policy_module(filesystem, 1.17.2) ######################################## # # Declarations # attribute filesystem_type; attribute filesystem_unconfined_type; attribute noxattrfs; ############################## # # fs_t is the default type for persistent # filesystems with extended attributes # type fs_t; fs_type(fs_t) sid fs gen_context(system_u:object_r:fs_t,s0) typealias fs_t alias vxfs_t; typealias fs_t alias cephfs_t; # The inotifyfs_t alias is provided just in case an existing compiled module # still references this type. It can be removed after some grace period along # with fs_search_inotifyfs() and friends. typealias fs_t alias inotifyfs_t; # Use xattrs for the following filesystem types. # Requires that a security xattr handler exist for the filesystem. fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr erofs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ocfs2 gen_context(system_u:object_r:fs_t,s0); fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0); fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr shiftfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr vxfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr odms gen_context(system_u:object_r:fs_t,s0); fs_use_xattr vxclonefs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ceph gen_context(system_u:object_r:fs_t,s0); fs_use_xattr virtiofs gen_context(system_u:object_r:fs_t,s0); # Use the allocating task SID to label inodes in the following filesystem # types, and label the filesystem itself with the specified context. # This is appropriate for pseudo filesystems that represent objects # like pipes and sockets, so that these objects are labeled with the same # type as the creating task. fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0); fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0); fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0); ############################## # # Non-persistent/pseudo filesystems # type anon_inodefs_t; fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) type bdev_t; fs_type(bdev_t) genfscon bdev / gen_context(system_u:object_r:bdev_t,s0) type binfmt_misc_fs_t; fs_type(binfmt_misc_fs_t) files_mountpoint(binfmt_misc_fs_t) genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0) type bpf_t alias bpffs_t; fs_type(bpf_t) files_mountpoint(bpf_t) dev_associate_sysfs(bpf_t) genfscon bpf / gen_context(system_u:object_r:bpf_t,s0) type oracleasmfs_t; fs_type(oracleasmfs_t) dev_node(oracleasmfs_t) files_mountpoint(oracleasmfs_t) genfscon oracleasmfs / gen_context(system_u:object_r:oracleasmfs_t,s0) type capifs_t; fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) type cgroup_t alias cgroupfs_t; fs_type(cgroup_t) files_mountpoint(cgroup_t) dev_associate_sysfs(cgroup_t) genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0) genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0) type configfs_t; fs_type(configfs_t) genfscon configfs / gen_context(system_u:object_r:configfs_t,s0) type cpusetfs_t; fs_type(cpusetfs_t) allow cpusetfs_t self:filesystem associate; genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0) type ecryptfs_t; fs_noxattr_type(ecryptfs_t) files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) type efivarfs_t; fs_type(efivarfs_t) fs_noxattr_type(efivarfs_t) files_mountpoint(efivarfs_t) dev_associate_sysfs(efivarfs_t) genfscon efivarfs / gen_context(system_u:object_r:efivarfs_t,s0) type futexfs_t; fs_type(futexfs_t) genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0) type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); dev_associate(hugetlbfs_t) type ibmasmfs_t; fs_type(ibmasmfs_t) allow ibmasmfs_t self:filesystem associate; genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0) type infinibandeventfs_t; fs_type(infinibandeventfs_t) allow infinibandeventfs_t self:filesystem associate; genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0) type mvfs_t; fs_noxattr_type(mvfs_t) allow mvfs_t self:filesystem associate; genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) files_mountpoint(nfsd_fs_t) genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0) type nsfs_t; fs_type(nsfs_t) genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) type onload_fs_t; fs_type(onload_fs_t) files_mountpoint(onload_fs_t) genfscon onloadfs / gen_context(system_u:object_r:onload_fs_t,s0) type oprofilefs_t; fs_type(oprofilefs_t) genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) type pstore_t alias pstorefs_t; fs_type(pstore_t) files_mountpoint(pstore_t) dev_associate_sysfs(pstore_t) genfscon pstore / gen_context(system_u:object_r:pstore_t,s0) type romfs_t; fs_type(romfs_t) genfscon romfs / gen_context(system_u:object_r:romfs_t,s0) genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0) type rpc_pipefs_t; fs_type(rpc_pipefs_t) genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0) files_mountpoint(rpc_pipefs_t) type spufs_t; fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) type sysv_t; fs_noxattr_type(sysv_t) files_mountpoint(sysv_t) genfscon