policy_module(filesystem,1.0)
########################################
#
# Declarations
#
attribute filesystem_type;
attribute noxattrfs;
##############################
#
# fs_t is the default type for persistent
# filesystems with extended attributes
#
type fs_t, filesystem_type;
sid fs gen_context(system_u:object_r:fs_t,s0)
# Use xattrs for the following filesystem types.
# Requires that a security xattr handler exist for the filesystem.
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr reiserfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
# Use the allocating task SID to label inodes in the following filesystem
# types, and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems that represent objects
# like pipes and sockets, so that these objects are labeled with the same
# type as the creating task.
fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
##############################
#
# Non-persistent/pseudo filesystems
#
type bdev_t, filesystem_type;
genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
type binfmt_misc_fs_t, filesystem_type;
files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
type capifs_t, filesystem_type;
allow capifs_t self:filesystem associate;
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
type configfs_t, filesystem_type;
allow configfs_t self:filesystem associate;
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
type eventpollfs_t, filesystem_type;
allow eventpollfs_t self:filesystem associate;
genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
type futexfs_t, filesystem_type;
allow futexfs_t self:filesystem associate;
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
type hugetlbfs_t, filesystem_type;
files_mountpoint(hugetlbfs_t)
allow hugetlbfs_t self:filesystem associate;
genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)
type inotifyfs_t, filesystem_type;
allow inotifyfs_t self:filesystem associate;
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
type nfsd_fs_t, filesystem_type;
allow nfsd_fs_t self:filesystem associate;
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
type ramfs_t, filesystem_type;
allow ramfs_t self:filesystem associate;
genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
type romfs_t, filesystem_type;
allow romfs_t self:filesystem associate;
genfscon romfs / gen_context(system_u:object_r:romfs_t,s0)
genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)
type rpc_pipefs_t, filesystem_type;
allow rpc_pipefs_t self:filesystem associate;
genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
#
# tmpfs_t is the type for tmpfs filesystems
#
type tmpfs_t, filesystem_type;
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
# and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems like devpts and tmpfs
# where we want to label objects with a derived type.
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
allow tmpfs_t self:filesystem associate;
allow tmpfs_t noxattrfs:filesystem associate;
##############################
#
# Filesystems without extended attribute support
#
type autofs_t, filesystem_type, noxattrfs;
allow autofs_t self:filesystem associate;
genfscon autofs / gen_context(system_u:object_r:autofs_t,s0)
genfscon automount / gen_context(system_u:object_r:autofs_t,s0)
#
# cifs_t is the type for filesystems shared from
# Windows servers and their files.
#
type cifs_t alias sambafs_t, filesystem_type, noxattrfs;
allow cifs_t self:filesystem associate;
genfscon cifs / gen_context(system_u:object_r:cifs_t,s0)
genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)
#
# dosfs_t is the type for fat and vfat
# filesystems and their files.
#
type dosfs_t, filesystem_type, noxattrfs;
allow dosfs_t self:filesystem associate;
genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
#
# iso9660_t is the type for CD filesystems
# and their files.
#
type iso9660_t, filesystem_type, noxattrfs;
allow iso9660_t self:filesystem associate;
genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
#
# removable_t is the default type for all removable media
#
type removable_t, filesystem_type, noxattrfs;
allow removable_t noxattrfs:filesystem associate;
files_config_file(removable_t)
#
# nfs_t is the default type for NFS filesystems
# and their files.
#
type nfs_t, filesystem_type, noxattrfs;
files_mountpoint(nfs_t)
allow nfs_t self:filesystem associate;
genfscon nfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
genfscon afs / gen_context(system_u:object_r:nfs_t,s0)