2db2c7
# cjp: should handle this different
Chris PeBenito 2db2c7
allow file_type self:filesystem associate;
Chris PeBenito 2db2c7
Chris PeBenito b4cd15
attribute lockfile;
Chris PeBenito 46410f
attribute mountpoint;
Chris PeBenito b4cd15
attribute pidfile;
Chris PeBenito a1fcff
Chris PeBenito a1fcff
# For labeling types that are to be polyinstantiated
Chris PeBenito a1fcff
attribute polydir;
Chris PeBenito a1fcff
Chris PeBenito 9bbc75
# this is a hack and should be changed
Chris PeBenito 9bbc75
attribute usercanread;
Chris PeBenito 9bbc75
Chris PeBenito a1fcff
# And for labeling the parent directories of those polyinstantiated directories
Chris PeBenito a1fcff
# This is necessary for remounting the original in the parent to give
Chris PeBenito a1fcff
# security aware apps access
Chris PeBenito a1fcff
attribute polyparent;
Chris PeBenito a1fcff
Chris PeBenito a1fcff
# And labeling for the member directories
Chris PeBenito a1fcff
attribute polymember;
Chris PeBenito a1fcff
Chris PeBenito a2868f
# sensitive security files whose accesses should
Chris PeBenito a2868f
# not be dontaudited for uses
Chris PeBenito a2868f
attribute security_file_type;
Chris PeBenito a2868f
Chris PeBenito b4cd15
attribute tmpfile;
Chris PeBenito 46410f
attribute tmpfsfile;
Chris PeBenito b4cd15
Chris PeBenito 1c1ac6
#
Chris PeBenito 1c1ac6
# boot_t is the type for files in /boot
Chris PeBenito 1c1ac6
#
Chris PeBenito 1c1ac6
type boot_t;
Chris PeBenito 1c1ac6
files_type(boot_t)
Chris PeBenito 1c1ac6
files_mountpoint(boot_t)
Chris PeBenito 1c1ac6
Chris PeBenito b4cd15
# default_t is the default type for files that do not
Chris PeBenito b4cd15
# match any specification in the file_contexts configuration
Chris PeBenito b4cd15
# other than the generic /.* specification.
Chris PeBenito a2d824
type default_t, file_type, mountpoint;
Chris PeBenito 763c44
fs_associate(default_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(default_t)
Chris PeBenito b4cd15
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
# etc_t is the type of the system etc directories.
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
type etc_t, file_type;
Chris PeBenito 763c44
fs_associate(etc_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(etc_t)
Chris PeBenito b4cd15
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
# etc_runtime_t is the type of various
Chris PeBenito b4cd15
# files in /etc that are automatically
Chris PeBenito b4cd15
# generated during initialization.
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
type etc_runtime_t, file_type;
Chris PeBenito 763c44
fs_associate(etc_runtime_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(etc_runtime_t)
Chris PeBenito b4cd15
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
# file_t is the default type of a file that has not yet been
Chris PeBenito b4cd15
# assigned an extended attribute (EA) value (when using a filesystem
Chris PeBenito b4cd15
# that supports EAs).
Chris PeBenito b4cd15
#
Chris PeBenito a2d824
type file_t, file_type, mountpoint;
Chris PeBenito 763c44
fs_associate(file_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(file_t)
Chris PeBenito 0fd9dc
kernel_rootfs_mountpoint(file_t)
Chris PeBenito e02c61
sid file gen_context(system_u:object_r:file_t,s0)
Chris PeBenito b4cd15
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
# home_root_t is the type for the directory where user home directories
Chris PeBenito b4cd15
# are created
Chris PeBenito b4cd15
#
Chris PeBenito 0f27d9
type home_root_t, file_type, mountpoint;
Chris PeBenito 763c44
fs_associate(home_root_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(home_root_t)
Chris PeBenito 0f27d9
files_poly_parent(home_root_t)
