2005-04-20 19:07:16 +00:00
|
|
|
# Copyright (C) 2005 Tresys Technology, LLC
|
|
|
|
|
2005-04-26 17:00:25 +00:00
|
|
|
policy_module(storage,1.0)
|
|
|
|
|
2005-05-06 21:36:11 +00:00
|
|
|
attribute fixed_disk_raw_read;
|
|
|
|
attribute fixed_disk_raw_write;
|
|
|
|
attribute scsi_generic_read;
|
|
|
|
attribute scsi_generic_write;
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
|
|
|
# fixed_disk_device_t is the type of
|
|
|
|
# /dev/hd* and /dev/sd*.
|
|
|
|
#
|
|
|
|
type fixed_disk_device_t;
|
2005-05-06 21:36:11 +00:00
|
|
|
devices_make_device_node(fixed_disk_device_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
|
|
|
neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
|
|
|
|
neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
|
|
|
|
|
2005-05-06 21:36:11 +00:00
|
|
|
#
|
|
|
|
# lvm_vg_t is the type of logical volume groups
|
|
|
|
#
|
2005-04-29 20:35:49 +00:00
|
|
|
type lvm_vg_t;
|
|
|
|
devices_make_device_node(lvm_vg_t)
|
|
|
|
|
2005-05-06 21:36:11 +00:00
|
|
|
# from the subject's point of view, same as read/writing a regular
|
|
|
|
# fixed disk, so use the same assertions as above
|
|
|
|
neverallow ~fixed_disk_raw_read lvm_vg_t:{ chr_file blk_file } read;
|
|
|
|
neverallow ~fixed_disk_raw_write lvm_vg_t:{ chr_file blk_file } { append write };
|
|
|
|
|
2005-04-14 20:18:17 +00:00
|
|
|
#
|
|
|
|
# scsi_generic_device_t is the type of /dev/sg*
|
|
|
|
# it gives access to ALL SCSI devices (both fixed and removable)
|
|
|
|
#
|
|
|
|
type scsi_generic_device_t;
|
2005-05-06 21:36:11 +00:00
|
|
|
devices_make_device_node(scsi_generic_device_t)
|
2005-04-14 20:18:17 +00:00
|
|
|
|
|
|
|
neverallow ~scsi_generic_read scsi_generic_device_t:{ chr_file blk_file } read;
|
|
|
|
neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { append write };
|
|
|
|
|
|
|
|
#
|
|
|
|
# removable_device_t is the type of
|
|
|
|
# /dev/scd* and /dev/fd*.
|
|
|
|
#
|
|
|
|
type removable_device_t;
|
|
|
|
devices_make_device_node(removable_device_t)
|
|
|
|
|
|
|
|
#
|
|
|
|
# tape_device_t is the type of
|
|
|
|
#
|
|
|
|
type tape_device_t;
|
|
|
|
devices_make_device_node(tape_device_t)
|