Devices patch from Dan Walsh.

vhost_device_t added for libvirt/qemu

/dev/usbmon device added

lots of new interfaces.
Chris PeBenito 2010-06-07 09:20:18 -04:00
parent 46c0e57acf
commit fb7caddb4f
3 changed files with 74 additions and 1 deletions


@ -70,6 +70,7 @@
/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0) /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/net/vhost -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) /dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) /dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0) /dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
@ -109,9 +110,11 @@
/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/usbmon.+ -c gen_context(system_u:object_r:usbmon_device_t,s0)
ifdef(`distro_suse', ` ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
') ')
/dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
@ -152,6 +155,8 @@ ifdef(`distro_suse', `
/dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
/dev/mfpports/.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
/dev/pts(/.*)? <<none>> /dev/pts(/.*)? <<none>>
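Review bot: The new `/dev/usbmon.+` entry overlaps the existing `/dev/usb.+` pattern that maps to `usb_device_t`, so the separate `usbmon_device_t` label only takes effect if the longer pattern wins when the contexts are sorted and matched. That is worth confirming on a built policy (for example with `matchpathcon /dev/usbmon0`), because a node that falls back to `usb_device_t` would be covered by `dev_rw_generic_usb_dev` rather than by the narrower usbmon interface. Note also that `.+` needs at least one character after `usbmon`, so a bare `/dev/usbmon` node, if one exists on a given system, would still match `/dev/usb.+`. A one-line comment above the entry, such as `# usbmon must stay more specific than /dev/usb.+`, would record the dependency.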


@ -2121,6 +2121,24 @@ interface(`dev_filetrans_lirc',`
filetrans_pattern($1, device_t, lirc_device_t, chr_file) filetrans_pattern($1, device_t, lirc_device_t, chr_file)
') ')
########################################
## <summary>
## Get the attributes of the lvm comtrol device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_lvm_control',`
gen_require(`
type device_t, lvm_control_t;
')
getattr_chr_files_pattern($1, device_t, lvm_control_t)
')
######################################## ########################################
## <summary> ## <summary>
## Read the lvm comtrol device. ## Read the lvm comtrol device.
@ -2678,6 +2696,7 @@ interface(`dev_dontaudit_write_mtrr',`
type mtrr_device_t; type mtrr_device_t;
') ')
dontaudit $1 mtrr_device_t:file write;
dontaudit $1 mtrr_device_t:chr_file write; dontaudit $1 mtrr_device_t:chr_file write;
') ')
@ -3812,6 +3831,24 @@ interface(`dev_rw_generic_usb_dev',`
rw_chr_files_pattern($1, device_t, usb_device_t) rw_chr_files_pattern($1, device_t, usb_device_t)
') ')
########################################
## <summary>
## Read USB monitor devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_usbmon_dev',`
gen_require(`
type device_t, usbmon_device_t;
')
read_chr_files_pattern($1, device_t, usbmon_device_t)
')
######################################## ########################################
## <summary> ## <summary>
## Mount a usbfs filesystem. ## Mount a usbfs filesystem.
@ -4112,6 +4149,25 @@ interface(`dev_write_video_dev',`
write_chr_files_pattern($1, device_t, v4l_device_t) write_chr_files_pattern($1, device_t, v4l_device_t)
') ')
########################################
## <summary>
## Allow read/write the vhost net device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_vhost',`
gen_require(`
type vhost_device_t;
')
list_dirs_pattern($1, vhost_device_t, vhost_device_t)
rw_files_pattern($1, vhost_device_t, vhost_device_t)
')
######################################## ########################################
## <summary> ## <summary>
## Read and write VMWare devices. ## Read and write VMWare devices.
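Review bot: `dev_rw_vhost` grants directory listing and regular-file read/write on `vhost_device_t`, but this commit's file-context entries label `/dev/net/vhost` and `/dev/vhost-net` as character devices (`-c`), so the interface as written does not appear to allow `chr_file` access to the node it is named for. To match the other device interfaces in this file (`dev_rw_generic_usb_dev`, `dev_read_usbmon_dev`), require `type device_t, vhost_device_t;` and replace the two pattern calls with `rw_chr_files_pattern($1, device_t, vhost_device_t)`. That also limits the grant to the character device instead of any directory or regular file that carries the type.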


@ -1,5 +1,5 @@
policy_module(devices, 1.10.0) policy_module(devices, 1.10.1)
######################################## ########################################
# #
@ -238,6 +238,12 @@ genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
type usb_device_t; type usb_device_t;
dev_node(usb_device_t) dev_node(usb_device_t)
#
# usb_device_t is the type for /dev/usbmon
#
type usbmon_device_t;
dev_node(usbmon_device_t)
# #
# userio_device_t is the type for /dev/uio[0-9]+ # userio_device_t is the type for /dev/uio[0-9]+
# #
@ -247,6 +253,12 @@ dev_node(userio_device_t)
type v4l_device_t; type v4l_device_t;
dev_node(v4l_device_t) dev_node(v4l_device_t)
#
# vhost_device_t is the type for /dev/vhost-net
#
type vhost_device_t;
dev_node(vhost_device_t)
# Type for vmware devices. # Type for vmware devices.
type vmware_device_t; type vmware_device_t;
dev_node(vmware_device_t) dev_node(vmware_device_t)
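Review bot: The comment added above `type usbmon_device_t;` names the wrong type: it reads `# usb_device_t is the type for /dev/usbmon`, repeating the name of the neighbouring USB type. It should read `# usbmon_device_t is the type for /dev/usbmon`. Because the monitor nodes are given their own type and a read-only interface (`dev_read_usbmon_dev`) in this commit, the comment could also say that they are kept apart from `usb_device_t` so that access to USB monitoring is granted separately from general USB device access.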