244 lines
6.0 KiB
Plaintext
244 lines
6.0 KiB
Plaintext
policy_module(files)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
attribute file_type;
|
|
attribute files_unconfined_type;
|
|
attribute lockfile;
|
|
attribute mountpoint;
|
|
attribute pidfile;
|
|
attribute configfile;
|
|
attribute spoolfile;
|
|
|
|
# For labeling types that are to be polyinstantiated
|
|
attribute polydir;
|
|
|
|
# And for labeling the parent directories of those polyinstantiated directories
|
|
# This is necessary for remounting the original in the parent to give
|
|
# security aware apps access
|
|
attribute polyparent;
|
|
|
|
# And labeling for the member directories
|
|
attribute polymember;
|
|
|
|
# sensitive security files whose accesses should
|
|
# not be dontaudited for uses
|
|
attribute security_file_type;
|
|
# and its opposite
|
|
attribute non_security_file_type;
|
|
|
|
# sensitive authentication files whose accesses should
|
|
# not be dontaudited for uses
|
|
attribute auth_file_type;
|
|
# and its opposite
|
|
attribute non_auth_file_type;
|
|
|
|
attribute tmpfile;
|
|
attribute tmpfsfile;
|
|
|
|
# this attribute is not currently used and will be removed in the future.
|
|
# unfortunately, this attribute can not be removed yet because it may cause
|
|
# some policies to fail to link if it is still required.
|
|
attribute usercanread;
|
|
|
|
#
|
|
# boot_t is the type for files in /boot
|
|
#
|
|
type boot_t;
|
|
files_mountpoint(boot_t)
|
|
|
|
# default_t is the default type for files that do not
|
|
# match any specification in the file_contexts configuration
|
|
# other than the generic /.* specification.
|
|
type default_t;
|
|
files_mountpoint(default_t)
|
|
|
|
#
|
|
# etc_t is the type of the system etc directories.
|
|
#
|
|
type etc_t, configfile;
|
|
files_type(etc_t)
|
|
|
|
optional_policy(`
|
|
# for systemd ProtectSystem
|
|
init_mountpoint(etc_t)
|
|
')
|
|
|
|
#
|
|
# etc_runtime_t is the type of various
|
|
# files in /etc that are automatically
|
|
# generated during initialization.
|
|
#
|
|
type etc_runtime_t, configfile;
|
|
files_type(etc_runtime_t)
|
|
|
|
#
|
|
# home_root_t is the type for the directory where user home directories
|
|
# are created
|
|
#
|
|
type home_root_t;
|
|
files_mountpoint(home_root_t)
|
|
files_poly_parent(home_root_t)
|
|
|
|
#
|
|
# lost_found_t is the type for the lost+found directories.
|
|
#
|
|
type lost_found_t;
|
|
files_type(lost_found_t)
|
|
|
|
#
|
|
# mnt_t is the type for mount points such as /mnt/cdrom
|
|
#
|
|
type mnt_t;
|
|
files_mountpoint(mnt_t)
|
|
|
|
#
|
|
# modules_object_t is the type for kernel modules
|
|
#
|
|
type modules_object_t;
|
|
files_type(modules_object_t)
|
|
|
|
optional_policy(`
|
|
init_mountpoint(modules_object_t)
|
|
')
|
|
|
|
type no_access_t;
|
|
files_type(no_access_t)
|
|
|
|
type poly_t;
|
|
files_type(poly_t)
|
|
|
|
type readable_t;
|
|
files_type(readable_t)
|
|
|
|
#
|
|
# root_t is the type for rootfs and the root directory.
|
|
#
|
|
type root_t;
|
|
files_mountpoint(root_t)
|
|
files_poly_parent(root_t)
|
|
kernel_rootfs_mountpoint(root_t)
|
|
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
|
|
|
|
#
|
|
# src_t is the type of files in the system src directories.
|
|
#
|
|
type src_t;
|
|
files_mountpoint(src_t)
|
|
|
|
#
|
|
# system_map_t is for the system.map files in /boot
|
|
#
|
|
type system_map_t;
|
|
files_type(system_map_t)
|
|
genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
|
|
|
|
optional_policy(`
|
|
init_mountpoint(system_map_t)
|
|
')
|
|
|
|
#
|
|
# tmp_t is the type of the temporary directories
|
|
#
|
|
type tmp_t;
|
|
files_tmp_file(tmp_t)
|
|
files_mountpoint(tmp_t)
|
|
files_poly(tmp_t)
|
|
files_poly_parent(tmp_t)
