diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index ea971c4..1f69d35 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -38,18 +38,51 @@ devices_list_device_nodes_depend
 ########################################
 #
+# storage_raw_read_lvm_volume(domain)
+#
+define(`storage_raw_read_lvm_volume',`
+requires_block_template(`$0'_depend)
+typeattribute $1 fixed_disk_raw_read;
+devices_list_device_nodes($1)
+allow $1 lvm_vg_t:blk_file { getattr read ioctl };
+')
+
+define(`storage_raw_read_lvm_volume_depend',`
+type lvm_vg_t;
+attribute fixed_disk_raw_read;
+class blk_file { getattr read ioctl };
+')
+
+########################################
+#
+# storage_raw_write_lvm_volume(domain)
+#
+define(`storage_raw_write_lvm_volume',`
+requires_block_template(`$0'_depend)
+typeattribute $1 fixed_disk_raw_write;
+devices_list_device_nodes($1)
+allow $1 lvm_vg_t:blk_file { getattr write ioctl };
+')
+
+define(`storage_raw_write_lvm_volume_depend',`
+type lvm_vg_t;
+attribute fixed_disk_raw_write;
+class blk_file { getattr write ioctl };
+')
+
+########################################
+#
 # storage_get_fixed_disk_attributes(domain)
 #
 define(`storage_get_fixed_disk_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 fixed_disk_device_t:blk_file getattr;
 ')
 define(`storage_get_fixed_disk_attributes_depend',`
 type fixed_disk_device_t;
 class blk_file getattr;
-devices_list_device_nodes_depend
 ')
 ########################################
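Review bot: `typeattribute $1 fixed_disk_raw_read` in storage_raw_read_lvm_volume (and `fixed_disk_raw_write` in storage_raw_write_lvm_volume) also releases the caller from the fixed_disk_device_t read/write assertions in storage.te, even though the interface itself only allows lvm_vg_t; a domain added for LVM volumes alone thereby becomes eligible for raw fixed-disk access without any assertion catching a later stray allow. The storage.te hunk states that the two types are equivalent from the subject's point of view, so this may well be intended, but the interface header does not say so and callers will read it as LVM-only. Suggest adding, below `# storage_raw_read_lvm_volume(domain)` and its write counterpart, a line such as `# Also marks the domain as a raw fixed-disk reader/writer for the storage assertions.` so the scope of the grant is visible at the call site.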
@@ -58,14 +91,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_set_fixed_disk_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 fixed_disk_device_t:blk_file setattr;
 ')
 define(`storage_set_fixed_disk_attributes_depend',`
 type fixed_disk_device_t;
 class blk_file setattr;
-devices_list_device_nodes_depend
 ')
 ########################################
@@ -75,7 +107,7 @@ devices_list_device_nodes_depend
 define(`storage_read_scsi_generic',`
 requires_block_template(`$0'_depend)
 typeattribute $1 scsi_generic_read;
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 scsi_generic_device_t:blk_file { getattr read ioctl };
 ')
@@ -83,7 +115,6 @@ define(`storage_read_scsi_generic_depend',`
 type scsi_generic_device_t;
 attribute scsi_generic_read;
 class blk_file { getattr read ioctl };
-devices_list_device_nodes_depend
 ')
 ########################################
@@ -93,15 +124,14 @@ devices_list_device_nodes_depend
 define(`storage_write_scsi_generic',`
 requires_block_template(`$0'_depend)
 typeattribute $1 scsi_generic_write;
-devices_list_device_nodes($1,optional)
-allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
+devices_list_device_nodes($1)
+allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
 ')
 define(`storage_write_scsi_generic_depend',`
 type scsi_generic_device_t;
 attribute scsi_generic_write;
 class blk_file { getattr write ioctl };
-devices_list_device_nodes_depend
 ')
 ########################################
@@ -110,14 +140,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_get_scsi_generic_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 scsi_generic_device_t:blk_file getattr;
 ')
 define(`storage_get_scsi_generic_attributes_depend',`
 type scsi_generic_device_t;
 class blk_file getattr;
-devices_list_device_nodes_depend
 ')
 ########################################
@@ -126,14 +155,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_set_scsi_generic_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 scsi_generic_device_t:blk_file setattr;
 ')
 define(`storage_set_scsi_generic_attributes_depend',`
 type scsi_generic_device_t;
 class blk_file setattr;
-devices_list_device_nodes_depend
 ')
 ########################################
@@ -142,14 +170,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_raw_read_removable_device',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 removable_device_t:blk_file { getattr read ioctl };
 ')
 define(`storage_raw_read_removable_device_depend',`
 type removable_device_t;
 class blk_file { getattr read ioctl };
-devices_list_device_nodes_depend
 ')
 ########################################
@@ -158,14 +185,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_raw_write_removable_device',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 removable_device_t:blk_file { getattr write ioctl };
 ')
 define(`storage_raw_write_removable_device_depend',`
 type removable_device_t;
 class blk_file { getattr write ioctl };
-devices_list_device_nodes_depend
 ')
 ########################################
@@ -174,14 +200,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_get_removable_device_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 removable_device_t:blk_file getattr;
 ')
 define(`storage_get_removable_device_attributes_depend',`
 type removable_device_t;
 class blk_file getattr;
-devices_list_device_nodes_depend
 ')
 ########################################
@@ -190,14 +215,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_set_removable_device_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 removable_device_t:blk_file setattr;
 ')
 define(`storage_set_removable_device_attributes_depend',`
 type removable_device_t;
 class blk_file setattr;
-devices_list_device_nodes_depend
 ')
 ########################################
@@ -206,14 +230,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_read_tape_device',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 tape_device_t:blk_file { getattr read ioctl };
 ')
 define(`storage_read_tape_device_depend',`
 type tape_device_t;
 class blk_file { getattr read ioctl };
-devices_list_device_nodes_depend
 ')
 ########################################
@@ -222,14 +245,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_write_tape_device',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 tape_device_t:blk_file { getattr write ioctl };
 ')
 define(`storage_write_tape_device_depend',`
 type tape_device_t;
 class blk_file { getattr write ioctl };
-devices_list_device_nodes_depend
 ')
 ########################################
@@ -238,14 +260,13 @@ devices_list_device_nodes_depend
 #
 define(`storage_get_tape_device_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 tape_device_t:blk_file getattr;
 ')
 define(`storage_get_tape_device_attributes_depend',`
 type tape_device_t;
 class blk_file getattr;
-devices_list_device_nodes_depend
 ')
 ########################################
@@ -254,12 +275,11 @@ devices_list_device_nodes_depend
 #
 define(`storage_set_tape_device_attributes',`
 requires_block_template(`$0'_depend)
-devices_list_device_nodes($1,optional)
+devices_list_device_nodes($1)
 allow $1 tape_device_t:blk_file setattr;
 ')
 define(`storage_set_tape_device_attributes_depend',`
 type tape_device_t;
 class blk_file setattr;
-devices_list_device_nodes_depend
 ')
diff --git a/refpolicy/policy/modules/kernel/storage.te b/refpolicy/policy/modules/kernel/storage.te
index eb53b76..e664245 100644
--- a/refpolicy/policy/modules/kernel/storage.te
+++ b/refpolicy/policy/modules/kernel/storage.te
@@ -2,44 +2,51 @@ policy_module(storage,1.0)
+attribute fixed_disk_raw_read;
+attribute fixed_disk_raw_write;
+attribute scsi_generic_read;
+attribute scsi_generic_write;
+
 #
 # fixed_disk_device_t is the type of
 # /dev/hd* and /dev/sd*.
 #
 type fixed_disk_device_t;
+devices_make_device_node(fixed_disk_device_t)
-attribute fixed_disk_raw_read;
-attribute fixed_disk_raw_write;
 neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
 neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
-devices_make_device_node(fixed_disk_device_t)
+#
+# lvm_vg_t is the type of logical volume groups
+#
 type lvm_vg_t;
 devices_make_device_node(lvm_vg_t)
+# from the subject's point of view, same as read/writing a regular
+# fixed disk, so use the same assertions as above
+neverallow ~fixed_disk_raw_read lvm_vg_t:{ chr_file blk_file } read;
+neverallow ~fixed_disk_raw_write lvm_vg_t:{ chr_file blk_file } { append write };
+
 #
 # scsi_generic_device_t is the type of /dev/sg*
 # it gives access to ALL SCSI devices (both fixed and removable)
 #
 type scsi_generic_device_t;
+devices_make_device_node(scsi_generic_device_t)
-attribute scsi_generic_read;
-attribute scsi_generic_write;
 neverallow ~scsi_generic_read scsi_generic_device_t:{ chr_file blk_file } read;
 neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { append write };
-devices_make_device_node(scsi_generic_device_t)
 #
 # removable_device_t is the type of
 # /dev/scd* and /dev/fd*.
 #
 type removable_device_t;
-
 devices_make_device_node(removable_device_t)
 #
 # tape_device_t is the type of
 #
 type tape_device_t;
-
 devices_make_device_node(tape_device_t)
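Review bot: The two new lvm_vg_t assertions gate `read` and `{ append write }` only, while the storage.if interfaces that put domains in fixed_disk_raw_read/fixed_disk_raw_write also hand out `ioctl` on the same blk_file class; nothing in this file asserts who may ioctl a volume device, so an unrelated module could grant it without tripping a neverallow. That mirrors the existing fixed_disk_device_t and scsi_generic_device_t assertions, so it may be a deliberate scope, but the comment `# from the subject's point of view, same as read/writing a regular fixed disk` suggests the intent is that only raw-disk domains touch these devices at all. If so, a third assertion over the union of both attributes (e.g. `neverallow ~{ fixed_disk_raw_read fixed_disk_raw_write } lvm_vg_t:{ chr_file blk_file } ioctl;`, since read-only and write-only callers each receive ioctl) would close the gap; confirm the set-complement syntax against the policy compiler in use. Separately, the new `# lvm_vg_t is the type of logical volume groups` header omits the device-node paths that the neighbouring type comments give; naming the paths labelled lvm_vg_t in storage.fc would keep the file consistent.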