374b2a198a
Rename sdcard_internal/external types to fuse and vfat respectively to make it clear that they are assigned to any fuse or vfat filesystem by default (absent a context= mount option) and do not necessarily represent the SDcard. The sdcard_type attribute is still assigned to both types and can still be used in allow rules to permit access to either the internal or external SDcard. Define type aliases for the old names to preserve compatibility on policy reload and for device-specific policies that may not yet be updated. Change-Id: I8d91a8c4c1342b94e4f1bb62ca7ffd2ca4b06ba1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
33 lines
1.7 KiB
Text
33 lines
1.7 KiB
Text
# Label inodes with the fs label.
|
|
genfscon rootfs / u:object_r:rootfs:s0
|
|
# proc labeling can be further refined (longest matching prefix).
|
|
genfscon proc / u:object_r:proc:s0
|
|
genfscon proc /net u:object_r:proc_net:s0
|
|
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
|
|
genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
|
|
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
|
|
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
|
|
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
|
|
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
|
|
genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
|
|
genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
|
|
genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
|
|
genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
|
|
genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
|
|
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
|
|
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
|
|
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
|
|
genfscon proc /sys/net u:object_r:proc_net:s0
|
|
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
|
|
# selinuxfs booleans can be individually labeled.
|
|
genfscon selinuxfs / u:object_r:selinuxfs:s0
|
|
genfscon cgroup / u:object_r:cgroup:s0
|
|
# sysfs labels can be set by userspace.
|
|
genfscon sysfs / u:object_r:sysfs:s0
|
|
genfscon inotifyfs / u:object_r:inotify:s0
|
|
genfscon vfat / u:object_r:vfat:s0
|
|
genfscon debugfs / u:object_r:debugfs:s0
|
|
genfscon fuse / u:object_r:fuse:s0
|
|
genfscon pstore / u:object_r:pstorefs:s0
|
|
genfscon functionfs / u:object_r:functionfs:s0
|
|
genfscon usbfs / u:object_r:usbfs:s0
|