|
Chris PeBenito |
0fbfa5 |
# FLASK
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Security contexts for files in filesystems that
|
|
Chris PeBenito |
0fbfa5 |
# cannot support xattr or use one of the fixed labeling schemes
|
|
Chris PeBenito |
0fbfa5 |
# specified in fs_use.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Each specifications has the form:
|
|
Chris PeBenito |
0fbfa5 |
# genfscon fstype pathname-prefix [ -type ] context
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# The entry with the longest matching pathname prefix is used.
|
|
Chris PeBenito |
0fbfa5 |
# / refers to the root directory of the file system, and
|
|
Chris PeBenito |
0fbfa5 |
# everything is specified relative to this root directory.
|
|
Chris PeBenito |
0fbfa5 |
# If there is no entry with a matching pathname prefix, then
|
|
Chris PeBenito |
0fbfa5 |
# the unlabeled initial SID is used.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# The optional type field specifies the file type as shown in the mode
|
|
Chris PeBenito |
0fbfa5 |
# field by ls, e.g. use -c to match only character device files, -b
|
|
Chris PeBenito |
0fbfa5 |
# to match only block device files.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Except for proc, in 2.6 other filesystems are limited to a single entry (/)
|
|
Chris PeBenito |
0fbfa5 |
# that covers all entries in the filesystem with a default file context.
|
|
Chris PeBenito |
0fbfa5 |
# For proc, a pathname can be reliably generated from the proc_dir_entry
|
|
Chris PeBenito |
0fbfa5 |
# tree. The proc /sys entries are used for both proc inodes and for sysctl(2)
|
|
Chris PeBenito |
0fbfa5 |
# calls. /proc/PID entries are automatically labeled based on the associated
|
|
Chris PeBenito |
0fbfa5 |
# process.
|
|
Chris PeBenito |
0fbfa5 |
#
|
|
Chris PeBenito |
0fbfa5 |
# Support for other filesystem types requires corresponding code to be
|
|
Chris PeBenito |
0fbfa5 |
# added to the kernel, either as an xattr handler in the filesystem
|
|
Chris PeBenito |
0fbfa5 |
# implementation (preferred, and necessary if you want to access the labels
|
|
Chris PeBenito |
0fbfa5 |
# from userspace) or as logic in the SELinux module.
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# proc (excluding /proc/PID)
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc / system_u:object_r:proc_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /kmsg system_u:object_r:proc_kmsg_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /kcore system_u:object_r:proc_kcore_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /mdstat system_u:object_r:proc_mdstat_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /mtrr system_u:object_r:mtrr_device_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /net system_u:object_r:proc_net_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /sysvipc system_u:object_r:proc_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /sys system_u:object_r:sysctl_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /sys/net system_u:object_r:sysctl_net_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /sys/vm system_u:object_r:sysctl_vm_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /sys/dev system_u:object_r:sysctl_dev_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon proc /irq system_u:object_r:sysctl_irq_t
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# rootfs
|
|
Chris PeBenito |
0fbfa5 |
genfscon rootfs / system_u:object_r:root_t
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# sysfs
|
|
Chris PeBenito |
0fbfa5 |
genfscon sysfs / system_u:object_r:sysfs_t
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# selinuxfs
|
|
Chris PeBenito |
0fbfa5 |
genfscon selinuxfs / system_u:object_r:security_t
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# autofs
|
|
Chris PeBenito |
0fbfa5 |
genfscon autofs / system_u:object_r:autofs_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon automount / system_u:object_r:autofs_t
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# usbdevfs
|
|
Chris PeBenito |
0fbfa5 |
genfscon usbdevfs / system_u:object_r:usbdevfs_t
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# iso9660
|
|
Chris PeBenito |
0fbfa5 |
genfscon iso9660 / system_u:object_r:iso9660_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon udf / system_u:object_r:iso9660_t
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# romfs
|
|
Chris PeBenito |
0fbfa5 |
genfscon romfs / system_u:object_r:romfs_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon cramfs / system_u:object_r:romfs_t
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# ramfs
|
|
Chris PeBenito |
0fbfa5 |
genfscon ramfs / system_u:object_r:ramfs_t
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# vfat, msdos
|
|
Chris PeBenito |
0fbfa5 |
genfscon vfat / system_u:object_r:dosfs_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon msdos / system_u:object_r:dosfs_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon fat / system_u:object_r:dosfs_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon ntfs / system_u:object_r:dosfs_t
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# samba
|
|
Chris PeBenito |
0fbfa5 |
genfscon cifs / system_u:object_r:cifs_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon smbfs / system_u:object_r:cifs_t
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# nfs
|
|
Chris PeBenito |
0fbfa5 |
genfscon nfs / system_u:object_r:nfs_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon nfs4 / system_u:object_r:nfs_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon afs / system_u:object_r:nfs_t
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# reiserfs - until xattr security support works properly
|
|
Chris PeBenito |
0fbfa5 |
genfscon reiserfs / system_u:object_r:nfs_t
|
|
Chris PeBenito |
0fbfa5 |
|
|
Chris PeBenito |
0fbfa5 |
# needs more work
|
|
Chris PeBenito |
0fbfa5 |
genfscon eventpollfs / system_u:object_r:eventpollfs_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon futexfs / system_u:object_r:futexfs_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon bdev / system_u:object_r:bdev_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon usbfs / system_u:object_r:usbfs_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon nfsd / system_u:object_r:nfsd_fs_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t
|
|
Chris PeBenito |
0fbfa5 |
genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t
|
|
Chris PeBenito |
0fbfa5 |
|