|
|
|
|
#
|
|
# usr_t is the type for /usr.
|
|
#
|
|
type usr_t;
|
|
files_mountpoint(usr_t)
|
|
|
|
#
|
|
# var_t is the type of /var
|
|
#
|
|
type var_t;
|
|
files_mountpoint(var_t)
|
|
|
|
#
|
|
# var_lib_t is the type of /var/lib
|
|
#
|
|
type var_lib_t;
|
|
files_mountpoint(var_lib_t)
|
|
|
|
#
|
|
# var_lock_t is the type of /var/lock
|
|
#
|
|
type var_lock_t;
|
|
files_lock_file(var_lock_t)
|
|
files_mountpoint(var_lock_t)
|
|
|
|
#
|
|
# var_run_t is the type of /var/run, usually
|
|
# used for pid and other runtime files.
|
|
#
|
|
type var_run_t;
|
|
files_runtime_file(var_run_t)
|
|
files_mountpoint(var_run_t)
|
|
|
|
optional_policy(`
|
|
systemd_tmpfilesd_managed(var_run_t)
|
|
')
|
|
|
|
#
|
|
# var_spool_t is the type of /var/spool
|
|
#
|
|
type var_spool_t;
|
|
files_tmp_file(var_spool_t)
|
|
|
|
########################################
|
|
#
|
|
# Rules for all file types
|
|
#
|
|
|
|
allow file_type self:filesystem associate;
|
|
|
|
fs_associate(file_type)
|
|
fs_associate_noxattr(file_type)
|
|
fs_associate_tmpfs(file_type)
|
|
fs_associate_ramfs(file_type)
|
|
fs_associate_hugetlbfs(file_type)
|
|
|
|
########################################
|
|
#
|
|
# Rules for all tmp file types
|
|
#
|
|
|
|
allow file_type tmp_t:filesystem associate;
|
|
|
|
fs_associate_tmpfs(tmpfile)
|
|
|
|
########################################
|
|
#
|
|
# Rules for all tmpfs file types
|
|
#
|
|
|
|
fs_associate_tmpfs(tmpfsfile)
|
|
|
|
########################################
|
|
#
|
|
# Unconfined access to this module
|
|
#
|
|
|
|
# Create/access any file in a labeled filesystem;
|
|
allow files_unconfined_type file_type:file { exec_file_perms manage_file_perms mounton quotaon relabel_file_perms watch watch_mount watch_reads watch_sb watch_with_perm };
|
|
allow files_unconfined_type file_type:lnk_file { append execmod execute manage_lnk_file_perms map mounton open quotaon relabel_lnk_file_perms watch watch_mount watch_reads watch_sb watch_with_perm };
|
|
allow files_unconfined_type file_type:sock_file { execmod execute manage_sock_file_perms map mounton quotaon relabel_sock_file_perms watch watch_mount watch_reads watch_sb watch_with_perm };
|
|
allow files_unconfined_type file_type:fifo_file { execmod execute manage_fifo_file_perms map mounton quotaon relabel_fifo_file_perms watch watch_mount watch_reads watch_sb watch_with_perm };
|
|
allow files_unconfined_type file_type:blk_file { execmod execute manage_blk_file_perms map mounton quotaon relabel_blk_file_perms watch watch_mount watch_reads watch_sb watch_with_perm };
|
|
allow files_unconfined_type file_type:chr_file { execute manage_chr_file_perms map mounton quotaon relabel_chr_file_perms watch watch_mount watch_reads watch_sb watch_with_perm };
|
|
allow files_unconfined_type file_type:dir { add_name append execmod execute manage_dir_perms map mounton quotaon relabel_dir_perms remove_name reparent rmdir search watch watch_mount watch_reads watch_sb watch_with_perm };
|
|
|
|
# Mount/unmount any filesystem with the context= option.
|
|
allow files_unconfined_type file_type:filesystem { associate getattr mount quotaget quotamod relabelfrom relabelto remount unmount watch };
|
|
|
|
tunable_policy(`allow_execmod',`
|
|
allow files_unconfined_type file_type:file execmod;
|
|
')
|