2005-05-16 21:10:33 +00:00
|
|
|
## <summary>Policy controlling access to storage devices</summary>
|
|
|
|
|
|
2005-05-18 20:59:38 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to get the attributes of fixed disk
|
|
|
|
|
## device nodes.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_getattr_fixed_disk',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type fixed_disk_device_t;
|
|
|
|
|
class blk_file getattr;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-06-03 12:25:14 +00:00
|
|
|
allow $1 fixed_disk_device_t:blk_file getattr;
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
|
2005-05-18 20:59:38 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Do not audit attempts made by the caller to get
|
|
|
|
|
## the attributes of fixed disk device nodes.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process to not audit.
|
|
|
|
|
## </param>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_dontaudit_getattr_fixed_disk',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type fixed_disk_device_t;
|
|
|
|
|
class blk_file getattr;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
|
dontaudit $1 fixed_disk_device_t:blk_file getattr;
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
|
2005-05-18 20:59:38 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to set the attributes of fixed disk
|
|
|
|
|
## device nodes.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_setattr_fixed_disk',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type fixed_disk_device_t;
|
|
|
|
|
class blk_file setattr;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-06-03 12:25:14 +00:00
|
|
|
allow $1 fixed_disk_device_t:blk_file setattr;
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
|
2005-06-16 20:33:51 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Do not audit attempts made by the caller to set
|
|
|
|
|
## the attributes of fixed disk device nodes.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process to not audit.
|
|
|
|
|
## </param>
|
2005-06-16 20:33:51 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_dontaudit_setattr_fixed_disk',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type fixed_disk_device_t;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-11-10 21:37:54 +00:00
|
|
|
dontaudit $1 fixed_disk_device_t:blk_file setattr;
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
2005-04-20 19:07:16 +00:00
|
|
|
|
2005-05-18 20:59:38 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to directly read from a fixed disk.
|
|
|
|
|
## This is extremly dangerous as it can bypass the
|
|
|
|
|
## SELinux protections for filesystem objects, and
|
|
|
|
|
## should only be used by trusted domains.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_raw_read_fixed_disk',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
attribute fixed_disk_raw_read;
|
|
|
|
|
type fixed_disk_device_t;
|
|
|
|
|
class blk_file r_file_perms;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-06-03 12:25:14 +00:00
|
|
|
allow $1 fixed_disk_device_t:blk_file r_file_perms;
|
|
|
|
|
typeattribute $1 fixed_disk_raw_read;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
2005-05-18 20:59:38 +00:00
|
|
|
########################################
|
2005-09-21 20:01:40 +00:00
|
|
|
## <summary>
|
|
|
|
|
## Do not audit attempts made by the caller to read
|
|
|
|
|
## fixed disk device nodes.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process to not audit.
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`storage_dontaudit_read_fixed_disk',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type fixed_disk_device_t;
|
|
|
|
|
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to directly write to a fixed disk.
|
|
|
|
|
## This is extremly dangerous as it can bypass the
|
|
|
|
|
## SELinux protections for filesystem objects, and
|
|
|
|
|
## should only be used by trusted domains.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_raw_write_fixed_disk',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
attribute fixed_disk_raw_write;
|
|
|
|
|
type fixed_disk_device_t;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-10-21 21:35:25 +00:00
|
|
|
allow $1 fixed_disk_device_t:blk_file { getattr write append ioctl };
|
2005-06-03 12:25:14 +00:00
|
|
|
typeattribute $1 fixed_disk_raw_write;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
2005-05-30 21:17:20 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Create block devices in /dev with the fixed disk type.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-05-30 21:17:20 +00:00
|
|
|
#
|
2005-06-29 14:26:41 +00:00
|
|
|
interface(`storage_create_fixed_disk',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
|
|
|
|
type fixed_disk_device_t;
|
|
|
|
|
class blk_file create_file_perms;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
|
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_create_dev_node($1,fixed_disk_device_t,blk_file)
|
2005-06-03 12:25:14 +00:00
|
|
|
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
2005-05-30 21:17:20 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
2005-06-28 17:32:57 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Create, read, write, and delete fixed disk device nodes.
