Devices patch from Dan Walsh.

policy/modules/kernel/devices.fc

@@ -16,13 +16,16 @@
 /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/autofs.*		-c	gen_context(system_u:object_r:autofs_device_t,s0)
 /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/btrfs-control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
 /dev/controlD64		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/dahdi/.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/elographics/e2201	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/etherd/.+		-c	gen_context(system_u:object_r:lvm_control_t,s0)
 /dev/event.*		-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
@@ -61,6 +64,7 @@
 /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/misc/dlm.*		-c	gen_context(system_u:object_r:dlm_control_device_t,s0)
 /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/modem		-c	gen_context(system_u:object_r:modem_device_t,s0)
@@ -80,6 +84,7 @@
 /dev/pcfclock.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
 /dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/pps.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/rmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/radeon		-c	gen_context(system_u:object_r:dri_device_t,s0)
@@ -98,6 +103,8 @@
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tpm[0-9]*		-c	gen_context(system_u:object_r:tpm_device_t,s0)
+/dev/uinput		-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/uio[0-9]+		-c	gen_context(system_u:object_r:userio_device_t,s0)
 /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
 /dev/ub[a-c]		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)

policy/modules/kernel/devices.if

@@ -477,6 +477,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
 	dontaudit $1 device_t:chr_file setattr;
 ')
 
+########################################
+## <summary>
+##	Read and write generic character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:chr_file rw_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to set the attributes
@@ -824,6 +842,24 @@ interface(`dev_dontaudit_read_all_blk_files',`
 	dontaudit $1 device_node:blk_file { getattr read };
 ')
 
+########################################
+## <summary>
+##	Dontaudit write on all block file device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_write_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_node:blk_file write;
+')
+
 ########################################
 ## <summary>
 ##	Dontaudit read on all character file device nodes.
@@ -842,6 +878,24 @@ interface(`dev_dontaudit_read_all_chr_files',`
 	dontaudit $1 device_node:chr_file { getattr read };
 ')
 
+########################################
+## <summary>
+##	Dontaudit write on all character file device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_write_all_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_node:chr_file write;
+')
+
 ########################################
 ## <summary>
 ##	Create all block device files.
@@ -1405,6 +1459,42 @@ interface(`dev_rw_crypto',`
 	rw_chr_files_pattern($1, device_t, crypt_device_t)
 ')
 
+#######################################
+## <summary>
+##	Set the attributes of the dlm control devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_dlm_control',`
+	gen_require(`
+	type device_t, kvm_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
+')
+
+#######################################
+## <summary>
+##	Read and write the the dlm control device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_dlm_control',`
+	gen_require(`
+		type device_t, dlm_control_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, dlm_control_device_t)
+')
+
 ########################################
 ## <summary>
 ##	getattr the dri devices.
@@ -1733,6 +1823,24 @@ interface(`dev_read_kmsg',`
 	read_chr_files_pattern($1, device_t, kmsg_device_t)
 ')
 
+########################################
+## <summary>
+##	Write to the kernel messages device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_kmsg',`
+	gen_require(`
+		type device_t, kmsg_device_t;
+	')
+
+	write_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Get the attributes of the ksm devices.
@@ -2044,6 +2152,25 @@ interface(`dev_read_raw_memory',`
 	typeattribute $1 memory_raw_read;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read raw memory devices
+##	(e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_read_raw_memory',`
+	gen_require(`
+		type memory_device_t;
+	')
+
+	dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Write raw memory devices (e.g. /dev/mem).
@@ -2454,6 +2581,25 @@ interface(`dev_write_mtrr',`
 	dev_rw_mtrr($1)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to write the memory type
+##	range registers (MTRR).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_write_mtrr',`
+	gen_require(`
+		type mtrr_device_t;
+	')
+
+	dontaudit $1 mtrr_device_t:chr_file write;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the memory type range registers (MTRR).
@@ -3775,6 +3921,24 @@ interface(`dev_getattr_video_dev',`
 	getattr_chr_files_pattern($1, device_t, v4l_device_t)
 ')
 
+######################################
+## <summary>
+##	Read and write userio device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_userio_dev',`
+	gen_require(`
+		type device_t, userio_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, userio_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes

policy/modules/kernel/devices.te

@@ -1,5 +1,5 @@
 
-policy_module(devices, 1.9.2)
+policy_module(devices, 1.9.3)
 
 ########################################
 #
@@ -59,6 +59,12 @@ dev_node(cpu_device_t)
 type crypt_device_t;
 dev_node(crypt_device_t)
 
+#
+# dlm_misc_device_t is the type of /dev/misc/dlm.*
+#
+type dlm_control_device_t;
+dev_node(dlm_control_device_t)
+
 type dri_device_t;
 dev_node(dri_device_t)
 
@@ -232,6 +238,12 @@ genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
 type usb_device_t;
 dev_node(usb_device_t)
 
+#
+# userio_device_t is the type for /dev/uio[0-9]+
+#
+type userio_device_t;
+dev_node(userio_device_t)
+
 type v4l_device_t;
 dev_node(v4l_device_t)