<html> <head> <title> Security Enhanced Linux Reference Policy </title> <style type="text/css" media="all">@import "style.css";</style> </head> <body> <div id="Header">Security Enhanced Linux Reference Policy</div>
<div id="Content"> <a name="top"></a> <h1>Layer: kernel</h1><p/> <h2>Module: storage</h2><p/> <h3>Description:</h3> <p>Policy controlling access to storage devices</p> <a name="interfaces"></a> <h3>Interfaces: </h3>
<a name="link_storage_create_fixed_disk"></a> <div id="interface"> <div id="codeblock"> <b>storage_create_fixed_disk</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Create block devices in /dev with the fixed disk type.
</p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_create_fixed_disk_tmpfs"></a> <div id="interface"> <div id="codeblock"> <b>storage_create_fixed_disk_tmpfs</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Create fixed disk device nodes on a tmpfs filesystem. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_dontaudit_getattr_fixed_disk"></a> <div id="interface"> <div id="codeblock"> <b>storage_dontaudit_getattr_fixed_disk</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Do not audit attempts made by the caller to get the attributes of fixed disk device nodes. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process to not audit. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_dontaudit_getattr_removable_device"></a> <div id="interface"> <div id="codeblock"> <b>storage_dontaudit_getattr_removable_device</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Do not audit attempts made by the caller to get the attributes of removable device nodes. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process to not audit.
</td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_dontaudit_read_fixed_disk"></a> <div id="interface"> <div id="codeblock"> <b>storage_dontaudit_read_fixed_disk</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Do not audit attempts made by the caller to read fixed disk device nodes. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process to not audit. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_dontaudit_read_removable_device"></a> <div id="interface"> <div id="codeblock"> <b>storage_dontaudit_read_removable_device</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Do not audit attempts made by the caller to read removable device nodes. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process to not audit. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_dontaudit_setattr_fixed_disk"></a> <div id="interface"> <div id="codeblock"> <b>storage_dontaudit_setattr_fixed_disk</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Do not audit attempts made by the caller to set the attributes of fixed disk device nodes. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process to not audit.
</td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_dontaudit_setattr_removable_device"></a> <div id="interface"> <div id="codeblock"> <b>storage_dontaudit_setattr_removable_device</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Do not audit attempts made by the caller to set the attributes of removable device nodes. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process to not audit. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_getattr_fixed_disk"></a> <div id="interface"> <div id="codeblock"> <b>storage_getattr_fixed_disk</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to get the attributes of fixed disk device nodes. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_getattr_removable_device"></a> <div id="interface"> <div id="codeblock"> <b>storage_getattr_removable_device</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to get the attributes of removable device nodes. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_getattr_scsi_generic"></a> <div id="interface"> <div id="codeblock"> <b>storage_getattr_scsi_generic</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to get the attributes of the generic SCSI interface device nodes.
</p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_getattr_scsi_generic"></a> <div id="interface"> <div id="codeblock"> <b>storage_getattr_scsi_generic</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Get attributes of the device nodes for the SCSI generic interface. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_getattr_tape_device"></a> <div id="interface"> <div id="codeblock"> <b>storage_getattr_tape_device</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to get the attributes of device nodes of tape devices. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_manage_fixed_disk"></a> <div id="interface"> <div id="codeblock"> <b>storage_manage_fixed_disk</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Create, read, write, and delete fixed disk device nodes. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action.
</td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_raw_read_fixed_disk"></a> <div id="interface"> <div id="codeblock"> <b>storage_raw_read_fixed_disk</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to directly read from a fixed disk. This is extremely dangerous as it can bypass the SELinux protections for filesystem objects, and should only be used by trusted domains. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_raw_read_lvm_volume"></a> <div id="interface"> <div id="codeblock"> <b>storage_raw_read_lvm_volume</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to directly read from a logical volume. This is extremely dangerous as it can bypass the SELinux protections for filesystem objects, and should only be used by trusted domains. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_raw_read_removable_device"></a> <div id="interface"> <div id="codeblock"> <b>storage_raw_read_removable_device</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to directly read from a removable device. This is extremely dangerous as it can bypass the SELinux protections for filesystem objects, and should only be used by trusted domains. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action.
</td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_raw_write_fixed_disk"></a> <div id="interface"> <div id="codeblock"> <b>storage_raw_write_fixed_disk</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to directly write to a fixed disk. This is extremely dangerous as it can bypass the SELinux protections for filesystem objects, and should only be used by trusted domains. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_raw_write_lvm_volume"></a> <div id="interface"> <div id="codeblock"> <b>storage_raw_write_lvm_volume</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to directly write to a logical volume. This is extremely dangerous as it can bypass the SELinux protections for filesystem objects, and should only be used by trusted domains. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_raw_write_removable_device"></a> <div id="interface"> <div id="codeblock"> <b>storage_raw_write_removable_device</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to directly write to a removable device. This is extremely dangerous as it can bypass the SELinux protections for filesystem objects, and should only be used by trusted domains.
</p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_read_scsi_generic"></a> <div id="interface"> <div id="codeblock"> <b>storage_read_scsi_generic</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to directly read, in a generic fashion, from any SCSI device. This is extremely dangerous as it can bypass the SELinux protections for filesystem objects, and should only be used by trusted domains. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_read_tape_device"></a> <div id="interface"> <div id="codeblock"> <b>storage_read_tape_device</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to directly read a tape device. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_relabel_fixed_disk"></a> <div id="interface"> <div id="codeblock"> <b>storage_relabel_fixed_disk</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Relabel fixed disk device nodes. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action.
</td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_set_scsi_generic_attributes"></a> <div id="interface"> <div id="codeblock"> <b>storage_set_scsi_generic_attributes</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Set attributes of the device nodes for the SCSI generic interface. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_setattr_fixed_disk"></a> <div id="interface"> <div id="codeblock"> <b>storage_setattr_fixed_disk</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to set the attributes of fixed disk device nodes. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_setattr_removable_device"></a> <div id="interface"> <div id="codeblock"> <b>storage_setattr_removable_device</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to set the attributes of removable device nodes. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_setattr_scsi_generic"></a> <div id="interface"> <div id="codeblock"> <b>storage_setattr_scsi_generic</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to set the attributes of the generic SCSI interface device nodes.
</p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_setattr_tape_device"></a> <div id="interface"> <div id="codeblock"> <b>storage_setattr_tape_device</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to set the attributes of device nodes of tape devices. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_swapon_fixed_disk"></a> <div id="interface"> <div id="codeblock"> <b>storage_swapon_fixed_disk</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Enable a fixed disk device as swap space. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_unconfined"></a> <div id="interface"> <div id="codeblock"> <b>storage_unconfined</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Unconfined access to storage devices. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> Domain allowed access.
</td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_write_scsi_generic"></a> <div id="interface"> <div id="codeblock"> <b>storage_write_scsi_generic</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to directly write, in a generic fashion, to any SCSI device. This is extremely dangerous as it can bypass the SELinux protections for filesystem objects, and should only be used by trusted domains. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a name="link_storage_write_tape_device"></a> <div id="interface"> <div id="codeblock"> <b>storage_write_tape_device</b>( domain )<br> </div> <div id="description"> <h5>Summary</h5> <p> Allow the caller to directly write to a tape device. </p> <h5>Parameters</h5> <table border="1" cellspacing="0" cellpadding="3" width="80%"> <tr><th>Parameter:</th><th>Description:</th><th>Optional:</th></tr> <tr><td> domain </td><td> The type of the process performing this action. </td><td> No </td></tr> </table> </div> </div>
<a href="#top">Return</a> </div> </body> </html>