Layer: kernel

Module: devices

Description:

This module creates the device node concept and provides the policy for many of the device files. Notable exceptions are the mass storage and terminal devices that are covered by other modules.

This module creates the concept of a device node, that is, a character or block device file, usually in /dev. All types that are used to label device nodes should be declared with the dev_node macro.

Additionally, this module controls access to three things:

This module is required to be included in all policies.
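The following policy module illustrates how the description above fits together. It is an added example written for this page, not part of the reference policy; the domain mydevd_t, its entry point mydevd_exec_t, the device type mydevd_device_t and the path /dev/mydevd are all hypothetical, and the init_daemon_domain and rw_chr_file_perms macros are assumed to come from the init module and the reference policy's permission sets.

```selinux
policy_module(mydevd, 1.0.0)

########################################
#
# Declarations (all names hypothetical, constructed for this example)
#

# The daemon's domain and its executable type.
type mydevd_t;
type mydevd_exec_t;
init_daemon_domain(mydevd_t, mydevd_exec_t)

# The type that will label the daemon's own device node.
# dev_node() marks it as a device node type so it inherits the
# attribute-based rules of this module (listing, relabeling, dontaudit).
type mydevd_device_t;
dev_node(mydevd_device_t)

########################################
#
# Local policy
#

# Let the daemon create /dev/mydevd as a character device; the node is
# type-transitioned to mydevd_device_t instead of being left as the
# generic device type, so other domains' generic-device rules do not
# silently cover it.
dev_create_dev_node(mydevd_t, mydevd_device_t, chr_file)
allow mydevd_t mydevd_device_t:chr_file rw_chr_file_perms;

# Grant only the specific device access the daemon needs, rather than
# dev_unconfined(): entropy from /dev/urandom and the null device.
dev_read_urand(mydevd_t)
dev_rw_null_dev(mydevd_t)
```

A matching file context entry (for example `/dev/mydevd -c gen_context(system_u:object_r:mydevd_device_t,s0)` in the module's .fc file) keeps the label consistent when the node is restored with restorecon rather than created by the daemon.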

Interfaces:

dev_create_dev_node( domain , file , objectclass(es) )
Summary

Create, read, and write device nodes. The node will be transitioned to the type provided.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
file Type to which the created node will be transitioned. No
objectclass(es) Object class(es) (single or set including {}) for which the transition will occur. No
dev_create_dir( domain )
Summary

Create a directory in the device directory.

Parameters
Parameter:Description:Optional:
domain Domain allowed to create the directory. No
dev_create_generic_chr_file( domain )
Summary

Allow read, write, and create for generic character device files.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_del_generic_symlinks( domain )
Summary

Delete symbolic links in device directories.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_delete_generic_file( domain )
Summary

Delete generic files in /dev.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_delete_lvm_control( domain )
Summary

Delete the lvm control device.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_dontaudit_getattr_all_blk_files( domain )
Summary

Dontaudit getattr on all block file device nodes.

Parameters
Parameter:Description:Optional:
domain Domain to dontaudit access. No
dev_dontaudit_getattr_all_chr_files( domain )
Summary

Dontaudit getattr on all character file device nodes.

Parameters
Parameter:Description:Optional:
domain Domain to dontaudit access. No
dev_dontaudit_getattr_apm_bios( domain )
Summary

Do not audit attempts to get the attributes of the apm bios device node.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
dev_dontaudit_getattr_generic_blk_file( domain )
Summary

Dontaudit getattr on generic block devices.

Parameters
Parameter:Description:Optional:
domain Domain to dontaudit access. No
dev_dontaudit_getattr_generic_chr_file( domain )
Summary

Dontaudit getattr for generic character device files.

Parameters
Parameter:Description:Optional:
domain Domain to dontaudit access. No
dev_dontaudit_getattr_generic_pipe( domain )
Summary

Dontaudit getattr on generic pipes.

Parameters
Parameter:Description:Optional:
domain Domain to dontaudit. No
dev_dontaudit_getattr_misc( domain )
Summary

Do not audit attempts to get the attributes of miscellaneous devices.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
dev_dontaudit_getattr_scanner( domain )
Summary

Do not audit attempts to get the attributes of the scanner device.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
dev_dontaudit_getattr_video_dev( domain )
Summary

Do not audit attempts to get the attributes of video4linux device nodes.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
dev_dontaudit_list_all_dev_nodes( domain )
Summary

Dontaudit attempts to list all device nodes.

Parameters
Parameter:Description:Optional:
domain Domain to dontaudit listing of device nodes. No
dev_dontaudit_read_all_blk_files( domain )
Summary

Dontaudit read on all block file device nodes.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
dev_dontaudit_read_all_chr_files( domain )
Summary

Dontaudit read on all character file device nodes.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
dev_dontaudit_read_framebuffer( domain )
Summary

Do not audit attempts to read the framebuffer.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
dev_dontaudit_rw_cardmgr( domain )
Summary

Do not audit attempts to read and write the PCMCIA card manager device.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
dev_dontaudit_rw_dri_dev( domain )
Summary

Dontaudit read and write on the dri devices.

Parameters
Parameter:Description:Optional:
domain Domain to dontaudit access. No
dev_dontaudit_rw_generic_dev_nodes( domain )
Summary

Do not audit attempts to read and write generic device nodes.

Parameters
Parameter:Description:Optional:
domain Domain to dontaudit access. No
dev_dontaudit_search_sysfs( domain )
Summary

Do not audit attempts to search sysfs.

Parameters
Parameter:Description:Optional:
domain The type of the process performing this action. No
dev_dontaudit_setattr_apm_bios( domain )
Summary

Do not audit attempts to set the attributes of the apm bios device node.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
dev_dontaudit_setattr_framebuffer( domain )
Summary

Do not audit attempts to set the attributes of the framebuffer device node.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
dev_dontaudit_setattr_generic_blk_file( domain )
Summary

Dontaudit setattr on generic block devices.

Parameters
Parameter:Description:Optional:
domain Domain to dontaudit access. No
dev_dontaudit_setattr_generic_chr_file( domain )
Summary

Dontaudit setattr for generic character device files.

Parameters
Parameter:Description:Optional:
domain Domain to dontaudit access. No
dev_dontaudit_setattr_generic_symlink( domain )
Summary

Do not audit attempts to set the attributes of symbolic links in device directories (/dev).

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
dev_dontaudit_setattr_misc( domain )
Summary

Do not audit attempts to set the attributes of miscellaneous devices.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
dev_dontaudit_setattr_scanner( domain )
Summary

Do not audit attempts to set the attributes of the scanner device.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
dev_dontaudit_setattr_video_dev( domain )
Summary

Do not audit attempts to set the attributes of video4linux device nodes.

Parameters
Parameter:Description:Optional:
domain Domain to not audit. No
dev_getattr_agp_dev( domain )
Summary

Getattr the agp devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_getattr_all_blk_files( domain )
Summary

Getattr on all block file device nodes.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_getattr_all_chr_files( domain )
Summary

Getattr on all character file device nodes.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_getattr_apm_bios( domain )
Summary

Get the attributes of the apm bios device node.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_getattr_cpu( domain )
Summary

Get the attributes of the CPU microcode and id interfaces.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_getattr_framebuffer( domain )
Summary

Get the attributes of the framebuffer device node.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_getattr_generic_blk_file( domain )
Summary

Allow getattr on generic block devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_getattr_generic_chr_file( domain )
Summary

Allow getattr for generic character device files.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_getattr_misc( domain )
Summary

Get the attributes of miscellaneous devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_getattr_mouse( domain )
Summary

Get the attributes of the mouse devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_getattr_power_management( domain )
Summary

Get the attributes of the power management device.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_getattr_scanner( domain )
Summary

Get the attributes of the scanner device.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_getattr_snd_dev( domain )
Summary

Get the attributes of the sound devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_getattr_sysfs_dir( domain )
Summary

Get the attributes of sysfs directories.

Parameters
Parameter:Description:Optional:
domain The type of the process performing this action. No
dev_getattr_usbfs_dir( domain )
Summary

Get the attributes of a directory in the usb filesystem.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_getattr_video_dev( domain )
Summary

Get the attributes of video4linux devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_getattr_xserver_misc_dev( domain )
Summary

Get the attributes of X server miscellaneous devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_list_all_dev_nodes( domain )
Summary

List all of the device nodes in a device directory.

Parameters
Parameter:Description:Optional:
domain Domain allowed to list device nodes. No
dev_list_sysfs( domain )
Summary

List the contents of the sysfs directories.

Parameters
Parameter:Description:Optional:
domain The type of the process performing this action. No
dev_list_usbfs( domain )
Summary

Allow caller to get a list of usb hardware.

Parameters
Parameter:Description:Optional:
domain The process type getting the list. No
dev_manage_all_blk_files( domain )
Summary

Read, write, create, and delete all block device files.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_manage_all_chr_files( domain )
Summary

Read, write, create, and delete all character device files.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_manage_dev_nodes( domain )
Summary

Create, delete, read, and write device nodes in device directories.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_manage_generic_blk_file( domain )
Summary

Allow read, write, create, and delete for generic block files.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_manage_generic_blk_file( domain )
Summary

Create, delete, read, and write block device files.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_manage_generic_chr_file( domain )
Summary

Create, delete, read, and write character device files.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_manage_generic_symlinks( domain )
Summary

Create, delete, read, and write symbolic links in device directories.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_mount_usbfs( domain )
Summary

Mount a usbfs filesystem.

Parameters
Parameter:Description:Optional:
domain The type of the process performing this action. No
dev_node( object_type )
Summary

Make the passed in type a type appropriate for use on device nodes (usually files in /dev).

Parameters
Parameter:Description:Optional:
object_type The object type that will be used on device nodes. No
dev_read_cpuid( domain )
Summary

Read the CPU identity.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_read_framebuffer( domain )
Summary

Read the framebuffer.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_read_input( domain )
Summary

Read input event devices (/dev/input).

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_read_lvm_control( domain )
Summary

Read the lvm control device.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_read_misc( domain )
Summary

Read miscellaneous devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_read_mouse( domain )
Summary

Read the mouse devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_read_mtrr( domain )
Summary

Read the mtrr device.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_read_rand( domain )
Summary

Read from random devices (e.g., /dev/random).

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_read_raw_memory( domain )
Summary

Read raw memory devices (e.g. /dev/mem).

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_read_realtime_clock( domain )
Summary

Read the realtime clock (/dev/rtc).

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_read_snd_dev( domain )
Summary

Read the sound devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_read_snd_mixer_dev( domain )
Summary

Read the sound mixer devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_read_sysfs( domain )
Summary

Allow caller to read hardware state information.

Parameters
Parameter:Description:Optional:
domain The process type reading hardware state information. No
dev_read_urand( domain )
Summary

Read from pseudo random devices (e.g., /dev/urandom).

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_read_usbfs( domain )
Summary

Read USB hardware information using the usbfs filesystem interface.

Parameters
Parameter:Description:Optional:
domain The type of the process performing this action. No
dev_relabel_all_dev_nodes( domain )
Summary

Allow full relabeling (to and from) of all device nodes.

Parameters
Parameter:Description:Optional:
domain Domain allowed to relabel. No
dev_relabel_dev_dirs( domain )
Summary

Allow full relabeling (to and from) of directories in /dev.

Parameters
Parameter:Description:Optional:
domain Domain allowed to relabel. No
dev_relabel_generic_symlinks( domain )
Summary

Relabel symbolic links in device directories.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_rw_agp_dev( domain )
Summary

Read and write the agp devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_rw_apm_bios( domain )
Summary

Read and write the apm bios.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_rw_cpu_microcode( domain )
Summary

Read and write the CPU microcode device. This is required to load CPU microcode.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_rw_dri_dev( domain )
Summary

Read and write the dri devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_rw_generic_file( domain )
Summary

Read and write generic files in /dev.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_rw_lvm_control( domain )
Summary

Read and write the lvm control device.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_rw_null_dev( domain )
Summary

Read and write to the null device (/dev/null).

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_rw_power_management( domain )
Summary

Read and write the power management device.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_rw_printer( domain )
Summary

Read and write the printer device.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_rw_realtime_clock( domain )
Summary

Read and set the realtime clock (/dev/rtc).

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_rw_scanner( domain )
Summary

Read and write the scanner device.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_rw_sysfs( domain )
Summary

Allow caller to modify hardware state information.

Parameters
Parameter:Description:Optional:
domain The process type modifying hardware state information. No
dev_rw_usbfs( domain )
Summary

Allow caller to modify usb hardware configuration files.

Parameters
Parameter:Description:Optional:
domain The process type modifying the options. No
dev_rw_zero_dev( domain )
Summary

Read and write to the zero device (/dev/zero).

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_rwx_zero_dev( domain )
Summary

Read, write, and execute the zero device (/dev/zero).

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_rx_raw_memory( domain )
Summary

Read and execute raw memory devices (e.g. /dev/mem).

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_search_sysfs( domain )
Summary

Search the sysfs directories.

Parameters
Parameter:Description:Optional:
domain The type of the process performing this action. No
dev_search_usbfs( domain )
Summary

Search the directory containing USB hardware information.

Parameters
Parameter:Description:Optional:
domain The type of the process performing this action. No
dev_setattr_all_blk_files( domain )
Summary

Setattr on all block file device nodes.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_setattr_all_chr_files( domain )
Summary

Setattr on all character file device nodes.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_setattr_apm_bios( domain )
Summary

Set the attributes of the apm bios device node.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_setattr_dev_dir( domain )
Summary

Set the attributes of /dev directories.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_setattr_framebuffer( domain )
Summary

Set the attributes of the framebuffer device node.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_setattr_misc( domain )
Summary

Set the attributes of miscellaneous devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_setattr_mouse( domain )
Summary

Set the attributes of the mouse devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_setattr_power_management( domain )
Summary

Set the attributes of the power management device.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_setattr_printer( domain )
Summary

Set the attributes of the printer device nodes.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_setattr_scanner( domain )
Summary

Set the attributes of the scanner device.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_setattr_snd_dev( domain )
Summary

Set the attributes of the sound devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_setattr_video_dev( domain )
Summary

Set the attributes of video4linux device nodes.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_setattr_xserver_misc_dev( domain )
Summary

Set the attributes of X server miscellaneous devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_unconfined( domain )
Summary

Unconfined access to devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_write_framebuffer( domain )
Summary

Write the framebuffer.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_write_misc( domain )
Summary

Write miscellaneous devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_write_mtrr( domain )
Summary

Write the mtrr device.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_write_rand( domain )
Summary

Write to the random device (e.g., /dev/random). This adds entropy used to generate the random data read from the random device.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_write_raw_memory( domain )
Summary

Write raw memory devices (e.g. /dev/mem).

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_write_realtime_clock( domain )
Summary

Set the realtime clock (/dev/rtc).

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_write_snd_dev( domain )
Summary

Write the sound devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_write_snd_mixer_dev( domain )
Summary

Write the sound mixer devices.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_write_urand( domain )
Summary

Write to the pseudo random device (e.g., /dev/urandom). This sets the random number generator seed.

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No
dev_wx_raw_memory( domain )
Summary

Write and execute raw memory devices (e.g. /dev/mem).

Parameters
Parameter:Description:Optional:
domain Domain allowed access. No