|
Chris PeBenito |
494e98 |
## <module name="storage" layer="kernel">
|
|
Chris PeBenito |
b16c6b |
## <summary>Policy controlling access to storage devices</summary>
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
494e98 |
########################################
|
|
Chris PeBenito |
b16c6b |
## <interface name="storage_get_fixed_disk_attributes">
|
|
Chris PeBenito |
b16c6b |
## <description>
|
|
Chris PeBenito |
b16c6b |
## Allow the caller to get the attributes of fixed disk
|
|
Chris PeBenito |
b16c6b |
## device nodes.
|
|
Chris PeBenito |
b16c6b |
## </description>
|
|
Chris PeBenito |
494e98 |
## <parameter name="domain">
|
|
Chris PeBenito |
b16c6b |
## The type of the process performing this action.
|
|
Chris PeBenito |
b16c6b |
## </parameter>
|
|
Chris PeBenito |
b16c6b |
## <infoflow type="read" weight="7"/>
|
|
Chris PeBenito |
b16c6b |
## </interface>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
b16c6b |
define(`storage_get_fixed_disk_attributes',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 fixed_disk_device_t:blk_file getattr;
|
|
Chris PeBenito |
b16c6b |
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
b16c6b |
define(`storage_get_fixed_disk_attributes_depend',`
|
|
Chris PeBenito |
0c73cd |
type fixed_disk_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file getattr;
|
|
Chris PeBenito |
b16c6b |
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
494e98 |
########################################
|
|
Chris PeBenito |
b16c6b |
## <interface name="storage_ignore_get_fixed_disk_attributes">
|
|
Chris PeBenito |
b16c6b |
## <description>
|
|
Chris PeBenito |
b16c6b |
## Do not audit attempts made by the caller to get
|
|
Chris PeBenito |
b16c6b |
## the attributes of fixed disk device nodes.
|
|
Chris PeBenito |
b16c6b |
## </description>
|
|
Chris PeBenito |
494e98 |
## <parameter name="domain">
|
|
Chris PeBenito |
b16c6b |
## The type of the process to not audit.
|
|
Chris PeBenito |
b16c6b |
## </parameter>
|
|
Chris PeBenito |
b16c6b |
## <infoflow type="none"/>
|
|
Chris PeBenito |
b16c6b |
## </interface>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
b16c6b |
define(`storage_ignore_get_fixed_disk_attributes',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
dontaudit $1 fixed_disk_device_t:blk_file getattr;
|
|
Chris PeBenito |
b16c6b |
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
b16c6b |
define(`storage_ignore_get_fixed_disk_attributes_depend',`
|
|
Chris PeBenito |
0c73cd |
type fixed_disk_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file getattr;
|
|
Chris PeBenito |
b16c6b |
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
494e98 |
########################################
|
|
Chris PeBenito |
b16c6b |
## <interface name="storage_set_fixed_disk_attributes">
|
|
Chris PeBenito |
b16c6b |
## <description>
|
|
Chris PeBenito |
b16c6b |
## Allow the caller to set the attributes of fixed disk
|
|
Chris PeBenito |
b16c6b |
## device nodes.
|
|
Chris PeBenito |
b16c6b |
## </description>
|
|
Chris PeBenito |
494e98 |
## <parameter name="domain">
|
|
Chris PeBenito |
b16c6b |
## The type of the process performing this action.
|
|
Chris PeBenito |
b16c6b |
## </parameter>
|
|
Chris PeBenito |
b16c6b |
## <infoflow type="write" weight="7"/>
|
|
Chris PeBenito |
b16c6b |
## </interface>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
b16c6b |
define(`storage_set_fixed_disk_attributes',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 fixed_disk_device_t:blk_file setattr;
|
|
Chris PeBenito |
b16c6b |
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
b16c6b |
define(`storage_set_fixed_disk_attributes_depend',`
|
|
Chris PeBenito |
0c73cd |
type fixed_disk_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file setattr;
|
|
Chris PeBenito |
b16c6b |
')
