rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity
f0c985ca80
selinux-policy/refpolicy/policy/modules/kernel/devices.if
Karl MacMillan f0c985ca80 Devices rename.
2005-06-13 16:22:32 +00:00

1600 lines
38 KiB
Plaintext
Raw Blame History

## <module name="devices" layer="kernel">
## <description>
## <p>
## This module creates the device node concept and provides
## the policy for many of the device files. Notable exceptions are
## the mass storage and terminal devices that are covered by other
## modules.
## </p>
## <p>
## This module creates the concept of a device node. That is a
## char or block device file, usually in /dev. All types that
## are used to label device nodes should use the dev_node macro.
## </p>
## <p>
## Additionally, this module controls access to three things:
## <ul>
## <li>the device directories containing device nodes</li>
## <li>device nodes as a group</li>
## <li>individual access to specific device nodes covered by
## this module.</li>
## </ul>
## </p>
## </description>
########################################
## <interface name="dev_node">
## <description>
## Make the passed in type a type appropriate for
## use on device nodes (usually files in /dev).
## </description>
## <parameter name="object_type">
## The object type that will be used on device nodes.
## </parameter>
## </interface>
#
define(`dev_node',`
requires_block_template(`$0'_depend)
typeattribute $1 device_node;
fs_associate($1)
optional_policy(`distro_redhat',`
fs_tmpfs_associate($1)
')
')
define(`dev_node_depend',`
attribute device_node;
')
########################################
## <interface name="dev_relabel_all_dev_nodes">
## <description>
## Allow full relabeling (to and from) of all device nodes.
## </description>
## <parameter name="domain">
## Domain allowed to relabel.
## </parameter>
## </interface>
#
define(`dev_relabel_all_dev_nodes',`
requires_block_template(`$0'_depend)
allow $1 device_node:dir { getattr relabelfrom };
allow $1 device_node:file { getattr relabelfrom };
allow $1 device_node:lnk_file { getattr relabelfrom };
allow $1 device_node:fifo_file { getattr relabelfrom };
allow $1 device_node:sock_file { getattr relabelfrom };
allow $1 { device_t device_node }:blk_file { getattr relabelfrom relabelto };
allow $1 { device_t device_node }:chr_file { getattr relabelfrom relabelto };
')
define(`dev_relabel_all_dev_nodes_depend',`
attribute device_node;
type device_t;
class dir { getattr relabelfrom };
class file { getattr relabelfrom };
class lnk_file { getattr relabelfrom };
class fifo_file { getattr relabelfrom };
class sock_file { getattr relabelfrom };
class blk_file { getattr relabelfrom relabelto };
class chr_file { getattr relabelfrom relabelto };
')
########################################
## <interface name="dev_list_all_dev_nodes">
## <description>
## List all of the device nodes in a device directory.
## </description>
## <parameter name="domain">
## Domain allowed to list device nodes.
## </parameter>
## </interface>
#
define(`dev_list_all_dev_nodes',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 device_t:lnk_file { getattr read };
')
define(`dev_list_all_dev_nodes_depend',`
type device_t;
class dir r_dir_perms;
class lnk_file { getattr read };
')
########################################
## <interface name="dev_dontaudit_list_all_dev_nodes">
## <description>
## Dontaudit attempts to list all device nodes.
## </description>
## <parameter name="domain">
## Domain to dontaudit listing of device nodes.
## </parameter>
## </interface>
#
define(`dev_dontaudit_list_all_dev_nodes',`
requires_block_template(`$0'_depend)
dontaudit $1 device_t:dir r_dir_perms;
')
define(`dev_dontaudit_list_all_dev_nodes_depend',`
type device_t;
class dir r_dir_perms;
')
########################################
## <interface name="dev_create_dir">
## <description>
## Create a directory in the device directory.
## </description>
## <parameter name="domain">
## Domain allowed to create the directory.
## </parameter>
## </interface>
#
define(`dev_create_dir',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { ra_dir_perms create };
')
define(`dev_create_dir_depend',`
type device_t;
class dir { ra_dir_perms create };
')
