From 8f0de5df684fadd8c71b657a490090a409c8e2eb Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 4 Jun 2010 09:47:45 -0400
Subject: [PATCH] Storage patch from Dan Walsh. Add /dev/hwcdrom
---
 policy/modules/kernel/storage.fc | 1 +
 policy/modules/kernel/storage.if | 19 +++++++++++++++++++
 policy/modules/kernel/storage.te | 2 +-
 3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 63e86d1d..d819311d 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -20,6 +20,7 @@
 /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/hitcd -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/ht[0-1] -b gen_context(system_u:object_r:tape_device_t,s0)
+/dev/hwcdrom -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/initrd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/jsfd -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/jsflash -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index f37c6589..bb0effdd 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -570,6 +570,25 @@ interface(`storage_dontaudit_read_removable_device',`
 dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
 ')
 
+########################################
+##
+## Do not audit attempts made by the caller to write
+## removable devices device nodes.
+##
+##
+##
+## The type of the process to not audit.
+##
+##
+#
+interface(`storage_dontaudit_write_removable_device',`
+ gen_require(`
+ type removable_device_t;
+ ')
+
+ dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
+')
+
 ########################################
 ##
 ## Allow the caller to set the attributes of removable
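Review bot: The summary comment of the added storage_dontaudit_write_removable_device interface reads "removable devices device nodes", which duplicates a word; `## Do not audit attempts made by the caller to write removable device nodes.` says the same thing cleanly. The rule is a `dontaudit` on `removable_device_t:blk_file write_blk_file_perms`, so denied writes to removable block devices by the calling domain stop producing AVC records. The comment should say that callers give up that audit trail, and that the denials become visible again only with dontaudit rules disabled (for example `semodule -DB`). None of the three files in this commit calls the interface, so which domain needs the suppression cannot be checked from here; naming it in the commit message would let a reviewer confirm the denial is really benign noise.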
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index 43635dda..bbe024ee 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,5 +1,5 @@
 
-policy_module(storage, 1.8.0)
+policy_module(storage, 1.8.1)
 
 ########################################
 #