Chris PeBenito b16c6b
## <summary>Policy controlling access to storage devices</summary>
Chris PeBenito b16c6b
Chris PeBenito 494e98
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Allow the caller to get the attributes of fixed disk
Chris PeBenito 414e41
##	device nodes.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito b16c6b
#
Chris PeBenito 1815ba
interface(`storage_getattr_fixed_disk_dev',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		type fixed_disk_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito 0c73cd
	allow $1 fixed_disk_device_t:blk_file getattr;
Chris PeBenito b16c6b
')
Chris PeBenito b16c6b
Chris PeBenito 494e98
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Do not audit attempts made by the caller to get
Chris PeBenito 414e41
##	the attributes of fixed disk device nodes.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito b16c6b
#
Chris PeBenito 1815ba
interface(`storage_dontaudit_getattr_fixed_disk_dev',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		type fixed_disk_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	dontaudit $1 fixed_disk_device_t:blk_file getattr;
Chris PeBenito d9845a
	dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl
Chris PeBenito b16c6b
')
Chris PeBenito b16c6b
Chris PeBenito 494e98
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Allow the caller to set the attributes of fixed disk
Chris PeBenito 414e41
##	device nodes.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito b16c6b
#
Chris PeBenito 1815ba
interface(`storage_setattr_fixed_disk_dev',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		type fixed_disk_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito 0c73cd
	allow $1 fixed_disk_device_t:blk_file setattr;
Chris PeBenito b16c6b
')
Chris PeBenito b16c6b
Chris PeBenito d35c62
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Do not audit attempts made by the caller to set
Chris PeBenito 414e41
##	the attributes of fixed disk device nodes.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito d35c62
#
Chris PeBenito 1815ba
interface(`storage_dontaudit_setattr_fixed_disk_dev',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		type fixed_disk_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Chris PeBenito 2e0a88
	dontaudit $1 fixed_disk_device_t:blk_file setattr;
Chris PeBenito b16c6b
')
Chris PeBenito e181fe
Chris PeBenito 494e98
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Allow the caller to directly read from a fixed disk.
Chris PeBenito 414e41
##	This is extremly dangerous as it can bypass the
Chris PeBenito 414e41
##	SELinux protections for filesystem objects, and
Chris PeBenito 414e41
##	should only be used by trusted domains.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`storage_raw_read_fixed_disk',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		attribute fixed_disk_raw_read;
Chris PeBenito d35c62
		type fixed_disk_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito c0868a
	allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
Chris PeBenito 939a42
	allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
Chris PeBenito 0c73cd
	typeattribute $1 fixed_disk_raw_read;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito 494e98
########################################
Chris PeBenito 25c674
## <summary>
Chris PeBenito 25c674
##	Do not audit attempts made by the caller to read
Chris PeBenito 25c674
##	fixed disk device nodes.
Chris PeBenito 25c674
## </summary>
Chris PeBenito 25c674
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 25c674
##	The type of the process to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 25c674
## </param>
Chris PeBenito 25c674
#
Chris PeBenito 25c674
interface(`storage_dontaudit_read_fixed_disk',`
Chris PeBenito 25c674
	gen_require(`
Chris PeBenito 25c674
		type fixed_disk_device_t;
Chris PeBenito 6073ea
Chris PeBenito 25c674
	')
Chris PeBenito 25c674
Chris PeBenito 7aabe3
	dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
Chris PeBenito 7aabe3
	dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
Chris PeBenito 25c674
')
Chris PeBenito 25c674
Chris PeBenito 25c674
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Allow the caller to directly write to a fixed disk.
