[people/stevee/selinux-policy.git] / policy / modules / kernel / files.te


policy_module(files, 1.13.0)

########################################
#
# Declarations
#

attribute file_type;
attribute files_unconfined_type;
attribute lockfile;
attribute mountpoint;
attribute pidfile;
attribute configfile;

# For labeling types that are to be polyinstantiated
attribute polydir;

# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
attribute polyparent;

# And labeling for the member directories
attribute polymember;

# sensitive security files whose accesses should
# not be dontaudited for uses
attribute security_file_type;
# and its opposite
attribute non_security_file_type;

attribute tmpfile;
attribute tmpfsfile;

# this attribute is not currently used and will be removed in the future.
# unfortunately, this attribute can not be removed yet because it may cause
# some policies to fail to link if it is still required.
attribute usercanread;

#
# boot_t is the type for files in /boot
#
type boot_t;
files_mountpoint(boot_t)

# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
# other than the generic /.* specification.
type default_t;
files_mountpoint(default_t)

#
# etc_t is the type of the system etc directories.
#
type etc_t, configfile;
files_type(etc_t)
# compatibility aliases for removed types:
typealias etc_t alias automount_etc_t;
typealias etc_t alias snmpd_etc_t;

#
# etc_runtime_t is the type of various
# files in /etc that are automatically
# generated during initialization.
#
type etc_runtime_t;
files_type(etc_runtime_t)
#Temporarily in policy until FC5 dissappears
typealias etc_runtime_t alias firstboot_rw_t;

#
# file_t is the default type of a file that has not yet been
# assigned an extended attribute (EA) value (when using a filesystem
# that supports EAs).
#
type file_t;
files_mountpoint(file_t)
kernel_rootfs_mountpoint(file_t)
sid file gen_context(system_u:object_r:file_t,s0)

#
# home_root_t is the type for the directory where user home directories
# are created
#
type home_root_t;
files_mountpoint(home_root_t)
files_poly_parent(home_root_t)

#
# lost_found_t is the type for the lost+found directories.
#
type lost_found_t;
files_type(lost_found_t)

#
# mnt_t is the type for mount points such as /mnt/cdrom
#
type mnt_t;
files_mountpoint(mnt_t)

#
# modules_object_t is the type for kernel modules
#
type modules_object_t;
files_type(modules_object_t)

type no_access_t;
files_type(no_access_t)

type poly_t;
files_type(poly_t)

type readable_t;
files_type(readable_t)

#
# root_t is the type for rootfs and the root directory.
#
type root_t;
files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)

#
# src_t is the type of files in the system src directories.
#
type src_t;
files_mountpoint(src_t)

#
# system_map_t is for the system.map files in /boot
#
type system_map_t;
files_type(system_map_t)
genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)

#
# tmp_t is the type of the temporary directories
#
type tmp_t;
files_tmp_file(tmp_t)
files_mountpoint(tmp_t)
files_poly(tmp_t)
files_poly_parent(tmp_t)

#
# usr_t is the type for /usr.
#
type usr_t;
files_mountpoint(usr_t)

#
# var_t is the type of /var
#
type var_t;
files_mountpoint(var_t)

#
# var_lib_t is the type of /var/lib
#
type var_lib_t;
files_mountpoint(var_lib_t)

#
# var_lock_t is tye type of /var/lock
#
type var_lock_t;
files_lock_file(var_lock_t)

#
# var_run_t is the type of /var/run, usually
# used for pid and other runtime files.
#
type var_run_t;
files_pid_file(var_run_t)
files_mountpoint(var_run_t)

#
# var_spool_t is the type of /var/spool
#
type var_spool_t;
files_tmp_file(var_spool_t)

########################################
#
# Rules for all file types
#

allow file_type self:filesystem associate;

fs_associate(file_type)
fs_associate_noxattr(file_type)
fs_associate_tmpfs(file_type)
fs_associate_ramfs(file_type)

########################################
#
# Rules for all tmp file types
#

allow file_type tmp_t:filesystem associate;

fs_associate_tmpfs(tmpfile)

########################################
#
# Rules for all tmpfs file types
#

fs_associate_tmpfs(tmpfsfile)

########################################
#
# Unconfined access to this module
#

# Create/access any file in a labeled filesystem;
allow files_unconfined_type file_type:{ file chr_file } ~execmod;
allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;

