Difference between revisions of "FileStatements"

From SELinux Wiki
Latest revision as of 13:03, 28 January 2015

= File System Labeling Statements =

There are four types of file labeling statements: fs_use_xattr, fs_use_task, fs_use_trans and genfscon, which are explained below.

The filesystem identifiers (fs_name) used by these statements are defined by the SELinux teams responsible for their development; the policy writer then uses those that the policy needs to support.

A security context is defined by these filesystem labeling statements; therefore, if the policy supports MCS / MLS, an mls_range is required as described in the [[MLSStatements#MLS_range_Definition | MLS range Definition]] section.

== fs_use_xattr ==

The fs_use_xattr statement is used to allocate a security context to filesystems that support the extended attribute security.selinux. The labeling is persistent for filesystems that support these extended attributes, and the security context is added to these files (and directories) by SELinux commands such as setfiles, as explained in the [[NB_Objects#Labeling_Extended_Attribute_Filesystems | Labeling Extended Attribute Filesystems]] section.

'''The statement definition is:'''
<pre>
fs_use_xattr fs_name fs_context;
</pre>

'''Where:'''

{| border="1"
| fs_use_xattr
| The fs_use_xattr keyword.
|-
| fs_name
| The filesystem name that supports extended attributes. Example names are: encfs, ext2, ext3, ext4, ext4dev, gfs, gfs2, jffs2, jfs, lustre and xfs.
|-
| fs_context
| The security context allocated to the filesystem.
|}

'''The statement is valid in:'''

{| border="1"
| <center>'''Monolithic Policy'''</center>
| <center>'''Base Policy'''</center>
| <center>'''Module Policy'''</center>
|-
| <center>'''Yes'''</center>
| <center>'''Yes'''</center>
| <center>'''No'''</center>
|-
| <center>[[ConditionalStatements#if | if Statement]]</center>
| <center>[[PolicyStatements#optional | optional Statement]]</center>
| <center>[[PolicyStatements#require | require Statement]]</center>
|-
| <center>'''No'''</center>
| <center>'''No'''</center>
| <center>'''No'''</center>
|}

'''Example:'''
<pre>
# These statements define file systems that support extended
# attributes (security.selinux).

fs_use_xattr encfs system_u:object_r:fs_t:s0;
fs_use_xattr ext2 system_u:object_r:fs_t:s0;
fs_use_xattr ext3 system_u:object_r:fs_t:s0;
</pre>


== fs_use_task ==

The fs_use_task statement is used to allocate a security context to pseudo filesystems that support task related services such as pipes and sockets.

'''The statement definition is:'''
<pre>
fs_use_task fs_name fs_context;
</pre>

'''Where:'''

{| border="1"
| fs_use_task
| The fs_use_task keyword.
|-
| fs_name
| Filesystem name that supports task related services. Example valid names are: eventpollfs, pipefs and sockfs.
|-
| fs_context
| The security context allocated to the task based filesystem.
|}

'''The statement is valid in:'''

{| border="1"
| <center>'''Monolithic Policy'''</center>
| <center>'''Base Policy'''</center>
| <center>'''Module Policy'''</center>
|-
| <center>'''Yes'''</center>
| <center>'''Yes'''</center>
| <center>'''No'''</center>
|-
| <center>[[ConditionalStatements#if | if Statement]]</center>
| <center>[[PolicyStatements#optional | optional Statement]]</center>
| <center>[[PolicyStatements#require | require Statement]]</center>
|-
| <center>'''No'''</center>
| <center>'''No'''</center>
| <center>'''No'''</center>
|}

'''Example:'''
<pre>
# These statements define the file systems that support pseudo
# filesystems that represent objects like pipes and sockets, so
# that these objects are labeled with the same type as the creating task.
#

fs_use_task eventpollfs system_u:object_r:fs_t:s0;
fs_use_task pipefs system_u:object_r:fs_t:s0;
fs_use_task sockfs system_u:object_r:fs_t:s0;
</pre>


== fs_use_trans ==

The fs_use_trans statement is used to allocate a security context to pseudo filesystems such as pseudo terminals and temporary objects. The assigned context is derived from that of the creating process and that of the filesystem type, based on transition rules.

'''The statement definition is:'''
<pre>
fs_use_trans fs_name fs_context;
</pre>

'''Where:'''

{| border="1"
| fs_use_trans
| The fs_use_trans keyword.
|-
| fs_name
| Filesystem name that supports transition rules. Example names are: mqueue, shm, tmpfs and devpts.
|-
| fs_context
| The security context allocated to the transition based on that of the filesystem.
|}

'''The statement is valid in:'''

{| border="1"
| <center>'''Monolithic Policy'''</center>
| <center>'''Base Policy'''</center>
| <center>'''Module Policy'''</center>
|-
| <center>'''Yes'''</center>
| <center>'''Yes'''</center>
| <center>'''No'''</center>
|-
| <center>[[ConditionalStatements#if | if Statement]]</center>
| <center>[[PolicyStatements#optional | optional Statement]]</center>
| <center>[[PolicyStatements#require | require Statement]]</center>
|-
| <center>'''No'''</center>
| <center>'''No'''</center>
| <center>'''No'''</center>
|}

'''Example:'''
<pre>
# These statements define pseudo filesystems such as devpts
# and tmpfs where objects are labeled with a derived context.
#

fs_use_trans mqueue system_u:object_r:tmpfs_t:s0;
fs_use_trans shm system_u:object_r:tmpfs_t:s0;
fs_use_trans tmpfs system_u:object_r:tmpfs_t:s0;
fs_use_trans devpts system_u:object_r:devpts_t:s0;
</pre>


== genfscon ==

The genfscon statement is used to allocate a security context to filesystems that cannot support any of the other file labeling statements (fs_use_xattr, fs_use_task or fs_use_trans). Generally a filesystem has a single default security context assigned by genfscon from the root (/), which is then inherited by all files and directories on that filesystem. The exception is the /proc filesystem, where directories can be labeled with a specific security context (as shown in the examples). Note that there is no terminating semi-colon (<nowiki>;</nowiki>) on this statement.

'''The statement definition is:'''
<pre>
genfscon fs_name partial_path fs_context
</pre>

'''Where:'''

{| border="1"
| genfscon
| The genfscon keyword.
|-
| fs_name
| The filesystem name.
|-
| partial_path
| If fs_name is proc, then the partial path (see the examples). For all other types, this must be '/'.
|-
| fs_context
| The security context allocated to the filesystem.
|}

'''The statement is valid in:'''

{| border="1"
| <center>'''Monolithic Policy'''</center>
| <center>'''Base Policy'''</center>
| <center>'''Module Policy'''</center>
|-
| <center>'''Yes'''</center>
| <center>'''Yes'''</center>
| <center>'''No'''</center>
|-
| <center>[[ConditionalStatements#if | if Statement]]</center>
| <center>[[PolicyStatements#optional | optional Statement]]</center>
| <center>[[PolicyStatements#require | require Statement]]</center>
|-
| <center>'''No'''</center>
| <center>'''No'''</center>
| <center>'''No'''</center>
|}

'''MLS Examples:'''
<pre>
# The following examples show those filesystems that only
# support a single security context across the filesystem
# with the MLS levels added.

genfscon msdos / system_u:object_r:dosfs_t:s0
genfscon iso9660 / system_u:object_r:iso9660_t:s0
genfscon usbfs / system_u:object_r:usbfs_t:s0
genfscon selinuxfs / system_u:object_r:security_t:s0
</pre>
<pre>
# The following show some example /proc entries. Note that the
# /kmsg has the highest sensitivity level assigned (s15) because
# it is a trusted process.

genfscon proc / system_u:object_r:proc_t:s0
genfscon proc /sysvipc system_u:object_r:proc_t:s0
genfscon proc /fs/openafs system_u:object_r:proc_afs_t:s0
genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s15:c0.c255
</pre>

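The rules spread across the four sections above (';'-terminated fs_use_* statements, a genfscon with no terminator whose partial_path is '/' unless fs_name is proc, and an mls_range on every context when the policy is MCS / MLS) can be checked mechanically before a policy is built. The following Python is an added illustration, not part of this wiki page or of the SELinux tool set; the SAMPLE_POLICY fragment it checks is constructed, and parse_file_statements and FileStatement are the example's own names.

```python
import re
from collections import namedtuple

# fs_use_xattr / fs_use_task / fs_use_trans: "keyword fs_name fs_context;"
FS_USE_KEYWORDS = ("fs_use_xattr", "fs_use_task", "fs_use_trans")

# user:role:type plus an optional mls_range (a level, or a low-high pair,
# each a sensitivity sN with optional categories such as c0.c255).
CONTEXT_RE = re.compile(
    r"^(?P<user>[\w.-]+):(?P<role>[\w.-]+):(?P<type>[\w.-]+)"
    r"(?::(?P<range>s\d+(?::c[\w.,]+)?(?:-s\d+(?::c[\w.,]+)?)?))?$"
)

# partial_path is None for the fs_use_* statements; only genfscon carries one.
FileStatement = namedtuple("FileStatement", "keyword fs_name partial_path type_ mls_range")


def parse_file_statements(text, mls=True):
    """Return (accepted statements, errors); rule-breaking lines are rejected."""
    statements, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        keyword = line.split()[0]
        if keyword in FS_USE_KEYWORDS:
            if not line.endswith(";"):  # these statements are ';'-terminated
                errors.append(f"line {lineno}: {keyword} must end with ';'")
                continue
            tokens = line[:-1].split()
            if len(tokens) != 3:
                errors.append(f"line {lineno}: expected '{keyword} fs_name fs_context;'")
                continue
            fs_name, path, context = tokens[1], None, tokens[2]
        elif keyword == "genfscon":
            if line.endswith(";"):  # genfscon has no terminating ';'
                errors.append(f"line {lineno}: genfscon takes no terminating ';'")
                continue
            tokens = line.split()
            if len(tokens) != 4:
                errors.append(f"line {lineno}: expected 'genfscon fs_name partial_path fs_context'")
                continue
            fs_name, path, context = tokens[1], tokens[2], tokens[3]
            if fs_name != "proc" and path != "/":  # only proc takes sub-paths
                errors.append(f"line {lineno}: partial_path must be '/' for {fs_name}")
                continue
        else:
            errors.append(f"line {lineno}: unknown statement {keyword!r}")
            continue
        m = CONTEXT_RE.match(context)
        if not m:
            errors.append(f"line {lineno}: malformed security context {context!r}")
            continue
        if mls and not m.group("range"):  # MCS/MLS policies need an mls_range
            errors.append(f"line {lineno}: MLS policy requires an mls_range in {context!r}")
            continue
        statements.append(FileStatement(keyword, fs_name, path, m.group("type"), m.group("range")))
    return statements, errors


# Constructed fragment (not from the wiki): five valid lines and three faults.
SAMPLE_POLICY = """\
fs_use_xattr ext4 system_u:object_r:fs_t:s0;
fs_use_task pipefs system_u:object_r:fs_t:s0;
fs_use_trans devpts system_u:object_r:devpts_t:s0;
genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s15:c0.c255
genfscon msdos / system_u:object_r:dosfs_t:s0
genfscon usbfs /bus system_u:object_r:usbfs_t:s0
genfscon iso9660 / system_u:object_r:iso9660_t:s0;
fs_use_xattr xfs system_u:object_r:fs_t;
"""
```

Running parse_file_statements over SAMPLE_POLICY accepts five statements and rejects the usbfs sub-path, the ';' on the iso9660 line and the xfs context that lacks an mls_range; with mls=False the xfs line is accepted as well.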

{| style="width: 100%;" border="0"
|-
| [[SIDStatements | '''Previous''']]
| <center>[[NewUsers | '''Home''']]</center>
| <center>[[NetworkStatements | '''Next''']]</center>
|}