secilc/docs/cil_file_labeling_statements.xml - platform/external/selinux - Git at Google

 <!-- Common Interface Language (CIL) Reference Guide -->
            <!-- file_labeling_statements.xml -->

    <sect1>
       <title>File Labeling Statements</title>
       <sect2 id="filecon">
          <title>filecon</title>
          <para>Define entries for labeling files. The compiler will produce these entries in a file called <emphasis role="bold"><literal>file_contexts</literal></emphasis><literal>(5)</literal> by default in the <literal>cwd</literal>. The compiler option <literal>[-f|--filecontext &lt;filename>]</literal> may be used to specify a different path or file name.</para>
          <para><emphasis role="bold">Statement definition:</emphasis></para>
          <programlisting><![CDATA[(filecon "path" file_type context_id)]]></programlisting>
          <para><emphasis role="bold">Where:</emphasis></para>
          <informaltable frame="all">
             <tgroup cols="2">
             <colspec colwidth="2 *"/>
             <colspec colwidth="6 *"/>
                <tbody>
                <row>
                   <entry>
                      <para><literal>filecon</literal></para>
                   </entry>
                   <entry>
                      <para>The <literal>filecon</literal> keyword.</para>
                   </entry>
                </row>
                <row>
                   <entry>
                      <para><literal>path</literal></para>
                   </entry>
                   <entry>
                      <para>A string representing the file path that may be in the form of a regular expression. The string must be enclosed within double quotes (e.g. <literal>"/this/is/a/path(/.*)?"</literal>)</para>
                   </entry>
                </row>
                <row>
                   <entry>
                      <para><literal>file_type</literal></para>
                   </entry>
                   <entry>
                      <para>A single keyword representing a file type in the <literal>file_contexts</literal> file as follows:</para>
                      <para>
                         <informaltable frame="all">
                            <tgroup cols="2">
                            <colspec colwidth="1 in"/>
                            <colspec colwidth="1.25 in"/>
                               <tbody>
                               <row>
                                  <entry>
                                     <para><emphasis role="bold">keyword</emphasis></para>
                                  </entry>
                                  <entry>
                                     <para><emphasis role="bold">file_contexts entry</emphasis></para>
                                  </entry>
                               </row>
                               <row>
                                  <entry>
                                     <para><literal>file</literal></para>
                                  </entry>
                                  <entry>
                                     <para><literal>--</literal></para>
                                  </entry>
                               </row>
                               <row>
                                  <entry>
                                     <para><literal>dir</literal></para>
                                  </entry>
                                  <entry>
                                     <para><literal>-d</literal></para>
                                  </entry>
                               </row>
                               <row>
                                  <entry>
                                     <para><literal>char</literal></para>
                                  </entry>
                                  <entry>
                                     <para><literal>-c</literal></para>
                                  </entry>
                               </row>
                               <row>
                                  <entry>
                                     <para><literal>block</literal></para>
                                  </entry>
                                  <entry>
                                     <para><literal>-b</literal></para>
                                  </entry>
                               </row>
                               <row>
                                  <entry>
                                     <para><literal>socket</literal></para>
                                  </entry>
                                  <entry>
                                     <para><literal>-s</literal></para>
                                  </entry>
                               </row>
                               <row>
                                  <entry>
                                     <para><literal>pipe</literal></para>
                                  </entry>
                                  <entry>
                                     <para><literal>-p</literal></para>
                                  </entry>
                               </row>
                               <row>
                                  <entry>
                                     <para><literal>symlink</literal></para>
                                  </entry>
                                  <entry>
                                     <para><literal>-l</literal></para>
                                  </entry>
                               </row>
                               <row>
                                  <entry>
                                     <para><literal>any</literal></para>
                                  </entry>
                                  <entry>
                                     <para>no entry</para>
                                  </entry>
                               </row>
                            </tbody></tgroup>
                         </informaltable>
                      </para>
                   </entry>
                </row>
                <row>
                   <entry>
                      <para><literal>context_id</literal></para>
                   </entry>
                   <entry>
                      <para>The security context to be allocated to the file, which may be:</para>
                      <itemizedlist>
                         <listitem><para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para></listitem>
                         <listitem><para>An empty context list represented by <literal>()</literal> can be used to indicate that matching files should not be re-labeled. This will be interpreted as <literal>&lt;&lt;none>></literal> within the <emphasis role="bold"><literal>file_contexts</literal></emphasis><literal>(5)</literal> file.</para></listitem>
                      </itemizedlist>
                   </entry>
                </row>
             </tbody></tgroup>
          </informaltable>

