selinux-refpolicy/policy/modules/kernel/files.fc
Chris PeBenito b4cbbb1fd8 Allow mount to write to all of its runtime files, from Guido Trentalancia
Allow mount to write not only to /etc/mtab but also to the /etc/mtab~[0-9]\{0,20\}
lock files (the number corresponds to the PID). Such files are still mistakenly
being labelled as etc_t instead of etc_runtime_t (thus preventing the successful
completion of the write operation and the accumulation of unremovable stale lock
files over several operation attempts as in normal system reboots, for example).

Do the same with the standard mount temporary file /etc/mtab.tmp.

The above refers to mount from util-linux-2.21.2 from kernel.org. See mount -vvv
for the location of such files.
2012-06-26 09:51:57 -04:00

267 lines
7.9 KiB
Plaintext

#
# /
#
/.* gen_context(system_u:object_r:default_t,s0)
/ -d gen_context(system_u:object_r:root_t,s0)
/\.journal <<none>>
/afs -d gen_context(system_u:object_r:mnt_t,s0)
/initrd\.img.* -l gen_context(system_u:object_r:boot_t,s0)
/vmlinuz.* -l gen_context(system_u:object_r:boot_t,s0)
ifdef(`distro_redhat',`
/\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
/\.autorelabel -- gen_context(system_u:object_r:etc_runtime_t,s0)
/\.suspended -- gen_context(system_u:object_r:etc_runtime_t,s0)
/fastboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
/forcefsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
/halt -- gen_context(system_u:object_r:etc_runtime_t,s0)
/poweroff -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
ifdef(`distro_suse',`
/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
#
# /boot
#
/boot -d gen_context(system_u:object_r:boot_t,s0)
/boot/.* gen_context(system_u:object_r:boot_t,s0)
/boot/\.journal <<none>>
/boot/efi(/.*)?/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/boot/lost\+found/.* <<none>>
/boot/System\.map(-.*)? -- gen_context(system_u:object_r:system_map_t,s0)
#
# /emul
#
/emul -d gen_context(system_u:object_r:usr_t,s0)
/emul/.* gen_context(system_u:object_r:usr_t,s0)
#
# /etc
#
/etc -d gen_context(system_u:object_r:etc_t,s0)
/etc/.* gen_context(system_u:object_r:etc_t,s0)
/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/cmtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/fstab\.REVOKE -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/cups/client\.conf -- gen_context(system_u:object_r:etc_t,s0)
/etc/ipsec\.d/examples(/.*)? gen_context(system_u:object_r:etc_t,s0)
/etc/network/ifstate -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/ptal/ptal-printd-like -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/hwconf -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
ifdef(`distro_gentoo', `
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/env\.d/.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
ifdef(`distro_redhat',`
/etc/rhgb(/.*)? -d gen_context(system_u:object_r:mnt_t,s0)
')
ifdef(`distro_suse',`
/etc/defkeymap\.map -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/init\.d/\.depend.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
#
# HOME_ROOT
# expanded by genhomedircon
#
HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
HOME_ROOT -l gen_context(system_u:object_r:home_root_t,s0)
HOME_ROOT/\.journal <<none>>
HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
HOME_ROOT/lost\+found/.* <<none>>
#
# /initrd
#
# initrd mount point, only used during boot
/initrd -d gen_context(system_u:object_r:root_t,s0)
#
# /lib(64)?
#
/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
ifdef(`distro_debian',`
# on Debian /lib/init/rw is a tmpfs used like /var/run but
# before /var is mounted
/lib/init/rw(/.*)? gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
')
#
# /lost+found
#
/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/lost\+found/.* <<none>>
#
# /media
#
# Mount points; do not relabel subdirectories, since
# we don't want to change any removable media by default.
/media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/media/[^/]*/.* <<none>>
/media/\.hal-.* -- gen_context(system_u:object_r:mnt_t,s0)
#
# /misc
#
/misc -d gen_context(system_u:object_r:mnt_t,s0)
#
# /mnt
#
/mnt(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/mnt/[^/]*/.* <<none>>
#
# /net
#
/net -d gen_context(system_u:object_r:mnt_t,s0)
#
# /opt
#
/opt -d gen_context(system_u:object_r:usr_t,s0)
/opt/.* gen_context(system_u:object_r:usr_t,s0)
/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
#
# /proc
#
/proc -d <<none>>
/proc/.* <<none>>
#
# /run
#
/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/run/.* gen_context(system_u:object_r:var_run_t,s0)
/run/.*\.*pid <<none>>
/run/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
#
# /selinux
#
/selinux -d <<none>>
/selinux/.* <<none>>
#
# /srv
#
/srv -d gen_context(system_u:object_r:var_t,s0)
/srv/.* gen_context(system_u:object_r:var_t,s0)
#
# /tmp
#
/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/tmp/.* <<none>>
/tmp/\.journal <<none>>
/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/tmp/lost\+found/.* <<none>>
#
# /usr
#
/usr -d gen_context(system_u:object_r:usr_t,s0)
/usr/.* gen_context(system_u:object_r:usr_t,s0)
/usr/\.journal <<none>>
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/local/\.journal <<none>>
/usr/local/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/local/lost\+found/.* <<none>>
/usr/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/usr/lost\+found/.* <<none>>
/usr/share/doc(/.*)?/README.* gen_context(system_u:object_r:usr_t,s0)
/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/usr/tmp/.* <<none>>
ifndef(`distro_redhat',`
/usr/local/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
')
#
# /var
#
/var -d gen_context(system_u:object_r:var_t,s0)
/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
/var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
/var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0)
/var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/lost\+found/.* <<none>>
/var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
/var/run -l gen_context(system_u:object_r:var_run_t,s0)
/var/run/.* gen_context(system_u:object_r:var_run_t,s0)
/var/run/.*\.*pid <<none>>
/var/spool(/.*)? gen_context(system_u:object_r:var_spool_t,s0)
/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
/var/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
/var/tmp -l gen_context(system_u:object_r:tmp_t,s0)
/var/tmp/.* <<none>>
/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
/var/tmp/lost\+found/.* <<none>>
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
ifdef(`distro_debian',`
/var/run/motd -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')