## Policy controlling access to storage devices ######################################## ## ## Allow the caller to get the attributes of fixed disk ## device nodes. ## ## ## The type of the process performing this action. ## # interface(`storage_getattr_fixed_disk',` gen_require(` type fixed_disk_device_t; class blk_file getattr; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file getattr; ') ######################################## ## ## Do not audit attempts made by the caller to get ## the attributes of fixed disk device nodes. ## ## ## The type of the process to not audit. ## # interface(`storage_dontaudit_getattr_fixed_disk',` gen_require(` type fixed_disk_device_t; class blk_file getattr; ') dontaudit $1 fixed_disk_device_t:blk_file getattr; ') ######################################## ## ## Allow the caller to set the attributes of fixed disk ## device nodes. ## ## ## The type of the process performing this action. ## # interface(`storage_setattr_fixed_disk',` gen_require(` type fixed_disk_device_t; class blk_file setattr; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file setattr; ') ######################################## ## ## Do not audit attempts made by the caller to set ## the attributes of fixed disk device nodes. ## ## ## The type of the process to not audit. ## # interface(`storage_dontaudit_setattr_fixed_disk',` gen_require(` type fixed_disk_device_t; class blk_file getattr; ') dontaudit $1 fixed_disk_device_t:blk_file getattr; ') ######################################## ## ## Allow the caller to directly read from a fixed disk. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## # interface(`storage_raw_read_fixed_disk',` gen_require(` attribute fixed_disk_raw_read; type fixed_disk_device_t; class blk_file r_file_perms; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file r_file_perms; typeattribute $1 fixed_disk_raw_read; ') ######################################## ## ## Allow the caller to directly write to a fixed disk. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## # interface(`storage_raw_write_fixed_disk',` gen_require(` attribute fixed_disk_raw_write; type fixed_disk_device_t; class blk_file { getattr write ioctl }; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file { getattr write ioctl }; typeattribute $1 fixed_disk_raw_write; ') ######################################## ## ## Create block devices in /dev with the fixed disk type. ## ## ## The type of the process performing this action. ## # interface(`storage_create_fixed_disk',` gen_require(` attribute fixed_disk_raw_read, fixed_disk_raw_write; type fixed_disk_device_t; class blk_file create_file_perms; ') allow $1 fixed_disk_device_t:blk_file create_file_perms; dev_create_dev_node($1,fixed_disk_device_t,blk_file) typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; ') ######################################## ## ## Create, read, write, and delete fixed disk device nodes. ## ## ## The type of the process performing this action. ## # interface(`storage_manage_fixed_disk',` gen_require(` attribute fixed_disk_raw_read, fixed_disk_raw_write; type fixed_disk_device_t; class blk_file create_file_perms; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file create_file_perms; typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; ') ######################################## ## ## Relabel fixed disk device nodes. ## ## ## The type of the process performing this action. ## # interface(`storage_relabel_fixed_disk',` gen_require(` type fixed_disk_device_t; class blk_file { relabelfrom relabelto }; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file { relabelfrom relabelto }; ') ######################################## ## ## Enable a fixed disk device as swap space ## ## ## The type of the process performing this action. ## # interface(`storage_swapon_fixed_disk',` gen_require(` type fixed_disk_device_t; class blk_file { getattr swapon }; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file { getattr swapon }; ') ######################################## ## ## Allow the caller to directly read from a logical volume. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## # interface(`storage_raw_read_lvm_volume',` gen_require(` attribute fixed_disk_raw_read; type lvm_vg_t; class blk_file r_file_perms; ') dev_list_all_dev_nodes($1) allow $1 lvm_vg_t:blk_file r_file_perms; typeattribute $1 fixed_disk_raw_read; ') ######################################## ## ## Allow the caller to directly read from a logical volume. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## # interface(`storage_raw_write_lvm_volume',` gen_require(` attribute fixed_disk_raw_write; type lvm_vg_t; class blk_file { getattr write ioctl }; ') dev_list_all_dev_nodes($1) allow $1 lvm_vg_t:blk_file { getattr write ioctl }; typeattribute $1 fixed_disk_raw_write; ') ######################################## ## ## Allow the caller to get the attributes of ## the generic SCSI interface device nodes. ## ## ## The type of the process performing this action. ## # interface(`storage_getattr_scsi_generic',` gen_require(` type scsi_generic_device_t; class blk_file getattr; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:blk_file getattr; ') ######################################## ## ## Allow the caller to set the attributes of ## the generic SCSI interface device nodes. ## ## ## The type of the process performing this action. ## # interface(`storage_setattr_scsi_generic',` gen_require(` type scsi_generic_device_t; class blk_file setattr; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:blk_file setattr; ') ######################################## ## ## Allow the caller to directly read, in a ## generic