          <para><emphasis role="bold">Examples:</emphasis></para>
          <para>These examples use one named, one anonymous and one empty context definition:</para>
             <programlisting><![CDATA[
 (context runas_exec_context (u object_r exec low_low))

 (filecon "/system/bin/run-as" file runas_exec_context)
 (filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
 (filecon "/data/local/mine" dir ())]]>
             </programlisting>
          <simpara>to resolve/build <literal>file_contexts</literal> entries of (assuming MLS enabled policy):</simpara>
             <programlisting><![CDATA[
 /system/bin/run-as  -- u:object_r:runas.exec:s0
 /dev/socket/wpa_wlan[0-9]   u:object_r:wpa.socket:s0
 /data/local/mine -d <<none>>]]>
          </programlisting>
       </sect2>

       <sect2 id="fsuse">
          <title>fsuse</title>
          <para>Label filesystems that support SELinux security contexts.</para>
          <para><emphasis role="bold">Statement definition:</emphasis></para>
          <programlisting><![CDATA[(fsuse fstype fsname context_id)]]></programlisting>
          <para><emphasis role="bold">Where:</emphasis></para>
          <informaltable frame="all">
             <tgroup cols="2">
             <colspec colwidth="2 *"/>
             <colspec colwidth="6 *"/>
                <tbody>
                <row>
                   <entry>
                      <para><literal>fsuse</literal></para>
                   </entry>
                   <entry>
                      <para>The <literal>fsuse</literal> keyword.</para>
                   </entry>
                </row>
                <row>
                   <entry>
                      <para><literal>fstype</literal></para>
                   </entry>
                   <entry>
                      <para>A single keyword representing the type of filesystem as follows:</para>
                      <itemizedlist mark="none">
                         <listitem><simpara><literal>task</literal> - For pseudo filesystems supporting task related services such as pipes and sockets.</simpara></listitem>
                         <listitem><simpara><literal>trans</literal> - For pseudo filesystems such as pseudo terminals and temporary objects.</simpara></listitem>
                         <listitem><simpara><literal>xattr</literal> - Filesystems supporting the extended attribute <literal>security.selinux</literal>. The labeling is persistent for filesystems that support extended attributes.</simpara></listitem>
                      </itemizedlist>
                   </entry>
                </row>
                <row>
                   <entry>
                      <para><literal>fsname</literal></para>
                   </entry>
                   <entry>
                      <para>Name of the supported filesystem (e.g. <literal>ext4</literal> or <literal>pipefs</literal>).</para>
                   </entry>
                </row>
                <row>
                   <entry>
                      <para><literal>context_id</literal></para>
                   </entry>
                   <entry>
                      <para>The security context to be allocated to the network interface.</para>
                      <para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
                   </entry>
                </row>
             </tbody></tgroup>
          </informaltable>

          <para><emphasis role="bold">Examples:</emphasis></para>
          <para>The <link linkend="context">context</link> identifiers are declared in the <literal>file</literal> namespace and the <literal>fsuse</literal> statements in the global namespace:</para>
          <programlisting><![CDATA[
 (block file
     (type labeledfs)
     (roletype object_r labeledfs)
     (context labeledfs_context (u object_r labeledfs low_low))

     (type pipefs)
     (roletype object_r pipefs)
     (context pipefs_context (u object_r pipefs low_low))
     ...
 )

 (fsuse xattr ex4 file.labeledfs_context)
 (fsuse xattr btrfs file.labeledfs_context)

 (fsuse task pipefs file.pipefs_context)
 (fsuse task sockfs file.sockfs_context)

 (fsuse trans devpts file.devpts_context)
 (fsuse trans tmpfs file.tmpfs_context)]]>
       </programlisting>
       </sect2>

