#

# Authors:  Stephen Smalley <sds@epoch.ncsc.mil> and Timothy Fraser  

#

#######################################

#

# General file-related types

#

#

# unlabeled_t is the type of unlabeled objects.

# Objects that have no known labeling information or that

# have labels that are no longer valid are treated as having this type.

#

type unlabeled_t, sysadmfile;

#

# fs_t is the default type for conventional filesystems.

#

type fs_t, fs_type;

# needs more work

type eventpollfs_t, fs_type;

type futexfs_t, fs_type;

type bdev_t, fs_type;

type usbfs_t, fs_type;

type nfsd_fs_t, fs_type;

type rpc_pipefs_t, fs_type;

type binfmt_misc_fs_t, fs_type;

#

# file_t is the default type of a file that has not yet been

# assigned an extended attribute (EA) value (when using a filesystem

# that supports EAs).

#

type file_t, file_type, sysadmfile;

# default_t is the default type for files that do not

# match any specification in the file_contexts configuration

# other than the generic /.* specification.

type default_t, file_type, sysadmfile;

#

# root_t is the type for the root directory.

#

type root_t, file_type, sysadmfile;

#

# mnt_t is the type for mount points such as /mnt/cdrom

type mnt_t, file_type, sysadmfile;

#

# home_root_t is the type for the directory where user home directories

# are created

#

type home_root_t, file_type, sysadmfile;

#

# lost_found_t is the type for the lost+found directories.

#

type lost_found_t, file_type, sysadmfile;

#

# boot_t is the type for files in /boot,

# including the kernel.

#

type boot_t, file_type, sysadmfile;

# system_map_t is for the system.map files in /boot

type system_map_t, file_type, sysadmfile;

#

# boot_runtime_t is the type for /boot/kernel.h,

# which is automatically generated at boot time.

# only for red hat

type boot_runtime_t, file_type, sysadmfile;

#

# tmp_t is the type of /tmp and /var/tmp.

#

type tmp_t, file_type, sysadmfile, tmpfile;

#

# etc_t is the type of the system etc directories.

#

type etc_t, file_type, sysadmfile;

#

# shadow_t is the type of the /etc/shadow file

#

type shadow_t, file_type, secure_file_type;

allow auth shadow_t:file { getattr read };

#

# ld_so_cache_t is the type of /etc/ld.so.cache.

#

type ld_so_cache_t, file_type, sysadmfile;

#

# etc_runtime_t is the type of various

# files in /etc that are automatically

# generated during initialization.

#

type etc_runtime_t, file_type, sysadmfile;

#

# fonts_runtime_t is the type of various

# fonts files in /usr that are automatically

# generated during initialization.

#

type fonts_t, file_type, sysadmfile, usercanread;

#

# etc_aliases_t is the type of the aliases database.

#

type etc_aliases_t, file_type, sysadmfile;

# net_conf_t is the type of the /etc/resolv.conf file.

# all DHCP clients and PPP need write access to this file.

type net_conf_t, file_type, sysadmfile;

#

# lib_t is the type of files in the system lib directories.

#

type lib_t, file_type, sysadmfile;

#

# shlib_t is the type of shared objects in the system lib

# directories.

#

ifdef(`targeted_policy', `

typealias lib_t alias shlib_t;

', `

type shlib_t, file_type, sysadmfile;

')

#

# texrel_shlib_t is the type of shared objects in the system lib

# directories, which require text relocation.

#

type texrel_shlib_t, file_type, sysadmfile;

# ld_so_t is the type of the system dynamic loaders.

#

type ld_so_t, file_type, sysadmfile;

#

# bin_t is the type of files in the system bin directories.

#

type bin_t, file_type, sysadmfile;

#

# cert_t is the type of files in the system certs directories.

#

type cert_t, file_type, sysadmfile, secure_file_type;

#

# ls_exec_t is the type of the ls program.

#

type ls_exec_t, file_type, exec_type, sysadmfile;

#

# shell_exec_t is the type of user shells such as /bin/bash.

#

type shell_exec_t, file_type, exec_type, sysadmfile;

#

# sbin_t is the type of files in the system sbin directories.

#

type sbin_t, file_type, sysadmfile;

#

# usr_t is the type for /usr.

#

type usr_t, file_type, sysadmfile;