fashion, from any SCSI device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## # interface(`storage_read_scsi_generic',` gen_require(` attribute scsi_generic_read; type scsi_generic_device_t; class blk_file r_file_perms; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:blk_file r_file_perms; typeattribute $1 scsi_generic_read; ') ######################################## ## ## Allow the caller to directly write, in a ## generic fashion, from any SCSI device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## # interface(`storage_write_scsi_generic',` gen_require(` attribute scsi_generic_write; type scsi_generic_device_t; class blk_file { getattr write ioctl }; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:blk_file { getattr write ioctl }; typeattribute $1 scsi_generic_write; ') ######################################## ## ## Get attributes of the device nodes ## for the SCSI generic inerface. ## ## ## The type of the process performing this action. ## # interface(`storage_getattr_scsi_generic',` gen_require(` type scsi_generic_device_t; class blk_file getattr; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:blk_file getattr; ') ######################################## ## ## Set attributes of the device nodes ## for the SCSI generic inerface. ## ## ## The type of the process performing this action. ## # interface(`storage_set_scsi_generic_attributes',` gen_require(` type scsi_generic_device_t; class blk_file setattr; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:blk_file setattr; ') ######################################## ## ## Allow the caller to get the attributes of removable ## devices device nodes. ## ## ## The type of the process performing this action. ## # interface(`storage_getattr_removable_device',` gen_require(` type removable_device_t; class blk_file getattr; ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file getattr; ') ######################################## ## ## Do not audit attempts made by the caller to get ## the attributes of removable devices device nodes. ## ## ## The type of the process to not audit. ## # interface(`storage_dontaudit_getattr_removable_device',` gen_require(` type removable_device_t; class blk_file getattr; ') dontaudit $1 removable_device_t:blk_file getattr; ') ######################################## ## ## Allow the caller to set the attributes of removable ## devices device nodes. ## ## ## The type of the process performing this action. ## # interface(`storage_setattr_removable_device',` gen_require(` type removable_device_t; class blk_file setattr; ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file setattr; ') ######################################## ## ## Do not audit attempts made by the caller to set ## the attributes of removable devices device nodes. ## ## ## The type of the process to not audit. ## # interface(`storage_dontaudit_setattr_removable_device',` gen_require(` type removable_device_t; class blk_file setattr; ') dontaudit $1 removable_device_t:blk_file setattr; ') ######################################## ## ## Allow the caller to directly read from ## a removable device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## # interface(`storage_raw_read_removable_device',` gen_require(` type removable_device_t; class blk_file r_file_perms; ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file r_file_perms; ') ######################################## ## ## Allow the caller to directly write to ## a removable device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## # interface(`storage_raw_write_removable_device',` gen_require(` type removable_device_t; class blk_file { getattr write ioctl }; ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file { getattr write ioctl }; ') ######################################## ## ## Allow the caller to directly read ## a tape device. ## ## ## The type of the process performing this action. ## # interface(`storage_read_tape_device',` gen_require(` type tape_device_t; class blk_file r_file_perms; ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:blk_file r_file_perms; ') ######################################## ## ## Allow the caller to directly read ## a tape device. ## ## ## The type of the process performing this action. ## # interface(`storage_write_tape_device',` gen_require(` type tape_device_t; class blk_file { getattr write ioctl }; ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:blk_file { getattr write ioctl }; ') ######################################## ## ## Allow the caller to get the attributes ## of device nodes of tape devices. ## ## ## The type of the process performing this action. ## # interface(`storage_getattr_tape_device',` gen_require(` type tape_device_t; class blk_file getattr; ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:blk_file getattr; ') ######################################## ## ## Allow the caller to set the attributes ## of device nodes of tape devices. ## ## ## The type of the process performing this action. ## # interface(`storage_setattr_tape_device',` gen_require(` type tape_device_t; class blk_file setattr; ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:blk_file setattr; ') ######################################## ## ## Unconfined access to storage devices. ## ## ## Domain allowed access. ## # interface(`storage_unconfined',` gen_require(` type fixed_disk_device_t, removable_device_t; type lvm_vg_t, scsi_generic_device_t, tape_device_t; ') allow $1 { fixed_disk_device_t removable_device_t }:blk_file *; allow $1 { lvm_vg_t scsi_generic_device_t tape_device_t }:blk_file *; typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; typeattribute $1 scsi_generic_read, scsi_generic_write; ')