diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index a1d95553..2497b208 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1,4 +1,7 @@ ## +## +## Device nodes and interfaces for many basic system devices. +## ## ##

## This module creates the device node concept and provides
@@ -24,10 +27,10 @@ ######################################## ## -## +##

## Make the passed in type a type appropriate for ## use on device nodes (usually files in /dev). -## +## ## ## The object type that will be used on device nodes. ##
@@ -51,9 +54,9 @@ define(`dev_node_depend',` ######################################## ## -## +## ## Allow full relabeling (to and from) of all device nodes. -## +## ## ## Domain allowed to relabel. ##
@@ -87,9 +90,9 @@ define(`dev_relabel_all_dev_nodes_depend',` ######################################## ## -## +## ## List all of the device nodes in a device directory. -## +## ## ## Domain allowed to list device nodes. ##
@@ -111,9 +114,9 @@ define(`dev_list_all_dev_nodes_depend',` ######################################## ## -## +## ## Dontaudit attempts to list all device nodes. -## +## ## ## Domain to dontaudit listing of device nodes. ##
@@ -133,9 +136,9 @@ define(`dev_dontaudit_list_all_dev_nodes_depend',` ######################################## ## -## +## ## Create a directory in the device directory. -## +## ## ## Domain allowed to create the directory. ##
@@ -155,9 +158,9 @@ define(`dev_create_dir_depend',` ######################################## ## -## +## ## Allow full relabeling (to and from) of directories in /dev. -## +## ## ## Domain allowed to relabel. ##
@@ -177,9 +180,9 @@ define(`dev_relabel_dev_dirs_depend',` ######################################## ## -## +## ## Dontaudit getattr on generic pipes. -## +## ## ## Domain to dontaudit. ##
@@ -199,9 +202,9 @@ define(`dev_dontaudit_getattr_generic_pipe_depend',` ######################################## ## -## +## ## Allow getattr on generic block devices. -## +## ## ## Domain allowed access. ##
@@ -223,9 +226,9 @@ define(`ddev_getattr_generic_blk_file_depend',` ######################################## ## -## +## ## Dontaudit getattr on generic block devices. -## +## ## ## Domain to dontaudit access. ##
@@ -245,10 +248,10 @@ define(`dev_dontaudit_getattr_generic_blk_file_depend',` ######################################## ## -## +## ## Allow read, write, create, and delete for generic ## block files. -## +## ## ## Domain allowed access. ##
@@ -269,9 +272,9 @@ define(`dev_manage_generic_blk_file_depend',` ######################################## ## -## +## ## Allow read, write, and create for generic character device files. -## +## ## ## Domain allowed access. ##
@@ -296,9 +299,9 @@ define(`dev_create_generic_chr_file_depend',` ######################################## ## -## +## ## Allow getattr for generic character device files. -## +## ## ## Domain allowed access. ##
@@ -320,9 +323,9 @@ define(`dev_getattr_generic_chr_file_depend',` ######################################## ## -## +## ## Dontaudit getattr for generic character device files. -## +## ## ## Domain to dontaudit access. ##
@@ -342,9 +345,9 @@ define(`dev_dontaudit_getattr_generic_chr_file_depend',` ######################################## ## -## +## ## Delete symbolic links in device directories. -## +## ## ## Domain allowed access. ##
@@ -368,9 +371,9 @@ define(`dev_del_generic_symlinks_depend',` ######################################## ## -## +## ## Create, delete, read, and write symbolic links in device directories. -## +## ## ## Domain allowed access. ##
@@ -392,9 +395,9 @@ define(`dev_manage_generic_symlinks_depend',` ######################################## ## -## +## ## Create, delete, read, and write device nodes in device directories. -## +## ## ## Domain allowed access. ##
@@ -434,9 +437,9 @@ define(`dev_manage_dev_nodes_depend',` ######################################## ## -## +## ## Dontaudit getattr for generic device files. -## +## ## ## Domain to dontaudit access. ##
@@ -457,9 +460,9 @@ define(`dev_dontaudit_rw_generic_dev_nodes_depend',` ######################################## ## -## +## ## Create, delete, read, and write block device files. -## +## ## ## Domain allowed access. ##
@@ -481,9 +484,9 @@ define(`dev_manage_generic_blk_file_depend',` ######################################## ## -## +## ## Create, delete, read, and write character device files. -## +## ## ## Domain allowed access. ##
@@ -505,10 +508,10 @@ define(`dev_manage_generic_chr_file_depend',` ######################################## ## -## +## ## Create, read, and write device nodes. The node ## will be transitioned to the type provided. -## +## ## ## Domain allowed access. ##
@@ -540,9 +543,9 @@ define(`dev_create_dev_node_depend',` ######################################## ## -## +## ## Getattr on all block file device nodes. -## +## ## ## Domain allowed access. ##
@@ -564,9 +567,9 @@ define(`dev_getattr_all_blk_files_depend',` ######################################## ## -## +## ## Dontaudit getattr on all block file device nodes. -## +## ## ## Domain to dontaudit access. ##
@@ -586,9 +589,9 @@ define(`dev_dontaudit_getattr_all_blk_files_depend',` ######################################## ## -## +## ## Getattr on all character file device nodes. -## +## ## ## Domain allowed access. ##
@@ -610,9 +613,9 @@ define(`dev_getattr_all_chr_files_depend',` ######################################## ## -## +## ## Dontaudit getattr on all character file device nodes. -## +## ## ## Domain to dontaudit access. ##
@@ -632,9 +635,9 @@ define(`dev_dontaudit_getattr_all_chr_files_depend',` ######################################## ## -## +## ## Setattr on all block file device nodes. -## +## ## ## Domain allowed access. ##
@@ -656,9 +659,9 @@ define(`dev_setattr_all_blk_files_depend',` ######################################## ## -## +## ## Setattr on all character file device nodes. -## +## ## ## Domain allowed access. ##
@@ -680,9 +683,9 @@ define(`dev_setattr_all_chr_files_depend',` ######################################## ## -## +## ## Read, write, create, and delete all block device files. -## +## ## ## Domain allowed access. ##
@@ -710,9 +713,9 @@ define(`dev_manage_all_blk_files_depend',` ######################################## ## -## +## ## Read, write, create, and delete all character device files. -## +## ## ## Domain allowed access. ##
@@ -736,9 +739,9 @@ define(`dev_manage_all_chr_files_depend',` ######################################## ## -## +## ## Read raw memory devices (e.g. /dev/mem). -## +## ## ## Domain allowed access. ##
@@ -764,9 +767,9 @@ define(`dev_read_raw_memory_depend',` ######################################## ## -## +## ## Write raw memory devices (e.g. /dev/mem). -## +## ## ## Domain allowed access. ##
@@ -792,9 +795,9 @@ define(`dev_write_raw_memory_depend',` ######################################## ## -## +## ## Read and execute raw memory devices (e.g. /dev/mem). -## +## ## ## Domain allowed access. ##
@@ -815,9 +818,9 @@ define(`dev_rx_raw_memory_depend',` ######################################## ## -## +## ## Write and execute raw memory devices (e.g. /dev/mem). -## +## ## ## Domain allowed access. ##
@@ -838,9 +841,9 @@ define(`dev_wx_raw_memory_depend',` ######################################## ## -## +## ## Read from random devices (e.g., /dev/random) -## +## ## ## Domain allowed access. ##
@@ -862,9 +865,9 @@ define(`dev_read_rand_depend',` ######################################## ## -## +## ## Read from pseudo random devices (e.g., /dev/urandom) -## +## ## ## Domain allowed access. ##
@@ -886,11 +889,11 @@ define(`dev_read_urand_depend',` ######################################## ## -## +## ## Write to the random device (e.g., /dev/random). This adds ## entropy used to generate the random data read from the ## random device. -## +## ## ## Domain allowed access. ##
@@ -912,10 +915,10 @@ define(`dev_write_rand_depend',` ######################################## ## -## +## ## Write to the pseudo random device (e.g., /dev/urandom). This ## sets the random number generator seed. -## +## ## ## Domain allowed access. ##
@@ -937,9 +940,9 @@ define(`dev_write_urand_depend',` ######################################## ## -## +## ## Read and write to the null device (/dev/null). -## +## ## ## Domain allowed access. ##
@@ -961,9 +964,9 @@ define(`dev_rw_null_dev_depend',` ######################################## ## -## +## ## Read and write to the zero device (/dev/zero). -## +## ## ## Domain allowed access. ##
@@ -985,9 +988,9 @@ define(`dev_rw_zero_dev_depend',` ######################################## ## -## +## ## Read, write, and execute the zero device (/dev/zero). -## +## ## ## Domain allowed access. ##
@@ -1008,9 +1011,9 @@ define(`dev_rwx_zero_dev_depend',` ######################################## ## -## +## ## Read the realtime clock (/dev/rtc). -## +## ## ## Domain allowed access. ##
@@ -1031,9 +1034,9 @@ class chr_file r_file_perms; ######################################## ## -## +## ## Read the realtime clock (/dev/rtc). -## +## ## ## Domain allowed access. ##
@@ -1055,9 +1058,9 @@ define(`dev_write_realtime_clock_depend',` ######################################## ## -## +## ## Read the realtime clock (/dev/rtc). -## +## ## ## Domain allowed access. ##
@@ -1070,9 +1073,9 @@ define(`dev_rw_realtime_clock',` ######################################## ## -## +## ## Read the sound devices. -## +## ## ## Domain allowed access. ##
@@ -1093,9 +1096,9 @@ define(`dev_read_snd_dev_depend',` ######################################## ## -## +## ## Write the sound devices. -## +## ## ## Domain allowed access. ##
@@ -1117,9 +1120,9 @@ define(`dev_write_snd_dev_depend',` ######################################## ## -## +## ## Read the sound mixer devices. -## +## ## ## Domain allowed access. ##
@@ -1141,9 +1144,9 @@ define(`dev_read_snd_mixer_dev_depend',` ######################################## ## -## +## ## Write the sound mixer devices. -## +## ## ## Domain allowed access. ##
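Review bot: The summary text carried as context in the hunks at `@@ -1031,9 +1034,9 @@` and `@@ -1055,9 +1058,9 @@` still reads `## Read the realtime clock (/dev/rtc).`, although the neighbouring hunk headers (`dev_write_realtime_clock_depend`, `dev_rw_realtime_clock`) indicate these blocks document the write and read-write interfaces; since this commit already re-tags every summary, it is the natural place to correct them to `## Write the realtime clock (/dev/rtc).` and `## Read and write the realtime clock (/dev/rtc).`. The same copy-paste pattern appears in the `@@ -1523,9 +1526,9 @@` hunk, where the block that appears to belong to `dev_read_cpuid` is summarised as `## Read the multiplexed input device (/dev/input).`. Wrong summaries in an .if file propagate into the generated interface documentation, so a policy author relying on them may grant write access to a device while believing the interface is read-only. Minor typos in nearby summaries (`lvm comtrol` in the `@@ -1355,9 +1358,9 @@` hunk, `the the` in the `@@ -1547`, `@@ -1572` and `@@ -1596` hunks) could be fixed in the same pass. The interface bodies lie outside these hunks, so the attribution of each summary to an interface is inferred from hunk-header context only.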
@@ -1165,9 +1168,9 @@ define(`dev_write_snd_mixer_dev_depend',` ######################################## ## -## +## ## Read and write the agp devices. -## +## ## ## Domain allowed access. ##
@@ -1189,9 +1192,9 @@ define(`dev_rw_agp_dev_depend',` ######################################## ## -## +## ## Getattr the agp devices. -## +## ## ## Domain allowed access. ##
@@ -1213,9 +1216,9 @@ define(`dev_getattr_agp_dev_depend',` ######################################## ## -## +## ## Read and write the dri devices. -## +## ## ## Domain allowed access. ##
@@ -1237,9 +1240,9 @@ define(`dev_rw_dri_dev_depend',` ######################################## ## -## +## ## Dontaudit read and write on the dri devices. -## +## ## ## Domain to dontaudit access. ##
@@ -1259,9 +1262,9 @@ define(`dev_dontaudit_rw_dri_dev_depend',` ######################################## ## -## +## ## Read the mtrr device. -## +## ## ## Domain allowed access. ##
@@ -1283,9 +1286,9 @@ define(`dev_read_mtrr_depend',` ######################################## ## -## +## ## Write the mtrr device. -## +## ## ## Domain allowed access. ##
@@ -1307,9 +1310,9 @@ define(`dev_write_mtrr_depend',` ######################################## ## -## +## ## Read the framebuffer device. -## +## ## ## Domain allowed access. ##
@@ -1331,9 +1334,9 @@ define(`dev_read_framebuffer_depend',` ######################################## ## -## +## ## Write the framebuffer device. -## +## ## ## Domain allowed access. ##
@@ -1355,9 +1358,9 @@ define(`dev_write_framebuffer_depend',` ######################################## ## -## +## ## Read the lvm comtrol device. -## +## ## ## Domain allowed access. ##
@@ -1379,9 +1382,9 @@ define(`dev_read_lvm_control_depend',` ######################################## ## -## +## ## Read and write the lvm control device. -## +## ## ## Domain allowed access. ##
@@ -1403,9 +1406,9 @@ define(`dev_rw_lvm_control_depend',` ######################################## ## -## +## ## Delete the lvm control device. -## +## ## ## Domain allowed access. ##
@@ -1427,9 +1430,9 @@ define(`dev_delete_lvm_control_depend',` ######################################## ## -## +## ## Read miscellaneous devices. -## +## ## ## Domain allowed access. ##
@@ -1451,9 +1454,9 @@ define(`dev_read_misc_depend',` ######################################## ## -## +## ## Write miscellaneous devices. -## +## ## ## Domain allowed access. ##
@@ -1475,9 +1478,9 @@ define(`dev_write_misc_depend',` ######################################## ## -## +## ## Read the mouse devices. -## +## ## ## Domain allowed access. ##
@@ -1499,9 +1502,9 @@ define(`dev_read_mouse_depend',` ######################################## ## -## +## ## Read the multiplexed input device (/dev/input). -## +## ## ## Domain allowed access. ##
@@ -1523,9 +1526,9 @@ define(`dev_read_input_depend',` ######################################## ## -## +## ## Read the multiplexed input device (/dev/input). -## +## ## ## Domain allowed access. ##
@@ -1547,10 +1550,10 @@ define(`dev_read_cpuid_depend',` ######################################## ## -## +## ## Read and write the the cpu microcode device. This ## is required to load cpu microcode. -## +## ## ## Domain allowed access. ##
@@ -1572,9 +1575,9 @@ define(`dev_rw_cpu_microcode_depend',` ######################################## ## -## +## ## Read and write the the scanner device. -## +## ## ## Domain allowed access. ##
@@ -1596,9 +1599,9 @@ define(`dev_rw_scanner_depend',` ######################################## ## -## +## ## Read and write the the power management device. -## +## ## ## Domain allowed access. ##
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 6e8e6738..1eb8292a 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1,5 +1,20 @@ ## -## Policy controlling access to general files +## +## Basic filesystem types and interfaces. +## +## +##

+## This module contains basic filesystem types and interfaces. This +## includes: +##

    +##
  • The concept of different file types including basic +## files, mount points, tmp files, etc.
  • +##
  • Access to groups of files and all files.
  • +##
  • Types and interfaces for the basic filesystem layout +## (/, /etc, /tmp, /usr, etc.).
  • +##
+##

+##
######################################## #