File Labeling Statements
========================

filecon
-------

Defines an entry for labeling files. The compiler writes these entries to a **`file_contexts`**`(5)` file, by default in the current working directory; the compiler option `[-f|--filecontext <filename>]` selects a different path or file name. Note that `filecon` entries only describe how files are to be labeled: they take effect when a tool such as `setfiles`(8) or `restorecon`(8) applies the generated `file_contexts` file, not when the binary policy is loaded into the kernel.

**Statement definition:**

    (filecon "path" file_type context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>filecon</code></p></td>
<td align="left"><p>The <code>filecon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>path</code></p></td>
<td align="left"><p>A string giving the file path, which may be a regular expression in the form used by <code>file_contexts</code>(5) (libselinux anchors it at both ends when matching). The string must be enclosed within double quotes (e.g. <code>&quot;/this/is/a/path(/.*)?&quot;</code>).</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>file_type</code></p></td>
<td align="left"><p>A single keyword selecting the file type field written to the <code>file_contexts</code> file, as follows:</p>
<table>
<colgroup>
<col width="44%" />
<col width="55%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><strong>keyword</strong></p></td>
<td align="left"><p><strong>file_contexts entry</strong></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>file</code></p></td>
<td align="left"><p><code>--</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>dir</code></p></td>
<td align="left"><p><code>-d</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>char</code></p></td>
<td align="left"><p><code>-c</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>block</code></p></td>
<td align="left"><p><code>-b</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>socket</code></p></td>
<td align="left"><p><code>-s</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>pipe</code></p></td>
<td align="left"><p><code>-p</code></p></td>
</tr>
<tr class="even">
<td align="left"><p><code>symlink</code></p></td>
<td align="left"><p><code>-l</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>any</code></p></td>
<td align="left"><p>no entry (the pattern matches objects of every file type)</p></td>
</tr>
</tbody>
</table></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>The security context to be assigned to matching files, which may be:</p>
<ul>
<li><p>A previously declared <code>context</code> identifier, or an anonymous security context (<code>user role type levelrange</code>). The range MUST be given even if the policy is not MLS/MCS enabled.</p></li>
<li><p>An empty context, written <code>()</code>, indicating that matching files must not be relabeled. This is written as <code>&lt;&lt;none&gt;&gt;</code> in the <strong><code>file_contexts</code></strong><code>(5)</code> file.</p></li>
</ul></td>
</tr>
</tbody>
</table>

**Examples:**

These examples use one named, one anonymous and one empty context definition. `low_low` is assumed to be a previously declared `levelrange` covering `s0-s0`; the anonymous context spells the same range out as `((s0) (s0))`:

    (context runas_exec_context (u object_r runas.exec low_low))

    (filecon "/system/bin/run-as" file runas_exec_context)
    (filecon "/dev/socket/wpa_wlan[0-9]" any (u object_r wpa.socket ((s0) (s0))))
    (filecon "/data/local/mine" dir ())

These resolve to the following `file_contexts` entries (assuming an MLS-enabled policy; a range whose low and high levels are equal is written as the single level):

    /system/bin/run-as  -- u:object_r:runas.exec:s0
    /dev/socket/wpa_wlan[0-9]   u:object_r:wpa.socket:s0
    /data/local/mine -d <<none>>

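To make the mapping above concrete, here is an added example (it is not part of the CIL reference and not secilc's code) that translates the `filecon` statements of the example into `file_contexts` lines. It understands only the `level`, `levelrange`, `context` and `filecon` statements, just enough to run the example; the `systemlow` level and the `low_low` levelrange declarations it feeds in are assumptions, as is the `FileconCompiler` class name. Namespaces, secilc's sorting of entries by specificity, MLS-disabled output and category compression (`c0.c3`) are deliberately left out.

```python
"""Added example (not part of the CIL reference or of secilc): a toy
translator from CIL filecon statements to file_contexts(5) lines, following
the file_type -> entry mapping and the () -> <<none>> rule documented above.
Only level, levelrange, context and filecon statements are understood."""
import re

# file_type keyword -> file_contexts(5) type field, per the table above.
FILE_TYPE_FIELD = {
    "file": "--", "dir": "-d", "char": "-c", "block": "-b",
    "socket": "-s", "pipe": "-p", "symlink": "-l", "any": None,
}

# Tokens: quoted path strings, parentheses, or bare atoms (u, s0, c1, ...).
_TOKEN = re.compile(r'"[^"]*"|[()]|[^\s()"]+')


def parse_sexprs(text):
    """Parse CIL text into nested lists of strings (';' comments dropped)."""
    stack = [[]]
    for tok in _TOKEN.findall(re.sub(r";[^\n]*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        elif tok.startswith('"'):
            stack[-1].append(tok[1:-1])          # path without its quotes
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


class FileconCompiler:
    """Resolves named and anonymous contexts and emits file_contexts lines."""
    def __init__(self):
        self.levels = {}        # level name      -> "s0" or "s0:c0,c1"
        self.levelranges = {}   # levelrange name -> "s0" or "s0-s1:c0"
        self.contexts = {}      # context name    -> "u:r:t:range"
        self.entries = []       # output lines, in declaration order

    def render_level(self, lvl):
        # Named level, or anonymous (sens) / (sens (c0 c1 ...)).
        if isinstance(lvl, str):
            return self.levels[lvl]
        if len(lvl) > 1 and lvl[1]:
            return "%s:%s" % (lvl[0], ",".join(lvl[1]))
        return lvl[0]

    def render_range(self, rng):
        # Named levelrange, or anonymous (low high); s0-s0 collapses to s0.
        if isinstance(rng, str):
            return self.levelranges[rng]
        low, high = (self.render_level(level) for level in rng)
        return low if low == high else low + "-" + high

    def render_context(self, ctx):
        # (), a named context, or anonymous (user role type levelrange).
        if ctx == []:
            return "<<none>>"
        if isinstance(ctx, str):
            return self.contexts[ctx]
        user, role, type_, rng = ctx
        return ":".join((user, role, type_, self.render_range(rng)))

    def compile(self, cil_text):
        for stmt in parse_sexprs(cil_text):
            kind, args = stmt[0], stmt[1:]
            if kind == "level":
                self.levels[args[0]] = self.render_level(args[1])
            elif kind == "levelrange":
                self.levelranges[args[0]] = self.render_range(args[1])
            elif kind == "context":
                self.contexts[args[0]] = self.render_context(args[1])
            elif kind == "filecon":
                path, ftype, ctx = args
                if ftype not in FILE_TYPE_FIELD:
                    raise ValueError("unknown file_type %r" % ftype)
                fields = (path, FILE_TYPE_FIELD[ftype], self.render_context(ctx))
                self.entries.append(" ".join(f for f in fields if f))
            else:
                raise ValueError("statement not handled here: %s" % kind)
        return self.entries


# Constructed input: the page's example plus the declarations it assumes.
EXAMPLE_CIL = """
(level systemlow (s0))
(levelrange low_low (systemlow systemlow))
(context runas_exec_context (u object_r runas.exec low_low))
(filecon "/system/bin/run-as" file runas_exec_context)
(filecon "/dev/socket/wpa_wlan[0-9]" any (u object_r wpa.socket ((s0) (s0))))
(filecon "/data/local/mine" dir ())
"""


def compile_example():
    return FileconCompiler().compile(EXAMPLE_CIL)
```

`compile_example()` returns the three entries shown above, one per `filecon` statement and in declaration order. Real `secilc` additionally sorts the entries by specificity before writing them, which matters because `file_contexts`(5) is matched last-match-wins by libselinux.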
fsuse
-----

Declares how a filesystem type that supports SELinux security contexts is labeled. The context given here labels the filesystem itself (its superblock), and the `fstype` keyword selects how the files and other objects on it obtain their labels.

**Statement definition:**

    (fsuse fstype fsname context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>fsuse</code></p></td>
<td align="left"><p>The <code>fsuse</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>fstype</code></p></td>
<td align="left"><p>A single keyword selecting the labeling behaviour for the filesystem, as follows:</p>
<ul>
<li><p><code>task</code> - For pseudo filesystems whose objects belong to a task, such as pipes and sockets. Each object is labeled with the context of the task that created it.</p></li>
<li><p><code>trans</code> - For pseudo filesystems such as pseudo terminals (<code>devpts</code>) and temporary objects (<code>tmpfs</code>). Each object is labeled by a type transition computed from the creating task's context and the filesystem's context.</p></li>
<li><p><code>xattr</code> - Filesystems supporting the <code>security.selinux</code> extended attribute; each file carries its own label in that attribute. The labeling is persistent for filesystems that support extended attributes.</p></li>
</ul></td>
</tr>
<tr class="odd">
<td align="left"><p><code>fsname</code></p></td>
<td align="left"><p>Name of the supported filesystem (e.g. <code>ext4</code> or <code>pipefs</code>).</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>The security context to be assigned to the filesystem.</p>
<p>A previously declared <code>context</code> identifier, or an anonymous security context (<code>user role type levelrange</code>). The range MUST be given even if the policy is not MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Examples:**

The [context](#context) identifiers are declared in the `file` namespace and the [`fsuse`](cil_file_labeling_statements.md#fsuse) statements in the global namespace (the `sockfs`, `devpts` and `tmpfs` contexts are declared in the elided part of the block):

    (block file
        (type labeledfs)
        (roletype object_r labeledfs)
        (context labeledfs_context (u object_r labeledfs low_low))

        (type pipefs)
        (roletype object_r pipefs)
        (context pipefs_context (u object_r pipefs low_low))
        ...
    )

    (fsuse xattr ext4 file.labeledfs_context)
    (fsuse xattr btrfs file.labeledfs_context)

    (fsuse task pipefs file.pipefs_context)
    (fsuse task sockfs file.sockfs_context)

    (fsuse trans devpts file.devpts_context)
    (fsuse trans tmpfs file.tmpfs_context)

genfscon
--------

Assigns a security context to filesystems that cannot use any of the [`fsuse`](cil_file_labeling_statements.md#fsuse) labeling behaviours. Generally a filesystem has a single default security context assigned by [`genfscon`](cil_file_labeling_statements.md#genfscon) for the root `(/)`, which is then inherited by every file and directory on that filesystem. The exception is the `/proc` filesystem, where individual paths can be given their own security context (as shown in the examples); the kernel picks the entry whose path is the longest matching prefix of the file's path.

**Statement definition:**

    (genfscon fsname path context_id)

**Where:**

<table>
<colgroup>
<col width="25%" />
<col width="75%" />
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><code>genfscon</code></p></td>
<td align="left"><p>The <code>genfscon</code> keyword.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>fsname</code></p></td>
<td align="left"><p>Name of the supported filesystem (e.g. <code>rootfs</code> or <code>proc</code>).</p></td>
</tr>
<tr class="odd">
<td align="left"><p><code>path</code></p></td>
<td align="left"><p>If <code>fsname</code> is <code>proc</code>, a partial path (see examples). For other filesystem types this must be <code>/</code>, except that newer kernels also honour partial paths for further pseudo filesystems such as <code>sysfs</code>; on older kernels such entries are ignored beyond the <code>/</code> entry.</p></td>
</tr>
<tr class="even">
<td align="left"><p><code>context_id</code></p></td>
<td align="left"><p>A previously declared <code>context</code> identifier, or an anonymous security context (<code>user role type levelrange</code>). The range MUST be given even if the policy is not MLS/MCS enabled.</p></td>
</tr>
</tbody>
</table>

**Examples:**

The [context](#context) identifiers are declared in the `file` namespace and the [`genfscon`](cil_file_labeling_statements.md#genfscon) statements are then inserted into that namespace using the [`in`](cil_container_statements.md#in) container statement (the `qtaguid_proc`, `sysrq_proc` and `selinuxfs` contexts are declared in the elided part of the block):

    (block file
        (type rootfs)
        (roletype object_r rootfs)
        (context rootfs_context (u object_r rootfs low_low))

        (type proc)
        (roletype object_r proc)
        (context proc_context (u object_r proc low_low))
        ...
    )

    (in file
        (genfscon rootfs / rootfs_context)
        ; proc labeling can be further refined (longest matching prefix).
        (genfscon proc / proc_context)
        (genfscon proc /net/xt_qtaguid/ctrl qtaguid_proc_context)
        (genfscon proc /sysrq-trigger sysrq_proc_context)
        (genfscon selinuxfs / selinuxfs_context)
    )

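The following added example (not part of the CIL reference and not the kernel's code) models how the `fsuse` and `genfscon` tables from the two sections above are consulted when a file on a mounted filesystem is labeled: an `fsuse` entry for the filesystem type wins, otherwise the `genfscon` entries are searched for the longest matching path prefix, otherwise the filesystem is unlabeled. The tables are constructed from the examples above; the type names behind the elided contexts (`file.qtaguid_proc`, `file.sysrq_proc`, `file.selinuxfs`, `file.sockfs`, `file.devpts`, `file.tmpfs`) and the function names are assumptions. The real logic lives in the kernel security server (`security_fs_use()` and `security_genfs_sid()`), of which this is only a simplified model.

```python
"""Added example (not part of the CIL reference or of the kernel): a small
model of how the fsuse and genfscon tables are consulted when a file on a
mounted filesystem is labeled. Tables are constructed from the page's
examples; the types behind the elided '...' contexts are assumed."""

# fsuse: filesystem name -> (behaviour, filesystem context).
FSUSE = {
    "ext4":   ("xattr", "u:object_r:file.labeledfs:s0"),
    "btrfs":  ("xattr", "u:object_r:file.labeledfs:s0"),
    "pipefs": ("task",  "u:object_r:file.pipefs:s0"),
    "sockfs": ("task",  "u:object_r:file.sockfs:s0"),
    "devpts": ("trans", "u:object_r:file.devpts:s0"),
    "tmpfs":  ("trans", "u:object_r:file.tmpfs:s0"),
}

# genfscon: (fsname, path prefix, context), in declaration order.
GENFSCON = [
    ("rootfs",    "/",                    "u:object_r:file.rootfs:s0"),
    ("proc",      "/",                    "u:object_r:file.proc:s0"),
    ("proc",      "/net/xt_qtaguid/ctrl", "u:object_r:file.qtaguid_proc:s0"),
    ("proc",      "/sysrq-trigger",       "u:object_r:file.sysrq_proc:s0"),
    ("selinuxfs", "/",                    "u:object_r:file.selinuxfs:s0"),
]


def fs_behaviour(fsname):
    """Labeling behaviour for a filesystem type: fsuse wins, then genfs."""
    if fsname in FSUSE:
        return FSUSE[fsname][0]
    if any(fs == fsname for fs, _, _ in GENFSCON):
        return "genfs"
    return "unlabeled"


def genfs_context(fsname, path):
    """Longest-matching-prefix lookup over the genfscon entries.

    The kernel compares with strncmp over the entry's own length, i.e. a
    raw string prefix: '/sysrq-trigger' also matches '/sysrq-trigger2'.
    Add a more specific entry when that is not what the policy intends.
    """
    best = None
    for fs, prefix, ctx in GENFSCON:
        if fs == fsname and path.startswith(prefix):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, ctx)
    return best[1] if best else None


def resolve(fsname, path):
    """(behaviour, context) the policy provides for `path` on `fsname`.

    For xattr/task/trans the returned context is the filesystem's own
    label from fsuse; the individual file is then labeled from its
    security.selinux attribute, from the creating task, or by a type
    transition from the creating task and this context, respectively.
    For genfs the file's context comes straight from the prefix table.
    """
    behaviour = fs_behaviour(fsname)
    if behaviour in ("xattr", "task", "trans"):
        return behaviour, FSUSE[fsname][1]
    if behaviour == "genfs":
        return behaviour, genfs_context(fsname, path)
    return behaviour, None
```

`resolve("proc", "/net/xt_qtaguid/ctrl")` picks the `qtaguid_proc` entry over the `/` entry, while any other `/net/...` path falls back to `file.proc`; a filesystem type with neither an `fsuse` nor a `genfscon` entry comes back as `unlabeled`, which is the case to look for when a new pseudo filesystem shows up with `unlabeled_t` objects.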