# Copyright (C) 2005 Tresys Technology, LLC
##
## Policy controlling access to storage devices
##
## Every interface in this file is an m4 macro whose single argument,
## $1, is the type of the calling domain.  Each interface has a
## companion macro named <interface>_depend that lists the types,
## attributes and object classes the interface body references; the
## body hands that companion to requires_block_template as $0_depend
## ($0 being the name of the interface itself).  What
## requires_block_template expands to is defined elsewhere in the
## build (presumably a requires block for those declarations) -- check
## its definition before relying on that.

########################################
##
## Allow the caller to get the attributes of fixed disk
## device nodes.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_get_fixed_disk_attributes',`
	requires_block_template(`$0'_depend)

	# presumably lets the caller search the device directory so the
	# node is reachable at all; defined in the devices module, not here
	devices_list_device_nodes($1)
	allow $1 fixed_disk_device_t:blk_file getattr;
')

define(`storage_get_fixed_disk_attributes_depend',`
	type fixed_disk_device_t;
	class blk_file getattr;
')

########################################
##
## Do not audit attempts made by the caller to get
## the attributes of fixed disk device nodes.
##
## Parameters:
##	domain - The type of the process to not audit.
##
#
define(`storage_ignore_get_fixed_disk_attributes',`
	requires_block_template(`$0'_depend)

	# grants nothing, only silences the denial message, so no
	# devices_list_device_nodes call is needed here
	dontaudit $1 fixed_disk_device_t:blk_file getattr;
')

define(`storage_ignore_get_fixed_disk_attributes_depend',`
	type fixed_disk_device_t;
	class blk_file getattr;
')

########################################
##
## Allow the caller to set the attributes of fixed disk
## device nodes.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_set_fixed_disk_attributes',`
	requires_block_template(`$0'_depend)

	devices_list_device_nodes($1)
	allow $1 fixed_disk_device_t:blk_file setattr;
')

define(`storage_set_fixed_disk_attributes_depend',`
	type fixed_disk_device_t;
	class blk_file setattr;
')

########################################
##
## Allow the caller to directly read from a fixed disk.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_raw_read_fixed_disk',`
	requires_block_template(`$0'_depend)

	# tag the caller with the raw-read attribute; presumably so that
	# every domain with raw disk access can be enumerated or
	# constrained as a group elsewhere in the policy
	typeattribute $1 fixed_disk_raw_read;

	devices_list_device_nodes($1)
	allow $1 fixed_disk_device_t:blk_file { getattr read ioctl };
')

define(`storage_raw_read_fixed_disk_depend',`
	type fixed_disk_device_t;
	attribute fixed_disk_raw_read;
	class blk_file { getattr read ioctl };
')

########################################
##
## Allow the caller to directly write to a fixed disk.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_raw_write_fixed_disk',`
	requires_block_template(`$0'_depend)

	# tag the caller with the raw-write attribute (see the read
	# variant above for the presumed purpose)
	typeattribute $1 fixed_disk_raw_write;

	devices_list_device_nodes($1)
	allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
')

define(`storage_raw_write_fixed_disk_depend',`
	type fixed_disk_device_t;
	attribute fixed_disk_raw_write;
	class blk_file { getattr write ioctl };
')

########################################
##
## Allow the caller to directly read from a logical volume.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_raw_read_lvm_volume',`
	requires_block_template(`$0'_depend)

	# note: reuses the fixed-disk raw-read attribute rather than an
	# LVM-specific one, so lvm_vg_t raw readers and fixed_disk_device_t
	# raw readers are indistinguishable by attribute
	typeattribute $1 fixed_disk_raw_read;

	devices_list_device_nodes($1)
	allow $1 lvm_vg_t:blk_file { getattr read ioctl };
')

define(`storage_raw_read_lvm_volume_depend',`
	type lvm_vg_t;
	attribute fixed_disk_raw_read;
	class blk_file { getattr read ioctl };
')