       <sect2 id="genfscon">
          <title>genfscon</title>
          <para>Used to allocate a security context to filesystems that cannot support any of the <literal><link linkend="fsuse">fsuse</link></literal> file labeling options. Generally a filesystem would have a single default security context assigned by <literal>genfscon</literal> from the root <literal>(/)</literal> that would then be inherited by all files and directories on that filesystem. The exception to this is the <literal>/proc</literal> filesystem, where directories can be labeled with a specific security context (as shown in the examples).</para>
          <para><emphasis role="bold">Statement definition:</emphasis></para>
          <programlisting><![CDATA[(genfscon fsname path context_id)]]></programlisting>
          <para><emphasis role="bold">Where:</emphasis></para>
          <informaltable frame="all">
             <tgroup cols="2">
             <colspec colwidth="2 *"/>
             <colspec colwidth="6 *"/>
                <tbody>
                <row>
                   <entry>
                      <para><literal>genfscon</literal></para>
                   </entry>
                   <entry>
                      <para>The <literal>genfscon</literal> keyword.</para>
                   </entry>
                </row>
                <row>
                   <entry>
                      <para><literal>fsname</literal></para>
                   </entry>
                   <entry>
                      <para>Name of the supported filesystem (e.g. <literal>rootfs</literal> or <literal>proc</literal>).</para>
                   </entry>
                </row>
                <row>
                   <entry>
                      <para><literal>path</literal></para>
                   </entry>
                   <entry>
                      <para>If <literal>fsname</literal> is <literal>proc</literal>, then the partial path (see examples). For all other types this must be ‘<literal>/</literal>’.</para>
                   </entry>
                </row>
                <row>
                   <entry>
                      <para><literal>context_id</literal></para>
                   </entry>
                   <entry>
                      <para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
                   </entry>
                </row>
             </tbody></tgroup>
          </informaltable>

          <para><emphasis role="bold">Examples:</emphasis></para>
          <para>The <link linkend="context">context</link> identifiers are declared in the <literal>file</literal> namespace and the <literal>genfscon</literal> statements are then inserted using the <literal><link linkend="in">in</link></literal> container statement:</para>
          <programlisting><![CDATA[
 (file
     (type rootfs)
     (roletype object_r rootfs)
     (context rootfs_context (u object_r rootfs low_low))

     (type proc)
     (roletype object_r proc)
     (context rootfs_context (u object_r proc low_low))
     ...
 )

 (in file
     (genfscon rootfs / rootfs_context)
     ; proc labeling can be further refined (longest matching prefix).
     (genfscon proc / proc_context)
     (genfscon proc /net/xt_qtaguid/ctrl qtaguid_proc_context)
     (genfscon proc /sysrq-trigger sysrq_proc_context)
     (genfscon selinuxfs / selinuxfs_context)
 )]]>
          </programlisting>
       </sect2>

    </sect1>
	<!-- Common Interface Language (CIL) Reference Guide -->
	<!-- file_labeling_statements.xml -->