########################################
## <interface name="dev_dontaudit_getattr_generic_pipe">
## <description>
## Dontaudit getattr on generic pipes.
## </description>
## <parameter name="domain">
## Domain to dontaudit.
## </parameter>
## </interface>
#
define(`dev_dontaudit_getattr_generic_pipe',`
requires_block_template(`$0'_depend)
dontaudit $1 device_t:fifo_file getattr;
')
define(`dev_dontaudit_getattr_generic_pipe_depend',`
type device_t;
class fifo_file getattr;
')
########################################
## <interface name="dev_getattr_generic_blk_file">
## <description>
## Allow getattr on generic block devices.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_getattr_generic_blk_file',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 device_t:blk_file getattr;
')
define(`ddev_getattr_generic_blk_file_depend',`
type device_t;
class dir r_dir_perms;
class blk_file getattr;
')
########################################
## <interface name="dev_dontaudit_getattr_generic_blk_file">
## <description>
## Dontaudit getattr on generic block devices.
## </description>
## <parameter name="domain">
## Domain to dontaudit access.
## </parameter>
## </interface>
#
define(`ddev_dontaudit_getattr_generic_blk_files',`
requires_block_template(`$0'_depend)
dontaudit $1 device_t:blk_file getattr;
')
define(`dev_dontaudit_getattr_generic_blk_files_depend',`
type device_t;
class blk_file getattr;
')
########################################
## <interface name="dev_manage_generic_blk_file">
## <description>
## Allow read, write, create, and delete for generic
## block files.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_manage_generic_blk_file',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir rw_dir_perms;
allow $1 device_t:blk_file create_file_perms;
')
define(`dev_manage_generic_blk_file_depend',`
type device_t;
class blk_file create_file_perms;
')
########################################
## <interface name="dev_create_generic_chr_file">
## <description>
## Allow read, write, and create for generic character device files.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_create_generic_chr_file',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr search read write add_name };
allow $1 device_t:chr_file create;
allow $1 self:capability mknod;
')
define(`dev_create_generic_chr_file_depend',`
type device_t;
class dir { getattr search read write add_name };
class chr_file create;
class capability mknod;
')
########################################
## <interface name="dev_getattr_generic_chr_file">
## <description>
## Allow getattr for generic character device files.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_getattr_generic_chr_file',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 device_t:chr_file getattr;
')
define(`dev_getattr_generic_chr_file_depend',`
type device_t;
class dir r_dir_perms;
class chr_file getattr;
')
########################################
## <interface name="dev_dontaudit_getattr_generic_chr_file">
## <description>
## Dontaudit getattr for generic character device files.
## </description>
## <parameter name="domain">
## Domain to dontaudit access.
## </parameter>
## </interface>
#
define(`dev_dontaudit_getattr_generic_chr_file',`
requires_block_template(`$0'_depend)
dontaudit $1 device_t:chr_file getattr;
')
define(`dev_dontaudit_getattr_generic_chr_file',`
type device_t;
class chr_file getattr;
')
########################################
## <interface name="dev_del_generic_symlinks">
## <description>
## Delete symbolic links in device directories.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_del_generic_symlinks',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr read write remove_name };
allow $1 device_t:lnk_file unlink;
')
define(`dev_del_generic_symlinks_depend',`
attribute device_node, memory_raw_read, memory_raw_write;
type device_t;
class dir { getattr read write remove_name };
class lnk_file unlink;
')
########################################
## <interface name="dev_manage_generic_symlinks">
## <description>
## Create, delete, read, and write symbolic links in device directories.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_manage_generic_symlinks',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
')
define(`dev_manage_generic_symlinks_depend',`
type device_t;
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
class lnk_file { create read getattr setattr link unlink rename };
')
########################################
## <interface name="dev_manage_all_dev_nodes">
## <description>
## Create, delete, read, and write device nodes in device directories.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_manage_all_dev_nodes',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
# these next rules are to satisfy assertions broken by the above lines.
# the permissions hopefully can be cut back a lot
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
storage_read_scsi_generic($1)
storage_write_scsi_generic($1)
typeattribute $1 memory_raw_read;
typeattribute $1 memory_raw_write;
')
define(`dev_manage_all_dev_nodes_depend',`
attribute device_node, memory_raw_read, memory_raw_write;
type device_t;
class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
class lnk_file { create read getattr setattr link unlink rename };
class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
')