Chris PeBenito 414e41
##	This is extremly dangerous as it can bypass the
Chris PeBenito 414e41
##	SELinux protections for filesystem objects, and
Chris PeBenito 414e41
##	should only be used by trusted domains.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`storage_raw_write_fixed_disk',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		attribute fixed_disk_raw_write;
Chris PeBenito d35c62
		type fixed_disk_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito c0868a
	allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
Chris PeBenito 939a42
	allow $1 fixed_disk_device_t:chr_file write_chr_file_perms;
Chris PeBenito 0c73cd
	typeattribute $1 fixed_disk_raw_write;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito 494e98
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 07620c
##	Do not audit attempts made by the caller to write
Chris PeBenito 07620c
##	fixed disk device nodes.
Chris PeBenito 07620c
## </summary>
Chris PeBenito 07620c
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 07620c
##	Domain to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 07620c
## </param>
Chris PeBenito 07620c
#
Chris PeBenito 07620c
interface(`storage_dontaudit_write_fixed_disk',`
Chris PeBenito 07620c
	gen_require(`
Chris PeBenito 07620c
		type fixed_disk_device_t;
Chris PeBenito 6073ea
Chris PeBenito 07620c
	')
Chris PeBenito 07620c
Chris PeBenito c0868a
	dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms;
Chris PeBenito 07620c
')
Chris PeBenito 07620c
Chris PeBenito 07620c
########################################
Chris PeBenito 07620c
## <summary>
Chris PeBenito ff8f0a
##	Allow the caller to directly read and write to a fixed disk.
Chris PeBenito ff8f0a
##	This is extremly dangerous as it can bypass the
Chris PeBenito ff8f0a
##	SELinux protections for filesystem objects, and
Chris PeBenito ff8f0a
##	should only be used by trusted domains.
Chris PeBenito 90c3c5
## </summary>
Chris PeBenito 90c3c5
## <param name="domain">
Chris PeBenito ff8f0a
##	<summary>
Chris PeBenito ff8f0a
##	Domain allowed access.
Chris PeBenito ff8f0a
##	</summary>
Chris PeBenito 90c3c5
## </param>
Chris PeBenito 90c3c5
#
Chris PeBenito 90c3c5
interface(`storage_raw_rw_fixed_disk',`
Chris PeBenito 90c3c5
	storage_raw_read_fixed_disk($1)
Chris PeBenito 90c3c5
	storage_raw_write_fixed_disk($1)
Chris PeBenito 90c3c5
')
Chris PeBenito 90c3c5
Chris PeBenito 90c3c5
########################################
Chris PeBenito 90c3c5
## <summary>
Chris PeBenito b84d6e
##	Allow the caller to create fixed disk device nodes.
Chris PeBenito b84d6e
## </summary>
Chris PeBenito b84d6e
## <param name="domain">
Chris PeBenito b84d6e
##	<summary>
Chris PeBenito b84d6e
##	Domain allowed access.
Chris PeBenito b84d6e
##	</summary>
Chris PeBenito b84d6e
## </param>
Chris PeBenito b84d6e
#
Chris PeBenito b84d6e
interface(`storage_create_fixed_disk_dev',`
Chris PeBenito b84d6e
	gen_require(`
Chris PeBenito b84d6e
		type fixed_disk_device_t;
Chris PeBenito b84d6e
	')
Chris PeBenito b84d6e
Chris PeBenito b84d6e
	allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
Chris PeBenito b84d6e
	dev_add_entry_generic_dirs($1)
Chris PeBenito b84d6e
')
Chris PeBenito b84d6e
Chris PeBenito b84d6e
########################################
Chris PeBenito b84d6e
## <summary>
Chris PeBenito b84d6e
##	Allow the caller to create fixed disk device nodes.
Chris PeBenito b84d6e
## </summary>
Chris PeBenito b84d6e
## <param name="domain">
Chris PeBenito b84d6e
##	<summary>
Chris PeBenito b84d6e
##	Domain allowed access.
Chris PeBenito b84d6e
##	</summary>
Chris PeBenito b84d6e
## </param>
Chris PeBenito b84d6e
#
Chris PeBenito b84d6e
interface(`storage_delete_fixed_disk_dev',`
Chris PeBenito b84d6e
	gen_require(`
Chris PeBenito b84d6e
		type fixed_disk_device_t;
Chris PeBenito b84d6e
	')
Chris PeBenito b84d6e
Chris PeBenito b84d6e
	allow $1 fixed_disk_device_t:blk_file delete_blk_file_perms;
Chris PeBenito b84d6e
	dev_remove_entry_generic_dirs($1)
Chris PeBenito b84d6e
')
