;; SPDX-FileCopyrightText: © 2025 Dominick Grift
;; SPDX-License-Identifier: Unlicense

;; Filesystem labeling and type-transition glue for the "sys" (base system)
;; namespace.  Most blocks below follow one pattern:
;;   - filecon entries label a path tree with the block's own types,
;;   - *_file_type_transition_* macros let a caller domain create a named
;;     entry (e.g. "log") inside a parent directory type and have it land on
;;     this block's type,
;;   - *.associate_fs calls let the block's file type live on a filesystem it
;;     did not get labeled from (tmpfs, rootfs, devtmpfs).
;; A filecon with an empty context, "()", matches the path but assigns no
;; label, so relabeling tools leave whatever the filesystem/genfscon gave it.

;; Initial SID context for the first userspace process.
(sidcontext init (sys.id sys.role sys.subj sys.lowlow)) ;; userspace_initial_context

;; /usr/lib: shared libraries; reachable from both .data (/usr) and .root (/)
;; parent types, and under both "lib" and "lib64" names.
(in lib
 (filecon "/usr/lib" dir file_context)
 (filecon "/usr/lib/.*" any file_context)
 (macro data_file_type_transition_file ((type ARG1))
  (call .data.file_type_transition (ARG1 file dir "lib"))
  (call .data.file_type_transition (ARG1 file dir "lib64")))
 (macro root_file_type_transition_file ((type ARG1))
  (call .root.file_type_transition (ARG1 file dir "lib"))
  (call .root.file_type_transition (ARG1 file dir "lib64"))))

;; /var/log.  The tmpfs association covers log trees kept on a tmpfs.
(in log
 (filecon "/var/log" dir file_context)
 (filecon "/var/log/.*" any file_context)
 (macro var_file_type_transition_file ((type ARG1))
  (call .var.file_type_transition (ARG1 file dir "log")))
 (call .tmp.associate_fs (file)))

;; fsck artefacts: lost+found directories at every mount point that is
;; labeled separately, plus the ext .journal file (left unlabeled).
;; One transition macro per parent namespace so a filesystem checker can
;; create lost+found anywhere with the right type.
(in lostfound
 (filecon "/\.journal" file ())
 (filecon "/lost\+found" dir file_context)
 (filecon "/boot/\.journal" file ())
 (filecon "/boot/lost\+found" dir file_context)
 (filecon "/etc/\.journal" file ())
 (filecon "/etc/lost\+found" dir file_context)
 (filecon "/home/\.journal" file ())
 (filecon "/home/lost\+found" dir file_context)
 (filecon "/opt/\.journal" file ())
 (filecon "/opt/lost\+found" dir file_context)
 (filecon "/run/\.journal" file ())
 (filecon "/run/lost\+found" dir file_context)
 (filecon "/srv/\.journal" file ())
 (filecon "/srv/lost\+found" dir file_context)
 (filecon "/tmp/\.journal" file ())
 (filecon "/tmp/lost\+found" dir file_context)
 (filecon "/usr/\.journal" file ())
 (filecon "/usr/lost\+found" dir file_context)
 (filecon "/usr/tmp/\.journal" file ())
 (filecon "/usr/tmp/lost\+found" dir file_context)
 (filecon "/var/\.journal" file ())
 (filecon "/var/lost\+found" dir file_context)
 (filecon "/var/cache/\.journal" file ())
 (filecon "/var/cache/lost\+found" dir file_context)
 (filecon "/var/db/\.journal" file ())
 (filecon "/var/db/lost\+found" dir file_context)
 (filecon "/var/lib/\.journal" file ())
 (filecon "/var/lib/lost\+found" dir file_context)
 (filecon "/var/log/\.journal" file ())
 (filecon "/var/log/lost\+found" dir file_context)
 (filecon "/var/run/\.journal" file ())
 (filecon "/var/run/lost\+found" dir file_context)
 (filecon "/var/spool/\.journal" file ())
 (filecon "/var/spool/lost\+found" dir file_context)
 (filecon "/var/tmp/\.journal" file ())
 (filecon "/var/tmp/lost\+found" dir file_context)
 ;; Note the filecon regex escapes "+" while the transition name is the
 ;; literal directory name "lost+found".
 (macro boot_file_type_transition_file ((type ARG1))
  (call .boot.file_type_transition (ARG1 file dir "lost+found")))
 (macro cache_file_type_transition_file ((type ARG1))
  (call .cache.file_type_transition (ARG1 file dir "lost+found")))
 (macro conf_file_type_transition_file ((type ARG1))
  (call .conf.file_type_transition (ARG1 file dir "lost+found")))
 (macro data_file_type_transition_file ((type ARG1))
  (call .data.file_type_transition (ARG1 file dir "lost+found")))
 (macro db_file_type_transition_file ((type ARG1))
  (call .db.file_type_transition (ARG1 file dir "lost+found")))
 (macro home_file_type_transition_file ((type ARG1))
  (call .home.file_type_transition (ARG1 file dir "lost+found")))
 (macro log_file_type_transition_file ((type ARG1))
  (call .log.file_type_transition (ARG1 file dir "lost+found")))
 (macro root_file_type_transition_file ((type ARG1))
  (call .root.file_type_transition (ARG1 file dir "lost+found")))
 (macro run_file_type_transition_file ((type ARG1))
  (call .run.file_type_transition (ARG1 file dir "lost+found")))
 (macro spool_file_type_transition_file ((type ARG1))
  (call .spool.file_type_transition (ARG1 file dir "lost+found")))
 (macro state_file_type_transition_file ((type ARG1))
  (call .state.file_type_transition (ARG1 file dir "lost+found")))
 (macro tmp_file_type_transition_file ((type ARG1))
  (call .tmp.file_type_transition (ARG1 file dir "lost+found")))
 (macro var_file_type_transition_file ((type ARG1))
  (call .var.file_type_transition (ARG1 file dir "lost+found"))))