|
|
Chris PeBenito |
e181fe |
|
|
Chris PeBenito |
494e98 |
########################################
|
|
Chris PeBenito |
b16c6b |
## <interface name="storage_raw_read_fixed_disk">
|
|
Chris PeBenito |
b16c6b |
## <description>
|
|
Chris PeBenito |
b16c6b |
## Allow the caller to directly read from a fixed disk.
|
|
Chris PeBenito |
b16c6b |
## This is extremly dangerous as it can bypass the
|
|
Chris PeBenito |
b16c6b |
## SELinux protections for filesystem objects, and
|
|
Chris PeBenito |
b16c6b |
## should only be used by trusted domains.
|
|
Chris PeBenito |
b16c6b |
## </description>
|
|
Chris PeBenito |
494e98 |
## <parameter name="domain">
|
|
Chris PeBenito |
b16c6b |
## The type of the process performing this action.
|
|
Chris PeBenito |
b16c6b |
## </parameter>
|
|
Chris PeBenito |
b16c6b |
## <infoflow type="read" weight="10"/>
|
|
Chris PeBenito |
b16c6b |
## </interface>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b4cd15 |
define(`storage_raw_read_fixed_disk',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 fixed_disk_device_t:blk_file r_file_perms;
|
|
Chris PeBenito |
0c73cd |
typeattribute $1 fixed_disk_raw_read;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
define(`storage_raw_read_fixed_disk_depend',`
|
|
Chris PeBenito |
0c73cd |
attribute fixed_disk_raw_read;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
type fixed_disk_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file r_file_perms;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
494e98 |
########################################
|
|
Chris PeBenito |
f5c42b |
## <interface name="storage_raw_write_fixed_disk">
|
|
Chris PeBenito |
b16c6b |
## <description>
|
|
Chris PeBenito |
b16c6b |
## Allow the caller to directly write to a fixed disk.
|
|
Chris PeBenito |
b16c6b |
## This is extremly dangerous as it can bypass the
|
|
Chris PeBenito |
b16c6b |
## SELinux protections for filesystem objects, and
|
|
Chris PeBenito |
b16c6b |
## should only be used by trusted domains.
|
|
Chris PeBenito |
b16c6b |
## </description>
|
|
Chris PeBenito |
494e98 |
## <parameter name="domain">
|
|
Chris PeBenito |
b16c6b |
## The type of the process performing this action.
|
|
Chris PeBenito |
b16c6b |
## </parameter>
|
|
Chris PeBenito |
b16c6b |
## <infoflow type="write" weight="10"/>
|
|
Chris PeBenito |
b16c6b |
## </interface>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b4cd15 |
define(`storage_raw_write_fixed_disk',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
|
|
Chris PeBenito |
0c73cd |
typeattribute $1 fixed_disk_raw_write;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
define(`storage_raw_write_fixed_disk_depend',`
|
|
Chris PeBenito |
0c73cd |
attribute fixed_disk_raw_write;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
type fixed_disk_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file { getattr write ioctl };
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
494e98 |
########################################
|
|
Chris PeBenito |
f5c42b |
## <interface name="storage_create_fixed_disk_dev_entry">
|
|
Chris PeBenito |
f5c42b |
## <description>
|
|
Chris PeBenito |
f5c42b |
## Create block devices in /dev with the fixed disk type.
|
|
Chris PeBenito |
f5c42b |
## </description>
|
|
Chris PeBenito |
f5c42b |
## <parameter name="domain">
|
|
Chris PeBenito |
f5c42b |
## The type of the process performing this action.
|
|
Chris PeBenito |
f5c42b |
## </parameter>
|
|
Chris PeBenito |
f5c42b |
## <infoflow type="both" weight="10"/>
|
|
Chris PeBenito |
f5c42b |
## </interface>
|
|
Chris PeBenito |
f5c42b |
#
|
|
Chris PeBenito |
f5c42b |
define(`storage_create_fixed_disk_dev_entry',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
|
Chris PeBenito |
0c73cd |
devices_create_dev_entry($1,fixed_disk_device_t,blk_file)
|
|
Chris PeBenito |
0c73cd |
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
|
Chris PeBenito |
f5c42b |
')
|
|
Chris PeBenito |
f5c42b |
|
|
Chris PeBenito |
f5c42b |
define(`storage_create_fixed_disk_dev_entry_depend',`
|
|
Chris PeBenito |
0c73cd |
type fixed_disk_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file create_file_perms;
|
|
Chris PeBenito |
f5c42b |
')