Chris PeBenito b84d6e
Chris PeBenito b84d6e
########################################
Chris PeBenito b84d6e
## <summary>
Chris PeBenito 414e41
##	Create, read, write, and delete fixed disk device nodes.
Chris PeBenito 783b38
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito f5c42b
#
Chris PeBenito 199895
interface(`storage_manage_fixed_disk',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		attribute fixed_disk_raw_read, fixed_disk_raw_write;
Chris PeBenito d35c62
		type fixed_disk_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito d534d3
	allow $1 self:capability mknod;
Chris PeBenito c0868a
	allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
Chris PeBenito 2c664e
	allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms;
Chris PeBenito 0c73cd
	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
Chris PeBenito a42ca7
')
Chris PeBenito a42ca7
Chris PeBenito a42ca7
########################################
Chris PeBenito a42ca7
## <summary>
Chris PeBenito 675a0e
##	Create block devices in /dev with the fixed disk type
Chris PeBenito 675a0e
##	via an automatic type transition.
Chris PeBenito 675a0e
## </summary>
Chris PeBenito 675a0e
## <param name="domain">
Chris PeBenito 675a0e
##	<summary>
Chris PeBenito 675a0e
##	The type of the process performing this action.
Chris PeBenito 675a0e
##	</summary>
Chris PeBenito 675a0e
## </param>
Chris PeBenito 675a0e
#
Chris PeBenito 675a0e
interface(`storage_dev_filetrans_fixed_disk',`
Chris PeBenito 675a0e
	gen_require(`
Chris PeBenito 675a0e
		type fixed_disk_device_t;
Chris PeBenito 675a0e
	')
Chris PeBenito 675a0e
Chris PeBenito 0bfccd
	dev_filetrans($1, fixed_disk_device_t, blk_file)
Chris PeBenito 675a0e
')
Chris PeBenito 675a0e
Chris PeBenito 675a0e
########################################
Chris PeBenito 675a0e
## <summary>
Chris PeBenito 675a0e
##	Create block devices in on a tmpfs filesystem with the
Chris PeBenito 675a0e
##	fixed disk type via an automatic type transition.
Chris PeBenito 675a0e
## </summary>
Chris PeBenito 675a0e
## <param name="domain">
Chris PeBenito 675a0e
##	<summary>
Chris PeBenito 675a0e
##	The type of the process performing this action.
Chris PeBenito 675a0e
##	</summary>
Chris PeBenito 675a0e
## </param>
Chris PeBenito 675a0e
#
Chris PeBenito 675a0e
interface(`storage_tmpfs_filetrans_fixed_disk',`
Chris PeBenito 675a0e
	gen_require(`
Chris PeBenito 675a0e
		type fixed_disk_device_t;
Chris PeBenito 675a0e
	')
Chris PeBenito 675a0e
Chris PeBenito 0bfccd
	fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file)
Chris PeBenito 675a0e
')
Chris PeBenito 675a0e
Chris PeBenito 675a0e
########################################
Chris PeBenito 675a0e
## <summary>
Chris PeBenito 783b38
##	Relabel fixed disk device nodes.
Chris PeBenito 783b38
## </summary>
Chris PeBenito 783b38
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 783b38
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 783b38
## </param>
Chris PeBenito 783b38
#
Chris PeBenito 783b38
interface(`storage_relabel_fixed_disk',`
Chris PeBenito 783b38
	gen_require(`
Chris PeBenito 783b38
		type fixed_disk_device_t;
Chris PeBenito 783b38
	')
Chris PeBenito 783b38
Chris PeBenito 783b38
	dev_list_all_dev_nodes($1)
Chris PeBenito c0868a
	allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
Chris PeBenito 783b38
')
Chris PeBenito 783b38
Chris PeBenito 783b38
########################################
Chris PeBenito 783b38
## <summary>
Chris PeBenito 783b38
##	Enable a fixed disk device as swap space
Chris PeBenito 783b38
## </summary>
Chris PeBenito 783b38
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 783b38
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 783b38
## </param>
Chris PeBenito 783b38
#
Chris PeBenito 783b38
interface(`storage_swapon_fixed_disk',`
Chris PeBenito 783b38
	gen_require(`
Chris PeBenito 783b38
		type fixed_disk_device_t;
Chris PeBenito 783b38
	')
Chris PeBenito 783b38
Chris PeBenito 783b38
	dev_list_all_dev_nodes($1)
Chris PeBenito 783b38
	allow $1 fixed_disk_device_t:blk_file { getattr swapon };
Chris PeBenito 783b38
')