;; /var/spool/mail (also reachable as "mail" directly under the .var type,
;; matching the /var/spool/mail symlink labeled in the var block below).
(in mail.spool
 (filecon "/var/spool/mail" dir file_context)
 (filecon "/var/spool/mail/.*" any file_context)
 (macro spool_file_type_transition_file ((type ARG1))
  (call .spool.file_type_transition (ARG1 file dir "mail")))
 (macro var_file_type_transition_file ((type ARG1))
  (call .var.file_type_transition (ARG1 file dir "mail"))))

;; Removable-media mount points.  Only the mount-point directories (and the
;; /media/cdrom symlink) are labeled; anything beneath them is left
;; unlabeled here so the mounted filesystem's own labels apply.
(in media
 (filecon "/media" dir file_context)
 (filecon "/media/cdrom" symlink file_context)
 (filecon "/media/.*" any ())
 (filecon "/mnt" dir file_context)
 (filecon "/mnt/.*" any ())
 (filecon "/run/media" dir file_context)
 (filecon "/run/media/.*" any ())
 (macro root_file_type_transition_file ((type ARG1))
  (call .root.file_type_transition (ARG1 file dir "media"))
  (call .root.file_type_transition (ARG1 file dir "mnt")))
 (macro run_file_type_transition_file ((type ARG1))
  (call .run.file_type_transition (ARG1 file dir "media")))
 (call .tmp.associate_fs (file)))

;; /usr/lib/modules: kernel modules, a child of the lib type above.
(in mod
 (filecon "/usr/lib/modules" dir file_context)
 (filecon "/usr/lib/modules/.*" any file_context)
 (macro lib_file_type_transition_file ((type ARG1))
  (call .lib.file_type_transition (ARG1 file dir "modules"))))

;; /dev/mqueue (POSIX message queue fs): labeled via its own fs type, not by
;; file_contexts; the self-associate rule lets the fs type carry its objects.
(in mqueue
 (filecon "/dev/mqueue" dir ())
 (filecon "/dev/mqueue/.*" any ())
 (allow fs self (filesystem (associate))))

;; /proc: the mount point directory gets the fs type; contents are labeled
;; by the kernel (genfscon), so nothing below /proc is assigned here.
(in proc
 (filecon "/proc" dir fs_context)
 (filecon "/proc/.*" any ())
 (macro root_file_type_transition_fs ((type ARG1))
  (call .root.file_type_transition (ARG1 fs dir "proc")))
 (call .xattr.associate_fs (fs)))

;; /sys/fs/pstore: kernel-labeled, nothing assigned from file_contexts.
(in pstore
 (filecon "/sys/fs/pstore" dir ())
 (filecon "/sys/fs/pstore/.*" any ()))

;; Root filesystem: the /usr/bin and /usr/lib compatibility symlinks keep the
;; root file type (their targets are labeled by their own blocks).
(in root
 (filecon "/usr/bin" symlink file_context)
 (filecon "/usr/lib" symlink file_context)
 (allow fs self (filesystem (associate))))

;; /run/rpc_pipefs: kernel-labeled (NFS/rpc pipefs), nothing assigned here.
(in rpcpipe
 (filecon "/run/rpc_pipefs" dir ())
 (filecon "/run/rpc_pipefs/.*" any ()))