|
2005-06-28 17:32:57 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-05-30 21:17:20 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_manage_fixed_disk',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
|
|
|
|
type fixed_disk_device_t;
|
|
|
|
|
class blk_file create_file_perms;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-06-03 12:25:14 +00:00
|
|
|
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
|
|
|
|
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
2005-05-30 21:17:20 +00:00
|
|
|
')
|
|
|
|
|
|
2005-07-08 20:44:57 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Create fixed disk device nodes on a tmpfs filesystem.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`storage_create_fixed_disk_tmpfs',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
|
|
|
|
type fixed_disk_device_t;
|
|
|
|
|
class blk_file create_file_perms;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
|
|
|
|
fs_create_tmpfs_data($1,fixed_disk_device_t,blk_file)
|
|
|
|
|
|
|
|
|
|
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
|
|
|
|
')
|
|
|
|
|
|
2005-06-28 17:32:57 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Relabel fixed disk device nodes.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`storage_relabel_fixed_disk',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type fixed_disk_device_t;
|
|
|
|
|
class blk_file { relabelfrom relabelto };
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
dev_list_all_dev_nodes($1)
|
|
|
|
|
allow $1 fixed_disk_device_t:blk_file { relabelfrom relabelto };
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Enable a fixed disk device as swap space
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`storage_swapon_fixed_disk',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type fixed_disk_device_t;
|
|
|
|
|
class blk_file { getattr swapon };
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
dev_list_all_dev_nodes($1)
|
|
|
|
|
allow $1 fixed_disk_device_t:blk_file { getattr swapon };
|
|
|
|
|
')
|
|
|
|
|
|
2005-05-18 20:59:38 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to directly read from a logical volume.
|
|
|
|
|
## This is extremly dangerous as it can bypass the
|
|
|
|
|
## SELinux protections for filesystem objects, and
|
|
|
|
|
## should only be used by trusted domains.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-05-06 21:36:11 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_raw_read_lvm_volume',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
attribute fixed_disk_raw_read;
|
|
|
|
|
type lvm_vg_t;
|
|
|
|
|
class blk_file r_file_perms;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-06-03 12:25:14 +00:00
|
|
|
allow $1 lvm_vg_t:blk_file r_file_perms;
|
|
|
|
|
typeattribute $1 fixed_disk_raw_read;
|
2005-05-06 21:36:11 +00:00
|
|
|
')
|
|
|
|
|
|
2005-05-18 20:59:38 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to directly read from a logical volume.
|
|
|
|
|
## This is extremly dangerous as it can bypass the
|
|
|
|
|
## SELinux protections for filesystem objects, and
|
|
|
|
|
## should only be used by trusted domains.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-05-06 21:36:11 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_raw_write_lvm_volume',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
attribute fixed_disk_raw_write;
|
|
|
|
|
type lvm_vg_t;
|
|
|
|
|
class blk_file { getattr write ioctl };
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-06-03 12:25:14 +00:00
|
|
|
allow $1 lvm_vg_t:blk_file { getattr write ioctl };
|
|
|
|
|
typeattribute $1 fixed_disk_raw_write;
|
2005-05-06 21:36:11 +00:00
|
|
|
')
|
|
|
|
|
|
2005-06-20 17:41:29 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to get the attributes of
|
|
|
|
|
## the generic SCSI interface device nodes.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-06-20 17:41:29 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_getattr_scsi_generic',`
|
2005-06-20 17:41:29 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type scsi_generic_device_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
dev_list_all_dev_nodes($1)
|
2005-09-29 13:32:28 +00:00
|
|
|
allow $1 scsi_generic_device_t:chr_file getattr;
|
2005-06-20 17:41:29 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to set the attributes of
|
|
|
|
|
## the generic SCSI interface device nodes.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-06-20 17:41:29 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_setattr_scsi_generic',`
|
2005-06-20 17:41:29 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type scsi_generic_device_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
dev_list_all_dev_nodes($1)
|
2005-09-29 13:32:28 +00:00
|
|
|
allow $1 scsi_generic_device_t:chr_file setattr;
|
2005-06-20 17:41:29 +00:00
|
|
|
')
|
|
|
|
|
|
2005-05-18 20:59:38 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to directly read, in a
