Re: using tmpfs for /tmp and selinux

Stephen Smalley wrote:

On Fri, 2005-03-25 at 15:15 +0100, dragoran wrote:


does this mean that adding restorecon /tmp in rc.sysinit would solve my problem?
I am using selinux-policy-targeted-1.17.30-2.90 is


allow tmpfile tmpfs_t:filesystem associate;

already done in this policy? or do I have to add it myself? I have policy sources installed but I don't know in which file I should add this line before rebuilding the policy.



It is in the rawhide policy, doesn't appear to be in the latest policy for FC3 yet. You can temporarily put it in /etc/selinux/targeted/src/policy/domains/misc/local.te and reload your policy for now. The diff Dan proposed for rc.sysinit on selinux list is below.



------------------------------------------------------------------------

--- initscripts-8.05/rc.d/rc.sysinit~	2005-03-24 15:02:51.000000000 -0500
+++ initscripts-8.05/rc.d/rc.sysinit	2005-03-24 15:03:11.000000000 -0500
@@ -593,6 +593,7 @@
fi

# Clean up various /tmp bits
+restorecon /tmp
rm -f /tmp/.X*-lock /tmp/.lock.* /tmp/.gdm_socket /tmp/.s.PGSQL.*
rm -rf /tmp/.X*-unix /tmp/.ICE-unix /tmp/.font-unix /tmp/hsperfdata_* \
/tmp/kde-* /tmp/ksocket-* /tmp/mc-* /tmp/mcop-* /tmp/orbit-* \
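Review bot: the added `restorecon /tmp` at the top of the cleanup block runs unconditionally, so on a machine booting with SELinux disabled or without restorecon installed it will emit an error at every boot; consider guarding it, e.g. `[ -x /sbin/restorecon ] && restorecon /tmp`, or at least silencing it with `2>/dev/null`. Leaving out `-R` is correct here: the targeted policy's file_contexts labels `/tmp` itself as `tmp_t` and marks `/tmp/.*` as `<<none>>`, so only the mount point needs relabeling after a tmpfs mount, and the `rm` lines that follow do the actual cleanup.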


------------------------------------------------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list

ok now I have the problem that the policy doesn't build:
-
# make reload
make: *** No rule to make target `file_contexts/program/httpd_socket.fc', needed by `file_contexts/file_contexts'. Stop.
-
I tried:
#stat file_contexts/program/httpd_socket.fc
stat: cannot stat `file_contexts/program/httpd_socket.fc': No such file or directory
this file does not exist....
file_contexts/file_contexts is attached.
# Distro-specific customizations.

# Comment out all but the one that matches your distro.
# The policy .te files can then wrap distro-specific customizations with
# appropriate ifdefs.


#
# This file describes the security contexts to be applied to files
# when the security policy is installed.  The setfiles program
# reads this file and labels files accordingly.
#
# Each specification has the form:
#       regexp [ -type ] ( context | <<none>> )
#
# By default, the regexp is an anchored match on both ends (i.e. a 
# caret (^) is prepended and a dollar sign ($) is appended automatically).
# This default may be overridden by using .* at the beginning and/or
# end of the regular expression.  
#
# The optional type field specifies the file type as shown in the mode
# field by ls, e.g. use -d to match only directories or -- to match only
# regular files.
#
# The value of <<none>> may be used to indicate that matching files
# should not be relabeled.
#
# The last matching specification is used.
#
# If there are multiple hard links to a file that match
# different specifications and those specifications indicate
# different security contexts, then a warning is displayed
# but the file is still labeled based on the last matching
# specification other than <<none>>.
#
# Some of the files listed here get re-created during boot and therefore
# need type transition rules to retain the correct type. These files are
# listed here anyway so that if the setfiles program is used on a running
# system it does not relabel them to something we do not want. An example of
# this is /var/run/utmp.
#

#
# The security context for all files not otherwise specified.
#
/.*				system_u:object_r:default_t

#
# The root directory.
#
/			-d	system_u:object_r:root_t

#
# Ordinary user home directories.
# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
# HOME_DIR expands to each user's home directory,
#                  and to HOME_ROOT/[^/]+ for each HOME_ROOT.
# ROLE expands to each user's role when role != user_r, and to "user" otherwise.
#
/home		-d	system_u:object_r:home_root_t
/home/[^/]+		-d	system_u:object_r:user_home_dir_t
/home/[^/]+/.+			system_u:object_r:user_home_t


#
# Mount points; do not relabel subdirectories, since
# we don't want to change any removable media by default.
/mnt(/[^/]*)?		-d	system_u:object_r:mnt_t
/mnt/[^/]*/.*			<<none>>
/media(/[^/]*)?		-d	system_u:object_r:mnt_t
/media/[^/]*/.*			<<none>>

#
# /var
#
/var(/.*)?			system_u:object_r:var_t
/var/catman(/.*)?		system_u:object_r:catman_t
/var/cache/man(/.*)?		system_u:object_r:catman_t
/var/yp(/.*)?			system_u:object_r:var_yp_t
/var/lib(/.*)?			system_u:object_r:var_lib_t
/var/lib/nfs(/.*)?		system_u:object_r:var_lib_nfs_t
/var/lib/texmf(/.*)?		system_u:object_r:tetex_data_t
/var/cache/fonts(/.*)?		system_u:object_r:tetex_data_t
/var/lock(/.*)?			system_u:object_r:var_lock_t
/var/tmp		-d	system_u:object_r:tmp_t
/var/tmp/.*			<<none>>
/var/tmp/vi\.recover	-d	system_u:object_r:tmp_t
/var/lib/nfs/rpc_pipefs(/*)?	<<none>>
/var/mailman/bin(/.*)?		system_u:object_r:bin_t
/var/mailman/pythonlib(/.*)?/.*\.so(\..*)?	-- system_u:object_r:shlib_t

#
# /var/ftp
#
/var/ftp/bin(/.*)?		system_u:object_r:bin_t
/var/ftp/bin/ls		--	system_u:object_r:ls_exec_t
/var/ftp/lib(64)?(/.*)?		system_u:object_r:lib_t
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* --	system_u:object_r:ld_so_t
/var/ftp/lib(64)?/lib[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
/var/ftp/etc(/.*)?		system_u:object_r:etc_t

#
# /bin
#
/bin(/.*)?			system_u:object_r:bin_t
/bin/tcsh		--	system_u:object_r:shell_exec_t
/bin/bash		--	system_u:object_r:shell_exec_t
/bin/bash2		--	system_u:object_r:shell_exec_t
/bin/sash		--	system_u:object_r:shell_exec_t
/bin/d?ash		--	system_u:object_r:shell_exec_t
/bin/zsh.*		--	system_u:object_r:shell_exec_t
/usr/sbin/sesh		--	system_u:object_r:shell_exec_t
/bin/ls			--	system_u:object_r:ls_exec_t

#
# /boot
#
/boot(/.*)?			system_u:object_r:boot_t
/boot/System\.map-.*	--	system_u:object_r:system_map_t
/boot/kernel\.h.*	--	system_u:object_r:boot_runtime_t

#
# /dev
#
/u?dev(/.*)?			system_u:object_r:device_t
/u?dev/pts(/.*)?		<<none>>
/u?dev/cpu/.*		-c	system_u:object_r:cpu_device_t
/u?dev/microcode	-c	system_u:object_r:cpu_device_t
/u?dev/MAKEDEV		--	system_u:object_r:sbin_t
/u?dev/null		-c	system_u:object_r:null_device_t
/u?dev/full		-c	system_u:object_r:null_device_t
/u?dev/zero		-c	system_u:object_r:zero_device_t
/u?dev/console		-c	system_u:object_r:console_device_t
/u?dev/(kmem|mem|port)	-c	system_u:object_r:memory_device_t
/u?dev/nvram		-c	system_u:object_r:memory_device_t
/u?dev/random		-c	system_u:object_r:random_device_t
/u?dev/urandom		-c	system_u:object_r:urandom_device_t
/u?dev/capi.*		-c	system_u:object_r:tty_device_t
/u?dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t
/u?dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t
/u?dev/ircomm[0-9]+	-c	system_u:object_r:tty_device_t
/u?dev/isdn.*		-c	system_u:object_r:tty_device_t
/u?dev/.*tty[^/]*	-c	system_u:object_r:tty_device_t
/u?dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c system_u:object_r:bsdpty_device_t
/u?dev/cu.*		-c	system_u:object_r:tty_device_t
/u?dev/vcs[^/]*		-c	system_u:object_r:tty_device_t
/u?dev/ip2[^/]*		-c	system_u:object_r:tty_device_t
/u?dev/tty		-c	system_u:object_r:devtty_t
/dev/lp.*		-c	system_u:object_r:printer_device_t
/dev/par.*		-c	system_u:object_r:printer_device_t
/dev/usb/lp.*		-c	system_u:object_r:printer_device_t
/dev/usblp.*		-c	system_u:object_r:printer_device_t

/dev/root		-b	system_u:object_r:fixed_disk_device_t

/u?dev/[shmx]d[^/]*	-b	system_u:object_r:fixed_disk_device_t
/u?dev/dm-[0-9]+	-b	system_u:object_r:fixed_disk_device_t
/u?dev/sg[0-9]+		-c	system_u:object_r:scsi_generic_device_t
/u?dev/rd.*		-b	system_u:object_r:fixed_disk_device_t
/u?dev/i2o/hd[^/]*	-b	system_u:object_r:fixed_disk_device_t
/u?dev/ubd[^/]*		-b	system_u:object_r:fixed_disk_device_t
/u?dev/cciss/[^/]*	-b	system_u:object_r:fixed_disk_device_t
/u?dev/ida/[^/]*	-b	system_u:object_r:fixed_disk_device_t
/u?dev/dasd[^/]*	-b	system_u:object_r:fixed_disk_device_t
/u?dev/flash[^/]*	-b	system_u:object_r:fixed_disk_device_t
/u?dev/nb[^/]+		-b	system_u:object_r:fixed_disk_device_t
/u?dev/ataraid/.*	-b	system_u:object_r:fixed_disk_device_t
/u?dev/loop.*		-b	system_u:object_r:fixed_disk_device_t
/u?dev/net/.*		-c	system_u:object_r:tun_tap_device_t
/u?dev/ram.*		-b	system_u:object_r:fixed_disk_device_t
/u?dev/rawctl		-c	system_u:object_r:fixed_disk_device_t
/u?dev/raw/raw[0-9]+	-c	system_u:object_r:fixed_disk_device_t
/u?dev/scramdisk/.*	-b	system_u:object_r:fixed_disk_device_t
/u?dev/initrd		-b	system_u:object_r:fixed_disk_device_t
/u?dev/jsfd		-b	system_u:object_r:fixed_disk_device_t
/u?dev/js.*		-c	system_u:object_r:mouse_device_t
/u?dev/jsflash		-c	system_u:object_r:fixed_disk_device_t
/u?dev/s(cd|r)[^/]*	-b	system_u:object_r:removable_device_t
/u?dev/usb/rio500	-c	system_u:object_r:removable_device_t
/u?dev/fd[^/]+		-b	system_u:object_r:removable_device_t
# I think a parallel port disk is a removable device...
/u?dev/pd[a-d][^/]*	-b	system_u:object_r:removable_device_t
/u?dev/p[fg][0-3]	-b	system_u:object_r:removable_device_t
/u?dev/aztcd		-b	system_u:object_r:removable_device_t
/u?dev/bpcd		-b	system_u:object_r:removable_device_t
/u?dev/gscd		-b	system_u:object_r:removable_device_t
/u?dev/hitcd		-b	system_u:object_r:removable_device_t
/u?dev/pcd[0-3]		-b	system_u:object_r:removable_device_t
/u?dev/mcdx?		-b	system_u:object_r:removable_device_t
/u?dev/cdu.*		-b	system_u:object_r:removable_device_t
/u?dev/cm20.*		-b	system_u:object_r:removable_device_t
/u?dev/optcd		-b	system_u:object_r:removable_device_t
/u?dev/sbpcd.*		-b	system_u:object_r:removable_device_t
/u?dev/sjcd		-b	system_u:object_r:removable_device_t
/u?dev/sonycd		-b	system_u:object_r:removable_device_t
# parallel port ATAPI generic device
/u?dev/pg[0-3]		-c	system_u:object_r:removable_device_t
/u?dev/rtc		-c	system_u:object_r:clock_device_t
/u?dev/psaux		-c	system_u:object_r:mouse_device_t
/u?dev/atibm		-c	system_u:object_r:mouse_device_t
/u?dev/logibm		-c	system_u:object_r:mouse_device_t
/u?dev/.*mouse.*	-c	system_u:object_r:mouse_device_t
/u?dev/input/.*mouse.*	-c	system_u:object_r:mouse_device_t
/u?dev/input/event.*	-c	system_u:object_r:event_device_t
/u?dev/input/mice	-c	system_u:object_r:mouse_device_t
/u?dev/input/js.*	-c	system_u:object_r:mouse_device_t
/u?dev/ptmx		-c	system_u:object_r:ptmx_t
/u?dev/sequencer	-c	system_u:object_r:misc_device_t
/u?dev/fb[0-9]*		-c	system_u:object_r:framebuf_device_t
/u?dev/apm_bios		-c	system_u:object_r:apm_bios_t
/u?dev/cpu/mtrr		-c	system_u:object_r:mtrr_device_t
/u?dev/(radio|video|vbi|vtx).* -c	system_u:object_r:v4l_device_t
/u?dev/winradio.	-c	system_u:object_r:v4l_device_t
/u?dev/vttuner		-c	system_u:object_r:v4l_device_t
/u?dev/tlk[0-3]		-c	system_u:object_r:v4l_device_t
/u?dev/adsp		-c	system_u:object_r:sound_device_t
/u?dev/mixer.*		-c	system_u:object_r:sound_device_t
/u?dev/dsp.*		-c	system_u:object_r:sound_device_t
/u?dev/audio.*		-c	system_u:object_r:sound_device_t
/u?dev/r?midi.*		-c	system_u:object_r:sound_device_t
/u?dev/sequencer2	-c	system_u:object_r:sound_device_t
/u?dev/smpte.*		-c	system_u:object_r:sound_device_t
/u?dev/sndstat		-c	system_u:object_r:sound_device_t
/u?dev/beep		-c	system_u:object_r:sound_device_t
/u?dev/patmgr[01]	-c	system_u:object_r:sound_device_t
/u?dev/mpu401.*		-c	system_u:object_r:sound_device_t
/u?dev/srnd[0-7]	-c	system_u:object_r:sound_device_t
/u?dev/aload.*		-c	system_u:object_r:sound_device_t
/u?dev/amidi.*		-c	system_u:object_r:sound_device_t
/u?dev/amixer.*		-c	system_u:object_r:sound_device_t
/u?dev/snd/.*		-c	system_u:object_r:sound_device_t
/u?dev/n?[hs]t[0-9].*	-c	system_u:object_r:tape_device_t
/u?dev/n?(raw)?[qr]ft[0-3] -c	system_u:object_r:tape_device_t
/u?dev/n?z?qft[0-3]	-c	system_u:object_r:tape_device_t
/u?dev/n?tpqic[12].*	-c	system_u:object_r:tape_device_t
/u?dev/ht[0-1]		-b	system_u:object_r:tape_device_t
/u?dev/n?osst[0-3].*	-c	system_u:object_r:tape_device_t
/u?dev/n?pt[0-9]+	-c	system_u:object_r:tape_device_t
/u?dev/tape.*		-c	system_u:object_r:tape_device_t

/u?dev/usb/scanner.*	-c	system_u:object_r:scanner_device_t
/u?dev/usb/dc2xx.*	-c	system_u:object_r:scanner_device_t
/u?dev/usb/mdc800.*	-c	system_u:object_r:scanner_device_t
/u?dev/usb/tty.*	-c	system_u:object_r:usbtty_device_t
/u?dev/mmetfgrab	-c	system_u:object_r:scanner_device_t
/u?dev/nvidia.*		-c	system_u:object_r:xserver_misc_device_t
/u?dev/dri/.+		-c	system_u:object_r:dri_device_t
/u?dev/radeon		-c	system_u:object_r:dri_device_t
/u?dev/agpgart		-c	system_u:object_r:agp_device_t

/proc(/.*)?			<<none>>
/sys(/.*)?			<<none>>
/selinux(/.*)?			<<none>>
/opt(/.*)?			system_u:object_r:usr_t
/opt/[^/]*/bin(/.*)?		system_u:object_r:bin_t
/opt/[^/]*/lib(/.*)?		system_u:object_r:lib_t
/opt/[^/]*/lib/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
/opt/[^/]*/lib/.*/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
/opt/.*/lib/.*\.so	--	system_u:object_r:shlib_t
/opt/[^/]*/man(/.*)?		system_u:object_r:man_t
/opt/[^/]*/libexec(/.*)?	system_u:object_r:bin_t

#
# /etc
#
/etc(/.*)?			system_u:object_r:etc_t
/var/db/.*\.db		--	system_u:object_r:etc_t
/etc/\.pwd\.lock	--	system_u:object_r:shadow_t
/etc/passwd\.lock	--	system_u:object_r:shadow_t
/etc/group\.lock	--	system_u:object_r:shadow_t
/etc/shadow.*		--	system_u:object_r:shadow_t
/etc/gshadow.*		--	system_u:object_r:shadow_t
/var/db/shadow.*	--	system_u:object_r:shadow_t
/etc/blkid\.tab		--	system_u:object_r:etc_runtime_t
/etc/fstab\.REVOKE	--	system_u:object_r:etc_runtime_t
/etc/HOSTNAME		--	system_u:object_r:etc_runtime_t
/etc/ioctl\.save	--	system_u:object_r:etc_runtime_t
/etc/mtab		--	system_u:object_r:etc_runtime_t
/etc/motd		--	system_u:object_r:etc_runtime_t
/etc/issue		--	system_u:object_r:etc_runtime_t
/etc/issue\.net		--	system_u:object_r:etc_runtime_t
/etc/sysconfig/hwconf	--	system_u:object_r:etc_runtime_t
/etc/sysconfig/iptables.save -- system_u:object_r:etc_runtime_t
/etc/sysconfig/firstboot --	system_u:object_r:etc_runtime_t
/etc/asound\.state	--	system_u:object_r:etc_runtime_t
/etc/ptal/ptal-printd-like -- 	system_u:object_r:etc_runtime_t

/etc/ld\.so\.cache	--	system_u:object_r:ld_so_cache_t
/etc/ld\.so\.preload	--	system_u:object_r:ld_so_cache_t
/etc/yp\.conf.*		--	system_u:object_r:net_conf_t
/etc/resolv\.conf.*	--	system_u:object_r:net_conf_t

/etc/selinux(/.*)?		system_u:object_r:selinux_config_t
/etc/security/selinux(/.*)?	system_u:object_r:policy_config_t	
/etc/security/selinux/src(/.*)?	system_u:object_r:policy_src_t
/etc/security/default_contexts.*	system_u:object_r:default_context_t
/etc/services		--	system_u:object_r:etc_t

/etc/selinux/[^/]*/policy(/.*)?	system_u:object_r:policy_config_t
/etc/selinux/[^/]*/src(/.*)?	system_u:object_r:policy_src_t
/etc/selinux/[^/]*/contexts(/.*)?	system_u:object_r:default_context_t
/etc/selinux/[^/]*/contexts/files(/.*)? system_u:object_r:file_context_t


#
# /lib(64)?
#
/lib(64)?(/.*)?			system_u:object_r:lib_t
/lib(64)?/ld[^/]*\.so(\.[^/]*)*		--	system_u:object_r:ld_so_t
/lib(64)?/tls/ld[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t
/lib(64)?/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
/lib(64)?/[^/]*/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
/lib(64)?/security/[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
/lib(64)?/tls/i686/cmov/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t
/lib(64)?/tls/i.86/[^/]*\.so(\.[^/]*)* --	system_u:object_r:shlib_t


#
# /sbin
#
/sbin(/.*)?			system_u:object_r:sbin_t

#
# /tmp
#
/tmp			-d	system_u:object_r:tmp_t
/tmp/.*				<<none>>

#
# /usr
#
/usr(/.*)?			system_u:object_r:usr_t
/usr/etc(/.*)?			system_u:object_r:etc_t
/usr/libexec(/.*)?		system_u:object_r:bin_t
/usr/src(/.*)?			system_u:object_r:src_t
/usr/tmp(/.*)?			system_u:object_r:tmp_t
/usr/man(/.*)?			system_u:object_r:man_t
/usr/share/man(/.*)?		system_u:object_r:man_t
/usr/share/mc/extfs/.*	--	system_u:object_r:bin_t
/usr/share/texmf/teTeX/bin(/.*)?	system_u:object_r:bin_t


#
# /usr/bin
#
/usr/bin(/.*)?			system_u:object_r:bin_t

#
# /usr/lib(64)?
#
/usr/lib(64)?(/.*)?			system_u:object_r:lib_t
/usr/lib(64)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
/usr/lib(64)?/perl5/man(/.*)?	system_u:object_r:man_t
/usr/lib(64)?/selinux(/.*)?		system_u:object_r:policy_src_t
/usr/lib(64)?/emacsen-common/.*	system_u:object_r:bin_t
/usr/lib(64)?/.*/bin(/.*)?		system_u:object_r:bin_t
/usr/share/guile/g-wrapped/.*\.so -- system_u:object_r:shlib_t

#
# /usr/.*glibc.*-linux/lib(64)?
#
/usr/.*glibc.*-linux/lib(64)?(/.*)?	system_u:object_r:lib_t
/usr/.*glibc.*-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t
/usr/.*glibc.*-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t

#
# /usr/.*redhat-linux/lib(64)?
#

/usr/.*redhat-linux/lib(64)?(/.*)?	system_u:object_r:lib_t
/usr/.*redhat-linux/lib(64)?/ld[^/]*\.so(\.[^/]*)*	--	system_u:object_r:ld_so_t
/usr/.*redhat-linux/lib(64)?/lib[^/]*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t


#
# /usr/.*linux-libc.*/lib(64)?
#
/usr/.*linux-libc.*/lib(64)?(/.*)? system_u:object_r:lib_t
/usr/.*linux-libc.*/lib(64)?/ld[^/]*\.so(\.[^/]*)*	-- system_u:object_r:ld_so_t
/usr/.*linux-libc.*/lib(64)?/lib[^/]*\.so(\.[^/]*)*	-- system_u:object_r:shlib_t

#
# /usr/.*-.*-linux-gnu
#


#
# /usr/local
#
/usr/local/etc(/.*)?		system_u:object_r:etc_t
/usr/local/src(/.*)?		system_u:object_r:src_t
/usr/local/sbin(/.*)?		system_u:object_r:sbin_t
/usr/local/man(/.*)?		system_u:object_r:man_t

#
# /usr/local/bin
#
/usr/local/bin(/.*)?		system_u:object_r:bin_t
/usr/local/Acrobat.*/bin/ 	system_u:object_r:bin_t
#
# /usr/local/lib(64)?
#
/usr/local/lib(64)?(/.*)?		system_u:object_r:lib_t
/usr/local/lib(64)?(/.*)+\.so(\.[^/]*)*	--	system_u:object_r:shlib_t

#
# /usr/sbin
#
/usr/sbin(/.*)?			system_u:object_r:sbin_t

#
# /usr/X11R6/(.*/)?bin
#
/usr/X11R6/(.*/)?bin(/.*)?	system_u:object_r:bin_t

#
# /usr/X11R6/(.*/)?lib(64)?
#
/usr/X11R6/(.*/)?lib(64)?(/.*)?		system_u:object_r:lib_t
/usr/X11R6/(.*/)?lib(64)?(/.*)+\.so(\.[^/]*)* --	system_u:object_r:shlib_t

#
# /usr/X11R6/man
#
/usr/X11R6/man(/.*)?		system_u:object_r:man_t

#
# /usr/kerberos
#
/usr/kerberos/bin(/.*)?		system_u:object_r:bin_t
/usr/kerberos/sbin(/.*)?	system_u:object_r:sbin_t
/usr/kerberos/lib(64)?(/.*)?		system_u:object_r:lib_t
/usr/kerberos/lib(64)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t

#
# Fonts dir
#
/usr/X11R6/lib/X11/fonts(/.*)?		system_u:object_r:fonts_t

/usr/share/fonts(/.*)?			system_u:object_r:fonts_t
/usr/local/share/fonts(/.*)?		system_u:object_r:fonts_t

#
# /var/run
#
/var/run(/.*)?			system_u:object_r:var_run_t
/var/run/.*\.*pid		<<none>>

#
# /var/spool
#
/var/spool(/.*)?		system_u:object_r:var_spool_t
/var/spool/texmf(/.*)?		system_u:object_r:tetex_data_t

# 
# /var/log
#
/var/log(/.*)?			system_u:object_r:var_log_t
/var/log/wtmp.*		--	system_u:object_r:wtmp_t
/var/log/btmp.*		--	system_u:object_r:faillog_t
/var/log/faillog	--	system_u:object_r:faillog_t
/var/log/ksyms.*	--	system_u:object_r:var_log_ksyms_t
/var/log/dmesg		--	system_u:object_r:var_log_t
/var/log/lastlog	--	system_u:object_r:lastlog_t
/var/log/ksymoops(/.*)?		system_u:object_r:var_log_ksyms_t
/var/log/syslog		--	system_u:object_r:var_log_t

#
# Journal files
#
/\.journal			<<none>>
/usr/\.journal			<<none>>
/boot/\.journal			<<none>>
/home/\.journal		<<none>>
/var/\.journal			<<none>>
/tmp/\.journal			<<none>>
/usr/local/\.journal		<<none>>

#
# Lost and found directories.
#
/lost\+found(/.*)?		system_u:object_r:lost_found_t
/usr/lost\+found(/.*)?		system_u:object_r:lost_found_t
/boot/lost\+found(/.*)?		system_u:object_r:lost_found_t
/home/lost\+found(/.*)?	system_u:object_r:lost_found_t
/var/lost\+found(/.*)?		system_u:object_r:lost_found_t
/tmp/lost\+found(/.*)?		system_u:object_r:lost_found_t
/usr/local/lost\+found(/.*)?	system_u:object_r:lost_found_t

#
# system localization
#
/usr/share/zoneinfo(/.*)?	system_u:object_r:locale_t
/usr/share/locale(/.*)?		system_u:object_r:locale_t
/usr/lib/locale(/.*)?		system_u:object_r:locale_t
/etc/localtime		--	system_u:object_r:locale_t
/etc/localtime		-l	system_u:object_r:etc_t

#
# Gnu Cash
#
/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t
/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t

#
# initrd mount point, only used during boot
#
/initrd			-d	system_u:object_r:root_t

#
# The Sun Java development kit, RPM install
#
/usr/java/(.*/)?bin(/.*)?		system_u:object_r:bin_t
/usr/java/(.*/)?jre/lib(64)?/i386(/.*)?	system_u:object_r:lib_t
/usr/java/(.*/)?plugin/i386(/.*)?/lib[^/]*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
/usr/java/(.*/)?lib(64)?(/.*)+\.so(\.[^/]*)* --	system_u:object_r:shlib_t

#
#  The krb5.conf file is always being tested for writability, so
#  we defined a type to dontaudit
#
/etc/krb5\.conf		--	system_u:object_r:krb5_conf_t

/usr/share/system-config-network(/netconfig)?/[^/]+.py -- system_u:object_r:bin_t
/etc/sysconfig/networking/profiles/.*/resolv.conf -- system_u:object_r:net_conf_t
/etc/sysconfig/network-scripts/.*resolv.conf -- system_u:object_r:net_conf_t
/usr/share/rhn/rhn_applet/applet.py -- system_u:object_r:bin_t
/usr/share/rhn/rhn_applet/eggtrayiconmodule.so -- system_u:object_r:shlib_t
/usr/share/rhn/rhn_applet/needed-packages.py	--	system_u:object_r:bin_t
/usr/share/authconfig/authconfig-gtk.py -- system_u:object_r:bin_t
/usr/share/hwbrowser/hwbrowser -- system_u:object_r:bin_t
/usr/share/system-config-httpd/system-config-httpd -- system_u:object_r:bin_t
/usr/share/system-config-services/system-config-services -- system_u:object_r:bin_t
/usr/share/system-logviewer/system-logviewer.py -- system_u:object_r:bin_t
/usr/share/system-config-date/system-config-date.py -- system_u:object_r:bin_t
/usr/share/system-config-display/system-config-display -- system_u:object_r:bin_t
/usr/share/system-config-keyboard/system-config-keyboard -- system_u:object_r:bin_t
/usr/share/system-config-language/system-config-language -- system_u:object_r:bin_t
/usr/share/system-config-mouse/system-config-mouse -- system_u:object_r:bin_t
/usr/share/system-config-netboot/system-config-netboot.py -- system_u:object_r:bin_t
/usr/share/system-config-netboot/pxeos.py -- system_u:object_r:bin_t
/usr/share/system-config-netboot/pxeboot.py -- system_u:object_r:bin_t
/usr/share/system-config-nfs/system-config-nfs.py -- system_u:object_r:bin_t
/usr/share/system-config-rootpassword/system-config-rootpassword -- system_u:object_r:bin_t
/usr/share/system-config-samba/system-config-samba.py -- system_u:object_r:bin_t
/usr/share/system-config-securitylevel/system-config-securitylevel.py -- system_u:object_r:bin_t
/usr/share/system-config-services/serviceconf.py -- system_u:object_r:bin_t
/usr/share/system-config-soundcard/system-config-soundcard -- system_u:object_r:bin_t
/usr/share/system-config-users/system-config-users -- system_u:object_r:bin_t
/usr/share/switchdesk/switchdesk-gui.py	--	system_u:object_r:bin_t
/usr/share/system-config-network/neat-control.py	--	system_u:object_r:bin_t
/usr/share/system-config-nfs/nfs-export.py	--	system_u:object_r:bin_t
/usr/share/pydict/pydict.py	--	system_u:object_r:bin_t
/usr/share/cvs/contrib/rcs2log	--	system_u:object_r:bin_t


# apache
/home/[^/]+/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t
/var/www(/.*)?			system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t
/usr/lib/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t
/var/www/perl(/.*)?		system_u:object_r:httpd_sys_script_exec_t
/var/www/icons(/.*)?		system_u:object_r:httpd_sys_content_t
/var/cache/httpd(/.*)?		system_u:object_r:httpd_cache_t
/etc/httpd		-d	system_u:object_r:httpd_config_t
/etc/httpd/conf.*		system_u:object_r:httpd_config_t
/etc/httpd/logs			system_u:object_r:httpd_log_t
/etc/httpd/modules		system_u:object_r:httpd_modules_t
/etc/apache(2)?(/.*)?		system_u:object_r:httpd_config_t
/etc/vhosts		--	system_u:object_r:httpd_config_t
/usr/lib(64)?/apache(/.*)?		system_u:object_r:httpd_modules_t
/usr/lib(64)?/apache2/modules(/.*)?	system_u:object_r:httpd_modules_t
/usr/lib(64)?/httpd(/.*)?		system_u:object_r:httpd_modules_t
/usr/sbin/httpd		--	system_u:object_r:httpd_exec_t
/usr/sbin/apache(2)?	--	system_u:object_r:httpd_exec_t
/usr/sbin/suexec	--	system_u:object_r:httpd_suexec_exec_t
/usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t
/usr/lib(64)?/apache(2)?/suexec(2)? -- system_u:object_r:httpd_suexec_exec_t
/var/log/httpd(/.*)?		system_u:object_r:httpd_log_t
/var/log/apache(2)?(/.*)?	system_u:object_r:httpd_log_t
/var/log/cgiwrap.log.*	--	system_u:object_r:httpd_log_t
/var/cache/ssl.*\.sem	--	system_u:object_r:httpd_cache_t
/var/cache/mod_ssl(/.*)?	system_u:object_r:httpd_cache_t
/var/run/apache(2)?.pid.* --	system_u:object_r:httpd_var_run_t
/var/lib/httpd(/.*)?		system_u:object_r:httpd_var_lib_t
/etc/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_config_t
/usr/lib/apache-ssl(/.*)? --	system_u:object_r:httpd_exec_t
/usr/sbin/apache-ssl(2)? --	system_u:object_r:httpd_exec_t
/var/log/apache-ssl(2)?(/.*)?	system_u:object_r:httpd_log_t
/var/run/apache-ssl(2)?.pid.* -- system_u:object_r:httpd_var_run_t
/var/run/gcache_port	-s	system_u:object_r:httpd_var_run_t

# dhcpd
/etc/dhcpd.conf		--	system_u:object_r:dhcp_etc_t
/etc/dhcp3(/.*)?		system_u:object_r:dhcp_etc_t
/usr/sbin/dhcpd.*	--	system_u:object_r:dhcpd_exec_t
/var/lib/dhcp(3)?/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
/var/run/dhcpd\.pid	-d	system_u:object_r:dhcpd_var_run_t

/var/lib/dhcp(3)?	-d	system_u:object_r:dhcp_state_t


# hotplug
/etc/hotplug(/.*)?		system_u:object_r:hotplug_etc_t
/sbin/hotplug		--	system_u:object_r:hotplug_exec_t
/etc/hotplug.d/default/default.* system_u:object_r:sbin_t
/etc/hotplug/.*agent	--	system_u:object_r:sbin_t
/etc/hotplug/.*rc	-- 	system_u:object_r:sbin_t
/etc/hotplug/hotplug.functions --	system_u:object_r:sbin_t
/var/run/usb(/.*)?		system_u:object_r:hotplug_var_run_t
# init rc scripts
/etc/X11/prefdm		--	system_u:object_r:initrc_exec_t
/etc/rc\.d/rc		--	system_u:object_r:initrc_exec_t
/etc/rc\.d/rc\.sysinit	--	system_u:object_r:initrc_exec_t
/etc/rc\.d/rc\.local	--	system_u:object_r:initrc_exec_t
/etc/rc\.d/init\.d/.*	--	system_u:object_r:initrc_exec_t
/etc/rc\.d/init\.d/functions -- system_u:object_r:etc_t
/etc/init\.d/.*		--	system_u:object_r:initrc_exec_t
/etc/init\.d/functions	--	system_u:object_r:etc_t
/var/run/utmp		--	system_u:object_r:initrc_var_run_t
/var/run/runlevel\.dir		system_u:object_r:initrc_var_run_t
/var/run/random-seed	--	system_u:object_r:initrc_var_run_t
/var/run/setmixer_flag	--	system_u:object_r:initrc_var_run_t



# run_init
/usr/sbin/run_init	--	system_u:object_r:run_init_exec_t

/etc/nologin.*		--	system_u:object_r:etc_runtime_t
/etc/nohotplug		--	system_u:object_r:etc_runtime_t

/halt			--	system_u:object_r:etc_runtime_t
/\.autofsck		--	system_u:object_r:etc_runtime_t

# init
/dev/initctl		-p	system_u:object_r:initctl_t
/sbin/init		--	system_u:object_r:init_exec_t
# mailman list server
/var/lib/mailman(/.*)?		   system_u:object_r:mailman_data_t
/var/log/mailman(/.*)?		   system_u:object_r:mailman_log_t
/usr/lib/mailman/cron/.*	-- system_u:object_r:mailman_queue_exec_t
/usr/lib/mailman/bin/mailmanctl -- system_u:object_r:mailman_mail_exec_t
/var/run/mailman(/.*)?		   system_u:object_r:mailman_lock_t
/var/lib/mailman/archives(/.*)?	system_u:object_r:mailman_archive_t

/usr/lib/mailman/cgi-bin/.*	 -- system_u:object_r:mailman_cgi_exec_t
/var/lock/mailman(/.*)?		    system_u:object_r:mailman_lock_t
/usr/lib/mailman/scripts/mailman -- system_u:object_r:mailman_mail_exec_t
/usr/lib/mailman/bin/qrunner  	 -- system_u:object_r:mailman_queue_exec_t
/etc/mailman(/.*)?		   system_u:object_r:mailman_data_t
/var/spool/mailman(/.*)?	   system_u:object_r:mailman_data_t

# module utilities
/etc/modules\.conf.*	--	system_u:object_r:modules_conf_t
/etc/modprobe\.conf.*	--	system_u:object_r:modules_conf_t
/lib(64)?/modules/modprobe.conf --	system_u:object_r:modules_conf_t
/lib(64)?/modules(/.*)?		system_u:object_r:modules_object_t
/lib(64)?/modules/[^/]+/modules\..+ -- system_u:object_r:modules_dep_t
/lib(64)?/modules/modprobe\.conf.* -- system_u:object_r:modules_conf_t
/sbin/depmod.*		--	system_u:object_r:depmod_exec_t
/sbin/modprobe.*	--	system_u:object_r:insmod_exec_t
/sbin/insmod.*		--	system_u:object_r:insmod_exec_t
/sbin/insmod_ksymoops_clean --	system_u:object_r:sbin_t
/sbin/rmmod.*		--	system_u:object_r:insmod_exec_t
/sbin/update-modules	--	system_u:object_r:update_modules_exec_t
/sbin/generate-modprobe.conf -- system_u:object_r:update_modules_exec_t
# mysql database server
/usr/sbin/mysqld	--	system_u:object_r:mysqld_exec_t
/usr/libexec/mysqld	--	system_u:object_r:mysqld_exec_t
/var/run/mysqld(/.*)?		system_u:object_r:mysqld_var_run_t
/var/log/mysql.*	--	system_u:object_r:mysqld_log_t
/var/lib/mysql(/.*)?		system_u:object_r:mysqld_db_t
/var/lib/mysql/mysql.sock -s	system_u:object_r:mysqld_var_run_t
/etc/my\.cnf		--	system_u:object_r:mysqld_etc_t
/etc/mysql(/.*)?		system_u:object_r:mysqld_etc_t

# named

/var/named(/.*)?		system_u:object_r:named_zone_t
/var/named/slaves(/.*)?		system_u:object_r:named_cache_t
/var/named/data(/.*)?		system_u:object_r:named_cache_t
/etc/named\.conf	--	system_u:object_r:named_conf_t
/etc/rndc.*		--	system_u:object_r:named_conf_t
/usr/sbin/named      	--	system_u:object_r:named_exec_t
/usr/sbin/r?ndc		--	system_u:object_r:ndc_exec_t
/var/run/ndc		-s	system_u:object_r:named_var_run_t
/var/run/bind(/.*)?		system_u:object_r:named_var_run_t
/var/run/named(/.*)?		system_u:object_r:named_var_run_t
/usr/sbin/lwresd	--	system_u:object_r:named_exec_t

/var/named/named\.ca	--	system_u:object_r:named_conf_t
/var/named/chroot(/.*)?		system_u:object_r:named_conf_t
/var/named/chroot/dev/null   -c	system_u:object_r:null_device_t
/var/named/chroot/dev/random -c	system_u:object_r:random_device_t
/var/named/chroot/dev/zero -c	system_u:object_r:zero_device_t
/var/named/chroot/etc/named\.conf -- system_u:object_r:named_conf_t
/var/named/chroot/etc/rndc.* -- system_u:object_r:named_conf_t
/var/named/chroot/var/run/named(/.*)? system_u:object_r:named_var_run_t
/var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t
/var/named/chroot/var/named(/.*)?	system_u:object_r:named_zone_t
/var/named/chroot/var/named/slaves(/.*)? system_u:object_r:named_cache_t
/var/named/chroot/var/named/data(/.*)? system_u:object_r:named_cache_t
/var/named/chroot/var/named/named\.ca	--	system_u:object_r:named_conf_t
# nscd
/usr/sbin/nscd		--	system_u:object_r:nscd_exec_t
/var/run/\.nscd_socket	-s	system_u:object_r:nscd_var_run_t
/var/run/nscd\.pid	--	system_u:object_r:nscd_var_run_t
/var/db/nscd(/.*)?		system_u:object_r:nscd_var_run_t
/var/run/nscd(/.*)?		system_u:object_r:nscd_var_run_t
/var/lib/ntp(/.*)?			system_u:object_r:ntp_drift_t
/etc/ntp/data(/.*)?			system_u:object_r:ntp_drift_t
/etc/ntp(d)?\.conf		--	system_u:object_r:net_conf_t
/etc/ntp/step-tickers		--	system_u:object_r:net_conf_t
/usr/sbin/ntpd			--	system_u:object_r:ntpd_exec_t
/usr/sbin/ntpdate		--	system_u:object_r:ntpd_exec_t
/var/log/ntpstats(/.*)?			system_u:object_r:ntpd_log_t
/var/log/ntpd.*			--	system_u:object_r:ntpd_log_t
/var/log/xntpd.*		--	system_u:object_r:ntpd_log_t
/var/run/ntpd.pid		--	system_u:object_r:ntpd_var_run_t
/etc/cron\.(daily|weekly)/ntp-simple -- system_u:object_r:ntpd_exec_t
/etc/cron\.(daily|weekly)/ntp-server -- system_u:object_r:ntpd_exec_t
# portmap
/sbin/portmap		--	system_u:object_r:portmap_exec_t
/sbin/pmap_dump		--	system_u:object_r:portmap_exec_t
# rpm
/var/lib/rpm(/.*)?		system_u:object_r:rpm_var_lib_t
/var/lib/alternatives(/.*)?	system_u:object_r:rpm_var_lib_t
/bin/rpm 		--	system_u:object_r:rpm_exec_t
/usr/bin/yum 		--	system_u:object_r:rpm_exec_t
/usr/bin/apt-get 	--	system_u:object_r:rpm_exec_t
/usr/bin/apt-shell    	-- 	system_u:object_r:rpm_exec_t
/usr/bin/synaptic   --    	system_u:object_r:rpm_exec_t 
/usr/lib(64)?/rpm/rpmd	-- 	system_u:object_r:bin_t
/usr/lib(64)?/rpm/rpmq	-- 	system_u:object_r:bin_t
/usr/lib(64)?/rpm/rpmk	-- 	system_u:object_r:bin_t
/usr/lib(64)?/rpm/rpmv	-- 	system_u:object_r:bin_t
/var/log/rpmpkgs.*	--	system_u:object_r:rpm_log_t
/var/log/yum.log	--	system_u:object_r:rpm_log_t

/usr/sbin/up2date	--	system_u:object_r:rpm_exec_t
/usr/sbin/rhn_check	--	system_u:object_r:rpm_exec_t

# SuSE

# snmpd
/usr/sbin/snmp(trap)?d	--	system_u:object_r:snmpd_exec_t
/var/lib/snmp(/.*)?		system_u:object_r:snmpd_var_lib_t
/etc/snmp/snmp(trap)?d\.conf -- system_u:object_r:snmpd_etc_t
/usr/share/snmp/mibs/\.index -- system_u:object_r:snmpd_var_lib_t
/var/run/snmpd\.pid	--	system_u:object_r:snmpd_var_run_t
/var/run/snmpd		-d	system_u:object_r:snmpd_var_run_t
/var/net-snmp(/.*)		system_u:object_r:snmpd_var_lib_t
/var/log/snmpd.log	--	system_u:object_r:snmpd_log_t
# squid
/usr/sbin/squid		--	system_u:object_r:squid_exec_t
/var/cache/squid(/.*)?		system_u:object_r:squid_cache_t
/var/spool/squid(/.*)?		system_u:object_r:squid_cache_t
/var/log/squid(/.*)?		system_u:object_r:squid_log_t
/etc/squid(/.*)?		system_u:object_r:squid_conf_t
/var/run/squid\.pid	--	system_u:object_r:squid_var_run_t
/usr/share/squid(/.*)?		system_u:object_r:squid_conf_t
# syslogd
/sbin/syslogd		--	system_u:object_r:syslogd_exec_t
/sbin/minilogd		--	system_u:object_r:syslogd_exec_t
/usr/sbin/syslogd	--	system_u:object_r:syslogd_exec_t
/sbin/syslog-ng		--	system_u:object_r:syslogd_exec_t
/dev/log		-s	system_u:object_r:devlog_t
/var/run/log		-s	system_u:object_r:devlog_t
/var/run/syslogd\.pid	--	system_u:object_r:syslogd_var_run_t
# udev
/sbin/udevsend	--	system_u:object_r:udev_exec_t
/sbin/udev	--	system_u:object_r:udev_exec_t
/sbin/udevd	--	system_u:object_r:udev_exec_t
/sbin/start_udev --	system_u:object_r:udev_exec_t
/usr/bin/udevinfo --	system_u:object_r:udev_exec_t
/etc/dev\.d/.+	--	system_u:object_r:udev_helper_exec_t
/etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t
/etc/hotplug.d/default/udev.* -- system_u:object_r:udev_helper_exec_t
/dev/udev\.tbl	--	system_u:object_r:udev_tbl_t
/dev/\.udev\.tdb --	system_u:object_r:udev_tbl_t
# ypbind
/sbin/ypbind		--	system_u:object_r:ypbind_exec_t

#
# User-specific file contexts
#

/root		-d	root:object_r:user_home_dir_t
/root/.+			root:object_r:user_home_t
/root/((www)|(web)|(public_html))(/.+)? root:object_r:httpd_user_content_t
/root/.default_contexts	-- 	system_u:object_r:default_context_t
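The matching rules stated in the header of the attached file_contexts (anchored regexp, optional ls-style type field, last matching specification wins, <<none>> left alone), as an added example in Python that is not part of the original thread or of the SELinux tools: a small matcher over a constructed subset of the entries above, plus a relabel plan that shows why a non-recursive restorecon on a tmpfs-mounted /tmp changes only the mount point. The function names (parse_file_contexts, lookup, relabel_plan) and the tmpfs_t labels in the sample tree are assumptions.

```python
import re
from collections import namedtuple
from typing import List, Optional, Tuple

# One parsed file_contexts specification:
#   regexp [ -type ] ( context | <<none>> )
Spec = namedtuple("Spec", ["regex", "ftype", "context", "pattern"])

# The optional type field maps to the mode letter shown by ls.
TYPE_FLAGS = {"--": "-", "-d": "d", "-c": "c", "-b": "b",
              "-s": "s", "-l": "l", "-p": "p"}

# Constructed subset of the attached file, kept in the same relative order,
# because the last matching specification is the one that wins.
SAMPLE_FILE_CONTEXTS = r"""
# The security context for all files not otherwise specified.
/.*				system_u:object_r:default_t
/			-d	system_u:object_r:root_t
/var(/.*)?			system_u:object_r:var_t
/var/tmp		-d	system_u:object_r:tmp_t
/var/tmp/.*			<<none>>
/u?dev(/.*)?			system_u:object_r:device_t
/u?dev/null		-c	system_u:object_r:null_device_t
/etc(/.*)?			system_u:object_r:etc_t
/etc/shadow.*		--	system_u:object_r:shadow_t
/etc/localtime		--	system_u:object_r:locale_t
/etc/localtime		-l	system_u:object_r:etc_t
/tmp			-d	system_u:object_r:tmp_t
/tmp/.*				<<none>>
"""


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse file_contexts text into Specs, skipping blank and comment lines."""
    specs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3 and fields[1] in TYPE_FLAGS:
            regex, ftype, context = fields[0], TYPE_FLAGS[fields[1]], fields[2]
        else:
            raise ValueError(f"line {lineno}: malformed specification: {line!r}")
        # The regexp is anchored at both ends; re.fullmatch does exactly that,
        # and a leading/trailing .* in the file overrides it as the header says.
        specs.append(Spec(regex, ftype, context, re.compile(regex)))
    return specs


def lookup(specs: List[Spec], path: str, ftype: str) -> Optional[Tuple[str, str]]:
    """Return (context, regex) of the last spec matching path and file type.

    ftype is the ls mode letter ('-', 'd', 'c', ...). A spec without a type
    field matches any file type. Returns None when nothing matches at all.
    """
    winner = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.pattern.fullmatch(path):
            winner = (spec.context, spec.regex)
    return winner


def relabel_plan(specs: List[Spec],
                 tree: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Mimic what setfiles/restorecon would change for a list of
    (path, ftype, current_context): entries whose winning spec is <<none>>
    or whose label is already correct are skipped."""
    changes = []
    for path, ftype, current in tree:
        hit = lookup(specs, path, ftype)
        if hit is None or hit[0] == "<<none>>":
            continue
        if hit[0] != current:
            changes.append((path, hit[0]))
    return changes


SPECS = parse_file_contexts(SAMPLE_FILE_CONTEXTS)

# Constructed picture of /tmp right after being mounted as tmpfs: the mount
# point and its contents all carry tmpfs_t until something relabels them.
TMPFS_TREE = [("/tmp", "d", "system_u:object_r:tmpfs_t"),
              ("/tmp/.X11-unix", "d", "system_u:object_r:tmpfs_t"),
              ("/tmp/foo", "-", "system_u:object_r:tmpfs_t")]

if __name__ == "__main__":
    for p, t in [("/tmp", "d"), ("/tmp/.X11-unix", "d"), ("/dev/null", "c"),
                 ("/dev/null", "-"), ("/etc/localtime", "l")]:
        print(p, t, lookup(SPECS, p, t))
    # Only the mount point changes: /tmp/.* is <<none>>, so contents are untouched.
    print(relabel_plan(SPECS, TMPFS_TREE))
```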
