policy_module(files, 1.22.0)
# Core file type declarations for the system filesystem layout, the
# attributes that group them, and the rules shared by every file type
# (filesystem association, tmp/tmpfs association and the unconfined
# exception).
########################################
#
# Declarations
#
# Every type declared for on-disk objects carries file_type; the
# "Rules for all file types" section below applies to all of them.
attribute file_type;
# Domains carrying this attribute get the near-unrestricted access
# to every file_type granted in the "Unconfined access" section below.
attribute files_unconfined_type;
# var_lock_t is attached to this attribute below (files_lock_file).
attribute lockfile;
# Types used as mount points (files_mountpoint below).
attribute mountpoint;
# var_run_t is attached to this attribute below (files_pid_file).
attribute pidfile;
attribute spoolfile;
# etc_t is declared with this attribute directly below.
attribute configfile;
# For labeling types that are to be polyinstantiated
attribute polydir;
# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
attribute polyparent;
# And labeling for the member directories
attribute polymember;
# sensitive security files whose accesses should never be
# dontaudited, so that attempts to reach them stay visible in the audit log
attribute security_file_type;
# and its opposite
attribute non_security_file_type;
# sensitive authentication files whose accesses should never be
# dontaudited, so that attempts to reach them stay visible in the audit log
attribute auth_file_type;
# and its opposite
attribute non_auth_file_type;
# tmp_t and var_spool_t are attached via files_tmp_file below; see also
# the tmpfs association rule for tmpfile further down.
attribute tmpfile;
attribute tmpfsfile;
# this attribute is not currently used and will be removed in the future.
# unfortunately, this attribute can not be removed yet because it may cause
# some policies to fail to link if it is still required.
attribute usercanread;
#
# boot_t is the type for files in /boot
#
type boot_t;
files_mountpoint(boot_t)
# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
# other than the generic /.* specification.
type default_t;
files_mountpoint(default_t)
#
# etc_t is the type of the system etc directories.
#
type etc_t, configfile;
files_type(etc_t)
# compatibility aliases for removed types:
typealias etc_t alias automount_etc_t;
typealias etc_t alias snmpd_etc_t;
#
# etc_runtime_t is the type of various
# files in /etc that are automatically
# generated during initialization.
#
type etc_runtime_t;
files_type(etc_runtime_t)
#
# home_root_t is the type for the directory where user home directories
# are created
#
type home_root_t;
files_mountpoint(home_root_t)
files_poly_parent(home_root_t)
#
# lost_found_t is the type for the lost+found directories.
#
type lost_found_t;
files_type(lost_found_t)
#
# mnt_t is the type for mount points such as /mnt/cdrom
#
type mnt_t;
files_mountpoint(mnt_t)
#
# modules_object_t is the type for kernel modules
#
type modules_object_t;
files_type(modules_object_t)
# no_access_t: no description is given in this file; presumably a type
# for files that no domain should be able to reach — confirm against the
# module's interface file before relying on it.
type no_access_t;
files_type(no_access_t)
# poly_t: not described here; presumably the generic type for
# polyinstantiated directory instances (see files_poly(tmp_t) below) — confirm.
type poly_t;
files_type(poly_t)
# readable_t: not described here; presumably a type for files that are
# meant to be readable by all domains — confirm.
type readable_t;
files_type(readable_t)
#
# root_t is the type for rootfs and the root directory.
#
type root_t;
files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
# The root of the rootfs pseudo-filesystem itself is labeled root_t.
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
#
# src_t is the type of files in the system src directories.
#
type src_t;
files_mountpoint(src_t)
#
# system_map_t is for the system.map files in /boot
#
type system_map_t;
files_type(system_map_t)
# /proc/kallsyms lists kernel symbol addresses, so it is given the same
# type as System.map rather than the generic proc label; read access to
# both is therefore controlled by the same rules.
genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)
#
# tmp_t is the type of the temporary directories
#
type tmp_t;
files_tmp_file(tmp_t)
files_mountpoint(tmp_t)
# tmp_t is both polyinstantiated and the parent of its own instances.
files_poly(tmp_t)
files_poly_parent(tmp_t)
#
# usr_t is the type for /usr.
#
type usr_t;
files_mountpoint(usr_t)
#
# var_t is the type of /var
#
type var_t;
files_mountpoint(var_t)
#
# var_lib_t is the type of /var/lib
#
type var_lib_t;
files_mountpoint(var_lib_t)
#
# var_lock_t is the type of /var/lock
#
type var_lock_t;
files_lock_file(var_lock_t)
files_mountpoint(var_lock_t)
#
# var_run_t is the type of /var/run, usually
# used for pid and other runtime files.
#
type var_run_t;
files_pid_file(var_run_t)
files_mountpoint(var_run_t)
# Only takes effect when the systemd module is part of the policy:
# lets systemd-tmpfiles manage symlinks labeled var_run_t.
optional_policy(`
systemd_tmpfiles_manage_object(var_run_t, lnk_file)
')
#
# var_spool_t is the type of /var/spool
#
type var_spool_t;
files_tmp_file(var_spool_t)
########################################
#
# Rules for all file types
#
# Every file type may be placed on a filesystem labeled with its own type,
# and on the ordinary, noxattr, tmpfs, ramfs and hugetlbfs filesystems.
allow file_type self:filesystem associate;
fs_associate(file_type)
fs_associate_noxattr(file_type)
fs_associate_tmpfs(file_type)
fs_associate_ramfs(file_type)
fs_associate_hugetlbfs(file_type)
########################################
#
# Rules for all tmp file types
#
# NOTE: this rule is granted to every file_type, not only to tmpfile:
# any file type may be associated with a filesystem labeled tmp_t.
allow file_type tmp_t:filesystem associate;
# Only tmpfile types (not all file_type) get the tmpfs association here;
# file_type already received it in the section above.
fs_associate_tmpfs(tmpfile)
########################################
#
# Rules for all tmpfs file types
#
fs_associate_tmpfs(tmpfsfile)
########################################
#
# Unconfined access to this module
#
# Create/access any file in a labeled filesystem;
# For file and chr_file every permission except entrypoint and execmod is
# granted: entrypoint is never granted here, and execmod is granted only
# through the allow_execmod tunable below. The other object classes get
# the full permission set.
allow files_unconfined_type file_type:{ file chr_file } ~{ entrypoint execmod };
allow files_unconfined_type file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
# Mount/unmount any filesystem with the context= option.
allow files_unconfined_type file_type:filesystem *;
# execmod on every file_type is opt-in: it only applies while the
# allow_execmod boolean is enabled, so it can be audited/disabled separately.
tunable_policy(`allow_execmod',`
allow files_unconfined_type file_type:file execmod;
')