This module creates the device node concept and provides the policy for many of the device files. Notable exceptions are the mass storage and terminal devices that are covered by other modules.
This module creates the concept of a device node, that is, a character or block device file, usually in /dev. All types that are used to label device nodes should use the dev_node macro.
Additionally, this module controls access to three things:
- the device directories containing device nodes
- device nodes as a group
- individual access to specific device nodes covered by this module
This module is required to be included in all policies.
Create, read, and write device nodes. The node will be transitioned to the type provided.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
file | Type to which the created node will be transitioned. | No |
objectclass(es) | Object class(es) (a single class or a set enclosed in {}) for which the transition will occur. | No |
Create a directory in the device directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed to create the directory. | No |
Allow read, write, and create for generic character device files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Delete symbolic links in device directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Delete generic files in /dev.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Delete the lvm control device.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Dontaudit getattr on all block file device nodes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to dontaudit access. | No |
Dontaudit getattr on all character file device nodes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to dontaudit access. | No |
Do not audit attempts to get the attributes of the apm bios device node.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Dontaudit getattr on generic block devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to dontaudit access. | No |
Dontaudit getattr for generic character device files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to dontaudit access. | No |
Dontaudit getattr on generic pipes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to dontaudit. | No |
Do not audit attempts to get the attributes of miscellaneous devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to get the attributes of the scanner device.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to get the attributes of video4linux device nodes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Dontaudit attempts to list all device nodes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to dontaudit listing of device nodes. | No |
Dontaudit read on all block file device nodes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Dontaudit read on all character file device nodes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to read the framebuffer.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to read and write the PCMCIA card manager device.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Dontaudit read and write on the dri devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to dontaudit access. | No |
Dontaudit getattr for generic device files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to dontaudit access. | No |
Do not audit attempts to search sysfs.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Do not audit attempts to set the attributes of the apm bios device node.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to set the attributes of the framebuffer device node.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Dontaudit setattr on generic block devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to dontaudit access. | No |
Dontaudit setattr for generic character device files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to dontaudit access. | No |
Do not audit attempts to set the attributes of symbolic links in device directories (/dev).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to set the attributes of miscellaneous devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to set the attributes of the scanner device.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Do not audit attempts to set the attributes of video4linux device nodes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain to not audit. | No |
Getattr the agp devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Getattr on all block file device nodes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Getattr on all character file device nodes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of the apm bios device node.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of the CPU microcode and id interfaces.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of the framebuffer device node.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allow getattr on generic block devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allow getattr for generic character device files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of miscellaneous devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of the mouse devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of the power management device.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of the scanner device.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of the sound devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of sysfs directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Get the attributes of a directory in the usb filesystem.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of video4linux devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Get the attributes of X server miscellaneous devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
List all of the device nodes in a device directory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed to list device nodes. | No |
List the contents of the sysfs directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Allow caller to get a list of usb hardware.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type getting the list. | No |
Read, write, create, and delete all block device files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read, write, create, and delete all character device files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create, delete, read, and write device nodes in device directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allow read, write, create, and delete for generic block files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create, delete, read, and write block device files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create, delete, read, and write character device files.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Create, delete, read, and write symbolic links in device directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Mount a usbfs filesystem.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Make the passed in type a type appropriate for use on device nodes (usually files in /dev).
Parameter: | Description: | Optional: |
---|---|---|
object_type | The object type that will be used on device nodes. | No |
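As an added example (not code from this page or from the reference policy itself), the following loadable module combines the dev_node macro described above with the create-device-node interface described earlier on this page (create, read and write device nodes, with the created node transitioned to a given type). It is for a hypothetical daemon, mydev_t, that mknod()s its own nodes under /dev. The interface names dev_create_dev_node and init_daemon_domain, the module name mydev, and the types mydev_t, mydev_exec_t and mydev_device_t are assumptions for illustration; of these names the page itself mentions only dev_node.

```m4
## mydev.te -- hypothetical module for a daemon that creates its own nodes in /dev.
## dev_create_dev_node and init_daemon_domain are assumed refpolicy interface
## names; dev_node is the macro named on this page.
policy_module(mydev, 1.0.0)

type mydev_t;
type mydev_exec_t;
init_daemon_domain(mydev_t, mydev_exec_t)

# Type for the nodes this daemon creates. dev_node() marks it as a device
# node type so the module's generic device-directory interfaces treat it as one.
type mydev_device_t;
dev_node(mydev_device_t)

# Let the daemon create character and block nodes in device directories;
# nodes it creates are transitioned to mydev_device_t rather than inheriting
# the directory's default device type. Read and write on them are included.
dev_create_dev_node(mydev_t, mydev_device_t, { chr_file blk_file })

# ioctl is not part of "create, read, and write"; grant it separately if the
# daemon issues ioctls on its own nodes, and keep it off other device types.
allow mydev_t mydev_device_t:{ chr_file blk_file } ioctl;

# Caveat: the transition above covers only nodes this domain creates itself.
# Nodes created by udev or present at boot must be labeled by a file context
# entry in mydev.fc, for example:
#   /dev/mydev[0-9]*  -c  gen_context(system_u:object_r:mydev_device_t,s0)
# followed by `restorecon -v /dev/mydev*` (device name assumed).
```

After loading the module, check the label of a node the daemon creates with `ls -Z` on it; if it still shows the generic device type, the node was created by something other than mydev_t (typically udev), which is the file-context case noted in the comments.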
Read the CPU identity.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read the framebuffer.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read input event devices (/dev/input).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read the lvm control device.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read miscellaneous devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read the mouse devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read the mtrr device.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read from random devices (e.g., /dev/random).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read raw memory devices (e.g. /dev/mem). Reading raw memory exposes the contents of all physical memory, including key material held by other processes and the kernel, so grant this only to domains that genuinely need it.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read the realtime clock (/dev/rtc).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read the sound devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read the sound mixer devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allow caller to read hardware state information.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type reading hardware state information. | No |
Read from pseudo random devices (e.g., /dev/urandom).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read USB hardware information using the usbfs filesystem interface.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Allow full relabeling (to and from) of all device nodes. A domain that can relabel every device node can relabel a restricted node (such as a raw memory device) to a type it is already allowed to read or write, so this is effectively unrestricted device access and should be treated as such.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed to relabel. | No |
Allow full relabeling (to and from) of directories in /dev.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed to relabel. | No |
Relabel symbolic links in device directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write the agp devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write the apm bios.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write the CPU microcode device. This is required to load CPU microcode.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write the dri devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write generic files in /dev.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write the lvm control device.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write to the null device (/dev/null).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write the power management device.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write the printer device.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and set the realtime clock (/dev/rtc).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and write the scanner device.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Allow caller to modify hardware state information.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type modifying hardware state information. | No |
Allow caller to modify usb hardware configuration files.
Parameter: | Description: | Optional: |
---|---|---|
domain | The process type modifying the options. | No |
Read and write to the zero device (/dev/zero).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read, write, and execute the zero device (/dev/zero). The execute permission covers mapping /dev/zero with PROT_EXEC, which some runtimes use to obtain anonymous executable memory.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Read and execute raw memory devices (e.g. /dev/mem).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Search the sysfs directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Search the directory containing USB hardware information.
Parameter: | Description: | Optional: |
---|---|---|
domain | The type of the process performing this action. | No |
Setattr on all block file device nodes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Setattr on all character file device nodes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the attributes of the apm bios device node.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the attributes of /dev directories.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the attributes of the framebuffer device node.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the attributes of miscellaneous devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the attributes of the mouse devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the attributes of the power management device.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the attributes of the printer device nodes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the attributes of the scanner device.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the attributes of the sound devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the attributes of video4linux device nodes.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the attributes of X server miscellaneous devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Unconfined access to devices. This grants access to every device node type this module defines, including raw memory, and should be reserved for unconfined or bootstrap domains; a confined domain should use the specific interfaces above instead.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Write the framebuffer.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Write miscellaneous devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Write the mtrr device.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Write to the random device (e.g., /dev/random). This mixes the written data into the kernel's entropy pool used to generate the random data read from the random device. Note that a plain write does not raise the kernel's entropy estimate; crediting entropy requires the privileged RNDADDENTROPY ioctl.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Write raw memory devices (e.g. /dev/mem).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Set the realtime clock (/dev/rtc).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Write the sound devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Write the sound mixer devices.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Write to the pseudo random device (e.g., /dev/urandom). This mixes the written data into the random number generator's pool, the way a saved seed file is fed back at boot; as with /dev/random, it does not raise the entropy estimate.
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
Write and execute raw memory devices (e.g. /dev/mem).
Parameter: | Description: | Optional: |
---|---|---|
domain | Domain allowed access. | No |
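The unconfined-access and raw-memory interfaces above are the ones to look for when reviewing any third-party module. As an added example, not from this page or from the reference policy, the hypothetical service module below shows the broad rules that audit2allow-style output tends to suggest beside the narrow interfaces that actually match the service's needs, uses the dontaudit interfaces from this page for harmless probes instead of granting them, and adds a build-time neverallow guard. The interface names dev_unconfined, dev_rw_generic_chr_files, dev_read_urand, dev_rw_null, dev_read_sysfs, dev_dontaudit_getattr_all_chr_files, dev_dontaudit_getattr_all_blk_files and init_daemon_domain, the type memory_device_t, and the module and type names mysvc, mysvc_t and mysvc_exec_t are assumed for illustration; the page describes these interfaces but does not name them.

```m4
## mysvc.te -- hypothetical confined service needing randomness and sysfs data.
## All dev_* and init_* interface names and memory_device_t are assumed
## refpolicy names.
policy_module(mysvc, 1.0.0)

type mysvc_t;
type mysvc_exec_t;
init_daemon_domain(mysvc_t, mysvc_exec_t)

# Too broad, kept here only for contrast. dev_unconfined grants every device
# type, raw memory included; dev_rw_generic_chr_files grants every node still
# carrying the generic device label, i.e. anything udev has not relabeled.
#   dev_unconfined(mysvc_t)
#   dev_rw_generic_chr_files(mysvc_t)

# Narrow instead: name exactly the devices the service touches.
dev_read_urand(mysvc_t)   # read /dev/urandom for session keys
dev_rw_null(mysvc_t)      # stdin/stdout redirected to /dev/null by the unit
dev_read_sysfs(mysvc_t)   # read hardware state; no write, no setattr

# Libraries that stat() their way through /dev produce getattr denials the
# service does not need satisfied: silence them rather than grant them.
dev_dontaudit_getattr_all_chr_files(mysvc_t)
dev_dontaudit_getattr_all_blk_files(mysvc_t)

# Build-time guard: refuse to build if any rule in the final policy lets this
# domain at raw memory. neverallow in a module is enforced when expand-check=1
# is set in /etc/selinux/semanage.conf.
gen_require(`
	type memory_device_t;
')
neverallow mysvc_t memory_device_t:{ chr_file blk_file } { read write append execute };
```

After `semodule -i mysvc.pp`, `sesearch -A -s mysvc_t -c chr_file` (setools) lists every character-device rule the domain ended up with, which catches interfaces that are broader than their names suggest. When a denial goes missing during debugging, remember that the dontaudit rules hide it; `semodule -DB` rebuilds the policy with dontaudit disabled, and `semodule -B` restores it.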