diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index a241ea1..2268319 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -16,13 +16,16 @@
 /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
 /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
 /dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
 /dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/etherd/.+ -c gen_context(system_u:object_r:lvm_control_t,s0)
 /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
 /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
 /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
@@ -61,6 +64,7 @@
 /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/misc/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)
 /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
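Review bot: The two new `/dev/etherd/.+` and `/dev/btrfs-control` entries in the first hunk reuse lvm_control_t, a type that is not declared in this module and that names LVM rather than ATA-over-Ethernet or btrfs control nodes, so a reader of devices.fc cannot tell whether the sharing is deliberate. If the intent is "same privilege class as /dev/mapper/control", a comment saying so above the lines, or a dedicated control type declared in devices.te, would make the grant auditable. Likewise `/dev/dahdi/.*` is telephony hardware and presumably deserves either its own type or a note explaining why sound_device_t is the right equivalence class; every domain already allowed to read and write sound devices gains access to it.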
@@ -80,6 +84,7 @@
 /dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
 /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
 /dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0)
 /dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
 /dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
@@ -98,6 +103,8 @@
 /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
+/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0)
 /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
 /dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
 /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a3796f8..1b72daa 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -479,6 +479,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
 ########################################
 ##
+## Read and write generic character device files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+##
 ## Do not audit attempts to set the attributes
 ## of symbolic links in device directories (/dev).
 ##
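Review bot: Labeling `/dev/uinput` as event_device_t in the `@@ -98` hunk puts the input-injection node in the same equivalence class as the read-side `/dev/event.*` nodes, so every domain that already has write access to event_device_t silently gains the ability to synthesize keyboard and mouse events. Since the same hunk introduces a dedicated userio_device_t for `/dev/uio[0-9]+`, a dedicated type for uinput (declared in devices.te with its own rw interface) would keep that capability separately grantable and visible in audit logs; at minimum the line should carry a comment noting the widening, e.g. `# uinput: write access here allows event injection, not just reading`.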
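Review bot: The summary of `dev_rw_generic_chr_files` in the `@@ -479` hunk understates what the rule does: `allow $1 device_t:chr_file rw_chr_file_perms` covers every character node under /dev that has no specific label, which is a broad grant that callers should reach for only after a specific dev_rw_* interface has been ruled out. Suggest `## Read and write generic character device files (any /dev chr node still labeled device_t; prefer a device-specific interface where one exists).` so the scope is clear at the call site.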
@@ -826,6 +844,24 @@ interface(`dev_dontaudit_read_all_blk_files',`
 ########################################
 ##
+## Dontaudit write on all block file device nodes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_write_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_node:blk_file write;
+')
+
+########################################
+##
 ## Dontaudit read on all character file device nodes.
 ##
 ##
@@ -844,6 +880,24 @@ interface(`dev_dontaudit_read_all_chr_files',`
 ########################################
 ##
+## Dontaudit write on all character file device nodes.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_write_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_node:chr_file write;
+')
+
+########################################
+##
 ## Create all block device files.
 ##
 ##
@@ -1405,6 +1459,42 @@ interface(`dev_rw_crypto',`
 rw_chr_files_pattern($1, device_t, crypt_device_t)
 ')
+#######################################
+##
+## Set the attributes of the dlm control devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_setattr_dlm_control',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
+')
+
+#######################################
+##
+## Read and write the the dlm control device
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_dlm_control',`
+ gen_require(`
+ type device_t, dlm_control_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, dlm_control_device_t)
+')
+
 ########################################
 ##
 ## getattr the dri devices.
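Review bot: In the `@@ -1405` hunk, `dev_setattr_dlm_control` requires `type device_t, kvm_device_t;` but the rule it expands uses dlm_control_device_t, so the gen_require names the wrong type: a module calling this interface picks up a spurious dependency on kvm_device_t and no declared dependency on the type it actually touches. The line should read `type device_t, dlm_control_device_t;`, matching the sibling `dev_rw_dlm_control` directly below. Two smaller points in the same hunk: the summary `## Read and write the the dlm control device` has a doubled "the" and no trailing period, and both new separator lines are 39 `#` characters where the surrounding file uses 40 (the `dev_rw_userio_dev` block in a later hunk has the same width mismatch).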
@@ -1735,6 +1825,24 @@ interface(`dev_read_kmsg',`
 ########################################
 ##
+## Write to the kernel messages device
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_write_kmsg',`
+ gen_require(`
+ type device_t, kmsg_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
+########################################
+##
 ## Get the attributes of the ksm devices.
 ##
 ##
@@ -2046,6 +2154,25 @@ interface(`dev_read_raw_memory',`
 ########################################
 ##
+## Do not audit attempts to read raw memory devices
+## (e.g. /dev/mem).
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_read_raw_memory',`
+ gen_require(`
+ type memory_device_t;
+ ')
+
+ dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+##
 ## Write raw memory devices (e.g. /dev/mem).
 ##
 ##
@@ -2456,6 +2583,25 @@ interface(`dev_write_mtrr',`
 ########################################
 ##
+## Do not audit attempts to write the memory type
+## range registers (MTRR).
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dev_dontaudit_write_mtrr',`
+ gen_require(`
+ type mtrr_device_t;
+ ')
+
+ dontaudit $1 mtrr_device_t:chr_file write;
+')
+
+########################################
+##
 ## Read and write the memory type range registers (MTRR).
 ##
 ##
@@ -3775,6 +3921,24 @@ interface(`dev_getattr_video_dev',`
 getattr_chr_files_pattern($1, device_t, v4l_device_t)
 ')
+######################################
+##
+## Read and write userio device.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_rw_userio_dev',`
+ gen_require(`
+ type device_t, userio_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, userio_device_t)
+')
+
 ########################################
 ##
 ## Do not audit attempts to get the attributes
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index b3107fa..1586fbb 100644
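Review bot: The summary of `dev_rw_userio_dev` in the `@@ -3775` hunk, `## Read and write userio device.`, does not tell a policy author which nodes this is, and UIO nodes expose device registers and DMA-capable memory to user space, so callers should know they are granting hardware-level access. Suggest `## Read and write the userspace I/O (UIO) devices (/dev/uio[0-9]+), which map device memory into the caller.`; the separator above it is also 38 `#` characters rather than the file's 40. The `dev_write_kmsg` summary in the `@@ -1735` hunk is missing its trailing period, and a note that writes to /dev/kmsg appear in the kernel log as if from the kernel would help reviewers of the domains that call it.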
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices, 1.9.2)
+policy_module(devices, 1.9.3)
 ########################################
 #
@@ -59,6 +59,12 @@ dev_node(cpu_device_t)
 type crypt_device_t;
 dev_node(crypt_device_t)
+#
+# dlm_misc_device_t is the type of /dev/misc/dlm.*
+#
+type dlm_control_device_t;
+dev_node(dlm_control_device_t)
+
 type dri_device_t;
 dev_node(dri_device_t)
@@ -232,6 +238,12 @@ genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
 type usb_device_t;
 dev_node(usb_device_t)
+#
+# userio_device_t is the type for /dev/uio[0-9]+
+#
+type userio_device_t;
+dev_node(userio_device_t)
+
 type v4l_device_t;
 dev_node(v4l_device_t)
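Review bot: The comment added in the `@@ -59` hunk names a type that does not exist: `# dlm_misc_device_t is the type of /dev/misc/dlm.*` sits directly above `type dlm_control_device_t;`, and the devices.fc entry in this commit also uses dlm_control_device_t. Change it to `# dlm_control_device_t is the type of /dev/misc/dlm.*` so a grep for the declared name finds its own description. The userio_device_t comment in the `@@ -232` hunk is consistent with its declaration and needs no change.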