# FLASK

#
# Security contexts for files in filesystems that
# cannot support xattr or use one of the fixed labeling schemes
# specified in fs_use.
#
# Each specification has the form:
# genfscon fstype pathname-prefix [ -type ] context
#
# The entry with the longest matching pathname prefix is used.
# / refers to the root directory of the file system, and
# everything is specified relative to this root directory.
# If there is no entry with a matching pathname prefix, then
# the unlabeled initial SID is used.
#
# The optional type field specifies the file type as shown in the mode
# field by ls, e.g. use -c to match only character device files, -b
# to match only block device files.
#
# Except for proc, in 2.6 other filesystems are limited to a single entry (/)
# that covers all entries in the filesystem with a default file context.
# For proc, a pathname can be reliably generated from the proc_dir_entry
# tree. The proc /sys entries are used for both proc inodes and for sysctl(2)
# calls. /proc/PID entries are automatically labeled based on the associated
# process.
#
# Support for other filesystem types requires corresponding code to be
# added to the kernel, either as an xattr handler in the filesystem
# implementation (preferred, and necessary if you want to access the labels
# from userspace) or as logic in the SELinux module.

# proc (excluding /proc/PID)
# Longest-prefix matching applies within this section: e.g. /sys/kernel/modprobe
# wins over /sys/kernel, which wins over /sys, which wins over /.
genfscon proc / system_u:object_r:proc_t:s0
# kmsg and kcore are the only entries in this file whose MLS range is not a
# plain s0: they carry s15:c0.c255, i.e. the top sensitivity with every
# category (assuming the usual 16-level / 256-category MLS definitions --
# confirm against this policy's mls block). Under MLS that limits read access
# to subjects whose clearance dominates that range. Presumably chosen because
# these two files expose the kernel log buffer and a kernel memory image.
genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s15:c0.c255
genfscon proc /kcore system_u:object_r:proc_kcore_t:s15:c0.c255
genfscon proc /mdstat system_u:object_r:proc_mdstat_t:s0
# Note: a *_device_t type rather than a proc_*_t type.
genfscon proc /mtrr system_u:object_r:mtrr_device_t:s0
genfscon proc /net system_u:object_r:proc_net_t:s0
# Same type as / above; the explicit entry documents the path but does not
# change how /proc/sysvipc would otherwise be labeled.
genfscon proc /sysvipc system_u:object_r:proc_t:s0
# /proc/sys subtree: per the header these contexts also govern sysctl(2) calls.
genfscon proc /sys system_u:object_r:sysctl_t:s0
genfscon proc /sys/kernel system_u:object_r:sysctl_kernel_t:s0
genfscon proc /sys/kernel/modprobe system_u:object_r:sysctl_modprobe_t:s0
genfscon proc /sys/kernel/hotplug system_u:object_r:sysctl_hotplug_t:s0
genfscon proc /sys/net system_u:object_r:sysctl_net_t:s0
genfscon proc /sys/net/unix system_u:object_r:sysctl_net_unix_t:s0
genfscon proc /sys/vm system_u:object_r:sysctl_vm_t:s0
genfscon proc /sys/dev system_u:object_r:sysctl_dev_t:s0
# More specific than /net above, so /proc/net/rpc and everything beneath it
# gets a sysctl type instead of proc_net_t.
genfscon proc /net/rpc system_u:object_r:sysctl_rpc_t:s0
genfscon proc /irq system_u:object_r:sysctl_irq_t:s0

# Every filesystem below gets a single root (/) entry: per the header, in 2.6
# only proc supports per-path entries, so the root context is the default
# label for every file in that filesystem.

# rootfs
genfscon rootfs / system_u:object_r:root_t:s0

# sysfs
genfscon sysfs / system_u:object_r:sysfs_t:s0

# selinuxfs
genfscon selinuxfs / system_u:object_r:security_t:s0

# autofs
# Both fstype names map to the same autofs_t type.
genfscon autofs / system_u:object_r:autofs_t:s0
genfscon automount / system_u:object_r:autofs_t:s0

# usbdevfs
genfscon usbdevfs / system_u:object_r:usbdevfs_t:s0

# iso9660
# udf shares iso9660_t.
genfscon iso9660 / system_u:object_r:iso9660_t:s0
genfscon udf / system_u:object_r:iso9660_t:s0

# romfs
# cramfs shares romfs_t.
genfscon romfs / system_u:object_r:romfs_t:s0
genfscon cramfs / system_u:object_r:romfs_t:s0

# ramfs
genfscon ramfs / system_u:object_r:ramfs_t:s0

# vfat, msdos
# Note: ntfs is also labeled dosfs_t, the same type as the FAT family.
genfscon vfat / system_u:object_r:dosfs_t:s0
genfscon msdos / system_u:object_r:dosfs_t:s0
genfscon fat / system_u:object_r:dosfs_t:s0
genfscon ntfs / system_u:object_r:dosfs_t:s0

# samba
genfscon cifs / system_u:object_r:cifs_t:s0
genfscon smbfs / system_u:object_r:cifs_t:s0

# nfs
# afs is also given nfs_t here rather than a type of its own.
genfscon nfs / system_u:object_r:nfs_t:s0
genfscon nfs4 / system_u:object_r:nfs_t:s0
genfscon afs / system_u:object_r:nfs_t:s0

# Miscellaneous filesystem types, one dedicated type each.
genfscon debugfs / system_u:object_r:debugfs_t:s0
genfscon inotifyfs / system_u:object_r:inotifyfs_t:s0
genfscon hugetlbfs / system_u:object_r:hugetlbfs_t:s0
genfscon capifs / system_u:object_r:capifs_t:s0
genfscon configfs / system_u:object_r:configfs_t:s0

# needs more work
# (original note; what is outstanding is not recorded here -- the entries
# below are single default-context labels like the sections above)
genfscon eventpollfs / system_u:object_r:eventpollfs_t:s0
genfscon futexfs / system_u:object_r:futexfs_t:s0
genfscon bdev / system_u:object_r:bdev_t:s0
genfscon usbfs / system_u:object_r:usbfs_t:s0
genfscon nfsd / system_u:object_r:nfsd_fs_t:s0
genfscon rpc_pipefs / system_u:object_r:rpc_pipefs_t:s0
genfscon binfmt_misc / system_u:object_r:binfmt_misc_fs_t:s0
