## <summary>Policy controlling access to storage devices</summary>

########################################

## <summary>

##	Allow the caller to get the attributes of fixed disk

##	device nodes.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_getattr_fixed_disk',`

	gen_require(`

		type fixed_disk_device_t;

		class blk_file getattr;

	')

	dev_list_all_dev_nodes($1)

	allow $1 fixed_disk_device_t:blk_file getattr;

')

########################################

## <summary>

##	Do not audit attempts made by the caller to get

##	the attributes of fixed disk device nodes.

## </summary>

## <param name="domain">

##	The type of the process to not audit.

## </param>

#

interface(`storage_dontaudit_getattr_fixed_disk',`

	gen_require(`

		type fixed_disk_device_t;

		class blk_file getattr;

	')

	dontaudit $1 fixed_disk_device_t:blk_file getattr;

')

########################################

## <summary>

##	Allow the caller to set the attributes of fixed disk

##	device nodes.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_setattr_fixed_disk',`

	gen_require(`

		type fixed_disk_device_t;

		class blk_file setattr;

	')

	dev_list_all_dev_nodes($1)

	allow $1 fixed_disk_device_t:blk_file setattr;

')

########################################

## <summary>

##	Do not audit attempts made by the caller to set

##	the attributes of fixed disk device nodes.

## </summary>

## <param name="domain">

##	The type of the process to not audit.

## </param>

#

interface(`storage_dontaudit_setattr_fixed_disk',`

	gen_require(`

		type fixed_disk_device_t;

	')

	dontaudit $1 fixed_disk_device_t:blk_file setattr;

')

########################################

## <summary>

##	Allow the caller to directly read from a fixed disk.

##	This is extremly dangerous as it can bypass the

##	SELinux protections for filesystem objects, and

##	should only be used by trusted domains.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_raw_read_fixed_disk',`

	gen_require(`

		attribute fixed_disk_raw_read;

		type fixed_disk_device_t;

		class blk_file r_file_perms;

	')

	dev_list_all_dev_nodes($1)

	allow $1 fixed_disk_device_t:blk_file r_file_perms;

	typeattribute $1 fixed_disk_raw_read;

')

########################################

## <summary>

##	Do not audit attempts made by the caller to read

##	fixed disk device nodes.

## </summary>

## <param name="domain">

##	The type of the process to not audit.

## </param>

#

interface(`storage_dontaudit_read_fixed_disk',`

	gen_require(`

		type fixed_disk_device_t;

	')

	dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };

')

########################################

## <summary>

##	Allow the caller to directly write to a fixed disk.

##	This is extremly dangerous as it can bypass the

##	SELinux protections for filesystem objects, and

##	should only be used by trusted domains.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_raw_write_fixed_disk',`

	gen_require(`

		attribute fixed_disk_raw_write;

		type fixed_disk_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 fixed_disk_device_t:blk_file { getattr write append ioctl };

	typeattribute $1 fixed_disk_raw_write;

')

########################################

## <summary>

##	Create block devices in /dev with the fixed disk type.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_create_fixed_disk',`

	gen_require(`

		attribute fixed_disk_raw_read, fixed_disk_raw_write;

		type fixed_disk_device_t;

		class blk_file create_file_perms;

	')

	allow $1 fixed_disk_device_t:blk_file create_file_perms;

	dev_filetrans_dev_node($1,fixed_disk_device_t,blk_file)

	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;

')

########################################

## <summary>

##	Create, read, write, and delete fixed disk device nodes.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_manage_fixed_disk',`

	gen_require(`

		attribute fixed_disk_raw_read, fixed_disk_raw_write;

		type fixed_disk_device_t;

		class blk_file create_file_perms;

	')

	dev_list_all_dev_nodes($1)

	allow $1 fixed_disk_device_t:blk_file create_file_perms;

	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;

')

########################################

## <summary>

##	Create fixed disk device nodes on a tmpfs filesystem.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_create_fixed_disk_tmpfs',`

	gen_require(`

		attribute fixed_disk_raw_read, fixed_disk_raw_write;

		type fixed_disk_device_t;

		class blk_file create_file_perms;