########################################
##
## Allow the caller to directly write to a logical volume.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_raw_write_lvm_volume',`
	requires_block_template(`$0'_depend)

	# note: reuses the fixed-disk raw-write attribute rather than an
	# LVM-specific one
	typeattribute $1 fixed_disk_raw_write;

	devices_list_device_nodes($1)
	allow $1 lvm_vg_t:blk_file { getattr write ioctl };
')

define(`storage_raw_write_lvm_volume_depend',`
	type lvm_vg_t;
	attribute fixed_disk_raw_write;
	class blk_file { getattr write ioctl };
')

########################################
##
## Allow the caller to directly read, in a
## generic fashion, from any SCSI device.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_read_scsi_generic',`
	requires_block_template(`$0'_depend)

	# tag the caller so SCSI generic readers can be found by attribute
	typeattribute $1 scsi_generic_read;

	devices_list_device_nodes($1)
	# NOTE(review): this rule is on blk_file, but SCSI generic nodes
	# (/dev/sg*) are conventionally character devices.  If the
	# file_contexts label them as such, this rule never matches and
	# chr_file is what is needed -- confirm against file_contexts
	# before changing it.
	allow $1 scsi_generic_device_t:blk_file { getattr read ioctl };
')

define(`storage_read_scsi_generic_depend',`
	type scsi_generic_device_t;
	attribute scsi_generic_read;
	class blk_file { getattr read ioctl };
')

########################################
##
## Allow the caller to directly write, in a
## generic fashion, to any SCSI device.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_write_scsi_generic',`
	requires_block_template(`$0'_depend)

	# tag the caller so SCSI generic writers can be found by attribute
	typeattribute $1 scsi_generic_write;

	devices_list_device_nodes($1)
	# NOTE(review): rule is on blk_file, yet SCSI generic nodes
	# (/dev/sg*) are conventionally character devices; if the
	# file_contexts label them as chr_file this rule never matches.
	# Confirm before changing the class.
	allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
')

define(`storage_write_scsi_generic_depend',`
	type scsi_generic_device_t;
	attribute scsi_generic_write;
	class blk_file { getattr write ioctl };
')

########################################
##
## Allow the caller to get the attributes of
## SCSI generic device nodes.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_get_scsi_generic_attributes',`
	requires_block_template(`$0'_depend)

	devices_list_device_nodes($1)
	# NOTE(review): same blk_file-vs-chr_file question as the raw
	# SCSI generic interfaces -- confirm the node class.
	allow $1 scsi_generic_device_t:blk_file getattr;
')

define(`storage_get_scsi_generic_attributes_depend',`
	type scsi_generic_device_t;
	class blk_file getattr;
')

########################################
##
## Allow the caller to set the attributes of
## SCSI generic device nodes.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_set_scsi_generic_attributes',`
	requires_block_template(`$0'_depend)

	devices_list_device_nodes($1)
	# NOTE(review): same blk_file-vs-chr_file question as the raw
	# SCSI generic interfaces -- confirm the node class.
	allow $1 scsi_generic_device_t:blk_file setattr;
')

define(`storage_set_scsi_generic_attributes_depend',`
	type scsi_generic_device_t;
	class blk_file setattr;
')

########################################
##
## Allow the caller to get the attributes of
## removable device nodes.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_get_removable_device_attributes',`
	requires_block_template(`$0'_depend)

	devices_list_device_nodes($1)
	allow $1 removable_device_t:blk_file getattr;
')

define(`storage_get_removable_device_attributes_depend',`
	type removable_device_t;
	class blk_file getattr;
')

########################################
##
## Do not audit attempts made by the caller to get
## the attributes of removable device nodes.
##
## Parameters:
##	domain - The type of the process to not audit.
##
#
define(`storage_ignore_get_removable_device_attributes',`
	requires_block_template(`$0'_depend)

	# grants nothing, only silences the denial message, so no
	# devices_list_device_nodes call is needed here
	dontaudit $1 removable_device_t:blk_file getattr;
')

define(`storage_ignore_get_removable_device_attributes_depend',`
	type removable_device_t;
	class blk_file getattr;
')

