selinux-refpolicy/policy/modules/kernel/files.te
Chris PeBenito 464c5df247 Reduce broad entrypoints for unconfined domains.
Entrypoints into unconfined domains, like with confined domains, should be
tightly controlled to make arbitrary code execution more difficult.
2016-03-22 15:43:30 -04:00

224 lines
4.6 KiB
Plaintext

policy_module(files, 1.21.1)
########################################
#
# Declarations
#
attribute file_type;
attribute files_unconfined_type;
attribute lockfile;
attribute mountpoint;
attribute pidfile;
attribute configfile;
# For labeling types that are to be polyinstantiated
attribute polydir;
# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
attribute polyparent;
# And labeling for the member directories
attribute polymember;
# sensitive security files whose accesses should
# not be dontaudited for uses
attribute security_file_type;
# and its opposite
attribute non_security_file_type;
# sensitive authentication files whose accesses should
# not be dontaudited for uses
attribute auth_file_type;
# and its opposite
attribute non_auth_file_type;
attribute tmpfile;
attribute tmpfsfile;
# this attribute is not currently used and will be removed in the future.
# unfortunately, this attribute can not be removed yet because it may cause
# some policies to fail to link if it is still required.
attribute usercanread;
#
# boot_t is the type for files in /boot
#
type boot_t;
files_mountpoint(boot_t)
# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
# other than the generic /.* specification.
type default_t;
files_mountpoint(default_t)
#
# etc_t is the type of the system etc directories.
#
type etc_t, configfile;
files_type(etc_t)
# compatibility aliases for removed types:
typealias etc_t alias automount_etc_t;
typealias etc_t alias snmpd_etc_t;
#
# etc_runtime_t is the type of various
# files in /etc that are automatically
# generated during initialization.
#
type etc_runtime_t;
files_type(etc_runtime_t)
#
# home_root_t is the type for the directory where user home directories
# are created
#
type home_root_t;
files_mountpoint(home_root_t)
files_poly_parent(home_root_t)
#
# lost_found_t is the type for the lost+found directories.
#
type lost_found_t;
files_type(lost_found_t)
#
# mnt_t is the type for mount points such as /mnt/cdrom
#
type mnt_t;
files_mountpoint(mnt_t)
#
# modules_object_t is the type for kernel modules
#
type modules_object_t;
files_type(modules_object_t)
type no_access_t;
files_type(no_access_t)
type poly_t;
files_type(poly_t)
type readable_t;
files_type(readable_t)
#
# root_t is the type for rootfs and the root directory.
#
type root_t;
files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
#
# src_t is the type of files in the system src directories.
#
type src_t;
files_mountpoint(src_t)
#
# system_map_t is for the system.map files in /boot
#
type system_map_t;
files_type(system_map_t)
genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
#
# tmp_t is the type of the temporary directories
#
type tmp_t;
files_tmp_file(tmp_t)
files_mountpoint(tmp_t)
files_poly(tmp_t)
files_poly_parent(tmp_t)
#
# usr_t is the type for /usr.
#
type usr_t;
files_mountpoint(usr_t)
#
# var_t is the type of /var
#
type var_t;
files_mountpoint(var_t)
#
# var_lib_t is the type of /var/lib
#
type var_lib_t;
files_mountpoint(var_lib_t)
#
# var_lock_t is tye type of /var/lock
#
type var_lock_t;
files_lock_file(var_lock_t)
files_mountpoint(var_lock_t)
#
# var_run_t is the type of /var/run, usually
# used for pid and other runtime files.
#
type var_run_t;
files_pid_file(var_run_t)
files_mountpoint(var_run_t)
#
# var_spool_t is the type of /var/spool
#
type var_spool_t;
files_tmp_file(var_spool_t)
########################################
#
# Rules for all file types
#
allow file_type self:filesystem associate;
fs_associate(file_type)
fs_associate_noxattr(file_type)
fs_associate_tmpfs(file_type)
fs_associate_ramfs(file_type)
fs_associate_hugetlbfs(file_type)
########################################
#
# Rules for all tmp file types
#
allow file_type tmp_t:filesystem associate;
fs_associate_tmpfs(tmpfile)
########################################
#
# Rules for all tmpfs file types
#
fs_associate_tmpfs(tmpfsfile)
########################################
#
# Unconfined access to this module
#
# Create/access any file in a labeled filesystem;
allow files_unconfined_type file_type:{ file chr_file } ~{ entrypoint execmod };
allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
# Mount/unmount any filesystem with the context= option.
allow files_unconfined_type file_type:filesystem *;
tunable_policy(`allow_execmod',`
allow files_unconfined_type file_type:file execmod;
')