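# Copyright (C) 2005 Tresys Technology, LLC
#
# Device node interfaces.  Each devices_*(domain) macro expands to the
# policy rules granting the named access; its matching *_depend macro
# lists the types, attributes and object classes those rules reference
# (presumably consumed as a requires block by requires_block_template).
# A *_depend block that omits a type or class used by its interface
# produces an incomplete requires block, so the two are kept in step.

########################################
#
# devices_make_device_node(type)
#
# Mark $1 as a device node type (device_node attribute) and permit it to
# be associated with filesystems and tmpfs.
#
define(`devices_make_device_node',`
	requires_block_template(`$0'_depend)
	typeattribute $1 device_node;
	filesystem_associate($1,optional)
	filesystem_tmpfs_associate($1,optional)
')
define(`devices_make_device_node_depend',`
	attribute device_node;
	filesystem_associate_depend
	filesystem_tmpfs_associate_depend
')

########################################
#
# devices_manage_all_devices_labels(domain)
#
# Let $1 relabel objects away from any device_node type, and relabel
# block and character device nodes in either direction between device_t
# and device_node types.  relabelto is deliberately limited to blk_file
# and chr_file; the other classes only get relabelfrom.
#
define(`devices_manage_all_devices_labels',`
	requires_block_template(`$0'_depend)
	allow $1 device_node:dir { getattr relabelfrom };
	allow $1 device_node:file { getattr relabelfrom };
	allow $1 device_node:lnk_file { getattr relabelfrom };
	allow $1 device_node:fifo_file { getattr relabelfrom };
	allow $1 device_node:sock_file { getattr relabelfrom };
	allow $1 { device_t device_node }:blk_file { getattr relabelfrom relabelto };
	allow $1 { device_t device_node }:chr_file { getattr relabelfrom relabelto };
')
define(`devices_manage_all_devices_labels_depend',`
	attribute device_node;
	type device_t;
	class dir { getattr relabelfrom };
	class file { getattr relabelfrom };
	class lnk_file { getattr relabelfrom };
	class fifo_file { getattr relabelfrom };
	class sock_file { getattr relabelfrom };
	class blk_file { getattr relabelfrom relabelto };
	class chr_file { getattr relabelfrom relabelto };
')

########################################
#
# devices_list_device_nodes(domain)
#
# Read-only listing of device_t directories and their symbolic links.
#
define(`devices_list_device_nodes',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 device_t:lnk_file { getattr read };
')
define(`devices_list_device_nodes_depend',`
	type device_t;
	class dir { getattr read search };
	class lnk_file { getattr read };
')

########################################
#
# devices_ignore_list_device_nodes(domain)
#
# Suppress audit messages for $1 listing device_t directories; grants
# nothing.
#
define(`devices_ignore_list_device_nodes',`
	requires_block_template(`$0'_depend)
	dontaudit $1 device_t:dir { getattr read search };
')
define(`devices_ignore_list_device_nodes_depend',`
	type device_t;
	class dir { getattr read search };
')

########################################
#
# devices_get_generic_block_device_attributes(domain)
#
# Stat block device nodes labeled device_t (the generic device label).
#
define(`devices_get_generic_block_device_attributes',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr search read };
	allow $1 device_t:blk_file getattr;
')
define(`devices_get_generic_block_device_attributes_depend',`
	type device_t;
	# the interface also uses device_t:dir, so the dir class is required
	class dir { getattr search read };
	class blk_file getattr;
')

########################################
#
# devices_ignore_get_generic_block_device_attributes(domain)
#
# Suppress audit messages for $1 stat-ing device_t block devices.
#
define(`devices_ignore_get_generic_block_device_attributes',`
	requires_block_template(`$0'_depend)
	dontaudit $1 device_t:blk_file getattr;
')
define(`devices_ignore_get_generic_block_device_attributes_depend',`
	type device_t;
	class blk_file getattr;
')

########################################
#
# devices_get_generic_character_device_attributes(domain)
#
# Stat character device nodes labeled device_t.
#
define(`devices_get_generic_character_device_attributes',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr search read };
	allow $1 device_t:chr_file getattr;
')
define(`devices_get_generic_character_device_attributes_depend',`
	type device_t;
	# the interface also uses device_t:dir, so the dir class is required
	class dir { getattr search read };
	class chr_file getattr;
')

########################################
#
# devices_ignore_get_generic_character_device_attributes(domain)
#
# Suppress audit messages for $1 stat-ing device_t character devices.
#
define(`devices_ignore_get_generic_character_device_attributes',`
	requires_block_template(`$0'_depend)
	dontaudit $1 device_t:chr_file getattr;
')
define(`devices_ignore_get_generic_character_device_attributes_depend',`
	type device_t;
	class chr_file getattr;
')

########################################
## <summary>
##	Delete symbolic links in /dev.
## </summary>
## <param name="domain">
##	The type of the process performing this action.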
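## </param>
#
# Unlink symbolic links inside device_t directories.
#
define(`devices_remove_dev_symbolic_links',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read write remove_name };
	allow $1 device_t:lnk_file unlink;
')
define(`devices_remove_dev_symbolic_links_depend',`
	# only device_t is referenced by the interface; the device_node and
	# memory_raw_* attributes that used to be listed here belong to
	# devices_manage_device_nodes, not to this interface
	type device_t;
	class dir { getattr read write remove_name };
	class lnk_file unlink;
')

########################################
#
# devices_manage_dev_symbolic_links(domain)
#
# Full control of device_t directories and of symbolic links in them
# (create, rename, delete, setattr).  Does not touch device nodes
# themselves.
#
define(`devices_manage_dev_symbolic_links',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
	allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
')
define(`devices_manage_dev_symbolic_links_depend',`
	type device_t;
	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
	class lnk_file { create read getattr setattr link unlink rename };
')

########################################
#
# devices_manage_device_nodes(domain)
#
# Full control of device_t directories and of every device node, socket
# and symlink under them, including relabeling.  Because the blk_file /
# chr_file rules below cover every device_node type, this interface also
# confers raw fixed-disk, SCSI generic and raw memory access on $1 (see
# the trailing rules); treat it as an administrative-only interface.
#
define(`devices_manage_device_nodes',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
	allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
	allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
	allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
	allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };

	# these next rules are to satisfy assertions broken by the above lines.
	# the permissions hopefully can be cut back a lot
	storage_raw_read_fixed_disk($1)
	storage_raw_write_fixed_disk($1)
	storage_read_scsi_generic($1)
	storage_write_scsi_generic($1)
	typeattribute $1 memory_raw_read;
	typeattribute $1 memory_raw_write;
')
define(`devices_manage_device_nodes_depend',`
	# NOTE(review): the storage_* interfaces called above are not mirrored
	# here by *_depend calls (compare devices_make_device_node_depend);
	# confirm against the storage module whether that is needed.
	attribute device_node, memory_raw_read, memory_raw_write;
	type device_t;
	class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
	class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
	class lnk_file { create read getattr setattr link unlink rename };
	class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
	class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
')

########################################
#
# devices_ignore_modify_generic_devices(domain)
#
# Suppress audit messages for $1 reading/writing device_t device nodes.
#
define(`devices_ignore_modify_generic_devices',`
	requires_block_template(`$0'_depend)
	dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
')
define(`devices_ignore_modify_generic_devices_depend',`
	type device_t;
	class chr_file { getattr read write ioctl };
	class blk_file { getattr read write ioctl };
')

########################################
#
# devices_create_dev_entry(domain,file,objectclass(es))
#
# Let $1 create entries in device_t directories, with objects of class
# $3 automatically labeled $2.  The type $2 itself cannot be listed in
# the *_depend block, which takes no arguments.
#
define(`devices_create_dev_entry',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr search read write add_name remove_name };
	type_transition $1 device_t:$3 $2;
')
# requires_block_template expands `$0'_depend to
# devices_create_dev_entry_depend, so the depend macro must carry that
# name; the old devices_set_dev_entry_depend name is kept as an alias.
define(`devices_create_dev_entry_depend',`
	type device_t;
	class dir { getattr search read write add_name remove_name };
')
define(`devices_set_dev_entry_depend',`devices_create_dev_entry_depend')

########################################
#
# devices_get_all_block_device_attributes(domain)
#
# Stat block device nodes of any device_node type.
#
define(`devices_get_all_block_device_attributes',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 device_node:blk_file getattr;
')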
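define(`devices_get_all_block_device_attributes_depend',`
	attribute device_node;
	# the interface also searches device_t:dir
	type device_t;
	class blk_file getattr;
	class dir { getattr read search };
')

########################################
#
# devices_ignore_get_all_block_device_attributes(domain)
#
# Suppress audit messages for $1 stat-ing device_node block devices.
# Like the other devices_ignore_* interfaces this grants nothing; it
# must use dontaudit, not allow.
#
define(`devices_ignore_get_all_block_device_attributes',`
	requires_block_template(`$0'_depend)
	dontaudit $1 device_node:blk_file getattr;
')
define(`devices_ignore_get_all_block_device_attributes_depend',`
	attribute device_node;
	class blk_file getattr;
')

########################################
#
# devices_get_all_character_device_attributes(domain)
#
# Stat character device nodes of any device_node type.
#
define(`devices_get_all_character_device_attributes',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 device_node:chr_file getattr;
')
define(`devices_get_all_character_device_attributes_depend',`
	attribute device_node;
	# the interface also searches device_t:dir
	type device_t;
	class chr_file getattr;
	class dir { getattr read search };
')

########################################
#
# devices_ignore_get_all_character_device_attributes(domain)
#
# Suppress audit messages for $1 stat-ing device_node character devices.
#
define(`devices_ignore_get_all_character_device_attributes',`
	requires_block_template(`$0'_depend)
	dontaudit $1 device_node:chr_file getattr;
')
define(`devices_ignore_get_all_character_device_attributes_depend',`
	attribute device_node;
	class chr_file getattr;
')

########################################
#
# devices_set_all_block_device_attributes(domain)
#
# Change attributes (mode/ownership) of any device_node block device.
#
define(`devices_set_all_block_device_attributes',`
	requires_block_template(`$0'_depend)
	allow $1 device_node:blk_file setattr;
')
define(`devices_set_all_block_device_attributes_depend',`
	attribute device_node;
	class blk_file setattr;
')

########################################
#
# devices_set_all_character_device_attributes(domain)
#
# Change attributes (mode/ownership) of any device_node character device.
#
define(`devices_set_all_character_device_attributes',`
	requires_block_template(`$0'_depend)
	allow $1 device_node:chr_file setattr;
')
define(`devices_set_all_character_device_attributes_depend',`
	attribute device_node;
	class chr_file setattr;
')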
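########################################
#
# devices_raw_read_memory(domain)
#
# Read memory_device_t character devices (presumably the raw memory
# devices) and hold the sys_rawio capability.  Raw memory read exposes
# everything the kernel holds, so this should be confined to the few
# domains that genuinely need it; $1 is also tagged memory_raw_read so
# that assertions can find every such domain.
#
define(`devices_raw_read_memory',`
	requires_block_template(`$0'_depend)
	typeattribute $1 memory_raw_read;
	allow $1 device_t:dir { getattr read search };
	allow $1 memory_device_t:chr_file { getattr read ioctl };
	allow $1 self:capability sys_rawio;
')
define(`devices_raw_read_memory_depend',`
	type device_t, memory_device_t;
	attribute memory_raw_read;
	class dir { getattr read search };
	class chr_file { getattr read ioctl };
	class capability sys_rawio;
')

########################################
#
# devices_raw_write_memory(domain)
#
# Write memory_device_t character devices and hold sys_rawio.  Same
# caution as devices_raw_read_memory: this is kernel-integrity level
# access.  $1 is tagged memory_raw_write.
#
define(`devices_raw_write_memory',`
	requires_block_template(`$0'_depend)
	# the terminating semicolon was missing here, which is a policy
	# syntax error once the macro is expanded
	typeattribute $1 memory_raw_write;
	allow $1 device_t:dir { getattr read search };
	allow $1 memory_device_t:chr_file write;
	allow $1 self:capability sys_rawio;
')
define(`devices_raw_write_memory_depend',`
	type device_t, memory_device_t;
	attribute memory_raw_write;
	class dir { getattr read search };
	class chr_file write;
	class capability sys_rawio;
')

########################################
#
# devices_get_random_data(domain)
#
# Read random_device_t character devices.
#
define(`devices_get_random_data',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 random_device_t:chr_file { getattr read ioctl };
')
define(`devices_get_random_data_depend',`
	type device_t, random_device_t;
	class dir { getattr read search };
	class chr_file { getattr read ioctl };
')

########################################
#
# devices_get_pseudorandom_data(domain)
#
# Read urandom_device_t character devices.
#
define(`devices_get_pseudorandom_data',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 urandom_device_t:chr_file { getattr read ioctl };
')
define(`devices_get_pseudorandom_data_depend',`
	type device_t, urandom_device_t;
	class dir { getattr read search };
	class chr_file { getattr read ioctl };
')

########################################
#
# devices_add_entropy(domain)
#
# Write (and ioctl) random_device_t character devices, i.e. feed the
# entropy pool.  Write access to the random device lets $1 influence
# the pool, so limit it to entropy daemons and the like.
#
define(`devices_add_entropy',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 random_device_t:chr_file { getattr write ioctl };
')
define(`devices_add_entropy_depend',`
	type device_t, random_device_t;
	class dir { getattr read search };
	class chr_file { getattr write ioctl };
')

########################################
#
# devices_set_pseudorandom_seed(domain)
#
# Write (and ioctl) urandom_device_t character devices.
#
define(`devices_set_pseudorandom_seed',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 urandom_device_t:chr_file { getattr write ioctl };
')
define(`devices_set_pseudorandom_seed_depend',`
	type device_t, urandom_device_t;
	class dir { getattr read search };
	class chr_file { getattr write ioctl };
')

########################################
#
# devices_use_dev_null(domain)
#
# Read and write null_device_t character devices.
#
define(`devices_use_dev_null',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 null_device_t:chr_file { getattr read write append ioctl };
')
define(`devices_use_dev_null_depend',`
	type device_t, null_device_t;
	# a class requirement names only the class, never "type:class"
	class dir { getattr read search };
	class chr_file { getattr read write append ioctl };
')

########################################
#
# devices_use_dev_zero(domain)
#
# Read and write zero_device_t character devices.
#
define(`devices_use_dev_zero',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 zero_device_t:chr_file { getattr read write append ioctl };
')
define(`devices_use_dev_zero_depend',`
	type device_t, zero_device_t;
	# a class requirement names only the class, never "type:class"
	class dir { getattr read search };
	class chr_file { getattr read write append ioctl };
')

########################################
#
# devices_read_realtime_clock(domain)
#
# Read clock_device_t character devices.
#
define(`devices_read_realtime_clock',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 clock_device_t:chr_file { getattr read ioctl };
')
define(`devices_read_realtime_clock_depend',`
	type device_t, clock_device_t;
	class dir { getattr read search };
	class chr_file { getattr read ioctl };
')

########################################
#
# devices_write_realtime_clock(domain)
#
# Write clock_device_t character devices (setattr, lock, write, append,
# ioctl).  Note this does not include getattr or read; pair it with
# devices_read_realtime_clock or use devices_modify_realtime_clock.
#
define(`devices_write_realtime_clock',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
')
define(`devices_write_realtime_clock_depend',`
	type device_t, clock_device_t;
	class dir { getattr read search };
	class chr_file { setattr lock write append ioctl };
')

########################################
#
# devices_modify_realtime_clock(domain)
#
# Read and write access to the realtime clock.  Composed from the two
# interfaces above, so it needs no *_depend macro of its own.
#
define(`devices_modify_realtime_clock',`
	devices_read_realtime_clock($1)
	devices_write_realtime_clock($1)
')

########################################
#
# devices_record_sound_input(domain)
#
# Read sound_device_t character devices.
#
define(`devices_record_sound_input',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 sound_device_t:chr_file { getattr read ioctl };
')
define(`devices_record_sound_input_depend',`
	type device_t, sound_device_t;
	class dir { getattr read search };
	class chr_file { getattr read ioctl };
')

########################################
#
# devices_play_sound(domain)
#
# Write sound_device_t character devices.
#
define(`devices_play_sound',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 sound_device_t:chr_file { getattr write ioctl };
')
define(`devices_play_sound_depend',`
	type device_t, sound_device_t;
	class dir { getattr read search };
	class chr_file { getattr write ioctl };
')

########################################
#
# devices_read_sound_mixer_levels(domain)
#
# Read sound_device_t character devices.  Identical in effect to
# devices_record_sound_input; the separate name documents intent.
#
define(`devices_read_sound_mixer_levels',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 sound_device_t:chr_file { getattr read ioctl };
')
define(`devices_read_sound_mixer_levels_depend',`
	type device_t, sound_device_t;
	class dir { getattr read search };
	class chr_file { getattr read ioctl };
')

########################################
#
# devices_write_sound_mixer_levels(domain)
#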
# Write sound_device_t character devices, plus the device_t directory
# lookup needed to reach them.  Same rules as devices_play_sound; the
# separate name documents intent.
define(`devices_write_sound_mixer_levels_depend',`
	type device_t, sound_device_t;
	class dir { getattr read search };
	class chr_file { getattr ioctl write };
')
define(`devices_write_sound_mixer_levels',`
	requires_block_template(`$0'_depend)
	allow $1 sound_device_t:chr_file { getattr ioctl write };
	allow $1 device_t:dir { getattr read search };
')

########################################
#
# devices_direct_agp_access(domain)
#
# Read, write and ioctl agp_device_t character devices.
#
define(`devices_direct_agp_access_depend',`
	type device_t, agp_device_t;
	class dir { getattr read search };
	class chr_file { getattr ioctl read write };
')
define(`devices_direct_agp_access',`
	requires_block_template(`$0'_depend)
	allow $1 agp_device_t:chr_file { getattr ioctl read write };
	allow $1 device_t:dir { getattr read search };
')

########################################
#
# devices_get_direct_rendering_interface_attributes(domain)
#
# Stat dri_device_t character devices.
#
define(`devices_get_direct_rendering_interface_attributes_depend',`
	type device_t, dri_device_t;
	class dir { getattr read search };
	class chr_file getattr;
')
define(`devices_get_direct_rendering_interface_attributes',`
	requires_block_template(`$0'_depend)
	allow $1 dri_device_t:chr_file getattr;
	allow $1 device_t:dir { getattr read search };
')

########################################
#
# devices_use_direct_rendering_interface(domain)
#
# Read, write and ioctl dri_device_t character devices.
#
define(`devices_use_direct_rendering_interface_depend',`
	type device_t, dri_device_t;
	class dir { getattr read search };
	class chr_file { getattr ioctl read write };
')
define(`devices_use_direct_rendering_interface',`
	requires_block_template(`$0'_depend)
	allow $1 dri_device_t:chr_file { getattr ioctl read write };
	allow $1 device_t:dir { getattr read search };
')

########################################
#
# devices_ignore_use_direct_rendering_interface(domain)
#
# Suppress audit messages for $1 using dri_device_t devices; grants
# nothing.
#
define(`devices_ignore_use_direct_rendering_interface',`
	requires_block_template(`$0'_depend)
	dontaudit $1 dri_device_t:chr_file { getattr ioctl read write };
')
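define(`devices_ignore_use_direct_rendering_interface_depend',`
	type dri_device_t;
	class chr_file { getattr read write ioctl };
')

########################################
#
# devices_read_mtrr(domain)
#
# Read mtrr_device_t character devices.
#
define(`devices_read_mtrr',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 mtrr_device_t:chr_file { getattr read ioctl };
')
define(`devices_read_mtrr_depend',`
	type device_t, mtrr_device_t;
	class dir { getattr read search };
	class chr_file { getattr read ioctl };
')

########################################
#
# devices_write_mtrr(domain)
#
# Write (and ioctl) mtrr_device_t character devices.
#
define(`devices_write_mtrr',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 mtrr_device_t:chr_file { getattr write ioctl };
')
define(`devices_write_mtrr_depend',`
	type device_t, mtrr_device_t;
	# the interface also searches device_t:dir
	class dir { getattr read search };
	class chr_file { getattr write ioctl };
')

########################################
#
# devices_read_framebuffer(domain)
#
# Read framebuf_device_t character devices.
#
define(`devices_read_framebuffer',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 framebuf_device_t:chr_file { getattr read ioctl };
')
define(`devices_read_framebuffer_depend',`
	# device_t is used by the dir rule in the interface
	type device_t, framebuf_device_t;
	class dir { getattr read search };
	class chr_file { getattr read ioctl };
')

########################################
#
# devices_write_framebuffer(domain)
#
# Write (and ioctl) framebuf_device_t character devices.
#
define(`devices_write_framebuffer',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 framebuf_device_t:chr_file { getattr write ioctl };
')
define(`devices_write_framebuffer_depend',`
	type device_t, framebuf_device_t;
	class dir { getattr read search };
	class chr_file { getattr write ioctl };
')

########################################
#
# devices_use_lvm_control_channel(domain)
#
# Read and write lvm_control_t character devices.  Unlike the other
# interfaces here this grants no device_t:dir search; callers that need
# it must obtain it separately.
#
define(`devices_use_lvm_control_channel',`
	requires_block_template(`$0'_depend)
	allow $1 lvm_control_t:chr_file { ioctl read getattr lock write append };
')
define(`devices_use_lvm_control_channel_depend',`
	type lvm_control_t;
	class chr_file { ioctl read getattr lock write append };
')

########################################
#
# devices_read_misc(domain)
#
# Read misc_device_t character devices.
#
define(`devices_read_misc',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 misc_device_t:chr_file { getattr read ioctl };
')
define(`devices_read_misc_depend',`
	type device_t, misc_device_t;
	class dir { getattr read search };
	class chr_file { getattr read ioctl };
')

########################################
#
# devices_write_misc(domain)
#
# Write (and ioctl) misc_device_t character devices.
#
define(`devices_write_misc',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 misc_device_t:chr_file { getattr write ioctl };
')
define(`devices_write_misc_depend',`
	type device_t, misc_device_t;
	class dir { getattr read search };
	class chr_file { getattr write ioctl };
')

########################################
#
# devices_get_mouse_input(domain)
#
# Read mouse_device_t character devices.
#
define(`devices_get_mouse_input',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 mouse_device_t:chr_file { getattr read ioctl };
')
define(`devices_get_mouse_input_depend',`
	type device_t, mouse_device_t;
	# a depend block declares requirements only; the allow rule that
	# used to sit here belongs in the interface (where it already is)
	class dir { getattr read search };
	class chr_file { getattr read ioctl };
')

########################################
#
# devices_get_input_event(domain)
#
# Read event_device_t character devices.
#
define(`devices_get_input_event',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 event_device_t:chr_file { getattr read ioctl };
')
define(`devices_get_input_event_depend',`
	type device_t, event_device_t;
	class dir { getattr read search };
	class chr_file { getattr read ioctl };
')

########################################
#
# devices_get_cpuid(domain)
#
# Read cpu_device_t character devices.
#
define(`devices_get_cpuid',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 cpu_device_t:chr_file { getattr read ioctl };
')
define(`devices_get_cpuid_depend',`
	type device_t, cpu_device_t;
	class dir { getattr read search };
	class chr_file { getattr read ioctl };
')

########################################
#
# devices_load_cpu_microcode(domain)
#
# Read and write cpu_device_t character devices.  Write access here is
# what allows microcode to be loaded into the processor, so this is an
# administrative-level grant.
#
define(`devices_load_cpu_microcode',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 cpu_device_t:chr_file { getattr read write ioctl };
')
define(`devices_load_cpu_microcode_depend',`
	type device_t, cpu_device_t;
	class dir { getattr read search };
	class chr_file { getattr read write ioctl };
')

########################################
#
# devices_use_scanner(domain)
#
# Read, write and ioctl scanner_device_t character devices.
#
define(`devices_use_scanner',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 scanner_device_t:chr_file { getattr read write ioctl };
')
define(`devices_use_scanner_depend',`
	type device_t, scanner_device_t;
	class dir { getattr read search };
	class chr_file { getattr read write ioctl };
')

########################################
#
# devices_control_system_powermanagement(domain)
#
# Read, write and ioctl power_device_t character devices.
#
define(`devices_control_system_powermanagement',`
	requires_block_template(`$0'_depend)
	allow $1 device_t:dir { getattr read search };
	allow $1 power_device_t:chr_file { getattr read write ioctl };
')
define(`devices_control_system_powermanagement_depend',`
	type device_t, power_device_t;
	class dir { getattr read search };
	class chr_file { getattr read write ioctl };
')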