policy_module(files, 1.28.5)

########################################
#
# Declarations
#

# file_type is the umbrella attribute for persistent file labels. Types
# normally join it through interfaces such as files_type() and
# files_mountpoint() (defined in files.if, not shown here). Rules written
# against file_type — see "Rules for all file types" and the unconfined
# section below — apply to every member type at once, so adding a type to
# this attribute widens those grants.
attribute file_type;

# Domains carrying files_unconfined_type receive the blanket file,
# directory and filesystem permissions in "Unconfined access to this
# module" below; membership amounts to full control over every file_type
# object, so it should be granted only to genuinely unconfined domains.
attribute files_unconfined_type;

attribute lockfile;
attribute mountpoint;
attribute pidfile;
attribute configfile;
attribute spoolfile;

# For labeling types that are to be polyinstantiated
attribute polydir;

# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
attribute polyparent;

# And labeling for the member directories
attribute polymember;

# Sensitive security files whose accesses should not be dontaudited by
# other modules: denials on these types must stay visible in the audit
# log rather than being silenced by convenience dontaudit rules.
attribute security_file_type;
# and its opposite
attribute non_security_file_type;

# Sensitive authentication files whose accesses should not be dontaudited,
# for the same reason as security_file_type.
attribute auth_file_type;
# and its opposite
attribute non_auth_file_type;

attribute tmpfile;
attribute tmpfsfile;

# this attribute is not currently used and will be removed in the future.
# unfortunately, this attribute can not be removed yet because it may cause
# some policies to fail to link if it is still required.
attribute usercanread;

#
# boot_t is the type for files in /boot
#
type boot_t;
files_mountpoint(boot_t)

#
# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
# other than the generic /.* specification.
#
# NOTE(review): objects labeled default_t usually indicate a missing
# file_contexts entry; keep access to this type narrow and treat its
# appearance on a system as something to investigate rather than allow.
#
type default_t;
files_mountpoint(default_t)

#
# etc_t is the type of the system etc directories.
#
# etc_t also carries the configfile attribute declared above, so rules
# written against configfile cover /etc as well.
#
type etc_t, configfile;
files_type(etc_t)

optional_policy(`
	# for systemd ProtectSystem
	init_mountpoint(etc_t)
')

#
# etc_runtime_t is the type of various
# files in /etc that are automatically
# generated during initialization.
#
type etc_runtime_t;
files_type(etc_runtime_t)

#
# home_root_t is the type for the directory where user home directories
# are created
#
type home_root_t;
files_mountpoint(home_root_t)
# the home root is the parent of polyinstantiated per-user home directories
files_poly_parent(home_root_t)

#
# lost_found_t is the type for the lost+found directories.
#
type lost_found_t;
files_type(lost_found_t)

#
# mnt_t is the type for mount points such as /mnt/cdrom
#
type mnt_t;
files_mountpoint(mnt_t)

#
# modules_object_t is the type for kernel modules
#
type modules_object_t;
files_type(modules_object_t)

optional_policy(`
	# presumably for systemd sandboxing options that bind-mount the
	# modules tree (as with etc_t above) -- confirm against init policy
	init_mountpoint(modules_object_t)
')

# NOTE(review): no rules for no_access_t, poly_t or readable_t are visible
# in this file; their meaning is determined by the file_contexts entries
# and interfaces elsewhere that reference them.
type no_access_t;
files_type(no_access_t)

type poly_t;
files_type(poly_t)

type readable_t;
files_type(readable_t)

#
# root_t is the type for rootfs and the root directory.
#
type root_t;
files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
# label the in-kernel rootfs itself (the filesystem present before the
# real root is mounted over it) as root_t
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)

#
# src_t is the type of files in the system src directories.
#
type src_t;
files_mountpoint(src_t)

#
# system_map_t is for the system.map files in /boot
#
# /proc/kallsyms is given the same label below so that both views of the
# kernel symbol table are governed by one type. Read access to
# system_map_t is worth keeping narrow: these files disclose kernel symbol
# addresses, which is information an attacker can use against kernel
# address-space randomization.
#
type system_map_t;
files_type(system_map_t)
genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)

optional_policy(`
	init_mountpoint(system_map_t)
')

