e181fe05 | 1 | |
9570b288 | 2 | policy_module(files, 1.12.0) |
960373dd | 3 | |
4 | ######################################## |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
b4cd1533 | 9 | attribute file_type; |
b518fc2e | 10 | attribute files_unconfined_type; |
b4cd1533 | 11 | attribute lockfile; |
46410fd2 | 12 | attribute mountpoint; |
b4cd1533 | 13 | attribute pidfile; |
e8779130 | 14 | attribute configfile; |
15 | |
16 | # For labeling types that are to be polyinstantiated | |
17 | attribute polydir; | |
18 | ||
19 | # And for labeling the parent directories of those polyinstantiated directories. | |
20 | # This is necessary for remounting the original in the parent to give | |
21 | # security-aware apps access. | |
22 | attribute polyparent; | |
23 | ||
24 | # And labeling for the member directories | |
25 | attribute polymember; | |
26 | ||
27 | # sensitive security files whose accesses should |
28 | # not be dontaudited for uses | |
29 | attribute security_file_type; | |
30 | # and its opposite |
31 | attribute non_security_file_type; | |
a2868f6e | 32 | |
b4cd1533 | 33 | attribute tmpfile; |
46410fd2 | 34 | attribute tmpfsfile; |
b4cd1533 | 35 | |
36 | # This attribute is not currently used and will be removed in the future. |
37 | # Unfortunately, it cannot be removed yet because doing so may cause | |
38 | # some policies to fail to link if they still require it. | |
39 | attribute usercanread; |
40 | ||
41 | # |
42 | # boot_t is the type for files in /boot | |
43 | # | |
44 | type boot_t; | |
45 | files_mountpoint(boot_t) |
46 | ||
47 | # default_t is the default type for files that do not |
48 | # match any specification in the file_contexts configuration | |
49 | # other than the generic /.* specification. | |
50 | type default_t; |
51 | files_mountpoint(default_t) | |
52 | |
53 | # | |
54 | # etc_t is the type of the system etc directories. | |
55 | # | |
56 | type etc_t; |
57 | files_type(etc_t) | |
58 | # compatibility aliases for removed types: |
59 | typealias etc_t alias automount_etc_t; | |
788d88c9 | 60 | typealias etc_t alias snmpd_etc_t; |
61 | |
62 | # | |
63 | # etc_runtime_t is the type of various | |
64 | # files in /etc that are automatically | |
65 | # generated during initialization. | |
66 | # | |
67 | type etc_runtime_t; |
68 | files_type(etc_runtime_t) | |
69 | # Temporarily in policy until FC5 disappears |
70 | typealias etc_runtime_t alias firstboot_rw_t; | |
71 | |
72 | # | |
73 | # file_t is the default type of a file that has not yet been | |
74 | # assigned an extended attribute (EA) value (when using a filesystem | |
75 | # that supports EAs). | |
76 | # | |
77 | type file_t; |
78 | files_mountpoint(file_t) | |
0fd9dc55 | 79 | kernel_rootfs_mountpoint(file_t) |
e02c61cf | 80 | sid file gen_context(system_u:object_r:file_t,s0) |
b4cd1533 | 81 | |
82 | # |
83 | # home_root_t is the type for the directory where user home directories | |
84 | # are created | |
85 | # | |
86 | type home_root_t; |
87 | files_mountpoint(home_root_t) | |
0f27d98d | 88 | files_poly_parent(home_root_t) |
89 | |
90 | # | |
91 | # lost_found_t is the type for the lost+found directories. | |
92 | # | |
93 | type lost_found_t; |
94 | files_type(lost_found_t) | |
95 | |
96 | # | |
97 | # mnt_t is the type for mount points such as /mnt/cdrom | |
98 | # | |
99 | type mnt_t; |
100 | files_mountpoint(mnt_t) | |
b4cd1533 | 101 | |
102 | # |
103 | # modules_object_t is the type for kernel modules | |
104 | # | |
105 | type modules_object_t; | |
106 | files_type(modules_object_t) | |
107 | ||
108 | type no_access_t; |
109 | files_type(no_access_t) | |
