# FLASK

#
# Security contexts for files in filesystems that
# cannot support xattr or use one of the fixed labeling schemes 
# specified in fs_use.
#
# Each specification has the form:
# 	genfscon fstype pathname-prefix [ -type ] context
#
# The entry with the longest matching pathname prefix is used.
# / refers to the root directory of the file system, and
# everything is specified relative to this root directory.
# If no entry has a matching pathname prefix, the unlabeled initial SID
# is used instead.
#
# The optional type field specifies the file type as shown in the mode
# field by ls, e.g. use -c to match only character device files, -b
# to match only block device files.
#
# Except for proc, each filesystem type is limited to a single entry (/)
# that assigns one default file context to every file in that filesystem.
# For proc, a pathname can be reliably generated from the proc_dir_entry
# tree.  The proc /sys entries are used for both proc inodes and for sysctl(2)
# calls. /proc/PID entries are automatically labeled based on the associated
# process.
#
# Support for other filesystem types requires corresponding code to be
# added to the kernel, either as an xattr handler in the filesystem 
# implementation (preferred, and necessary if you want to access the labels
# from userspace) or as logic in the SELinux module.

# proc (excluding /proc/PID)
# Longest-prefix matching (see header) applies: /sys/kernel/modprobe gets
# sysctl_modprobe_t rather than the /sys/kernel default sysctl_kernel_t, and
# any /sys path not listed below falls back to sysctl_t.  The /sys labels
# also govern sysctl(2) calls, as noted in the header.
genfscon proc /				system_u:object_r:proc_t
genfscon proc /kmsg			system_u:object_r:proc_kmsg_t
genfscon proc /kcore			system_u:object_r:proc_kcore_t
genfscon proc /sysvipc			system_u:object_r:proc_t
genfscon proc /sys			system_u:object_r:sysctl_t
genfscon proc /sys/kernel		system_u:object_r:sysctl_kernel_t
genfscon proc /sys/kernel/modprobe	system_u:object_r:sysctl_modprobe_t
genfscon proc /sys/net			system_u:object_r:sysctl_net_t
genfscon proc /sys/net/unix		system_u:object_r:sysctl_net_unix_t
genfscon proc /sys/vm			system_u:object_r:sysctl_vm_t
genfscon proc /sys/dev			system_u:object_r:sysctl_dev_t

# rootfs
# Single / entry: every file on the filesystem receives this one context
# (non-proc filesystems only support the root entry, per the header).
genfscon rootfs /			system_u:object_r:root_t

# sysfs
genfscon sysfs /			system_u:object_r:sysfs_t

# selinuxfs
genfscon selinuxfs /			system_u:object_r:security_t

# autofs
# Emitted only when automount.te is part of the policy build (m4 ifdef).
# Otherwise autofs has no genfscon entry and receives the unlabeled
# initial SID, as described in the header.
ifdef(`automount.te', `
genfscon autofs /			system_u:object_r:autofs_t
')

# iso9660
genfscon iso9660 /			system_u:object_r:iso9660_t

# vfat, msdos
# Both FAT variants share a single context.
genfscon vfat /				system_u:object_r:dosfs_t
genfscon msdos /			system_u:object_r:dosfs_t

# nfs
genfscon nfs /				system_u:object_r:nfs_t