|
|
Chris PeBenito |
f5c42b |
|
|
Chris PeBenito |
f5c42b |
########################################
|
|
Chris PeBenito |
f5c42b |
## <interface name="storage_manage_fixed_disk">
|
|
Chris PeBenito |
f5c42b |
## <description>
|
|
Chris PeBenito |
f5c42b |
## Manage fixed disk device nodes.
|
|
Chris PeBenito |
f5c42b |
## </description>
|
|
Chris PeBenito |
f5c42b |
## <parameter name="domain">
|
|
Chris PeBenito |
f5c42b |
## The type of the process performing this action.
|
|
Chris PeBenito |
f5c42b |
## </parameter>
|
|
Chris PeBenito |
f5c42b |
## <infoflow type="both" weight="10"/>
|
|
Chris PeBenito |
f5c42b |
## </interface>
|
|
Chris PeBenito |
f5c42b |
#
|
|
Chris PeBenito |
f5c42b |
define(`storage_manage_fixed_disk',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 fixed_disk_device_t:blk_file create_file_perms;
|
|
Chris PeBenito |
0c73cd |
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
|
|
Chris PeBenito |
f5c42b |
')
|
|
Chris PeBenito |
f5c42b |
|
|
Chris PeBenito |
f5c42b |
define(`storage_manage_fixed_disk_depend',`
|
|
Chris PeBenito |
0c73cd |
attribute fixed_disk_raw_read, fixed_disk_raw_write;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
type fixed_disk_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file create_file_perms;
|
|
Chris PeBenito |
f5c42b |
')
|
|
Chris PeBenito |
f5c42b |
|
|
Chris PeBenito |
f5c42b |
########################################
|
|
Chris PeBenito |
b16c6b |
## <interface name="storage_raw_read_lvm_volume">
|
|
Chris PeBenito |
b16c6b |
## <description>
|
|
Chris PeBenito |
b16c6b |
## Allow the caller to directly read from a logical volume.
|
|
Chris PeBenito |
b16c6b |
## This is extremly dangerous as it can bypass the
|
|
Chris PeBenito |
b16c6b |
## SELinux protections for filesystem objects, and
|
|
Chris PeBenito |
b16c6b |
## should only be used by trusted domains.
|
|
Chris PeBenito |
b16c6b |
## </description>
|
|
Chris PeBenito |
494e98 |
## <parameter name="domain">
|
|
Chris PeBenito |
b16c6b |
## The type of the process performing this action.
|
|
Chris PeBenito |
b16c6b |
## </parameter>
|
|
Chris PeBenito |
b16c6b |
## <infoflow type="read" weight="10"/>
|
|
Chris PeBenito |
b16c6b |
## </interface>
|
|
Chris PeBenito |
8e0280 |
#
|
|
Chris PeBenito |
8e0280 |
define(`storage_raw_read_lvm_volume',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 lvm_vg_t:blk_file r_file_perms;
|
|
Chris PeBenito |
0c73cd |
typeattribute $1 fixed_disk_raw_read;
|
|
Chris PeBenito |
8e0280 |
')
|
|
Chris PeBenito |
8e0280 |
|
|
Chris PeBenito |
8e0280 |
define(`storage_raw_read_lvm_volume_depend',`
|
|
Chris PeBenito |
0c73cd |
attribute fixed_disk_raw_read;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
type lvm_vg_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file r_file_perms;
|
|
Chris PeBenito |
8e0280 |
')
