trunk: devices patch from dan.

2009-03-05 15:36:41 +00:00 · 2009-03-05 15:36:41 +00:00 · 7b76207e37
commit 7b76207e37
parent be5aaebfd6
3 changed files with 515 additions and 9 deletions
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@ -3,6 +3,8 @@
 /dev/.*				gen_context(system_u:object_r:device_t,s0)

 /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/[0-9].*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/3dfx		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/admmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/adsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/(misc/)?agpgart	-c	gen_context(system_u:object_r:agp_device_t,s0)
@ -12,44 +14,65 @@
 /dev/apm_bios		-c	gen_context(system_u:object_r:apm_bios_t,s0)
 /dev/atibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/autofs.*		-c	gen_context(system_u:object_r:autofs_device_t,s0)
 /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
+/dev/elographics/e2201	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/event.*		-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
 /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/gfx		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/graphics		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/gtrsc.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
+/dev/hfmodem		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hidraw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/hwrng		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
+/dev/inportbm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/ipmi[0-9]+		-c	gen_context(system_u:object_r:ipmi_device_t,s0)
+/dev/ipmi/[0-9]+	-c	gen_context(system_u:object_r:ipmi_device_t,s0)
 /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
+/dev/jbm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+/dev/kqemu		-c	gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
+/dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/mga_vid.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/msr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/network_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/network_throughput	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
 /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
 /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/opengl		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/par.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/patmgr[01]		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/pc110pad		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/pcfclock.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
 /dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
@ -69,17 +92,18 @@
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
-/dev/usbmon[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)
-/dev/usbdev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
-/dev/usb[0-9]+		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/ub[a-c]		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vboxadd.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vrtpanel		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/watchdog		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
@ -91,14 +115,20 @@ ifdef(`distro_suse', `

 /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)

-/dev/cpu/.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/cpu_dma_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/cpu.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/cpu/mtrr		-c	gen_context(system_u:object_r:mtrr_device_t,s0)

+/dev/bometric/sensor.*	-c	gen_context(system_u:object_r:event_device_t,s0)
+
 /dev/dri/.+		-c	gen_context(system_u:object_r:dri_device_t,s0)

 /dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)

+/dev/input/.*		-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/input/m.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/input/.*mouse.*	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/keyboard.*	-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
@ -106,10 +136,15 @@ ifdef(`distro_suse', `

 /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)

+/dev/mvideo/.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+
 /dev/pts(/.*)?			<<none>>

 /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)

+/dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+
 /dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@ -65,7 +65,7 @@ interface(`dev_relabel_all_dev_nodes',`

 	relabelfrom_dirs_pattern($1, device_t, device_node)
 	relabelfrom_files_pattern($1, device_t, device_node)
-	relabelfrom_lnk_files_pattern($1, device_t, device_node)
+	relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
 	relabelfrom_fifo_files_pattern($1, device_t, device_node)
 	relabelfrom_sock_files_pattern($1, device_t, device_node)
 	relabel_blk_files_pattern($1,device_t,{ device_t device_node })
@ -182,6 +182,24 @@ interface(`dev_delete_generic_dirs',`
 	delete_dirs_pattern($1, device_t, device_t)
 ')

+########################################
+## <summary>
+##	Manage of directories in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to relabel.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_generic_dirs',`
+	gen_require(`
+		type device_t;
+	')
+
+	manage_dirs_pattern($1, device_t, device_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow full relabeling (to and from) of directories in /dev.
@ -663,9 +681,10 @@ interface(`dev_getattr_all_blk_files',`
 interface(`dev_dontaudit_getattr_all_blk_files',`
 	gen_require(`
 		attribute device_node;
+		type device_t;
 	')

-	dontaudit $1 device_node:blk_file getattr;
+	dontaudit $1 { device_t device_node }:blk_file getattr;
 ')

 ########################################
@ -700,9 +719,10 @@ interface(`dev_getattr_all_chr_files',`
 interface(`dev_dontaudit_getattr_all_chr_files',`
 	gen_require(`
 		attribute device_node;
+		type device_t;
 	')

-	dontaudit $1 device_node:chr_file getattr;
+	dontaudit $1 { device_t device_node }:chr_file getattr;
 ')

 ########################################
@ -1059,6 +1079,98 @@ interface(`dev_rw_apm_bios',`
 	rw_chr_files_pattern($1, device_t, apm_bios_t)
 ')

+########################################
+## <summary>
+##	Get the attributes of the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_autofs_dev',`
+	gen_require(`
+		type device_t, autofs_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_autofs_dev',`
+	gen_require(`
+		type autofs_device_t;
+	')
+
+	dontaudit $1 autofs_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_autofs_dev',`
+	gen_require(`
+		type device_t, autofs_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes of
+##	the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_autofs_dev',`
+	gen_require(`
+		type autofs_device_t;
+	')
+
+	dontaudit $1 autofs_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read and write the autofs device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_autofs',`
+	gen_require(`
+		type device_t, autofs_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write the PCMCIA card manager device.
@ -1157,6 +1269,25 @@ interface(`dev_getattr_cpu_dev',`
 	getattr_chr_files_pattern($1, device_t, cpu_device_t)
 ')