########################################
## <interface name="dev_dontaudit_rw_generic_dev_nodes">
## <description>
## Dontaudit getattr for generic device files.
## </description>
## <parameter name="domain">
## Domain to dontaudit access.
## </parameter>
## </interface>
#
define(`dev_dontaudit_rw_generic_dev_nodes',`
requires_block_template(`$0'_depend)
dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
')
define(`dev_dontaudit_rw_generic_dev_nodes_depend',`
type device_t;
class chr_file { getattr read write ioctl };
class blk_file { getattr read write ioctl };
')
########################################
## <interface name="dev_manage_generic_blk_file">
## <description>
## Create, delete, read, and write block device files.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_manage_generic_blk_file',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir rw_dir_perms;
allow $1 device_t:blk_file create_file_perms;
')
define(`dev_manage_generic_blk_file_depend',`
type device_t;
class dir rw_dir_perms;
class blk_file create_file_perms;
')
########################################
## <interface name="dev_manage_generic_chr_file">
## <description>
## Create, delete, read, and write character device files.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_manage_generic_chr_file',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir rw_dir_perms;
allow $1 device_t:chr_file create_file_perms;
')
define(`dev_manage_generic_chr_file_depend',`
type device_t;
class dir rw_dir_perms;
class chr_file create_file_perms;
')
########################################
## <interface name="dev_create_dev_node">
## <description>
## Create, read, and write device nodes. The node
## will be transitioned to the type provided.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## <parameter name="file">
## Type to which the created node will be transitioned.
## </parameter>
## <parameter name="objectclass(es)">
## Object class(es) (single or set including {}) for which this
## the transition will occur.
## </parameter>
## </interface>
#
define(`dev_create_dev_node',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir rw_dir_perms;
type_transition $1 device_t:$3 $2;
optional_policy(`distro_redhat',`
fs_tmpfs_associate($2)
')
')
define(`dev_create_dev_node_depend',`
type device_t;
class dir rw_dir_perms;
')
########################################
## <interface name="dev_getattr_all_blk_files">
## <description>
## Getattr on all block file device nodes.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_getattr_all_blk_files',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 device_node:blk_file getattr;
')
define(`dev_getattr_all_blk_files_depend',`
attribute device_node;
class blk_file getattr;
class dir r_dir_perms;
')
########################################
## <interface name="dev_dontaudit_getattr_all_blk_files">
## <description>
## Dontaudit getattr on all block file device nodes.
## </description>
## <parameter name="domain">
## Domain to dontaudit access.
## </parameter>
## </interface>
#
define(`dev_dontaudit_getattr_all_blk_files',`
requires_block_template(`$0'_depend)
allow $1 device_node:blk_file getattr;
')
define(`dev_dontaudit_getattr_all_blk_files_depend',`
attribute device_node;
class blk_file getattr;
')
########################################
## <interface name="dev_getattr_all_chr_files">
## <description>
## Getattr on all character file device nodes.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_getattr_all_chr_files',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 device_node:chr_file getattr;
')
define(`dev_getattr_all_chr_files_depend',`
attribute device_node;
class chr_file getattr;
class dir r_dir_perms;
')
########################################
## <interface name="dev_dontaudit_getattr_all_chr_files">
## <description>
## Dontaudit getattr on all character file device nodes.
## </description>
## <parameter name="domain">
## Domain to dontaudit access.
## </parameter>
## </interface>
#
define(`dev_dontaudit_getattr_all_chr_files',`
requires_block_template(`$0'_depend)
dontaudit $1 device_node:chr_file getattr;
')
define(`dev_dontaudit_getattr_all_chr_files_depend',`
attribute device_node;
class chr_file getattr;
')
########################################
## <interface name="dev_setattr_all_blk_files">
## <description>
## Setattr on all block file device nodes.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_setattr_all_blk_files',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 device_node:blk_file setattr;
')
define(`dev_setattr_all_blk_files_depend',`
attribute device_node;
class dir r_dir_perms;
class blk_file setattr;
')
########################################
## <interface name="dev_setattr_all_chr_files">
## <description>
## Setattr on all character file device nodes.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_setattr_all_chr_files',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 device_node:chr_file setattr;
')
define(`dev_setattr_all_chr_files_depend',`
attribute device_node;
class dir r_dir_perms;
class chr_file setattr;
')
########################################
## <interface name="dev_manage_all_blk_files">
## <description>
## Read, write, create, and delete all block device files.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_manage_all_blk_files',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir rw_dir_perms;
allow $1 device_node:blk_file create_file_perms;
