File: cil_file_labeling_statements.md

Source package: android-platform-external-libselinux 10.0.0+r36-2
File Labeling Statements
========================

filecon
-------

Define entries for labeling files. The compiler will produce these entries in a file called **`file_contexts`**`(5)` by default in the `cwd`. The compiler option `[-f|--filecontext <filename>]` may be used to specify a different path or file name.

**Statement definition:**

    (filecon "path" file_type context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>filecon</code></p></td>
<td align="left"><p>The <code>filecon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>path</code></p></td>
<td align="left"><p>A string representing the file path that may be in the form of a regular expression. The string must be enclosed within double quotes (e.g. <code>&quot;/this/is/a/path(/.*)?&quot;</code>)</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>file_type</code></p></td>
<td align="left"><p>A single keyword representing a file type in the <code>file_contexts</code> file as follows:</p>
<table>
<colgroup>
<col width="44%" />
<col width="55%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><strong>keyword</strong></p></td>
<td align="left"><p><strong>file_contexts entry</strong></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>file</code></p></td>
<td align="left"><p><code>--</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>dir</code></p></td>
<td align="left"><p><code>-d</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>char</code></p></td>
<td align="left"><p><code>-c</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p><code>-b</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>socket</code></p></td>
<td align="left"><p><code>-s</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>pipe</code></p></td>
<td align="left"><p><code>-p</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>symlink</code></p></td>
<td align="left"><p><code>-l</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>any</code></p></td>
<td align="left"><p>no entry</p></td>
</tr>
</tbody>
</table></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>The security context to be allocated to the file, which may be:</p>
<ul>
<li><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</p></li>
<li><p>An empty context list represented by <code>()</code> can be used to indicate that matching files should not be re-labeled. This will be interpreted as <code>&lt;&lt;none&gt;&gt;</code> within the <strong><code>file_contexts</code></strong><code>(5)</code> file.</p></li>
</ul></td>
</tr>
</tbody>
</table>

**Examples:**

These examples use one named, one anonymous and one empty context definition:

    (context runas_exec_context (u object_r exec low_low))

    (filecon "/system/bin/run-as" file runas_exec_context)
    (filecon "/dev/socket/wpa_wlan[0-9]" any (u object_r wpa.socket ((s0) (s0))))
    (filecon "/data/local/mine" dir ())

which the compiler resolves to the following `file_contexts` entries (assuming an MLS-enabled policy):

    /system/bin/run-as  -- u:object_r:runas.exec:s0
    /dev/socket/wpa_wlan[0-9]   u:object_r:wpa.socket:s0
    /data/local/mine -d <<none>>
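As an added example (not from the CIL documentation or secilc), the following Python models that resolution: it reads the `context` and `filecon` statements above and emits the corresponding `file_contexts` lines, whitespace aside. It assumes the `low_low` levelrange is `s0-s0`, writes the type fully qualified (`runas.exec`) because namespace resolution is not modelled, and ignores MLS categories.

```python
import re
# file_type keyword -> file_contexts type field (table above); "any" emits no field.
FILE_TYPE_FIELD = {"file": "--", "dir": "-d", "char": "-c", "block": "-b",
                   "socket": "-s", "pipe": "-p", "symlink": "-l", "any": None}

def parse_cil(text):
    """Minimal s-expression reader for CIL; ';' comments are stripped first."""
    stack = [[]]
    for tok in re.findall(r'\(|\)|"[^"]*"|[^\s()]+', re.sub(r";.*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            stack[-2].append(stack.pop())   # close the innermost form
        else:
            stack[-1].append(tok)
    return stack[0]

def levelrange_string(lr, levelranges):
    """Named levelrange id or anonymous ((low) (high)); categories are out of scope."""
    low, high = levelranges[lr] if isinstance(lr, str) else (lr[0][0], lr[1][0])
    return low if low == high else f"{low}-{high}"

def context_string(ctx, contexts, levelranges):
    """Render a named, anonymous (user role type levelrange) or empty () context."""
    if isinstance(ctx, str):          # previously declared context identifier
        ctx = contexts[ctx]
    if ctx == []:                     # empty context: matching files are not relabeled
        return "<<none>>"
    user, role, type_, lr = ctx
    return f"{user}:{role}:{type_}:{levelrange_string(lr, levelranges)}"

def build_file_contexts(cil_text, levelranges):
    """Collect context declarations, then emit one file_contexts line per filecon."""
    contexts, lines = {}, []
    for form in parse_cil(cil_text):
        if form[0] == "context":
            contexts[form[1]] = form[2]
        elif form[0] == "filecon":
            _, path, file_type, ctx = form
            fields = [path.strip('"'), FILE_TYPE_FIELD[file_type],
                      context_string(ctx, contexts, levelranges)]
            lines.append(" ".join(f for f in fields if f is not None))
    return lines

# Constructed input mirroring the page's example (type written fully qualified, since
# namespace resolution is not modelled); low_low is assumed to be the range s0-s0.
POLICY = """(context runas_exec_context (u object_r runas.exec low_low))
(filecon "/system/bin/run-as" file runas_exec_context)
(filecon "/dev/socket/wpa_wlan[0-9]" any (u object_r wpa.socket ((s0) (s0))))
(filecon "/data/local/mine" dir ())"""
```

Calling `build_file_contexts(POLICY, {"low_low": ("s0", "s0")})` returns the three entries listed above.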

fsuse
-----

Label filesystems that support SELinux security contexts.

**Statement definition:**

    (fsuse fstype fsname context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>fsuse</code></p></td>
<td align="left"><p>The <code>fsuse</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>fstype</code></p></td>
<td align="left"><p>A single keyword representing the type of filesystem as follows:</p>
<ul>
<li><p><code>task</code> - For pseudo filesystems supporting task related services such as pipes and sockets.</p></li>
<li><p><code>trans</code> - For pseudo filesystems such as pseudo terminals and temporary objects.</p></li>
<li><p><code>xattr</code> - Filesystems supporting the extended attribute <code>security.selinux</code>. The labeling is persistent for filesystems that support extended attributes.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p><code>fsname</code></p></td>
<td align="left"><p>Name of the supported filesystem (e.g. <code>ext4</code> or <code>pipefs</code>).</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>The security context to be allocated to the filesystem.</p>
<p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Examples:**

The [context](#context) identifiers are declared in the `file` namespace and the [`fsuse`](cil_file_labeling_statements.md#fsuse) statements in the global namespace:

    (block file
        (type labeledfs)
        (roletype object_r labeledfs)
        (context labeledfs_context (u object_r labeledfs low_low))

        (type pipefs)
        (roletype object_r pipefs)
        (context pipefs_context (u object_r pipefs low_low))
        ...
    )

    (fsuse xattr ext4 file.labeledfs_context)
    (fsuse xattr btrfs file.labeledfs_context)

    (fsuse task pipefs file.pipefs_context)
    (fsuse task sockfs file.sockfs_context)

    (fsuse trans devpts file.devpts_context)
    (fsuse trans tmpfs file.tmpfs_context)

genfscon
--------

Used to allocate a security context to filesystems that cannot support any of the [`fsuse`](cil_file_labeling_statements.md#fsuse) file labeling options. Generally a filesystem would have a single default security context assigned by [`genfscon`](cil_file_labeling_statements.md#genfscon) from the root `(/)` that would then be inherited by all files and directories on that filesystem. The exception to this is the `/proc` filesystem, where directories can be labeled with a specific security context (as shown in the examples).

**Statement definition:**

    (genfscon fsname path context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>genfscon</code></p></td>
<td align="left"><p>The <code>genfscon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>fsname</code></p></td>
<td align="left"><p>Name of the supported filesystem (e.g. <code>rootfs</code> or <code>proc</code>).</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>path</code></p></td>
<td align="left"><p>If <code>fsname</code> is <code>proc</code>, then the partial path (see examples). For all other types this must be ‘<code>/</code>’.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Examples:**

The [context](#context) identifiers are declared in the `file` namespace and the [`genfscon`](cil_file_labeling_statements.md#genfscon) statements are then inserted using the [`in`](cil_container_statements.md#in) container statement:

    (block file
        (type rootfs)
        (roletype object_r rootfs)
        (context rootfs_context (u object_r rootfs low_low))

        (type proc)
        (roletype object_r proc)
        (context proc_context (u object_r proc low_low))
        ...
    )

    (in file
        (genfscon rootfs / rootfs_context)
        ; proc labeling can be further refined (longest matching prefix).
        (genfscon proc / proc_context)
        (genfscon proc /net/xt_qtaguid/ctrl qtaguid_proc_context)
        (genfscon proc /sysrq-trigger sysrq_proc_context)
        (genfscon selinuxfs / selinuxfs_context)
    )
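As an added example (not from the CIL documentation or the kernel), the following Python models two rules stated above: the check that only `proc` may carry a partial path, and the longest-matching-prefix lookup that picks a context for a path on a `genfscon`-labeled filesystem. The context strings in the table are constructed, since the page only declares identifiers for `rootfs` and `proc`.

```python
# (fsname, path, context) tuples mirroring the genfscon statements above; the
# context strings are constructed for the example.
GENFSCON = [
    ("rootfs", "/", "u:object_r:rootfs:s0"),
    ("proc", "/", "u:object_r:proc:s0"),
    ("proc", "/net/xt_qtaguid/ctrl", "u:object_r:qtaguid_proc:s0"),
    ("proc", "/sysrq-trigger", "u:object_r:sysrq_proc:s0"),
    ("selinuxfs", "/", "u:object_r:selinuxfs:s0"),
]

def check_genfscon(table):
    """Return (fsname, path) pairs that break the rule in the table above:
    only proc may use a partial path; every other filesystem is labeled from '/'."""
    return [(fs, path) for fs, path, _ in table if fs != "proc" and path != "/"]

def genfs_lookup(fsname, path, table=GENFSCON):
    """Context for `path` on `fsname`: the entry whose path is the longest prefix
    of `path` wins. This models a plain string-prefix match (not a path-component
    match). Returns None when the filesystem has no genfscon entry at all, i.e. it
    is labeled by fsuse or left unlabeled."""
    best = None
    for fs, prefix, ctx in table:
        if fs == fsname and path.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, ctx)
    return best[1] if best else None
```

With this table, `/net/dev` on `proc` falls back to the `/` entry while `/net/xt_qtaguid/ctrl` gets its own context, and a lookup on `ext4` returns None because that filesystem is labeled through `fsuse`.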