464c5df247
Entrypoints into unconfined domains, like with confined domains, should be tightly controlled to make arbitrary code execution more difficult.
224 lines
4.6 KiB
Plaintext
224 lines
4.6 KiB
Plaintext
policy_module(files, 1.21.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute file_type;
|
|
attribute files_unconfined_type;
|
|
attribute lockfile;
|
|
attribute mountpoint;
|
|
attribute pidfile;
|
|
attribute configfile;
|
|
|
|
# For labeling types that are to be polyinstantiated
|
|
attribute polydir;
|
|
|
|
# And for labeling the parent directories of those polyinstantiated directories
|
|
# This is necessary for remounting the original in the parent to give
|
|
# security aware apps access
|
|
attribute polyparent;
|
|
|
|
# And labeling for the member directories
|
|
attribute polymember;
|
|
|
|
# sensitive security files whose accesses should
|
|
# not be dontaudited for uses
|
|
attribute security_file_type;
|
|
# and its opposite
|
|
attribute non_security_file_type;
|
|
|
|
# sensitive authentication files whose accesses should
|
|
# not be dontaudited for uses
|
|
attribute auth_file_type;
|
|
# and its opposite
|
|
attribute non_auth_file_type;
|
|
|
|
attribute tmpfile;
|
|
attribute tmpfsfile;
|
|
|
|
# this attribute is not currently used and will be removed in the future.
|
|
# unfortunately, this attribute can not be removed yet because it may cause
|
|
# some policies to fail to link if it is still required.
|
|
attribute usercanread;
|
|
|
|
#
|
|
# boot_t is the type for files in /boot
|
|
#
|
|
type boot_t;
|
|
files_mountpoint(boot_t)
|
|
|
|
# default_t is the default type for files that do not
|
|
# match any specification in the file_contexts configuration
|
|
# other than the generic /.* specification.
|
|
type default_t;
|
|
files_mountpoint(default_t)
|
|
|
|
#
|
|
# etc_t is the type of the system etc directories.
|
|
#
|
|
type etc_t, configfile;
|
|
files_type(etc_t)
|
|
# compatibility aliases for removed types:
|
|
typealias etc_t alias automount_etc_t;
|
|
typealias etc_t alias snmpd_etc_t;
|
|
|
|
#
|
|
# etc_runtime_t is the type of various
|
|
# files in /etc that are automatically
|
|
# generated during initialization.
|
|
#
|
|
type etc_runtime_t;
|
|
files_type(etc_runtime_t)
|
|
|
|
#
|
|
# home_root_t is the type for the directory where user home directories
|
|
# are created
|
|
#
|
|
type home_root_t;
|
|
files_mountpoint(home_root_t)
|
|
files_poly_parent(home_root_t)
|
|
|
|
#
|
|
# lost_found_t is the type for the lost+found directories.
|
|
#
|
|
type lost_found_t;
|
|
files_type(lost_found_t)
|
|
|
|
#
|
|
# mnt_t is the type for mount points such as /mnt/cdrom
|
|
#
|
|
type mnt_t;
|
|
files_mountpoint(mnt_t)
|
|
|
|
#
|
|
# modules_object_t is the type for kernel modules
|
|
#
|
|
type modules_object_t;
|
|
files_type(modules_object_t)
|
|
|
|
type no_access_t;
|
|
files_type(no_access_t)
|
|
|
|
type poly_t;
|
|
files_type(poly_t)
|
|
|
|
type readable_t;
|
|
files_type(readable_t)
|
|
|
|
#
|
|
# root_t is the type for rootfs and the root directory.
|
|
#
|
|
type root_t;
|
|
files_mountpoint(root_t)
|
|
files_poly_parent(root_t)
|
|
kernel_rootfs_mountpoint(root_t)
|
|
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
|
|
|
|
#
|
|
# src_t is the type of files in the system src directories.
|
|
#
|
|
type src_t;
|
|
files_mountpoint(src_t)
|
|
|
|
#
|
|
# system_map_t is for the system.map files in /boot
|
|
#
|
|
type system_map_t;
|
|
files_type(system_map_t)
|
|
genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
|
|
|
|
#
|
|
# tmp_t is the type of the temporary directories
|
|
#
|
|
type tmp_t;
|
|
files_tmp_file(tmp_t)
|
|
files_mountpoint(tmp_t)
|
|
files_poly(tmp_t)
|
|
files_poly_parent(tmp_t)
|
|
|
|
#
|
|
# usr_t is the type for /usr.
|
|
#
|
|
type usr_t;
|
|
files_mountpoint(usr_t)
|
|
|
|
#
|
|
# var_t is the type of /var
|
|
#
|
|
type var_t;
|
|
files_mountpoint(var_t)
|
|
|
|
#
|
|
# var_lib_t is the type of /var/lib
|
|
#
|
|
type var_lib_t;
|
|
files_mountpoint(var_lib_t)
|
|
|
|
#
|
|
# var_lock_t is tye type of /var/lock
|
|
#
|
|
type var_lock_t;
|
|
files_lock_file(var_lock_t)
|
|
files_mountpoint(var_lock_t)
|
|
|
|
#
|
|
# var_run_t is the type of /var/run, usually
|
|
# used for pid and other runtime files.
|
|
#
|
|
type var_run_t;
|
|
files_pid_file(var_run_t)
|
|
files_mountpoint(var_run_t)
|
|
|
|
#
|
|
# var_spool_t is the type of /var/spool
|
|
#
|
|
type var_spool_t;
|
|
files_tmp_file(var_spool_t)
|
|
|
|
########################################
|
|
#
|
|
# Rules for all file types
|
|
#
|
|
|
|
allow file_type self:filesystem associate;
|
|
|
|
fs_associate(file_type)
|
|
fs_associate_noxattr(file_type)
|
|
fs_associate_tmpfs(file_type)
|
|
fs_associate_ramfs(file_type)
|
|
fs_associate_hugetlbfs(file_type)
|
|
|
|
########################################
|
|
#
|
|
# Rules for all tmp file types
|
|
#
|
|
|
|
allow file_type tmp_t:filesystem associate;
|
|
|
|
fs_associate_tmpfs(tmpfile)
|
|
|
|
########################################
|
|
#
|
|
# Rules for all tmpfs file types
|
|
#
|
|
|
|
fs_associate_tmpfs(tmpfsfile)
|
|
|
|
########################################
|
|
#
|
|
# Unconfined access to this module
|
|
#
|
|
|
|
# Create/access any file in a labeled filesystem;
|
|
allow files_unconfined_type file_type:{ file chr_file } ~{ entrypoint execmod };
|
|
allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
|
|
|
|
# Mount/unmount any filesystem with the context= option.
|
|
allow files_unconfined_type file_type:filesystem *;
|
|
|
|
tunable_policy(`allow_execmod',`
|
|
allow files_unconfined_type file_type:file execmod;
|
|
')
|