Blob Blame History Raw
## <summary>Policy controlling access to storage devices</summary>

########################################
## <summary>
##	Allow the caller to get the attributes of fixed disk
##	device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_getattr_fixed_disk_dev',`
	gen_require(`
		type fixed_disk_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file getattr;
')

########################################
## <summary>
##	Do not audit attempts made by the caller to get
##	the attributes of fixed disk device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_getattr_fixed_disk_dev',`
	gen_require(`
		type fixed_disk_device_t;
	')

	dontaudit $1 fixed_disk_device_t:blk_file getattr;
	dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl
')

########################################
## <summary>
##	Allow the caller to set the attributes of fixed disk
##	device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_setattr_fixed_disk_dev',`
	gen_require(`
		type fixed_disk_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file setattr;
')

########################################
## <summary>
##	Do not audit attempts made by the caller to set
##	the attributes of fixed disk device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_setattr_fixed_disk_dev',`
	gen_require(`
		type fixed_disk_device_t;
	')

	dontaudit $1 fixed_disk_device_t:blk_file setattr;
')

########################################
## <summary>
##	Allow the caller to directly read from a fixed disk.
##	This is extremly dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_raw_read_fixed_disk',`
	gen_require(`
		attribute fixed_disk_raw_read;
		type fixed_disk_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
	allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
	typeattribute $1 fixed_disk_raw_read;
')

########################################
## <summary>
##	Do not audit attempts made by the caller to read
##	fixed disk device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_read_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;
		
	')

	dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };
')

########################################
## <summary>
##	Allow the caller to directly write to a fixed disk.
##	This is extremly dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_raw_write_fixed_disk',`
	gen_require(`
		attribute fixed_disk_raw_write;
		type fixed_disk_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
	allow $1 fixed_disk_device_t:chr_file write_chr_file_perms;
	typeattribute $1 fixed_disk_raw_write;
')

########################################
## <summary>
##	Do not audit attempts made by the caller to write
##	fixed disk device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_write_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;
		
	')

	dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms;
')

########################################
## <summary>
##      Allow the caller to directly read and write to a fixed disk.
##      This is extremly dangerous as it can bypass the
##      SELinux protections for filesystem objects, and
##      should only be used by trusted domains.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`storage_raw_rw_fixed_disk',`
	storage_raw_read_fixed_disk($1)
	storage_raw_write_fixed_disk($1)
')

########################################
## <summary>
##	Create, read, write, and delete fixed disk device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_manage_fixed_disk',`
	gen_require(`
		attribute fixed_disk_raw_read, fixed_disk_raw_write;
		type fixed_disk_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 self:capability mknod;
	allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')

########################################
## <summary>
##	Create block devices in /dev with the fixed disk type
##	via an automatic type transition.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_dev_filetrans_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;
	')

	dev_filetrans($1,fixed_disk_device_t,blk_file)
')

########################################
## <summary>
##	Create block devices in on a tmpfs filesystem with the
##	fixed disk type via an automatic type transition.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_tmpfs_filetrans_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;
	')

	fs_tmpfs_filetrans($1,fixed_disk_device_t,blk_file)
')

########################################
## <summary>
##	Relabel fixed disk device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_relabel_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
')

########################################
## <summary>
##	Enable a fixed disk device as swap space
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_swapon_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file { getattr swapon };
')

########################################
## <summary>
##	Allow the caller to get the attributes
##	of device nodes of fuse devices.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_getattr_fuse_dev',`
	gen_require(`
		type fuse_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fuse_device_t:chr_file getattr;
')

########################################
## <summary>
##	read or write fuse device interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`storage_rw_fuse',`
	gen_require(`
		type fuse_device_t;
	')

	allow $1 fuse_device_t:chr_file rw_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	fuse device interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_rw_fuse',`
	gen_require(`
		type fuse_device_t;
	')

	dontaudit $1 fuse_device_t:chr_file rw_file_perms;
')

########################################
## <summary>
##	Allow the caller to get the attributes of
##	the generic SCSI interface device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_getattr_scsi_generic_dev',`
	gen_require(`
		type scsi_generic_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:chr_file getattr;
')

########################################
## <summary>
##	Allow the caller to set the attributes of
##	the generic SCSI interface device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_setattr_scsi_generic_dev',`
	gen_require(`
		type scsi_generic_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:chr_file setattr;
')