sysv / gen_context(system_u:object_r:sysv_t,s0) genfscon v7 / gen_context(system_u:object_r:sysv_t,s0) type tracefs_t; fs_type(tracefs_t) files_mountpoint(tracefs_t) genfscon tracefs / gen_context(system_u:object_r:tracefs_t,s0) type vmblock_t; fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t) genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0) genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0) genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0) # # tmpfs_t is the type for tmpfs filesystems # type tmpfs_t alias ramfs_t; dev_associate(tmpfs_t) fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) dev_associate(tmpfs_t) mls_trusted_object(tmpfs_t) # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, # and label the filesystem itself with the specified context. # This is appropriate for pseudo filesystems like devpts and tmpfs # where we want to label objects with a derived type. fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0); fs_use_trans ramfs gen_context(system_u:object_r:tmpfs_t,s0); allow tmpfs_t noxattrfs:filesystem associate; type xenfs_t; fs_noxattr_type(xenfs_t) files_mountpoint(xenfs_t) genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0) ############################## # # Filesystems without extended attribute support # type autofs_t; fs_noxattr_type(autofs_t) files_mountpoint(autofs_t) genfscon autofs / gen_context(system_u:object_r:autofs_t,s0) genfscon automount / gen_context(system_u:object_r:autofs_t,s0) # # cifs_t is the type for filesystems and their # files shared from Windows servers # type cifs_t alias sambafs_t; fs_noxattr_type(cifs_t) files_mountpoint(cifs_t) genfscon cifs / gen_context(system_u:object_r:cifs_t,s0) genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0) # # dosfs_t is the type for fat, vfat and exfat # filesystems and their files. # type dosfs_t; fs_noxattr_type(dosfs_t) files_mountpoint(dosfs_t) allow dosfs_t fs_t:filesystem associate; genfscon fat / gen_context(system_u:object_r:dosfs_t,s0) genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0) genfscon hfsplus / gen_context(system_u:object_r:dosfs_t,s0) genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0) genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0) genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0) genfscon ntfs3 / gen_context(system_u:object_r:dosfs_t,s0) genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0) genfscon exfat / gen_context(system_u:object_r:dosfs_t,s0) type fusefs_t; fs_noxattr_type(fusefs_t) files_mountpoint(fusefs_t) allow fusefs_t self:filesystem associate; allow fusefs_t fs_t:filesystem associate; genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0) genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0) genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0) # # iso9660_t is the type for CD filesystems # and their files. # type iso9660_t; fs_noxattr_type(iso9660_t) files_mountpoint(iso9660_t) genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0) genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) # # removable_t is the default type of all removable media # type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) files_type(removable_t) dev_node(removable_t) files_mountpoint(removable_t) # # nfs_t is the default type for NFS file systems # and their files. # type nfs_t; fs_noxattr_type(nfs_t) files_mountpoint(nfs_t) genfscon nfs / gen_context(system_u:object_r:nfs_t,s0) genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0) genfscon afs / gen_context(system_u:object_r:nfs_t,s0) genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0) genfscon coda / gen_context(system_u:object_r:nfs_t,s0) genfscon lustre / gen_context(system_u:object_r:nfs_t,s0) genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) genfscon 9p / gen_context(system_u:object_r:nfs_t,s0) # # virtiofs_t is the default type for virtio file systems # and their files. # type virtiofs_t; fs_noxattr_type(virtiofs_t) files_mountpoint(virtiofs_t) genfscon virtiofs / gen_context(system_u:object_r:virtiofs_t,s0) ######################################## # # Rules for all filesystem types # fs_associate(filesystem_type) allow filesystem_type self:filesystem associate; ######################################## # # Rules for filesystems without xattr support # # Allow me to mv from one noxattrfs to another nfs_t to dosfs_t for example fs_associate_noxattr(noxattrfs) ######################################## # # Unconfined access to this module # allow filesystem_unconfined_type filesystem_type:filesystem all_filesystem_perms; # Create/access other files. fs_type is to pick up various # pseudo filesystem types that are applied to both the filesystem # and its files. allow filesystem_unconfined_type filesystem_type:{ file } ~entrypoint; allow filesystem_unconfined_type filesystem_type:dir ~map; allow filesystem_unconfined_type filesystem_type:{ lnk_file sock_file fifo_file chr_file blk_file } *;