Policy controlling access to storage devices

######################################## ##

## Allow the caller to get the attributes of fixed disk ## device nodes. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_getattr_fixed_disk_dev',` gen_require(` type fixed_disk_device_t; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file getattr; ') ######################################## ##

## Do not audit attempts made by the caller to get ## the attributes of fixed disk device nodes. ##

## ##

## The type of the process to not audit. ##

## # interface(`storage_dontaudit_getattr_fixed_disk_dev',` gen_require(` type fixed_disk_device_t; ') dontaudit $1 fixed_disk_device_t:blk_file getattr; dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl ') ######################################## ##

## Allow the caller to set the attributes of fixed disk ## device nodes. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_setattr_fixed_disk_dev',` gen_require(` type fixed_disk_device_t; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file setattr; ') ######################################## ##

## Do not audit attempts made by the caller to set ## the attributes of fixed disk device nodes. ##

## ##

## The type of the process to not audit. ##

## # interface(`storage_dontaudit_setattr_fixed_disk_dev',` gen_require(` type fixed_disk_device_t; ') dontaudit $1 fixed_disk_device_t:blk_file setattr; ') ######################################## ##

## Allow the caller to directly read from a fixed disk. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_raw_read_fixed_disk',` gen_require(` attribute fixed_disk_raw_read; type fixed_disk_device_t; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; typeattribute $1 fixed_disk_raw_read; ') ######################################## ##

## Do not audit attempts made by the caller to read ## fixed disk device nodes. ##

## ##

## The type of the process to not audit. ##

## # interface(`storage_dontaudit_read_fixed_disk',` gen_require(` type fixed_disk_device_t; ') dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read }; ') ######################################## ##

## Allow the caller to directly write to a fixed disk. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_raw_write_fixed_disk',` gen_require(` attribute fixed_disk_raw_write; type fixed_disk_device_t; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file write_blk_file_perms; allow $1 fixed_disk_device_t:chr_file write_chr_file_perms; typeattribute $1 fixed_disk_raw_write; ') ######################################## ##

## Do not audit attempts made by the caller to write ## fixed disk device nodes. ##

## ##

## Domain to not audit. ##

## # interface(`storage_dontaudit_write_fixed_disk',` gen_require(` type fixed_disk_device_t; ') dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms; ') ######################################## ##

## Create, read, write, and delete fixed disk device nodes. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_manage_fixed_disk',` gen_require(` attribute fixed_disk_raw_read, fixed_disk_raw_write; type fixed_disk_device_t; ') dev_list_all_dev_nodes($1) allow $1 self:capability mknod; allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms; typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; ') ######################################## ##

## Create block devices in /dev with the fixed disk type ## via an automatic type transition. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_dev_filetrans_fixed_disk',` gen_require(` type fixed_disk_device_t; ') dev_filetrans($1,fixed_disk_device_t,blk_file) ') ######################################## ##

## Create block devices in on a tmpfs filesystem with the ## fixed disk type via an automatic type transition. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_tmpfs_filetrans_fixed_disk',` gen_require(` type fixed_disk_device_t; ') fs_tmpfs_filetrans($1,fixed_disk_device_t,blk_file) ') ######################################## ##

## Relabel fixed disk device nodes. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_relabel_fixed_disk',` gen_require(` type fixed_disk_device_t; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms; ') ######################################## ##

## Enable a fixed disk device as swap space ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_swapon_fixed_disk',` gen_require(` type fixed_disk_device_t; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file { getattr swapon }; ') ######################################## ##

## Allow the caller to get the attributes of ## the generic SCSI interface device nodes. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_getattr_scsi_generic_dev',` gen_require(` type scsi_generic_device_t; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:chr_file getattr; ') ######################################## ##

## Allow the caller to set the attributes of ## the generic SCSI interface device nodes. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_setattr_scsi_generic_dev',` gen_require(` type scsi_generic_device_t; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:chr_file setattr; ') ######################################## ##

## Allow the caller to directly read, in a ## generic fashion, from any SCSI device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_read_scsi_generic',` gen_require(` attribute scsi_generic_read; type scsi_generic_device_t; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:chr_file read_chr_file_perms; typeattribute $1 scsi_generic_read; ') ######################################## ##

