# Sample SELinux Labeling Policy File

# Syntax of 'file_contexts' file and other SELinux configuration files:

/usr/lib/.*/program/foo\.so -- user:role:type:s0:c0-dsds.sd:sdsd
/.* system_u:object_r:default_t:s0
/sys(/.*)? system_u:object_r:sysfs_t:s0
/xen(/.*)? system_u:object_r:xen_image_t:s1
/mnt(/[^/]*)? -d system_u:object_r:mnt_t:s1-5
/mnt(/[^/]*)? -l system_u:object_r:mnt_t:s0.s2
/tmp/.* <>
/root(/.*)? system_u:object_r:admin_home_t:s0
/dev/[0-9].* -c system_u:object_r:usb_device_t:s0
/run/.*\.*pid <>
/mnt/[^/]*/.* <>
/etc/[mg]dm(/.*)? system_u:object_r:xdm_etc_t:s5-s6:c0
/dev/(misc/)?psaux -c system_u:object_r:mouse_device_t:s0-s3:c0.c5

HOME_DIR/.+ system_u:object_r:user_home_t:s0
HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t:s0
HOME_DIR/\.cache/google-chrome(/.*)? system_u:object_r:chrome_sandbox_home_t:s0

/dev/(misc/)?rtc[0-9]* -c system_u:object_r:clock_device_t:s0-s2:c1
/var/(db|adm)/sudo(/.*)? system_u:object_r:pam_var_run_t:s0
/dev/pcd[0-3] -b system_u:object_r:removable_device_t:s0
/etc/ppp(/.*)? -- system_u:object_r:pppd_etc_rw_t:s0
/var/www(/.*)? system_u:object_r:httpd_sys_content_t:s0
/usr/lib(.*/)?bin(/.*)? system_u:object_r:bin_t:s0
/dev/shm/.* <>
/usr/lib/(sse2/)?hello-.*\.so.* -- system_u:object_r:textrel_shlib_t:s0
/sbin/grub.* -- system_u:object_r:bootloader_exec_t:s0.s3
/sbin/lilo.* -- system_u:object_r:bootloader_exec_t:s0
/etc/group[-\+]? -- system_u:object_r:passwd_file_t:s0:c1-c5
/etc/rc\.d/init\.d/mpd -- system_u:object_r:mpd_initrc_exec_t:s0


# Syntax of *.fc files, from the SELinux reference policy:

/run/sudo/ts/%{USERNAME} gen_context(system_u:object_r:pam_var_run_t,s0,c0)
/etc/aiccu\.conf -- gen_context(system_u:object_r:aiccu_etc_t,s0-s2,c1.c5)
HOME_DIR/\.mtpz-data -- gen_context(system_u:object_r:libmtp_home_t,s0)
/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
/dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/dasd[^/]* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
HOME_ROOT -d gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh,s1)
HOME_ROOT -l gen_context(system_u:object_r:home_root_t,s0)

ifdef(`distro_debian',`
/run/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
/run/shm/.* <>
')
ifdef(`distro_suse',`
/success -- gen_context(system_u:object_r:etc_runtime_t,s0)
')
ifdef(`init_systemd',`
/run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
')

# Android contexts

android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
* u:object_r:default_android_hwservice:s0
ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
sys.usb.mtp.device_type u:object_r:exported2_system_prop:s0 exact int

# Tests

# Variables
HOME_DIR/path
HOME_ROOT/path
/path/HOME_DIR/HOME_ROOT

# Open brackets
/hello(world
/hello[wo

/path[^0-8]+
/path(hello|bye)
/path.*a+b?
/path\wa\Wa\sa\da\ba\Ba\(a
/usr/hi\"esc\sesc\032esc\*3esds

# Security contexts
user:role
user:role:
user:role:type
user:role:type:level_sensitivity
user:role:type:level_sensitivity:level_category
user:role:type:level_sensitivity:level_category:other:other
user:role:type:level_sensitivity:level_category-sens:cat:other
user:role:type:s0.s1.s3:c0.c1,c2,c3 - s5.s6:c4,c5:other
user : role : type : s0 . s1 . s3 : c0 . c1 , c2 , c3 - s5 . s6 : c4 , c5 : other
user:role:type:s0,other

(user:role:type,)
(user:role:type,level_s,)
(user:role:type,level_s,level_c)
(user:role:type,level_s,level_c,other,other,other)
(user:role:type:level_s:level_c,other,other)
(user:role:type:level_s:level_c:other,other,other)

us er:role:type:level_s:level_c
user:ro le:type:level_s:level_c
user:role:ty pe:level_s:level_c
user:role:type:lev el_s:level_c
user:role:type:level_s:lev el_c

(u ser:role:type,level_s,level_c,other,other)
(user:ro le:type,level_s,level_c,other,other)
(user:role:ty pe,level_s,level_c,other,other)
(user:role:type,le vel_s,level_c,other,other)
(user:role:type,level_s,le vel_c,other,other)

( user :role:type, level_s , level_c , other )
( user:role:type, level_s , level_c , other )