|
|
Chris PeBenito |
8e0280 |
|
|
Chris PeBenito |
494e98 |
########################################
|
|
Chris PeBenito |
b16c6b |
## <interface name="storage_raw_write_lvm_volume">
|
|
Chris PeBenito |
b16c6b |
## <description>
|
|
Chris PeBenito |
b16c6b |
## Allow the caller to directly read from a logical volume.
|
|
Chris PeBenito |
b16c6b |
## This is extremly dangerous as it can bypass the
|
|
Chris PeBenito |
b16c6b |
## SELinux protections for filesystem objects, and
|
|
Chris PeBenito |
b16c6b |
## should only be used by trusted domains.
|
|
Chris PeBenito |
b16c6b |
## </description>
|
|
Chris PeBenito |
494e98 |
## <parameter name="domain">
|
|
Chris PeBenito |
b16c6b |
## The type of the process performing this action.
|
|
Chris PeBenito |
b16c6b |
## </parameter>
|
|
Chris PeBenito |
b16c6b |
## <infoflow type="write" weight="10"/>
|
|
Chris PeBenito |
b16c6b |
## </interface>
|
|
Chris PeBenito |
8e0280 |
#
|
|
Chris PeBenito |
8e0280 |
define(`storage_raw_write_lvm_volume',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 lvm_vg_t:blk_file { getattr write ioctl };
|
|
Chris PeBenito |
0c73cd |
typeattribute $1 fixed_disk_raw_write;
|
|
Chris PeBenito |
8e0280 |
')
|
|
Chris PeBenito |
8e0280 |
|
|
Chris PeBenito |
8e0280 |
define(`storage_raw_write_lvm_volume_depend',`
|
|
Chris PeBenito |
0c73cd |
attribute fixed_disk_raw_write;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
type lvm_vg_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file { getattr write ioctl };
|
|
Chris PeBenito |
8e0280 |
')
|
|
Chris PeBenito |
8e0280 |
|
|
Chris PeBenito |
494e98 |
########################################
|
|
Chris PeBenito |
b16c6b |
## <interface name="storage_read_scsi_generic">
|
|
Chris PeBenito |
b16c6b |
## <description>
|
|
Chris PeBenito |
b16c6b |
## Allow the caller to directly read, in a
|
|
Chris PeBenito |
b16c6b |
## generic fashion, from any SCSI device.
|
|
Chris PeBenito |
b16c6b |
## This is extremly dangerous as it can bypass the
|
|
Chris PeBenito |
b16c6b |
## SELinux protections for filesystem objects, and
|
|
Chris PeBenito |
b16c6b |
## should only be used by trusted domains.
|
|
Chris PeBenito |
b16c6b |
## </description>
|
|
Chris PeBenito |
494e98 |
## <parameter name="domain">
|
|
Chris PeBenito |
b16c6b |
## The type of the process performing this action.
|
|
Chris PeBenito |
b16c6b |
## </parameter>
|
|
Chris PeBenito |
b16c6b |
## <infoflow type="read" weight="10"/>
|
|
Chris PeBenito |
b16c6b |
## </interface>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b4cd15 |
define(`storage_read_scsi_generic',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 scsi_generic_device_t:blk_file r_file_perms;
|
|
Chris PeBenito |
0c73cd |
typeattribute $1 scsi_generic_read;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
define(`storage_read_scsi_generic_depend',`
|
|
Chris PeBenito |
0c73cd |
attribute scsi_generic_read;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
type scsi_generic_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file r_file_perms;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