Chris PeBenito 783b38
Chris PeBenito 783b38
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 495df4
##	Allow the caller to get the attributes
Chris PeBenito 495df4
##	of device nodes of fuse devices.
Chris PeBenito 495df4
## </summary>
Chris PeBenito 495df4
## <param name="domain">
Chris PeBenito 495df4
##	<summary>
Chris PeBenito 495df4
##	The type of the process performing this action.
Chris PeBenito 495df4
##	</summary>
Chris PeBenito 495df4
## </param>
Chris PeBenito 495df4
#
Chris PeBenito 495df4
interface(`storage_getattr_fuse_dev',`
Chris PeBenito 495df4
	gen_require(`
Chris PeBenito 495df4
		type fuse_device_t;
Chris PeBenito 495df4
	')
Chris PeBenito 495df4
Chris PeBenito 495df4
	dev_list_all_dev_nodes($1)
Chris PeBenito 495df4
	allow $1 fuse_device_t:chr_file getattr;
Chris PeBenito 495df4
')
Chris PeBenito 495df4
Chris PeBenito 495df4
########################################
Chris PeBenito 495df4
## <summary>
Chris PeBenito 495df4
##	read or write fuse device interfaces.
Chris PeBenito 495df4
## </summary>
Chris PeBenito 495df4
## <param name="domain">
Chris PeBenito 495df4
##	<summary>
Chris PeBenito 495df4
##	Domain to not audit.
Chris PeBenito 495df4
##	</summary>
Chris PeBenito 495df4
## </param>
Chris PeBenito 495df4
#
Chris PeBenito 495df4
interface(`storage_rw_fuse',`
Chris PeBenito 495df4
	gen_require(`
Chris PeBenito 495df4
		type fuse_device_t;
Chris PeBenito 495df4
	')
Chris PeBenito 495df4
Chris PeBenito 495df4
	allow $1 fuse_device_t:chr_file rw_file_perms;
Chris PeBenito 495df4
')
Chris PeBenito 495df4
Chris PeBenito 495df4
########################################
Chris PeBenito 495df4
## <summary>
Chris PeBenito 495df4
##	Do not audit attempts to read or write
Chris PeBenito 495df4
##	fuse device interfaces.
Chris PeBenito 495df4
## </summary>
Chris PeBenito 495df4
## <param name="domain">
Chris PeBenito 495df4
##	<summary>
Chris PeBenito 495df4
##	Domain to not audit.
Chris PeBenito 495df4
##	</summary>
Chris PeBenito 495df4
## </param>
Chris PeBenito 495df4
#
Chris PeBenito 495df4
interface(`storage_dontaudit_rw_fuse',`
Chris PeBenito 495df4
	gen_require(`
Chris PeBenito 495df4
		type fuse_device_t;
Chris PeBenito 495df4
	')
Chris PeBenito 495df4
Chris PeBenito 495df4
	dontaudit $1 fuse_device_t:chr_file rw_file_perms;
Chris PeBenito 495df4
')
Chris PeBenito 495df4
Chris PeBenito 495df4
########################################
Chris PeBenito 495df4
## <summary>
Chris PeBenito 414e41
##	Allow the caller to get the attributes of
Chris PeBenito 414e41
##	the generic SCSI interface device nodes.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito 7a2f20
#
Chris PeBenito 1815ba
interface(`storage_getattr_scsi_generic_dev',`
Chris PeBenito 7a2f20
	gen_require(`
Chris PeBenito 7a2f20
		type scsi_generic_device_t;
Chris PeBenito 7a2f20
	')
Chris PeBenito 7a2f20
Chris PeBenito 7a2f20
	dev_list_all_dev_nodes($1)
Chris PeBenito a5ec7c
	allow $1 scsi_generic_device_t:chr_file getattr;
Chris PeBenito 7a2f20
')
Chris PeBenito 7a2f20
Chris PeBenito 7a2f20
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Allow the caller to set the attributes of
Chris PeBenito 414e41
##	the generic SCSI interface device nodes.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito 7a2f20
#
Chris PeBenito 1815ba
interface(`storage_setattr_scsi_generic_dev',`
Chris PeBenito 7a2f20
	gen_require(`
Chris PeBenito 7a2f20
		type scsi_generic_device_t;
Chris PeBenito 7a2f20
	')
Chris PeBenito 7a2f20
Chris PeBenito 7a2f20
	dev_list_all_dev_nodes($1)
Chris PeBenito a5ec7c
	allow $1 scsi_generic_device_t:chr_file setattr;
Chris PeBenito 7a2f20
')
Chris PeBenito 7a2f20
Chris PeBenito 7a2f20
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Allow the caller to directly read, in a
