| <!-- Common Interface Language (CIL) Reference Guide --> |
| <!-- file_labeling_statements.xml --> |
| |
| <sect1> |
| <title>File Labeling Statements</title> |
| <sect2 id="filecon"> |
| <title>filecon</title> |
| <para>Define entries for labeling files. The compiler will produce these entries in a file called <emphasis role="bold"><literal>file_contexts</literal></emphasis><literal>(5)</literal> by default in the <literal>cwd</literal>. The compiler option <literal>[-f|--filecontext <filename>]</literal> may be used to specify a different path or file name.</para> |
| <para><emphasis role="bold">Statement definition:</emphasis></para> |
| <programlisting><![CDATA[(filecon "path" file_type context_id)]]></programlisting> |
| <para><emphasis role="bold">Where:</emphasis></para> |
| <informaltable frame="all"> |
| <tgroup cols="2"> |
| <colspec colwidth="2 *"/> |
| <colspec colwidth="6 *"/> |
| <tbody> |
| <row> |
| <entry> |
| <para><literal>filecon</literal></para> |
| </entry> |
| <entry> |
| <para>The <literal>filecon</literal> keyword.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>path</literal></para> |
| </entry> |
| <entry> |
| <para>A string representing the file path that may be in the form of a regular expression. The string must be enclosed within double quotes (e.g. <literal>"/this/is/a/path(/.*)?"</literal>)</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>file_type</literal></para> |
| </entry> |
| <entry> |
| <para>A single keyword representing a file type in the <literal>file_contexts</literal> file as follows:</para> |
| <para> |
| <informaltable frame="all"> |
| <tgroup cols="2"> |
| <colspec colwidth="1 in"/> |
| <colspec colwidth="1.25 in"/> |
| <tbody> |
| <row> |
| <entry> |
| <para><emphasis role="bold">keyword</emphasis></para> |
| </entry> |
| <entry> |
| <para><emphasis role="bold">file_contexts entry</emphasis></para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>file</literal></para> |
| </entry> |
| <entry> |
| <para><literal>--</literal></para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>dir</literal></para> |
| </entry> |
| <entry> |
| <para><literal>-d</literal></para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>char</literal></para> |
| </entry> |
| <entry> |
| <para><literal>-c</literal></para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>block</literal></para> |
| </entry> |
| <entry> |
| <para><literal>-b</literal></para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>socket</literal></para> |
| </entry> |
| <entry> |
| <para><literal>-s</literal></para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>pipe</literal></para> |
| </entry> |
| <entry> |
| <para><literal>-p</literal></para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>symlink</literal></para> |
| </entry> |
| <entry> |
| <para><literal>-l</literal></para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>any</literal></para> |
| </entry> |
| <entry> |
| <para>no entry</para> |
| </entry> |
| </row> |
| </tbody></tgroup> |
| </informaltable> |
| </para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>context_id</literal></para> |
| </entry> |
| <entry> |
| <para>The security context to be allocated to the file, which may be:</para> |
| <itemizedlist> |
| <listitem><para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para></listitem> |
| <listitem><para>An empty context list represented by <literal>()</literal> can be used to indicate that matching files should not be re-labeled. This will be interpreted as <literal><<none>></literal> within the <emphasis role="bold"><literal>file_contexts</literal></emphasis><literal>(5)</literal> file.</para></listitem> |
| </itemizedlist> |
| </entry> |
| </row> |
| </tbody></tgroup> |
| </informaltable> |
| |
| <para><emphasis role="bold">Examples:</emphasis></para> |
| <para>These examples use one named, one anonymous and one empty context definition:</para> |
| <programlisting><![CDATA[ |
| (context runas_exec_context (u object_r exec low_low)) |
| |
| (filecon "/system/bin/run-as" file runas_exec_context) |
| (filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0) |
| (filecon "/data/local/mine" dir ())]]> |
| </programlisting> |
| <simpara>to resolve/build <literal>file_contexts</literal> entries of (assuming MLS enabled policy):</simpara> |
| <programlisting><![CDATA[ |
| /system/bin/run-as -- u:object_r:runas.exec:s0 |
| /dev/socket/wpa_wlan[0-9] u:object_r:wpa.socket:s0 |
| /data/local/mine -d <<none>>]]> |
| </programlisting> |
| </sect2> |
| |
| <sect2 id="fsuse"> |
| <title>fsuse</title> |
| <para>Label filesystems that support SELinux security contexts.</para> |
| <para><emphasis role="bold">Statement definition:</emphasis></para> |
| <programlisting><![CDATA[(fsuse fstype fsname context_id)]]></programlisting> |
| <para><emphasis role="bold">Where:</emphasis></para> |
| <informaltable frame="all"> |
| <tgroup cols="2"> |
| <colspec colwidth="2 *"/> |
| <colspec colwidth="6 *"/> |
| <tbody> |
| <row> |
| <entry> |
| <para><literal>fsuse</literal></para> |
