reorder in alpha order of type, for sanity purposes

Chris PeBenito 2005-07-15 14:30:19 +00:00
parent 316553a275
commit f136a944c5


@ -700,6 +700,25 @@ interface(`dev_manage_all_chr_files',`
typeattribute $1 memory_raw_read, memory_raw_write;
')
########################################
## <summary>
## Read and write the agp devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_rw_agp_dev',`
gen_require(`
type device_t, agp_device_t;
class dir r_dir_perms;
class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 agp_device_t:chr_file rw_file_perms;
')
########################################
## <summary>
## Get the attributes of the apm bios device node.
@ -795,405 +814,41 @@ interface(`dev_rw_apm_bios',`
########################################
## <summary>
## Read raw memory devices (e.g. /dev/mem).
## Read the CPU identity.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_read_raw_memory',`
interface(`dev_read_cpuid',`
gen_require(`
type device_t, memory_device_t;
attribute memory_raw_read;
class dir r_dir_perms;
class chr_file r_file_perms;
class capability sys_rawio;
')
allow $1 device_t:dir r_dir_perms;
allow $1 memory_device_t:chr_file r_file_perms;
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_read;
')
########################################
## <summary>
## Write raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_write_raw_memory',`
gen_require(`
type device_t, memory_device_t;
attribute memory_raw_write;
class dir r_dir_perms;
class chr_file write;
class capability sys_rawio;
')
allow $1 device_t:dir r_dir_perms;
allow $1 memory_device_t:chr_file write;
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_write;
')
########################################
## <summary>
## Read and execute raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_rx_raw_memory',`
gen_require(`
type device_t, memory_device_t;
class chr_file execute;
')
dev_read_raw_memory($1)
allow $1 memory_device_t:chr_file execute;
')
########################################
## <summary>
## Write and execute raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_wx_raw_memory',`
gen_require(`
type device_t, memory_device_t;
class chr_file execute;
')
dev_write_raw_memory($1)
allow $1 memory_device_t:chr_file execute;
')
########################################
## <summary>
## Read from random devices (e.g., /dev/random)
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_read_rand',`
gen_require(`
type device_t, random_device_t;
type device_t, cpu_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 random_device_t:chr_file r_file_perms;
allow $1 cpu_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Read from pseudo random devices (e.g., /dev/urandom)
## Read and write the the CPU microcode device. This
## is required to load CPU microcode.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_read_urand',`
interface(`dev_rw_cpu_microcode',`
gen_require(`
type device_t, urandom_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 urandom_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Write to the random device (e.g., /dev/random). This adds
## entropy used to generate the random data read from the
## random device.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_write_rand',`
gen_require(`
type device_t, random_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
allow $1 random_device_t:chr_file { getattr write ioctl };
')
########################################
## <summary>
## Write to the pseudo random device (e.g., /dev/urandom). This
## sets the random number generator seed.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_write_urand',`
gen_require(`
type device_t, urandom_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
allow $1 urandom_device_t:chr_file { getattr write ioctl };
')
########################################
## <summary>
## Read and write to the null device (/dev/null).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_rw_null_dev',`
gen_require(`
type device_t, null_device_t;
class device_t:dir r_dir_perms;
class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 null_device_t:chr_file rw_file_perms;
')
########################################
## <summary>
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_rw_zero_dev',`
gen_require(`
type device_t, zero_device_t;
class device_t:dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 zero_device_t:chr_file rw_file_perms;
')
########################################
## <summary>
## Read, write, and execute the zero device (/dev/zero).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_rwx_zero_dev',`
gen_require(`
type zero_device_t;
class chr_file execute;
')
dev_rw_zero_dev($1)
allow $1 zero_device_t:chr_file execute;
')
########################################
## <summary>
## Read the realtime clock (/dev/rtc).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_read_realtime_clock',`
gen_require(`
type device_t, clock_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 clock_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Read the realtime clock (/dev/rtc).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_write_realtime_clock',`
gen_require(`
type device_t, clock_device_t;
class dir r_dir_perms;
class chr_file { setattr lock write append ioctl };
')
allow $1 device_t:dir r_dir_perms;
allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
')
########################################
## <summary>
## Read the realtime clock (/dev/rtc).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_rw_realtime_clock',`
dev_read_realtime_clock($1)
dev_write_realtime_clock($1)
')
########################################
## <summary>
## Get the attributes of the sound devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_getattr_snd_dev',`
gen_require(`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of the sound devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_setattr_snd_dev',`
gen_require(`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file setattr;
')
########################################
## <summary>
## Read the sound devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_read_snd_dev',`
gen_require(`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Write the sound devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_write_snd_dev',`
gen_require(`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr write ioctl };
')
########################################
## <summary>
## Read the sound mixer devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_read_snd_mixer_dev',`
gen_require(`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file { getattr read ioctl };
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr read ioctl };
')
########################################
## <summary>
## Write the sound mixer devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_write_snd_mixer_dev',`
gen_require(`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr write ioctl };
')
########################################
## <summary>
## Read and write the agp devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_rw_agp_dev',`
gen_require(`
type device_t, agp_device_t;
type device_t, cpu_device_t;
class dir r_dir_perms;
class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 agp_device_t:chr_file rw_file_perms;
allow $1 cpu_device_t:chr_file rw_file_perms;
')
########################################
@ -1253,40 +908,21 @@ interface(`dev_dontaudit_rw_dri_dev',`
########################################
## <summary>
## Read the mtrr device.
## Read input event devices (/dev/input).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_read_mtrr',`
interface(`dev_read_input',`
gen_require(`
type device_t, mtrr_device_t;
type device_t, event_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 mtrr_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Write the mtrr device.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_write_mtrr',`
gen_require(`
type device_t, mtrr_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
allow $1 mtrr_device_t:chr_file { getattr write ioctl };
allow $1 event_device_t:chr_file r_file_perms;
')
########################################
@ -1457,6 +1093,90 @@ interface(`dev_delete_lvm_control',`
allow $1 lvm_control_t:chr_file unlink;
')
########################################
## <summary>
## Read raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_read_raw_memory',`
gen_require(`
type device_t, memory_device_t;
attribute memory_raw_read;
class dir r_dir_perms;
class chr_file r_file_perms;
class capability sys_rawio;
')
allow $1 device_t:dir r_dir_perms;
allow $1 memory_device_t:chr_file r_file_perms;
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_read;
')
########################################
## <summary>
## Write raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_write_raw_memory',`
gen_require(`
type device_t, memory_device_t;
attribute memory_raw_write;
class dir r_dir_perms;
class chr_file write;
class capability sys_rawio;
')
allow $1 device_t:dir r_dir_perms;
allow $1 memory_device_t:chr_file write;
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_write;
')
########################################
## <summary>
## Read and execute raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_rx_raw_memory',`
gen_require(`
type device_t, memory_device_t;
class chr_file execute;
')
dev_read_raw_memory($1)
allow $1 memory_device_t:chr_file execute;
')
########################################
## <summary>
## Write and execute raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_wx_raw_memory',`
gen_require(`
type device_t, memory_device_t;
class chr_file execute;
')
dev_write_raw_memory($1)
allow $1 memory_device_t:chr_file execute;
')
########################################
## <summary>
## Get the attributes of miscellaneous devices.
@ -1626,6 +1346,63 @@ interface(`dev_read_mouse',`
allow $1 mouse_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Read the mtrr device.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_read_mtrr',`
gen_require(`
type device_t, mtrr_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 mtrr_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Write the mtrr device.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_write_mtrr',`
gen_require(`
type device_t, mtrr_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
allow $1 mtrr_device_t:chr_file { getattr write ioctl };
')
########################################
## <summary>
## Read and write to the null device (/dev/null).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_rw_null_dev',`
gen_require(`
type device_t, null_device_t;
class device_t:dir r_dir_perms;
class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 null_device_t:chr_file rw_file_perms;
')
########################################
## <summary>
## Set the attributes of the printer device nodes.
@ -1647,60 +1424,93 @@ interface(`dev_setattr_printer',`
########################################
## <summary>
## Read input event devices (/dev/input).
## Read from random devices (e.g., /dev/random)
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_read_input',`
interface(`dev_read_rand',`
gen_require(`
type device_t, event_device_t;
type device_t, random_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 event_device_t:chr_file r_file_perms;
allow $1 random_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Read the multiplexed input device (/dev/input).
## Write to the random device (e.g., /dev/random). This adds
## entropy used to generate the random data read from the
## random device.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_read_cpuid',`
interface(`dev_write_rand',`
gen_require(`
type device_t, cpu_device_t;
type device_t, random_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
allow $1 random_device_t:chr_file { getattr write ioctl };
')
########################################
## <summary>
## Read the realtime clock (/dev/rtc).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_read_realtime_clock',`
gen_require(`
type device_t, clock_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 cpu_device_t:chr_file r_file_perms;
allow $1 clock_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Read and write the the cpu microcode device. This
## is required to load cpu microcode.
## Set the realtime clock (/dev/rtc).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_rw_cpu_microcode',`
interface(`dev_write_realtime_clock',`
gen_require(`
type device_t, cpu_device_t;
type device_t, clock_device_t;
class dir r_dir_perms;
class chr_file rw_file_perms;
class chr_file { setattr lock write append ioctl };
')
allow $1 device_t:dir r_dir_perms;
allow $1 cpu_device_t:chr_file rw_file_perms;
allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
')
########################################
## <summary>
## Read and set the realtime clock (/dev/rtc).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_rw_realtime_clock',`
dev_read_realtime_clock($1)
dev_write_realtime_clock($1)
')
########################################
@ -1796,6 +1606,120 @@ interface(`dev_rw_scanner',`
allow $1 scanner_device_t:chr_file rw_file_perms;
')
########################################
## <summary>
## Get the attributes of the sound devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_getattr_snd_dev',`
gen_require(`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file getattr;
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of the sound devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_setattr_snd_dev',`
gen_require(`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file setattr;
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file setattr;
')
########################################
## <summary>
## Read the sound devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_read_snd_dev',`
gen_require(`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Write the sound devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_write_snd_dev',`
gen_require(`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr write ioctl };
')
########################################
## <summary>
## Read the sound mixer devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_read_snd_mixer_dev',`
gen_require(`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file { getattr read ioctl };
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr read ioctl };
')
########################################
## <summary>
## Write the sound mixer devices.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_write_snd_mixer_dev',`
gen_require(`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr write ioctl };
')
########################################
## <summary>
## Get the attributes of the the power management device.
@ -1962,6 +1886,45 @@ interface(`dev_rw_sysfs',`
allow $1 sysfs_t:file rw_file_perms;
')
########################################
## <summary>
## Read from pseudo random devices (e.g., /dev/urandom)
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_read_urand',`
gen_require(`
type device_t, urandom_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 urandom_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Write to the pseudo random device (e.g., /dev/urandom). This
## sets the random number generator seed.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_write_urand',`
gen_require(`
type device_t, urandom_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
allow $1 device_t:dir r_dir_perms;
allow $1 urandom_device_t:chr_file { getattr write ioctl };
')
########################################
## <summary>
## Mount a usbfs filesystem.
@ -2150,6 +2113,43 @@ interface(`dev_dontaudit_setattr_video_dev',`
dontaudit $1 v4l_device_t:chr_file setattr;
')
########################################
## <summary>
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_rw_zero_dev',`
gen_require(`
type device_t, zero_device_t;
class device_t:dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
allow $1 zero_device_t:chr_file rw_file_perms;
')
########################################
## <summary>
## Read, write, and execute the zero device (/dev/zero).
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_rwx_zero_dev',`
gen_require(`
type zero_device_t;
class chr_file execute;
')
dev_rw_zero_dev($1)
allow $1 zero_device_t:chr_file execute;
')
########################################
## <summary>
## Unconfined access to devices.
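Review bot: In the last hunk, the relocated `dev_rw_zero_dev` carries a gen_require that does not match what it grants — it requires `class chr_file r_file_perms` while the allow rule hands out `rw_file_perms`, and `class device_t:dir r_dir_perms;` is not valid require syntax (the moved `dev_rw_null_dev` in the earlier hunk has the same malformed line). Both defects are pre-existing and merely moved by this reorder, but since the block is being rewritten in its new position anyway, correcting it to `class dir r_dir_perms;` and `class chr_file rw_file_perms;` keeps the declared requirement honest about the write access the interface actually grants. Presumably this has survived because the monolithic build discards gen_require, whereas a loadable-module build would likely reject the malformed class line or complain about the undeclared write permission — worth confirming with checkmodule. Separately, the `dev_rw_cpu_microcode` summary still reads "the the CPU microcode device" after the capitalization fix; `## Read and write the CPU microcode device. This` would finish the cleanup.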