219bcf7a | 110 | |
111 | type poly_t; |
112 | files_type(poly_t) | |
219bcf7a | 113 | |
114 | type readable_t; |
115 | files_type(readable_t) | |
219bcf7a | 116 | |
117 | # |
118 | # root_t is the type for rootfs and the root directory. | |
119 | # | |
120 | type root_t; |
121 | files_mountpoint(root_t) | |
0f27d98d | 122 | files_poly_parent(root_t) |
0fd9dc55 | 123 | kernel_rootfs_mountpoint(root_t) |
e02c61cf | 124 | genfscon rootfs / gen_context(system_u:object_r:root_t,s0) |
a2d8246b | 125 | |
126 | # |
127 | # src_t is the type of files in the system src directories. | |
128 | # | |
129 | type src_t; |
130 | files_mountpoint(src_t) | |
b4cd1533 | 131 | |
132 | # |
133 | # system_map_t is for the system.map files in /boot | |
134 | # | |
135 | type system_map_t; | |
136 | files_type(system_map_t) | |
037fc0f4 | 137 | genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0) |
1c1ac67f | 138 | |
139 | # |
140 | # tmp_t is the type of the temporary directories | |
141 | # | |
a65611d2 | 142 | type tmp_t; |
c3cf6693 | 143 | files_tmp_file(tmp_t) |
144 | files_mountpoint(tmp_t) |
145 | files_poly(tmp_t) | |
0f27d98d | 146 | files_poly_parent(tmp_t) |
147 | |
148 | # | |
149 | # usr_t is the type for /usr. | |
150 | # | |
151 | type usr_t; |
152 | files_mountpoint(usr_t) | |
153 | |
154 | # | |
155 | # var_t is the type of /var | |
156 | # | |
157 | type var_t; |
158 | files_mountpoint(var_t) | |
159 | |
160 | # | |
161 | # var_lib_t is the type of /var/lib | |
162 | # | |
163 | type var_lib_t; |
164 | files_mountpoint(var_lib_t) | |
165 | |
166 | # | |
167 | # var_lock_t is the type of /var/lock | |
168 | # | |
169 | type var_lock_t; |
170 | files_lock_file(var_lock_t) | |
171 | |
172 | # | |
173 | # var_run_t is the type of /var/run, usually | |
174 | # used for pid and other runtime files. | |
175 | # | |
176 | type var_run_t; |
177 | files_pid_file(var_run_t) | |
14c0edc7 | 178 | files_mountpoint(var_run_t) |
179 | |
180 | # | |
181 | # var_spool_t is the type of /var/spool | |
182 | # | |
183 | type var_spool_t; |
184 | files_tmp_file(var_spool_t) | |
185 | |
186 | ######################################## | |
187 | # | |
188 | # Rules for all file types | |
189 | # | |
190 | ||
191 | allow file_type self:filesystem associate; | |
192 | ||
193 | fs_associate(file_type) | |
194 | fs_associate_noxattr(file_type) | |
350b6ab7 | 195 | fs_associate_tmpfs(file_type) |
495df416 | 196 | fs_associate_ramfs(file_type) |
165b42d2 | 197 | |
198 | ######################################## |
199 | # | |
200 | # Rules for all tmp file types | |
201 | # | |
202 | ||
a65fd90a | 203 | allow file_type tmp_t:filesystem associate; |
204 | |
205 | fs_associate_tmpfs(tmpfile) | |
206 | ||
207 | ######################################## | |
208 | # | |
209 | # Rules for all tmpfs file types | |
210 | # | |
211 | ||
212 | fs_associate_tmpfs(tmpfsfile) | |
213 | |
214 | ######################################## | |
215 | # | |
216 | # Unconfined access to this module | |
217 | # | |
218 | ||
219 | # Create/access any file in a labeled filesystem; execmod on files is deliberately excluded here and is granted only under the allow_execmod tunable below. | |
220 | allow files_unconfined_type file_type:{ file chr_file } ~execmod; | |
221 | allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *; | |
222 | ||
223 | # Mount/unmount any filesystem with the context= option. | |
224 | allow files_unconfined_type file_type:filesystem *; | |
225 | ||
226 | tunable_policy(`allow_execmod',` |
227 | allow files_unconfined_type file_type:file execmod; | |
b518fc2e | 228 | ') |