	<sect1>
	<title>File Labeling Statements</title>
	<sect2 id="filecon">
	<title>filecon</title>
	<para>Define entries for labeling files. The compiler will produce these entries in a file called <emphasis role="bold"><literal>file_contexts</literal></emphasis><literal>(5)</literal> by default in the <literal>cwd</literal>. The compiler option <literal>[-f\|--filecontext <filename>]</literal> may be used to specify a different path or file name.</para>
	<para><emphasis role="bold">Statement definition:</emphasis></para>
	<programlisting><![CDATA[(filecon "path" file_type context_id)]]></programlisting>
	<para><emphasis role="bold">Where:</emphasis></para>
	<informaltable frame="all">
	<tgroup cols="2">
	<colspec colwidth="2 *"/>
	<colspec colwidth="6 *"/>
	<tbody>
	<row>
	<entry>
	<para><literal>filecon</literal></para>
	</entry>
	<entry>
	<para>The <literal>filecon</literal> keyword.</para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>path</literal></para>
	</entry>
	<entry>
	<para>A string representing the file path that may be in the form of a regular expression. The string must be enclosed within double quotes (e.g. <literal>"/this/is/a/path(/.*)?"</literal>)</para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>file_type</literal></para>
	</entry>
	<entry>
	<para>A single keyword representing a file type in the <literal>file_contexts</literal> file as follows:</para>
	<para>
	<informaltable frame="all">
	<tgroup cols="2">
	<colspec colwidth="1 in"/>
	<colspec colwidth="1.25 in"/>
	<tbody>
	<row>
	<entry>
	<para><emphasis role="bold">keyword</emphasis></para>
	</entry>
	<entry>
	<para><emphasis role="bold">file_contexts entry</emphasis></para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>file</literal></para>
	</entry>
	<entry>
	<para><literal>--</literal></para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>dir</literal></para>
	</entry>
	<entry>
	<para><literal>-d</literal></para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>char</literal></para>
	</entry>
	<entry>
	<para><literal>-c</literal></para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>block</literal></para>
	</entry>
	<entry>
	<para><literal>-b</literal></para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>socket</literal></para>
	</entry>
	<entry>
	<para><literal>-s</literal></para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>pipe</literal></para>
	</entry>
	<entry>
	<para><literal>-p</literal></para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>symlink</literal></para>
	</entry>
	<entry>
	<para><literal>-l</literal></para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>any</literal></para>
	</entry>
	<entry>
	<para>no entry</para>
	</entry>
	</row>
	</tbody></tgroup>
	</informaltable>
	</para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>context_id</literal></para>
	</entry>
	<entry>
	<para>The security context to be allocated to the file, which may be:</para>
	<itemizedlist>
	<listitem><para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para></listitem>
	<listitem><para>An empty context list represented by <literal>()</literal> can be used to indicate that matching files should not be re-labeled. This will be interpreted as <literal><<none>></literal> within the <emphasis role="bold"><literal>file_contexts</literal></emphasis><literal>(5)</literal> file.</para></listitem>
	</itemizedlist>
	</entry>
	</row>
	</tbody></tgroup>
	</informaltable>

	<para><emphasis role="bold">Examples:</emphasis></para>
	<para>These examples use one named, one anonymous and one empty context definition:</para>
	<programlisting><![CDATA[
	(context runas_exec_context (u object_r exec low_low))

	(filecon "/system/bin/run-as" file runas_exec_context)
	(filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0)
	(filecon "/data/local/mine" dir ())]]>
	</programlisting>
	<simpara>to resolve/build <literal>file_contexts</literal> entries of (assuming MLS enabled policy):</simpara>
	<programlisting><![CDATA[
	/system/bin/run-as -- u:object_r:runas.exec:s0
	/dev/socket/wpa_wlan[0-9] u:object_r:wpa.socket:s0
	/data/local/mine -d <<none>>]]>
	</programlisting>
	</sect2>

	<sect2 id="fsuse">
	<title>fsuse</title>
	<para>Label filesystems that support SELinux security contexts.</para>
	<para><emphasis role="bold">Statement definition:</emphasis></para>
	<programlisting><![CDATA[(fsuse fstype fsname context_id)]]></programlisting>
	<para><emphasis role="bold">Where:</emphasis></para>
	<informaltable frame="all">
	<tgroup cols="2">
	<colspec colwidth="2 *"/>
	<colspec colwidth="6 *"/>
	<tbody>
	<row>
	<entry>
	<para><literal>fsuse</literal></para>
	</entry>
	<entry>
	<para>The <literal>fsuse</literal> keyword.</para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>fstype</literal></para>
	</entry>
	<entry>
	<para>A single keyword representing the type of filesystem as follows:</para>
	<itemizedlist mark="none">
	<listitem><simpara><literal>task</literal> - For pseudo filesystems supporting task related services such as pipes and sockets.</simpara></listitem>
	<listitem><simpara><literal>trans</literal> - For pseudo filesystems such as pseudo terminals and temporary objects.</simpara></listitem>
	<listitem><simpara><literal>xattr</literal> - Filesystems supporting the extended attribute <literal>security.selinux</literal>. The labeling is persistent for filesystems that support extended attributes.</simpara></listitem>
	</itemizedlist>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>fsname</literal></para>
	</entry>
	<entry>
	<para>Name of the supported filesystem (e.g. <literal>ext4</literal> or <literal>pipefs</literal>).</para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>context_id</literal></para>
	</entry>
	<entry>
	<para>The security context to be allocated to the network interface.</para>
	<para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
	</entry>
	</row>
	</tbody></tgroup>
	</informaltable>