# Mount/unmount any filesystem with the context= option.
allow files_unconfined_type file_type:filesystem *;

tunable_policy(`allow_execmod',`
	allow files_unconfined_type file_type:file execmod;
')
Commit	Line	Data
e181fe05	1
29af4c13	2	policy_module(files, 1.13.0)
960373dd	3
fd89e19f CP	4	########################################
	5	#
	6	# Declarations
	7	#
	8
b4cd1533	9	attribute file_type;
b518fc2e	10	attribute files_unconfined_type;
b4cd1533	11	attribute lockfile;
46410fd2	12	attribute mountpoint;
b4cd1533	13	attribute pidfile;
e8779130	14	attribute configfile;
a1fcff33 CP	15
	16	# For labeling types that are to be polyinstantiated
	17	attribute polydir;
	18
	19	# And for labeling the parent directories of those polyinstantiated directories
	20	# This is necessary for remounting the original in the parent to give
	21	# security aware apps access
	22	attribute polyparent;
	23
	24	# And labeling for the member directories
	25	attribute polymember;
	26
a2868f6e CP	27	# sensitive security files whose accesses should
	28	# not be dontaudited for uses
	29	attribute security_file_type;
3338f231 CP	30	# and its opposite
3338f231 CP	31	attribute non_security_file_type;
a2868f6e	32
b4cd1533	33	attribute tmpfile;
46410fd2	34	attribute tmpfsfile;
b4cd1533	35
bbb7cc89 CP	36	# this attribute is not currently used and will be removed in the future.
	37	# unfortunately, this attribute can not be removed yet because it may cause
	38	# some policies to fail to link if it is still required.
a65611d2 CP	39	attribute usercanread;
a65611d2 CP	40
1c1ac67f CP	41	#
	42	# boot_t is the type for files in /boot
	43	#
	44	type boot_t;
1c1ac67f CP	45	files_mountpoint(boot_t)
1c1ac67f CP	46
b4cd1533 CP	47	# default_t is the default type for files that do not
	48	# match any specification in the file_contexts configuration
	49	# other than the generic /.* specification.
a65611d2 CP	50	type default_t;
a65611d2 CP	51	files_mountpoint(default_t)
b4cd1533 CP	52
	53	#
	54	# etc_t is the type of the system etc directories.
	55	#
910b1d8e	56	type etc_t, configfile;
a65611d2	57	files_type(etc_t)
6b19be33 CP	58	# compatibility aliases for removed types:
6b19be33 CP	59	typealias etc_t alias automount_etc_t;
788d88c9	60	typealias etc_t alias snmpd_etc_t;
b4cd1533 CP	61
	62	#
	63	# etc_runtime_t is the type of various
	64	# files in /etc that are automatically
	65	# generated during initialization.
	66	#
a65611d2 CP	67	type etc_runtime_t;
a65611d2 CP	68	files_type(etc_runtime_t)
693d4aed CP	69	#Temporarily in policy until FC5 dissappears
693d4aed CP	70	typealias etc_runtime_t alias firstboot_rw_t;
b4cd1533 CP	71
	72	#
	73	# file_t is the default type of a file that has not yet been
	74	# assigned an extended attribute (EA) value (when using a filesystem
	75	# that supports EAs).
	76	#
a65611d2 CP	77	type file_t;
a65611d2 CP	78	files_mountpoint(file_t)
0fd9dc55	79	kernel_rootfs_mountpoint(file_t)
e02c61cf	80	sid file gen_context(system_u:object_r:file_t,s0)
b4cd1533	81
b4cd1533 CP	82	#
	83	# home_root_t is the type for the directory where user home directories
	84	# are created
	85	#
a65611d2 CP	86	type home_root_t;
a65611d2 CP	87	files_mountpoint(home_root_t)
0f27d98d	88	files_poly_parent(home_root_t)
b4cd1533 CP	89
	90	#
	91	# lost_found_t is the type for the lost+found directories.
	92	#
a65611d2 CP	93	type lost_found_t;
a65611d2 CP	94	files_type(lost_found_t)
b4cd1533 CP	95
	96	#
	97	# mnt_t is the type for mount points such as /mnt/cdrom
	98	#
a65611d2 CP	99	type mnt_t;
a65611d2 CP	100	files_mountpoint(mnt_t)
b4cd1533	101
1c1ac67f CP	102	#
