[people/stevee/selinux-policy.git] / policy / modules / kernel / files.te

policy_module(files, 1.14.3)

########################################
#
# Declarations
#

attribute file_type;
attribute files_unconfined_type;
attribute lockfile;
attribute mountpoint;
attribute pidfile;
attribute spoolfile;
attribute configfile;
attribute etcfile;

# For labeling types that are to be polyinstantiated
attribute polydir;

# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
attribute polyparent;

# And labeling for the member directories
attribute polymember;

# sensitive security files whose accesses should
# not be dontaudited for uses
attribute security_file_type;
# and its opposite
attribute non_security_file_type;

attribute tmpfile;
attribute tmpfsfile;

# this attribute is not currently used and will be removed in the future.
# unfortunately, this attribute can not be removed yet because it may cause
# some policies to fail to link if it is still required.
attribute usercanread;

#
# boot_t is the type for files in /boot
#
type boot_t;
files_mountpoint(boot_t)

# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
# other than the generic /.* specification.
type default_t;
files_mountpoint(default_t)

#
# etc_t is the type of the system etc directories.
#
type etc_t, configfile;
files_type(etc_t)
# compatibility aliases for removed types:
typealias etc_t alias automount_etc_t;
typealias etc_t alias snmpd_etc_t;

# system_conf_t is a new type of various
# files in /etc/ that can be managed and
# created by several domains.
# 
type system_conf_t, configfile;
files_type(system_conf_t)
# compatibility aliases for removed type:
typealias system_conf_t alias iptables_conf_t;

#
# etc_runtime_t is the type of various
# files in /etc that are automatically
# generated during initialization.
#
type etc_runtime_t, configfile;
files_type(etc_runtime_t)
#Temporarily in policy until FC5 dissappears
typealias etc_runtime_t alias firstboot_rw_t;

#
# file_t is the default type of a file that has not yet been
# assigned an extended attribute (EA) value (when using a filesystem
# that supports EAs).
#
type file_t;
files_mountpoint(file_t)
kernel_rootfs_mountpoint(file_t)
sid file gen_context(system_u:object_r:file_t,s0)

#
# home_root_t is the type for the directory where user home directories
# are created
#
type home_root_t;
files_mountpoint(home_root_t)
files_poly_parent(home_root_t)

#
# lost_found_t is the type for the lost+found directories.
#
type lost_found_t;
files_type(lost_found_t)

#
# mnt_t is the type for mount points such as /mnt/cdrom
#
type mnt_t;
files_mountpoint(mnt_t)

#
# modules_object_t is the type for kernel modules
#
type modules_object_t;
files_type(modules_object_t)

type no_access_t;
files_type(no_access_t)

type poly_t;
files_type(poly_t)

type readable_t;
files_type(readable_t)

#
# root_t is the type for rootfs and the root directory.
#
type root_t;
files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)

#
# src_t is the type of files in the system src directories.
#
type src_t;
files_mountpoint(src_t)

#
# system_map_t is for the system.map files in /boot
#
type system_map_t;
files_type(system_map_t)
kernel_proc_type(system_map_t)
genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)

#
# tmp_t is the type of the temporary directories
#
type tmp_t;
files_tmp_file(tmp_t)
files_mountpoint(tmp_t)
files_poly(tmp_t)
files_poly_parent(tmp_t)

#
# usr_t is the type for /usr.
#
type usr_t;
files_mountpoint(usr_t)

#
# var_t is the type of /var
#
type var_t;
files_mountpoint(var_t)

#
# var_lib_t is the type of /var/lib
#
type var_lib_t;
files_mountpoint(var_lib_t)

#
# var_lock_t is tye type of /var/lock
#
type var_lock_t;
files_lock_file(var_lock_t)
files_mountpoint(var_lock_t)

#
# var_run_t is the type of /var/run, usually
# used for pid and other runtime files.
#
type var_run_t;
files_pid_file(var_run_t)
files_mountpoint(var_run_t)

#
# var_spool_t is the type of /var/spool
#
type var_spool_t;
files_tmp_file(var_spool_t)
files_spool_file(var_spool_t)

########################################
#
# Rules for all file types
#

allow file_type self:filesystem associate;

fs_associate(file_type)
fs_associate_noxattr(file_type)
fs_associate_tmpfs(file_type)
fs_associate_ramfs(file_type)
fs_associate_hugetlbfs(file_type)

########################################
#
# Rules for all tmp file types
#

allow file_type tmp_t:filesystem associate;

fs_associate_tmpfs(tmpfile)

########################################
#
# Rules for all tmpfs file types
#

fs_associate_tmpfs(tmpfsfile)

########################################
#
# Unconfined access to this module
#

# Create/access any file in a labeled filesystem;
allow files_unconfined_type file_type:{ file chr_file } ~execmod;
allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;

