Chris PeBenito 17de1b
Chris PeBenito 3480f3
policy_module(storage,1.4.0)
Chris PeBenito 17de1b
Chris PeBenito 17de1b
########################################
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
# Declarations
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
Chris PeBenito 17de1b
attribute fixed_disk_raw_read;
Chris PeBenito 17de1b
attribute fixed_disk_raw_write;
Chris PeBenito 17de1b
attribute scsi_generic_read;
Chris PeBenito 17de1b
attribute scsi_generic_write;
Chris PeBenito 17de1b
attribute storage_unconfined_type;
Chris PeBenito 17de1b
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
# fixed_disk_device_t is the type of 
Chris PeBenito 17de1b
# /dev/hd* and /dev/sd*.
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
type fixed_disk_device_t;
Chris PeBenito 17de1b
dev_node(fixed_disk_device_t)
Chris PeBenito 17de1b
Chris PeBenito 17de1b
neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
Chris PeBenito 17de1b
neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
Chris PeBenito 17de1b
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
# scsi_generic_device_t is the type of /dev/sg*
Chris PeBenito 17de1b
# it gives access to ALL SCSI devices (both fixed and removable)
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
type scsi_generic_device_t;
Chris PeBenito 17de1b
dev_node(scsi_generic_device_t)
Chris PeBenito 17de1b
Chris PeBenito 17de1b
neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read;
Chris PeBenito 17de1b
neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write };
Chris PeBenito 17de1b
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
# removable_device_t is the type of
Chris PeBenito 17de1b
# /dev/scd* and /dev/fd*.
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
type removable_device_t;
Chris PeBenito 17de1b
dev_node(removable_device_t)
Chris PeBenito 17de1b
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
# tape_device_t is the type of
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
type tape_device_t;
Chris PeBenito 17de1b
dev_node(tape_device_t)
Chris PeBenito 17de1b
Chris PeBenito 17de1b
########################################
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
# Unconfined access to this module
Chris PeBenito 17de1b
#
Chris PeBenito 17de1b
Chris PeBenito 17de1b
allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
Chris PeBenito 17de1b
allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;