Next: 8.11 Configuring access control
Up: 8 Specification of Simplified
Previous: 8.9 Configuring access control
Contents
SELinux can do fine-grained access control for files on filesystems that
support extended attributes, such as ext3, ext2 and xfs. For such files,
you configure access control using the allow statement. For files on other
filesystems, you use the allowfs statement described in this section.
- Syntax
- allowfs name_of_filesystem [s],[r],[x],[w];
For name_of_filesystem, the following names can be used: tmpfs sysfs autofs usbfs cdfs romfs
ramfs dosfs smbfs nfs proc proc_kmsg proc_kcore xattrfs.
- allowfs name_of_filesystem exclusive label;
- allowfs name_of_filesystem label [s],[r],[x],[w];
- allowfs name_of_filesystem -all [s],[r],[x],[w];
- Meaning
- Allow access to files on the specified filesystem. For example, allowfs proc s,r; grants s,r access to files on the proc
filesystem (/proc). When you see denial logs whose target type is a filesystem type (filesystem_t), you may have to use allowfs. For example, if you
find a log saying that read access to sysfs_t was denied, you may
add allowfs sysfs s,r;.
- In current SELinux, only tmpfs is allowed for name_of_filesystem.
This form corresponds to SELinux's file_type_auto_trans: files created on name_of_filesystem are given the label type.
- In current SELinux, only tmpfs is allowed for
name_of_filesystem. This form grants access rights to all
files that are labeled by file type transition.
- Notice
In allowfs name_of_filesystem exclusive label;,
label must be domain prefix_name_of_filesystem_t. For example, in the httpd_t domain, write allowfs
tmpfs exclusive httpd_tmpfs_t;.
- Notice about name_of_filesystem
- proc filesystem
Access control to the proc filesystem is somewhat more
fine-grained. proc_kmsg means /proc/kmsg, and proc_kcore
means /proc/kcore. proc_pid_self means the process information of the
domain's own process under /proc/pid/, and proc_pid_other means the process information of all
other processes. proc means the remaining files on /proc.
- xattrfs
This means a filesystem that supports extended attributes
but is not configured to use SELinux labels. For example, if
you format a USB memory stick as ext3 on a non-SELinux machine and then
mount it on an SELinux machine,
the files on it are recognized
as xattrfs. You have to use allowfs xattrfs
permissions; in such a case.
- cdfs
This corresponds to the iso9660 and udf filesystems.
- dosfs
This corresponds to fat, vfat and ntfs.
- smbfs
This corresponds to cifs and smbfs.
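The rules above (the four allowfs forms, the filesystem names, the tmpfs-only restriction on the label forms, and the exclusive-label naming rule) can be checked mechanically before a policy is loaded. The following validator is an added example written for this page; it is not seedit's own parser, and it assumes the proc_pid_self and proc_pid_other names from the Notice are accepted wherever the other filesystem names are.

```python
import re

# Filesystem names listed under Syntax, plus proc_pid_self/proc_pid_other
# from the Notice (assumed to be accepted alongside the others).
FS_NAMES = {
    "tmpfs", "sysfs", "autofs", "usbfs", "cdfs", "romfs", "ramfs", "dosfs",
    "smbfs", "nfs", "proc", "proc_kmsg", "proc_kcore", "proc_pid_self",
    "proc_pid_other", "xattrfs",
}
PERMS = {"s", "r", "x", "w"}
# The exclusive / label / -all forms are only allowed for tmpfs.
LABEL_FORM_FS = {"tmpfs"}

def parse_perms(text):
    """Parse a comma-separated list drawn from s, r, x, w into a set."""
    perms = [p.strip() for p in text.split(",") if p.strip()]
    if not perms or any(p not in PERMS for p in perms):
        raise ValueError(f"bad permission list: {text!r}")
    return set(perms)

def check_allowfs(stmt, domain):
    """Validate one allowfs statement written inside `domain` (e.g. 'httpd_t').
    Returns (filesystem, form, detail); raises ValueError on any rule violation."""
    m = re.fullmatch(r"\s*allowfs\s+(\S+)\s+(.*?)\s*;\s*", stmt)
    if not m:
        raise ValueError("allowfs statement must be 'allowfs <fs> ... ;'")
    fs, rest = m.group(1), m.group(2)
    if fs not in FS_NAMES:
        raise ValueError(f"unknown filesystem name: {fs}")
    words = rest.split(None, 1)
    if len(words) == 1:                      # allowfs fs s,r;
        return fs, "plain", parse_perms(words[0])
    if fs not in LABEL_FORM_FS:
        raise ValueError(f"label forms are only allowed for {sorted(LABEL_FORM_FS)}")
    first, tail = words
    if first == "exclusive":                 # allowfs tmpfs exclusive <label>;
        if not domain.endswith("_t"):
            raise ValueError(f"domain must end with _t: {domain}")
        expected = f"{domain[:-2]}_{fs}_t"   # domain prefix + _ + fs + _t
        if tail.strip() != expected:
            raise ValueError(f"exclusive label must be {expected}, got {tail.strip()}")
        return fs, "exclusive", expected
    if first == "-all":                      # allowfs tmpfs -all s,r;
        return fs, "all", parse_perms(tail)
    return fs, "label", (first, parse_perms(tail))  # allowfs tmpfs <label> s,r;

def is_valid(stmt, domain):
    """Boolean wrapper around check_allowfs for quick policy linting."""
    try:
        check_allowfs(stmt, domain)
        return True
    except ValueError:
        return False
```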
2006-02-27