selinux-policy/policy/modules/kernel/storage.if

753 lines
17 KiB
Plaintext
Raw Normal View History

## <summary>Policy controlling access to storage devices</summary>
2005-05-18 20:59:38 +00:00
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to get the attributes of fixed disk
## device nodes.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`storage_getattr_fixed_disk_dev',`
gen_require(`
type fixed_disk_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file getattr;
')
2005-05-18 20:59:38 +00:00
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts made by the caller to get
## the attributes of fixed disk device nodes.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`storage_dontaudit_getattr_fixed_disk_dev',`
gen_require(`
type fixed_disk_device_t;
')
dontaudit $1 fixed_disk_device_t:blk_file getattr;
dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl
')
2005-05-18 20:59:38 +00:00
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to set the attributes of fixed disk
## device nodes.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`storage_setattr_fixed_disk_dev',`
gen_require(`
type fixed_disk_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file setattr;
')
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts made by the caller to set
## the attributes of fixed disk device nodes.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`storage_dontaudit_setattr_fixed_disk_dev',`
gen_require(`
type fixed_disk_device_t;
')
2005-11-10 21:37:54 +00:00
dontaudit $1 fixed_disk_device_t:blk_file setattr;
')
2005-04-20 19:07:16 +00:00
2005-05-18 20:59:38 +00:00
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to directly read from a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`storage_raw_read_fixed_disk',`
gen_require(`
attribute fixed_disk_raw_read;
type fixed_disk_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
2006-12-12 20:08:08 +00:00
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
2007-08-07 17:06:32 +00:00
allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
typeattribute $1 fixed_disk_raw_read;
2005-04-14 20:18:17 +00:00
')
2005-05-18 20:59:38 +00:00
########################################
2005-09-21 20:01:40 +00:00
## <summary>
## Do not audit attempts made by the caller to read
## fixed disk device nodes.
## </summary>
## <param name="domain">
## <summary>
2005-09-21 20:01:40 +00:00
## The type of the process to not audit.
## </summary>
2005-09-21 20:01:40 +00:00
## </param>
#
interface(`storage_dontaudit_read_fixed_disk',`
gen_require(`
type fixed_disk_device_t;
2005-09-21 20:01:40 +00:00
')
dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
2005-09-21 20:01:40 +00:00
')
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to directly write to a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`storage_raw_write_fixed_disk',`
gen_require(`
attribute fixed_disk_raw_write;
type fixed_disk_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
2006-12-12 20:08:08 +00:00
allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
2007-08-07 17:06:32 +00:00
allow $1 fixed_disk_device_t:chr_file write_chr_file_perms;
typeattribute $1 fixed_disk_raw_write;
2005-04-14 20:18:17 +00:00
')
2006-01-20 22:02:24 +00:00
########################################
## <summary>
## Do not audit attempts made by the caller to write
## fixed disk device nodes.
## </summary>
## <param name="domain">
## <summary>
2006-01-20 22:02:24 +00:00
## Domain to not audit.
## </summary>
2006-01-20 22:02:24 +00:00
## </param>
#
interface(`storage_dontaudit_write_fixed_disk',`
gen_require(`
type fixed_disk_device_t;
2006-01-20 22:02:24 +00:00
')
2006-12-12 20:08:08 +00:00
dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms;
2006-01-20 22:02:24 +00:00
')
########################################
## <summary>
2008-12-03 19:16:20 +00:00
## Allow the caller to directly read and write to a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </summary>
## <param name="domain">
2008-12-03 19:16:20 +00:00
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`storage_raw_rw_fixed_disk',`
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
')
2005-05-30 21:17:20 +00:00
########################################
2005-06-28 17:32:57 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Create, read, write, and delete fixed disk device nodes.
2005-06-28 17:32:57 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-05-30 21:17:20 +00:00
#
interface(`storage_manage_fixed_disk',`
gen_require(`
attribute fixed_disk_raw_read, fixed_disk_raw_write;
type fixed_disk_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
2007-06-11 15:01:10 +00:00
allow $1 self:capability mknod;
2006-12-12 20:08:08 +00:00
allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
2009-03-05 15:49:41 +00:00
allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms;
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
2005-07-08 20:44:57 +00:00
')
########################################
## <summary>
## Create block devices in /dev with the fixed disk type
## via an automatic type transition.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`storage_dev_filetrans_fixed_disk',`
gen_require(`
type fixed_disk_device_t;
')
dev_filetrans($1, fixed_disk_device_t, blk_file)
')
########################################
## <summary>
## Create block devices in on a tmpfs filesystem with the
## fixed disk type via an automatic type transition.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`storage_tmpfs_filetrans_fixed_disk',`
gen_require(`
type fixed_disk_device_t;
')
fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file)
')