	')

	allow $1 fixed_disk_device_t:blk_file create_file_perms;

	fs_filetrans_tmpfs($1,fixed_disk_device_t,blk_file)

	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;

')

########################################

## <summary>

##	Relabel fixed disk device nodes.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_relabel_fixed_disk',`

	gen_require(`

		type fixed_disk_device_t;

		class blk_file { relabelfrom relabelto };

	')

	dev_list_all_dev_nodes($1)

	allow $1 fixed_disk_device_t:blk_file { relabelfrom relabelto };

')

########################################

## <summary>

##	Enable a fixed disk device as swap space

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_swapon_fixed_disk',`

	gen_require(`

		type fixed_disk_device_t;

		class blk_file { getattr swapon };

	')

	dev_list_all_dev_nodes($1)

	allow $1 fixed_disk_device_t:blk_file { getattr swapon };

')

########################################

## <summary>

##	Allow the caller to directly read from a logical volume.

##	This is extremly dangerous as it can bypass the

##	SELinux protections for filesystem objects, and

##	should only be used by trusted domains.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_raw_read_lvm_volume',`

	gen_require(`

		attribute fixed_disk_raw_read;

		type lvm_vg_t;

		class blk_file r_file_perms;

	')

	dev_list_all_dev_nodes($1)

	allow $1 lvm_vg_t:blk_file r_file_perms;

	typeattribute $1 fixed_disk_raw_read;

')

########################################

## <summary>

##	Allow the caller to directly read from a logical volume.

##	This is extremly dangerous as it can bypass the

##	SELinux protections for filesystem objects, and

##	should only be used by trusted domains.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_raw_write_lvm_volume',`

	gen_require(`

		attribute fixed_disk_raw_write;

		type lvm_vg_t;

		class blk_file { getattr write ioctl };

	')

	dev_list_all_dev_nodes($1)

	allow $1 lvm_vg_t:blk_file { getattr write ioctl };

	typeattribute $1 fixed_disk_raw_write;

')

########################################

## <summary>

##	Allow the caller to get the attributes of

##	the generic SCSI interface device nodes.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_getattr_scsi_generic',`

	gen_require(`

		type scsi_generic_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 scsi_generic_device_t:chr_file getattr;

')

########################################

## <summary>

##	Allow the caller to set the attributes of

##	the generic SCSI interface device nodes.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_setattr_scsi_generic',`

	gen_require(`

		type scsi_generic_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 scsi_generic_device_t:chr_file setattr;

')

########################################

## <summary>

##	Allow the caller to directly read, in a

##	generic fashion, from any SCSI device.

##	This is extremly dangerous as it can bypass the

##	SELinux protections for filesystem objects, and

##	should only be used by trusted domains.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_read_scsi_generic',`

	gen_require(`

		attribute scsi_generic_read;

		type scsi_generic_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 scsi_generic_device_t:chr_file r_file_perms;

	typeattribute $1 scsi_generic_read;

')

########################################

## <summary>

##	Allow the caller to directly write, in a

##	generic fashion, from any SCSI device.

##	This is extremly dangerous as it can bypass the

##	SELinux protections for filesystem objects, and

##	should only be used by trusted domains.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_write_scsi_generic',`

	gen_require(`

		attribute scsi_generic_write;

		type scsi_generic_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 scsi_generic_device_t:chr_file { getattr write ioctl };

	typeattribute $1 scsi_generic_write;

')

########################################

## <summary>

##	Set attributes of the device nodes

##	for the SCSI generic inerface.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_set_scsi_generic_attributes',`

	gen_require(`

		type scsi_generic_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 scsi_generic_device_t:chr_file setattr;

')

########################################

## <summary>

##	Allow the caller to get the attributes of removable

##	devices device nodes.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_getattr_removable_device',`

	gen_require(`

		type removable_device_t;

		class blk_file getattr;

	')

	dev_list_all_dev_nodes($1)

	allow $1 removable_device_t:blk_file getattr;

')