+########################################
+## <summary>
+##	Set the attributes of the CPU
+##	microcode and id interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_cpu_dev',`
+	gen_require(`
+		type device_t, cpu_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, cpu_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read the CPU identity.
@ -1281,7 +1412,7 @@ interface(`dev_dontaudit_rw_dri',`
 		type dri_device_t;
 	')

-	dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
+	dontaudit $1 dri_device_t:chr_file rw_chr_file_perms;
 ')

 ########################################
@ -1504,6 +1635,96 @@ interface(`dev_rw_framebuffer',`
 	rw_chr_files_pattern($1, device_t, framebuf_device_t)
 ')

+########################################
+## <summary>
+##	Read the kernel messages
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_kmsg',`
+	gen_require(`
+		type device_t, kmsg_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
+########################################
+## <summary>
+##	Get the attributes of the kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_kvm_dev',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_kvm_dev',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+## <summary>
+##	Read the kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_kvm',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+## <summary>
+##      Read and write to kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_kvm',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read the lvm comtrol device.
@ -1955,6 +2176,96 @@ interface(`dev_rw_mtrr',`
 	rw_chr_files_pattern($1, device_t, mtrr_device_t)
 ')

+########################################
+## <summary>
+##	Get the attributes of the network control device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_netcontrol_dev',`
+	gen_require(`
+		type device_t, netcontrol_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+## <summary>
+##	Read the network control identity.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_netcontrol',`
+	gen_require(`
+		type device_t, netcontrol_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write the the network control device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_netcontrol',`
+	gen_require(`
+		type device_t, netcontrol_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+## <summary>
+##	Get the attributes of the null device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_null_dev',`
+	gen_require(`
+		type device_t, null_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, null_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the null device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_null_dev',`
+	gen_require(`
+		type device_t, null_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, null_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write to the null device (/dev/null).
@ -2101,6 +2412,98 @@ interface(`dev_rw_printer',`
 	rw_chr_files_pattern($1, device_t, printer_device_t)
 ')

+########################################
+## <summary>
+##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_printk',`
+	gen_require(`
+		type device_t, printk_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, printk_device_t)
+')
+
+########################################
+## <summary>
+##	Get the attributes of the QEMU
+##	microcode and id interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_qemu_dev',`
+	gen_require(`
+		type device_t, qemu_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the QEMU
+##	microcode and id interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_qemu_dev',`
+	gen_require(`
+		type device_t, qemu_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
+##	Read the QEMU device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_qemu',`
+	gen_require(`
+		type device_t, qemu_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write the the QEMU device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_qemu',`
+	gen_require(`
+		type device_t, qemu_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read from random number generator
@ -2139,6 +2542,25 @@ interface(`dev_dontaudit_read_rand',`
 	dontaudit $1 random_device_t:chr_file { getattr read };
 ')

+########################################
+## <summary>
+##	Do not audit attempts to append to random
+##	number generator devices (e.g., /dev/random)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_append_rand',`
+	gen_require(`
+		type random_device_t;
+	')
+
+	dontaudit $1 random_device_t:chr_file append_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Write to the random device (e.g., /dev/random). This adds
@ -2765,6 +3187,24 @@ interface(`dev_setattr_generic_usb_dev',`
 	setattr_chr_files_pattern($1, device_t, usb_device_t)
 ')

+########################################
+## <summary>
+##	Read generic the USB devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_generic_usb_dev',`
+	gen_require(`
+		type usb_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, usb_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write generic the USB devices.
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@ -1,5 +1,5 @@

-policy_module(devices, 1.7.0)
+policy_module(devices, 1.7.1)

 ########################################
 #
@ -32,6 +32,12 @@ dev_node(agp_device_t)
 type apm_bios_t;
 dev_node(apm_bios_t)

+#
+# Type for /dev/autofs
+#
+type autofs_device_t;
+dev_node(autofs_device_t)
+
 type cardmgr_dev_t;
 dev_node(cardmgr_dev_t)
 files_tmp_file(cardmgr_dev_t)
@ -65,12 +71,25 @@ dev_node(event_device_t)
 type framebuf_device_t;
 dev_node(framebuf_device_t)

+#
+# Type for /dev/ipmi/0
+#
+type ipmi_device_t;
+dev_node(ipmi_device_t)
+
 #
 # Type for /dev/kmsg
 #
 type kmsg_device_t;
 dev_node(kmsg_device_t)

+#
+# kvm_device_t is the type of
+# /dev/kvm
+#
+type kvm_device_t;
+dev_node(kvm_device_t)
+
 #
 # Type for /dev/mapper/control
 #
@ -103,6 +122,12 @@ type mtrr_device_t;
 dev_node(mtrr_device_t)
 genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)

+#
+# network control devices 
+#
+type netcontrol_device_t;
+dev_node(netcontrol_device_t)
+
 #
 # null_device_t is the type of /dev/null.
 #
@ -127,6 +152,12 @@ type printer_device_t;
 dev_node(printer_device_t)
 mls_file_write_within_range(printer_device_t)

+#
+# qemu control devices 
+#
+type qemu_device_t;
+dev_node(qemu_device_t)
+
 #
 # random_device_t is the type of /dev/random
 #