2005-06-28 17:32:57 +00:00
########################################
## <summary>
## Relabel fixed disk device nodes.
## </summary>
## <param name="domain">
## <summary>
2005-06-28 17:32:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-28 17:32:57 +00:00
## </param>
#
interface(`storage_relabel_fixed_disk',`
gen_require(`
type fixed_disk_device_t;
')
dev_list_all_dev_nodes($1)
2006-12-12 20:08:08 +00:00
allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
2005-06-28 17:32:57 +00:00
')
########################################
## <summary>
## Enable a fixed disk device as swap space
## </summary>
## <param name="domain">
## <summary>
2005-06-28 17:32:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-28 17:32:57 +00:00
## </param>
#
interface(`storage_swapon_fixed_disk',`
gen_require(`
type fixed_disk_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file { getattr swapon };
')
2007-10-29 18:35:32 +00:00
########################################
## <summary>
## Allow the caller to get the attributes
## of device nodes of fuse devices.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`storage_getattr_fuse_dev',`
gen_require(`
type fuse_device_t;
')
dev_list_all_dev_nodes($1)
allow $1 fuse_device_t:chr_file getattr;
')
########################################
## <summary>
## read or write fuse device interfaces.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`storage_rw_fuse',`
gen_require(`
type fuse_device_t;
')
allow $1 fuse_device_t:chr_file rw_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read or write
## fuse device interfaces.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`storage_dontaudit_rw_fuse',`
gen_require(`
type fuse_device_t;
')
dontaudit $1 fuse_device_t:chr_file rw_file_perms;
')
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to get the attributes of
## the generic SCSI interface device nodes.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`storage_getattr_scsi_generic_dev',`
gen_require(`
type scsi_generic_device_t;
')
dev_list_all_dev_nodes($1)
2005-09-29 13:32:28 +00:00
allow $1 scsi_generic_device_t:chr_file getattr;
')
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to set the attributes of
## the generic SCSI interface device nodes.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`storage_setattr_scsi_generic_dev',`
gen_require(`
type scsi_generic_device_t;
')
dev_list_all_dev_nodes($1)
2005-09-29 13:32:28 +00:00
allow $1 scsi_generic_device_t:chr_file setattr;
')
2005-05-18 20:59:38 +00:00
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to directly read, in a
## generic fashion, from any SCSI device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`storage_read_scsi_generic',`
gen_require(`
attribute scsi_generic_read;
type scsi_generic_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
2006-12-12 20:08:08 +00:00
allow $1 scsi_generic_device_t:chr_file read_chr_file_perms;
typeattribute $1 scsi_generic_read;
2005-04-14 20:18:17 +00:00
')
2005-05-18 20:59:38 +00:00
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to directly write, in a
## generic fashion, from any SCSI device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-04-14 20:18:17 +00:00
#
interface(`storage_write_scsi_generic',`
gen_require(`
attribute scsi_generic_write;
type scsi_generic_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
2006-12-12 20:08:08 +00:00
allow $1 scsi_generic_device_t:chr_file write_chr_file_perms;
typeattribute $1 scsi_generic_write;
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Set attributes of the device nodes
## for the SCSI generic inerface.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`storage_setattr_scsi_generic_dev_dev',`
gen_require(`
type scsi_generic_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
2005-09-29 13:32:28 +00:00
allow $1 scsi_generic_device_t:chr_file setattr;
')
2006-01-20 22:02:24 +00:00
########################################
## <summary>
## Do not audit attempts to read or write
## SCSI generic device interfaces.
## </summary>
## <param name="domain">
## <summary>
2006-01-20 22:02:24 +00:00
## Domain to not audit.
## </summary>
2006-01-20 22:02:24 +00:00
## </param>
#
interface(`storage_dontaudit_rw_scsi_generic',`
gen_require(`
type scsi_generic_device_t;
')
dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
')
2005-05-18 20:59:38 +00:00
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to get the attributes of removable
## devices device nodes.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-04-14 20:18:17 +00:00
#
2006-02-02 21:08:12 +00:00
interface(`storage_getattr_removable_dev',`
gen_require(`
type removable_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file getattr;
2005-04-14 20:18:17 +00:00
')
2005-05-18 20:59:38 +00:00
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts made by the caller to get
## the attributes of removable devices device nodes.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`storage_dontaudit_getattr_removable_dev',`
gen_require(`
type removable_device_t;
')
dontaudit $1 removable_device_t:blk_file getattr;
')