Chris PeBenito 414e41
##	generic fashion, from any SCSI device.
Chris PeBenito 414e41
##	This is extremly dangerous as it can bypass the
Chris PeBenito 414e41
##	SELinux protections for filesystem objects, and
Chris PeBenito 414e41
##	should only be used by trusted domains.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`storage_read_scsi_generic',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		attribute scsi_generic_read;
Chris PeBenito d35c62
		type scsi_generic_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito c0868a
	allow $1 scsi_generic_device_t:chr_file read_chr_file_perms;
Chris PeBenito 0c73cd
	typeattribute $1 scsi_generic_read;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito 494e98
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Allow the caller to directly write, in a
Chris PeBenito 414e41
##	generic fashion, from any SCSI device.
Chris PeBenito 414e41
##	This is extremly dangerous as it can bypass the
Chris PeBenito 414e41
##	SELinux protections for filesystem objects, and
Chris PeBenito 414e41
##	should only be used by trusted domains.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 199895
interface(`storage_write_scsi_generic',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		attribute scsi_generic_write;
Chris PeBenito d35c62
		type scsi_generic_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito c0868a
	allow $1 scsi_generic_device_t:chr_file write_chr_file_perms;
Chris PeBenito 0c73cd
	typeattribute $1 scsi_generic_write;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Set attributes of the device nodes
Chris PeBenito 414e41
##	for the SCSI generic inerface.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito 8a0da1
#
Chris PeBenito 1815ba
interface(`storage_setattr_scsi_generic_dev_dev',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		type scsi_generic_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito a5ec7c
	allow $1 scsi_generic_device_t:chr_file setattr;
Chris PeBenito 8a0da1
')
Chris PeBenito 8a0da1
Chris PeBenito 494e98
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 07620c
##	Do not audit attempts to read or write
Chris PeBenito 07620c
##	SCSI generic device interfaces.
Chris PeBenito 07620c
## </summary>
Chris PeBenito 07620c
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 07620c
##	Domain to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 07620c
## </param>
Chris PeBenito 07620c
#
Chris PeBenito 07620c
interface(`storage_dontaudit_rw_scsi_generic',`
Chris PeBenito 07620c
	gen_require(`
Chris PeBenito 07620c
		type scsi_generic_device_t;
Chris PeBenito 07620c
	')
Chris PeBenito 07620c
Chris PeBenito 07620c
	dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
Chris PeBenito 07620c
')
Chris PeBenito 07620c
Chris PeBenito 07620c
########################################
Chris PeBenito 07620c
## <summary>
Chris PeBenito 414e41
##	Allow the caller to get the attributes of removable
Chris PeBenito 414e41
##	devices device nodes.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 1815ba
interface(`storage_getattr_removable_dev',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		type removable_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito 0c73cd
	allow $1 removable_device_t:blk_file getattr;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito 494e98
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Do not audit attempts made by the caller to get
Chris PeBenito 414e41
##	the attributes of removable devices device nodes.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito b16c6b
#
Chris PeBenito 1815ba
interface(`storage_dontaudit_getattr_removable_dev',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		type removable_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Chris PeBenito 0c73cd
	dontaudit $1 removable_device_t:blk_file getattr;
Chris PeBenito b16c6b
')