Chris PeBenito b4cd15
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
# lost_found_t is the type for the lost+found directories.
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
type lost_found_t, file_type;
Chris PeBenito 763c44
fs_associate(lost_found_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(lost_found_t)
Chris PeBenito b4cd15
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
# mnt_t is the type for mount points such as /mnt/cdrom
Chris PeBenito b4cd15
#
Chris PeBenito a2d824
type mnt_t, file_type, mountpoint;
Chris PeBenito 763c44
fs_associate(mnt_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(mnt_t)
Chris PeBenito b4cd15
Chris PeBenito 1c1ac6
#
Chris PeBenito 1c1ac6
# modules_object_t is the type for kernel modules
Chris PeBenito 1c1ac6
#
Chris PeBenito 1c1ac6
type modules_object_t;
Chris PeBenito 1c1ac6
files_type(modules_object_t)
Chris PeBenito 1c1ac6
Chris PeBenito 219bcf
type no_access_t, file_type;
Chris PeBenito 763c44
fs_associate(no_access_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(no_access_t)
Chris PeBenito 219bcf
Chris PeBenito 219bcf
type poly_t, file_type;
Chris PeBenito 763c44
fs_associate(poly_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(poly_t)
Chris PeBenito 219bcf
Chris PeBenito 219bcf
type readable_t, file_type;
Chris PeBenito 763c44
fs_associate(readable_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(readable_t)
Chris PeBenito 219bcf
Chris PeBenito b4cd15
#
Chris PeBenito a2d824
# root_t is the type for rootfs and the root directory.
Chris PeBenito a2d824
#
Chris PeBenito 0f27d9
type root_t, file_type, mountpoint;
Chris PeBenito 763c44
fs_associate(root_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(root_t)
Chris PeBenito 0f27d9
files_poly_parent(root_t)
Chris PeBenito 0fd9dc
kernel_rootfs_mountpoint(root_t)
Chris PeBenito e02c61
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
Chris PeBenito a2d824
Chris PeBenito a2d824
#
Chris PeBenito b4cd15
# src_t is the type of files in the system src directories.
Chris PeBenito b4cd15
#
Chris PeBenito 0907bd
type src_t, file_type, mountpoint;
Chris PeBenito 763c44
fs_associate(src_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(src_t)
Chris PeBenito b4cd15
Chris PeBenito b4cd15
#
Chris PeBenito 1c1ac6
# system_map_t is for the system.map files in /boot
Chris PeBenito 1c1ac6
#
Chris PeBenito 1c1ac6
type system_map_t;
Chris PeBenito 1c1ac6
files_type(system_map_t)
Chris PeBenito 1c1ac6
Chris PeBenito 1c1ac6
#
Chris PeBenito b4cd15
# tmp_t is the type of the temporary directories
Chris PeBenito b4cd15
#
Chris PeBenito c3cf66
type tmp_t, mountpoint; #, polydir
Chris PeBenito c3cf66
files_tmp_file(tmp_t)
Chris PeBenito 0f27d9
files_poly_parent(tmp_t)
Chris PeBenito b4cd15
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
# usr_t is the type for /usr.
Chris PeBenito b4cd15
#
Chris PeBenito a2d824
type usr_t, file_type, mountpoint;
Chris PeBenito 763c44
fs_associate(usr_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(usr_t)
Chris PeBenito b4cd15
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
# var_t is the type of /var
Chris PeBenito b4cd15
#
Chris PeBenito a2d824
type var_t, file_type, mountpoint;
Chris PeBenito 763c44
fs_associate(var_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(var_t)
Chris PeBenito b4cd15
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
# var_lib_t is the type of /var/lib
Chris PeBenito b4cd15
#
Chris PeBenito ea7d57
type var_lib_t, file_type, mountpoint;
Chris PeBenito 763c44
fs_associate(var_lib_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(var_lib_t)
Chris PeBenito b4cd15
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
# var_lock_t is tye type of /var/lock
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
type var_lock_t, file_type, lockfile;
Chris PeBenito 763c44
fs_associate(var_lock_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(var_lock_t)
Chris PeBenito b4cd15
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
# var_run_t is the type of /var/run, usually
Chris PeBenito b4cd15
# used for pid and other runtime files.
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
type var_run_t, file_type, pidfile;
Chris PeBenito 763c44
fs_associate(var_run_t)
Chris PeBenito 0fd9dc
fs_associate_noxattr(var_run_t)
Chris PeBenito b4cd15
Chris PeBenito b4cd15
#
Chris PeBenito b4cd15
# var_spool_t is the type of /var/spool
Chris PeBenito b4cd15
#
Chris PeBenito c3cf66
type var_spool_t;
Chris PeBenito c3cf66
files_tmp_file(var_spool_t)