add lvm_vg interfaces and do a little cleanup

2005-05-06 21:36:11 +00:00 · 2005-05-06 21:36:11 +00:00 · 8e02803ce3
commit 8e02803ce3
parent b2b38c78d4
2 changed files with 66 additions and 39 deletions
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@ -36,20 +36,53 @@ class blk_file { getattr write ioctl };
 devices_list_device_nodes_depend
 ')
 ########################################
 #
 # storage_raw_read_lvm_volume(domain)
 #
 define(`storage_raw_read_lvm_volume',`
 requires_block_template(`$0'_depend)
 typeattribute $1 fixed_disk_raw_read;
 devices_list_device_nodes($1)
 allow $1 lvm_vg_t:blk_file { getattr read ioctl };
 ')
 define(`storage_raw_read_lvm_volume_depend',`
 type lvm_vg_t;
 attribute fixed_disk_raw_read;
 class blk_file { getattr read ioctl };
 ')
 ########################################
 #
 # storage_raw_write_lvm_volume(domain)
 #
 define(`storage_raw_write_lvm_volume',`
 requires_block_template(`$0'_depend)
 typeattribute $1 fixed_disk_raw_write;
 devices_list_device_nodes($1)
 allow $1 lvm_vg_t:blk_file { getattr write ioctl };
 ')
 define(`storage_raw_write_lvm_volume_depend',`
 type lvm_vg_t;
 attribute fixed_disk_raw_write;
 class blk_file { getattr write ioctl };
 ')
 ########################################
 #
 # storage_get_fixed_disk_attributes(domain)
 #
 define(`storage_get_fixed_disk_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 fixed_disk_device_t:blk_file getattr;
 ')
 define(`storage_get_fixed_disk_attributes_depend',`
 type fixed_disk_device_t;
 class blk_file getattr;
 devices_list_device_nodes_depend
 ')
 ########################################
@ -58,14 +91,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_set_fixed_disk_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 fixed_disk_device_t:blk_file setattr;
 ')
 define(`storage_set_fixed_disk_attributes_depend',`
 type fixed_disk_device_t;
 class blk_file setattr;
 devices_list_device_nodes_depend
 ')
 ########################################
@ -75,7 +107,7 @@ devices_list_device_nodes_depend
 define(`storage_read_scsi_generic',`
 requires_block_template(`$0'_depend)
 typeattribute $1 scsi_generic_read;
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 scsi_generic_device_t:blk_file { getattr read ioctl };
 ')
@ -83,7 +115,6 @@ define(`storage_read_scsi_generic_depend',`
 type scsi_generic_device_t;
 attribute scsi_generic_read;
 class blk_file { getattr read ioctl };
 devices_list_device_nodes_depend
 ')
 ########################################
@ -93,15 +124,14 @@ devices_list_device_nodes_depend
 define(`storage_write_scsi_generic',`
 requires_block_template(`$0'_depend)
 typeattribute $1 scsi_generic_write;
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
-allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
+allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
 ')
 define(`storage_write_scsi_generic_depend',`
 type scsi_generic_device_t;
 attribute scsi_generic_write;
 class blk_file { getattr write ioctl };
 devices_list_device_nodes_depend
 ')
 ########################################
@ -110,14 +140,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_get_scsi_generic_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 scsi_generic_device_t:blk_file getattr;
 ')
 define(`storage_get_scsi_generic_attributes_depend',`
 type scsi_generic_device_t;
 class blk_file getattr;
 devices_list_device_nodes_depend
 ')
 ########################################
@ -126,14 +155,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_set_scsi_generic_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 scsi_generic_device_t:blk_file setattr;
 ')
 define(`storage_set_scsi_generic_attributes_depend',`
 type scsi_generic_device_t;
 class blk_file setattr;
 devices_list_device_nodes_depend
 ')
 ########################################
@ -142,14 +170,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_raw_read_removable_device',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 removable_device_t:blk_file { getattr read ioctl };
 ')
 define(`storage_raw_read_removable_device_depend',`
 type removable_device_t;
 class blk_file { getattr read ioctl };
 devices_list_device_nodes_depend
 ')
 ########################################
