Skip to content
Snippets Groups Projects
Normal view Permalink
genfs_contexts 1.71 KiB
Newer Older
  • Learn to ignore specific revisions
    • William Roberts's avatar
    Support for ocontexts per device.
    William Roberts committed
    1 2 3 4 
    # Label inodes with the fs label.
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
    Robert Craig's avatar
    Make /proc/net a proc_net type.  
    Robert Craig committed
    5 
    genfscon proc /net u:object_r:proc_net:s0
    hqjiang's avatar
    Target the denials/policies over qtaguid file and device: 1. Relabel...  
    hqjiang committed
    6 
    genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
    Stephen Smalley's avatar
    Address system_server denials.  
    Stephen Smalley committed
    7 
    genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
    Stephen Smalley's avatar
    Restrict the ability to set usermodehelpers and proc security settings.  
    Stephen Smalley committed
    8 9 10 11 12 13 14 15 16 17 18 19 
    genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
    Robert Craig's avatar
    Create proc_net type for /proc/sys/net entries.  
    Robert Craig committed
    20 
    genfscon proc /sys/net u:object_r:proc_net:s0
    Stephen Smalley's avatar
    Restrict mapping low memory.  
    Stephen Smalley committed
    21 
    genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
    William Roberts's avatar
    Support for ocontexts per device.
    William Roberts committed
    22 23 24 25 26 27 
    # selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
genfscon inotifyfs / u:object_r:inotify:s0
    Ed Heyl's avatar
    reconcile aosp (4da3bb1481e4e894a7dee3f3b9ec8cef6f6b1aed) after branching. Please do not merge.  
    Ed Heyl committed
    28 
    genfscon vfat / u:object_r:vfat:s0
    William Roberts's avatar
    Support for ocontexts per device.
    William Roberts committed
    29 
    genfscon debugfs / u:object_r:debugfs:s0
    Ed Heyl's avatar
    reconcile aosp (4da3bb1481e4e894a7dee3f3b9ec8cef6f6b1aed) after branching. Please do not merge.  
    Ed Heyl committed
    30 
    genfscon fuse / u:object_r:fuse:s0
    jaejyn.shin's avatar
    pstore file system labeling  
    jaejyn.shin committed
    31 
    genfscon pstore / u:object_r:pstorefs:s0
    Nick Kralevich's avatar
    Label /dev/usb-ffs/adb functionfs  
    Nick Kralevich committed
    32 
    genfscon functionfs / u:object_r:functionfs:s0
    Nick Kralevich's avatar
    label usbfs  
    Nick Kralevich committed
    33 
    genfscon usbfs / u:object_r:usbfs:s0