9 Access control to files on misc file systems:allowfs

SELinux can do fine-grained access control to files on filesystems that support extended-attributes, such as ext3, ext2 and xfs. For such files, you configure access control using allow statement. In other filesystems, you should configure allowfs described in this section.

• Syntax
  1. allowfs name_of_filesystem [s],[r],[x],[w];
     For name_of_filesystem tmpfs sysfs autofs usbfs cdfs romfs ramfs dosfs smbfs nfs proc proc_kmsg proc_kcore xattrfs can be used.
• Meaning
  
  1. Allow access to files in specified system. For example, allowfs proc s,r; means to grant s,r access to files on proc filesystem(/proc). When you see logs whose types are filesystem_t , you may have to use allowfs. This means, if you find log about read access to sysfs_t is denied, you may add allowfs sysfs s,r;.

• Notice about name_of_filesystem
  • proc filesystem
    Access control to proc file system is a little fine-grained. proc_kmsg means, /proc/kmsg, proc_kcore means /proc/kcore. proc_pid_self means process information of own process in /proc/pid/. proc_pid_other means process information for all others. proc means other files on /proc.
  • xattrfs
    This means filesystem that supports extended-attribute, but not configured to use SELinux's label. For example, if you format USB memory as ext3 on non-SELinux machine. Next you mount the USB memory in SELinux machine, the files on it are recognized as xattrfs. You have to use allowfs xattrfs permissions in such case.
  • cdfs
    This corresponds to iso9660 and udf filesystem.
  • dosfs
    This corresponds to fat, vfat, ntfs.
  • smbfs
    This corresponds to cifs and smbfs.