# these next rules are to satisfy assertions broken by the above lines.
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
storage_read_scsi_generic($1)
storage_write_scsi_generic($1)
')
define(`dev_manage_all_blk_files_depend',`
attribute device_node;
class dir rw_dir_perms;
class blk_file create_file_perms;
')
########################################
## <interface name="dev_manage_all_chr_files">
## <description>
## Read, write, create, and delete all character device files.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_manage_all_chr_files',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir rw_dir_perms;
allow $1 device_node:chr_file create_file_perms;
typeattribute $1 memory_raw_read, memory_raw_write;
')
define(`dev_manage_all_chr_files_depend',`
attribute device_node, memory_raw_read, memory_raw_write;
class dir rw_dir_perms;
class chr_file create_file_perms;
')
########################################
## <interface name="dev_read_raw_memory">
## <description>
## Read raw memory devices (e.g. /dev/mem).
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_read_raw_memory',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 memory_device_t:chr_file r_file_perms;
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_read;
')
define(`dev_read_raw_memory_depend',`
type device_t, memory_device_t;
attribute memory_raw_read;
class dir r_dir_perms;
class chr_file r_file_perms;
class capability sys_rawio;
')
########################################
## <interface name="dev_write_raw_memory">
## <description>
## Write raw memory devices (e.g. /dev/mem).
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_write_raw_memory',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 memory_device_t:chr_file write;
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_write;
')
define(`dev_write_raw_memory_depend',`
type device_t, memory_device_t;
attribute memory_raw_write;
class dir r_dir_perms;
class chr_file write;
class capability sys_rawio;
')
########################################
## <interface name="dev_rx_raw_memory">
## <description>
## Read and execute raw memory devices (e.g. /dev/mem).
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_rx_raw_memory',`
requires_block_template(`$0'_depend)
dev_read_raw_memory($1)
allow $1 memory_device_t:chr_file execute;
')
define(`dev_rx_raw_memory_depend',`
type device_t, memory_device_t;
class chr_file execute;
')
########################################
## <interface name="dev_wx_raw_memory">
## <description>
## Write and execute raw memory devices (e.g. /dev/mem).
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_wx_raw_memory',`
requires_block_template(`$0'_depend)
dev_write_raw_memory($1)
allow $1 memory_device_t:chr_file execute;
')
define(`dev_wx_raw_memory_depend',`
type device_t, memory_device_t;
class chr_file execute;
')
########################################
## <interface name="dev_read_rand">
## <description>
## Read from random devices (e.g., /dev/random)
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_read_rand',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 random_device_t:chr_file r_file_perms;
')
define(`dev_read_rand_depend',`
type device_t, random_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
########################################
## <interface name="dev_read_urand">
## <description>
## Read from pseudo random devices (e.g., /dev/urandom)
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_read_urand',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 urandom_device_t:chr_file r_file_perms;
')
define(`dev_read_urand_depend',`
type device_t, urandom_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
########################################
## <interface name="dev_write_rand">
## <description>
## Write to the random device (e.g., /dev/random). This adds
## entropy used to generate the random data read from the
## random device.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_write_rand',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 random_device_t:chr_file { getattr write ioctl };
')
define(`dev_write_rand_depend',`
type device_t, random_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
########################################
## <interface name="dev_write_urand">
## <description>
## Write to the pseudo random device (e.g., /dev/urandom). This
## sets the random number generator seed.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_write_urand',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 urandom_device_t:chr_file { getattr write ioctl };
')
define(`dev_write_urand_depend',`
type device_t, urandom_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
########################################
## <interface name="dev_rw_null_dev">
## <description>
## Read and write to the null device (/dev/null).
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_rw_null_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 null_device_t:chr_file rw_file_perms;
')
define(`dev_rw_null_dev_depend',`
type device_t, null_device_t;
class device_t:dir r_dir_perms;
class chr_file rw_file_perms;
')