#
# tmp_t is the type of the temporary directories
#
type tmp_t;
files_tmp_file(tmp_t)
files_mountpoint(tmp_t)
# /tmp is both polyinstantiated itself and the parent of the per-instance
# member directories
files_poly(tmp_t)
files_poly_parent(tmp_t)

#
# usr_t is the type for /usr.
#
type usr_t;
files_mountpoint(usr_t)

#
# var_t is the type of /var
#
type var_t;
files_mountpoint(var_t)

#
# var_lib_t is the type of /var/lib
#
type var_lib_t;
files_mountpoint(var_lib_t)

#
# var_lock_t is the type of /var/lock
#
type var_lock_t;
files_lock_file(var_lock_t)
files_mountpoint(var_lock_t)

#
# var_run_t is the type of /var/run, usually
# used for pid and other runtime files.
#
type var_run_t;
files_runtime_file(var_run_t)
files_mountpoint(var_run_t)

optional_policy(`
	# systemd-tmpfiles is allowed to manage symlinks of this type
	# (presumably the /var/run -> /run compatibility link -- confirm)
	systemd_tmpfilesd_managed(var_run_t, lnk_file)
')

#
# var_spool_t is the type of /var/spool
#
# NOTE(review): var_spool_t is declared through files_tmp_file() rather
# than files_type(), and it does not carry the spoolfile attribute
# declared at the top of this module; confirm both are intended.
#
type var_spool_t;
files_tmp_file(var_spool_t)

########################################
#
# Rules for all file types
#

# The filesystem "associate" permission decides whether an object with a
# given label may exist on a filesystem with a given label. Every
# file_type may live on a filesystem labeled with its own type.
allow file_type self:filesystem associate;

# ... and on the generic xattr-labeled, non-xattr, tmpfs, ramfs and
# hugetlbfs filesystem types, so files of any persistent type can be
# placed on any of them.
fs_associate(file_type)
fs_associate_noxattr(file_type)
fs_associate_tmpfs(file_type)
fs_associate_ramfs(file_type)
fs_associate_hugetlbfs(file_type)

########################################
#
# Rules for all tmp file types
#

# Any file_type may be created on a filesystem whose own label is tmp_t
# (presumably a /tmp mount labeled via a context= option -- confirm).
allow file_type tmp_t:filesystem associate;

# tmp file types may additionally live on tmpfs
fs_associate_tmpfs(tmpfile)

########################################
#
# Rules for all tmpfs file types
#

fs_associate_tmpfs(tmpfsfile)

########################################
#
# Unconfined access to this module
#

# Create/access any file in a labeled filesystem; this includes
# relabelfrom/relabelto on every file_type, i.e. the ability to rewrite
# any persistent label, which is why this attribute must stay limited to
# unconfined domains.
#
# NOTE(review): execmod on plain files is gated behind the allow_execmod
# tunable at the bottom of this section, and chr_file is consistently left
# without it, but execmod is granted unconditionally below on lnk_file,
# sock_file, fifo_file, blk_file and dir. Confirm whether the blk_file
# grant in particular should sit behind the same tunable.
allow files_unconfined_type file_type:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access watch };
allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms relabelfrom relabelto append map execute quotaon mounton open audit_access execmod watch };
allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access watch };
allow files_unconfined_type file_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch };

# Mount/unmount any filesystem with the context= option.
# relabelfrom/relabelto on the filesystem class also permits changing the
# label of an already-mounted filesystem.
allow files_unconfined_type file_type:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };

# Making a modified private file mapping executable (execmod) defeats
# W^X for the mapped file, so even unconfined domains only get it on
# plain files when the administrator enables the tunable.
tunable_policy(`allow_execmod',`
	allow files_unconfined_type file_type:file execmod;
')