## <summary>Policy controlling access to storage devices</summary>
########################################
## <summary>
##	Allow the caller to get the attributes of fixed disk
##	device nodes. Only the block device files are covered;
##	character nodes of this type are not included.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_getattr_fixed_disk_dev',`
	gen_require(`
		type fixed_disk_device_t;
	')

	# Presumably grants the /dev directory listing needed to look
	# the node up before getattr can succeed.
	dev_list_all_dev_nodes($1)
	# Only blk_file getattr is granted. The paired dontaudit interface
	# also silences chr_file getattr (/dev/rawctl); this allow does not
	# grant it.
	allow $1 fixed_disk_device_t:blk_file getattr;
')

########################################
## <summary>
##	Do not audit attempts made by the caller to get
##	the attributes of fixed disk device nodes. This only
##	suppresses the denial messages; no access is granted.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_getattr_fixed_disk_dev',`
	gen_require(`
		type fixed_disk_device_t;
	')

	# Suppress AVC denials for getattr on the block nodes...
	dontaudit $1 fixed_disk_device_t:blk_file getattr;
	# ...and on the character node of the same type.
	dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl
')

########################################
## <summary>
##	Allow the caller to set the attributes (ownership, mode,
##	timestamps) of fixed disk block device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_setattr_fixed_disk_dev',`
	gen_require(`
		type fixed_disk_device_t;
	')

	# Presumably grants the /dev directory listing needed to look
	# the node up.
	dev_list_all_dev_nodes($1)
	# setattr only; relabeling is a separate interface
	# (storage_relabel_fixed_disk).
	allow $1 fixed_disk_device_t:blk_file setattr;
')

########################################
## <summary>
##	Do not audit attempts made by the caller to set
##	the attributes of fixed disk block device nodes.
##	No access is granted.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_setattr_fixed_disk_dev',`
	gen_require(`
		type fixed_disk_device_t;
	')

	# Only the block node is silenced; unlike the getattr dontaudit
	# there is no chr_file rule here.
	dontaudit $1 fixed_disk_device_t:blk_file setattr;
')

########################################
## <summary>
##	Allow the caller to directly read from a fixed disk.
##	This is extremely dangerous as it can bypass the
##	SELinux protections for filesystem objects (every file
##	on the disk becomes readable through the raw device),
##	and should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_raw_read_fixed_disk',`
	gen_require(`
		attribute fixed_disk_raw_read;
		type fixed_disk_device_t;
	')

	# Presumably grants the /dev directory listing needed to open
	# the node.
	dev_list_all_dev_nodes($1)
	# Read access to both the block node and the character (raw)
	# node carrying the fixed disk type.
	allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
	allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
	# Mark the domain as a raw disk reader so policy elsewhere can
	# refer to all such domains as one set (e.g. for constraints or
	# auditing of high-risk access).
	typeattribute $1 fixed_disk_raw_read;
')

########################################
## <summary>
##	Do not audit attempts made by the caller to read
##	fixed disk device nodes (block and character).
##	No access is granted.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_read_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;

	')

	# Mirrors the two allow rules of storage_raw_read_fixed_disk.
	dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
	dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
')

########################################
## <summary>
##	Allow the caller to directly write to a fixed disk.
##	This is extremely dangerous as it can bypass the
##	SELinux protections for filesystem objects (any file
##	on the disk, including policy and binaries, can be
##	altered through the raw device), and should only be
##	used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_raw_write_fixed_disk',`
	gen_require(`
		attribute fixed_disk_raw_write;
		type fixed_disk_device_t;
	')

	# Presumably grants the /dev directory listing needed to open
	# the node.
	dev_list_all_dev_nodes($1)
	# Write access to both the block node and the character (raw)
	# node carrying the fixed disk type.
	allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
	allow $1 fixed_disk_device_t:chr_file write_chr_file_perms;
	# Mark the domain as a raw disk writer so policy elsewhere can
	# refer to all such domains as one set.
	typeattribute $1 fixed_disk_raw_write;
')

########################################
## <summary>
##	Do not audit attempts made by the caller to write
##	fixed disk block device nodes. No access is granted.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_write_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;

	')

	# NOTE(review): only blk_file is silenced here, whereas
	# storage_dontaudit_read_fixed_disk and storage_raw_write_fixed_disk
	# also cover chr_file. Denied writes to the character node will
	# still be audited; confirm whether that asymmetry is intended.
	dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms;
')

########################################
## <summary>
##	Allow the caller to directly read and write to a fixed disk.
##	This is extremely dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains. The domain is
##	added to both the raw read and raw write attributes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`storage_raw_rw_fixed_disk',`
	# Composed from the two single-direction interfaces, so the
	# domain receives their requires, rules and attributes.
	storage_raw_read_fixed_disk($1)
	storage_raw_write_fixed_disk($1)
')

########################################
## <summary>
##	Allow the caller to create fixed disk device nodes
##	in the generic device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`storage_create_fixed_disk_dev',`
	gen_require(`
		type fixed_disk_device_t;
	')

	# Permission to create the block node itself. The mknod
	# capability is not granted here (compare storage_manage_fixed_disk),
	# so the caller presumably obtains it elsewhere.
	allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
	# Directory entry creation in the generic /dev directories.
	dev_add_entry_generic_dirs($1)
')

########################################
## <summary>
##	Allow the caller to delete fixed disk device nodes
##	from the generic device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`storage_delete_fixed_disk_dev',`
	gen_require(`
		type fixed_disk_device_t;
	')

	# Permission to unlink the block node itself...
	allow $1 fixed_disk_device_t:blk_file delete_blk_file_perms;
	# ...and to remove its entry from the generic /dev directories.
	dev_remove_entry_generic_dirs($1)
')

########################################
## <summary>
##	Create, read, write, and delete fixed disk device nodes.
##	This also grants the mknod capability and raw read/write
##	access to the disk contents, with the same bypass risk as
##	storage_raw_rw_fixed_disk; restrict to trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_manage_fixed_disk',`
	gen_require(`
		attribute fixed_disk_raw_read, fixed_disk_raw_write;
		type fixed_disk_device_t;
	')

	# Presumably grants the /dev directory listing needed to reach
	# the nodes.
	dev_list_all_dev_nodes($1)
	# CAP_MKNOD: needed to create device nodes. This is the only
	# interface in this file that grants it.
	allow $1 self:capability mknod;
	# Full management (create/read/write/delete/...) of both the
	# block and the character nodes of the fixed disk type.
	allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
	allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms;
	# Record the domain as both a raw reader and a raw writer.
	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')

########################################
## <summary>
##	Create block devices in /dev with the fixed disk type
##	via an automatic type transition. This only sets the
##	label of newly created nodes; the create permission
##	itself must be granted separately.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_dev_filetrans_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;
	')

	# Block nodes the domain creates in /dev get fixed_disk_device_t.
	dev_filetrans($1, fixed_disk_device_t, blk_file)
')

########################################
## <summary>
##	Create block devices on a tmpfs filesystem with the
##	fixed disk type via an automatic type transition. This
##	only sets the label of newly created nodes; the create
##	permission itself must be granted separately.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_tmpfs_filetrans_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;
	')

	# Block nodes the domain creates on tmpfs get fixed_disk_device_t.
	fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file)
')

########################################
## <summary>
##	Relabel fixed disk block device nodes. Relabeling
##	changes which policy applies to the node, so this
##	should be limited to trusted labeling domains.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_relabel_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;
	')

	# Presumably grants the /dev directory listing needed to reach
	# the node.
	dev_list_all_dev_nodes($1)
	# relabelfrom/relabelto (and getattr) on the block node.
	allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
')

########################################
## <summary>
##	Enable a fixed disk block device as swap space.
##	Only getattr and swapon are granted; no read or
##	write access to the device contents.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_swapon_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;
	')

	# Presumably grants the /dev directory listing needed to reach
	# the node.
	dev_list_all_dev_nodes($1)
	# Minimal permission set for swapon(2) on the block node.
	allow $1 fixed_disk_device_t:blk_file { getattr swapon };
')

########################################
## <summary>
##	Allow the caller to get the attributes
##	of device nodes of fuse devices.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_getattr_fuse_dev',`
	gen_require(`
		type fuse_device_t;
	')

	# Presumably grants the /dev directory listing needed to reach
	# the node.
	dev_list_all_dev_nodes($1)
	# The fuse device is a character node.
	allow $1 fuse_device_t:chr_file getattr;
')

########################################
## <summary>
##	Read or write fuse device interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`storage_rw_fuse',`
	gen_require(`
		type fuse_device_t;
	')

	# NOTE(review): unlike the other allow interfaces in this file this
	# one does not call dev_list_all_dev_nodes($1); confirm callers can
	# already reach /dev. rw_file_perms (rather than rw_chr_file_perms)
	# is used here and in the matching dontaudit.
	allow $1 fuse_device_t:chr_file rw_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	fuse device interfaces. No access is granted.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_rw_fuse',`
	gen_require(`
		type fuse_device_t;
	')

	# Mirrors the allow rule of storage_rw_fuse.
	dontaudit $1 fuse_device_t:chr_file rw_file_perms;
')

########################################
## <summary>
##	Allow the caller to get the attributes of
##	the generic SCSI interface device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_getattr_scsi_generic_dev',`
	gen_require(`
		type scsi_generic_device_t;
	')

	# Presumably grants the /dev directory listing needed to reach
	# the node.
	dev_list_all_dev_nodes($1)
	# The SCSI generic (sg) device is a character node.
	allow $1 scsi_generic_device_t:chr_file getattr;
')

########################################
## <summary>
##	Allow the caller to set the attributes of
##	the generic SCSI interface device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_setattr_scsi_generic_dev',`
	gen_require(`
		type scsi_generic_device_t;
	')

	# Presumably grants the /dev directory listing needed to reach
	# the node.
	dev_list_all_dev_nodes($1)
	# NOTE(review): storage_setattr_scsi_generic_dev_dev later in this
	# file grants exactly the same access.
	allow $1 scsi_generic_device_t:chr_file setattr;
')

########################################
## <summary>
##	Allow the caller to directly read, in a
##	generic fashion, from any SCSI device.
##	This is extremely dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_read_scsi_generic',`
	gen_require(`
		attribute scsi_generic_read;
		type scsi_generic_device_t;
	')

	# Presumably grants the /dev directory listing needed to open
	# the node.
	dev_list_all_dev_nodes($1)
	# Read access to the sg character node.
	allow $1 scsi_generic_device_t:chr_file read_chr_file_perms;
	# Record the domain as a generic SCSI reader.
	typeattribute $1 scsi_generic_read;
')

########################################
## <summary>
##	Allow the caller to directly write, in a
##	generic fashion, to any SCSI device.
##	This is extremely dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_write_scsi_generic',`
	gen_require(`
		attribute scsi_generic_write;
		type scsi_generic_device_t;
	')

	# Presumably grants the /dev directory listing needed to open
	# the node.
	dev_list_all_dev_nodes($1)
	# Write access to the sg character node.
	allow $1 scsi_generic_device_t:chr_file write_chr_file_perms;
	# Record the domain as a generic SCSI writer.
	typeattribute $1 scsi_generic_write;
')

########################################
## <summary>
##	Set attributes of the device nodes
##	for the SCSI generic interface.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
# NOTE(review): this grants exactly what storage_setattr_scsi_generic_dev
# grants, and the name carries a doubled "_dev" suffix. It looks like an
# accidental duplicate; candidates are deprecating it in favour of
# storage_setattr_scsi_generic_dev once callers are checked.
interface(`storage_setattr_scsi_generic_dev_dev',`
	gen_require(`
		type scsi_generic_device_t;
	')

	# Presumably grants the /dev directory listing needed to reach
	# the node.
	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:chr_file setattr;
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	SCSI generic device interfaces. No access is granted.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_rw_scsi_generic',`
	gen_require(`
		type scsi_generic_device_t;
	')

	# rw_file_perms (not rw_chr_file_perms) is used here, matching
	# the fuse dontaudit interface in this file.
	dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
')

########################################
## <summary>
##	Allow the caller to get the attributes of the
##	block device nodes of removable devices.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_getattr_removable_dev',`
	gen_require(`
		type removable_device_t;
	')

	# Presumably grants the /dev directory listing needed to reach
	# the node.
	dev_list_all_dev_nodes($1)
	allow $1 removable_device_t:blk_file getattr;
')

########################################
## <summary>
##	Do not audit attempts made by the caller to get
##	the attributes of the block device nodes of removable
##	devices. No access is granted.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_getattr_removable_dev',`
	gen_require(`
		type removable_device_t;
	')

	# Mirrors the allow rule of storage_getattr_removable_dev.
	dontaudit $1 removable_device_t:blk_file getattr;
')

########################################
## <summary>
##	Do not audit attempts made by the caller to read
##	the block device nodes of removable devices.
##	No access is granted.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_read_removable_device',`
	gen_require(`
		type removable_device_t;

	')

	# Only the block node is covered; there is no chr_file rule for
	# removable devices anywhere in this file.
	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
')

########################################
## <summary>
##	Do not audit attempts made by the caller to write
##	the block device nodes of removable devices.
##	No access is granted.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_write_removable_device',`
	gen_require(`
		type removable_device_t;
	')

	# Companion to storage_dontaudit_read_removable_device.
	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
')

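########################################
## <summary>
##	Allow the caller to set the attributes of removable
##	device nodes.
## </summary>
## <desc>
##	<p>
##	Grants setattr on removable_device_t block device nodes,
##	i.e. changing node metadata such as mode, ownership and
##	timestamps.  It does not permit relabeling the node
##	(relabelfrom/relabelto) or reading or writing the media.
##	Loosening the DAC mode of a device node weakens the
##	defence-in-depth layer beneath SELinux, so grant this only
##	to device-management domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_setattr_removable_dev',`
	gen_require(`
		type removable_device_t;
	')

	# Interface from the devices module; presumably grants the
	# directory access needed to reach the node under /dev.
	dev_list_all_dev_nodes($1)
	allow $1 removable_device_t:blk_file setattr;
')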
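########################################
## <summary>
##	Do not audit attempts made by the caller to set
##	the attributes of removable device nodes.
## </summary>
## <desc>
##	<p>
##	Suppresses the audit record for denied setattr on
##	removable_device_t block device nodes; no access is granted.
##	Typical use is silencing a domain that blindly chmods or
##	chowns every node it finds under /dev.  Confirm the denial is
##	harmless before applying this, since a hidden setattr attempt
##	can also be a sign of a domain trying to weaken DAC on a
##	device node.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_setattr_removable_dev',`
	gen_require(`
		type removable_device_t;
	')

	# Silences the denial only; the node attributes stay unchanged.
	dontaudit $1 removable_device_t:blk_file setattr;
')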
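########################################
## <summary>
##	Allow the caller to directly read from
##	a removable device.
##	This is extremely dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <desc>
##	<p>
##	Reading the block device returns every byte on the medium,
##	so the per-file labels and DAC permissions of any filesystem
##	stored on it are never consulted.  read_blk_file_perms is a
##	permission set defined in the policy support files
##	(obj_perm_sets.spt), not here; check its contents, as it is
##	expected to cover more than the bare read permission
##	(e.g. open and ioctl).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_raw_read_removable_device',`
	gen_require(`
		type removable_device_t;
	')

	# Interface from the devices module; presumably grants the
	# directory access needed to reach the node under /dev.
	dev_list_all_dev_nodes($1)
	allow $1 removable_device_t:blk_file read_blk_file_perms;
')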
########################################
## <summary>
##	Do not audit attempts to directly read removable devices.
## </summary>
## <desc>
##	<p>
##	Suppresses the audit record for denied raw reads of
##	removable_device_t block device nodes; no access is granted.
##	A denied raw read is a useful indicator of a domain trying to
##	bypass filesystem labeling, so apply this only to a confirmed
##	benign source of audit noise.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_raw_read_removable_device',`
	gen_require(`
		type removable_device_t;
	')

	# Same permission set as storage_raw_read_removable_device()
	# so exactly the same denials are silenced; nothing is allowed.
	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
')
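########################################
## <summary>
##	Allow the caller to directly write to
##	a removable device.
##	This is extremely dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <desc>
##	<p>
##	Writing the block device modifies the medium underneath any
##	filesystem on it, so a domain with this access can plant or
##	alter arbitrary content, including file labels and setuid
##	binaries, that takes effect when the medium is next mounted.
##	write_blk_file_perms is a permission set defined in the policy
##	support files (obj_perm_sets.spt), not here; check its
##	contents, as it is expected to cover more than the bare write
##	permission (e.g. open and ioctl).
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_raw_write_removable_device',`
	gen_require(`
		type removable_device_t;
	')

	# Interface from the devices module; presumably grants the
	# directory access needed to reach the node under /dev.
	dev_list_all_dev_nodes($1)
	allow $1 removable_device_t:blk_file write_blk_file_perms;
')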
########################################
## <summary>
##	Do not audit attempts to directly write removable devices.
## </summary>
## <desc>
##	<p>
##	Suppresses the audit record for denied raw writes to
##	removable_device_t block device nodes; no access is granted.
##	Denied raw writes are a strong indicator of a domain trying
##	to tamper with media underneath the filesystem, so apply this
##	only to a confirmed benign source of audit noise.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_raw_write_removable_device',`
	gen_require(`
		type removable_device_t;
	')

	# Same permission set as storage_raw_write_removable_device()
	# so exactly the same denials are silenced; nothing is allowed.
	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
')
########################################
## <summary>
##	Allow the caller to directly read
##	a tape device.
## </summary>
## <desc>
##	<p>
##	Grants read_chr_file_perms on tape_device_t character device
##	nodes.  Unlike files on a mounted filesystem, data on tape
##	(e.g. backup archives) carries no SELinux labels of its own,
##	so this is comparable in sensitivity to raw block device reads
##	and should be limited to trusted backup and device-management
##	domains.  read_chr_file_perms is defined in the policy support
##	files, not here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_read_tape',`
	gen_require(`
		type tape_device_t;
	')

	# Interface from the devices module; presumably grants the
	# directory access needed to reach the node under /dev.
	dev_list_all_dev_nodes($1)
	allow $1 tape_device_t:chr_file read_chr_file_perms;
')
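########################################
## <summary>
##	Allow the caller to directly write
##	a tape device.
## </summary>
## <desc>
##	<p>
##	Grants write_chr_file_perms on tape_device_t character device
##	nodes.  Data on tape (e.g. backup archives) carries no SELinux
##	labels of its own, so a domain with this access can overwrite
##	or corrupt whatever is on the medium; treat it with the same
##	care as raw block device writes and grant it only to trusted
##	backup and device-management domains.  write_chr_file_perms
##	is defined in the policy support files, not here.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_write_tape',`
	gen_require(`
		type tape_device_t;
	')

	# Interface from the devices module; presumably grants the
	# directory access needed to reach the node under /dev.
	dev_list_all_dev_nodes($1)
	allow $1 tape_device_t:chr_file write_chr_file_perms;
')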
########################################
## <summary>
##	Allow the caller to get the attributes
##	of device nodes of tape devices.
## </summary>
## <desc>
##	<p>
##	Grants only getattr (stat) on tape_device_t character device
##	nodes: the caller can learn that a tape device exists and see
##	its mode, ownership and device numbers, but cannot open, read
##	or write it.  This is the low-risk probe interface; prefer it
##	over the read or write interfaces for domains that merely
##	enumerate hardware.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_getattr_tape_dev',`
	gen_require(`
		type tape_device_t;
	')

	# Interface from the devices module; presumably grants the
	# directory access needed to reach the node under /dev.
	dev_list_all_dev_nodes($1)
	allow $1 tape_device_t:chr_file getattr;
')
########################################
## <summary>
##	Allow the caller to set the attributes
##	of device nodes of tape devices.
## </summary>
## <desc>
##	<p>
##	Grants setattr on tape_device_t character device nodes,
##	i.e. changing node metadata such as mode, ownership and
##	timestamps.  It does not permit relabeling the node
##	(relabelfrom/relabelto) or reading or writing the tape.
##	Loosening the DAC mode of a device node weakens the
##	defence-in-depth layer beneath SELinux, so grant this only
##	to device-management domains.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_setattr_tape_dev',`
	gen_require(`
		type tape_device_t;
	')

	# Interface from the devices module; presumably grants the
	# directory access needed to reach the node under /dev.
	dev_list_all_dev_nodes($1)
	allow $1 tape_device_t:chr_file setattr;
')
########################################
## <summary>
##	Unconfined access to storage devices.
## </summary>
## <desc>
##	<p>
##	Adds the domain to the storage_unconfined_type attribute.  The
##	rules attached to that attribute are not in this file (they
##	are expected in storage.te); review them before using this,
##	since the attribute presumably carries raw read and write
##	access to every device type of this module, which bypasses
##	filesystem labeling entirely.  Prefer the narrower per-device
##	interfaces above whenever the domain does not truly need all
##	of it.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`storage_unconfined',`
	gen_require(`
		attribute storage_unconfined_type;
	')

	# No rules here: membership in the attribute is what grants access.
	typeattribute $1 storage_unconfined_type;
')