| </entry> |
| <entry> |
| <para>The <literal>fsuse</literal> keyword.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>fstype</literal></para> |
| </entry> |
| <entry> |
| <para>A single keyword representing the type of filesystem as follows:</para> |
| <itemizedlist mark="none"> |
| <listitem><simpara><literal>task</literal> - For pseudo filesystems supporting task related services such as pipes and sockets.</simpara></listitem> |
| <listitem><simpara><literal>trans</literal> - For pseudo filesystems such as pseudo terminals and temporary objects.</simpara></listitem> |
| <listitem><simpara><literal>xattr</literal> - Filesystems supporting the extended attribute <literal>security.selinux</literal>. The labeling is persistent for filesystems that support extended attributes.</simpara></listitem> |
| </itemizedlist> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>fsname</literal></para> |
| </entry> |
| <entry> |
| <para>Name of the supported filesystem (e.g. <literal>ext4</literal> or <literal>pipefs</literal>).</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>context_id</literal></para> |
| </entry> |
| <entry> |
| <para>The security context to be allocated to the network interface.</para> |
| <para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para> |
| </entry> |
| </row> |
| </tbody></tgroup> |
| </informaltable> |
| |
| <para><emphasis role="bold">Examples:</emphasis></para> |
| <para>The <link linkend="context">context</link> identifiers are declared in the <literal>file</literal> namespace and the <literal>fsuse</literal> statements in the global namespace:</para> |
| <programlisting><![CDATA[ |
| (block file |
| (type labeledfs) |
| (roletype object_r labeledfs) |
| (context labeledfs_context (u object_r labeledfs low_low)) |
| |
| (type pipefs) |
| (roletype object_r pipefs) |
| (context pipefs_context (u object_r pipefs low_low)) |
| ... |
| ) |
| |
| (fsuse xattr ex4 file.labeledfs_context) |
| (fsuse xattr btrfs file.labeledfs_context) |
| |
| (fsuse task pipefs file.pipefs_context) |
| (fsuse task sockfs file.sockfs_context) |
| |
| (fsuse trans devpts file.devpts_context) |
| (fsuse trans tmpfs file.tmpfs_context)]]> |
| </programlisting> |
| </sect2> |
| |
| <sect2 id="genfscon"> |
| <title>genfscon</title> |
| <para>Used to allocate a security context to filesystems that cannot support any of the <literal><link linkend="fsuse">fsuse</link></literal> file labeling options. Generally a filesystem would have a single default security context assigned by <literal>genfscon</literal> from the root <literal>(/)</literal> that would then be inherited by all files and directories on that filesystem. The exception to this is the <literal>/proc</literal> filesystem, where directories can be labeled with a specific security context (as shown in the examples).</para> |
| <para><emphasis role="bold">Statement definition:</emphasis></para> |
| <programlisting><![CDATA[(genfscon fsname path context_id)]]></programlisting> |
| <para><emphasis role="bold">Where:</emphasis></para> |
| <informaltable frame="all"> |
| <tgroup cols="2"> |
| <colspec colwidth="2 *"/> |
| <colspec colwidth="6 *"/> |
| <tbody> |
| <row> |
| <entry> |
| <para><literal>genfscon</literal></para> |
| </entry> |
| <entry> |
| <para>The <literal>genfscon</literal> keyword.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>fsname</literal></para> |
| </entry> |
| <entry> |
| <para>Name of the supported filesystem (e.g. <literal>rootfs</literal> or <literal>proc</literal>).</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>path</literal></para> |
| </entry> |
| <entry> |
| <para>If <literal>fsname</literal> is <literal>proc</literal>, then the partial path (see examples). For all other types this must be ‘<literal>/</literal>’.</para> |
| </entry> |
| </row> |
| <row> |
| <entry> |
| <para><literal>context_id</literal></para> |
| </entry> |
| <entry> |
| <para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para> |
| </entry> |
| </row> |
| </tbody></tgroup> |
| </informaltable> |
| |
| <para><emphasis role="bold">Examples:</emphasis></para> |
| <para>The <link linkend="context">context</link> identifiers are declared in the <literal>file</literal> namespace and the <literal>genfscon</literal> statements are then inserted using the <literal><link linkend="in">in</link></literal> container statement:</para> |
| <programlisting><![CDATA[ |
| (file |
| (type rootfs) |
| (roletype object_r rootfs) |
| (context rootfs_context (u object_r rootfs low_low)) |
| |
| (type proc) |
| (roletype object_r proc) |
| (context rootfs_context (u object_r proc low_low)) |
| ... |
| ) |
| |
| (in file |
| (genfscon rootfs / rootfs_context) |
| ; proc labeling can be further refined (longest matching prefix). |
| (genfscon proc / proc_context) |
| (genfscon proc /net/xt_qtaguid/ctrl qtaguid_proc_context) |
| (genfscon proc /sysrq-trigger sysrq_proc_context) |
| (genfscon selinuxfs / selinuxfs_context) |
| )]]> |
| </programlisting> |
| </sect2> |
| |
| </sect1> |