########################################
## <interface name="dev_rw_zero_dev">
## <description>
## Read and write to the zero device (/dev/zero).
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_rw_zero_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 zero_device_t:chr_file rw_file_perms;
')
define(`dev_rw_zero_dev_depend',`
type device_t, zero_device_t;
class device_t:dir r_dir_perms;
class chr_file r_file_perms;
')
########################################
## <interface name="dev_rwx_zero_dev">
## <description>
## Read, write, and execute the zero device (/dev/zero).
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_rwx_zero_dev',`
requires_block_template(`$0'_depend)
dev_rw_zero_dev($1)
allow $1 zero_device_t:chr_file execute;
')
define(`dev_rwx_zero_dev_depend',`
type zero_device_t;
class chr_file execute;
')
########################################
## <interface name="dev_read_realtime_clock">
## <description>
## Read the realtime clock (/dev/rtc).
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_read_realtime_clock',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 clock_device_t:chr_file r_file_perms;
')
define(`dev_read_realtime_clock_depend',`
type device_t, clock_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
########################################
## <interface name="dev_write_realtime_clock">
## <description>
## Read the realtime clock (/dev/rtc).
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_write_realtime_clock',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
')
define(`dev_write_realtime_clock_depend',`
type device_t, clock_device_t;
class dir r_dir_perms;
class chr_file { setattr lock write append ioctl };
')
########################################
## <interface name="dev_rw_realtime_clock">
## <description>
## Read the realtime clock (/dev/rtc).
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_rw_realtime_clock',`
dev_read_realtime_clock($1)
dev_write_realtime_clock($1)
')
########################################
## <interface name="dev_read_snd_dev">
## <description>
## Read the sound devices.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_read_snd_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file r_file_perms;
')
define(`dev_read_snd_dev_depend',`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
########################################
## <interface name="dev_write_snd_dev">
## <description>
## Write the sound devices.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_write_snd_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr write ioctl };
')
define(`dev_write_snd_dev_depend',`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
########################################
## <interface name="dev_read_snd_mixer_dev">
## <description>
## Read the sound mixer devices.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_read_snd_mixer_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr read ioctl };
')
define(`dev_read_snd_mixer_dev_depend',`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file { getattr read ioctl };
')
########################################
## <interface name="dev_write_snd_mixer_dev">
## <description>
## Write the sound mixer devices.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_write_snd_mixer_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr write ioctl };
')
define(`dev_write_snd_mixer_dev_depend',`
type device_t, sound_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
########################################
## <interface name="dev_rw_agp_dev">
## <description>
## Read and write the agp devices.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_rw_agp_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 agp_device_t:chr_file rw_file_perms;
')
define(`dev_rw_agp_dev_depend',`
type device_t, agp_device_t;
class dir r_dir_perms;
class chr_file rw_file_perms;
')
########################################
## <interface name="dev_getattr_agp_dev">
## <description>
## Getattr the agp devices.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_getattr_agp_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 dri_device_t:chr_file getattr;
')
define(`dev_getattr_agp_dev_depend',`
type device_t, dri_device_t;
class dir r_dir_perms;
class chr_file getattr;
')
########################################
## <interface name="dev_rw_dri_dev">
## <description>
## Read and write the dri devices.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_rw_dri_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 dri_device_t:chr_file rw_file_perms;
')
define(`dev_rw_dri_dev_depend',`
type device_t, dri_device_t;
class dir r_dir_perms;
class chr_file rw_file_perms;
')
