#
# /
#
# Catch-all fallback: any path that no more specific entry matches is labeled default_t.
# Files that end up as default_t usually indicate a missing file-context entry.
/.* gen_context(system_u:object_r:default_t,s0)
/ -d gen_context(system_u:object_r:root_t,s0)
# <<none>> assigns no context: matching files are skipped when labels are
# applied from this file, so /.journal keeps whatever label it already has.
/\.journal <<none>>
/afs -d gen_context(system_u:object_r:mnt_t,s0)
/initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0)
/vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0)
ifdef(`distro_redhat',`
/\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
/\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0)
/\.suspended -- gen_context(system_u:object_r:etc_runtime_t,s0)
/fastboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
/forcefsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
/poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
ifdef(`distro_suse',`
/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
#
# /boot
#
/boot -d gen_context(system_u:object_r:boot_t,s0)
/boot/.* gen_context(system_u:object_r:boot_t,s0)
/boot/\.journal <<none>>
/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/boot/lost\+found/.* <<none>>
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
#
# /emul
#
/emul -d gen_context(system_u:object_r:usr_t,s0)
/emul/.* gen_context(system_u:object_r:usr_t,s0)
#
# /etc
#
/etc -d gen_context(system_u:object_r:etc_t,s0)
/etc/.* gen_context(system_u:object_r:etc_t,s0)
/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/cmtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
/etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
/etc/network/ifstate -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
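# The dot is escaped so that only the literal name zpool.cache matches;
# an unescaped dot is a regex wildcard and would match any character there.
/etc/zfs/zpool\.cache -- gen_context(system_u:object_r:etc_runtime_t,s0)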
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
ifdef(`distro_redhat',`
/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0)
')
ifdef(`distro_suse',`
/etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/rc\.d/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
#
# HOME_ROOT
# expanded by genhomedircon
#
HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
HOME_ROOT -l gen_context(system_u:object_r:home_root_t,s0)
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
HOME_ROOT/lost\+found/.* <<none>>
#
# /initrd
#
# initrd mount point, only used during boot
/initrd -d gen_context(system_u:object_r:root_t,s0)
#
# /lost+found
#
# The lost+found directory is labeled at mls_systemhigh rather than s0.
# NOTE(review): presumably because fsck can place recovered files of any
# sensitivity here - confirm against the MLS policy intent.
/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/lost\+found/.* <<none>>
#
# /media
#
# Mount points; do not relabel subdirectories, since
# we don't want to change any removable media by default.
/media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/media/[^/]*/.* <<none>>
/media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
#
# /misc
#
/misc -d gen_context(system_u:object_r:mnt_t,s0)
#
# /mnt
#
/mnt(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/mnt/[^/]*/.* <<none>>
#
# /net
#
/net -d gen_context(system_u:object_r:mnt_t,s0)
#
# /opt
#
/opt -d gen_context(system_u:object_r:usr_t,s0)
/opt/.* gen_context(system_u:object_r:usr_t,s0)
/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
#
# /proc
#
/proc -d <<none>>
/proc/.* <<none>>
#
# /run
#
/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/run -l gen_context(system_u:object_r:var_run_t,s0)
/run/shm -l gen_context(system_u:object_r:var_run_t,s0)
/run/.* <<none>>
#
# /selinux
#
/selinux -d <<none>>
/selinux/.* <<none>>
#
# /srv
#
/srv -d gen_context(system_u:object_r:var_t,s0)
/srv/.* gen_context(system_u:object_r:var_t,s0)
#
# /tmp
#
# The /tmp directory itself carries the range s0-mls_systemhigh. The generic
# /tmp/.* entry is <<none>>, so apart from the specific entries that follow,
# this file does not assign labels to the contents of /tmp.
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/tmp/.* <<none>>
/tmp/\.journal <<none>>
/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/tmp/lost\+found/.* <<none>>
/tmp/systemd-private-[^/]+ -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/tmp/systemd-private-[^/]+/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/tmp/systemd-private-[^/]+/tmp/.* <<none>>
#
# /usr
#
/usr -d gen_context(system_u:object_r:usr_t,s0)
/usr/.* gen_context(system_u:object_r:usr_t,s0)
/usr/\.journal <<none>>
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
# Avoid triggering m4's include macro by splitting the word with an empty quoted string
/usr/include`'(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/local/\.journal <<none>>
/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/local/lost\+found/.* <<none>>
/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/lost\+found/.* <<none>>
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/usr/tmp/.* <<none>>
ifdef(`distro_debian',`
# on Debian /lib/init/rw is a tmpfs used like /run
/usr/lib/init/rw(/.*)? gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/run/resolvconf(/.*)? -d gen_context(system_u:object_r:etc_t,s0)
')
ifndef(`distro_redhat',`
/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
#
# /var
#
/var -d gen_context(system_u:object_r:var_t,s0)
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
/var/lock -d gen_context(system_u:object_r:var_lock_t,s0-mls_systemhigh)
/var/lock -l gen_context(system_u:object_r:var_lock_t,s0)
/var/lock/subsys -d gen_context(system_u:object_r:var_lock_t,s0-mls_systemhigh)
/var/lock/.* <<none>>
/var/log/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/lost\+found/.* <<none>>
/var/log/audit/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/log/audit/lost\+found/.* <<none>>
/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/lost\+found/.* <<none>>
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/var/tmp -l gen_context(system_u:object_r:tmp_t,s0)
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
/var/tmp/systemd-private-[^/]+ -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/var/tmp/systemd-private-[^/]+/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/var/tmp/systemd-private-[^/]+/tmp/.* <<none>>
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)