policy_module(filesystem,1.3.11)

########################################

#

# Declarations

#

attribute filesystem_type;

attribute filesystem_unconfined_type;

attribute noxattrfs;

##############################

#

# fs_t is the default type for persistent

# filesystems with extended attributes

#

type fs_t;

fs_type(fs_t)

sid fs gen_context(system_u:object_r:fs_t,s0)

# Use xattrs for the following filesystem types.

# Requires that a security xattr handler exist for the filesystem.

fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);

fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);

fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);

fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);

fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);

# Use the allocating task SID to label inodes in the following filesystem

# types, and label the filesystem itself with the specified context.

# This is appropriate for pseudo filesystems that represent objects

# like pipes and sockets, so that these objects are labeled with the same

# type as the creating task.  

fs_use_task pipefs gen_context(system_u:object_r:fs_t,s0);

fs_use_task sockfs gen_context(system_u:object_r:fs_t,s0);

##############################

#

# Non-persistent/pseudo filesystems

#

type bdev_t;

fs_type(bdev_t)

genfscon bdev / gen_context(system_u:object_r:bdev_t,s0)

type binfmt_misc_fs_t;

fs_type(binfmt_misc_fs_t)

files_mountpoint(binfmt_misc_fs_t)

genfscon binfmt_misc / gen_context(system_u:object_r:binfmt_misc_fs_t,s0)

type capifs_t;

fs_type(capifs_t)

genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)

type configfs_t;

fs_type(configfs_t)

genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)

type eventpollfs_t;

fs_type(eventpollfs_t)

genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)

type futexfs_t;

fs_type(futexfs_t)

genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)

type hugetlbfs_t;

fs_type(hugetlbfs_t)

files_mountpoint(hugetlbfs_t)

genfscon hugetlbfs / gen_context(system_u:object_r:hugetlbfs_t,s0)

type ibmasmfs_t;

fs_type(ibmasmfs_t)

allow ibmasmfs_t self:filesystem associate;

genfscon ibmasmfs / gen_context(system_u:object_r:ibmasmfs_t,s0)

type inotifyfs_t;

fs_type(inotifyfs_t)

genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0)

type nfsd_fs_t;

fs_type(nfsd_fs_t)

genfscon nfsd / gen_context(system_u:object_r:nfsd_fs_t,s0)

type oprofilefs_t;

fs_type(oprofilefs_t)

genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0)

type ramfs_t;

fs_type(ramfs_t)

genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)

type romfs_t;

fs_type(romfs_t)

genfscon romfs / gen_context(system_u:object_r:romfs_t,s0)

genfscon cramfs / gen_context(system_u:object_r:romfs_t,s0)

type rpc_pipefs_t;

fs_type(rpc_pipefs_t)

genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)

#

# tmpfs_t is the type for tmpfs filesystems

#

type tmpfs_t;

fs_type(tmpfs_t)

files_type(tmpfs_t)

files_mountpoint(tmpfs_t)

# Use a transition SID based on the allocating task SID and the

# filesystem SID to label inodes in the following filesystem types,

# and label the filesystem itself with the specified context.

# This is appropriate for pseudo filesystems like devpts and tmpfs

# where we want to label objects with a derived type.

fs_use_trans mqueue gen_context(system_u:object_r:tmpfs_t,s0);

fs_use_trans shm gen_context(system_u:object_r:tmpfs_t,s0);

fs_use_trans tmpfs gen_context(system_u:object_r:tmpfs_t,s0);

allow tmpfs_t noxattrfs:filesystem associate;

##############################

#

# Filesystems without extended attribute support

#

type autofs_t;

fs_noxattr_type(autofs_t)

files_mountpoint(autofs_t)

genfscon autofs / gen_context(system_u:object_r:autofs_t,s0)

genfscon automount / gen_context(system_u:object_r:autofs_t,s0)

#

# cifs_t is the type for filesystems and their

# files shared from Windows servers

#

type cifs_t alias sambafs_t;

fs_noxattr_type(cifs_t)

genfscon cifs / gen_context(system_u:object_r:cifs_t,s0)

genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)

#

# dosfs_t is the type for fat and vfat

# filesystems and their files.

#

type dosfs_t;

fs_noxattr_type(dosfs_t)

allow dosfs_t fs_t:filesystem associate;

genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)

genfscon msdos / gen_context(system_u:object_r:dosfs_t,s0)

genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)

genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)

#

# iso9660_t is the type for CD filesystems

# and their files.

#

type iso9660_t;

fs_noxattr_type(iso9660_t)

genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0)

genfscon udf / gen_context(system_u:object_r:iso9660_t,s0)

#

# removable_t is the default type of all removable media

#

type removable_t;

allow removable_t noxattrfs:filesystem associate;

fs_noxattr_type(removable_t)

files_type(removable_t)

#

# nfs_t is the default type for NFS file systems

# and their files.

#

type nfs_t;

fs_noxattr_type(nfs_t)

files_mountpoint(nfs_t)

genfscon nfs / gen_context(system_u:object_r:nfs_t,s0)

genfscon nfs4 / gen_context(system_u:object_r:nfs_t,s0)

genfscon afs / gen_context(system_u:object_r:nfs_t,s0)

genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)

genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)

genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)

genfscon gfs / gen_context(system_u:object_r:nfs_t,s0)

########################################

#

# Rules for all filesystem types

#

allow filesystem_type self:filesystem associate;

########################################

#

# Unconfined access to this module

#

allow filesystem_unconfined_type filesystem_type:filesystem *;

# Create/access other files.  fs_type is to pick up various

# pseudo filesystem types that are applied to both the filesystem

# and its files.

allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;