File Labeling Statements
========================

filecon
-------

Define entries for labeling files. The compiler will produce these entries in a file called **`file_contexts`**`(5)` by default in the `cwd`. The compiler option `[-f|--filecontext <filename>]` may be used to specify a different path or file name.

**Statement definition:**

    (filecon "path" file_type context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>filecon</code></p></td>
<td align="left"><p>The <code>filecon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>path</code></p></td>
<td align="left"><p>A string representing the file path that may be in the form of a regular expression. The string must be enclosed within double quotes (e.g. <code>&quot;/this/is/a/path(/.*)?&quot;</code>).</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>file_type</code></p></td>
<td align="left"><p>A single keyword representing a file type in the <code>file_contexts</code> file as follows:</p>
<table>
<colgroup>
<col width="44%" />
<col width="55%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><strong>keyword</strong></p></td>
<td align="left"><p><strong>file_contexts entry</strong></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>file</code></p></td>
<td align="left"><p><code>--</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>dir</code></p></td>
<td align="left"><p><code>-d</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>char</code></p></td>
<td align="left"><p><code>-c</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p><code>-b</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>socket</code></p></td>
<td align="left"><p><code>-s</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>pipe</code></p></td>
<td align="left"><p><code>-p</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>symlink</code></p></td>
<td align="left"><p><code>-l</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>any</code></p></td>
<td align="left"><p>no entry</p></td>
</tr>
</tbody>
</table></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>The security context to be allocated to the file, which may be:</p>
<ul>
<li><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</p></li>
<li><p>An empty context list represented by <code>()</code> can be used to indicate that matching files should not be re-labeled. This will be interpreted as <code>&lt;&lt;none&gt;&gt;</code> within the <strong><code>file_contexts</code></strong><code>(5)</code> file.</p></li>
</ul></td>
</tr>
</tbody>
</table>

**Examples:**

These examples use one named, one anonymous and one empty context definition:

    (context runas_exec_context (u object_r exec low_low))

    (filecon "/system/bin/run-as" file runas_exec_context)
    (filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
    (filecon "/data/local/mine" dir ())

These resolve to the following `file_contexts` entries (assuming an MLS-enabled policy):

    /system/bin/run-as  -- u:object_r:runas.exec:s0
    /dev/socket/wpa_wlan[0-9]   u:object_r:wpa.socket:s0
    /data/local/mine -d <<none>>

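The mapping above (file type keyword to `file_contexts` field, `()` to `<<none>>`, range rendering) can be checked with a small renderer. The code below is an added example, not code from this reference or from the CIL compiler: it reads `context` and `filecon` statements and emits `file_contexts` lines. It assumes the policy declares a levelrange named `low_low` meaning `s0-s0` (which is what the rendered `:s0` above implies), writes the type as `runas.exec` directly because it does not resolve block namespaces, accepts the colon-separated context string used in the second example as already rendered, and goes one step beyond the page by also showing what the same statements render to when the policy is not MLS-enabled (no range field at all).

```python
# Added example, not code from the CIL reference or from secilc: a toy
# renderer that turns CIL (context ...) and (filecon ...) statements into
# file_contexts(5) lines, following the file_type keyword table above.
import re

# file_type keyword -> file_contexts type field ("any" emits no field)
FILE_TYPE_FIELD = {
    "file": "--", "dir": "-d", "char": "-c", "block": "-b",
    "socket": "-s", "pipe": "-p", "symlink": "-l", "any": None,
}

# Assumption: the policy declares a levelrange named low_low meaning s0-s0,
# which is what the page's rendered output (":s0") implies.
LEVELRANGES = {"low_low": ("s0", "s0")}

_TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()"]+')


def parse_sexprs(text):
    """Minimal s-expression reader; CIL ';' line comments are dropped first."""
    text = re.sub(r";[^\n]*", "", text)
    stack = [[]]
    for tok in _TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            closed = stack.pop()
            stack[-1].append(closed)
        else:
            stack[-1].append(tok.strip('"'))
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


def render_range(low, high, mls):
    """Non-MLS policies carry no range; an s0-s0 range is written as s0."""
    if not mls:
        return ""
    return ":" + (low if low == high else f"{low}-{high}")


def render_context(ctx, mls):
    """ctx is a (user role type levelrange) list, or the colon-separated
    string form used by the page's second example (u:object_r:t:s0-s0)."""
    if isinstance(ctx, str):
        user, role, type_, rng = ctx.split(":", 3)
        low, _, high = rng.partition("-")
        high = high or low
    else:
        user, role, type_, rng = ctx
        low, high = LEVELRANGES[rng]
    return f"{user}:{role}:{type_}" + render_range(low, high, mls)


def file_contexts(cil_text, mls=True):
    """Return one file_contexts line per filecon statement in cil_text."""
    contexts = {}
    out = []
    for form in parse_sexprs(cil_text):
        if not isinstance(form, list) or not form:
            continue
        if form[0] == "context":
            contexts[form[1]] = form[2]
        elif form[0] == "filecon":
            _, path, file_type, ctx = form
            if file_type not in FILE_TYPE_FIELD:
                raise ValueError(f"unknown file_type {file_type!r}")
            if ctx == []:                              # empty context list ()
                label = "<<none>>"
            elif isinstance(ctx, str) and ctx in contexts:
                label = render_context(contexts[ctx], mls)
            elif isinstance(ctx, str) and ":" not in ctx:
                raise ValueError(f"undeclared context {ctx!r}")
            else:
                label = render_context(ctx, mls)
            fields = [path, FILE_TYPE_FIELD[file_type], label]
            out.append(" ".join(f for f in fields if f))
    return out


# Constructed input mirroring the page's example; the type is written fully
# qualified (runas.exec) because this toy does not resolve block namespaces.
SAMPLE_CIL = """
(context runas_exec_context (u object_r runas.exec low_low))
(filecon "/system/bin/run-as" file runas_exec_context)
(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
(filecon "/data/local/mine" dir ())
"""

if __name__ == "__main__":
    for line in file_contexts(SAMPLE_CIL):
        print(line)
    print("--- same statements, non-MLS policy ---")
    for line in file_contexts(SAMPLE_CIL, mls=False):
        print(line)
```

Running it prints the three entries listed above (single-space separated), then the non-MLS variant in which `u:object_r:runas.exec:s0` becomes `u:object_r:runas.exec`. The `any` row of the table is what makes the second line carry no type field, and the empty list `()` is what produces `<<none>>`.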
fsuse
-----

Label filesystems that support SELinux security contexts.

**Statement definition:**

    (fsuse fstype fsname context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>fsuse</code></p></td>
<td align="left"><p>The <code>fsuse</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>fstype</code></p></td>
<td align="left"><p>A single keyword representing the type of filesystem as follows:</p>
<ul>
<li><p><code>task</code> - For pseudo filesystems supporting task related services such as pipes and sockets.</p></li>
<li><p><code>trans</code> - For pseudo filesystems such as pseudo terminals and temporary objects.</p></li>
<li><p><code>xattr</code> - Filesystems supporting the extended attribute <code>security.selinux</code>. The labeling is persistent for filesystems that support extended attributes.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p><code>fsname</code></p></td>
<td align="left"><p>Name of the supported filesystem (e.g. <code>ext4</code> or <code>pipefs</code>).</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>The security context to be allocated to the filesystem.</p>
<p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Examples:**

The [context](#context) identifiers are declared in the `file` namespace and the [`fsuse`](cil_file_labeling_statements.md#fsuse) statements in the global namespace:

    (block file
        (type labeledfs)
        (roletype object_r labeledfs)
        (context labeledfs_context (u object_r labeledfs low_low))

        (type pipefs)
        (roletype object_r pipefs)
        (context pipefs_context (u object_r pipefs low_low))
        ...
    )

    (fsuse xattr ext4 file.labeledfs_context)
    (fsuse xattr btrfs file.labeledfs_context)

    (fsuse task pipefs file.pipefs_context)
    (fsuse task sockfs file.sockfs_context)

    (fsuse trans devpts file.devpts_context)
    (fsuse trans tmpfs file.tmpfs_context)

genfscon
--------

Used to allocate a security context to filesystems that cannot support any of the [`fsuse`](cil_file_labeling_statements.md#fsuse) file labeling options. Generally a filesystem would have a single default security context assigned by [`genfscon`](cil_file_labeling_statements.md#genfscon) from the root `(/)` that would then be inherited by all files and directories on that filesystem. The exception to this is the `/proc` filesystem, where directories can be labeled with a specific security context (as shown in the examples).

**Statement definition:**

    (genfscon fsname path context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>genfscon</code></p></td>
<td align="left"><p>The <code>genfscon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>fsname</code></p></td>
<td align="left"><p>Name of the supported filesystem (e.g. <code>rootfs</code> or <code>proc</code>).</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>path</code></p></td>
<td align="left"><p>If <code>fsname</code> is <code>proc</code>, then the partial path (see examples). For all other types this must be <code>/</code>.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
</tr>
</tbody>
</table>

**Examples:**

The [context](#context) identifiers are declared in the `file` namespace and the [`genfscon`](cil_file_labeling_statements.md#genfscon) statements are then inserted using the [`in`](cil_container_statements.md#in) container statement:

    (block file
        (type rootfs)
        (roletype object_r rootfs)
        (context rootfs_context (u object_r rootfs low_low))

        (type proc)
        (roletype object_r proc)
        (context proc_context (u object_r proc low_low))
        ...
    )

    (in file
        (genfscon rootfs / rootfs_context)
        ; proc labeling can be further refined (longest matching prefix).
        (genfscon proc / proc_context)
        (genfscon proc /net/xt_qtaguid/ctrl qtaguid_proc_context)
        (genfscon proc /sysrq-trigger sysrq_proc_context)
        (genfscon selinuxfs / selinuxfs_context)
    )

    229