FileStatements - Revision history (http://selinuxproject.org/w/?title=FileStatements&action=history), MediaWiki 1.23.13. Latest revision by RichardHaines, 28 January 2015 13:03 GMT; page created by RichardHaines, 30 November 2009 11:36 GMT.

New page:

= File System Labeling Statements =
There are four types of file labeling statements: fs_use_xattr, fs_use_task, fs_use_trans and genfscon, which are explained below.

The filesystem identifiers (fs_name) used by these statements are defined by the SELinux teams responsible for their development; the policy writer then uses those that the policy needs to support.

Each of these filesystem labeling statements defines a security context, so if the policy supports MCS / MLS an mls_range is required, as described in the MLS range Definition section.

== fs_use_xattr Statements ==
The fs_use_xattr statement is used to allocate a security context to filesystems that support the extended attribute security.selinux. The labeling is persistent for filesystems that support these extended attributes, and the security context is added to these files (and directories) by SELinux commands such as setfiles.

'''The statement definition is:'''
<pre>
fs_use_xattr fs_name fs_context;
</pre>

'''Where:'''
{|border="1"
|fs_use_xattr
|The fs_use_xattr keyword.

|-
|fs_name
|The filesystem name that supports extended attributes. The known valid names are: encfs, ext2, ext3, ext4, ext4dev, gfs, gfs2, jffs2, jfs, lustre and xfs.

|-
|fs_context
|The security context allocated to the filesystem.

|}


'''The statement is valid in:'''
{|border="1"
|<center>'''Monolithic Policy'''</center>
|<center>'''Base Policy'''</center>
|<center>'''Module Policy'''</center>

|-
|<center>Yes</center>
|<center>Yes</center>
|<center>No</center>

|-
|<center>'''Conditional Policy (if) Statement'''</center>
|<center>'''optional Statement'''</center>
|<center>'''require Statement'''</center>

|-
|<center>No</center>
|<center>No</center>
|<center>No</center>

|}


'''Example:'''
<pre>
# These statements define file systems that support extended
# attributes (security.selinux).

fs_use_xattr encfs system_u:object_r:fs_t;
fs_use_xattr ext2 system_u:object_r:fs_t;
fs_use_xattr ext3 system_u:object_r:fs_t;
</pre>

'''MLS Examples:'''
<pre>
# These statements define file systems that support extended
# attributes (security.selinux).

fs_use_xattr encfs system_u:object_r:fs_t:s0;
fs_use_xattr ext2 system_u:object_r:fs_t:s0;
fs_use_xattr ext3 system_u:object_r:fs_t:s0;
</pre>

== fs_use_task Statement ==
The fs_use_task statement is used to allocate a security context to pseudo filesystems that support task related services such as pipes and sockets.

'''The statement definition is:'''
<pre>
fs_use_task fs_name fs_context;
</pre>


'''Where:'''
{|border="1"
|fs_use_task
|The fs_use_task keyword.

|-
|fs_name
|Filesystem name that supports task related services. The known valid names are: eventpollfs, pipefs and sockfs.

|-
|fs_context
|The security context allocated to the task based filesystem.

|}


'''The statement is valid in:'''
{|border="1"
|<center>'''Monolithic Policy'''</center>
|<center>'''Base Policy'''</center>
|<center>'''Module Policy'''</center>

|-
|<center>Yes</center>
|<center>Yes</center>
|<center>No</center>

|-
|<center>'''Conditional Policy (if) Statement'''</center>
|<center>'''optional Statement'''</center>
|<center>'''require Statement'''</center>

|-
|<center>No</center>
|<center>No</center>
|<center>No</center>

|}


'''Example:'''
<pre>
# These statements define the file systems that support pseudo
# filesystems that represent objects like pipes and sockets, so
# that these objects are labeled with the same type as the
# creating task.
#

fs_use_task eventpollfs system_u:object_r:fs_t;
fs_use_task pipefs system_u:object_r:fs_t;
fs_use_task sockfs system_u:object_r:fs_t;
</pre>

'''MLS Example:'''
<pre>
# These statements define the file systems that support pseudo
# filesystems that represent objects like pipes and sockets, so
# that these objects are labeled with the same type as the
# creating task.
#

fs_use_task eventpollfs system_u:object_r:fs_t:s0;
fs_use_task pipefs system_u:object_r:fs_t:s0;
fs_use_task sockfs system_u:object_r:fs_t:s0;
</pre>


== fs_use_trans Statement ==
The fs_use_trans statement is used to allocate a security context to pseudo filesystems such as pseudo terminals and temporary objects. The assigned context is derived from that of the creating process and that of the filesystem type, using transition rules.

'''The statement definition is:'''
<pre>
fs_use_trans fs_name fs_context;
</pre>


'''Where:'''
{|border="1"
|fs_use_trans
|The fs_use_trans keyword.

|-
|fs_name
|Filesystem name that supports transition rules. The known valid names are: mqueue, shm, tmpfs and devpts.

|-
|fs_context
|The security context allocated to the transition, based on that of the filesystem.

|}


'''The statement is valid in:'''
{|border="1"
|<center>'''Monolithic Policy'''</center>
|<center>'''Base Policy'''</center>
|<center>'''Module Policy'''</center>

|-
|<center>Yes</center>
|<center>Yes</center>
|<center>No</center>

|-
|<center>'''Conditional Policy (if) Statement'''</center>
|<center>'''optional Statement'''</center>
|<center>'''require Statement'''</center>

|-
|<center>No</center>
|<center>No</center>
|<center>No</center>

|}


'''Example:'''
<pre>
# These statements define pseudo filesystems such as devpts
# and tmpfs where objects are labeled with a derived context.
#

fs_use_trans mqueue system_u:object_r:tmpfs_t;
fs_use_trans shm system_u:object_r:tmpfs_t;
fs_use_trans tmpfs system_u:object_r:tmpfs_t;
fs_use_trans devpts system_u:object_r:devpts_t;
</pre>

'''MLS Example:'''
<pre>
# These statements define pseudo filesystems such as devpts
# and tmpfs where objects are labeled with a derived context.
#

fs_use_trans mqueue system_u:object_r:tmpfs_t:s0;
fs_use_trans shm system_u:object_r:tmpfs_t:s0;
fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0;
fs_use_trans devpts system_u:object_r:devpts_t:s0;
</pre>


== genfscon Statements ==
The genfscon statement is used to allocate a security context to filesystems that cannot support any of the other file labeling statements (fs_use_xattr, fs_use_task or fs_use_trans). Generally a filesystem has a single default security context assigned by genfscon from the root (/), which is then inherited by all files and directories on that filesystem. The exception to this is the /proc filesystem, where directories can be labeled with a specific security context (as shown in the examples). Note that there is no terminating semi-colon (;) on this statement.

'''The statement definition is:'''
<pre>
genfscon fs_name partial_path fs_context
</pre>

'''Where:'''
{|border="1"
|genfscon
|The genfscon keyword.

|-
|fs_name
|The filesystem name.

|-
|partial_path
|If fs_name is proc, then the partial path (see the examples). For all other types, this must be '/'.

|-
|fs_context
|The security context allocated to the filesystem.

|}


'''The statement is valid in:'''
{|border="1"
|<center>'''Monolithic Policy'''</center>
|<center>'''Base Policy'''</center>
|<center>'''Module Policy'''</center>

|-
|<center>Yes</center>
|<center>Yes</center>
|<center>No</center>

|-
|<center>'''Conditional Policy (if) Statement'''</center>
|<center>'''optional Statement'''</center>
|<center>'''require Statement'''</center>

|-
|<center>No</center>
|<center>No</center>
|<center>No</center>

|}


'''Examples:'''
<pre>
# The following examples show those filesystems that only
# support a single security context across the filesystem.

genfscon msdos / system_u:object_r:dosfs_t
genfscon iso9660 / system_u:object_r:iso9660_t
genfscon usbfs / system_u:object_r:usbfs_t
genfscon selinuxfs / system_u:object_r:security_t

# The following show some example /proc entries that can have
# directories added to the path.

genfscon proc / system_u:object_r:proc_t
genfscon proc /sysvipc system_u:object_r:proc_t
genfscon proc /fs/openafs system_u:object_r:proc_afs_t
genfscon proc /kmsg system_u:object_r:proc_kmsg_t
</pre>

'''MLS Examples:'''
<pre>
# The following examples show those filesystems that only
# support a single security context across the filesystem
# with the MLS levels added.

genfscon msdos / system_u:object_r:dosfs_t:s0
genfscon iso9660 / system_u:object_r:iso9660_t:s0
genfscon usbfs / system_u:object_r:usbfs_t:s0
genfscon selinuxfs / system_u:object_r:security_t:s0

# The following show some example /proc entries. Note that the
# /kmsg has the highest sensitivity level assigned (s15) because
# it is a trusted process.

genfscon proc / system_u:object_r:proc_t:s0
genfscon proc /sysvipc system_u:object_r:proc_t:s0
genfscon proc /fs/openafs system_u:object_r:proc_afs_t:s0
genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s15:c0.c255
</pre>
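As an added example (not part of the wiki page or of any SELinux tool), a small Python checker that applies the rules this page states to a policy fragment: fs_use_xattr, fs_use_task and fs_use_trans end with ';' and must name one of the listed filesystems, genfscon has no terminator and takes a partial_path other than '/' only for proc, and every fs_context needs an mls_range when the policy is MCS/MLS. The filesystem name sets come from the tables above; the sample policy lines are constructed.

```python
import re
# Filesystem names this page lists as valid for each fs_use_* statement.
KNOWN_FS = {
    "fs_use_xattr": {"encfs", "ext2", "ext3", "ext4", "ext4dev", "gfs", "gfs2",
                     "jffs2", "jfs", "lustre", "xfs"},
    "fs_use_task": {"eventpollfs", "pipefs", "sockfs"},
    "fs_use_trans": {"mqueue", "shm", "tmpfs", "devpts"},
}
# user:role:type, optionally followed by an mls_range such as s0 or s15:c0.c255.
CONTEXT_RE = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+(?::(\S+))?$")
def check_line(line, mls=False):
    line = line.split("#", 1)[0].strip()  # ignore comments and blank lines
    if not line:
        return []
    tokens, ends = line.rstrip(";").split(), line.endswith(";")
    problems, kw = [], tokens[0]
    if kw in KNOWN_FS:  # fs_use_* statements: 'fs_name fs_context;'
        if not ends:
            problems.append(f"{kw}: missing terminating ';'")
        if len(tokens) != 3:
            return problems + [f"{kw}: expected 'fs_name fs_context'"]
        if tokens[1] not in KNOWN_FS[kw]:
            problems.append(f"{kw}: '{tokens[1]}' is not a known {kw} filesystem")
    elif kw == "genfscon":  # 'fs_name partial_path fs_context' with no ';'
        if ends:
            problems.append("genfscon: must not end with ';'")
        if len(tokens) != 4:
            return problems + ["genfscon: expected 'fs_name partial_path fs_context'"]
        if tokens[1] != "proc" and tokens[2] != "/":  # only proc takes a sub-path
            problems.append(f"genfscon: partial_path must be '/' for {tokens[1]}")
    else:
        return [f"unknown file labeling statement '{kw}'"]
    m = CONTEXT_RE.match(tokens[-1])
    if not m:
        problems.append(f"{kw}: malformed security context '{tokens[-1]}'")
    elif mls and m.group(1) is None:  # an MCS/MLS policy needs the mls_range
        problems.append(f"{kw}: MLS policy requires an mls_range in '{tokens[-1]}'")
    return problems

def lint(policy_text, mls=False):
    # Map line number -> problems for every faulty line of a policy fragment.
    found = {n: check_line(l, mls) for n, l in enumerate(policy_text.splitlines(), 1)}
    return {n: p for n, p in found.items() if p}
# Constructed sample: two valid statements followed by three faulty ones.
SAMPLE = """fs_use_xattr ext4 system_u:object_r:fs_t;
genfscon proc /kmsg system_u:object_r:proc_kmsg_t
genfscon msdos /boot system_u:object_r:dosfs_t
genfscon usbfs / system_u:object_r:usbfs_t;
fs_use_xattr nfs system_u:object_r:fs_t"""
```

Running lint(SAMPLE) reports lines 3, 4 and 5; lint(SAMPLE, mls=True) additionally flags every statement that lacks an mls_range.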