selinux-refpolicy/policy/modules/kernel/files.te

244 lines
6.0 KiB
Plaintext

policy_module(files)
########################################
#
# Declarations
#
attribute file_type;
attribute files_unconfined_type;
attribute lockfile;
attribute mountpoint;
attribute pidfile;
attribute configfile;
attribute spoolfile;
# For labeling types that are to be polyinstantiated
attribute polydir;
# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
attribute polyparent;
# And labeling for the member directories
attribute polymember;
# sensitive security files whose accesses should
# not be dontaudited for uses
attribute security_file_type;
# and its opposite
attribute non_security_file_type;
# sensitive authentication files whose accesses should
# not be dontaudited for uses
attribute auth_file_type;
# and its opposite
attribute non_auth_file_type;
attribute tmpfile;
attribute tmpfsfile;
# this attribute is not currently used and will be removed in the future.
# unfortunately, this attribute can not be removed yet because it may cause
# some policies to fail to link if it is still required.
attribute usercanread;
#
# boot_t is the type for files in /boot
#
type boot_t;
files_mountpoint(boot_t)
# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
# other than the generic /.* specification.
type default_t;
files_mountpoint(default_t)
#
# etc_t is the type of the system etc directories.
#
type etc_t, configfile;
files_type(etc_t)
optional_policy(`
# for systemd ProtectSystem
init_mountpoint(etc_t)
')
#
# etc_runtime_t is the type of various
# files in /etc that are automatically
# generated during initialization.
#
type etc_runtime_t, configfile;
files_type(etc_runtime_t)
#
# home_root_t is the type for the directory where user home directories
# are created
#
type home_root_t;
files_mountpoint(home_root_t)
files_poly_parent(home_root_t)
#
# lost_found_t is the type for the lost+found directories.
#
type lost_found_t;
files_type(lost_found_t)
#
# mnt_t is the type for mount points such as /mnt/cdrom
#
type mnt_t;
files_mountpoint(mnt_t)
#
# modules_object_t is the type for kernel modules
#
type modules_object_t;
files_type(modules_object_t)
optional_policy(`
init_mountpoint(modules_object_t)
')
type no_access_t;
files_type(no_access_t)
type poly_t;
files_type(poly_t)
type readable_t;
files_type(readable_t)
#
# root_t is the type for rootfs and the root directory.
#
type root_t;
files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
#
# src_t is the type of files in the system src directories.
#
type src_t;
files_mountpoint(src_t)
#
# system_map_t is for the system.map files in /boot
#
type system_map_t;
files_type(system_map_t)
genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
optional_policy(`
init_mountpoint(system_map_t)
')
#
# tmp_t is the type of the temporary directories
#
type tmp_t;
files_tmp_file(tmp_t)
files_mountpoint(tmp_t)
files_poly(tmp_t)
files_poly_parent(tmp_t)
#
# usr_t is the type for /usr.
#
type usr_t;
files_mountpoint(usr_t)
#
# var_t is the type of /var
#
type var_t;
files_mountpoint(var_t)
#
# var_lib_t is the type of /var/lib
#
type var_lib_t;
files_mountpoint(var_lib_t)
#
# var_lock_t is the type of /var/lock
#
type var_lock_t;
files_lock_file(var_lock_t)
files_mountpoint(var_lock_t)
#
# var_run_t is the type of /var/run, usually
# used for pid and other runtime files.
#
type var_run_t;
files_runtime_file(var_run_t)
files_mountpoint(var_run_t)
optional_policy(`
systemd_tmpfilesd_managed(var_run_t)
')
#
# var_spool_t is the type of /var/spool
#
type var_spool_t;
files_tmp_file(var_spool_t)
########################################
#
# Rules for all file types
#
allow file_type self:filesystem associate;
fs_associate(file_type)
fs_associate_noxattr(file_type)
fs_associate_tmpfs(file_type)
fs_associate_ramfs(file_type)
fs_associate_hugetlbfs(file_type)
########################################
#
# Rules for all tmp file types
#
allow file_type tmp_t:filesystem associate;
fs_associate_tmpfs(tmpfile)
########################################
#
# Rules for all tmpfs file types
#
fs_associate_tmpfs(tmpfsfile)
########################################
#
# Unconfined access to this module
#
# Create/access any file in a labeled filesystem;
allow files_unconfined_type file_type:file { exec_file_perms manage_file_perms mounton quotaon relabel_file_perms watch watch_mount watch_reads watch_sb watch_with_perm };
allow files_unconfined_type file_type:lnk_file { append execmod execute manage_lnk_file_perms map mounton open quotaon relabel_lnk_file_perms watch watch_mount watch_reads watch_sb watch_with_perm };
allow files_unconfined_type file_type:sock_file { execmod execute manage_sock_file_perms map mounton quotaon relabel_sock_file_perms watch watch_mount watch_reads watch_sb watch_with_perm };
allow files_unconfined_type file_type:fifo_file { execmod execute manage_fifo_file_perms map mounton quotaon relabel_fifo_file_perms watch watch_mount watch_reads watch_sb watch_with_perm };
allow files_unconfined_type file_type:blk_file { execmod execute manage_blk_file_perms map mounton quotaon relabel_blk_file_perms watch watch_mount watch_reads watch_sb watch_with_perm };
allow files_unconfined_type file_type:chr_file { execute manage_chr_file_perms map mounton quotaon relabel_chr_file_perms watch watch_mount watch_reads watch_sb watch_with_perm };
allow files_unconfined_type file_type:dir { add_name append execmod execute manage_dir_perms map mounton quotaon relabel_dir_perms remove_name reparent rmdir search watch watch_mount watch_reads watch_sb watch_with_perm };
# Mount/unmount any filesystem with the context= option.
allow files_unconfined_type file_type:filesystem { associate getattr mount quotaget quotamod relabelfrom relabelto remount unmount watch };
tunable_policy(`allow_execmod',`
allow files_unconfined_type file_type:file execmod;
')