	<para><emphasis role="bold">Examples:</emphasis></para>
	<para>The <link linkend="context">context</link> identifiers are declared in the <literal>file</literal> namespace and the <literal>fsuse</literal> statements in the global namespace:</para>
	<programlisting><![CDATA[
	(block file
	(type labeledfs)
	(roletype object_r labeledfs)
	(context labeledfs_context (u object_r labeledfs low_low))

	(type pipefs)
	(roletype object_r pipefs)
	(context pipefs_context (u object_r pipefs low_low))
	...
	)

	(fsuse xattr ex4 file.labeledfs_context)
	(fsuse xattr btrfs file.labeledfs_context)

	(fsuse task pipefs file.pipefs_context)
	(fsuse task sockfs file.sockfs_context)

	(fsuse trans devpts file.devpts_context)
	(fsuse trans tmpfs file.tmpfs_context)]]>
	</programlisting>
	</sect2>

	<sect2 id="genfscon">
	<title>genfscon</title>
	<para>Used to allocate a security context to filesystems that cannot support any of the <literal><link linkend="fsuse">fsuse</link></literal> file labeling options. Generally a filesystem would have a single default security context assigned by <literal>genfscon</literal> from the root <literal>(/)</literal> that would then be inherited by all files and directories on that filesystem. The exception to this is the <literal>/proc</literal> filesystem, where directories can be labeled with a specific security context (as shown in the examples).</para>
	<para><emphasis role="bold">Statement definition:</emphasis></para>
	<programlisting><![CDATA[(genfscon fsname path context_id)]]></programlisting>
	<para><emphasis role="bold">Where:</emphasis></para>
	<informaltable frame="all">
	<tgroup cols="2">
	<colspec colwidth="2 *"/>
	<colspec colwidth="6 *"/>
	<tbody>
	<row>
	<entry>
	<para><literal>genfscon</literal></para>
	</entry>
	<entry>
	<para>The <literal>genfscon</literal> keyword.</para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>fsname</literal></para>
	</entry>
	<entry>
	<para>Name of the supported filesystem (e.g. <literal>rootfs</literal> or <literal>proc</literal>).</para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>path</literal></para>
	</entry>
	<entry>
	<para>If <literal>fsname</literal> is <literal>proc</literal>, then the partial path (see examples). For all other types this must be ‘<literal>/</literal>’.</para>
	</entry>
	</row>
	<row>
	<entry>
	<para><literal>context_id</literal></para>
	</entry>
	<entry>
	<para>A previously declared <literal><link linkend="context">context</link></literal> identifier or an anonymous security context (<literal><link linkend="user">user</link> <link linkend="role">role</link> <link linkend="type">type</link> <link linkend="levelrange">levelrange</link></literal>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</para>
	</entry>
	</row>
	</tbody></tgroup>
	</informaltable>

	<para><emphasis role="bold">Examples:</emphasis></para>
	<para>The <link linkend="context">context</link> identifiers are declared in the <literal>file</literal> namespace and the <literal>genfscon</literal> statements are then inserted using the <literal><link linkend="in">in</link></literal> container statement:</para>
	<programlisting><![CDATA[
	(file
	(type rootfs)
	(roletype object_r rootfs)
	(context rootfs_context (u object_r rootfs low_low))

	(type proc)
	(roletype object_r proc)
	(context rootfs_context (u object_r proc low_low))
	...
	)

	(in file
	(genfscon rootfs / rootfs_context)
	; proc labeling can be further refined (longest matching prefix).
	(genfscon proc / proc_context)
	(genfscon proc /net/xt_qtaguid/ctrl qtaguid_proc_context)
	(genfscon proc /sysrq-trigger sysrq_proc_context)
	(genfscon selinuxfs / selinuxfs_context)
	)]]>
	</programlisting>
	</sect2>

	</sect1>