SELinux can do fine-grained access control to files on filesystems that
support extended attributes, such as ext3, ext2 and xfs. For files on such
filesystems, you configure access control with the allow statement. For files on
other filesystems, you should use the allowfs statement described in this
section.
- Syntax
- allowfs name_of_filesystem [s],[r],[x],[w];
  For name_of_filesystem, the following names can be used: tmpfs sysfs autofs
  usbfs cdfs romfs ramfs dosfs smbfs nfs proc proc_kmsg proc_kcore xattrfs.
- Meaning
- Allow access to files on the specified filesystem. For example, allowfs proc s,r; grants s,r access to files on the proc
  filesystem (/proc). When you see logs whose target types are filesystem types such as filesystem_t, you may have to use allowfs. For example, if you
  find a log saying that read access to sysfs_t is denied, you may
  add allowfs sysfs s,r;.
- Notice about name_of_filesystem
- proc filesystem
  Access control to the proc filesystem is somewhat more
  fine-grained. proc_kmsg means /proc/kmsg, and proc_kcore
  means /proc/kcore. proc_pid_self means the process information of the
  process itself under /proc/pid/, and proc_pid_other means the process information of all
  other processes. proc means the remaining files under /proc.
- xattrfs
  This means a filesystem that supports extended attributes
  but is not configured to use SELinux labels. For example, if
  you format a USB memory stick as ext3 on a non-SELinux machine and
  then mount it on an SELinux machine,
  the files on it are recognized
  as xattrfs. In such a case you have to use allowfs xattrfs
  permissions;.
- cdfs
  This corresponds to the iso9660 and udf filesystems.
- dosfs
  This corresponds to fat, vfat and ntfs.
- smbfs
  This corresponds to cifs and smbfs.
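The allowfs syntax and the "denied log to allowfs line" step above, as an added example (not code from seedit or from the original page): a small Python checker that parses and validates allowfs statements, and turns a constructed AVC denial line into a suggested allowfs statement. The AVC line layout, the mapping from AVC permission names to s/r/x/w, and the pairing of s with r (following the page's sysfs example) are assumptions, not seedit's own implementation.

```python
import re

# Filesystem names the page lists for allowfs, plus the two proc_pid_* names
# described in the "Notice" section.
ALLOWFS_NAMES = {
    "tmpfs", "sysfs", "autofs", "usbfs", "cdfs", "romfs", "ramfs", "dosfs",
    "smbfs", "nfs", "proc", "proc_kmsg", "proc_kcore", "proc_pid_self",
    "proc_pid_other", "xattrfs",
}
ALLOWFS_PERMS = ("s", "r", "x", "w")   # output order for suggested statements

_STMT = re.compile(r"^\s*allowfs\s+(\S+)\s+([srxw](?:\s*,\s*[srxw])*)\s*;\s*$")


def parse_allowfs(line):
    """Parse one 'allowfs <fs> <perms>;' statement into (fs, frozenset(perms)).

    Raises ValueError for a malformed statement, a permission letter outside
    s/r/x/w, or a filesystem name that is not in ALLOWFS_NAMES."""
    m = _STMT.match(line)
    if not m:
        raise ValueError("not a valid allowfs statement: %r" % line)
    fs = m.group(1)
    perms = frozenset(p.strip() for p in m.group(2).split(","))
    if fs not in ALLOWFS_NAMES:
        raise ValueError("unknown filesystem name %r" % fs)
    return fs, perms


# Assumed layout of a kernel AVC denial: '... avc: denied { perms } for ...
# tcontext=user:object_r:<type>_t:... tclass=...'.  Captures the permissions
# and the target type name without its '_t' suffix.
_AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*\btcontext=\S+?:object_r:(\w+?)_t\b")
# Assumed mapping from AVC permission names to simplified-policy letters.
_PERM_MAP = {"read": "r", "write": "w", "execute": "x", "search": "s"}


def suggest_allowfs(avc_line):
    """Return an allowfs statement covering the denial, or None when the
    target type is not a filesystem type handled by allowfs."""
    m = _AVC.search(avc_line)
    if not m:
        return None
    denied, fs = m.group(1).split(), m.group(2)
    if fs not in ALLOWFS_NAMES:
        return None
    letters = {_PERM_MAP[p] for p in denied if p in _PERM_MAP}
    if "r" in letters:
        letters.add("s")   # the page's example pairs s with r (allowfs sysfs s,r;)
    if not letters:
        return None
    return "allowfs %s %s;" % (fs, ",".join(p for p in ALLOWFS_PERMS if p in letters))
```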
Yuichi Nakamura
2006-11-13