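# Initial SID contexts: one security context per kernel-defined initial SID.
# The kernel falls back to these when it has no other source for a label.
#
# Review note: most entries resolve to the `unlabeled` type. Any allow rule
# written against `unlabeled` elsewhere in the policy therefore also covers
# every object that falls back to one of these SIDs, so such rules should be
# kept to a minimum and audited.

# Context of the kernel itself (kernel threads and the initial task).
sid kernel u:r:kernel:s0
# Target of checks on the security server (e.g. policy load, enforcing mode).
# It shares the `kernel` type here, so rules on kernel:security govern those
# operations.
sid security u:object_r:kernel:s0
# Objects with no label, or with a label that is invalid under this policy.
sid unlabeled u:object_r:unlabeled:s0
# Default filesystem (superblock) label.
sid fs u:object_r:labeledfs:s0
# Default file label, e.g. for inodes on an xattr filesystem that carry no
# security xattr. Mapped to `unlabeled`, so such files are not usable by
# domains that lack access to `unlabeled`.
sid file u:object_r:unlabeled:s0
sid file_labels u:object_r:unlabeled:s0
sid init u:object_r:unlabeled:s0
sid any_socket u:object_r:unlabeled:s0
# Defaults for network objects with no more specific context statement
# (portcon / netifcon / nodecon).
sid port u:object_r:port:s0
sid netif u:object_r:netif:s0
sid netmsg u:object_r:unlabeled:s0
sid node u:object_r:node:s0
sid igmp_packet u:object_r:unlabeled:s0
sid icmp_socket u:object_r:unlabeled:s0
sid tcp_socket u:object_r:unlabeled:s0
# sysctl-related initial SIDs. Only `sysctl` gets a real type (`proc`);
# the rest fall back to `unlabeled`.
sid sysctl_modprobe u:object_r:unlabeled:s0
sid sysctl u:object_r:proc:s0
sid sysctl_fs u:object_r:unlabeled:s0
sid sysctl_kernel u:object_r:unlabeled:s0
sid sysctl_net u:object_r:unlabeled:s0
sid sysctl_net_unix u:object_r:unlabeled:s0
sid sysctl_vm u:object_r:unlabeled:s0
sid sysctl_dev u:object_r:unlabeled:s0
sid kmod u:object_r:unlabeled:s0
sid policy u:object_r:unlabeled:s0
sid scmp_packet u:object_r:unlabeled:s0
# Label of the null device the kernel substitutes for file descriptors that a
# new domain is not allowed to inherit.
sid devnull u:object_r:null_device:s0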
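# Label inodes via getxattr.
# Per-file contexts are read from the security.selinux extended attribute.
# The context given on each line labels the filesystem (superblock) itself,
# not the files on it. An inode with no xattr falls back to the `file`
# initial SID, so an unlabeled or never-relabeled image yields files with the
# default file context rather than a usable type.
fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
fs_use_xattr jffs2 u:object_r:labeledfs:s0;
fs_use_xattr ext2 u:object_r:labeledfs:s0;
fs_use_xattr ext3 u:object_r:labeledfs:s0;
fs_use_xattr ext4 u:object_r:labeledfs:s0;
fs_use_xattr xfs u:object_r:labeledfs:s0;
fs_use_xattr btrfs u:object_r:labeledfs:s0;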
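# Label inodes from task label.
# Inodes on these pseudo filesystems (pipes, sockets) take the context of the
# task that creates them. The context on each line labels the filesystem
# itself.
fs_use_task pipefs u:object_r:pipefs:s0;
fs_use_task sockfs u:object_r:sockfs:s0;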
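# Label inodes from combination of task label and fs label.
# Define type_transition rules if you want per-domain types.
# Without a matching type_transition rule, a new inode gets the filesystem
# type listed here, so every domain's files on that filesystem share one type
# (e.g. all tmpfs files are `tmpfs`). Add transitions where domains must not
# be able to reach each other's files.
fs_use_trans devpts u:object_r:devpts:s0;
fs_use_trans tmpfs u:object_r:tmpfs:s0;
fs_use_trans devtmpfs u:object_r:device:s0;
fs_use_trans shm u:object_r:shm:s0;
fs_use_trans mqueue u:object_r:mqueue:s0;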
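# Label inodes with the fs label.
# genfscon assigns a context by filesystem type and path prefix, for
# filesystems that cannot store per-file labels.
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
# Entries not listed individually fall under the generic `proc` type.
genfscon proc / u:object_r:proc:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid:s0
# These proc entries are for the CSR GPS chip
# XXX Can we label these as device specific?
genfscon proc /mcspi1_cs3_ctrl u:object_r:gps_control:s0
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
genfscon inotifyfs / u:object_r:inotify:s0
# vfat and fuse mounts get the single `sdcard` type for every file on them.
# SELinux cannot tell files apart within these mounts, so a domain allowed on
# `sdcard` reaches all of their contents, and any FUSE filesystem is treated
# as sdcard storage regardless of what backs it.
genfscon vfat / u:object_r:sdcard:s0
# debugfs exposes kernel debugging interfaces under one type; keep the set of
# domains with access to `debugfs` small.
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:sdcard:s0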
# portcon statements go here, e.g.
# portcon tcp 80 u:object_r:http_port:s0