-
Notifications
You must be signed in to change notification settings - Fork 143
/
filesystem.te
371 lines (313 loc) · 12.3 KB
/
filesystem.te
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
policy_module(filesystem)
########################################
#
# Declarations
#
attribute filesystem_image_file_type;
attribute filesystem_type;
attribute filesystem_unconfined_type;
attribute noxattrfs;
attribute pseudofs;
attribute xattrfs;
##############################
#
# fs_t is the default type for persistent
# filesystems with extended attributes
#
type fs_t;
fs_xattr_type(fs_t)
sid fs gen_context(system_u:object_r:fs_t,s0)
# Use xattrs for the following filesystem types.
# Requires that a security xattr handler exist for the filesystem.
fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr erofs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ubifs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr virtiofs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
# Use the allocating task SID to label inodes in the following filesystem
# types, and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems that represent objects
# like pipes and sockets, so that these objects are labeled with the same
# type as the creating task.
fs_use_task eventpollfs gen_context(system_u:object_r:fs_t,s0);
fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);
fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);
##############################
#
# Non-persistent/pseudo filesystems
#
type anon_inodefs_t;
fs_type(anon_inodefs_t)
files_mountpoint(anon_inodefs_t)
genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0)
type bdev_t;
fs_type(bdev_t)
genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)
type binfmt_misc_fs_t;
fs_type(binfmt_misc_fs_t)
files_mountpoint(binfmt_misc_fs_t)
genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)
type bpf_t;
fs_type(bpf_t)
files_mountpoint(bpf_t)
dev_associate_sysfs(bpf_t)
genfscon bpf / gen_context(system_u:object_r:bpf_t,s0)
optional_policy(`
kubernetes_mountpoint(bpf_t)
')
type capifs_t;
fs_type(capifs_t)
files_mountpoint(capifs_t)
genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
attribute cgroup_types;
type cgroup_t;
typeattribute cgroup_t cgroup_types;
fs_type(cgroup_t)
files_mountpoint(cgroup_t)
dev_associate_sysfs(cgroup_t)
genfscon cgroup / gen_context(system_u:object_r:cgroup_t,s0)
genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0)
# When running under systemd, the cgroup file memory.pressure will have this
# separate label, to allow unprivileged process to access it without accessing
# the rest of the cgroup tree.
type memory_pressure_t;
typeattribute memory_pressure_t cgroup_types;
files_type(memory_pressure_t)
dev_associate_sysfs(memory_pressure_t)
type configfs_t;
fs_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
type cpusetfs_t;
fs_type(cpusetfs_t)
allow cpusetfs_t self:filesystem associate;
genfscon cpuset / gen_context(system_u:object_r:cpusetfs_t,s0)
type ecryptfs_t;
fs_noxattr_type(ecryptfs_t)
files_mountpoint(ecryptfs_t)
genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
type efivarfs_t;
fs_pseudo_type(efivarfs_t)
files_mountpoint(efivarfs_t)
genfscon efivarfs / gen_context(system_u:object_r:efivarfs_t,s0)
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
type hugetlbfs_t;
fs_xattr_type(hugetlbfs_t)
files_mountpoint(hugetlbfs_t)
dev_associate(hugetlbfs_t)
fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0);
type ibmasmfs_t;
fs_type(ibmasmfs_t)
allow ibmasmfs_t self:filesystem associate;
genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)
type infinibandeventfs_t;
fs_type(infinibandeventfs_t)
allow infinibandeventfs_t self:filesystem associate;
genfscon infinibandeventfs / gen_context(system_u:object_r:infinibandeventfs_t,s0)
type inotifyfs_t;
fs_type(inotifyfs_t)
genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)
type mvfs_t;
fs_noxattr_type(mvfs_t)
allow mvfs_t self:filesystem associate;
genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0)
type nfsd_fs_t;
fs_type(nfsd_fs_t)
genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)
type nsfs_t;
fs_type(nsfs_t)
genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0)
type oprofilefs_t;
fs_type(oprofilefs_t)
genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)
type pstore_t;
fs_type(pstore_t)
files_mountpoint(pstore_t)
dev_associate_sysfs(pstore_t)
genfscon pstore / gen_context(system_u:object_r:pstore_t,s0)
type ramfs_t;
fs_xattr_type(ramfs_t)
files_mountpoint(ramfs_t)
fs_use_trans ramfs gen_context(system_u:object_r:ramfs_t,s0);
type romfs_t;
fs_type(romfs_t)
genfscon romfs / gen_context(system_u:object_r:romfs_t,s0)
genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)
type rpc_pipefs_t;
fs_type(rpc_pipefs_t)
genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
files_mountpoint(rpc_pipefs_t)
type spufs_t;
fs_type(spufs_t)
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
type sysv_t;
fs_noxattr_type(sysv_t)
files_mountpoint(sysv_t)
genfscon sysv / gen_context(system_u:object_r:sysv_t,s0)
genfscon v7 / gen_context(system_u:object_r:sysv_t,s0)
type tracefs_t;
fs_type(tracefs_t)
genfscon tracefs / gen_context(system_u:object_r:tracefs_t,s0)
optional_policy(`
init_mountpoint(tracefs_t)
')