;; /run: reachable as "run" under both / and /var.  The rootfs association
;; covers a /run that exists on the root filesystem before tmpfs is mounted.
(in run
 (filecon "/run" dir file_context)
 (filecon "/run/.*" any file_context)
 (macro root_file_type_transition_file ((type ARG1))
  (call .root.file_type_transition (ARG1 file dir "run")))
 (macro var_file_type_transition_file ((type ARG1))
  (call .var.file_type_transition (ARG1 file dir "run")))
 (call .root.associate_fs (file)))

;; /run/lock: only the top directory and /run/lock/subsys carry the runlock
;; type; other entries below /run/lock are left to other modules.
(in runlock
 (filecon "/run/lock" dir file_context)
 (filecon "/run/lock/.*" any ())
 (filecon "/run/lock/subsys" dir file_context)
 (macro run_file_type_transition_file ((type ARG1))
  (call .run.file_type_transition (ARG1 file dir "lock")))
 (macro var_file_type_transition_file ((type ARG1))
  (call .var.file_type_transition (ARG1 file dir "lock"))))

;; /run/user: per-user runtime directories.
(in runuser
 (filecon "/run/user" dir file_context)
 (filecon "/run/user/.*" any file_context)
 (macro run_file_type_transition_file ((type ARG1))
  (call .run.file_type_transition (ARG1 file dir "user"))))

;; securityfs and selinuxfs: kernel-labeled pseudo filesystems.
(in security
 (filecon "/sys/kernel/security" dir ())
 (filecon "/sys/kernel/security/.*" any ()))

(in selinux
 (filecon "/sys/fs/selinux" dir ())
 (filecon "/sys/fs/selinux/.*" any ()))

;; /var/spool.
(in spool
 (filecon "/var/spool" dir file_context)
 (filecon "/var/spool/.*" any file_context)
 (macro var_file_type_transition_file ((type ARG1))
  (call .var.file_type_transition (ARG1 file dir "spool"))))

;; /usr/src.
(in src
 (filecon "/usr/src" dir file_context)
 (filecon "/usr/src/.*" any file_context)
 (macro data_file_type_transition_file ((type ARG1))
  (call .data.file_type_transition (ARG1 file dir "src"))))

;; /var/lib: persistent state.  Also allowed on the root filesystem.
(in state
 (filecon "/var/lib" dir file_context)
 (filecon "/var/lib/.*" any file_context)
 (macro var_file_type_transition_file ((type ARG1))
  (call .var.file_type_transition (ARG1 file dir "lib")))
 (call .root.associate_fs (file)))

;; The sys namespace itself: /sys (sysfs) mount point plus the type
;; transitions the sys domain (sys.subj) gets for objects it creates under
;; /tmp, tmpfs, hugetlbfs and mqueuefs.
;; NOTE(review): "*" is passed as the object name of these transitions.  CIL
;; has no wildcard object names, so this only works if the called
;; *_type_transition macros (defined outside this file) treat "*" specially;
;; confirm against their definitions.
(in sys
 (filecon "/sys" dir fs_context)
 (filecon "/sys/.*" any ())
 (macro root_file_type_transition_fs ((type ARG1))
  (call .root.file_type_transition (ARG1 fs dir "sys")))
 (allow fs self (filesystem (associate)))
 (call hugetlbfs.hugetlb_fs_type_transition_file (subj "*"))
 (call mqueuefs.mqueue_fs_type_transition_file (subj "*"))
 (call tmp.tmp_file_type_transition_file (subj dir "*"))
 (call tmp.tmp_file_type_transition_file (subj fifo_file "*"))
 (call tmp.tmp_file_type_transition_file (subj file "*"))
 (call tmp.tmp_file_type_transition_file (subj lnk_file "*"))
 (call tmp.tmp_file_type_transition_file (subj sock_file "*"))
 (call tmpfs.tmp_fs_type_transition_file (subj dir "*"))
 (call tmpfs.tmp_fs_type_transition_file (subj fifo_file "*"))
 (call tmpfs.tmp_fs_type_transition_file (subj file "*"))
 (call tmpfs.tmp_fs_type_transition_file (subj lnk_file "*"))
 (call tmpfs.tmp_fs_type_transition_file (subj sock_file "*"))
 (call .tmp.sys_tmp_file_type_transition_file (subj))
 (call .xattr.associate_fs (fs)))

;; /root: the superuser's home directory.
;; NOTE(review): this is the only root_file_type_transition_file macro in
;; this file that calls .root.fs_type_transition instead of
;; .root.file_type_transition (compare media, run, tmp, var).  That is
;; correct only if "/" itself carries the root fs type rather than the root
;; file type; verify against the root module before changing either side.
(in sys.home
 (filecon "/root" dir file_context)
 (filecon "/root/.*" any file_context)
 (macro root_file_type_transition_file ((type ARG1))
  (call .root.fs_type_transition (ARG1 file dir "root"))))

