## ## Policy controlling access to storage devices ######################################## ## ## ## Allow the caller to get the attributes of fixed disk ## device nodes. ## ## ## The type of the process performing this action. ## ## # define(`storage_getattr_fixed_disk',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 fixed_disk_device_t:blk_file getattr; ') define(`storage_getattr_fixed_disk_depend',` type fixed_disk_device_t; class blk_file getattr; ') ######################################## ## ## ## Do not audit attempts made by the caller to get ## the attributes of fixed disk device nodes. ## ## ## The type of the process to not audit. ## ## # define(`storage_dontaudit_getattr_fixed_disk',` requires_block_template(`$0'_depend) dontaudit $1 fixed_disk_device_t:blk_file getattr; ') define(`storage_dontaudit_getattr_fixed_disk_depend',` type fixed_disk_device_t; class blk_file getattr; ') ######################################## ## ## ## Allow the caller to set the attributes of fixed disk ## device nodes. ## ## ## The type of the process performing this action. ## ## # define(`storage_setattr_fixed_disk',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 fixed_disk_device_t:blk_file setattr; ') define(`storage_setattr_fixed_disk_depend',` type fixed_disk_device_t; class blk_file setattr; ') ######################################## ## ## ## Allow the caller to directly read from a fixed disk. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## ## # define(`storage_raw_read_fixed_disk',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 fixed_disk_device_t:blk_file r_file_perms; typeattribute $1 fixed_disk_raw_read; ') define(`storage_raw_read_fixed_disk_depend',` attribute fixed_disk_raw_read; type fixed_disk_device_t; class blk_file r_file_perms; ') ######################################## ## ## ## Allow the caller to directly write to a fixed disk. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## ## # define(`storage_raw_write_fixed_disk',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 fixed_disk_device_t:blk_file { getattr write ioctl }; typeattribute $1 fixed_disk_raw_write; ') define(`storage_raw_write_fixed_disk_depend',` attribute fixed_disk_raw_write; type fixed_disk_device_t; class blk_file { getattr write ioctl }; ') ######################################## ## ## ## Create block devices in /dev with the fixed disk type. ## ## ## The type of the process performing this action. ## ## # define(`storage_create_fixed_disk_dev_entry',` requires_block_template(`$0'_depend) allow $1 fixed_disk_device_t:blk_file create_file_perms; devices_create_dev_entry($1,fixed_disk_device_t,blk_file) typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; ') define(`storage_create_fixed_disk_dev_entry_depend',` type fixed_disk_device_t; class blk_file create_file_perms; ') ######################################## ## ## ## Create, read, write, and delete fixed disk device nodes. ## ## ## The type of the process performing this action. ## ## # define(`storage_manage_fixed_disk',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 fixed_disk_device_t:blk_file create_file_perms; typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; ') define(`storage_manage_fixed_disk_depend',` attribute fixed_disk_raw_read, fixed_disk_raw_write; type fixed_disk_device_t; class blk_file create_file_perms; ') ######################################## ## ## ## Allow the caller to directly read from a logical volume. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## ## # define(`storage_raw_read_lvm_volume',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 lvm_vg_t:blk_file r_file_perms; typeattribute $1 fixed_disk_raw_read; ') define(`storage_raw_read_lvm_volume_depend',` attribute fixed_disk_raw_read; type lvm_vg_t; class blk_file r_file_perms; ') ######################################## ## ## ## Allow the caller to directly read from a logical volume. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## ## # define(`storage_raw_write_lvm_volume',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 lvm_vg_t:blk_file { getattr write ioctl }; typeattribute $1 fixed_disk_raw_write; ') define(`storage_raw_write_lvm_volume_depend',` attribute fixed_disk_raw_write; type lvm_vg_t; class blk_file { getattr write ioctl }; ') ######################################## ## ## ## Allow the caller to directly read, in a ## generic fashion, from any SCSI device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## ## # define(`storage_read_scsi_generic',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 scsi_generic_device_t:blk_file r_file_perms; typeattribute $1 scsi_generic_read; ') define(`storage_read_scsi_generic_depend',` attribute scsi_generic_read; type scsi_generic_device_t; class blk_file r_file_perms; ') ######################################## ## ## ## Allow the caller to directly write, in a ## generic fashion, from any SCSI device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## ## # define(`storage_write_scsi_generic',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 