selinux-policy/policy/modules/kernel/storage.te

61 lines
1.5 KiB
Plaintext
Raw Normal View History

2005-04-20 19:07:16 +00:00
policy_module(storage, 1.8.1)
2005-06-30 18:54:08 +00:00
########################################
#
# Declarations
#
attribute fixed_disk_raw_read;
attribute fixed_disk_raw_write;
attribute scsi_generic_read;
attribute scsi_generic_write;
attribute storage_unconfined_type;
2005-04-14 20:18:17 +00:00
#
2009-11-24 16:11:38 +00:00
# fixed_disk_device_t is the type of
2005-04-14 20:18:17 +00:00
# /dev/hd* and /dev/sd*.
#
type fixed_disk_device_t;
2005-06-13 16:22:32 +00:00
dev_node(fixed_disk_device_t)
2005-04-14 20:18:17 +00:00
neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
2005-04-14 20:18:17 +00:00
2007-10-29 18:35:32 +00:00
#
# fuse_device_t is the type of /dev/fuse
#
type fuse_device_t;
dev_node(fuse_device_t)
2005-04-14 20:18:17 +00:00
#
# scsi_generic_device_t is the type of /dev/sg*
# it gives access to ALL SCSI devices (both fixed and removable)
#
type scsi_generic_device_t;
2005-06-13 16:22:32 +00:00
dev_node(scsi_generic_device_t)
2005-04-14 20:18:17 +00:00
neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read;
neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write };
2005-04-14 20:18:17 +00:00
#
# removable_device_t is the type of
# /dev/scd* and /dev/fd*.
#
type removable_device_t;
2005-06-13 16:22:32 +00:00
dev_node(removable_device_t)
2005-04-14 20:18:17 +00:00
#
# tape_device_t is the type of
#
type tape_device_t;
2005-06-13 16:22:32 +00:00
dev_node(tape_device_t)
########################################
#
# Unconfined access to this module
#
allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;