494e98 |
########################################
|
|
Chris PeBenito |
b16c6b |
## <interface name="storage_write_scsi_generic">
|
|
Chris PeBenito |
b16c6b |
## <description>
|
|
Chris PeBenito |
b16c6b |
## Allow the caller to directly write, in a
|
|
Chris PeBenito |
b16c6b |
## generic fashion, from any SCSI device.
|
|
Chris PeBenito |
b16c6b |
## This is extremly dangerous as it can bypass the
|
|
Chris PeBenito |
b16c6b |
## SELinux protections for filesystem objects, and
|
|
Chris PeBenito |
b16c6b |
## should only be used by trusted domains.
|
|
Chris PeBenito |
b16c6b |
## </description>
|
|
Chris PeBenito |
494e98 |
## <parameter name="domain">
|
|
Chris PeBenito |
b16c6b |
## The type of the process performing this action.
|
|
Chris PeBenito |
b16c6b |
## </parameter>
|
|
Chris PeBenito |
b16c6b |
## <infoflow type="write" weight="10"/>
|
|
Chris PeBenito |
b16c6b |
## </interface>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b4cd15 |
define(`storage_write_scsi_generic',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
|
|
Chris PeBenito |
0c73cd |
typeattribute $1 scsi_generic_write;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
define(`storage_write_scsi_generic_depend',`
|
|
Chris PeBenito |
0c73cd |
attribute scsi_generic_write;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
type scsi_generic_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file { getattr write ioctl };
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
bd202f |
# storage_get_scsi_generic_attributes(domain)
|
|
Chris PeBenito |
8a0da1 |
#
|
|
Chris PeBenito |
8a0da1 |
define(`storage_get_scsi_generic_attributes',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 scsi_generic_device_t:blk_file getattr;
|
|
Chris PeBenito |
8a0da1 |
')
|
|
Chris PeBenito |
8a0da1 |
|
|
Chris PeBenito |
8a0da1 |
define(`storage_get_scsi_generic_attributes_depend',`
|
|
Chris PeBenito |
0c73cd |
type scsi_generic_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file getattr;
|
|
Chris PeBenito |
8a0da1 |
')
|
|
Chris PeBenito |
8a0da1 |
|
|
Chris PeBenito |
8a0da1 |
########################################
|
|
Chris PeBenito |
8a0da1 |
#
|
|
Chris PeBenito |
bd202f |
# storage_set_scsi_generic_attributes(domain)
|
|
Chris PeBenito |
8a0da1 |
#
|
|
Chris PeBenito |
8a0da1 |
define(`storage_set_scsi_generic_attributes',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 scsi_generic_device_t:blk_file setattr;
|
|
Chris PeBenito |
8a0da1 |
')
|
|
Chris PeBenito |
8a0da1 |
|
|
Chris PeBenito |
8a0da1 |
define(`storage_set_scsi_generic_attributes_depend',`
|
|
Chris PeBenito |
0c73cd |
type scsi_generic_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file setattr;
|
|
Chris PeBenito |
8a0da1 |
')
|
|
Chris PeBenito |
8a0da1 |
|
|
Chris PeBenito |
494e98 |
########################################
|
|
Chris PeBenito |
b16c6b |
## <interface name="storage_get_removable_device_attributes">
|
|
Chris PeBenito |
b16c6b |
## <description>
|
|
Chris PeBenito |
b16c6b |
## Allow the caller to get the attributes of removable
|
|
Chris PeBenito |
b16c6b |
## devices device nodes.
|
|
Chris PeBenito |
b16c6b |
## </description>
|
|
Chris PeBenito |
494e98 |
## <parameter name="domain">
|
|
Chris PeBenito |
b16c6b |
## The type of the process performing this action.
|
|
Chris PeBenito |
b16c6b |
## </parameter>
|
|
Chris PeBenito |
b16c6b |
## <infoflow type="read" weight="7"/>
|
|
Chris PeBenito |
b16c6b |
## </interface>
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b16c6b |
define(`storage_get_removable_device_attributes',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 removable_device_t:blk_file getattr;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b16c6b |
define(`storage_get_removable_device_attributes_depend',`
|
|
Chris PeBenito |
0c73cd |
type removable_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file getattr;
|
|
Chris PeBenito |
b16c6b |
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
494e98 |
########################################
|
|
Chris PeBenito |
b16c6b |
## <interface name="storage_ignore_get_removable_device_attributes">
|
|
Chris PeBenito |
b16c6b |
## <description>
|
|
Chris PeBenito |
b16c6b |
## Do not audit attempts made by the caller to get
|
|
Chris PeBenito |
b16c6b |
## the attributes of removable devices device nodes.
|
|
Chris PeBenito |
b16c6b |
## </description>
|
|
Chris PeBenito |
494e98 |
## <parameter name="domain">
|
|
Chris PeBenito |
b16c6b |
## The type of the process to not audit.
|
|
Chris PeBenito |
b16c6b |
## </parameter>
|
|
Chris PeBenito |
b16c6b |
## <infoflow type="none"/>
|
|
Chris PeBenito |
b16c6b |
## </interface>
|
|
Chris PeBenito |
b16c6b |
#
|
|
Chris PeBenito |
b16c6b |
define(`storage_ignore_get_removable_device_attributes',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
dontaudit $1 removable_device_t:blk_file getattr;
|
|
Chris PeBenito |
b16c6b |
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