#
# virtiofs_t is the default type for virtio file systems
# and their files.
#
type virtiofs_t;
fs_noxattr_type(virtiofs_t)
files_mountpoint(virtiofs_t)
genfscon virtiofs / gen_context(system_u:object_r:virtiofs_t,s0)
type vmblock_t;
fs_noxattr_type(vmblock_t)
files_mountpoint(vmblock_t)
genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0)
genfscon vmhgfs / gen_context(system_u:object_r:vmblock_t,s0)
type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0)
#
# tmpfs_t is the type for tmpfs filesystems
#
type tmpfs_t;
dev_associate(tmpfs_t)
fs_xattr_type(tmpfs_t)
files_type(tmpfs_t)
files_mountpoint(tmpfs_t)
files_poly_parent(tmpfs_t)
# Use a transition SID based on the allocating task SID and the
# filesystem SID to label inodes in the following filesystem types,
# and label the filesystem itself with the specified context.
# This is appropriate for pseudo filesystems like devpts and tmpfs
# where we want to label objects with a derived type.
fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);
fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);
allow tmpfs_t noxattrfs:filesystem associate;
type xenfs_t;
fs_noxattr_type(xenfs_t)
files_mountpoint(xenfs_t)
genfscon xenfs / gen_context(system_u:object_r:xenfs_t,s0)
##############################
#
# Filesystems without extended attribute support
#
type autofs_t;
fs_noxattr_type(autofs_t)
files_mountpoint(autofs_t)
genfscon autofs / gen_context(system_u:object_r:autofs_t,s0)
genfscon automount / gen_context(system_u:object_r:autofs_t,s0)
#
# cifs_t is the type for filesystems and their
# files shared from Windows servers
#
type cifs_t;
fs_noxattr_type(cifs_t)
files_mountpoint(cifs_t)
genfscon cifs / gen_context(system_u:object_r:cifs_t,s0)
genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)
#
# dosfs_t is the type for fat and vfat
# filesystems and their files.
#
type dosfs_t;
fs_noxattr_type(dosfs_t)
files_mountpoint(dosfs_t)
allow dosfs_t fs_t:filesystem associate;
genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0)
genfscon hfsplus / gen_context(system_u:object_r:dosfs_t,s0)
genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)
genfscon ntfs-3g / gen_context(system_u:object_r:dosfs_t,s0)
genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
type fusefs_t;
fs_noxattr_type(fusefs_t)
files_mountpoint(fusefs_t)
allow fusefs_t self:filesystem associate;
allow fusefs_t fs_t:filesystem associate;
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0)
optional_policy(`
container_mountpoint(fusefs_t)
')
#
# iso9660_t is the type for CD filesystems
# and their files.
#
type iso9660_t;
fs_noxattr_type(iso9660_t)
files_mountpoint(iso9660_t)
genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)
genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)
#
# removable_t is the default type of all removable media
#
type removable_t;
allow removable_t noxattrfs:filesystem associate;
fs_noxattr_type(removable_t)
files_mountpoint(removable_t)
#
# nfs_t is the default type for NFS file systems
# and their files.
#
type nfs_t;
fs_noxattr_type(nfs_t)
files_mountpoint(nfs_t)
genfscon nfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)
genfscon afs / gen_context(system_u:object_r:nfs_t,s0)
genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0)
genfscon coda / gen_context(system_u:object_r:nfs_t,s0)
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0)
########################################
#
# Rules for all filesystem types
#
allow filesystem_type self:filesystem associate;
########################################
#
# Rules for filesystems without xattr support
#
# Allow me to mv from one noxattrfs to another nfs_t to dosfs_t for example
fs_associate_noxattr(noxattrfs)
########################################
#
# Unconfined access to this module
#
allow filesystem_unconfined_type filesystem_type:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch };
# Create/access other files. fs_type is to pick up various
# pseudo filesystem types that are applied to both the filesystem
# and its files.
allow filesystem_unconfined_type filesystem_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod watch watch_mount watch_reads watch_sb watch_with_perm };
allow filesystem_unconfined_type filesystem_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch watch_mount watch_reads watch_sb watch_with_perm };
allow filesystem_unconfined_type filesystem_type:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm };
allow filesystem_unconfined_type filesystem_type:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm };
allow filesystem_unconfined_type filesystem_type:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm };
allow filesystem_unconfined_type filesystem_type:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod watch watch_mount watch_reads watch_sb watch_with_perm };
allow filesystem_unconfined_type filesystem_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir execmod watch watch_mount watch_reads watch_sb watch_with_perm };