# File Labeling Statements

## filecon

Define entries for labeling files. The compiler will produce these entries in a file called `file_contexts`(5), by default in the cwd. The compiler option `[-f|--filecontext <filename>]` may be used to specify a different path or file name.

**Statement definition:**

```secil
(filecon "path" file_type context_id)
```

**Where:**

| Keyword | Description |
|---|---|
| `filecon` | The `filecon` keyword. |
| `path` | A string representing the file path that may be in the form of a regular expression. The string must be enclosed within double quotes (e.g. `"/system/bin/run-as"` or `"/dev/socket/wpa_wlan[0-9]"`). |
| `file_type` | A single keyword representing a file type in the `file_contexts` file as follows: `file` (`--`), `dir` (`-d`), `char` (`-c`), `block` (`-b`), `socket` (`-s`), `pipe` (`-p`), `symlink` (`-l`), `any` (no type entry). |
| `context_id` | The security context to be allocated to the file, which may be: a previously defined `context` identifier; an anonymous context consisting of `user role type levelrange` identifiers; or an empty context list `()`, which indicates that matching files should not be re-labeled (written as `<<none>>` in `file_contexts`). |
**Examples:**

These examples use one named, one anonymous and one empty context definition:

```secil
(context runas_exec_context (u object_r exec low_low))
(filecon "/system/bin/run-as" file runas_exec_context)
(filecon "/dev/socket/wpa_wlan[0-9]" any (u object_r wpa.socket ((s0)(s0))))
(filecon "/data/local/mine" dir ())
```

to resolve/build `file_contexts` entries of (assuming MLS enabled policy):

```
/system/bin/run-as -- u:object_r:runas.exec:s0
/dev/socket/wpa_wlan[0-9] u:object_r:wpa.socket:s0
/data/local/mine -d <<none>>
```
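To make the resolution from `filecon` statements to `file_contexts` lines concrete, here is an added Python example; it is not part of the CIL documentation or of secilc. It re-implements only the pieces shown above: the `file_type` keyword to type-field mapping, named versus anonymous contexts, and the empty context list producing `<<none>>`. It assumes `low_low` is a declared levelrange equal to s0-s0, renders sensitivities only (no categories), and the constructed input spells the named context's type as `runas.exec` so the output matches the entries above.

```python
import re
# filecon file_type keyword -> file_contexts(5) type field ("any" emits no field)
FILE_TYPE_FIELD = {"file": "--", "dir": "-d", "char": "-c", "block": "-b",
                   "socket": "-s", "pipe": "-p", "symlink": "-l", "any": None}
# Assumed (not on the page): levelrange low_low is s0 to s0. SAMPLE is constructed input.
NAMED_RANGES = {"low_low": [["s0"], ["s0"]]}
SAMPLE = '''
(context runas_exec_context (u object_r runas.exec low_low))
(filecon "/system/bin/run-as" file runas_exec_context)
(filecon "/dev/socket/wpa_wlan[0-9]" any (u object_r wpa.socket ((s0)(s0))))
(filecon "/data/local/mine" dir ())
'''

def parse_cil(src):
    """Parse CIL s-expressions into nested lists; quoted strings lose their quotes."""
    stack = [[]]
    for tok in re.findall(r'[()]|"[^"]*"|[^\s()"]+', src):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())
        else:
            stack[-1].append(tok.strip('"'))
    if len(stack) != 1:
        raise ValueError("unbalanced parentheses in CIL source")
    return stack[0]

def render_context(ctx, contexts):
    # ctx: a context id, an anonymous (user role type levelrange) list, or () for <<none>>
    if isinstance(ctx, str):
        ctx = contexts[ctx]              # KeyError: undeclared context identifier
    if not ctx:
        return "<<none>>"                # empty context list: matching files are not relabeled
    user, role, type_, rng = ctx
    if isinstance(rng, str):
        rng = NAMED_RANGES[rng]          # named levelrange identifier
    low, high = (lvl[0] for lvl in rng)  # each level is (sens) or (sens (cats)); sens only
    return f"{user}:{role}:{type_}:{low}" + ("" if low == high else f"-{high}")

def compile_file_contexts(src):
    """Return the file_contexts lines the filecon statements in src resolve to."""
    contexts, lines = {}, []
    for stmt in parse_cil(src):
        if stmt[0] == "context":
            contexts[stmt[1]] = stmt[2]
        elif stmt[0] == "filecon":
            _, path, ftype, ctx = stmt
            field = FILE_TYPE_FIELD[ftype]   # KeyError: invalid file_type keyword
            fields = [path] + ([field] if field else []) + [render_context(ctx, contexts)]
            lines.append(" ".join(fields))
    return lines
```

Running `compile_file_contexts(SAMPLE)` yields the three entries listed above; an undeclared context identifier or an unknown `file_type` keyword raises `KeyError`, mirroring a compile-time rejection.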
## fsuse

Label filesystems that support SELinux security contexts.

**Statement definition:**

```secil
(fsuse fstype fsname context_id)
```

**Where:**

| Keyword | Description |
|---|---|
| `fsuse` | The `fsuse` keyword. |
| `fstype` | A single keyword representing the type of filesystem as follows: `xattr` for filesystems that support the `security.selinux` extended attribute, so labels are persistent; `task` for pseudo filesystems that support task-related services such as pipes and sockets; `trans` for pseudo filesystems such as pseudo terminals and temporary objects. |
| `fsname` | Name of the supported filesystem (e.g. `ext4` or `pipefs`). |
| `context_id` | The security context to be allocated to the filesystem. A previously declared `context` identifier or an anonymous security context (`user role type levelrange`); the range must be defined whether the policy is MLS/MCS enabled or not. |
**Examples:**

The context identifiers are declared in the `file` namespace and the `fsuse` statements in the global namespace:

```secil
(block file
    (type labeledfs)
    (roletype object_r labeledfs)
    (context labeledfs_context (u object_r labeledfs low_low))
    (type pipefs)
    (roletype object_r pipefs)
    (context pipefs_context (u object_r pipefs low_low))
    ...
)
(fsuse xattr ext4 file.labeledfs_context)
(fsuse xattr btrfs file.labeledfs_context)
(fsuse task pipefs file.pipefs_context)
(fsuse task sockfs file.sockfs_context)
(fsuse trans devpts file.devpts_context)
(fsuse trans tmpfs file.tmpfs_context)
```
## genfscon

Used to allocate a security context to filesystems that cannot support any of the `fsuse` file labeling options. Generally a filesystem would have a single default security context assigned by `genfscon` from the root (`/`) that would then be inherited by all files and directories on that filesystem. The exception to this is the `/proc` filesystem, where directories can be labeled with a specific security context (as shown in the examples).

**Statement definition:**

```secil
(genfscon fsname path [file_type] context_id)
```

**Where:**

| Keyword | Description |
|---|---|
| `genfscon` | The `genfscon` keyword. |
| `fsname` | Name of the supported filesystem (e.g. `rootfs` or `proc`). |
| `path` | If `fsname` is `proc` then the partition name, otherwise `/`. |
| `file_type` | Optional keyword representing a file type. Valid values are the same as in [`filecon`](cil_file_labeling_statements.md#filecon) rules. |
| `context_id` | A previously declared `context` identifier or an anonymous security context (`user role type levelrange`); the range must be defined whether the policy is MLS/MCS enabled or not. |

**Examples:**

The context identifiers are declared in the `file` namespace and the `genfscon` statements are then inserted using the `in` container statement:
```secil
(block file
    (type rootfs)
    (roletype object_r rootfs)
    (context rootfs_context (u object_r rootfs low_low))
    (type proc)
    (roletype object_r proc)
    (context proc_context (u object_r proc low_low))
    ...
)
(in file
    (genfscon rootfs / rootfs_context)
    ; proc labeling can be further refined (longest matching prefix).
    (genfscon proc / proc_context)
    (genfscon proc /net/xt_qtaguid/ctrl qtaguid_proc_context)
    (genfscon proc /sysrq-trigger sysrq_proc_context)
    (genfscon selinuxfs / selinuxfs_context)
)
```