Commit 4f5a43c

Merge pull request #22 from cgzones/genfscon
RFE: update genfscon documentation
2 parents b0e1056 + 4dda48e commit 4f5a43c

File tree

1 file changed

+33
-11
lines changed

src/file_labeling_statements.md

Lines changed: 33 additions & 11 deletions
Original file line number | Diff line number | Diff line change
@@ -184,16 +184,17 @@ The *genfscon* statement is used to allocate a security context to
184184
filesystems that cannot support any of the other file labeling
185185
statements (*fs_use_xattr*, *fs_use_task* or *fs_use_trans*). Generally
186186
a filesystem would have a single default security context assigned by
187-
*genfscon* from the root (/) that would then be inherited by all files and
188-
directories on that filesystem. The exception to this is the */proc*
189-
filesystem, where directories can be labeled with a specific security
190-
context (as shown in the examples). Note that there is no terminating
191-
semi-colon on this statement.
187+
*genfscon* from the root (*/*) that would then be inherited by all files and
188+
directories on that filesystem. File entries can be, if supported by the
189+
underlying filesystem, labeled with a specific security context (as shown in
190+
the examples), which is useful for pseudo filesystems exporting kernel state
191+
(e.g. *proc*, *sysfs*, *cgroup2*, *securityfs*, *selinuxfs*).
192+
Note that there is no terminating semi-colon on this statement.
192193

193194
**The statement definition is:**
194195

195196
```
196-
genfscon fs_name partial_path fs_context
197+
genfscon fs_name partial_path [filetype_specifier] fs_context
197198
```
198199

199200
**Where:**
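Review bot: the rewritten sentence "File entries can be, if supported by the underlying filesystem, labeled with a specific security context" leaves two things unstated that a policy writer needs here: which filesystems support per-path entries (the example list in parentheses helps, but "if supported" gives no way to find out for a filesystem not listed) and how overlapping entries for one filesystem are resolved, which matters because the examples later in this patch carry both `genfscon proc / ...` and `genfscon proc /fs/openafs ...`. Suggest one sentence on the precedence rule (the most specific matching partial_path applies, with the `/` entry acting as the default) and a consistent term: this paragraph says "pseudo filesystems" while the partial_path entry below says "virtual kernel filesystem".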
@@ -208,8 +209,23 @@ The filesystem name.
208209

209210
*partial_path*
210211

211-
If *fs_name* is *proc*, then the partial path (see the examples). For all other
212-
types, this must be */*.
212+
If *fs_name* is a virtual kernel filesystem, then the partial path (see the
213+
examples). For all other types, this must be */*.
214+
215+
*filetype_specifier*
216+
217+
Optional filetype specifier to apply the context only to a specific file type.
218+
Valid specifiers are:
219+
220+
- *-b* block device
221+
- *-c* character device
222+
- *-d* directory
223+
- *-p* named pipe
224+
- *-l* symbolic link
225+
- *-s* socket
226+
- *--* regular file
227+
228+
If omitted the context applies to all file types.
213229

214230
*fs_context*
215231

@@ -241,14 +257,20 @@ genfscon selinuxfs / system_u:object_r:security_t:s0
241257
```
242258

243259
```
244-
# The following show some example /proc entries. Note that the
245-
# /kmsg has the highest sensitivity level assigned (s15) because
246-
# it is a trusted process.
260+
# The following examples show pseudo kernel filesystem entries. Note that
261+
# the /kmsg has the highest sensitivity level assigned (s15) because
262+
# it is a file containing possibly sensitive information.
263+
264+
genfscon cgroup2 "/user.slice" -d system_u:object_r:cgroup_user_slice_t:s0
247265
248266
genfscon proc / system_u:object_r:proc_t:s0
249267
genfscon proc /sysvipc system_u:object_r:proc_t:s0
250268
genfscon proc /fs/openafs system_u:object_r:proc_afs_t:s0
251269
genfscon proc /kmsg system_u:object_r:proc_kmsg_t:s15:c0.c255
270+
271+
genfscon selinuxfs /booleans/secure_mode_policyload -- system_u:object_r:secure_mode_policyload_boolean_t:s0
272+
273+
genfscon sysfs /devices/system/cpu/online -- system_u:object_r:cpu_online_sysfs_t:s0
252274
```
253275

254276
<!-- %CUTHERE% -->
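Review bot: the new cgroup2 example quotes its path (`genfscon cgroup2 "/user.slice" -d ...`) while every other example, old and new, uses an unquoted path and the partial_path description does not mention quoting at all; either drop the quotes for consistency or add a sentence to partial_path saying when a quoted path is permitted or required. Minor: "Note that the /kmsg has the highest sensitivity level" reads better as "Note that /kmsg has the highest sensitivity level".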