2005-09-16 14:54:36 +00:00
########################################
## <summary>
## Do not audit attempts made by the caller to read
## removable devices device nodes.
## </summary>
## <param name="domain">
## <summary>
2005-09-16 14:54:36 +00:00
## The type of the process to not audit.
## </summary>
2005-09-16 14:54:36 +00:00
## </param>
#
interface(`storage_dontaudit_read_removable_device',`
gen_require(`
type removable_device_t;
2005-09-16 14:54:36 +00:00
')
dontaudit $1 removable_device_t:blk_file { getattr ioctl read };
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to set the attributes of removable
## devices device nodes.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-04-14 20:18:17 +00:00
#
2006-02-02 21:08:12 +00:00
interface(`storage_setattr_removable_dev',`
gen_require(`
type removable_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file setattr;
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Do not audit attempts made by the caller to set
## the attributes of removable devices device nodes.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process to not audit.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`storage_dontaudit_setattr_removable_dev',`
gen_require(`
type removable_device_t;
')
dontaudit $1 removable_device_t:blk_file setattr;
')
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to directly read from
## a removable device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
interface(`storage_raw_read_removable_device',`
gen_require(`
type removable_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
2006-12-12 20:08:08 +00:00
allow $1 removable_device_t:blk_file read_blk_file_perms;
')
2006-01-20 22:02:24 +00:00
########################################
## <summary>
## Do not audit attempts to directly read removable devices.
## </summary>
## <param name="domain">
## <summary>
2006-01-20 22:02:24 +00:00
## Domain to not audit.
## </summary>
2006-01-20 22:02:24 +00:00
## </param>
#
interface(`storage_dontaudit_raw_read_removable_device',`
gen_require(`
type removable_device_t;
')
2006-12-12 20:08:08 +00:00
dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
2006-01-20 22:02:24 +00:00
')
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to directly write to
## a removable device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
interface(`storage_raw_write_removable_device',`
gen_require(`
type removable_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
2006-12-12 20:08:08 +00:00
allow $1 removable_device_t:blk_file write_blk_file_perms;
')
2006-01-20 22:02:24 +00:00
########################################
## <summary>
## Do not audit attempts to directly write removable devices.
## </summary>
## <param name="domain">
## <summary>
2006-01-20 22:02:24 +00:00
## Domain to not audit.
## </summary>
2006-01-20 22:02:24 +00:00
## </param>
#
interface(`storage_dontaudit_raw_write_removable_device',`
gen_require(`
type removable_device_t;
')
2006-12-12 20:08:08 +00:00
dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
2006-01-20 22:02:24 +00:00
')
2005-04-14 20:18:17 +00:00
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to directly read
## a tape device.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-04-14 20:18:17 +00:00
#
2006-02-02 21:08:12 +00:00
interface(`storage_read_tape',`
gen_require(`
type tape_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
2006-12-12 20:08:08 +00:00
allow $1 tape_device_t:chr_file read_chr_file_perms;
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to directly read
## a tape device.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
2005-04-14 20:18:17 +00:00
#
2006-02-02 21:08:12 +00:00
interface(`storage_write_tape',`
gen_require(`
type tape_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
2006-12-12 20:08:08 +00:00
allow $1 tape_device_t:chr_file write_chr_file_perms;
2005-04-14 20:18:17 +00:00
')
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to get the attributes
## of device nodes of tape devices.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`storage_getattr_tape_dev',`
gen_require(`
type tape_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
2005-09-29 13:32:28 +00:00
allow $1 tape_device_t:chr_file getattr;
')
########################################
2005-07-05 20:59:51 +00:00
## <summary>
2005-06-23 21:30:57 +00:00
## Allow the caller to set the attributes
## of device nodes of tape devices.
2005-07-05 20:59:51 +00:00
## </summary>
2005-06-23 21:30:57 +00:00
## <param name="domain">
## <summary>
2005-06-23 21:30:57 +00:00
## The type of the process performing this action.
## </summary>
2005-06-23 21:30:57 +00:00
## </param>
#
2006-02-02 21:08:12 +00:00
interface(`storage_setattr_tape_dev',`
gen_require(`
type tape_device_t;
')
2005-06-13 16:22:32 +00:00
dev_list_all_dev_nodes($1)
2005-09-29 13:32:28 +00:00
allow $1 tape_device_t:chr_file setattr;
')
2005-07-05 20:59:51 +00:00
########################################
## <summary>
## Unconfined access to storage devices.
## </summary>
## <param name="domain">
## <summary>
2005-07-05 20:59:51 +00:00
## Domain allowed access.
## </summary>
2005-07-05 20:59:51 +00:00
## </param>
#
interface(`storage_unconfined',`
gen_require(`
attribute storage_unconfined_type;
2005-07-05 20:59:51 +00:00
')
typeattribute $1 storage_unconfined_type;
2005-07-05 20:59:51 +00:00
')