# Reference-policy module declaring the generic file types and the
# attributes that the rest of the policy groups file types under.
policy_module(files, 1.28.5)

########################################
#
# Declarations
#

# Attributes let a rule be written once for a whole group of types.
# Types are added to these groups by the files_* interfaces called later
# in this file (the interface bodies live in the .if file, not shown here).
attribute file_type;
# Domains carrying this attribute receive the broad rules in the
# "Unconfined access to this module" section at the end of this file.
attribute files_unconfined_type;
attribute lockfile;
attribute mountpoint;
attribute pidfile;
attribute configfile;
attribute spoolfile;

# For labeling types that are to be polyinstantiated
attribute polydir;

# And for labeling the parent directories of those polyinstantiated directories
# This is necessary for remounting the original in the parent to give
# security aware apps access
attribute polyparent;

# And labeling for the member directories
attribute polymember;

# sensitive security files whose accesses should
# not be dontaudited by policy that uses this attribute
attribute security_file_type;
# and its opposite
attribute non_security_file_type;

# sensitive authentication files whose accesses should
# not be dontaudited by policy that uses this attribute
attribute auth_file_type;
# and its opposite
attribute non_auth_file_type;

attribute tmpfile;
attribute tmpfsfile;

# this attribute is not currently used and will be removed in the future.
# unfortunately, this attribute can not be removed yet because it may cause
# some policies to fail to link if it is still required.
attribute usercanread;

#
# boot_t is the type for files in /boot
#
type boot_t;
files_mountpoint(boot_t)

# default_t is the default type for files that do not
# match any specification in the file_contexts configuration
# other than the generic /.* specification.
type default_t;
files_mountpoint(default_t)

#
# etc_t is the type of the system etc directories.
#
type etc_t, configfile;
files_type(etc_t)

optional_policy(`
	# for systemd ProtectSystem
	init_mountpoint(etc_t)
')

#
# etc_runtime_t is the type of various
# files in /etc that are automatically
# generated during initialization.
#
type etc_runtime_t;
files_type(etc_runtime_t)

#
# home_root_t is the type for the directory where user home directories
# are created
#
type home_root_t;
files_mountpoint(home_root_t)
# parent of polyinstantiated directories (see the polyparent attribute)
files_poly_parent(home_root_t)

#
# lost_found_t is the type for the lost+found directories.
#
type lost_found_t;
files_type(lost_found_t)

#
# mnt_t is the type for mount points such as /mnt/cdrom
#
type mnt_t;
files_mountpoint(mnt_t)

#
# modules_object_t is the type for kernel modules
#
type modules_object_t;
files_type(modules_object_t)

optional_policy(`
	# presumably for the same systemd ProtectSystem handling as etc_t — confirm
	init_mountpoint(modules_object_t)
')

# NOTE(review): no_access_t, poly_t and readable_t are undocumented in
# this file; their intended use has to be confirmed from the
# file_contexts and interface definitions.
type no_access_t;
files_type(no_access_t)

type poly_t;
files_type(poly_t)

type readable_t;
files_type(readable_t)

#
# root_t is the type for rootfs and the root directory.
#
type root_t;
files_mountpoint(root_t)
files_poly_parent(root_t)
kernel_rootfs_mountpoint(root_t)
# label the in-kernel rootfs itself, which has no file_contexts entry
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)

#
# src_t is the type of files in the system src directories.
#
type src_t;
files_mountpoint(src_t)

#
# system_map_t is for the system.map files in /boot
#
type system_map_t;
files_type(system_map_t)
# /proc/kallsyms gets the same label as System.map, so readers of the
# kernel symbol table in /proc are constrained like readers of /boot/System.map
genfscon proc /kallsyms gen_context(system_u:object_r:system_map_t,s0)

optional_policy(`
	init_mountpoint(system_map_t)
')

#
# tmp_t is the type of the temporary directories
#
type tmp_t;
files_tmp_file(tmp_t)
files_mountpoint(tmp_t)
# /tmp is both polyinstantiated and the parent of its polyinstantiated members
files_poly(tmp_t)
files_poly_parent(tmp_t)

#
# usr_t is the type for /usr.
#
type usr_t;
files_mountpoint(usr_t)

#
# var_t is the type of /var
#
type var_t;
files_mountpoint(var_t)

#
# var_lib_t is the type of /var/lib
#
type var_lib_t;
files_mountpoint(var_lib_t)

#
# var_lock_t is the type of /var/lock
#
type var_lock_t;
files_lock_file(var_lock_t)
files_mountpoint(var_lock_t)

#
# var_run_t is the type of /var/run, usually
# used for pid and other runtime files.
#
type var_run_t;
files_runtime_file(var_run_t)
files_mountpoint(var_run_t)

optional_policy(`
	# only symlinks of this type are handed to systemd-tmpfiles management
	systemd_tmpfilesd_managed(var_run_t, lnk_file)
')

#
# var_spool_t is the type of /var/spool
#
type var_spool_t;
# registered as a tmp file type rather than a plain file type
files_tmp_file(var_spool_t)

########################################
#
# Rules for all file types
#

# every file type may exist on a filesystem labeled with that same type
allow file_type self:filesystem associate;

# association with the named filesystem kinds; the filesystem types
# involved are defined by these interfaces (bodies not in this file)
fs_associate(file_type)
fs_associate_noxattr(file_type)
fs_associate_tmpfs(file_type)
fs_associate_ramfs(file_type)
fs_associate_hugetlbfs(file_type)

########################################
#
# Rules for all tmp file types
#

# NOTE(review): the subject here is file_type, not tmpfile, so any file
# type may live on a filesystem labeled tmp_t (for example a tmpfs
# mounted on /tmp); presumably intentional since arbitrary types are
# created under /tmp — confirm.
allow file_type tmp_t:filesystem associate;

fs_associate_tmpfs(tmpfile)

########################################
#
# Rules for all tmpfs file types
#

fs_associate_tmpfs(tmpfsfile)

########################################
#
# Unconfined access to this module
#

# Create/access any file in a labeled filesystem.
# These rules give files_unconfined_type nearly every file-class
# permission over every file_type, including relabelfrom/relabelto
# and mounton, so membership in this attribute bypasses all file-level
# restrictions expressed by this module; keep it to genuinely
# unconfined domains.  Note that execmod on regular files is absent
# from the file rule and is granted only under the allow_execmod
# tunable at the end of this section.
allow files_unconfined_type file_type:file { manage_file_perms relabelfrom relabelto map execute quotaon mounton execute_no_trans audit_access watch };
allow files_unconfined_type file_type:lnk_file  { manage_lnk_file_perms relabelfrom relabelto append map execute quotaon mounton open audit_access execmod watch };
allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabelfrom relabelto map execute quotaon mounton audit_access execmod watch };
allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabelfrom relabelto map execute quotaon mounton audit_access watch };
allow files_unconfined_type file_type:dir { manage_dir_perms relabelfrom relabelto append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch };

# Mount/unmount any filesystem with the context= option.
allow files_unconfined_type file_type:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };

# execmod on regular files stays behind the allow_execmod tunable even
# for unconfined domains
tunable_policy(`allow_execmod',`
	allow files_unconfined_type file_type:file execmod;
')