# Mount/unmount any filesystem with the context= option.
allow files_unconfined_type file_type:filesystem *;

tunable_policy(`allow_execmod',`
	allow files_unconfined_type file_type:file execmod;
')
Commit	Line	Data
e541d13a	1	policy_module(files, 1.14.3)
960373dd	2
fd89e19f CP	3	########################################
	4	#
	5	# Declarations
	6	#
	7
b4cd1533	8	attribute file_type;
b518fc2e	9	attribute files_unconfined_type;
b4cd1533	10	attribute lockfile;
46410fd2	11	attribute mountpoint;
b4cd1533	12	attribute pidfile;
0059652b	13	attribute spoolfile;
e8779130	14	attribute configfile;
3eaa9939	15	attribute etcfile;
a1fcff33 CP	16
	17	# For labeling types that are to be polyinstantiated
	18	attribute polydir;
	19
	20	# And for labeling the parent directories of those polyinstantiated directories
	21	# This is necessary for remounting the original in the parent to give
	22	# security aware apps access
	23	attribute polyparent;
	24
	25	# And labeling for the member directories
	26	attribute polymember;
	27
a2868f6e CP	28	# sensitive security files whose accesses should
	29	# not be dontaudited for uses
	30	attribute security_file_type;
3338f231 CP	31	# and its opposite
3338f231 CP	32	attribute non_security_file_type;
a2868f6e	33
b4cd1533	34	attribute tmpfile;
46410fd2	35	attribute tmpfsfile;
b4cd1533	36
bbb7cc89 CP	37	# this attribute is not currently used and will be removed in the future.
	38	# unfortunately, this attribute can not be removed yet because it may cause
	39	# some policies to fail to link if it is still required.
a65611d2 CP	40	attribute usercanread;
a65611d2 CP	41
1c1ac67f CP	42	#
	43	# boot_t is the type for files in /boot
	44	#
	45	type boot_t;
1c1ac67f CP	46	files_mountpoint(boot_t)
1c1ac67f CP	47
b4cd1533 CP	48	# default_t is the default type for files that do not
	49	# match any specification in the file_contexts configuration
	50	# other than the generic /.* specification.
a65611d2 CP	51	type default_t;
a65611d2 CP	52	files_mountpoint(default_t)
b4cd1533 CP	53
	54	#
	55	# etc_t is the type of the system etc directories.
	56	#
910b1d8e	57	type etc_t, configfile;
a65611d2	58	files_type(etc_t)
6b19be33 CP	59	# compatibility aliases for removed types:
6b19be33 CP	60	typealias etc_t alias automount_etc_t;
788d88c9	61	typealias etc_t alias snmpd_etc_t;
b4cd1533	62
3eaa9939 DW	63	# system_conf_t is a new type of various
	64	# files in /etc/ that can be managed and
	65	# created by several domains.
	66	#
	67	type system_conf_t, configfile;
	68	files_type(system_conf_t)
	69	# compatibility aliases for removed type:
	70	typealias system_conf_t alias iptables_conf_t;
	71
b4cd1533 CP	72	#
	73	# etc_runtime_t is the type of various
	74	# files in /etc that are automatically
	75	# generated during initialization.
	76	#
3eaa9939	77	type etc_runtime_t, configfile;
a65611d2	78	files_type(etc_runtime_t)
693d4aed CP	79	#Temporarily in policy until FC5 dissappears
693d4aed CP	80	typealias etc_runtime_t alias firstboot_rw_t;
b4cd1533 CP	81
	82	#
	83	# file_t is the default type of a file that has not yet been
	84	# assigned an extended attribute (EA) value (when using a filesystem
	85	# that supports EAs).
	86	#
a65611d2 CP	87	type file_t;
a65611d2 CP	88	files_mountpoint(file_t)
0fd9dc55	89	kernel_rootfs_mountpoint(file_t)
e02c61cf	90	sid file gen_context(system_u:object_r:file_t,s0)
b4cd1533	91
b4cd1533 CP	92	#
	93	# home_root_t is the type for the directory where user home directories
	94	# are created
	95	#
a65611d2 CP	96	type home_root_t;
a65611d2 CP	97	files_mountpoint(home_root_t)
0f27d98d	98	files_poly_parent(home_root_t)
b4cd1533 CP	99
	100	#
	101	# lost_found_t is the type for the lost+found directories.
	102	#
a65611d2 CP	103	type lost_found_t;
a65611d2 CP	104	files_type(lost_found_t)
b4cd1533 CP	105
	106	#
	107	# mnt_t is the type for mount points such as /mnt/cdrom
	108	#
