File Labeling Statements ======================== filecon ------- Define entries for labeling files. The compiler will produce these entries in a file called **`file_contexts`**`(5)` by default in the `cwd`. The compiler option `[-f|--filecontext ]` may be used to specify a different path or file name. **Statement definition:** (filecon "path" file_type context_id) **Where:**

filecon

The filecon keyword.

path

A string representing the file path that may be in the form of a regular expression. The string must be enclosed within double quotes (e.g. "/this/is/a/path(/.*)?")

file_type

A single keyword representing a file type in the file_contexts file as follows:

keyword	file_contexts entry
`file`	`--`
`dir`	`-d`
`char`	`-c`
`block`	`-b`
`socket`	`-s`
`pipe`	`-p`
`symlink`	`-l`
`any`	no entry

context_id

The security context to be allocated to the file, which may be:

A previously declared context identifier or an anonymous security context (user role type levelrange), the range MUST be defined whether the policy is MLS/MCS enabled or not.
An empty context list represented by () can be used to indicate that matching files should not be re-labeled. This will be interpreted as <<none>> within the file_contexts(5) file.

**Examples:** These examples use one named, one anonymous and one empty context definition: (context runas_exec_context (u object_r exec low_low)) (filecon "/system/bin/run-as" file runas_exec_context) (filecon "/dev/socket/wpa_wlan[0-9]" any u:object_r:wpa.socket:s0-s0) (filecon "/data/local/mine" dir ()) to resolve/build `file_contexts` entries of (assuming MLS enabled policy): /system/bin/run-as -- u:object_r:runas.exec:s0 /dev/socket/wpa_wlan[0-9] u:object_r:wpa.socket:s0 /data/local/mine -d <> fsuse ----- Label filesystems that support SELinux security contexts. **Statement definition:** (fsuse fstype fsname context_id) **Where:**

`fsuse`	The `fsuse` keyword.
`fstype`	A single keyword representing the type of filesystem as follows: `task` - For pseudo filesystems supporting task related services such as pipes and sockets. `trans` - For pseudo filesystems such as pseudo terminals and temporary objects. `xattr` - Filesystems supporting the extended attribute `security.selinux`. The labeling is persistent for filesystems that support extended attributes.
`fsname`	Name of the supported filesystem (e.g. `ext4` or `pipefs`).
`context_id`	The security context to be allocated to the network interface. A previously declared `context` identifier or an anonymous security context (`user role type levelrange`), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Examples:** The [context](#context) identifiers are declared in the `file` namespace and the [`fsuse`](cil_file_labeling_statements.md#fsuse) statements in the global namespace: (block file (type labeledfs) (roletype object_r labeledfs) (context labeledfs_context (u object_r labeledfs low_low)) (type pipefs) (roletype object_r pipefs) (context pipefs_context (u object_r pipefs low_low)) ... ) (fsuse xattr ex4 file.labeledfs_context) (fsuse xattr btrfs file.labeledfs_context) (fsuse task pipefs file.pipefs_context) (fsuse task sockfs file.sockfs_context) (fsuse trans devpts file.devpts_context) (fsuse trans tmpfs file.tmpfs_context) genfscon -------- Used to allocate a security context to filesystems that cannot support any of the [`fsuse`](cil_file_labeling_statements.md#fsuse) file labeling options. Generally a filesystem would have a single default security context assigned by [`genfscon`](cil_file_labeling_statements.md#genfscon) from the root `(/)` that would then be inherited by all files and directories on that filesystem. The exception to this is the `/proc` filesystem, where directories can be labeled with a specific security context (as shown in the examples). **Statement definition:** (genfscon fsname path context_id) **Where:**

`genfscon`	The `genfscon` keyword.
`fsname`	Name of the supported filesystem (e.g. `rootfs` or `proc`).
`path`	If `fsname` is `proc`, then the partial path (see examples). For all other types this must be ‘`/`’.
`context_id`	A previously declared `context` identifier or an anonymous security context (`user role type levelrange`), the range MUST be defined whether the policy is MLS/MCS enabled or not.

**Examples:** The [context](#context) identifiers are declared in the `file` namespace and the [`genfscon`](cil_file_labeling_statements.md#genfscon) statements are then inserted using the [`in`](cil_container_statements.md#in) container statement: (file (type rootfs) (roletype object_r rootfs) (context rootfs_context (u object_r rootfs low_low)) (type proc) (roletype object_r proc) (context rootfs_context (u object_r proc low_low)) ... ) (in file (genfscon rootfs / rootfs_context) ; proc labeling can be further refined (longest matching prefix). (genfscon proc / proc_context) (genfscon proc /net/xt_qtaguid/ctrl qtaguid_proc_context) (genfscon proc /sysrq-trigger sysrq_proc_context) (genfscon selinuxfs / selinuxfs_context) )