policy_module(storage,1.0.0)

########################################
#
# Declarations
#

attribute fixed_disk_raw_read;
attribute fixed_disk_raw_write;
attribute scsi_generic_read;
attribute scsi_generic_write;

#
# fixed_disk_device_t is the type of 
# /dev/hd* and /dev/sd*.
#
type fixed_disk_device_t;
dev_node(fixed_disk_device_t)

neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };

#
# lvm_vg_t is the type of logical volume groups
#
type lvm_vg_t;
dev_node(lvm_vg_t)

# from the subject's point of view, same as read/writing a regular
# fixed disk, so use the same assertions as above
neverallow ~fixed_disk_raw_read lvm_vg_t:{ chr_file blk_file } read;
neverallow ~fixed_disk_raw_write lvm_vg_t:{ chr_file blk_file } { append write };

#
# scsi_generic_device_t is the type of /dev/sg*
# it gives access to ALL SCSI devices (both fixed and removable)
#
type scsi_generic_device_t;
dev_node(scsi_generic_device_t)

neverallow ~scsi_generic_read scsi_generic_device_t:{ chr_file blk_file } read;
neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { append write };

#
# removable_device_t is the type of
# /dev/scd* and /dev/fd*.
#
type removable_device_t;
dev_node(removable_device_t)

#
# tape_device_t is the type of
#
type tape_device_t;
dev_node(tape_device_t)