|
|
|
|
|
## generic fashion, from any SCSI device.
|
|
|
|
|
## This is extremly dangerous as it can bypass the
|
|
|
|
|
## SELinux protections for filesystem objects, and
|
|
|
|
|
## should only be used by trusted domains.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_read_scsi_generic',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
attribute scsi_generic_read;
|
|
|
|
|
type scsi_generic_device_t;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-09-23 19:38:34 +00:00
|
|
|
allow $1 scsi_generic_device_t:chr_file r_file_perms;
|
2005-06-03 12:25:14 +00:00
|
|
|
typeattribute $1 scsi_generic_read;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
2005-05-18 20:59:38 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to directly write, in a
|
|
|
|
|
## generic fashion, from any SCSI device.
|
|
|
|
|
## This is extremly dangerous as it can bypass the
|
|
|
|
|
## SELinux protections for filesystem objects, and
|
|
|
|
|
## should only be used by trusted domains.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_write_scsi_generic',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
attribute scsi_generic_write;
|
|
|
|
|
type scsi_generic_device_t;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-09-29 13:32:28 +00:00
|
|
|
allow $1 scsi_generic_device_t:chr_file { getattr write ioctl };
|
2005-06-03 12:25:14 +00:00
|
|
|
typeattribute $1 scsi_generic_write;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
2005-04-22 19:31:32 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Get attributes of the device nodes
|
|
|
|
|
## for the SCSI generic inerface.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-04-22 19:31:32 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_getattr_scsi_generic',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type scsi_generic_device_t;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-09-29 13:32:28 +00:00
|
|
|
allow $1 scsi_generic_device_t:chr_file getattr;
|
2005-04-22 19:31:32 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Set attributes of the device nodes
|
|
|
|
|
## for the SCSI generic inerface.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-04-22 19:31:32 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_set_scsi_generic_attributes',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type scsi_generic_device_t;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-09-29 13:32:28 +00:00
|
|
|
allow $1 scsi_generic_device_t:chr_file setattr;
|
2005-04-22 19:31:32 +00:00
|
|
|
')
|
|
|
|
|
|
2005-05-18 20:59:38 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to get the attributes of removable
|
|
|
|
|
## devices device nodes.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_getattr_removable_device',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type removable_device_t;
|
|
|
|
|
class blk_file getattr;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-06-03 12:25:14 +00:00
|
|
|
allow $1 removable_device_t:blk_file getattr;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
2005-05-18 20:59:38 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Do not audit attempts made by the caller to get
|
|
|
|
|
## the attributes of removable devices device nodes.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process to not audit.
|
|
|
|
|
## </param>
|
2005-05-16 21:10:33 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_dontaudit_getattr_removable_device',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type removable_device_t;
|
|
|
|
|
class blk_file getattr;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
|
|
|
|
dontaudit $1 removable_device_t:blk_file getattr;
|
2005-05-16 21:10:33 +00:00
|
|
|
')
|
|
|
|
|
|
2005-09-16 14:54:36 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Do not audit attempts made by the caller to read
|
|
|
|
|
## removable devices device nodes.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process to not audit.
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`storage_dontaudit_read_removable_device',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type removable_device_t;
|
|
|
|
|
class blk_file { getattr ioctl read };
|
|
|
|
|
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
dontaudit $1 removable_device_t:blk_file { getattr ioctl read };
|
|
|
|
|
')
|
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to set the attributes of removable
|
|
|
|
|
## devices device nodes.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_setattr_removable_device',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type removable_device_t;
|
|
|
|
|
class blk_file setattr;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-06-03 12:25:14 +00:00
|
|
|
allow $1 removable_device_t:blk_file setattr;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
2005-06-20 17:41:29 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Do not audit attempts made by the caller to set
|
|
|
|
|
## the attributes of removable devices device nodes.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process to not audit.
