File Labeling Statements
========================

filecon
-------

Define entries for labeling files. The compiler will produce these entries in a file called **`file_contexts`**`(5)` by default in the `cwd`. The compiler option `[-f|--filecontext <filename>]` may be used to specify a different path or file name.

**Statement definition:**

```secil
    (filecon "path" file_type context_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>filecon</code></p></td>
<td align="left"><p>The <code>filecon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>path</code></p></td>
<td align="left"><p>A string representing the file path, which may be in the form of a regular expression. The string must be enclosed within double quotes (e.g. <code>&quot;/this/is/a/path(/.*)?&quot;</code>).</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>file_type</code></p></td>
<td align="left"><p>A single keyword representing a file type in the <code>file_contexts</code> file as follows:</p>
<table>
<colgroup>
<col width="44%" />
<col width="55%" />
</colgroup>
<thead>
<tr class="odd">
<td align="left"><p><strong>keyword</strong></p></td>
<td align="left"><p><strong>file_contexts entry</strong></p></td>
</tr>
</thead>
<tbody>
<tr class="even">
<td align="left"><p><code>file</code></p></td>
<td align="left"><p><code>--</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>dir</code></p></td>
<td align="left"><p><code>-d</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>char</code></p></td>
<td align="left"><p><code>-c</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p><code>-b</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>socket</code></p></td>
<td align="left"><p><code>-s</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>pipe</code></p></td>
<td align="left"><p><code>-p</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>symlink</code></p></td>
<td align="left"><p><code>-l</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>any</code></p></td>
<td align="left"><p>no entry</p></td>
</tr>
</tbody>
</table></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>The security context to be allocated to the file, which may be:</p>
<ul>
<li><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></li>
<li><p>An empty context list represented by <code>()</code>, which indicates that matching files should not be relabeled. This is written as <code>&lt;&lt;none&gt;&gt;</code> in the <strong><code>file_contexts</code></strong><code>(5)</code> file.</p></li>
</ul></td>
</tr>
</tbody>
</table>

**Examples:**

These examples use one named, one anonymous and one empty context definition:

```secil
    (context runas_exec_context (u object_r exec low_low))

    (filecon "/system/bin/run-as" file runas_exec_context)
    (filecon "/dev/socket/wpa_wlan[0-9]" any (u object_r wpa.socket ((s0) (s0))))
    (filecon "/data/local/mine" dir ())
```

These resolve to the following `file_contexts` entries (assuming an MLS-enabled policy):

```
    /system/bin/run-as  -- u:object_r:runas.exec:s0
    /dev/socket/wpa_wlan[0-9]   u:object_r:wpa.socket:s0
    /data/local/mine -d <<none>>
```
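As an added example (not part of the CIL documentation or the secilc compiler), the following Python translator turns `filecon` statements like the ones above into the `file_contexts` lines the tables describe: it applies the `file_type` keyword mapping, renders named and anonymous contexts, and emits `<<none>>` for an empty `()` context. It assumes `low_low` (not defined on this page) is the levelrange `(s0 s0)` and handles sensitivity-only levels.

```python
import re
# Constructed sample mirroring this page's filecon example (added example, not the page's code).
CIL_SAMPLE = r'''
(context runas_exec_context (u object_r runas.exec low_low))
(filecon "/system/bin/run-as" file runas_exec_context)
(filecon "/dev/socket/wpa_wlan[0-9]" any (u object_r wpa.socket ((s0) (s0))))
(filecon "/data/local/mine" dir ())
'''
# file_type keyword -> file_contexts type field (table on this page); "any" emits no field.
FILE_TYPE_FLAGS = {"file": "--", "dir": "-d", "char": "-c", "block": "-b",
                   "socket": "-s", "pipe": "-p", "symlink": "-l", "any": None}
# Assumption: low_low is not defined on this page; treated as the levelrange (s0 s0) -> "s0".
NAMED_LEVELRANGES = {"low_low": "s0"}
_TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()]+')

def parse_sexprs(text):
    """Parse CIL text into nested Python lists; quoted strings lose their quotes."""
    stack = [[]]
    for tok in _TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok[1:-1] if tok.startswith('"') else tok)
    return stack[0]

def render_context(ctx):
    """(user role type levelrange) -> user:role:type:range, sensitivity-only levels."""
    user, role, type_, lr = ctx
    if isinstance(lr, str):
        lr = NAMED_LEVELRANGES[lr]
    else:                      # anonymous ((low) (high)); printed once when low == high
        lr = lr[0][0] if lr[0][0] == lr[1][0] else f"{lr[0][0]}-{lr[1][0]}"
    return f"{user}:{role}:{type_}:{lr}"

def filecon_to_file_contexts(text):
    """Return the file_contexts lines the compiler would emit for the filecon statements."""
    contexts, lines = {}, []
    for stmt in parse_sexprs(text):
        if stmt[0] == "context":
            contexts[stmt[1]] = render_context(stmt[2])
        elif stmt[0] == "filecon":
            _, path, ftype, ctx = stmt
            label = ("<<none>>" if ctx == [] else                 # () -> never relabel
                     contexts[ctx] if isinstance(ctx, str) else render_context(ctx))
            lines.append(" ".join(p for p in (path, FILE_TYPE_FLAGS[ftype], label) if p))
    return lines
```

An unknown `file_type` keyword raises `KeyError` from the mapping lookup, which is the same class of error the compiler reports for an invalid keyword.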
111
fsuse
-----

Label filesystems that support SELinux security contexts.

**Statement definition:**

```secil
    (fsuse fstype fsname context_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>fsuse</code></p></td>
<td align="left"><p>The <code>fsuse</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>fstype</code></p></td>
<td align="left"><p>A single keyword representing the type of filesystem as follows:</p>
<ul>
<li><p><code>task</code> - For pseudo filesystems supporting task related services such as pipes and sockets.</p></li>
<li><p><code>trans</code> - For pseudo filesystems such as pseudo terminals and temporary objects.</p></li>
<li><p><code>xattr</code> - Filesystems supporting the extended attribute <code>security.selinux</code>. The labeling is persistent for filesystems that support extended attributes.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p><code>fsname</code></p></td>
<td align="left"><p>Name of the supported filesystem (e.g. <code>ext4</code> or <code>pipefs</code>).</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>The security context to be allocated to the filesystem.</p>
<p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Examples:**

The [context](#context) identifiers are declared in the `file` namespace and the [`fsuse`](cil_file_labeling_statements.md#fsuse) statements in the global namespace:

```secil
    (block file
        (type labeledfs)
        (roletype object_r labeledfs)
        (context labeledfs_context (u object_r labeledfs low_low))

        (type pipefs)
        (roletype object_r pipefs)
        (context pipefs_context (u object_r pipefs low_low))
        ...
    )

    (fsuse xattr ext4 file.labeledfs_context)
    (fsuse xattr btrfs file.labeledfs_context)

    (fsuse task pipefs file.pipefs_context)
    (fsuse task sockfs file.sockfs_context)

    (fsuse trans devpts file.devpts_context)
    (fsuse trans tmpfs file.tmpfs_context)
```
181
genfscon
--------

Used to allocate a security context to filesystems that cannot support any of the [`fsuse`](cil_file_labeling_statements.md#fsuse) file labeling options. Generally a filesystem would have a single default security context assigned by [`genfscon`](cil_file_labeling_statements.md#genfscon) from the root `(/)` that would then be inherited by all files and directories on that filesystem. The exception to this is the `/proc` filesystem, where directories can be labeled with a specific security context (as shown in the examples).

**Statement definition:**

```secil
    (genfscon fsname path [file_type] context_id)
```

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>genfscon</code></p></td>
<td align="left"><p>The <code>genfscon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>fsname</code></p></td>
<td align="left"><p>Name of the supported filesystem (e.g. <code>rootfs</code> or <code>proc</code>).</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>path</code></p></td>
<td align="left"><p>If <code>fsname</code> is <code>proc</code>, then the partial path (see examples). For all other types this must be ‘<code>/</code>’.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>file_type</code></p></td>
<td align="left"><p>Optional keyword representing a file type. Valid values are the same as in [`filecon`](cil_file_labeling_statements.md#filecon) rules.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>); the range MUST be defined whether or not the policy is MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Examples:**

The [context](#context) identifiers are declared in the `file` namespace and the [`genfscon`](cil_file_labeling_statements.md#genfscon) statements are then inserted using the [`in`](cil_container_statements.md#in) container statement:

```secil
    (block file
        (type rootfs)
        (roletype object_r rootfs)
        (context rootfs_context (u object_r rootfs low_low))

        (type proc)
        (roletype object_r proc)
        (context proc_context (u object_r proc low_low))
        ...
    )

    (in file
        (genfscon rootfs / rootfs_context)
        ; proc labeling can be further refined (longest matching prefix).
        (genfscon proc / proc_context)
        (genfscon proc /net/xt_qtaguid/ctrl qtaguid_proc_context)
        (genfscon proc /sysrq-trigger sysrq_proc_context)
        (genfscon selinuxfs / selinuxfs_context)
    )
```

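As an added example (not part of the CIL documentation or of secilc), the following Python code resolves a path on a filesystem to its `genfscon` label the way the comment in the example describes: among the entries for that filesystem, the longest path prefix wins, and an entry carrying a `file_type` only applies to objects of that type. It also checks the rule from the table that only `proc` may use a partial path. The entry list is constructed from the example above with contexts already rendered, plus one extra `dir`-only entry added to show the `file_type` filter.

```python
# Constructed genfscon entries mirroring this page's example, contexts already rendered
# (added example, not the page's code). Tuples: (fsname, path, file_type, context).
GENFSCON = [
    ("rootfs", "/", "any", "u:object_r:rootfs:s0"),
    ("proc", "/", "any", "u:object_r:proc:s0"),
    ("proc", "/net", "dir", "u:object_r:proc_net_dir:s0"),   # constructed: dir-only entry
    ("proc", "/net/xt_qtaguid/ctrl", "any", "u:object_r:qtaguid_proc:s0"),
    ("proc", "/sysrq-trigger", "any", "u:object_r:sysrq_proc:s0"),
    ("selinuxfs", "/", "any", "u:object_r:selinuxfs:s0"),
]
# The file_type keywords accepted by filecon, which genfscon shares.
FILE_TYPES = {"file", "dir", "char", "block", "socket", "pipe", "symlink", "any"}

def genfscon_errors(entries):
    """Return the violations of the statement definition: a non-proc filesystem with a
    path other than '/', or an unknown file_type keyword. An empty list means valid."""
    errors = []
    for fsname, path, ftype, _ in entries:
        if fsname != "proc" and path != "/":
            errors.append(f"genfscon {fsname} {path}: only proc may use a partial path")
        if ftype not in FILE_TYPES:
            errors.append(f"genfscon {fsname} {path}: unknown file_type {ftype!r}")
    return errors

def genfs_lookup(entries, fsname, path, ftype="file"):
    """Context for `path` on filesystem `fsname`: among the entries for that filesystem
    whose file_type is 'any' or equals `ftype`, the longest path prefix wins. The match
    is a plain string prefix, so '/net' also covers '/net/dev'. None if nothing matches."""
    best_len, best_ctx = -1, None
    for e_fs, e_path, e_type, ctx in entries:
        if e_fs != fsname or e_type not in ("any", ftype):
            continue
        if path.startswith(e_path) and len(e_path) > best_len:
            best_len, best_ctx = len(e_path), ctx
    return best_ctx
```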