Chris PeBenito b16c6b
Chris PeBenito b4cd15
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito ccc597
##	Do not audit attempts made by the caller to read
Chris PeBenito ccc597
##	removable devices device nodes.
Chris PeBenito ccc597
## </summary>
Chris PeBenito ccc597
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito ccc597
##	The type of the process to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito ccc597
## </param>
Chris PeBenito ccc597
#
Chris PeBenito ccc597
interface(`storage_dontaudit_read_removable_device',`
Chris PeBenito ccc597
	gen_require(`
Chris PeBenito ccc597
		type removable_device_t;
Chris PeBenito 6073ea
Chris PeBenito ccc597
	')
Chris PeBenito ccc597
Chris PeBenito 53c73d
	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
Chris PeBenito ccc597
')
Chris PeBenito ccc597
Chris PeBenito ccc597
########################################
Chris PeBenito ccc597
## <summary>
Chris PeBenito 8f0de5
##	Do not audit attempts made by the caller to write
Chris PeBenito 8f0de5
##	removable devices device nodes.
Chris PeBenito 8f0de5
## </summary>
Chris PeBenito 8f0de5
## <param name="domain">
Chris PeBenito 8f0de5
##	<summary>
Chris PeBenito 8f0de5
##	The type of the process to not audit.
Chris PeBenito 8f0de5
##	</summary>
Chris PeBenito 8f0de5
## </param>
Chris PeBenito 8f0de5
#
Chris PeBenito 8f0de5
interface(`storage_dontaudit_write_removable_device',`
Chris PeBenito 8f0de5
	gen_require(`
Chris PeBenito 8f0de5
		type removable_device_t;
Chris PeBenito 8f0de5
	')
Chris PeBenito 8f0de5
Chris PeBenito 8f0de5
	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
Chris PeBenito 8f0de5
')
Chris PeBenito 8f0de5
Chris PeBenito 8f0de5
########################################
Chris PeBenito 8f0de5
## <summary>
Chris PeBenito 414e41
##	Allow the caller to set the attributes of removable
Chris PeBenito 414e41
##	devices device nodes.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 1815ba
interface(`storage_setattr_removable_dev',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		type removable_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito 0c73cd
	allow $1 removable_device_t:blk_file setattr;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Do not audit attempts made by the caller to set
Chris PeBenito 414e41
##	the attributes of removable devices device nodes.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito 7a2f20
#
Chris PeBenito 1815ba
interface(`storage_dontaudit_setattr_removable_dev',`
Chris PeBenito 7a2f20
	gen_require(`
Chris PeBenito 7a2f20
		type removable_device_t;
Chris PeBenito 7a2f20
	')
Chris PeBenito 7a2f20
Chris PeBenito 7a2f20
	dontaudit $1 removable_device_t:blk_file setattr;
Chris PeBenito 7a2f20
')
Chris PeBenito 7a2f20
Chris PeBenito 7a2f20
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Allow the caller to directly read from
Chris PeBenito 414e41
##	a removable device.
Chris PeBenito 414e41
##	This is extremly dangerous as it can bypass the
Chris PeBenito 414e41
##	SELinux protections for filesystem objects, and
Chris PeBenito 414e41
##	should only be used by trusted domains.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito 8a0da1
#
Chris PeBenito 199895
interface(`storage_raw_read_removable_device',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		type removable_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito c0868a
	allow $1 removable_device_t:blk_file read_blk_file_perms;
Chris PeBenito 8a0da1
')
Chris PeBenito 8a0da1
Chris PeBenito 8a0da1
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 07620c
##	Do not audit attempts to directly read removable devices.
Chris PeBenito 07620c
## </summary>
Chris PeBenito 07620c
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 07620c
##	Domain to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 07620c
## </param>
Chris PeBenito 07620c
#
Chris PeBenito 07620c
interface(`storage_dontaudit_raw_read_removable_device',`
Chris PeBenito 07620c
	gen_require(`
Chris PeBenito 07620c
		type removable_device_t;
Chris PeBenito 07620c
	')
Chris PeBenito 07620c
Chris PeBenito c0868a
	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
Chris PeBenito 07620c
')