a65611d2 CP	109	type mnt_t;
a65611d2 CP	110	files_mountpoint(mnt_t)
b4cd1533	111
1c1ac67f CP	112	#
	113	# modules_object_t is the type for kernel modules
	114	#
	115	type modules_object_t;
	116	files_type(modules_object_t)
	117
a65611d2 CP	118	type no_access_t;
a65611d2 CP	119	files_type(no_access_t)
219bcf7a	120
a65611d2 CP	121	type poly_t;
a65611d2 CP	122	files_type(poly_t)
219bcf7a	123
a65611d2 CP	124	type readable_t;
a65611d2 CP	125	files_type(readable_t)
219bcf7a	126
a2d8246b CP	127	#
	128	# root_t is the type for rootfs and the root directory.
	129	#
a65611d2 CP	130	type root_t;
a65611d2 CP	131	files_mountpoint(root_t)
0f27d98d	132	files_poly_parent(root_t)
0fd9dc55	133	kernel_rootfs_mountpoint(root_t)
e02c61cf	134	genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
a2d8246b	135
b4cd1533 CP	136	#
	137	# src_t is the type of files in the system src directories.
	138	#
a65611d2 CP	139	type src_t;
a65611d2 CP	140	files_mountpoint(src_t)
b4cd1533	141
1c1ac67f CP	142	#
	143	# system_map_t is for the system.map files in /boot
	144	#
	145	type system_map_t;
	146	files_type(system_map_t)
b5d3774a	147	kernel_proc_type(system_map_t)
037fc0f4	148	genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
1c1ac67f	149
b4cd1533 CP	150	#
	151	# tmp_t is the type of the temporary directories
	152	#
a65611d2	153	type tmp_t;
c3cf6693	154	files_tmp_file(tmp_t)
a65611d2 CP	155	files_mountpoint(tmp_t)
a65611d2 CP	156	files_poly(tmp_t)
0f27d98d	157	files_poly_parent(tmp_t)
b4cd1533 CP	158
	159	#
	160	# usr_t is the type for /usr.
	161	#
a65611d2 CP	162	type usr_t;
a65611d2 CP	163	files_mountpoint(usr_t)
b4cd1533 CP	164
	165	#
	166	# var_t is the type of /var
	167	#
a65611d2 CP	168	type var_t;
a65611d2 CP	169	files_mountpoint(var_t)
b4cd1533 CP	170
	171	#
	172	# var_lib_t is the type of /var/lib
	173	#
a65611d2 CP	174	type var_lib_t;
a65611d2 CP	175	files_mountpoint(var_lib_t)
b4cd1533 CP	176
	177	#
	178	# var_lock_t is tye type of /var/lock
	179	#
a65611d2	180	type var_lock_t;
54b4b8ab	181	files_lock_file(var_lock_t)
ef1dec5b	182	files_mountpoint(var_lock_t)
b4cd1533 CP	183
	184	#
	185	# var_run_t is the type of /var/run, usually
	186	# used for pid and other runtime files.
	187	#
a65611d2 CP	188	type var_run_t;
a65611d2 CP	189	files_pid_file(var_run_t)
14c0edc7	190	files_mountpoint(var_run_t)
b4cd1533 CP	191
	192	#
	193	# var_spool_t is the type of /var/spool
	194	#
c3cf6693 CP	195	type var_spool_t;
c3cf6693 CP	196	files_tmp_file(var_spool_t)
0059652b	197	files_spool_file(var_spool_t)
a65611d2 CP	198
	199	########################################
	200	#
	201	# Rules for all file types
	202	#
	203
	204	allow file_type self:filesystem associate;
	205
	206	fs_associate(file_type)
	207	fs_associate_noxattr(file_type)
350b6ab7	208	fs_associate_tmpfs(file_type)
495df416	209	fs_associate_ramfs(file_type)
48e0aa86	210	fs_associate_hugetlbfs(file_type)
165b42d2	211
a65611d2 CP	212	########################################
	213	#
	214	# Rules for all tmp file types
	215	#
	216
a65fd90a	217	allow file_type tmp_t:filesystem associate;
a65611d2 CP	218
	219	fs_associate_tmpfs(tmpfile)
	220
	221	########################################
	222	#
	223	# Rules for all tmpfs file types
	224	#
	225
	226	fs_associate_tmpfs(tmpfsfile)
b518fc2e CP	227
	228	########################################
	229	#
	230	# Unconfined access to this module
	231	#
	232
	233	# Create/access any file in a labeled filesystem;
	234	allow files_unconfined_type file_type:{ file chr_file } ~execmod;
	235	allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
	236
dccbb80c	237	# Mount/unmount any filesystem with the context= option.
b518fc2e CP	238	allow files_unconfined_type file_type:filesystem *;
b518fc2e CP	239
350b6ab7 CP	240	tunable_policy(`allow_execmod',`
350b6ab7 CP	241	allow files_unconfined_type file_type:file execmod;
b518fc2e	242	')