selinux-policy/refpolicy/policy/modules/kernel/storage.if
2005-06-23 16:00:05 +00:00

581 lines
15 KiB
Plaintext

## <module name="storage">
## <summary>Policy controlling access to storage devices</summary>
########################################
## <interface name="storage_getattr_fixed_disk">
## <desc>
## Allow the caller to get the attributes of fixed disk
## device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_getattr_fixed_disk',`
gen_require(`
type fixed_disk_device_t;
class blk_file getattr;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file getattr;
')
########################################
## <interface name="storage_dontaudit_getattr_fixed_disk">
## <desc>
## Do not audit attempts made by the caller to get
## the attributes of fixed disk device nodes.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
## </interface>
#
interface(`storage_dontaudit_getattr_fixed_disk',`
gen_require(`
type fixed_disk_device_t;
class blk_file getattr;
')
dontaudit $1 fixed_disk_device_t:blk_file getattr;
')
########################################
## <interface name="storage_setattr_fixed_disk">
## <desc>
## Allow the caller to set the attributes of fixed disk
## device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_setattr_fixed_disk',`
gen_require(`
type fixed_disk_device_t;
class blk_file setattr;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file setattr;
')
########################################
## <interface name="storage_dontaudit_setattr_fixed_disk">
## <desc>
## Do not audit attempts made by the caller to set
## the attributes of fixed disk device nodes.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
## </interface>
#
interface(`storage_dontaudit_setattr_fixed_disk',`
gen_require(`
type fixed_disk_device_t;
class blk_file getattr;
')
dontaudit $1 fixed_disk_device_t:blk_file getattr;
')
########################################
## <interface name="storage_raw_read_fixed_disk">
## <desc>
## Allow the caller to directly read from a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_raw_read_fixed_disk',`
gen_require(`
attribute fixed_disk_raw_read;
type fixed_disk_device_t;
class blk_file r_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file r_file_perms;
typeattribute $1 fixed_disk_raw_read;
')
########################################
## <interface name="storage_raw_write_fixed_disk">
## <desc>
## Allow the caller to directly write to a fixed disk.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_raw_write_fixed_disk',`
gen_require(`
attribute fixed_disk_raw_write;
type fixed_disk_device_t;
class blk_file { getattr write ioctl };
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
typeattribute $1 fixed_disk_raw_write;
')
########################################
## <interface name="storage_create_fixed_disk">
## <desc>
## Create block devices in /dev with the fixed disk type.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_create_fixed_disk_dev_entry',`
gen_require(`
attribute fixed_disk_raw_read, fixed_disk_raw_write;
type fixed_disk_device_t;
class blk_file create_file_perms;
')
allow $1 fixed_disk_device_t:blk_file create_file_perms;
dev_create_dev_node($1,fixed_disk_device_t,blk_file)
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')
########################################
## <interface name="storage_manage_fixed_disk">
## <desc>
## Create, read, write, and delete fixed disk device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_manage_fixed_disk',`
gen_require(`
attribute fixed_disk_raw_read, fixed_disk_raw_write;
type fixed_disk_device_t;
class blk_file create_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file create_file_perms;
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')
########################################
## <interface name="storage_raw_read_lvm_volume">
## <desc>
## Allow the caller to directly read from a logical volume.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_raw_read_lvm_volume',`
gen_require(`
attribute fixed_disk_raw_read;
type lvm_vg_t;
class blk_file r_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 lvm_vg_t:blk_file r_file_perms;
typeattribute $1 fixed_disk_raw_read;
')
########################################
## <interface name="storage_raw_write_lvm_volume">
## <desc>
## Allow the caller to directly read from a logical volume.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_raw_write_lvm_volume',`
gen_require(`
attribute fixed_disk_raw_write;
type lvm_vg_t;
class blk_file { getattr write ioctl };
')
dev_list_all_dev_nodes($1)
allow $1 lvm_vg_t:blk_file { getattr write ioctl };
typeattribute $1 fixed_disk_raw_write;
')
########################################
## <interface name="storage_getattr_scsi_generic">
## <desc>
## Allow the caller to get the attributes of
## the generic SCSI interface device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_getattr_scsi_generic',`
gen_require(`
type scsi_generic_device_t;
class blk_file getattr;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file getattr;
')
########################################
## <interface name="storage_setattr_scsi_generic">
## <desc>
## Allow the caller to set the attributes of
## the generic SCSI interface device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_setattr_scsi_generic',`
gen_require(`
type scsi_generic_device_t;
class blk_file setattr;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file setattr;
')
########################################
## <interface name="storage_read_scsi_generic">
## <desc>
## Allow the caller to directly read, in a
## generic fashion, from any SCSI device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_read_scsi_generic',`
gen_require(`