	103	# modules_object_t is the type for kernel modules
	104	#
	105	type modules_object_t;
	106	files_type(modules_object_t)
	107
a65611d2 CP	108	type no_access_t;
a65611d2 CP	109	files_type(no_access_t)
219bcf7a	110
a65611d2 CP	111	type poly_t;
a65611d2 CP	112	files_type(poly_t)
219bcf7a	113
a65611d2 CP	114	type readable_t;
a65611d2 CP	115	files_type(readable_t)
219bcf7a	116
a2d8246b CP	117	#
	118	# root_t is the type for rootfs and the root directory.
	119	#
a65611d2 CP	120	type root_t;
a65611d2 CP	121	files_mountpoint(root_t)
0f27d98d	122	files_poly_parent(root_t)
0fd9dc55	123	kernel_rootfs_mountpoint(root_t)
e02c61cf	124	genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
a2d8246b	125
b4cd1533 CP	126	#
	127	# src_t is the type of files in the system src directories.
	128	#
a65611d2 CP	129	type src_t;
a65611d2 CP	130	files_mountpoint(src_t)
b4cd1533	131
1c1ac67f CP	132	#
	133	# system_map_t is for the system.map files in /boot
	134	#
	135	type system_map_t;
	136	files_type(system_map_t)
037fc0f4	137	genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
1c1ac67f	138
b4cd1533 CP	139	#
	140	# tmp_t is the type of the temporary directories
	141	#
a65611d2	142	type tmp_t;
c3cf6693	143	files_tmp_file(tmp_t)
a65611d2 CP	144	files_mountpoint(tmp_t)
a65611d2 CP	145	files_poly(tmp_t)
0f27d98d	146	files_poly_parent(tmp_t)
b4cd1533 CP	147
	148	#
	149	# usr_t is the type for /usr.
	150	#
a65611d2 CP	151	type usr_t;
a65611d2 CP	152	files_mountpoint(usr_t)
b4cd1533 CP	153
	154	#
	155	# var_t is the type of /var
	156	#
a65611d2 CP	157	type var_t;
a65611d2 CP	158	files_mountpoint(var_t)
b4cd1533 CP	159
	160	#
	161	# var_lib_t is the type of /var/lib
	162	#
a65611d2 CP	163	type var_lib_t;
a65611d2 CP	164	files_mountpoint(var_lib_t)
b4cd1533 CP	165
	166	#
	167	# var_lock_t is tye type of /var/lock
	168	#
a65611d2 CP	169	type var_lock_t;
a65611d2 CP	170	files_lock_file(var_lock_t)
b4cd1533 CP	171
	172	#
	173	# var_run_t is the type of /var/run, usually
	174	# used for pid and other runtime files.
	175	#
a65611d2 CP	176	type var_run_t;
a65611d2 CP	177	files_pid_file(var_run_t)
14c0edc7	178	files_mountpoint(var_run_t)
b4cd1533 CP	179
	180	#
	181	# var_spool_t is the type of /var/spool
	182	#
c3cf6693 CP	183	type var_spool_t;
c3cf6693 CP	184	files_tmp_file(var_spool_t)
a65611d2 CP	185
	186	########################################
	187	#
	188	# Rules for all file types
	189	#
	190
	191	allow file_type self:filesystem associate;
	192
	193	fs_associate(file_type)
	194	fs_associate_noxattr(file_type)
350b6ab7	195	fs_associate_tmpfs(file_type)
495df416	196	fs_associate_ramfs(file_type)
165b42d2	197
a65611d2 CP	198	########################################
	199	#
	200	# Rules for all tmp file types
	201	#
	202
a65fd90a	203	allow file_type tmp_t:filesystem associate;
a65611d2 CP	204
	205	fs_associate_tmpfs(tmpfile)
	206
	207	########################################
	208	#
	209	# Rules for all tmpfs file types
	210	#
	211
	212	fs_associate_tmpfs(tmpfsfile)
b518fc2e CP	213
	214	########################################
	215	#
	216	# Unconfined access to this module
	217	#
	218
	219	# Create/access any file in a labeled filesystem;
	220	allow files_unconfined_type file_type:{ file chr_file } ~execmod;
	221	allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
	222
dccbb80c	223	# Mount/unmount any filesystem with the context= option.
b518fc2e CP	224	allow files_unconfined_type file_type:filesystem *;
b518fc2e CP	225
350b6ab7 CP	226	tunable_policy(`allow_execmod',`
350b6ab7 CP	227	allow files_unconfined_type file_type:file execmod;
b518fc2e	228	')