policy_module(filesystem, 1.17.2)

########################################
#
# Declarations
#

# Attribute shared by the filesystem types declared in this module.  The
# module-wide rules at the end of the file (associate, unconfined access)
# are written against this attribute rather than against individual types.
# NOTE(review): the fs_type()/fs_noxattr_type() interfaces that presumably
# assign it are defined in filesystem.if, which is not part of this file.
attribute filesystem_type;

# Domains granted the unrestricted filesystem access rules at the end of
# this module ("Unconfined access to this module").
attribute filesystem_unconfined_type;

# Filesystems that cannot store security extended attributes.  Members get
# the cross-filesystem associate rules in "Rules for filesystems without
# xattr support" below.
attribute noxattrfs;
##############################
#
# fs_t is the default type for persistent
# filesystems with extended attributes
#
type fs_t;
fs_type(fs_t)
# Initial SID used for filesystem objects before any other labeling applies.
sid fs gen_context(system_u:object_r:fs_t,s0)
typealias fs_t alias vxfs_t;
typealias fs_t alias cephfs_t;

# The inotifyfs_t alias is provided just in case an existing compiled module
# still references this type. It can be removed after some grace period along
# with fs_search_inotifyfs() and friends.
typealias fs_t alias inotifyfs_t;

# Use xattrs for the following filesystem types.
# Requires that a security xattr handler exist for the filesystem.
# The filesystem itself is labeled fs_t; individual inodes take whatever
# label is stored in their security xattr.
# NOTE(review): lustre, ceph and virtiofs also appear as genfscon entries
# (or an fs_t alias) later in this file; which labeling the kernel picks
# when the filesystem does not actually expose security xattrs should be
# confirmed against the kernel's fs_use/genfs fallback rather than assumed.
fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr erofs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr shiftfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr vxfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr odms gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr vxclonefs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ceph gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr virtiofs gen_context(system_u:object_r:fs_t,s0);

# Use the allocating task SID to label inodes in the following filesystem
# types, and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems that represent objects
# like pipes and sockets, so that these objects are labeled with the same
# type as the creating task.
fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0);
fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
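##############################
#
# Non-persistent/pseudo filesystems
#
# Each stanza declares one type, marks it as a filesystem type, and maps
# one or more kernel filesystem names onto it with genfscon.  Types that
# also get files_mountpoint() may have other filesystems mounted on top.
#

type anon_inodefs_t;
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)

type bdev_t;
fs_type(bdev_t)
genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)

type binfmt_misc_fs_t;
fs_type(binfmt_misc_fs_t)
files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)

# dev_associate_sysfs() is used for filesystems that are mounted beneath
# sysfs-labeled directories (see devices.if, not shown here).
type bpf_t alias bpffs_t;
fs_type(bpf_t)
files_mountpoint(bpf_t)
dev_associate_sysfs(bpf_t)
genfscon bpf / gen_context(system_u:object_r:bpf_t,s0)

type oracleasmfs_t;
fs_type(oracleasmfs_t)
dev_node(oracleasmfs_t)
files_mountpoint(oracleasmfs_t)
genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0)

type capifs_t;
fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)

# Both cgroup v1 and v2 mounts share a single type.
type cgroup_t alias cgroupfs_t;
fs_type(cgroup_t)
files_mountpoint(cgroup_t)
dev_associate_sysfs(cgroup_t)
genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)

type configfs_t;
fs_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)

# NOTE(review): the explicit self:filesystem associate rules on cpusetfs_t,
# ibmasmfs_t, infinibandeventfs_t and mvfs_t look redundant with the
# module-wide "allow filesystem_type self:filesystem associate;" rule at
# the end of this file, assuming fs_type()/fs_noxattr_type() assign the
# filesystem_type attribute.  Left as-is; confirm against filesystem.if.
type cpusetfs_t;
fs_type(cpusetfs_t)
allow cpusetfs_t self:filesystem associate;
genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)

type ecryptfs_t;
fs_noxattr_type(ecryptfs_t)
files_mountpoint(ecryptfs_t)
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)

# NOTE(review): efivarfs_t gets both fs_type() and fs_noxattr_type(); if
# fs_noxattr_type() already implies fs_type() the first call is redundant.
type efivarfs_t;
fs_type(efivarfs_t)
fs_noxattr_type(efivarfs_t)
files_mountpoint(efivarfs_t)
dev_associate_sysfs(efivarfs_t)
genfscon efivarfs / gen_context(system_u:object_r:efivarfs_t,s0)

type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)

# hugetlbfs uses fs_use_trans rather than genfscon, so inodes are labeled
# by type transition from the creating task (see the tmpfs comment below).
type hugetlbfs_t;
fs_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
dev_associate(hugetlbfs_t)

type ibmasmfs_t;
fs_type(ibmasmfs_t)
allow ibmasmfs_t self:filesystem associate;
genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)

type infinibandeventfs_t;
fs_type(infinibandeventfs_t)
allow infinibandeventfs_t self:filesystem associate;
genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)

type mvfs_t;
fs_noxattr_type(mvfs_t)
allow mvfs_t self:filesystem associate;
genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)

type nfsd_fs_t;
fs_type(nfsd_fs_t)
files_mountpoint(nfsd_fs_t)
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)

type nsfs_t;
fs_type(nsfs_t)
genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)

type onload_fs_t;
fs_type(onload_fs_t)
files_mountpoint(onload_fs_t)
genfscon onloadfs / gen_context(system_u:object_r:onload_fs_t,s0)

type oprofilefs_t;
fs_type(oprofilefs_t)
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)

type pstore_t alias pstorefs_t;
fs_type(pstore_t)
files_mountpoint(pstore_t)
dev_associate_sysfs(pstore_t)
genfscon pstore / gen_context(system_u:object_r:pstore_t,s0)

# romfs and cramfs share one type.
type romfs_t;
fs_type(romfs_t)
genfscon romfs / gen_context(system_u:object_r:romfs_t,s0)
genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)

type rpc_pipefs_t;
fs_type(rpc_pipefs_t)
genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
files_mountpoint(rpc_pipefs_t)

type spufs_t;
fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)

# sysv and v7 share one type.
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
genfscon sysv / gen_context(system_u:object_r:sysv_t,s0)
genfscon v7 / gen_context(system_u:object_r:sysv_t,s0)

type tracefs_t;
fs_type(tracefs_t)
files_mountpoint(tracefs_t)
genfscon tracefs / gen_context(system_u:object_r:tracefs_t,s0)

# VMware and VirtualBox host-share filesystems share one type.
type vmblock_t;
fs_noxattr_type(vmblock_t)
files_mountpoint(vmblock_t)
genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0)
genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0)

#
# tmpfs_t is the type for tmpfs filesystems
#
# The original file called dev_associate(tmpfs_t) twice; the duplicate
# has been dropped, which does not change the resulting policy.
type tmpfs_t alias ramfs_t;
dev_associate(tmpfs_t)
fs_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
mls_trusted_object(tmpfs_t)

# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
# and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems like devpts and tmpfs
# where we want to label objects with a derived type.
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans ramfs gen_context(system_u:object_r:tmpfs_t,s0);

# tmpfs_t files may live on (be associated with) any noxattr filesystem.
allow tmpfs_t noxattrfs:filesystem associate;

type xenfs_t;
fs_noxattr_type(xenfs_t)
files_mountpoint(xenfs_t)
genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)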
##############################
#
# Filesystems without extended attribute support
#
# These types are declared with fs_noxattr_type(), so every file on such a
# filesystem carries the filesystem's own type; there is no per-inode label.
#

type autofs_t;
fs_noxattr_type(autofs_t)
files_mountpoint(autofs_t)
genfscon autofs / gen_context(system_u:object_r:autofs_t,s0)
genfscon automount / gen_context(system_u:object_r:autofs_t,s0)

#
# cifs_t is the type for filesystems and their
# files shared from Windows servers
#
type cifs_t alias sambafs_t;
fs_noxattr_type(cifs_t)
files_mountpoint(cifs_t)
genfscon cifs / gen_context(system_u:object_r:cifs_t,s0)
genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)

#
# dosfs_t is the type for fat, vfat and exfat
# filesystems and their files.
#
# Also used for hfs/hfsplus and the ntfs drivers, which are grouped with
# the FAT family here.
type dosfs_t;
fs_noxattr_type(dosfs_t)
files_mountpoint(dosfs_t)
# Permits dosfs_t-labeled files to be associated with an fs_t filesystem.
allow dosfs_t fs_t:filesystem associate;
genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0)
genfscon hfsplus / gen_context(system_u:object_r:dosfs_t,s0)
genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
genfscon ntfs3 / gen_context(system_u:object_r:dosfs_t,s0)
genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
genfscon exfat / gen_context(system_u:object_r:dosfs_t,s0)

# One type covers the FUSE data mounts and the fusectl control filesystem.
type fusefs_t;
fs_noxattr_type(fusefs_t)
files_mountpoint(fusefs_t)
allow fusefs_t self:filesystem associate;
allow fusefs_t fs_t:filesystem associate;
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0)

#
# iso9660_t is the type for CD filesystems
# and their files.
#
type iso9660_t;
fs_noxattr_type(iso9660_t)
files_mountpoint(iso9660_t)
genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)

#
# removable_t is the default type of all removable media
#
# No genfscon entry: this type is applied by mount context / device
# configuration rather than by filesystem name.
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
files_type(removable_t)
dev_node(removable_t)
files_mountpoint(removable_t)

#
# nfs_t is the default type for NFS file systems
# and their files.
#
# Several other network/cluster/legacy filesystems are mapped onto nfs_t
# as well (afs, coda, lustre, ncpfs, panfs, 9p, ...).
# NOTE(review): lustre also has an fs_use_xattr entry earlier in this file;
# which labeling applies depends on whether the mount exposes security
# xattrs — confirm rather than assume.
type nfs_t;
fs_noxattr_type(nfs_t)
files_mountpoint(nfs_t)
genfscon nfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0)
genfscon coda / gen_context(system_u:object_r:nfs_t,s0)
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon 9p / gen_context(system_u:object_r:nfs_t,s0)

#
# virtiofs_t is the default type for virtio file systems
# and their files.
#
# NOTE(review): virtiofs also has an fs_use_xattr entry (labeled fs_t)
# earlier in this file; this genfscon entry is presumably the fallback when
# the shared directory does not provide security xattrs — confirm.
type virtiofs_t;
fs_noxattr_type(virtiofs_t)
files_mountpoint(virtiofs_t)
genfscon virtiofs / gen_context(system_u:object_r:virtiofs_t,s0)
########################################
#
# Rules for all filesystem types
#

# Every filesystem_type may have its own files associated with it.
# fs_associate() is an interface from filesystem.if (not shown here).
fs_associate(filesystem_type)
allow filesystem_type self:filesystem associate;
########################################
#
# Rules for filesystems without xattr support
#

# Allow files to be moved from one noxattr filesystem to another,
# e.g. from nfs_t to dosfs_t: a file labeled with one noxattrfs type must
# be permitted to associate with the destination filesystem.
fs_associate_noxattr(noxattrfs)
########################################
#
# Unconfined access to this module
#

# Full filesystem-class access (mount, remount, getattr, quota, ...) to
# every filesystem_type for domains carrying filesystem_unconfined_type.
allow filesystem_unconfined_type filesystem_type:filesystem all_filesystem_perms;

# Create/access other files. fs_type is to pick up various
# pseudo filesystem types that are applied to both the filesystem
# and its files.
# entrypoint is deliberately excluded from the file permissions, so a file
# labeled only with a filesystem type can never serve as a domain entry
# point; map is excluded for directories.
allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint;
allow filesystem_unconfined_type filesystem_type:dir ~map;
allow filesystem_unconfined_type filesystem_type:{ lnk_file sock_file fifo_file chr_file blk_file } *;