########################################
## <interface name="dev_dontaudit_rw_dri_dev">
## <description>
## Dontaudit read and write on the dri devices.
## </description>
## <parameter name="domain">
## Domain to dontaudit access.
## </parameter>
## </interface>
#
define(`dev_dontaudit_rw_dri_dev',`
requires_block_template(`$0'_depend)
dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
')
define(`dev_dontaudit_rw_dri_dev_depend',`
type dri_device_t;
class chr_file { getattr read write ioctl };
')
########################################
## <interface name="dev_read_mtrr">
## <description>
## Read the mtrr device.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_read_mtrr',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 mtrr_device_t:chr_file r_file_perms;
')
define(`dev_read_mtrr_depend',`
type device_t, mtrr_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
########################################
## <interface name="dev_write_mtrr">
## <description>
## Write the mtrr device.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_write_mtrr',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 mtrr_device_t:chr_file { getattr write ioctl };
')
define(`dev_write_mtrr_depend',`
type device_t, mtrr_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
########################################
## <interface name="dev_read_framebuffer">
## <description>
## Read the framebuffer device.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_read_framebuffer',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 framebuf_device_t:chr_file r_file_perms;
')
define(`dev_read_framebuffer_depend',`
type framebuf_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
########################################
## <interface name="dev_write_framebuffer">
## <description>
## Write the framebuffer device.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_write_framebuffer',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 framebuf_device_t:chr_file { getattr write ioctl };
')
define(`dev_write_framebuffer_depend',`
type device_t, framebuf_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
########################################
## <interface name="dev_read_lvm_control">
## <description>
## Read the lvm comtrol device.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_read_lvm_control',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 lvm_control_t:chr_file r_file_perms;
')
define(`dev_read_lvm_control_depend',`
type device_t, lvm_control_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
########################################
## <interface name="dev_rw_lvm_control">
## <description>
## Read and write the lvm control device.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_rw_lvm_control',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 lvm_control_t:chr_file rw_file_perms;
')
define(`dev_rw_lvm_control_depend',`
type device_t, lvm_control_t;
class dir r_dir_perms;
class chr_file rw_file_perms;
')
########################################
## <interface name="dev_delete_lvm_control">
## <description>
## Delete the lvm control device.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_delete_lvm_control',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { getattr search read write remove_name };
allow $1 lvm_control_t:chr_file unlink;
')
define(`dev_delete_lvm_control_depend',`
type device_t, lvm_control_t;
class dir { getattr search read write remove_name };
class chr_file unlink;
')
########################################
## <interface name="dev_read_misc">
## <description>
## Read miscellaneous devices.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_read_misc',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 misc_device_t:chr_file r_file_perms;
')
define(`dev_read_misc_depend',`
type device_t, misc_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
########################################
## <interface name="dev_write_misc">
## <description>
## Write miscellaneous devices.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_write_misc',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 misc_device_t:chr_file { getattr write ioctl };
')
define(`dev_write_misc_depend',`
type device_t, misc_device_t;
class dir r_dir_perms;
class chr_file { getattr write ioctl };
')
########################################
## <interface name="dev_read_mouse">
## <description>
## Read the mouse devices.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_read_mouse',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 mouse_device_t:chr_file r_file_perms;
')
define(`dev_read_mouse_depend',`
type device_t, mouse_device_t;
allow $1 device_t:dir r_dir_perms;
class chr_file r_file_perms;
')
########################################
## <interface name="dev_read_input">
## <description>
## Read the multiplexed input device (/dev/input).
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_read_input',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 event_device_t:chr_file r_file_perms;
')
define(`dev_read_input_depend',`
type device_t, event_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
########################################
## <interface name="dev_read_cpuid">
## <description>
## Read the multiplexed input device (/dev/input).
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_read_cpuid',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 cpu_device_t:chr_file r_file_perms;
')
define(`dev_read_cpuid_depend',`
type device_t, cpu_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
########################################
## <interface name="dev_rw_cpu_microcode">
## <description>
## Read and write the the cpu microcode device. This
## is required to load cpu microcode.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_rw_cpu_microcode',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 cpu_device_t:chr_file rw_file_perms;
')
define(`dev_rw_cpu_microcode_depend',`
type device_t, cpu_device_t;
class dir r_dir_perms;
class chr_file rw_file_perms;
')
########################################
## <interface name="dev_rw_scanner">
## <description>
## Read and write the the scanner device.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_rw_scanner',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 scanner_device_t:chr_file rw_file_perms;
')
define(`dev_rw_scanner_depend',`
type device_t, scanner_device_t;
class dir r_dir_perms;
class chr_file rw_file_perms;
')
########################################
## <interface name="dev_rw_power_management">
## <description>
## Read and write the the power management device.
## </description>
## <parameter name="domain">
## Domain allowed access.
## </parameter>
## </interface>
#
define(`dev_rw_power_management',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 power_device_t:chr_file rw_file_perms;
')
define(`dev_rw_power_management_depend',`
type device_t, power_device_t;
class dir r_dir_perms;
class chr_file rw_file_perms;
')
## </module>
Reference in New Issue View Git Blame Copy Permalink