b16c6b |
define(`storage_ignore_get_removable_device_attributes_depend',`
|
|
Chris PeBenito |
0c73cd |
type removable_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file getattr;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b16c6b |
# storage_set_removable_device_attributes(domain)
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b16c6b |
define(`storage_set_removable_device_attributes',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 removable_device_t:blk_file setattr;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b16c6b |
define(`storage_set_removable_device_attributes_depend',`
|
|
Chris PeBenito |
0c73cd |
type removable_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file setattr;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b16c6b |
# storage_raw_read_removable_device(domain)
|
|
Chris PeBenito |
8a0da1 |
#
|
|
Chris PeBenito |
b16c6b |
define(`storage_raw_read_removable_device',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 removable_device_t:blk_file r_file_perms;
|
|
Chris PeBenito |
8a0da1 |
')
|
|
Chris PeBenito |
8a0da1 |
|
|
Chris PeBenito |
b16c6b |
define(`storage_raw_read_removable_device_depend',`
|
|
Chris PeBenito |
0c73cd |
type removable_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file r_file_perms;
|
|
Chris PeBenito |
8a0da1 |
')
|
|
Chris PeBenito |
8a0da1 |
|
|
Chris PeBenito |
8a0da1 |
########################################
|
|
Chris PeBenito |
8a0da1 |
#
|
|
Chris PeBenito |
b16c6b |
# storage_raw_write_removable_device(domain)
|
|
Chris PeBenito |
8a0da1 |
#
|
|
Chris PeBenito |
b16c6b |
define(`storage_raw_write_removable_device',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 removable_device_t:blk_file { getattr write ioctl };
|
|
Chris PeBenito |
8a0da1 |
')
|
|
Chris PeBenito |
8a0da1 |
|
|
Chris PeBenito |
b16c6b |
define(`storage_raw_write_removable_device_depend',`
|
|
Chris PeBenito |
0c73cd |
type removable_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file { getattr write ioctl };
|
|
Chris PeBenito |
8a0da1 |
')
|
|
Chris PeBenito |
8a0da1 |
|
|
Chris PeBenito |
8a0da1 |
########################################
|
|
Chris PeBenito |
8a0da1 |
#
|
|
Chris PeBenito |
bd202f |
# storage_read_tape_device(domain)
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b4cd15 |
define(`storage_read_tape_device',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 tape_device_t:blk_file r_file_perms;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
define(`storage_read_tape_device_depend',`
|
|
Chris PeBenito |
0c73cd |
type tape_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file r_file_perms;
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
########################################
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
bd202f |
# storage_write_tape_device(domain)
|
|
Chris PeBenito |
b4cd15 |
#
|
|
Chris PeBenito |
b4cd15 |
define(`storage_write_tape_device',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 tape_device_t:blk_file { getattr write ioctl };
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
b4cd15 |
|
|
Chris PeBenito |
b4cd15 |
define(`storage_write_tape_device_depend',`
|
|
Chris PeBenito |
0c73cd |
type tape_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file { getattr write ioctl };
|
|
Chris PeBenito |
b4cd15 |
')
|
|
Chris PeBenito |
8a0da1 |
|
|
Chris PeBenito |
8a0da1 |
########################################
|
|
Chris PeBenito |
8a0da1 |
#
|
|
Chris PeBenito |
bd202f |
# storage_get_tape_device_attributes(domain)
|
|
Chris PeBenito |
8a0da1 |
#
|
|
Chris PeBenito |
8a0da1 |
define(`storage_get_tape_device_attributes',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 tape_device_t:blk_file getattr;
|
|
Chris PeBenito |
8a0da1 |
')
|
|
Chris PeBenito |
8a0da1 |
|
|
Chris PeBenito |
8a0da1 |
define(`storage_get_tape_device_attributes_depend',`
|
|
Chris PeBenito |
0c73cd |
type tape_device_t;
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
class blk_file getattr;
|
|
Chris PeBenito |
8a0da1 |
')
|
|
Chris PeBenito |
8a0da1 |
|
|
Chris PeBenito |
8a0da1 |
########################################
|
|
Chris PeBenito |
8a0da1 |
#
|
|
Chris PeBenito |
bd202f |
# storage_set_tape_device_attributes(domain)
|
|
Chris PeBenito |
8a0da1 |
#
|
|
Chris PeBenito |
8a0da1 |
define(`storage_set_tape_device_attributes',`
|
|
Chris PeBenito |
0c73cd |
requires_block_template(`$0'_depend)
|
|
Chris PeBenito |
0c73cd |
|
|
Chris PeBenito |
0c73cd |
devices_list_device_nodes($1)
|
|
Chris PeBenito |
0c73cd |
allow $1 tape_device_t:blk_file setattr;
|
|
Chris PeBenito |
8a0da1 |
')
|
|
Chris PeBenito |
8a0da1 |
|
|
Chris PeBenito |
8a0da1 |
define(`storage_set_tape_device_attributes_depend',`
|
|
Chris PeBenito |
0c73cd |
type tape_device_t;
|
|
Chris PeBenito |
0c73cd |
class blk_file setattr;
|
|
Chris PeBenito |
8a0da1 |
')
|
|
Chris PeBenito |
b16c6b |
|
|
Chris PeBenito |
494e98 |
## </module>
|