scsi_generic_device_t:blk_file { getattr write ioctl }; typeattribute $1 scsi_generic_write; ') define(`storage_write_scsi_generic_depend',` attribute scsi_generic_write; type scsi_generic_device_t; class blk_file { getattr write ioctl }; ') ######################################## ## ## ## Get attributes of the device nodes ## for the SCSI generic inerface. ## ## ## The type of the process performing this action. ## ## # define(`storage_getattr_scsi_generic',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 scsi_generic_device_t:blk_file getattr; ') define(`storage_getattr_scsi_generic_depend',` type scsi_generic_device_t; class blk_file getattr; ') ######################################## ## ## ## Set attributes of the device nodes ## for the SCSI generic inerface. ## ## ## The type of the process performing this action. ## ## # define(`storage_set_scsi_generic_attributes',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 scsi_generic_device_t:blk_file setattr; ') define(`storage_set_scsi_generic_attributes_depend',` type scsi_generic_device_t; class blk_file setattr; ') ######################################## ## ## ## Allow the caller to get the attributes of removable ## devices device nodes. ## ## ## The type of the process performing this action. ## ## # define(`storage_getattr_removable_device',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 removable_device_t:blk_file getattr; ') define(`storage_getattr_removable_device_depend',` type removable_device_t; class blk_file getattr; ') ######################################## ## ## ## Do not audit attempts made by the caller to get ## the attributes of removable devices device nodes. ## ## ## The type of the process to not audit. ## ## # define(`storage_dontaudit_getattr_removable_device',` requires_block_template(`$0'_depend) dontaudit $1 removable_device_t:blk_file getattr; ') define(`storage_dontaudit_getattr_removable_device_depend',` type removable_device_t; class blk_file getattr; ') ######################################## ## ## ## Allow the caller to set the attributes of removable ## devices device nodes. ## ## ## The type of the process performing this action. ## ## # define(`storage_set_removable_device_attributes',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 removable_device_t:blk_file setattr; ') define(`storage_set_removable_device_attributes_depend',` type removable_device_t; class blk_file setattr; ') ######################################## ## ## ## Allow the caller to directly read from ## a removable device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## ## # define(`storage_raw_read_removable_device',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 removable_device_t:blk_file r_file_perms; ') define(`storage_raw_read_removable_device_depend',` type removable_device_t; class blk_file r_file_perms; ') ######################################## ## ## ## Allow the caller to directly write to ## a removable device. ## This is extremly dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## The type of the process performing this action. ## ## # define(`storage_raw_write_removable_device',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 removable_device_t:blk_file { getattr write ioctl }; ') define(`storage_raw_write_removable_device_depend',` type removable_device_t; class blk_file { getattr write ioctl }; ') ######################################## ## ## ## Allow the caller to directly read ## a tape device. ## ## ## The type of the process performing this action. ## ## # define(`storage_read_tape_device',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 tape_device_t:blk_file r_file_perms; ') define(`storage_read_tape_device_depend',` type tape_device_t; class blk_file r_file_perms; ') ######################################## ## ## ## Allow the caller to directly read ## a tape device. ## ## ## The type of the process performing this action. ## ## # define(`storage_write_tape_device',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 tape_device_t:blk_file { getattr write ioctl }; ') define(`storage_write_tape_device_depend',` type tape_device_t; class blk_file { getattr write ioctl }; ') ######################################## ## ## ## Allow the caller to get the attributes ## of device nodes of tape devices. ## ## ## The type of the process performing this action. ## ## # define(`storage_getattr_tape_device',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 tape_device_t:blk_file getattr; ') define(`storage_getattr_tape_device_depend',` type tape_device_t; class blk_file getattr; ') ######################################## ## ## ## Allow the caller to set the attributes ## of device nodes of tape devices. ## ## ## The type of the process performing this action. ## ## # define(`storage_setattr_tape_device',` requires_block_template(`$0'_depend) devices_list_device_nodes($1) allow $1 tape_device_t:blk_file setattr; ') define(`storage_setattr_tape_device_depend',` type tape_device_t; class blk_file setattr; ') ##