policy_module(files, 1.26.0) ######################################## # # Declarations # attribute file_type; attribute files_unconfined_type; attribute lockfile; attribute mountpoint; attribute pidfile; attribute configfile; attribute spoolfile; # For labeling types that are to be polyinstantiated attribute polydir; # And for labeling the parent directories of those polyinstantiated directories # This is necessary for remounting the original in the parent to give # security aware apps access attribute polyparent; # And labeling for the member directories attribute polymember; # sensitive security files whose accesses should # not be dontaudited for uses attribute security_file_type; # and its opposite attribute non_security_file_type; # sensitive authentication files whose accesses should # not be dontaudited for uses attribute auth_file_type; # and its opposite attribute non_auth_file_type; attribute tmpfile; attribute tmpfsfile; # this attribute is not currently used and will be removed in the future. # unfortunately, this attribute can not be removed yet because it may cause # some policies to fail to link if it is still required. attribute usercanread; # # boot_t is the type for files in /boot # type boot_t; files_mountpoint(boot_t) # compatibility aliases for removed types: typealias boot_t alias bootloader_run_t; # default_t is the default type for files that do not # match any specification in the file_contexts configuration # other than the generic /.* specification. type default_t; files_mountpoint(default_t) # # etc_t is the type of the system etc directories. # type etc_t, configfile; files_type(etc_t) # compatibility aliases for removed types: typealias etc_t alias automount_etc_t; typealias etc_t alias snmpd_etc_t; # # etc_runtime_t is the type of various # files in /etc that are automatically # generated during initialization. # type etc_runtime_t; files_type(etc_runtime_t) # # home_root_t is the type for the directory where user home directories # are created # type home_root_t; files_mountpoint(home_root_t) files_poly_parent(home_root_t) # # lost_found_t is the type for the lost+found directories. # type lost_found_t; files_type(lost_found_t) # # mnt_t is the type for mount points such as /mnt/cdrom # type mnt_t; files_mountpoint(mnt_t) # # modules_object_t is the type for kernel modules # type modules_object_t; files_type(modules_object_t) type no_access_t; files_type(no_access_t) type poly_t; files_type(poly_t) type readable_t; files_type(readable_t) # # root_t is the type for rootfs and the root directory. # type root_t; files_mountpoint(root_t) files_poly_parent(root_t) kernel_rootfs_mountpoint(root_t) genfscon rootfs / gen_context(system_u:object_r:root_t,s0) # # src_t is the type of files in the system src directories. # type src_t; files_mountpoint(src_t) # # system_map_t is for the system.map files in /boot # type system_map_t; files_type(system_map_t) genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0) # # tmp_t is the type of the temporary directories # type tmp_t; files_tmp_file(tmp_t) files_mountpoint(tmp_t) files_poly(tmp_t) files_poly_parent(tmp_t) # # usr_t is the type for /usr. # type usr_t; files_mountpoint(usr_t) # # var_t is the type of /var # type var_t; files_mountpoint(var_t) # # var_lib_t is the type of /var/lib # type var_lib_t; files_mountpoint(var_lib_t) # # var_lock_t is tye type of /var/lock # type var_lock_t; files_lock_file(var_lock_t) files_mountpoint(var_lock_t) # # var_run_t is the type of /var/run, usually # used for pid and other runtime files. # type var_run_t; files_pid_file(var_run_t) files_mountpoint(var_run_t) optional_policy(` systemd_tmpfilesd_managed(var_run_t, lnk_file) ') # # var_spool_t is the type of /var/spool # type var_spool_t; files_tmp_file(var_spool_t) ######################################## # # Rules for all file types # allow file_type self:filesystem associate; fs_associate(file_type) fs_associate_noxattr(file_type) fs_associate_tmpfs(file_type) fs_associate_ramfs(file_type) fs_associate_hugetlbfs(file_type) ######################################## # # Rules for all tmp file types # allow file_type tmp_t:filesystem associate; fs_associate_tmpfs(tmpfile) ######################################## # # Rules for all tmpfs file types # fs_associate_tmpfs(tmpfsfile) ######################################## # # Unconfined access to this module # # Create/access any file in a labeled filesystem; allow files_unconfined_type file_type:file { manage_file_perms relabelfrom relabelto map execute swapon quotaon mounton execute_no_trans audit_access }; allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms relabelfrom relabelto append map execute swapon quotaon mounton open audit_access execmod }; allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabelfrom relabelto map execute swapon quotaon mounton audit_access execmod }; allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute swapon quotaon mounton audit_access execmod }; allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabelfrom relabelto map execute swapon quotaon mounton audit_access execmod }; allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute swapon quotaon mounton execute_no_trans audit_access }; allow files_unconfined_type file_type:dir { manage_dir_perms relabelfrom relabelto append map execute swapon quotaon mounton add_name remove_name reparent search rmdir audit_access execmod }; # Mount/unmount any filesystem with the context= option. allow files_unconfined_type file_type:filesystem { mount remount unmount getattr relabelfrom relabelto transition associate quotamod quotaget }; tunable_policy(`allow_execmod',` allow files_unconfined_type file_type:file execmod; ')