;; Per-filesystem wrappers used by the sys block above: transition from the
;; named parent fs/file type into this sub-namespace's file type.
(in sys.hugetlbfs
 (macro hugetlb_fs_type_transition_file ((type ARG1)(name ARG2))
  (call .hugetlb.fs_type_transition (ARG1 file file ARG2))))

(in sys.mqueuefs
 (macro mqueue_fs_type_transition_file ((type ARG1)(name ARG2))
  (call .mqueue.fs_type_transition (ARG1 file file ARG2))))

(in sys.tmp
 (macro tmp_file_type_transition_file ((type ARG1)(class ARG2)(name ARG3))
  (call .tmp.file_type_transition (ARG1 file ARG2 ARG3))))

(in sys.tmpfs
 (macro tmp_fs_type_transition_file ((type ARG1)(class ARG2)(name ARG3))
  (call .tmp.fs_type_transition (ARG1 file ARG2 ARG3))))

;; The unconfined attribute gets the full "system" class (reboot, reload,
;; start, status, stop) against sys.subj.  This is a deliberately broad grant;
;; anything placed in sys.unconfined.typeattr can manage the service manager.
(in sys.unconfined
 (allow typeattr subj (system (reboot reload start status stop))))

;; /tmp and friends.  /dev/shm is a tmpfs mount point (fs type); the sticky
;; X11/ICE/font socket directories under /tmp are explicitly labeled so
;; other modules can transition their sockets there.  The devtmpfs
;; association covers the early-boot /dev tmpfs.
(in tmp
 (filecon "/dev/shm" dir fs_context)
 (filecon "/dev/shm/.*" any ())
 (filecon "/run/initramfs/.*" any ())
 (filecon "/tmp" dir file_context)
 (filecon "/tmp/.*" any ())
 (filecon "/tmp/\.font-unix" dir file_context)
 (filecon "/tmp/\.font-unix/.*" any ())
 (filecon "/tmp/\.ICE-unix" dir file_context)
 (filecon "/tmp/\.ICE-unix/.*" any ())
 (filecon "/tmp/\.Test-unix" dir file_context)
 (filecon "/tmp/\.Test-unix/.*" any ())
 (filecon "/tmp/\.X11-unix" dir file_context)
 (filecon "/tmp/\.X11-unix/.*" any ())
 (filecon "/tmp/\.XIM-unix" dir file_context)
 (filecon "/tmp/\.XIM-unix/.*" any ())
 (macro data_file_type_transition_file ((type ARG1))
  (call .data.file_type_transition (ARG1 file dir "tmp")))
 (macro root_file_type_transition_file ((type ARG1))
  (call .root.file_type_transition (ARG1 file dir "tmp")))
 (macro sys_tmp_file_type_transition_file ((type ARG1))
  (call .sys.tmp.file_type_transition (ARG1 file dir "tmp")))
 (macro var_file_type_transition_file ((type ARG1))
  (call .var.file_type_transition (ARG1 file dir "tmp")))
 (allow fs self (filesystem (associate)))
 (call .devtmp.associate_fs (fs)))

;; /sys/kernel/tracing (tracefs): kernel-labeled, nothing assigned here.
(in trace
 (filecon "/sys/kernel/tracing" dir ())
 (filecon "/sys/kernel/tracing/.*" any ()))

;; /var and /srv.  The /run, /run/lock and /var/spool/mail symlinks are
;; labeled with the var type; their targets are labeled by run, runlock and
;; mail.spool above.
(in var
 (filecon "/run" symlink file_context)
 (filecon "/run/lock" symlink file_context)
 (filecon "/srv" dir file_context)
 (filecon "/srv/.*" any file_context)
 (filecon "/var" dir file_context)
 (filecon "/var/.*" any file_context)
 (filecon "/var/spool/mail" symlink file_context)
 (macro root_file_type_transition_file ((type ARG1))
  (call .root.file_type_transition (ARG1 file dir "srv"))
  (call .root.file_type_transition (ARG1 file dir "var"))))

;; Compatibility alias: dpkg_script_t resolves to sys.subj, so anything that
;; references the legacy name (presumably Debian packaging tooling — confirm)
;; runs in the base system domain rather than a dedicated one.
(typealias dpkg_script_t)
(in sys
 (typealiasactual dpkg_script_t subj))

;; Declared off here; presumably consulted by the xserver module's object
;; manager rules (not visible in this file).
(boolean xserver_object_manager false)