#

# src_t is the type of files in the system src directories.

#

type src_t, file_type, sysadmfile;

#

# var_t is the type for /var.

#

type var_t, file_type,  sysadmfile;

#

# Types for subdirectories of /var.

#

type var_run_t, file_type, sysadmfile;

type var_log_t, file_type, sysadmfile, logfile;

type faillog_t, file_type, sysadmfile, logfile;

type var_lock_t, file_type, sysadmfile, lockfile;

type var_lib_t, file_type, sysadmfile;

# for /var/{spool,lib}/texmf index files

type tetex_data_t, file_type, sysadmfile, tmpfile;

type var_spool_t, file_type, sysadmfile, tmpfile;

type var_yp_t, file_type, sysadmfile;

# Type for /var/log/ksyms.

type var_log_ksyms_t, file_type, sysadmfile, logfile;

# Type for /var/log/lastlog.

type lastlog_t, file_type, sysadmfile, logfile;

# Type for /var/lib/nfs.

type var_lib_nfs_t, file_type, sysadmfile, usercanread;

#

# wtmp_t is the type of /var/log/wtmp.

#

type wtmp_t, file_type, sysadmfile, logfile;

#

# catman_t is the type for /var/catman.

#

type catman_t, file_type, sysadmfile, tmpfile;

#

# cron_spool_t is the type for /var/spool/cron.

#

type cron_spool_t, file_type, sysadmfile;

#

# print_spool_t is the type for /var/spool/lpd and /var/spool/cups.

#

type print_spool_t, file_type, sysadmfile, tmpfile;

#

# mail_spool_t is the type for /var/spool/mail.

#

type mail_spool_t, file_type, sysadmfile;

#

# mqueue_spool_t is the type for /var/spool/mqueue.

#

type mqueue_spool_t, file_type, sysadmfile;

#

# man_t is the type for the man directories.

#

type man_t, file_type, sysadmfile;

#

# readable_t is a general type for

# files that are readable by all domains.

#

type readable_t, file_type, sysadmfile;

# 

# Base type for the tests directory.

# 

type test_file_t, file_type, sysadmfile;

#

# poly_t is the type for the polyinstantiated directories.

#

type poly_t, file_type, sysadmfile;

#

# swapfile_t is for swap files

#

type swapfile_t, file_type, sysadmfile;

#

# locale_t is the type for system localization

# 

type locale_t, file_type, sysadmfile;

#

# Allow each file type to be associated with 

# the default file system type.

#

allow { file_type device_type ttyfile } fs_t:filesystem associate;

ifdef(`distro_redhat', `

allow { dev_fs ttyfile } tmpfs_t:filesystem associate;

')

# Allow the pty to be associated with the file system.

allow devpts_t self:filesystem associate;

type tmpfs_t, file_type, sysadmfile, fs_type;

allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;

type autofs_t, fs_type, noexattrfile, sysadmfile;

allow autofs_t self:filesystem associate;

type usbdevfs_t, fs_type, noexattrfile, sysadmfile;

allow usbdevfs_t self:filesystem associate;

type sysfs_t, fs_type,  sysadmfile;

allow sysfs_t self:filesystem associate;

type iso9660_t, fs_type, noexattrfile, sysadmfile;

allow iso9660_t self:filesystem associate;

type romfs_t, fs_type, sysadmfile;

allow romfs_t self:filesystem associate;

type ramfs_t, fs_type, sysadmfile;

allow ramfs_t self:filesystem associate;

type dosfs_t, fs_type, noexattrfile, sysadmfile;

allow dosfs_t self:filesystem associate;

# udev_runtime_t is the type of the udev table file

type udev_runtime_t, file_type, sysadmfile;

# krb5_conf_t is the type of the /etc/krb5.conf file

type krb5_conf_t, file_type, sysadmfile;

type cifs_t, fs_type, noexattrfile, sysadmfile;

allow cifs_t self:filesystem associate;

typealias cifs_t alias sambafs_t;

# removable_t is the default type of all removable media

type removable_t, file_type, sysadmfile, usercanread;

allow removable_t self:filesystem associate;

allow file_type removable_t:filesystem associate;

allow file_type noexattrfile:filesystem associate;