## Allow the caller to directly write, in a ## generic fashion, from any SCSI device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_write_scsi_generic',` gen_require(` attribute scsi_generic_write; type scsi_generic_device_t; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:chr_file write_chr_file_perms; typeattribute $1 scsi_generic_write; ') ######################################## ##

## Set attributes of the device nodes ## for the SCSI generic inerface. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_setattr_scsi_generic_dev_dev',` gen_require(` type scsi_generic_device_t; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:chr_file setattr; ') ######################################## ##

## Do not audit attempts to read or write ## SCSI generic device interfaces. ##

## ##

## Domain to not audit. ##

## # interface(`storage_dontaudit_rw_scsi_generic',` gen_require(` type scsi_generic_device_t; ') dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms; ') ######################################## ##

## Allow the caller to get the attributes of removable ## devices device nodes. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_getattr_removable_dev',` gen_require(` type removable_device_t; ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file getattr; ') ######################################## ##

## Do not audit attempts made by the caller to get ## the attributes of removable devices device nodes. ##

## ##

## The type of the process to not audit. ##

## # interface(`storage_dontaudit_getattr_removable_dev',` gen_require(` type removable_device_t; ') dontaudit $1 removable_device_t:blk_file getattr; ') ######################################## ##

## Do not audit attempts made by the caller to read ## removable devices device nodes. ##

## ##

## The type of the process to not audit. ##

## # interface(`storage_dontaudit_read_removable_device',` gen_require(` type removable_device_t; ') dontaudit $1 removable_device_t:blk_file { getattr ioctl read }; ') ######################################## ##

## Allow the caller to set the attributes of removable ## devices device nodes. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_setattr_removable_dev',` gen_require(` type removable_device_t; ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file setattr; ') ######################################## ##

## Do not audit attempts made by the caller to set ## the attributes of removable devices device nodes. ##

## ##

## The type of the process to not audit. ##

## # interface(`storage_dontaudit_setattr_removable_dev',` gen_require(` type removable_device_t; ') dontaudit $1 removable_device_t:blk_file setattr; ') ######################################## ##

## Allow the caller to directly read from ## a removable device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_raw_read_removable_device',` gen_require(` type removable_device_t; ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file read_blk_file_perms; ') ######################################## ##

## Do not audit attempts to directly read removable devices. ##

## ##

## Domain to not audit. ##

## # interface(`storage_dontaudit_raw_read_removable_device',` gen_require(` type removable_device_t; ') dontaudit $1 removable_device_t:blk_file read_blk_file_perms; ') ######################################## ##

## Allow the caller to directly write to ## a removable device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_raw_write_removable_device',` gen_require(` type removable_device_t; ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file write_blk_file_perms; ') ######################################## ##

## Do not audit attempts to directly write removable devices. ##

## ##

## Domain to not audit. ##

## # interface(`storage_dontaudit_raw_write_removable_device',` gen_require(` type removable_device_t; ') dontaudit $1 removable_device_t:blk_file write_blk_file_perms; ') ######################################## ##

## Allow the caller to directly read ## a tape device. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_read_tape',` gen_require(` type tape_device_t; ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:chr_file read_chr_file_perms; ') ######################################## ##

## Allow the caller to directly read ## a tape device. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_write_tape',` gen_require(` type tape_device_t; ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:chr_file write_chr_file_perms; ') ######################################## ##

## Allow the caller to get the attributes ## of device nodes of tape devices. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_getattr_tape_dev',` gen_require(` type tape_device_t; ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:chr_file getattr; ') ######################################## ##

## Allow the caller to set the attributes ## of device nodes of tape devices. ##

## ##

## The type of the process performing this action. ##

## # interface(`storage_setattr_tape_dev',` gen_require(` type tape_device_t; ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:chr_file setattr; ') ######################################## ##

## Unconfined access to storage devices. ##

## ##

## Domain allowed access. ##

## # interface(`storage_unconfined',` gen_require(` attribute storage_unconfined_type; ') typeattribute $1 storage_unconfined_type; ')