@ -158,14 +185,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_raw_write_removable_device',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 removable_device_t:blk_file { getattr write ioctl };
 ')
 define(`storage_raw_write_removable_device_depend',`
 type removable_device_t;
 class blk_file { getattr write ioctl };
 devices_list_device_nodes_depend
 ')
 ########################################
@ -174,14 +200,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_get_removable_device_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 removable_device_t:blk_file getattr;
 ')
 define(`storage_get_removable_device_attributes_depend',`
 type removable_device_t;
 class blk_file getattr;
 devices_list_device_nodes_depend
 ')
 ########################################
@ -190,14 +215,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_set_removable_device_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 removable_device_t:blk_file setattr;
 ')
 define(`storage_set_removable_device_attributes_depend',`
 type removable_device_t;
 class blk_file setattr;
 devices_list_device_nodes_depend
 ')
 ########################################
@ -206,14 +230,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_read_tape_device',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 tape_device_t:blk_file { getattr read ioctl };
 ')
 define(`storage_read_tape_device_depend',`
 type tape_device_t;
 class blk_file { getattr read ioctl };
 devices_list_device_nodes_depend
 ')
 ########################################
@ -222,14 +245,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_write_tape_device',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 tape_device_t:blk_file { getattr write ioctl };
 ')
 define(`storage_write_tape_device_depend',`
 type tape_device_t;
 class blk_file { getattr write ioctl };
 devices_list_device_nodes_depend
 ')
 ########################################
@ -238,14 +260,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_get_tape_device_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 tape_device_t:blk_file getattr;
 ')
 define(`storage_get_tape_device_attributes_depend',`
 type tape_device_t;
 class blk_file getattr;
 devices_list_device_nodes_depend
 ')
 ########################################
@ -254,12 +275,11 @@ devices_list_device_nodes_depend
 #
 define(`storage_set_tape_device_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 tape_device_t:blk_file setattr;
 ')
 define(`storage_set_tape_device_attributes_depend',`
 type tape_device_t;
 class blk_file setattr;
 devices_list_device_nodes_depend
 ')
--- a/refpolicy/policy/modules/kernel/storage.te
+++ b/refpolicy/policy/modules/kernel/storage.te
@ -2,44 +2,51 @@
 policy_module(storage,1.0)
 attribute fixed_disk_raw_read;
 attribute fixed_disk_raw_write;
 attribute scsi_generic_read;
 attribute scsi_generic_write;
 #
 # fixed_disk_device_t is the type of 
 # /dev/hd* and /dev/sd*.
 #
 type fixed_disk_device_t;
 attribute fixed_disk_raw_read;
 attribute fixed_disk_raw_write;
 neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
 neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
 devices_make_device_node(fixed_disk_device_t)
 neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
 neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
 #
 # lvm_vg_t is the type of logical volume groups
 #
 type lvm_vg_t;
 devices_make_device_node(lvm_vg_t)
 # from the subject's point of view, same as read/writing a regular
 # fixed disk, so use the same assertions as above
 neverallow ~fixed_disk_raw_read lvm_vg_t:{ chr_file blk_file } read;
 neverallow ~fixed_disk_raw_write lvm_vg_t:{ chr_file blk_file } { append write };
 #
 # scsi_generic_device_t is the type of /dev/sg*
 # it gives access to ALL SCSI devices (both fixed and removable)
 #
 type scsi_generic_device_t;
 devices_make_device_node(scsi_generic_device_t)
 attribute scsi_generic_read;
 attribute scsi_generic_write;
 neverallow ~scsi_generic_read scsi_generic_device_t:{ chr_file blk_file } read;
 neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { append write };
 devices_make_device_node(scsi_generic_device_t)
 #
 # removable_device_t is the type of
 # /dev/scd* and /dev/fd*.
 #
 type removable_device_t;
 devices_make_device_node(removable_device_t)
 #
 # tape_device_t is the type of
 #
 type tape_device_t;
 devices_make_device_node(tape_device_t)