rename
This commit is contained in:
parent
d90b274e40
commit
c6ebefd2f2
@ -2,7 +2,7 @@
|
|||||||
## <summary>Policy controlling access to storage devices</summary>
|
## <summary>Policy controlling access to storage devices</summary>
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="storage_get_fixed_disk_attributes">
|
## <interface name="storage_getattr_fixed_disk">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow the caller to get the attributes of fixed disk
|
## Allow the caller to get the attributes of fixed disk
|
||||||
## device nodes.
|
## device nodes.
|
||||||
@ -12,21 +12,21 @@
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_get_fixed_disk_attributes',`
|
define(`storage_getattr_fixed_disk',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
devices_list_device_nodes($1)
|
||||||
allow $1 fixed_disk_device_t:blk_file getattr;
|
allow $1 fixed_disk_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_get_fixed_disk_attributes_depend',`
|
define(`storage_getattr_fixed_disk_depend',`
|
||||||
type fixed_disk_device_t;
|
type fixed_disk_device_t;
|
||||||
|
|
||||||
class blk_file getattr;
|
class blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="storage_ignore_get_fixed_disk_attributes">
|
## <interface name="storage_dontaudit_getattr_fixed_disk">
|
||||||
## <description>
|
## <description>
|
||||||
## Do not audit attempts made by the caller to get
|
## Do not audit attempts made by the caller to get
|
||||||
## the attributes of fixed disk device nodes.
|
## the attributes of fixed disk device nodes.
|
||||||
@ -36,20 +36,20 @@ define(`storage_get_fixed_disk_attributes_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_ignore_get_fixed_disk_attributes',`
|
define(`storage_dontaudit_getattr_fixed_disk',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 fixed_disk_device_t:blk_file getattr;
|
dontaudit $1 fixed_disk_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_ignore_get_fixed_disk_attributes_depend',`
|
define(`storage_dontaudit_getattr_fixed_disk_depend',`
|
||||||
type fixed_disk_device_t;
|
type fixed_disk_device_t;
|
||||||
|
|
||||||
class blk_file getattr;
|
class blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="storage_set_fixed_disk_attributes">
|
## <interface name="storage_setattr_fixed_disk">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow the caller to set the attributes of fixed disk
|
## Allow the caller to set the attributes of fixed disk
|
||||||
## device nodes.
|
## device nodes.
|
||||||
@ -59,14 +59,14 @@ define(`storage_ignore_get_fixed_disk_attributes_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_set_fixed_disk_attributes',`
|
define(`storage_setattr_fixed_disk',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
devices_list_device_nodes($1)
|
||||||
allow $1 fixed_disk_device_t:blk_file setattr;
|
allow $1 fixed_disk_device_t:blk_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_set_fixed_disk_attributes_depend',`
|
define(`storage_setattr_fixed_disk_depend',`
|
||||||
type fixed_disk_device_t;
|
type fixed_disk_device_t;
|
||||||
|
|
||||||
class blk_file setattr;
|
class blk_file setattr;
|
||||||
@ -131,7 +131,7 @@ define(`storage_raw_write_fixed_disk_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="storage_create_fixed_disk_dev_entry">
|
## <interface name="storage_create_fixed_disk">
|
||||||
## <description>
|
## <description>
|
||||||
## Create block devices in /dev with the fixed disk type.
|
## Create block devices in /dev with the fixed disk type.
|
||||||
## </description>
|
## </description>
|
||||||
@ -157,7 +157,7 @@ define(`storage_create_fixed_disk_dev_entry_depend',`
|
|||||||
########################################
|
########################################
|
||||||
## <interface name="storage_manage_fixed_disk">
|
## <interface name="storage_manage_fixed_disk">
|
||||||
## <description>
|
## <description>
|
||||||
## Manage fixed disk device nodes.
|
## Create, read, write, and delete fixed disk device nodes.
|
||||||
## </description>
|
## </description>
|
||||||
## <parameter name="domain">
|
## <parameter name="domain">
|
||||||
## The type of the process performing this action.
|
## The type of the process performing this action.
|
||||||
@ -299,25 +299,39 @@ define(`storage_write_scsi_generic_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
## <interface name="storage_getattr_scsi_generic">
|
||||||
|
## <description>
|
||||||
|
## Get attributes of the device nodes
|
||||||
|
## for the SCSI generic inerface.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
# storage_get_scsi_generic_attributes(domain)
|
define(`storage_getattr_scsi_generic',`
|
||||||
#
|
|
||||||
define(`storage_get_scsi_generic_attributes',`
|
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
devices_list_device_nodes($1)
|
||||||
allow $1 scsi_generic_device_t:blk_file getattr;
|
allow $1 scsi_generic_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_get_scsi_generic_attributes_depend',`
|
define(`storage_getattr_scsi_generic_depend',`
|
||||||
type scsi_generic_device_t;
|
type scsi_generic_device_t;
|
||||||
|
|
||||||
class blk_file getattr;
|
class blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <interface name="storage_setattr_scsi_generic">
|
||||||
# storage_set_scsi_generic_attributes(domain)
|
## <description>
|
||||||
|
## Set attributes of the device nodes
|
||||||
|
## for the SCSI generic inerface.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_set_scsi_generic_attributes',`
|
define(`storage_set_scsi_generic_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -333,7 +347,7 @@ define(`storage_set_scsi_generic_attributes_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="storage_get_removable_device_attributes">
|
## <interface name="storage_getattr_removable_device">
|
||||||
## <description>
|
## <description>
|
||||||
## Allow the caller to get the attributes of removable
|
## Allow the caller to get the attributes of removable
|
||||||
## devices device nodes.
|
## devices device nodes.
|
||||||
@ -343,21 +357,21 @@ define(`storage_set_scsi_generic_attributes_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_get_removable_device_attributes',`
|
define(`storage_getattr_removable_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
devices_list_device_nodes($1)
|
||||||
allow $1 removable_device_t:blk_file getattr;
|
allow $1 removable_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_get_removable_device_attributes_depend',`
|
define(`storage_getattr_removable_device_depend',`
|
||||||
type removable_device_t;
|
type removable_device_t;
|
||||||
|
|
||||||
class blk_file getattr;
|
class blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <interface name="storage_ignore_get_removable_device_attributes">
|
## <interface name="storage_dontaudit_getattr_removable_device">
|
||||||
## <description>
|
## <description>
|
||||||
## Do not audit attempts made by the caller to get
|
## Do not audit attempts made by the caller to get
|
||||||
## the attributes of removable devices device nodes.
|
## the attributes of removable devices device nodes.
|
||||||
@ -367,21 +381,28 @@ define(`storage_get_removable_device_attributes_depend',`
|
|||||||
## </parameter>
|
## </parameter>
|
||||||
## </interface>
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_ignore_get_removable_device_attributes',`
|
define(`storage_dontaudit_getattr_removable_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
dontaudit $1 removable_device_t:blk_file getattr;
|
dontaudit $1 removable_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_ignore_get_removable_device_attributes_depend',`
|
define(`storage_dontaudit_getattr_removable_device_depend',`
|
||||||
type removable_device_t;
|
type removable_device_t;
|
||||||
|
|
||||||
class blk_file getattr;
|
class blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <interface name="storage_setattr_removable_device">
|
||||||
# storage_set_removable_device_attributes(domain)
|
## <description>
|
||||||
|
## Allow the caller to set the attributes of removable
|
||||||
|
## devices device nodes.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_set_removable_device_attributes',`
|
define(`storage_set_removable_device_attributes',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -397,8 +418,18 @@ define(`storage_set_removable_device_attributes_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <interface name="storage_raw_read_removable_device">
|
||||||
# storage_raw_read_removable_device(domain)
|
## <description>
|
||||||
|
## Allow the caller to directly read from
|
||||||
|
## a removable device.
|
||||||
|
## This is extremly dangerous as it can bypass the
|
||||||
|
## SELinux protections for filesystem objects, and
|
||||||
|
## should only be used by trusted domains.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_raw_read_removable_device',`
|
define(`storage_raw_read_removable_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -414,8 +445,18 @@ define(`storage_raw_read_removable_device_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <interface name="storage_raw_write_removable_device">
|
||||||
# storage_raw_write_removable_device(domain)
|
## <description>
|
||||||
|
## Allow the caller to directly write to
|
||||||
|
## a removable device.
|
||||||
|
## This is extremly dangerous as it can bypass the
|
||||||
|
## SELinux protections for filesystem objects, and
|
||||||
|
## should only be used by trusted domains.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_raw_write_removable_device',`
|
define(`storage_raw_write_removable_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -431,8 +472,15 @@ define(`storage_raw_write_removable_device_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <interface name="storage_read_tape_device">
|
||||||
# storage_read_tape_device(domain)
|
## <description>
|
||||||
|
## Allow the caller to directly read
|
||||||
|
## a tape device.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_read_tape_device',`
|
define(`storage_read_tape_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -448,8 +496,15 @@ define(`storage_read_tape_device_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <interface name="storage_write_tape_device">
|
||||||
# storage_write_tape_device(domain)
|
## <description>
|
||||||
|
## Allow the caller to directly read
|
||||||
|
## a tape device.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
define(`storage_write_tape_device',`
|
define(`storage_write_tape_device',`
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
@ -465,34 +520,48 @@ define(`storage_write_tape_device_depend',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
## <interface name="storage_getattr_tape_device">
|
||||||
|
## <description>
|
||||||
|
## Allow the caller to get the attributes
|
||||||
|
## of device nodes of tape devices.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
# storage_get_tape_device_attributes(domain)
|
define(`storage_getattr_tape_device',`
|
||||||
#
|
|
||||||
define(`storage_get_tape_device_attributes',`
|
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
devices_list_device_nodes($1)
|
||||||
allow $1 tape_device_t:blk_file getattr;
|
allow $1 tape_device_t:blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_get_tape_device_attributes_depend',`
|
define(`storage_getattr_tape_device_depend',`
|
||||||
type tape_device_t;
|
type tape_device_t;
|
||||||
|
|
||||||
class blk_file getattr;
|
class blk_file getattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
## <interface name="storage_setattr_tape_device">
|
||||||
|
## <description>
|
||||||
|
## Allow the caller to set the attributes
|
||||||
|
## of device nodes of tape devices.
|
||||||
|
## </description>
|
||||||
|
## <parameter name="domain">
|
||||||
|
## The type of the process performing this action.
|
||||||
|
## </parameter>
|
||||||
|
## </interface>
|
||||||
#
|
#
|
||||||
# storage_set_tape_device_attributes(domain)
|
define(`storage_setattr_tape_device',`
|
||||||
#
|
|
||||||
define(`storage_set_tape_device_attributes',`
|
|
||||||
requires_block_template(`$0'_depend)
|
requires_block_template(`$0'_depend)
|
||||||
|
|
||||||
devices_list_device_nodes($1)
|
devices_list_device_nodes($1)
|
||||||
allow $1 tape_device_t:blk_file setattr;
|
allow $1 tape_device_t:blk_file setattr;
|
||||||
')
|
')
|
||||||
|
|
||||||
define(`storage_set_tape_device_attributes_depend',`
|
define(`storage_setattr_tape_device_depend',`
|
||||||
type tape_device_t;
|
type tape_device_t;
|
||||||
class blk_file setattr;
|
class blk_file setattr;
|
||||||
')
|
')
|
||||||
|
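Review bot: The XML interface headers and the m4 macro names diverge in two places on the new side: the header `## <interface name="storage_setattr_scsi_generic">` sits above a macro that is still defined as `storage_set_scsi_generic_attributes` (and its `_depend` twin, per the hunk header for `storage_set_scsi_generic_attributes_depend`), and `## <interface name="storage_setattr_removable_device">` likewise sits above `storage_set_removable_device_attributes`, so the generated interface documentation will describe names that do not exist and any caller updated to the documented names will not expand. Rename both defines and their `_depend` macros to match the headers, i.e. `storage_set_scsi_generic_attributes` → `storage_setattr_scsi_generic` and `storage_set_removable_device_attributes` → `storage_setattr_removable_device`, as was done for the getattr and tape-device interfaces. The newly added descriptions also carry copy-paste and spelling defects: `storage_write_tape_device` is described as `## Allow the caller to directly read` / `## a tape device.` although it grants write, and `inerface` and `extremly` appear in the SCSI-generic and removable-device descriptions. The bodies of the renamed macros (the `_depend` blocks for the set/raw-read/raw-write/tape interfaces) continue outside the shown hunks, so their internal consistency could not be checked here.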