<!-- Common Interface Language (CIL) Reference Guide -->
<!-- file_labeling_statements.xml -->

<sect1>
   <title>File Labeling Statements</title>
   <sect2 id="filecon">
      <title>filecon</title>
      <para>Define entries for labeling files. The compiler will produce these entries in a file called <emphasis role="bold"><literal>file_contexts</literal></emphasis><literal>(5)</literal> by default in the <literal>cwd</literal>. The compiler option <literal>[-f|--filecontext &lt;filename&gt;]</literal> may be used to specify a different path or file name.</para>
      <para><emphasis role="bold">Statement definition:</emphasis></para>
      <programlisting><![CDATA[(filecon "path" file_type context_id)]]></programlisting>
      <para><emphasis role="bold">Where:</emphasis></para>
      <informaltable frame="all">
         <tgroup cols="2">
            <colspec colwidth="2 *"/>
            <colspec colwidth="6 *"/>
            <tbody>
               <row>
                  <entry>
                     <para><literal>filecon</literal></para>
                  </entry>
                  <entry>
                     <para>The <literal>filecon</literal> keyword.</para>
                  </entry>
               </row>
               <row>
                  <entry>
                     <para><literal>path</literal></para>
                  </entry>
                  <entry>
                     <para>A string representing the file path, which may be written as a regular expression. The string must be enclosed within double quotes (e.g. <literal>"/this/is/a/path(/.*)?"</literal>).</para>
                  </entry>
               </row>
               <row>
                  <entry>
                     <para><literal>file_type</literal></para>
                  </entry>
                  <entry>
                     <para>A single keyword representing a file type, written into the <literal>file_contexts</literal> file as follows:</para>
                     <para>
                        <informaltable frame="all">
                           <tgroup cols="2">
                              <colspec colwidth="1 in"/>
                              <colspec colwidth="1.25 in"/>
                              <tbody>
                                 <row>
                                    <entry>
                                       <para><emphasis role="bold">keyword</emphasis></para>
                                    </entry>
                                    <entry>
                                       <para><emphasis role="bold">file_contexts entry</emphasis></para>
                                    </entry>
                                 </row>
                                 <row>
                                    <entry>
                                       <para><literal>file</literal></para>
                                    </entry>
                                    <entry>
                                       <para><literal>--</literal></para>
                                    </entry>
                                 </row>
                                 <row>
                                    <entry>
                                       <para><literal>dir</literal></para>
                                    </entry>
                                    <entry>
                                       <para><literal>-d</literal></para>
                                    </entry>
                                 </row>
                                 <row>
                                    <entry>
                                       <para><literal>char</literal></para>
                                    </entry>
                                    <entry>
                                       <para><literal>-c</literal></para>
                                    </entry>
                                 </row>
                                 <row>
                                    <entry>
                                       <para><literal>block</literal></para>
                                    </entry>
                                    <entry>
                                       <para><literal>-b</literal></para>
                                    </entry>
                                 </row>
                                 <row>
                                    <entry>
                                       <para><literal>socket</literal></para>
                                    </entry>
                                    <entry>
                                       <para><literal>-s</literal></para>
                                    </entry>
                                 </row>
                                 <row>
                                    <entry>
                                       <para><literal>pipe</literal></para>
                                    </entry>
                                    <entry>
                                       <para><literal>-p</literal></para>
                                    </entry>
                                 </row>
                                 <row>
                                    <entry>
                                       <para><literal>symlink</literal></para>
                                    </entry>
                                    <entry>
                                       <para><literal>-l</literal></para>
                                    </entry>
                                 </row>
                                 <row>
                                    <entry>
                                       <para><literal>any</literal></para>
                                    </entry>
                                    <entry>
                                       <para>no entry</para>
                                    </entry>
                                 </row>
                              </tbody>
                           </tgroup>
                        </informaltable>
                     </para>
                  </entry>
               </row>
               <row>
                  <entry>
                     <para><literal>context_id</literal></para>
                  </entry>
                  <entry>
                     <para>The security context to be allocated to the file, which may be:</para>
                     <itemizedlist>
                        <listitem><para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>). The range MUST be defined whether the policy is MLS/MCS enabled or not.</para></listitem>
                        <listitem><para>An empty context list, represented by <literal>()</literal>, can be used to indicate that matching files should not be re-labeled. This is written as <literal>&lt;&lt;none&gt;&gt;</literal> in the <emphasis role="bold"><literal>file_contexts</literal></emphasis><literal>(5)</literal> file.</para></listitem>
                     </itemizedlist>
                  </entry>
               </row>
            </tbody>
         </tgroup>
      </informaltable>

      <para><emphasis role="bold">Examples:</emphasis></para>
      <para>These examples use one named, one anonymous and one empty context definition:</para>
      <programlisting><![CDATA[
(context runas_exec_context (u object_r exec low_low))

(filecon "/system/bin/run-as" file runas_exec_context)
(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
(filecon "/data/local/mine" dir ())]]>
      </programlisting>
      <simpara>These resolve to the following <literal>file_contexts</literal> entries (assuming an MLS-enabled policy):</simpara>
      <programlisting><![CDATA[
/system/bin/run-as -- u:object_r:runas.exec:s0
/dev/socket/wpa_wlan[0-9] u:object_r:wpa.socket:s0
/data/local/mine -d <<none>>]]>
      </programlisting>
   </sect2>

   <sect2 id="fsuse">
      <title>fsuse</title>
      <para>Label filesystems that support SELinux security contexts.</para>
      <para><emphasis role="bold">Statement definition:</emphasis></para>
      <programlisting><![CDATA[(fsuse fstype fsname context_id)]]></programlisting>
      <para><emphasis role="bold">Where:</emphasis></para>
      <informaltable frame="all">
         <tgroup cols="2">
            <colspec colwidth="2 *"/>
            <colspec colwidth="6 *"/>
            <tbody>
               <row>
                  <entry>
                     <para><literal>fsuse</literal></para>
                  </entry>
                  <entry>
                     <para>The <literal>fsuse</literal> keyword.</para>
                  </entry>
               </row>
               <row>
                  <entry>
                     <para><literal>fstype</literal></para>
                  </entry>
                  <entry>
                     <para>A single keyword representing the type of filesystem, as follows:</para>
                     <itemizedlist mark="none">
                        <listitem><simpara><literal>task</literal> - For pseudo filesystems supporting task-related services such as pipes and sockets.</simpara></listitem>
                        <listitem><simpara><literal>trans</literal> - For pseudo filesystems such as pseudo terminals and temporary objects.</simpara></listitem>
                        <listitem><simpara><literal>xattr</literal> - Filesystems supporting the extended attribute <literal>security.selinux</literal>. The labeling is persistent for filesystems that support extended attributes.</simpara></listitem>
                     </itemizedlist>
                  </entry>
               </row>
               <row>
                  <entry>
                     <para><literal>fsname</literal></para>
                  </entry>
                  <entry>
                     <para>Name of the supported filesystem (e.g. <literal>ext4</literal> or <literal>pipefs</literal>).</para>
                  </entry>
               </row>
               <row>
                  <entry>
                     <para><literal>context_id</literal></para>
                  </entry>
                  <entry>
                     <para>The security context to be allocated to the filesystem.</para>
                     <para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>). The range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
                  </entry>
               </row>
            </tbody>
         </tgroup>
      </informaltable>

      <para><emphasis role="bold">Examples:</emphasis></para>
      <para>The <link linkend="context">context</link> identifiers are declared in the <literal>file</literal> namespace and the <literal>fsuse</literal> statements in the global namespace:</para>
      <programlisting><![CDATA[
(block file
    (type labeledfs)
    (roletype object_r labeledfs)
    (context labeledfs_context (u object_r labeledfs low_low))

    (type pipefs)
    (roletype object_r pipefs)
    (context pipefs_context (u object_r pipefs low_low))
    ...
)

(fsuse xattr ext4 file.labeledfs_context)
(fsuse xattr btrfs file.labeledfs_context)

(fsuse task pipefs file.pipefs_context)
(fsuse task sockfs file.sockfs_context)

(fsuse trans devpts file.devpts_context)
(fsuse trans tmpfs file.tmpfs_context)]]>
      </programlisting>
   </sect2>

   <sect2 id="genfscon">
      <title>genfscon</title>
      <para>Used to allocate a security context to filesystems that cannot support any of the <literal><link linkend="fsuse">fsuse</link></literal> file labeling options. Generally a filesystem has a single default security context assigned by <literal>genfscon</literal> from the root <literal>(/)</literal>, which is then inherited by all files and directories on that filesystem. The exception to this is the <literal>/proc</literal> filesystem, where directories can be labeled with a specific security context (as shown in the examples).</para>
      <para><emphasis role="bold">Statement definition:</emphasis></para>
      <programlisting><![CDATA[(genfscon fsname path context_id)]]></programlisting>
      <para><emphasis role="bold">Where:</emphasis></para>
      <informaltable frame="all">
         <tgroup cols="2">
            <colspec colwidth="2 *"/>
            <colspec colwidth="6 *"/>
            <tbody>
               <row>
                  <entry>
                     <para><literal>genfscon</literal></para>
                  </entry>
                  <entry>
                     <para>The <literal>genfscon</literal> keyword.</para>
                  </entry>
               </row>
               <row>
                  <entry>
                     <para><literal>fsname</literal></para>
                  </entry>
                  <entry>
                     <para>Name of the supported filesystem (e.g. <literal>rootfs</literal> or <literal>proc</literal>).</para>
                  </entry>
               </row>
               <row>
                  <entry>
                     <para><literal>path</literal></para>
                  </entry>
                  <entry>
                     <para>If <literal>fsname</literal> is <literal>proc</literal>, then the partial path (see examples). For all other types this must be ‘<literal>/</literal>’.</para>
                  </entry>
               </row>
               <row>
                  <entry>
                     <para><literal>context_id</literal></para>
                  </entry>
                  <entry>
                     <para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>). The range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
                  </entry>
               </row>
            </tbody>
         </tgroup>
      </informaltable>

      <para><emphasis role="bold">Examples:</emphasis></para>
      <para>The <link linkend="context">context</link> identifiers are declared in the <literal>file</literal> namespace and the <literal>genfscon</literal> statements are then inserted using the <literal><link linkend="in">in</link></literal> container statement:</para>
      <programlisting><![CDATA[
(block file
    (type rootfs)
    (roletype object_r rootfs)
    (context rootfs_context (u object_r rootfs low_low))

    (type proc)
    (roletype object_r proc)
    (context proc_context (u object_r proc low_low))
    ...
)

(in file
    (genfscon rootfs / rootfs_context)
    ; proc labeling can be further refined (longest matching prefix).
    (genfscon proc / proc_context)
    (genfscon proc /net/xt_qtaguid/ctrl qtaguid_proc_context)
    (genfscon proc /sysrq-trigger sysrq_proc_context)
    (genfscon selinuxfs / selinuxfs_context)
)]]>
      </programlisting>
   </sect2>

</sect1>
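The filecon resolution (keyword to file_contexts type field, `()` to `<<none>>`, range collapsing) and the genfscon longest-matching-prefix rule described in the sections above, worked as a small Python reader. This is an added example, not code from the CIL reference guide or the SELinux project; it assumes a flat global namespace (the `block`/`in` containers are not modelled), a constructed `low_low` levelrange that renders as `s0`, and a constructed sample policy fragment.

```python
# Added example (not from the CIL reference guide or the SELinux project): a small
# reader for filecon/genfscon statements. Assumes a flat global namespace.
import re

FILE_TYPE = {"file": "--", "dir": "-d", "char": "-c", "block": "-b",      # filecon keyword ->
             "socket": "-s", "pipe": "-p", "symlink": "-l", "any": None}  # file_contexts type field
LEVELRANGE = {"low_low": "s0"}  # assumption: the only levelrange id used, rendered as s0

def parse(text):
    """CIL s-expressions (';' comments stripped) -> nested lists of strings."""
    stack, cur = [], []
    for t in re.findall(r'\(|\)|"[^"]*"|[^\s()]+', re.sub(r";[^\n]*", "", text)):
        if t == "(":
            stack.append(cur); cur = []
        elif t == ")":
            done, cur = cur, stack.pop(); cur.append(done)
        else:
            cur.append(t.strip('"'))
    return cur

def render_context(ctx, named):
    """Named id, anonymous (user role type levelrange) or raw u:r:t:range -> string."""
    if isinstance(ctx, str):
        ctx = ctx.split(":", 3) if ":" in ctx else named[ctx]
    if not ctx:
        return "<<none>>"  # () means: do not relabel matching files
    u, r, t, lr = ctx
    lr = LEVELRANGE.get(lr, lr)
    lo, _, hi = lr.partition("-")
    return f"{u}:{r}:{t}:{lo if hi in ('', lo) else lr}"  # s0-s0 collapses to s0

def file_contexts(text):
    """file_contexts(5) lines for every filecon statement; 'any' writes no type field."""
    stmts = parse(text)
    named = {s[1]: s[2] for s in stmts if s[0] == "context"}
    return [" ".join(f for f in (s[1], FILE_TYPE[s[2]], render_context(s[3], named)) if f)
            for s in stmts if s[0] == "filecon"]

def genfscon_lookup(text, fsname, path):
    """Context for path on fsname: the genfscon rule with the longest matching prefix."""
    stmts = parse(text)
    named = {s[1]: s[2] for s in stmts if s[0] == "context"}
    rules = [s for s in stmts if s[0] == "genfscon" and s[1] == fsname and path.startswith(s[2])]
    return render_context(max(rules, key=lambda s: len(s[2]))[3], named) if rules else None

SAMPLE = """; constructed sample policy fragment (global namespace, no block/in containers)
(context runas_exec_context (u object_r runas.exec low_low))
(filecon "/system/bin/run-as" file runas_exec_context)
(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
(filecon "/data/local/mine" dir ())
(context proc_context (u object_r proc low_low))
(context sysrq_proc_context (u object_r sysrq_proc low_low))
(genfscon proc / proc_context)
(genfscon proc /sysrq-trigger sysrq_proc_context)"""
```

`file_contexts(SAMPLE)` yields the three entries shown in the filecon examples, and `genfscon_lookup(SAMPLE, "proc", "/sysrq-trigger")` picks the more specific `/sysrq-trigger` rule over `/`.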