Chapter 3. Targeted Policy Overview
|   procfs.te
|   security.te
`   x.te
`   users
3.3. Understanding the File Contexts Files
The files in $SELINUX_SRC/file_contexts/ declare the security contexts that are applied to files when the policy is installed. You can read more about what a file context is in Section 2.4 File System Security Contexts.
The file context descriptions use regular expression pattern matching (regexp) to match a file, set of files, directory, or directory and associated files. A specific SELinux label is then applied to that match:

    # Syntax of file context description
    regexp    -type    ( file_label | <<none>> )
The regexp is anchored on both ends, meaning the expression search only considers matches that start with the first character and end with the last character. This means that it ignores an expression that appears in the middle of a sentence, the way /var/run appears in this sentence, and only declares a match if the pattern is on a line by itself:

    /var/run

This is the way a directory is displayed by the output of ls, and is how setfiles sees files and directories when it traverses the directory tree. In regexp notation, this kind of match is denoted by prepending a ^ (caret) symbol and appending a $ (dollar sign or ding) to the expression. This is done automatically by SELinux, and can be overridden using the match anything pattern .* on either or both sides of the regexp pattern.
The field -type is optional and can be left blank. When it is filled, it is similar to the mode field of the ls command. For example, -d means to match only directories, and -- means to match only files.
The value field is the last field on the right, and is set to either a single security label such as system_u:object_r:home_root_t or to <<none>>. The <<none>> value tells the relabeling application not to relabel the matching file. In the case where there is more than one match, the last matching value is used. Hard linked files that have different contexts generate a labeling error, and the file is labeled based on the last matching specification other than <<none>>.
There are files listed in types.fc that are not persistent, but get created each time during boot. Those files gain their labels through type transition rules, but they are listed here to prevent their label being overwritten by a relabeling operation during runtime. One example of this is /var/run/utmp.
Here are some examples from $SELINUX_SRC/file_contexts/types.fc, the main file describing file contexts:

    /bin(/.*)?              system_u:object_r:bin_t
    /bin/bash           --  system_u:object_r:shell_exec_t
    /u?dev(/.*)?            system_u:object_r:device_t
    /u?dev/pts(/.*)?        <<none>>
    ifdef(`distro_redhat', `
    /dev/root           -b  system_u:object_r:fixed_disk_device_t
    ')
    /proc(/.*)?             <<none>>
    /sys(/.*)?              <<none>>
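As an added example (not part of this guide or of the SELinux sources), the following Python model shows how a relabeling application resolves a path against entries written in this syntax: both ends of the regexp anchored, the optional -type field checked against the file type, the last matching entry winning, and <<none>> meaning the file is left alone. The entries and paths are constructed for the example; real .fc files are also preprocessed by m4, which this parser does not do.

```python
import re
import stat

# Constructed sample in file_contexts syntax (types.fc format, not copied from
# any policy source); m4 ifdef() blocks are not handled by this toy parser.
SAMPLE_FILE_CONTEXTS = """\
# comments and blank lines are ignored
/bin(/.*)?              system_u:object_r:bin_t
/bin/bash           --  system_u:object_r:shell_exec_t
/u?dev(/.*)?            system_u:object_r:device_t
/u?dev/pts(/.*)?        <<none>>
/dev/root           -b  system_u:object_r:fixed_disk_device_t
/var/run(/.*)?      -d  system_u:object_r:var_run_t
"""
# -type field -> st_mode test; KINDS: one-letter file kinds for label_for().
TYPE_TESTS = {"--": stat.S_ISREG, "-d": stat.S_ISDIR, "-b": stat.S_ISBLK,
              "-c": stat.S_ISCHR, "-l": stat.S_ISLNK, "-s": stat.S_ISSOCK}
KINDS = {"f": stat.S_IFREG, "d": stat.S_IFDIR, "b": stat.S_IFBLK,
         "c": stat.S_IFCHR, "l": stat.S_IFLNK, "s": stat.S_IFSOCK}

def parse_file_contexts(text):
    """Return a list of (compiled_regexp, type_test_or_None, label)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:     # regexp -type label
            regexp, type_test, label = fields[0], TYPE_TESTS[fields[1]], fields[2]
        elif len(fields) == 2:   # regexp label (type field left blank)
            regexp, type_test, label = fields[0], None, fields[1]
        else:
            raise ValueError("malformed entry: %r" % line)
        # Anchor both ends, as setfiles does: /var/run must be the whole path.
        entries.append((re.compile("^" + regexp + "$"), type_test, label))
    return entries

def lookup(entries, path, mode):
    """Label for path, or None if no entry matches.  Later entries override
    earlier ones (last match wins); '<<none>>' means leave the file alone."""
    result = None
    for compiled, type_test, label in entries:
        if type_test is not None and not type_test(mode):
            continue             # entry restricted to another file type
        if compiled.match(path):
            result = label
    return result
SAMPLE_ENTRIES = parse_file_contexts(SAMPLE_FILE_CONTEXTS)
def label_for(path, kind="f"):
    """Look path up in the constructed sample; kind is one of f d b c l s."""
    return lookup(SAMPLE_ENTRIES, path, KINDS[kind])
```

For instance, /bin/bash as a regular file resolves to shell_exec_t, but a directory of the same name falls back to the earlier bin_t entry, and /var/runner matches nothing because the pattern is anchored.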