author | Dominick Grift <dominick.grift@defensec.nl> | 2023-08-20 15:44:41 +0200 |
---|---|---|
committer | Dominick Grift <dominick.grift@defensec.nl> | 2023-08-20 15:46:23 +0200 |
commit | 0c187b6ff97f91c41dab65a6426dc61f77305cdf (patch) | |
tree | 1e35f5851154500a8a39428a45a5671f9488e1da /src/fs | |
download | selinux-policy-0c187b6ff97f91c41dab65a6426dc61f77305cdf.tar.gz |
Import dssp5
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Diffstat (limited to 'src/fs')
40 files changed, 497 insertions, 0 deletions
diff --git a/src/fs/noseclabelfs.cil b/src/fs/noseclabelfs.cil
new file mode 100644
index 0000000..6701423
--- /dev/null
+++ b/src/fs/noseclabelfs.cil
@@ -0,0 +1,32 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block noseclabelfs
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .fs.all_macro_template_fs)
+
+ (allow typeattr self (filesystem (associate)))
+
+ (call .fs.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .fs.base_template)
+
+ (call .noseclabelfs.type (fs)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template)))
diff --git a/src/fs/noseclabelfs/aionoseclabelfs.cil b/src/fs/noseclabelfs/aionoseclabelfs.cil
new file mode 100644
index 0000000..b91e583
--- /dev/null
+++ b/src/fs/noseclabelfs/aionoseclabelfs.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block aio
+
+ (genfscon "aio" "/" fs_context)
+
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/anoninodenoseclabelfs.cil b/src/fs/noseclabelfs/anoninodenoseclabelfs.cil
new file mode 100644
index 0000000..28f5dec
--- /dev/null
+++ b/src/fs/noseclabelfs/anoninodenoseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block anoninode
+
+ (genfscon "anon_inodefs" "/" fs_context)
+
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/autonoseclabelfs.cil b/src/fs/noseclabelfs/autonoseclabelfs.cil
new file mode 100644
index 0000000..6a0d922
--- /dev/null
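Review bot: In src/fs/noseclabelfs.cil the block carries no comment saying which filesystems belong under it or why `(allow typeattr self (filesystem (associate)))` is granted to every member, while the parallel block in src/fs/seclabelfs.cil has no such rule. A header would make that visible to whoever adds the next filesystem, for example `;; filesystems without per-file security labels; every object carries the filesystem type, hence the self associate` (wording to be confirmed by the author, since the intent is inferred from the names). It would also help to state that `base_template` inherits `.fs.base_template` and adds `fs` to `typeattr`, while `template` additionally pulls in the dirs, files and fs macro templates.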
+++ b/src/fs/noseclabelfs/autonoseclabelfs.cil
@@ -0,0 +1,14 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block auto
+
+ (genfscon "autofs" "/" fs_context)
+ (genfscon "automount" "/" fs_context)
+
+ (macro getattr_fs_dirs ((type ARG1))
+ (allow ARG1 fs (dir (getattr))))
+
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/bdevnoseclabelfs.cil b/src/fs/noseclabelfs/bdevnoseclabelfs.cil
new file mode 100644
index 0000000..dd622d0
--- /dev/null
+++ b/src/fs/noseclabelfs/bdevnoseclabelfs.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block bdev
+
+ (genfscon "bdev" "/" fs_context)
+
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/binfmtmiscnoseclabelfs.cil b/src/fs/noseclabelfs/binfmtmiscnoseclabelfs.cil
new file mode 100644
index 0000000..d81fb3d
--- /dev/null
+++ b/src/fs/noseclabelfs/binfmtmiscnoseclabelfs.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block binfmtmisc
+
+ (genfscon "binfmt_misc" "/" fs_context)
+
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/bpfnoseclabelfs.cil b/src/fs/noseclabelfs/bpfnoseclabelfs.cil
new file mode 100644
index 0000000..0a8cf05
--- /dev/null
+++ b/src/fs/noseclabelfs/bpfnoseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block bpf
+
+ (genfscon "bpf" "/" fs_context)
+
+ (blockinherit .noseclabelfs.template))
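Review bot: In src/fs/noseclabelfs/autonoseclabelfs.cil the local `getattr_fs_dirs` macro is declared ahead of `(blockinherit .fs.macro_template_dirs)`, which presumably provides a macro of the same name; the inherited template is not part of this diff, so whether the local one replaces or merely supplements it cannot be read from here. A one-line comment such as `;; local getattr_fs_dirs takes the place of the one from .fs.macro_template_dirs` would record the intent and the dependence on declaration order. The `map_fs_files` macros in cinoseclabelfs.cil, dosnoseclabelfs.cil, fusenoseclabelfs.cil and nfsnoseclabelfs.cil follow the same pattern.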
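Review bot: In src/fs/noseclabelfs/binfmtmiscnoseclabelfs.cil the line `(blockinherit .fs.macro_template_fs)` looks redundant, because `.noseclabelfs.template` already inherits `.fs.macro_template_fs` in src/fs/noseclabelfs.cil. The other blocks in this commit pair that line only with `.noseclabelfs.base_template`, so leaving just `(blockinherit .noseclabelfs.template)` here would match them.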
diff --git a/src/fs/noseclabelfs/cinoseclabelfs.cil b/src/fs/noseclabelfs/cinoseclabelfs.cil
new file mode 100644
index 0000000..41d6da8
--- /dev/null
+++ b/src/fs/noseclabelfs/cinoseclabelfs.cil
@@ -0,0 +1,14 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ci
+
+ (genfscon "cifs" "/" fs_context)
+ (genfscon "smbfs" "/" fs_context)
+
+ (macro map_fs_files ((type ARG1))
+ (allow ARG1 fs (file (map))))
+
+ (blockinherit .noseclabelfs.template)
+
+ (call .rbacsep.exempt.obj.type (fs)))
diff --git a/src/fs/noseclabelfs/confignoseclabelfs.cil b/src/fs/noseclabelfs/confignoseclabelfs.cil
new file mode 100644
index 0000000..770f183
--- /dev/null
+++ b/src/fs/noseclabelfs/confignoseclabelfs.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block config
+
+ (genfscon "configfs" "/" fs_context)
+
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/cpusetnoseclabelfs.cil b/src/fs/noseclabelfs/cpusetnoseclabelfs.cil
new file mode 100644
index 0000000..2b68ae6
--- /dev/null
+++ b/src/fs/noseclabelfs/cpusetnoseclabelfs.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cpuset
+
+ (genfscon "cpuset" "/" fs_context)
+
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/dosnoseclabelfs.cil b/src/fs/noseclabelfs/dosnoseclabelfs.cil
new file mode 100644
index 0000000..77eecc8
--- /dev/null
+++ b/src/fs/noseclabelfs/dosnoseclabelfs.cil
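Review bot: In src/fs/noseclabelfs/cinoseclabelfs.cil both `(allow ARG1 fs (file (map)))` and `(call .rbacsep.exempt.obj.type (fs))` lack any stated reason, and both loosen policy for content that arrives from a remote server. Since every file on these mounts shares the single `fs` type, a caller of `map_fs_files` is granted `map` on every file of every CIFS mount, and the exemption presumably takes the type out of role-based separation (the `rbacsep` block is outside this diff). I would add comments such as `;; files here cannot be labelled individually, so map is granted on the whole filesystem type` and `;; exempt: objects carry no per-role label`, with the wording confirmed by the author. The same two constructs recur in dosnoseclabelfs.cil, fusenoseclabelfs.cil and nfsnoseclabelfs.cil, and the exemption alone in selinuxnoseclabelfs.cil.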
@@ -0,0 +1,21 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block dos
+
+ (genfscon "fat" "/" fs_context)
+ (genfscon "hfs" "/" fs_context)
+ (genfscon "hfsplus" "/" fs_context)
+ (genfscon "msdos" "/" fs_context)
+ (genfscon "ntfs" "/" fs_context)
+ (genfscon "ntfs-3g" "/" fs_context)
+ (genfscon "ntfs3" "/" fs_context)
+ (genfscon "vfat" "/" fs_context)
+ (genfscon "exfat" "/" fs_context)
+
+ (macro map_fs_files ((type ARG1))
+ (allow ARG1 fs (file (map))))
+
+ (blockinherit .noseclabelfs.template)
+
+ (call .rbacsep.exempt.obj.type (fs)))
diff --git a/src/fs/noseclabelfs/drmnoseclabelfs.cil b/src/fs/noseclabelfs/drmnoseclabelfs.cil
new file mode 100644
index 0000000..f467da2
--- /dev/null
+++ b/src/fs/noseclabelfs/drmnoseclabelfs.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block drm
+
+ (genfscon "drm" "/" fs_context)
+
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/efivarnoseclabelfs.cil b/src/fs/noseclabelfs/efivarnoseclabelfs.cil
new file mode 100644
index 0000000..45141a4
--- /dev/null
+++ b/src/fs/noseclabelfs/efivarnoseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block efivar
+
+ (genfscon "efivarfs" "/" fs_context)
+
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/fusenoseclabelfs.cil b/src/fs/noseclabelfs/fusenoseclabelfs.cil
new file mode 100644
index 0000000..b2ac9fc
--- /dev/null
+++ b/src/fs/noseclabelfs/fusenoseclabelfs.cil
@@ -0,0 +1,16 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in fuse
+
+ (genfscon "fuse" "/" fs_context)
+ (genfscon "fuseblk" "/" fs_context)
+ (genfscon "fusectl" "/" fs_context)
+
+ (macro map_fs_files ((type ARG1))
+ (allow ARG1 fs (file (map))))
+
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .noseclabelfs.template)
+
+ (call .rbacsep.exempt.obj.type (fs)))
diff --git a/src/fs/noseclabelfs/iso9660noseclabelfs.cil b/src/fs/noseclabelfs/iso9660noseclabelfs.cil
new file mode 100644
index 0000000..eac7922
--- /dev/null
+++ b/src/fs/noseclabelfs/iso9660noseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block iso9660
+
+ (genfscon "iso9660" "/" fs_context)
+
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/nfsdnoseclabelfs.cil b/src/fs/noseclabelfs/nfsdnoseclabelfs.cil
new file mode 100644
index 0000000..fc0fc01
--- /dev/null
+++ b/src/fs/noseclabelfs/nfsdnoseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block nfsd
+
+ (genfscon "nfsd" "/" fs_context)
+
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/nfsnoseclabelfs.cil b/src/fs/noseclabelfs/nfsnoseclabelfs.cil
new file mode 100644
index 0000000..c8a1f7e
--- /dev/null
+++ b/src/fs/noseclabelfs/nfsnoseclabelfs.cil
@@ -0,0 +1,18 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block nfs
+
+ (genfscon "afs" "/" fs_context)
+ (genfscon "nfs" "/" fs_context)
+ (genfscon "nfs4" "/" fs_context)
+
+ (macro map_fs_files ((type ARG1))
+ (allow ARG1 fs (file (map))))
+
+ (blockinherit .fs.macro_template_fifo_files)
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .fs.macro_template_sock_files)
+ (blockinherit .noseclabelfs.template)
+
+ (call .rbacsep.exempt.obj.type (fs)))
diff --git a/src/fs/noseclabelfs/nsnoseclabelfs.cil b/src/fs/noseclabelfs/nsnoseclabelfs.cil
new file mode 100644
index 0000000..59938c1
--- /dev/null
+++ b/src/fs/noseclabelfs/nsnoseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ns
+
+ (genfscon "nsfs" "/" fs_context)
+
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/procnoseclabelfs.cil b/src/fs/noseclabelfs/procnoseclabelfs.cil
new file mode 100644
index 0000000..f9711c2
--- /dev/null
+++ b/src/fs/noseclabelfs/procnoseclabelfs.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block proc
+
+ (genfscon "proc" "/" fs_context)
+
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/removablenoseclabelfs.cil b/src/fs/noseclabelfs/removablenoseclabelfs.cil
new file mode 100644
index 0000000..95a7e34
--- /dev/null
+++ b/src/fs/noseclabelfs/removablenoseclabelfs.cil
@@ -0,0 +1,6 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in removable
+
+ (blockinherit .noseclabelfs.template))
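Review bot: In src/fs/noseclabelfs/procnoseclabelfs.cil the single `(genfscon "proc" "/" fs_context)` gives every proc entry that is not labelled by some other rule the same type, so policy written against this file cannot tell sensitive kernel interfaces from harmless ones by label. The diffstat is limited to src/fs, so path-specific `genfscon "proc"` entries may well exist elsewhere; if they do, a pointer here would help, e.g. `;; path-specific proc labels are declared in <other file>`. The same question applies to `sysfs` in sysseclabelfs.cil and `selinuxfs` in selinuxnoseclabelfs.cil.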
diff --git a/src/fs/noseclabelfs/rpcpipenoseclabelfs.cil b/src/fs/noseclabelfs/rpcpipenoseclabelfs.cil
new file mode 100644
index 0000000..50db012
--- /dev/null
+++ b/src/fs/noseclabelfs/rpcpipenoseclabelfs.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block rpcpipe
+
+ (genfscon "rpc_pipefs" "/" fs_context)
+
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .noseclabelfs.base_template))
diff --git a/src/fs/noseclabelfs/securitynoseclabelfs.cil b/src/fs/noseclabelfs/securitynoseclabelfs.cil
new file mode 100644
index 0000000..a23e94b
--- /dev/null
+++ b/src/fs/noseclabelfs/securitynoseclabelfs.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block security
+
+ (genfscon "securityfs" "/" fs_context)
+
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/noseclabelfs/selinuxnoseclabelfs.cil b/src/fs/noseclabelfs/selinuxnoseclabelfs.cil
new file mode 100644
index 0000000..d0c7063
--- /dev/null
+++ b/src/fs/noseclabelfs/selinuxnoseclabelfs.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in selinux
+
+ (genfscon "selinuxfs" "/" fs_context)
+
+ (blockinherit .noseclabelfs.template)
+
+ (call .rbacsep.exempt.obj.type (fs)))
diff --git a/src/fs/noseclabelfs/udfnoseclabelfs.cil b/src/fs/noseclabelfs/udfnoseclabelfs.cil
new file mode 100644
index 0000000..61c8ec2
--- /dev/null
+++ b/src/fs/noseclabelfs/udfnoseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block udf
+
+ (genfscon "udf" "/" fs_context)
+
+ (blockinherit .noseclabelfs.template))
diff --git a/src/fs/seclabelfs.cil b/src/fs/seclabelfs.cil
new file mode 100644
index 0000000..eb31584
--- /dev/null
+++ b/src/fs/seclabelfs.cil
@@ -0,0 +1,37 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block seclabelfs
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit .fs.all_macro_template_fs)
+
+ (blockinherit .file.all_macro_template_all_files)
+ (blockinherit .file.all_macro_template_blk_files)
+ (blockinherit .file.all_macro_template_chr_files)
+ (blockinherit .file.all_macro_template_dirs)
+ (blockinherit .file.all_macro_template_fifo_files)
+ (blockinherit .file.all_macro_template_files)
+ (blockinherit .file.all_macro_template_lnk_files)
+ (blockinherit .file.all_macro_template_sock_files)
+
+ (call .fs.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .fs.base_template)
+
+ (call .seclabelfs.type (fs)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .seclabelfs.base_template)))
diff --git a/src/fs/seclabelfs/cgroupseclabelfs.cil b/src/fs/seclabelfs/cgroupseclabelfs.cil
new file mode 100644
index 0000000..07c63a2
--- /dev/null
+++ b/src/fs/seclabelfs/cgroupseclabelfs.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cgroup
+
+ (genfscon "cgroup" "/" fs_context)
+ (genfscon "cgroup2" "/" fs_context)
+
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .seclabelfs.template))
diff --git a/src/fs/seclabelfs/debugseclabelfs.cil b/src/fs/seclabelfs/debugseclabelfs.cil
new file mode 100644
index 0000000..b406228
--- /dev/null
+++ b/src/fs/seclabelfs/debugseclabelfs.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in debug
+
+ (genfscon "debugfs" "/" fs_context)
+
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .seclabelfs.template))
diff --git a/src/fs/seclabelfs/devptsseclabelfs.cil b/src/fs/seclabelfs/devptsseclabelfs.cil
new file mode 100644
index 0000000..4c5827c
--- /dev/null
+++ b/src/fs/seclabelfs/devptsseclabelfs.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block devpts
+
+ (fsuse trans "devpts" fs_context)
+
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_chr_files)
+ (blockinherit .fs.macro_template_fs)
+ (blockinherit .seclabelfs.base_template))
diff --git a/src/fs/seclabelfs/devtmpseclabelfs.cil b/src/fs/seclabelfs/devtmpseclabelfs.cil
new file mode 100644
index 0000000..ff814e6
--- /dev/null
+++ b/src/fs/seclabelfs/devtmpseclabelfs.cil
@@ -0,0 +1,16 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block devtmp
+
+ (fsuse trans "devtmpfs" fs_context)
+
+ (blockinherit .fs.macro_template_all_files)
+ (blockinherit .fs.macro_template_blk_files)
+ (blockinherit .fs.macro_template_chr_files)
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_fifo_files)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .fs.macro_template_sock_files)
+ (blockinherit .seclabelfs.template))
diff --git a/src/fs/seclabelfs/eventpollseclabelfs.cil b/src/fs/seclabelfs/eventpollseclabelfs.cil
new file mode 100644
index 0000000..058bb7b
--- /dev/null
+++ b/src/fs/seclabelfs/eventpollseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block eventpoll
+
+ (fsuse task "eventpollfs" fs_context)
+
+ (blockinherit .seclabelfs.base_template))
diff --git a/src/fs/seclabelfs/hugetlbseclabelfs.cil b/src/fs/seclabelfs/hugetlbseclabelfs.cil
new file mode 100644
index 0000000..1b0857e
--- /dev/null
+++ b/src/fs/seclabelfs/hugetlbseclabelfs.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block hugetlb
+
+ (fsuse trans "hugetlbfs" fs_context)
+
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .seclabelfs.template))
diff --git a/src/fs/seclabelfs/mqueueseclabelfs.cil b/src/fs/seclabelfs/mqueueseclabelfs.cil
new file mode 100644
index 0000000..553389f
--- /dev/null
+++ b/src/fs/seclabelfs/mqueueseclabelfs.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mqueue
+
+ (fsuse trans "mqueue" fs_context)
+
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .seclabelfs.template))
diff --git a/src/fs/seclabelfs/pipeseclabelfs.cil b/src/fs/seclabelfs/pipeseclabelfs.cil
new file mode 100644
index 0000000..c115ff5
--- /dev/null
+++ b/src/fs/seclabelfs/pipeseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block pipe
+
+ (fsuse task "pipefs" fs_context)
+
+ (blockinherit .seclabelfs.base_template))
diff --git a/src/fs/seclabelfs/pstoreseclabelfs.cil b/src/fs/seclabelfs/pstoreseclabelfs.cil
new file mode 100644
index 0000000..96d6272
--- /dev/null
+++ b/src/fs/seclabelfs/pstoreseclabelfs.cil
@@ -0,0 +1,12 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block pstore
+
+ (genfscon "pstore" "/" fs_context)
+
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .seclabelfs.template)
+
+ (allow fs self (filesystem (associate))))
diff --git a/src/fs/seclabelfs/rootseclabelfs.cil b/src/fs/seclabelfs/rootseclabelfs.cil
new file mode 100644
index 0000000..d345922
--- /dev/null
+++ b/src/fs/seclabelfs/rootseclabelfs.cil
@@ -0,0 +1,13 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in root
+
+ (genfscon "rootfs" "/" fs_context)
+
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_fifo_files)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .fs.macro_template_sock_files)
+ (blockinherit .seclabelfs.template))
diff --git a/src/fs/seclabelfs/sockseclabelfs.cil b/src/fs/seclabelfs/sockseclabelfs.cil
new file mode 100644
index 0000000..6c8eeee
--- /dev/null
+++ b/src/fs/seclabelfs/sockseclabelfs.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block sock
+
+ (fsuse task "sockfs" fs_context)
+
+ (blockinherit .seclabelfs.base_template))
diff --git a/src/fs/seclabelfs/sysseclabelfs.cil b/src/fs/seclabelfs/sysseclabelfs.cil
new file mode 100644
index 0000000..946a5ef
--- /dev/null
+++ b/src/fs/seclabelfs/sysseclabelfs.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in sys
+
+ (genfscon "sysfs" "/" fs_context)
+
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .seclabelfs.template))
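Review bot: In src/fs/seclabelfs/pstoreseclabelfs.cil the trailing `(allow fs self (filesystem (associate)))` is the only per-filesystem associate rule among the seclabelfs members; cgroupseclabelfs.cil, debugseclabelfs.cil, rootseclabelfs.cil, sysseclabelfs.cil and traceseclabelfs.cil also use `genfscon` but add none. If pstore really is the exception, a comment like `;; pstore entries keep the filesystem type, so fs must associate with itself` would say why (reason inferred, to be confirmed by the author). If the others need it too, the rule belongs in src/fs/seclabelfs.cil next to `(call .fs.type (typeattr))`, mirroring `(allow typeattr self (filesystem (associate)))` in noseclabelfs.cil.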
diff --git a/src/fs/seclabelfs/tmpseclabelfs.cil b/src/fs/seclabelfs/tmpseclabelfs.cil
new file mode 100644
index 0000000..9563056
--- /dev/null
+++ b/src/fs/seclabelfs/tmpseclabelfs.cil
@@ -0,0 +1,18 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block tmp
+
+ (fsuse trans "ramfs" fs_context)
+ (fsuse trans "shm" fs_context)
+ (fsuse trans "tmpfs" fs_context)
+
+ (blockinherit .fs.macro_template_all_files)
+ (blockinherit .fs.macro_template_blk_files)
+ (blockinherit .fs.macro_template_chr_files)
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_fifo_files)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .fs.macro_template_lnk_files)
+ (blockinherit .fs.macro_template_sock_files)
+ (blockinherit .seclabelfs.template))
diff --git a/src/fs/seclabelfs/traceseclabelfs.cil b/src/fs/seclabelfs/traceseclabelfs.cil
new file mode 100644
index 0000000..4aab6df
--- /dev/null
+++ b/src/fs/seclabelfs/traceseclabelfs.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block trace
+
+ (genfscon "tracefs" "/" fs_context)
+
+ (blockinherit .fs.macro_template_dirs)
+ (blockinherit .fs.macro_template_files)
+ (blockinherit .seclabelfs.template))
diff --git a/src/fs/seclabelfs/xattrseclabelfs.cil b/src/fs/seclabelfs/xattrseclabelfs.cil
new file mode 100644
index 0000000..fbe482d
--- /dev/null
+++ b/src/fs/seclabelfs/xattrseclabelfs.cil
@@ -0,0 +1,35 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block xattr
+
+ (fsuse xattr "btrfs" fs_context)
+ (fsuse xattr "ceph" fs_context)
+ (fsuse xattr "encfs" fs_context)
+ (fsuse xattr "erofs" fs_context)
+ (fsuse xattr "ext2" fs_context)
+ (fsuse xattr "ext3" fs_context)
+ (fsuse xattr "ext4" fs_context)
+ (fsuse xattr "ext4dev" fs_context)
+ (fsuse xattr "f2fs" fs_context)
+ (fsuse xattr "gfs" fs_context)
+ (fsuse xattr "gfs2" fs_context)
+ (fsuse xattr "gpfs" fs_context)
+ (fsuse xattr "incremental-fs" fs_context)
+ (fsuse xattr "jffs2" fs_context)
+ (fsuse xattr "jfs" fs_context)
+ (fsuse xattr "lustre" fs_context)
+ (fsuse xattr "ocfs2" fs_context)
+ (fsuse xattr "odms" fs_context)
+ (fsuse xattr "overlay" fs_context)
+ (fsuse xattr "shiftfs" fs_context)
+ (fsuse xattr "squashfs" fs_context)
+ (fsuse xattr "ubifs" fs_context)
+ (fsuse xattr "virtiofs" fs_context)
+ (fsuse xattr "vxclonefs" fs_context)
+ (fsuse xattr "vxfs" fs_context)
+ (fsuse xattr "xfs" fs_context)
+ (fsuse xattr "yaffs2" fs_context)
+ (fsuse xattr "zfs" fs_context)
+
+ (blockinherit .seclabelfs.template)) |
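Review bot: The `fsuse xattr` list in src/fs/seclabelfs/xattrseclabelfs.cil mixes filesystems that always store security xattrs with ones where that depends on the backing store or daemon, such as `overlay` and `virtiofs`. A mount whose instance cannot serve `security.selinux` is treated differently from one that can, and how it is treated depends on the kernel version, so the dependency is worth recording next to the list, for example `;; fsuse xattr requires security xattr support on every mounted instance; overlay and virtiofs depend on their backing store`. Several entries (`odms`, `vxclonefs`, `vxfs`, `gpfs`) appear to be out-of-tree filesystems, and a comment marking them as such would help later pruning.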