e541d13a | 1 | policy_module(files, 1.14.3) |
960373dd | 2 | |
fd89e19f CP |
3 | ######################################## |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
b4cd1533 | 8 | attribute file_type; |
b518fc2e | 9 | attribute files_unconfined_type; |
b4cd1533 | 10 | attribute lockfile; |
46410fd2 | 11 | attribute mountpoint; |
b4cd1533 | 12 | attribute pidfile; |
0059652b | 13 | attribute spoolfile; |
e8779130 | 14 | attribute configfile; |
3eaa9939 | 15 | attribute etcfile; |
a1fcff33 CP |
16 | |
17 | # For labeling types that are to be polyinstantiated | |
18 | attribute polydir; | |
19 | ||
20 | # And for labeling the parent directories of those polyinstantiated directories | |
21 | # This is necessary for remounting the original in the parent to give | |
22 | # security aware apps access | |
23 | attribute polyparent; | |
24 | ||
25 | # And labeling for the member directories | |
26 | attribute polymember; | |
27 | ||
a2868f6e CP |
28 | # sensitive security files whose accesses should |
29 | # not be dontaudited for uses | |
30 | attribute security_file_type; | |
3338f231 CP |
31 | # and its opposite |
32 | attribute non_security_file_type; | |
a2868f6e | 33 | |
b4cd1533 | 34 | attribute tmpfile; |
46410fd2 | 35 | attribute tmpfsfile; |
b4cd1533 | 36 | |
bbb7cc89 CP |
37 | # this attribute is not currently used and will be removed in the future. |
38 | # unfortunately, this attribute cannot be removed yet because it may cause | |
39 | # some policies to fail to link if they still require it. | |
a65611d2 CP |
40 | attribute usercanread; |
41 | ||
1c1ac67f CP |
42 | # |
43 | # boot_t is the type for files in /boot | |
44 | # | |
45 | type boot_t; | |
1c1ac67f CP |
46 | files_mountpoint(boot_t) |
47 | ||
b4cd1533 CP |
48 | # default_t is the default type for files that do not |
49 | # match any specification in the file_contexts configuration | |
50 | # other than the generic /.* specification. | |
a65611d2 CP |
51 | type default_t; |
52 | files_mountpoint(default_t) | |
b4cd1533 CP |
53 | |
54 | # | |
55 | # etc_t is the type of the system etc directories. | |
56 | # | |
910b1d8e | 57 | type etc_t, configfile; |
a65611d2 | 58 | files_type(etc_t) |
6b19be33 CP |
59 | # compatibility aliases for removed types: |
60 | typealias etc_t alias automount_etc_t; | |
788d88c9 | 61 | typealias etc_t alias snmpd_etc_t; |
b4cd1533 | 62 | |
3eaa9939 DW |
63 | # system_conf_t is a new type of various |
64 | # files in /etc/ that can be managed and | |
65 | # created by several domains. | |
66 | # | |
67 | type system_conf_t, configfile; | |
68 | files_type(system_conf_t) | |
69 | # compatibility aliases for removed type: | |
70 | typealias system_conf_t alias iptables_conf_t; | |
71 | ||
b4cd1533 CP |
72 | # |
73 | # etc_runtime_t is the type of various | |
74 | # files in /etc that are automatically | |
75 | # generated during initialization. | |
76 | # | |
3eaa9939 | 77 | type etc_runtime_t, configfile; |
a65611d2 | 78 | files_type(etc_runtime_t) |
693d4aed CP |
79 | # Temporarily in policy until FC5 disappears |
80 | typealias etc_runtime_t alias firstboot_rw_t; | |
b4cd1533 CP |
81 | |
82 | # | |
83 | # file_t is the default type of a file that has not yet been | |
84 | # assigned an extended attribute (EA) value (when using a filesystem | |
85 | # that supports EAs). | |
86 | # | |
a65611d2 CP |
87 | type file_t; |
88 | files_mountpoint(file_t) | |
0fd9dc55 | 89 | kernel_rootfs_mountpoint(file_t) |
e02c61cf | 90 | sid file gen_context(system_u:object_r:file_t,s0) |
b4cd1533 | 91 | |
b4cd1533 CP |
92 | # |
93 | # home_root_t is the type for the directory where user home directories | |
94 | # are created | |
95 | # | |
a65611d2 CP |
96 | type home_root_t; |
97 | files_mountpoint(home_root_t) | |
0f27d98d | 98 | files_poly_parent(home_root_t) |
b4cd1533 CP |
99 | |
100 | # | |
101 | # lost_found_t is the type for the lost+found directories. | |
102 | # | |
a65611d2 CP |
103 | type lost_found_t; |
104 | files_type(lost_found_t) | |
b4cd1533 CP |
105 | |
106 | # | |
107 | # mnt_t is the type for mount points such as /mnt/cdrom | |
108 | # | |
a65611d2 CP |
109 | type mnt_t; |
110 | files_mountpoint(mnt_t) | |
b4cd1533 | 111 | |
1c1ac67f CP |
112 | # |
113 | # modules_object_t is the type for kernel modules | |