Chris PeBenito 07620c
Chris PeBenito 07620c
########################################
Chris PeBenito 07620c
## <summary>
Chris PeBenito 414e41
##	Allow the caller to directly write to
Chris PeBenito 414e41
##	a removable device.
Chris PeBenito 414e41
##	This is extremly dangerous as it can bypass the
Chris PeBenito 414e41
##	SELinux protections for filesystem objects, and
Chris PeBenito 414e41
##	should only be used by trusted domains.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito 8a0da1
#
Chris PeBenito 199895
interface(`storage_raw_write_removable_device',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		type removable_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito c0868a
	allow $1 removable_device_t:blk_file write_blk_file_perms;
Chris PeBenito 8a0da1
')
Chris PeBenito 8a0da1
Chris PeBenito 8a0da1
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 07620c
##	Do not audit attempts to directly write removable devices.
Chris PeBenito 07620c
## </summary>
Chris PeBenito 07620c
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 07620c
##	Domain to not audit.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 07620c
## </param>
Chris PeBenito 07620c
#
Chris PeBenito 07620c
interface(`storage_dontaudit_raw_write_removable_device',`
Chris PeBenito 07620c
	gen_require(`
Chris PeBenito 07620c
		type removable_device_t;
Chris PeBenito 07620c
	')
Chris PeBenito 07620c
Chris PeBenito c0868a
	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
Chris PeBenito 07620c
')
Chris PeBenito 07620c
Chris PeBenito 07620c
########################################
Chris PeBenito 07620c
## <summary>
Chris PeBenito 414e41
##	Allow the caller to directly read
Chris PeBenito 414e41
##	a tape device.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 1815ba
interface(`storage_read_tape',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		type tape_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito c0868a
	allow $1 tape_device_t:chr_file read_chr_file_perms;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito b4cd15
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Allow the caller to directly read
Chris PeBenito 414e41
##	a tape device.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito b4cd15
#
Chris PeBenito 1815ba
interface(`storage_write_tape',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		type tape_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito c0868a
	allow $1 tape_device_t:chr_file write_chr_file_perms;
Chris PeBenito b4cd15
')
Chris PeBenito b4cd15
Chris PeBenito 8a0da1
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Allow the caller to get the attributes
Chris PeBenito 414e41
##	of device nodes of tape devices.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito 8a0da1
#
Chris PeBenito 1815ba
interface(`storage_getattr_tape_dev',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		type tape_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito a5ec7c
	allow $1 tape_device_t:chr_file getattr;
Chris PeBenito 8a0da1
')
Chris PeBenito 8a0da1
Chris PeBenito 8a0da1
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 414e41
##	Allow the caller to set the attributes
Chris PeBenito 414e41
##	of device nodes of tape devices.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 414e41
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 414e41
##	The type of the process performing this action.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 414e41
## </param>
Chris PeBenito 8a0da1
#
Chris PeBenito 1815ba
interface(`storage_setattr_tape_dev',`
Chris PeBenito d35c62
	gen_require(`
Chris PeBenito d35c62
		type tape_device_t;
Chris PeBenito d35c62
	')
Chris PeBenito 0c73cd
Karl MacMillan f0c985
	dev_list_all_dev_nodes($1)
Chris PeBenito a5ec7c
	allow $1 tape_device_t:chr_file setattr;
Chris PeBenito 8a0da1
')
Chris PeBenito 8a0da1
Chris PeBenito 9726b3
########################################
Chris PeBenito 9726b3
## <summary>
Chris PeBenito 9726b3
##	Unconfined access to storage devices.
Chris PeBenito 9726b3
## </summary>
Chris PeBenito 9726b3
## <param name="domain">
Chris PeBenito 885b83
##	<summary>
Chris PeBenito 9726b3
##	Domain allowed access.
Chris PeBenito 885b83
##	</summary>
Chris PeBenito 9726b3
## </param>
Chris PeBenito 9726b3
#
Chris PeBenito 9726b3
interface(`storage_unconfined',`
Chris PeBenito 9726b3
	gen_require(`
Chris PeBenito b518fc
		attribute storage_unconfined_type;
Chris PeBenito 9726b3
	')
Chris PeBenito 9726b3
Chris PeBenito b518fc
	typeattribute $1 storage_unconfined_type;
Chris PeBenito 9726b3
')