attribute scsi_generic_read;
type scsi_generic_device_t;
class blk_file r_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file r_file_perms;
typeattribute $1 scsi_generic_read;
')
########################################
## <interface name="storage_write_scsi_generic">
## <desc>
## Allow the caller to directly write, in a
## generic fashion, from any SCSI device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_write_scsi_generic',`
gen_require(`
attribute scsi_generic_write;
type scsi_generic_device_t;
class blk_file { getattr write ioctl };
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
typeattribute $1 scsi_generic_write;
')
########################################
## <interface name="storage_getattr_scsi_generic">
## <desc>
## Get attributes of the device nodes
## for the SCSI generic inerface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_getattr_scsi_generic',`
gen_require(`
type scsi_generic_device_t;
class blk_file getattr;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file getattr;
')
########################################
## <interface name="storage_setattr_scsi_generic">
## <desc>
## Set attributes of the device nodes
## for the SCSI generic inerface.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_set_scsi_generic_attributes',`
gen_require(`
type scsi_generic_device_t;
class blk_file setattr;
')
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file setattr;
')
########################################
## <interface name="storage_getattr_removable_device">
## <desc>
## Allow the caller to get the attributes of removable
## devices device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_getattr_removable_device',`
gen_require(`
type removable_device_t;
class blk_file getattr;
')
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file getattr;
')
########################################
## <interface name="storage_dontaudit_getattr_removable_device">
## <desc>
## Do not audit attempts made by the caller to get
## the attributes of removable devices device nodes.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
## </interface>
#
interface(`storage_dontaudit_getattr_removable_device',`
gen_require(`
type removable_device_t;
class blk_file getattr;
')
dontaudit $1 removable_device_t:blk_file getattr;
')
########################################
## <interface name="storage_setattr_removable_device">
## <desc>
## Allow the caller to set the attributes of removable
## devices device nodes.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_setattr_removable_device',`
gen_require(`
type removable_device_t;
class blk_file setattr;
')
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file setattr;
')
########################################
## <interface name="storage_dontaudit_setattr_removable_device">
## <desc>
## Do not audit attempts made by the caller to set
## the attributes of removable devices device nodes.
## </desc>
## <param name="domain">
## The type of the process to not audit.
## </param>
## </interface>
#
interface(`storage_dontaudit_setattr_removable_device',`
gen_require(`
type removable_device_t;
class blk_file setattr;
')
dontaudit $1 removable_device_t:blk_file setattr;
')
########################################
## <interface name="storage_raw_read_removable_device">
## <desc>
## Allow the caller to directly read from
## a removable device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_raw_read_removable_device',`
gen_require(`
type removable_device_t;
class blk_file r_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file r_file_perms;
')
########################################
## <interface name="storage_raw_write_removable_device">
## <desc>
## Allow the caller to directly write to
## a removable device.
## This is extremly dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_raw_write_removable_device',`
gen_require(`
type removable_device_t;
class blk_file { getattr write ioctl };
')
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file { getattr write ioctl };
')
########################################
## <interface name="storage_read_tape_device">
## <desc>
## Allow the caller to directly read
## a tape device.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_read_tape_device',`
gen_require(`
type tape_device_t;
class blk_file r_file_perms;
')
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:blk_file r_file_perms;
')
########################################
## <interface name="storage_write_tape_device">
## <desc>
## Allow the caller to directly read
## a tape device.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_write_tape_device',`
gen_require(`
type tape_device_t;
class blk_file { getattr write ioctl };
')
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:blk_file { getattr write ioctl };
')
########################################
## <interface name="storage_getattr_tape_device">
## <desc>
## Allow the caller to get the attributes
## of device nodes of tape devices.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_getattr_tape_device',`
gen_require(`
type tape_device_t;
class blk_file getattr;
')
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:blk_file getattr;
')
########################################
## <interface name="storage_setattr_tape_device">
## <desc>
## Allow the caller to set the attributes
## of device nodes of tape devices.
## </desc>
## <param name="domain">
## The type of the process performing this action.
## </param>
## </interface>
#
interface(`storage_setattr_tape_device',`
gen_require(`
type tape_device_t;
class blk_file setattr;
')
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:blk_file setattr;
')
## </module>