########################################
## <summary>
##	Allow the caller to directly read, in a
##	generic fashion, from any SCSI device.
##	This is extremly dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_read_scsi_generic',`
	gen_require(`
		attribute scsi_generic_read;
		type scsi_generic_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:chr_file read_chr_file_perms;
	typeattribute $1 scsi_generic_read;
')

########################################
## <summary>
##	Allow the caller to directly write, in a
##	generic fashion, from any SCSI device.
##	This is extremly dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_write_scsi_generic',`
	gen_require(`
		attribute scsi_generic_write;
		type scsi_generic_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:chr_file write_chr_file_perms;
	typeattribute $1 scsi_generic_write;
')

########################################
## <summary>
##	Set attributes of the device nodes
##	for the SCSI generic inerface.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_setattr_scsi_generic_dev_dev',`
	gen_require(`
		type scsi_generic_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:chr_file setattr;
')

########################################
## <summary>
##	Do not audit attempts to read or write
##	SCSI generic device interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_rw_scsi_generic',`
	gen_require(`
		type scsi_generic_device_t;
	')

	dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
')

########################################
## <summary>
##	Allow the caller to get the attributes of removable
##	devices device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_getattr_removable_dev',`
	gen_require(`
		type removable_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 removable_device_t:blk_file getattr;
')

########################################
## <summary>
##	Do not audit attempts made by the caller to get
##	the attributes of removable devices device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_getattr_removable_dev',`
	gen_require(`
		type removable_device_t;
	')

	dontaudit $1 removable_device_t:blk_file getattr;
')

########################################
## <summary>
##	Do not audit attempts made by the caller to read
##	removable devices device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_read_removable_device',`
	gen_require(`
		type removable_device_t;
		
	')

	dontaudit $1 removable_device_t:blk_file { getattr ioctl read };
')

########################################
## <summary>
##	Allow the caller to set the attributes of removable
##	devices device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_setattr_removable_dev',`
	gen_require(`
		type removable_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 removable_device_t:blk_file setattr;
')

########################################
## <summary>
##	Do not audit attempts made by the caller to set
##	the attributes of removable devices device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_setattr_removable_dev',`
	gen_require(`
		type removable_device_t;
	')

	dontaudit $1 removable_device_t:blk_file setattr;
')

########################################
## <summary>
##	Allow the caller to directly read from
##	a removable device.
##	This is extremly dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_raw_read_removable_device',`
	gen_require(`
		type removable_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 removable_device_t:blk_file read_blk_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to directly read removable devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_raw_read_removable_device',`
	gen_require(`
		type removable_device_t;
	')

	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
')

########################################
## <summary>
##	Allow the caller to directly write to
##	a removable device.
##	This is extremly dangerous as it can bypass the
##	SELinux protections for filesystem objects, and
##	should only be used by trusted domains.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_raw_write_removable_device',`
	gen_require(`
		type removable_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 removable_device_t:blk_file write_blk_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to directly write removable devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`storage_dontaudit_raw_write_removable_device',`
	gen_require(`
		type removable_device_t;
	')

	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
')

########################################
## <summary>
##	Allow the caller to directly read
##	a tape device.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_read_tape',`
	gen_require(`
		type tape_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 tape_device_t:chr_file read_chr_file_perms;
')

########################################
## <summary>
##	Allow the caller to directly read
##	a tape device.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_write_tape',`
	gen_require(`
		type tape_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 tape_device_t:chr_file write_chr_file_perms;
')

########################################
## <summary>
##	Allow the caller to get the attributes
##	of device nodes of tape devices.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_getattr_tape_dev',`
	gen_require(`
		type tape_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 tape_device_t:chr_file getattr;
')

########################################
## <summary>
##	Allow the caller to set the attributes
##	of device nodes of tape devices.
## </summary>
## <param name="domain">
##	<summary>
##	The type of the process performing this action.
##	</summary>
## </param>
#
interface(`storage_setattr_tape_dev',`
	gen_require(`
		type tape_device_t;
	')

	dev_list_all_dev_nodes($1)
	allow $1 tape_device_t:chr_file setattr;
')

########################################
## <summary>
##	Unconfined access to storage devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`storage_unconfined',`
	gen_require(`
		attribute storage_unconfined_type;
	')

	typeattribute $1 storage_unconfined_type;
')