114 | # | |
115 | type modules_object_t; | |
116 | files_type(modules_object_t) | |
117 | ||
a65611d2 CP |
118 | type no_access_t; |
119 | files_type(no_access_t) | |
219bcf7a | 120 | |
a65611d2 CP |
121 | type poly_t; |
122 | files_type(poly_t) | |
219bcf7a | 123 | |
a65611d2 CP |
124 | type readable_t; |
125 | files_type(readable_t) | |
219bcf7a | 126 | |
a2d8246b CP |
127 | # |
128 | # root_t is the type for rootfs and the root directory. | |
129 | # | |
a65611d2 CP |
130 | type root_t; |
131 | files_mountpoint(root_t) | |
0f27d98d | 132 | files_poly_parent(root_t) |
0fd9dc55 | 133 | kernel_rootfs_mountpoint(root_t) |
e02c61cf | 134 | genfscon rootfs / gen_context(system_u:object_r:root_t,s0) |
a2d8246b | 135 | |
b4cd1533 CP |
136 | # |
137 | # src_t is the type of files in the system src directories. | |
138 | # | |
a65611d2 CP |
139 | type src_t; |
140 | files_mountpoint(src_t) | |
b4cd1533 | 141 | |
1c1ac67f CP |
142 | # |
143 | # system_map_t is for the system.map files in /boot | |
144 | # | |
145 | type system_map_t; | |
146 | files_type(system_map_t) | |
b5d3774a | 147 | kernel_proc_type(system_map_t) |
037fc0f4 | 148 | genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0) |
1c1ac67f | 149 | |
b4cd1533 CP |
150 | # |
151 | # tmp_t is the type of the temporary directories | |
152 | # | |
a65611d2 | 153 | type tmp_t; |
c3cf6693 | 154 | files_tmp_file(tmp_t) |
a65611d2 CP |
155 | files_mountpoint(tmp_t) |
156 | files_poly(tmp_t) | |
0f27d98d | 157 | files_poly_parent(tmp_t) |
b4cd1533 CP |
158 | |
159 | # | |
160 | # usr_t is the type for /usr. | |
161 | # | |
a65611d2 CP |
162 | type usr_t; |
163 | files_mountpoint(usr_t) | |
b4cd1533 CP |
164 | |
165 | # | |
166 | # var_t is the type of /var | |
167 | # | |
a65611d2 CP |
168 | type var_t; |
169 | files_mountpoint(var_t) | |
b4cd1533 CP |
170 | |
171 | # | |
172 | # var_lib_t is the type of /var/lib | |
173 | # | |
a65611d2 CP |
174 | type var_lib_t; |
175 | files_mountpoint(var_lib_t) | |
b4cd1533 CP |
176 | |
177 | # | |
178 | # var_lock_t is the type of /var/lock | |
179 | # | |
a65611d2 | 180 | type var_lock_t; |
54b4b8ab | 181 | files_lock_file(var_lock_t) |
ef1dec5b | 182 | files_mountpoint(var_lock_t) |
b4cd1533 CP |
183 | |
184 | # | |
185 | # var_run_t is the type of /var/run, usually | |
186 | # used for pid and other runtime files. | |
187 | # | |
a65611d2 CP |
188 | type var_run_t; |
189 | files_pid_file(var_run_t) | |
14c0edc7 | 190 | files_mountpoint(var_run_t) |
b4cd1533 CP |
191 | |
192 | # | |
193 | # var_spool_t is the type of /var/spool | |
194 | # | |
c3cf6693 CP |
195 | type var_spool_t; |
196 | files_tmp_file(var_spool_t) | |
0059652b | 197 | files_spool_file(var_spool_t) |
a65611d2 CP |
198 | |
199 | ######################################## | |
200 | # | |
201 | # Rules for all file types | |
202 | # | |
203 | ||
204 | allow file_type self:filesystem associate; | |
205 | ||
206 | fs_associate(file_type) | |
207 | fs_associate_noxattr(file_type) | |
350b6ab7 | 208 | fs_associate_tmpfs(file_type) |
495df416 | 209 | fs_associate_ramfs(file_type) |
48e0aa86 | 210 | fs_associate_hugetlbfs(file_type) |
165b42d2 | 211 | |
a65611d2 CP |
212 | ######################################## |
213 | # | |
214 | # Rules for all tmp file types | |
215 | # | |
216 | ||
a65fd90a | 217 | allow file_type tmp_t:filesystem associate; |
a65611d2 CP |
218 | |
219 | fs_associate_tmpfs(tmpfile) | |
220 | ||
221 | ######################################## | |
222 | # | |
223 | # Rules for all tmpfs file types | |
224 | # | |
225 | ||
226 | fs_associate_tmpfs(tmpfsfile) | |
b518fc2e CP |
227 | |
228 | ######################################## | |
229 | # | |
230 | # Unconfined access to this module | |
231 | # | |
232 | ||
233 | # Create/access any file in a labeled filesystem; | |
234 | allow files_unconfined_type file_type:{ file chr_file } ~execmod; | |
235 | allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; | |
236 | ||
dccbb80c | 237 | # Mount/unmount any filesystem with the context= option. |
b518fc2e CP |
238 | allow files_unconfined_type file_type:filesystem *; |
239 | ||
350b6ab7 CP |
240 | tunable_policy(`allow_execmod',` |
241 | allow files_unconfined_type file_type:file execmod; | |
b518fc2e | 242 | ') |