|
|
|
|
|
## </param>
|
2005-06-20 17:41:29 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_dontaudit_setattr_removable_device',`
|
2005-06-20 17:41:29 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type removable_device_t;
|
|
|
|
|
class blk_file setattr;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
dontaudit $1 removable_device_t:blk_file setattr;
|
|
|
|
|
')
|
|
|
|
|
|
2005-04-22 19:31:32 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to directly read from
|
|
|
|
|
## a removable device.
|
|
|
|
|
## This is extremly dangerous as it can bypass the
|
|
|
|
|
## SELinux protections for filesystem objects, and
|
|
|
|
|
## should only be used by trusted domains.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-04-22 19:31:32 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_raw_read_removable_device',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type removable_device_t;
|
|
|
|
|
class blk_file r_file_perms;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-06-03 12:25:14 +00:00
|
|
|
allow $1 removable_device_t:blk_file r_file_perms;
|
2005-04-22 19:31:32 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to directly write to
|
|
|
|
|
## a removable device.
|
|
|
|
|
## This is extremly dangerous as it can bypass the
|
|
|
|
|
## SELinux protections for filesystem objects, and
|
|
|
|
|
## should only be used by trusted domains.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-04-22 19:31:32 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_raw_write_removable_device',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type removable_device_t;
|
|
|
|
|
class blk_file { getattr write ioctl };
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-06-03 12:25:14 +00:00
|
|
|
allow $1 removable_device_t:blk_file { getattr write ioctl };
|
2005-04-22 19:31:32 +00:00
|
|
|
')
|
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to directly read
|
|
|
|
|
## a tape device.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_read_tape_device',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type tape_device_t;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-09-23 19:38:34 +00:00
|
|
|
allow $1 tape_device_t:chr_file r_file_perms;
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to directly read
|
|
|
|
|
## a tape device.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_write_tape_device',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type tape_device_t;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-09-29 13:32:28 +00:00
|
|
|
allow $1 tape_device_t:chr_file { getattr write ioctl };
|
2005-04-14 20:18:17 +00:00
|
|
|
')
|
|
|
|
|
|
2005-04-22 19:31:32 +00:00
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to get the attributes
|
|
|
|
|
## of device nodes of tape devices.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-04-22 19:31:32 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_getattr_tape_device',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type tape_device_t;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-09-29 13:32:28 +00:00
|
|
|
allow $1 tape_device_t:chr_file getattr;
|
2005-04-22 19:31:32 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
2005-07-05 20:59:51 +00:00
|
|
|
## <summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## Allow the caller to set the attributes
|
|
|
|
|
## of device nodes of tape devices.
|
2005-07-05 20:59:51 +00:00
|
|
|
## </summary>
|
2005-06-23 21:30:57 +00:00
|
|
|
## <param name="domain">
|
|
|
|
|
## The type of the process performing this action.
|
|
|
|
|
## </param>
|
2005-04-22 19:31:32 +00:00
|
|
|
#
|
2005-06-22 19:21:31 +00:00
|
|
|
interface(`storage_setattr_tape_device',`
|
2005-06-16 20:33:51 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type tape_device_t;
|
|
|
|
|
')
|
2005-06-03 12:25:14 +00:00
|
|
|
|
2005-06-13 16:22:32 +00:00
|
|
|
dev_list_all_dev_nodes($1)
|
2005-09-29 13:32:28 +00:00
|
|
|
allow $1 tape_device_t:chr_file setattr;
|
2005-04-22 19:31:32 +00:00
|
|
|
')
|
|
|
|
|
|
2005-07-05 20:59:51 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Unconfined access to storage devices.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`storage_unconfined',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type fixed_disk_device_t, removable_device_t;
|
|
|
|
|
type lvm_vg_t, scsi_generic_device_t, tape_device_t;
|
2005-09-14 00:30:10 +00:00
|
|
|
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
|
|
|
|
attribute scsi_generic_read, scsi_generic_write;
|
2005-07-05 20:59:51 +00:00
|
|
|
')
|
|
|
|
|
|
2005-09-29 13:32:28 +00:00
|
|
|
allow $1 { fixed_disk_device_t removable_device_t lvm_vg_t }:blk_file *;
|
|
|
|
|
allow $1 { scsi_generic_device_t tape_device_t }:chr_file *;
|
2005-07-05 20:59:51 +00:00
|
|
|
|
|
|
|
|
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
|
|
|
|
typeattribute $1 scsi_generic_read, scsi_generic_write;
|
|
|
|
|
')
|