########################################
##
## Allow the caller to set the attributes of
## removable device nodes.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_set_removable_device_attributes',`
	requires_block_template(`$0'_depend)

	devices_list_device_nodes($1)
	allow $1 removable_device_t:blk_file setattr;
')

define(`storage_set_removable_device_attributes_depend',`
	type removable_device_t;
	class blk_file setattr;
')

########################################
##
## Allow the caller to directly read from a removable device.
## As with fixed disks, raw block access can bypass the
## SELinux protections for filesystem objects held on the
## device, so this should only be given to trusted domains.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_raw_read_removable_device',`
	requires_block_template(`$0'_depend)

	# NOTE(review): unlike the fixed-disk raw interfaces, the caller
	# is not tagged with any attribute here, so raw readers of
	# removable media cannot be enumerated or constrained as a group.
	# Confirm that this is intentional.
	devices_list_device_nodes($1)
	allow $1 removable_device_t:blk_file { getattr read ioctl };
')

define(`storage_raw_read_removable_device_depend',`
	type removable_device_t;
	class blk_file { getattr read ioctl };
')

########################################
##
## Allow the caller to directly write to a removable device.
## As with fixed disks, raw block access can bypass the
## SELinux protections for filesystem objects held on the
## device, so this should only be given to trusted domains.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_raw_write_removable_device',`
	requires_block_template(`$0'_depend)

	# NOTE(review): no attribute is applied to the caller, unlike the
	# fixed-disk raw-write interface -- confirm that is intentional.
	devices_list_device_nodes($1)
	allow $1 removable_device_t:blk_file { getattr write ioctl };
')

define(`storage_raw_write_removable_device_depend',`
	type removable_device_t;
	class blk_file { getattr write ioctl };
')

########################################
##
## Allow the caller to read from a tape device.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_read_tape_device',`
	requires_block_template(`$0'_depend)

	devices_list_device_nodes($1)
	# NOTE(review): rule is on blk_file, but tape drive nodes
	# (/dev/st*, /dev/nst*) are conventionally character devices; if
	# the file_contexts label them as chr_file this rule never
	# matches.  Confirm before changing the class.
	allow $1 tape_device_t:blk_file { getattr read ioctl };
')

define(`storage_read_tape_device_depend',`
	type tape_device_t;
	class blk_file { getattr read ioctl };
')

########################################
##
## Allow the caller to write to a tape device.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_write_tape_device',`
	requires_block_template(`$0'_depend)

	devices_list_device_nodes($1)
	# NOTE(review): same blk_file-vs-chr_file question as
	# storage_read_tape_device -- confirm the node class.
	allow $1 tape_device_t:blk_file { getattr write ioctl };
')

define(`storage_write_tape_device_depend',`
	type tape_device_t;
	class blk_file { getattr write ioctl };
')

########################################
##
## Allow the caller to get the attributes of
## tape device nodes.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_get_tape_device_attributes',`
	requires_block_template(`$0'_depend)

	devices_list_device_nodes($1)
	# NOTE(review): same blk_file-vs-chr_file question as
	# storage_read_tape_device -- confirm the node class.
	allow $1 tape_device_t:blk_file getattr;
')

define(`storage_get_tape_device_attributes_depend',`
	type tape_device_t;
	class blk_file getattr;
')

########################################
##
## Allow the caller to set the attributes of
## tape device nodes.
##
## Parameters:
##	domain - The type of the process performing this action.
##
#
define(`storage_set_tape_device_attributes',`
	requires_block_template(`$0'_depend)

	devices_list_device_nodes($1)
	# NOTE(review): same blk_file-vs-chr_file question as
	# storage_read_tape_device -- confirm the node class.
	allow $1 tape_device_t:blk_file setattr;
')

define(`storage_set_tape_device_attributes_depend',`
	type tape_device_t;
	class blk_file setattr;
')

##