########################################

## <summary>

##	Do not audit attempts made by the caller to get

##	the attributes of removable devices device nodes.

## </summary>

## <param name="domain">

##	The type of the process to not audit.

## </param>

#

interface(`storage_dontaudit_getattr_removable_device',`

	gen_require(`

		type removable_device_t;

		class blk_file getattr;

	')

	dontaudit $1 removable_device_t:blk_file getattr;

')

########################################

## <summary>

##	Do not audit attempts made by the caller to read

##	removable devices device nodes.

## </summary>

## <param name="domain">

##	The type of the process to not audit.

## </param>

#

interface(`storage_dontaudit_read_removable_device',`

	gen_require(`

		type removable_device_t;

		class blk_file { getattr ioctl read };

	')

	dontaudit $1 removable_device_t:blk_file { getattr ioctl read };

')

########################################

## <summary>

##	Allow the caller to set the attributes of removable

##	devices device nodes.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_setattr_removable_device',`

	gen_require(`

		type removable_device_t;

		class blk_file setattr;

	')

	dev_list_all_dev_nodes($1)

	allow $1 removable_device_t:blk_file setattr;

')

########################################

## <summary>

##	Do not audit attempts made by the caller to set

##	the attributes of removable devices device nodes.

## </summary>

## <param name="domain">

##	The type of the process to not audit.

## </param>

#

interface(`storage_dontaudit_setattr_removable_device',`

	gen_require(`

		type removable_device_t;

		class blk_file setattr;

	')

	dontaudit $1 removable_device_t:blk_file setattr;

')

########################################

## <summary>

##	Allow the caller to directly read from

##	a removable device.

##	This is extremly dangerous as it can bypass the

##	SELinux protections for filesystem objects, and

##	should only be used by trusted domains.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_raw_read_removable_device',`

	gen_require(`

		type removable_device_t;

		class blk_file r_file_perms;

	')

	dev_list_all_dev_nodes($1)

	allow $1 removable_device_t:blk_file r_file_perms;

')

########################################

## <summary>

##	Allow the caller to directly write to

##	a removable device.

##	This is extremly dangerous as it can bypass the

##	SELinux protections for filesystem objects, and

##	should only be used by trusted domains.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_raw_write_removable_device',`

	gen_require(`

		type removable_device_t;

		class blk_file { getattr write ioctl };

	')

	dev_list_all_dev_nodes($1)

	allow $1 removable_device_t:blk_file { getattr write ioctl };

')

########################################

## <summary>

##	Allow the caller to directly read

##	a tape device.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_read_tape_device',`

	gen_require(`

		type tape_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 tape_device_t:chr_file r_file_perms;

')

########################################

## <summary>

##	Allow the caller to directly read

##	a tape device.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_write_tape_device',`

	gen_require(`

		type tape_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 tape_device_t:chr_file { getattr write ioctl };

')

########################################

## <summary>

##	Allow the caller to get the attributes

##	of device nodes of tape devices.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_getattr_tape_device',`

	gen_require(`

		type tape_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 tape_device_t:chr_file getattr;

')

########################################

## <summary>

##	Allow the caller to set the attributes

##	of device nodes of tape devices.

## </summary>

## <param name="domain">

##	The type of the process performing this action.

## </param>

#

interface(`storage_setattr_tape_device',`

	gen_require(`

		type tape_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 tape_device_t:chr_file setattr;

')

########################################

## <summary>

##	Unconfined access to storage devices.

## </summary>

## <param name="domain">

##	Domain allowed access.

## </param>

#

interface(`storage_unconfined',`

	gen_require(`

		type fixed_disk_device_t, removable_device_t;

		type lvm_vg_t, scsi_generic_device_t, tape_device_t;

		attribute fixed_disk_raw_read, fixed_disk_raw_write;

		attribute scsi_generic_read, scsi_generic_write;

	')

	allow $1 { fixed_disk_device_t removable_device_t lvm_vg_t }:blk_file *;

	allow $1 { scsi_generic_device_t tape_device_t }:chr_file *;

	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;

	typeattribute $1 scsi_generic_read, scsi_generic_write;

')