diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index e0d8951d..41119c66 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -2,7 +2,7 @@
 ## Policy controlling access to storage devices
 ########################################
-##
+##
 ##
 ## Allow the caller to get the attributes of fixed disk
 ## device nodes.
@@ -12,21 +12,21 @@
 ##
 ##
 #
-define(`storage_get_fixed_disk_attributes',`
+define(`storage_getattr_fixed_disk',`
 requires_block_template(`$0'_depend)
 devices_list_device_nodes($1)
 allow $1 fixed_disk_device_t:blk_file getattr;
 ')
-define(`storage_get_fixed_disk_attributes_depend',`
+define(`storage_getattr_fixed_disk_depend',`
 type fixed_disk_device_t;
 class blk_file getattr;
 ')
 ########################################
-##
+##
 ##
 ## Do not audit attempts made by the caller to get
 ## the attributes of fixed disk device nodes.
@@ -36,20 +36,20 @@ define(`storage_get_fixed_disk_attributes_depend',`
 ##
 ##
 #
-define(`storage_ignore_get_fixed_disk_attributes',`
+define(`storage_dontaudit_getattr_fixed_disk',`
 requires_block_template(`$0'_depend)
 dontaudit $1 fixed_disk_device_t:blk_file getattr;
 ')
-define(`storage_ignore_get_fixed_disk_attributes_depend',`
+define(`storage_dontaudit_getattr_fixed_disk_depend',`
 type fixed_disk_device_t;
 class blk_file getattr;
 ')
 ########################################
-##
+##
 ##
 ## Allow the caller to set the attributes of fixed disk
 ## device nodes.
@@ -59,14 +59,14 @@ define(`storage_ignore_get_fixed_disk_attributes_depend',`
 ##
 ##
 #
-define(`storage_set_fixed_disk_attributes',`
+define(`storage_setattr_fixed_disk',`
 requires_block_template(`$0'_depend)
 devices_list_device_nodes($1)
 allow $1 fixed_disk_device_t:blk_file setattr;
 ')
-define(`storage_set_fixed_disk_attributes_depend',`
+define(`storage_setattr_fixed_disk_depend',`
 type fixed_disk_device_t;
 class blk_file setattr;
@@ -131,7 +131,7 @@ define(`storage_raw_write_fixed_disk_depend',`
 ')
 ########################################
-##
+##
 ##
 ## Create block devices in /dev with the fixed disk type.
 ##
@@ -157,7 +157,7 @@ define(`storage_create_fixed_disk_dev_entry_depend',`
 ########################################
 ##
 ##
-## Manage fixed disk device nodes.
+## Create, read, write, and delete fixed disk device nodes.
 ##
 ##
 ## The type of the process performing this action.
@@ -299,25 +299,39 @@ define(`storage_write_scsi_generic_depend',`
 ')
 ########################################
+##
+##
+## Get attributes of the device nodes
+## for the SCSI generic inerface.
+##
+##
+## The type of the process performing this action.
+##
+##
 #
-# storage_get_scsi_generic_attributes(domain)
-#
-define(`storage_get_scsi_generic_attributes',`
+define(`storage_getattr_scsi_generic',`
 requires_block_template(`$0'_depend)
 devices_list_device_nodes($1)
 allow $1 scsi_generic_device_t:blk_file getattr;
 ')
-define(`storage_get_scsi_generic_attributes_depend',`
+define(`storage_getattr_scsi_generic_depend',`
 type scsi_generic_device_t;
 class blk_file getattr;
 ')
 ########################################
-#
-# storage_set_scsi_generic_attributes(domain)
+##
+##
+## Set attributes of the device nodes
+## for the SCSI generic inerface.
+##
+##
+## The type of the process performing this action.
+##
+##
 #
 define(`storage_set_scsi_generic_attributes',`
 requires_block_template(`$0'_depend)
@@ -333,7 +347,7 @@ define(`storage_set_scsi_generic_attributes_depend',`
 ')
 ########################################
-##
+##
 ##
 ## Allow the caller to get the attributes of removable
 ## devices device nodes.
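Review bot: Both summaries added in hunk `@@ -299,25 +299,39 @@` misspell "interface": the line `## for the SCSI generic inerface.` appears under `storage_getattr_scsi_generic` and again under `storage_set_scsi_generic_attributes`, and both should read `## for the SCSI generic interface.`. The same hunk also leaves the naming scheme half-applied: `storage_get_scsi_generic_attributes` becomes `storage_getattr_scsi_generic`, but the neighbouring `storage_set_scsi_generic_attributes` and its `_depend` macro keep the old name, and `storage_set_removable_device_attributes` in `@@ -367,21 +381,28 @@` is left the same way. If that is intentional (a follow-up commit finishes the rename), saying so in the commit message would help; otherwise renaming them to `storage_setattr_scsi_generic` and `storage_setattr_removable_device` here keeps the module's interface names consistent with the `getattr`/`setattr` pattern this commit introduces.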
@@ -343,21 +357,21 @@ define(`storage_set_scsi_generic_attributes_depend',`
 ##
 ##
 #
-define(`storage_get_removable_device_attributes',`
+define(`storage_getattr_removable_device',`
 requires_block_template(`$0'_depend)
 devices_list_device_nodes($1)
 allow $1 removable_device_t:blk_file getattr;
 ')
-define(`storage_get_removable_device_attributes_depend',`
+define(`storage_getattr_removable_device_depend',`
 type removable_device_t;
 class blk_file getattr;
 ')
 ########################################
-##
+##
 ##
 ## Do not audit attempts made by the caller to get
 ## the attributes of removable devices device nodes.
@@ -367,21 +381,28 @@ define(`storage_get_removable_device_attributes_depend',`
 ##
 ##
 #
-define(`storage_ignore_get_removable_device_attributes',`
+define(`storage_dontaudit_getattr_removable_device',`
 requires_block_template(`$0'_depend)
 dontaudit $1 removable_device_t:blk_file getattr;
 ')
-define(`storage_ignore_get_removable_device_attributes_depend',`
+define(`storage_dontaudit_getattr_removable_device_depend',`
 type removable_device_t;
 class blk_file getattr;
 ')
 ########################################
-#
-# storage_set_removable_device_attributes(domain)
+##
+##
+## Allow the caller to set the attributes of removable
+## devices device nodes.
+##
+##
+## The type of the process performing this action.
+##
+##
 #
 define(`storage_set_removable_device_attributes',`
 requires_block_template(`$0'_depend)
@@ -397,8 +418,18 @@ define(`storage_set_removable_device_attributes_depend',`
 ')
 ########################################
-#
-# storage_raw_read_removable_device(domain)
+##
+##
+## Allow the caller to directly read from
+## a removable device.
+## This is extremly dangerous as it can bypass the
+## SELinux protections for filesystem objects, and
+## should only be used by trusted domains.
+##
+##
+## The type of the process performing this action.
+##
+##
 #
 define(`storage_raw_read_removable_device',`
 requires_block_template(`$0'_depend)
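Review bot: The summary added for `storage_raw_read_removable_device` in hunk `@@ -397,8 +418,18 @@` misspells "extremely" in `## This is extremly dangerous as it can bypass the`; the same line is added for `storage_raw_write_removable_device` in `@@ -414,8 +445,18 @@`, so both should become `## This is extremely dangerous as it can bypass the`. The warning itself is worth keeping as written: it is the only place a policy author will see that raw block-device access sidesteps the per-file labeling that the rest of the policy relies on.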
@@ -414,8 +445,18 @@ define(`storage_raw_read_removable_device_depend',`
 ')
 ########################################
-#
-# storage_raw_write_removable_device(domain)
+##
+##
+## Allow the caller to directly write to
+## a removable device.
+## This is extremly dangerous as it can bypass the
+## SELinux protections for filesystem objects, and
+## should only be used by trusted domains.
+##
+##
+## The type of the process performing this action.
+##
+##
 #
 define(`storage_raw_write_removable_device',`
 requires_block_template(`$0'_depend)
@@ -431,8 +472,15 @@ define(`storage_raw_write_removable_device_depend',`
 ')
 ########################################
-#
-# storage_read_tape_device(domain)
+##
+##
+## Allow the caller to directly read
+## a tape device.
+##
+##
+## The type of the process performing this action.
+##
+##
 #
 define(`storage_read_tape_device',`
 requires_block_template(`$0'_depend)
@@ -448,8 +496,15 @@ define(`storage_read_tape_device_depend',`
 ')
 ########################################
-#
-# storage_write_tape_device(domain)
+##
+##
+## Allow the caller to directly read
+## a tape device.
+##
+##
+## The type of the process performing this action.
+##
+##
 #
 define(`storage_write_tape_device',`
 requires_block_template(`$0'_depend)
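Review bot: The summary added for `storage_write_tape_device` in hunk `@@ -448,8 +496,15 @@` is copied from `storage_read_tape_device` and describes the wrong direction: it says `## Allow the caller to directly read` / `## a tape device.` above a macro whose name, and whose `_depend` block in the hunk header, are about writing. Change the two lines to `## Allow the caller to directly write to` / `## a tape device.`. Since this summary is what interface documentation and reviewers of calling modules will see, a wrong direction here hides a write grant behind a read description. The bodies of both tape macros continue outside their hunks, so I could not confirm the permission lines, but the names leave little doubt.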
@@ -465,34 +520,48 @@ define(`storage_write_tape_device_depend',`
 ')
 ########################################
+##
+##
+## Allow the caller to get the attributes
+## of device nodes of tape devices.
+##
+##
+## The type of the process performing this action.
+##
+##
 #
-# storage_get_tape_device_attributes(domain)
-#
-define(`storage_get_tape_device_attributes',`
+define(`storage_getattr_tape_device',`
 requires_block_template(`$0'_depend)
 devices_list_device_nodes($1)
 allow $1 tape_device_t:blk_file getattr;
 ')
-define(`storage_get_tape_device_attributes_depend',`
+define(`storage_getattr_tape_device_depend',`
 type tape_device_t;
 class blk_file getattr;
 ')
 ########################################
+##
+##
+## Allow the caller to set the attributes
+## of device nodes of tape devices.
+##
+##
+## The type of the process performing this action.
+##
+##
 #
-# storage_set_tape_device_attributes(domain)
-#
-define(`storage_set_tape_device_attributes',`
+define(`storage_setattr_tape_device',`
 requires_block_template(`$0'_depend)
 devices_list_device_nodes($1)
 allow $1 tape_device_t:blk_file setattr;
 ')
-define(`storage_set_tape_device_attributes_depend',`
+define(`storage_setattr_tape_device_depend',`
 type tape_device_t;
 class blk_file setattr;
 ')