diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 0ed2866..db2d108 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -434,6 +434,9 @@ clean:
rm -f $(FC)
bare: clean
+ find . -name *~ -exec rm -f {} \;
+ find . -name "*#*" -exec rm -f {} \;
+ find . -name ".*#*" -exec rm -f {} \;
rm -f $(POLXML)
rm -f $(SUPPORT)/*.pyc
rm -f $(FCSORT)
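Review bot: The first added `find` line leaves `*~` unquoted, so the shell expands it against the current directory before `find` runs: with one matching backup file the pattern silently becomes that filename, with several `find` fails on the extra arguments, and only when nothing matches does the glob reach `find` literally. Quote it the way the two lines below it already do: `find . -name '*~' -exec rm -f {} \;`. The `bare` rule continues past the end of the hunk.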
diff --git a/refpolicy/policy/modules/admin/netutils.te b/refpolicy/policy/modules/admin/netutils.te
index cbd43f2..166d8bf 100644
--- a/refpolicy/policy/modules/admin/netutils.te
+++ b/refpolicy/policy/modules/admin/netutils.te
@@ -188,8 +188,8 @@ logging_send_system_log_message(traceroute_t)
miscfiles_read_localization(traceroute_t)
#rules needed for nmap
-devices_get_random_data(traceroute_t)
-devices_get_pseudorandom_data(traceroute_t)
+dev_read_rand(traceroute_t)
+dev_read_urand(traceroute_t)
files_read_general_application_resources(traceroute_t)
if (user_ping) {
diff --git a/refpolicy/policy/modules/admin/rpm.if b/refpolicy/policy/modules/admin/rpm.if
index 90038ec..77832cb 100644
--- a/refpolicy/policy/modules/admin/rpm.if
+++ b/refpolicy/policy/modules/admin/rpm.if
@@ -1,4 +1,4 @@
-##
+##
## Policy for the RPM package manager.
########################################
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index cab1d85..14e8ce2 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -113,7 +113,7 @@ corenet_udp_sendrecv_all_ports(rpm_t)
corenet_tcp_bind_all_nodes(rpm_t)
corenet_udp_bind_all_nodes(rpm_t)
-devices_get_pseudorandom_data(rpm_t)
+dev_read_urand(rpm_t)
#devices_manage_all_device_types(rpm_t)
#fs_manage_nfs_dir(rpm_t)
@@ -254,10 +254,10 @@ kernel_compute_reachable_user_contexts(rpm_script_t)
kernel_read_system_state(rpm_script_t)
# ideally we would not need this
-devices_manage_generic_block_devices(rpm_script_t)
-devices_manage_generic_character_devices(rpm_script_t)
-devices_manage_all_block_devices(rpm_script_t)
-devices_manage_all_character_devices(rpm_script_t)
+dev_manage_generic_blk_file(rpm_script_t)
+dev_manage_generic_chr_file(rpm_script_t)
+dev_manage_all_blk_files(rpm_script_t)
+dev_manage_all_chr_files(rpm_script_t)
fs_manage_nfs_files(rpm_script_t)
fs_getattr_nfs(rpm_script_t)
diff --git a/refpolicy/policy/modules/admin/usermanage.if b/refpolicy/policy/modules/admin/usermanage.if
index e556252..1ebfcdb 100644
--- a/refpolicy/policy/modules/admin/usermanage.if
+++ b/refpolicy/policy/modules/admin/usermanage.if
@@ -1,4 +1,4 @@
-##
+##
## Policy for managing user accounts.
########################################
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index b5b77d7..5da06a4 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -90,7 +90,7 @@ term_use_all_user_ptys(chfn_t)
fs_getattr_xattr_fs(chfn_t)
# for SSP
-devices_get_pseudorandom_data(chfn_t)
+dev_read_urand(chfn_t)
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
@@ -161,7 +161,7 @@ files_create_private_tmp_data(crack_t, crack_tmp_t, { file dir })
kernel_read_system_state(crack_t)
# for SSP
-devices_get_pseudorandom_data(crack_t)
+dev_read_urand(crack_t)
fs_getattr_xattr_fs(crack_t)
@@ -293,7 +293,7 @@ kernel_compute_relabel_context(passwd_t)
kernel_compute_reachable_user_contexts(passwd_t)
# for SSP
-devices_get_pseudorandom_data(passwd_t)
+dev_read_urand(passwd_t)
fs_getattr_xattr_fs(passwd_t)
@@ -392,7 +392,7 @@ kernel_compute_reachable_user_contexts(sysadm_passwd_t)
kernel_read_system_state(sysadm_passwd_t)
# for SSP
-devices_get_pseudorandom_data(sysadm_passwd_t)
+dev_read_urand(sysadm_passwd_t)
fs_getattr_xattr_fs(sysadm_passwd_t)
diff --git a/refpolicy/policy/modules/apps/gpg.if b/refpolicy/policy/modules/apps/gpg.if
index 9999d8c..3aec203 100644
--- a/refpolicy/policy/modules/apps/gpg.if
+++ b/refpolicy/policy/modules/apps/gpg.if
@@ -76,8 +76,8 @@ define(`gpg_per_userdomain_template',`
corenet_tcp_bind_all_nodes($1_gpg_t)
corenet_udp_bind_all_nodes($1_gpg_t)
- devices_get_random_data($1_gpg_t)
- devices_get_pseudorandom_data($1_gpg_t)
+ dev_read_rand($1_gpg_t)
+ dev_read_urand($1_gpg_t)
fs_getattr_xattr_fs($1_gpg_t)
@@ -186,7 +186,7 @@ define(`gpg_per_userdomain_template',`
corenet_tcp_bind_all_nodes($1_gpg_helper_t)
corenet_udp_bind_all_nodes($1_gpg_helper_t)
- devices_get_pseudorandom_data($1_gpg_helper_t)
+ dev_read_urand($1_gpg_helper_t)
files_read_general_system_config($1_gpg_helper_t)
# for nscd
diff --git a/refpolicy/policy/modules/kernel/bootloader.te b/refpolicy/policy/modules/kernel/bootloader.te
index 7134613..4abffc5 100644
--- a/refpolicy/policy/modules/kernel/bootloader.te
+++ b/refpolicy/policy/modules/kernel/bootloader.te
@@ -43,7 +43,7 @@ files_make_file(bootloader_etc_t)
#
type bootloader_tmp_t;
files_make_temporary_file(bootloader_tmp_t)
-devices_make_device_node(bootloader_tmp_t)
+dev_node(bootloader_tmp_t)
# kernel modules
type modules_object_t;
@@ -98,13 +98,13 @@ storage_raw_write_fixed_disk(bootloader_t)
storage_raw_read_removable_device(bootloader_t)
storage_raw_write_removable_device(bootloader_t)
-devices_get_all_character_device_attributes(bootloader_t)
-devices_set_all_block_device_attributes(bootloader_t)
-devices_ignore_modify_generic_devices(bootloader_t)
-devices_get_random_data(bootloader_t)
-devices_get_pseudorandom_data(bootloader_t)
+dev_getattr_all_chr_files(bootloader_t)
+dev_setattr_all_blk_files(bootloader_t)
+dev_dontaudit_rw_generic_dev_nodes(bootloader_t)
+dev_read_rand(bootloader_t)
+dev_read_urand(bootloader_t)
# for reading BIOS data
-devices_raw_read_memory(bootloader_t)
+dev_read_raw_memory(bootloader_t)
fs_getattr_xattr_fs(bootloader_t)
@@ -166,7 +166,7 @@ optional_policy(`filesystemtools.te', `
# LVM2 / Device Mapper's /dev/mapper/control
# maybe we should change the labeling for this
optional_policy(`lvm.te', `
- devices_use_lvm_control_channel(bootloader_t)
+ dev_rw_lvm_control(bootloader_t)
lvm_transition(bootloader_t)
lvm_read_config(bootloader_t)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 542954c..4678fe3 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1,13 +1,39 @@
##
-##
-## Policy for all devices except mass storage and terminal devices.
-##
-
-########################################
-#
-# devices_make_device_node(type)
+##
+##
+## This module creates the device node concept and provides
+## the policy for many of the device files. Notable exceptions are
+## the mass storage and terminal devices that are covered by other
+## modules.
+##
+##
+## This module creates the concept of a device node. That is a
+## char or block device file, usually in /dev. All types that
+## are used to label device nodes should use the dev_node macro.
+##
+##
+## Additionally, this module controls access to three things:
+##
+## - the device directories containing device nodes
+## - device nodes as a group
+## - individual access to specific device nodes covered by
+## this module.
+##
+##
+##
+
+########################################
+##
+##
+## Make the passed in type a type appropriate for
+## use on device nodes (usually files in /dev).
+##
+##
+## The object type that will be used on device nodes.
+##
+##
#
-define(`devices_make_device_node',`
+define(`dev_node',`
requires_block_template(`$0'_depend)
typeattribute $1 device_node;
@@ -15,19 +41,25 @@ define(`devices_make_device_node',`
fs_associate($1)
optional_policy(`distro_redhat',`
- fs_associate_tmpfs($1)
+ fs_tmpfs_associate($1)
')
')
-define(`devices_make_device_node_depend',`
+define(`dev_node_depend',`
attribute device_node;
')
########################################
+##
+##
+## Allow full relabeling (to and from) of all device nodes.
+##
+##
+## Domain allowed to relabel.
+##
+##
#
-# devices_manage_all_devices_labels(domain)
-#
-define(`devices_manage_all_devices_labels',`
+define(`dev_relabel_all_dev_nodes',`
requires_block_template(`$0'_depend)
allow $1 device_node:dir { getattr relabelfrom };
@@ -39,7 +71,7 @@ define(`devices_manage_all_devices_labels',`
allow $1 { device_t device_node }:chr_file { getattr relabelfrom relabelto };
')
-define(`devices_manage_all_devices_labels_depend',`
+define(`dev_relabel_all_dev_nodes_depend',`
attribute device_node;
type device_t;
@@ -54,99 +86,113 @@ define(`devices_manage_all_devices_labels_depend',`
')
########################################
+##
+##
+## List all of the device nodes in a device directory.
+##
+##
+## Domain allowed to list device nodes.
+##
+##
#
-# devices_list_device_nodes(domain)
-#
-define(`devices_list_device_nodes',`
+define(`dev_list_all_dev_nodes',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
- allow $1 device_t:lnk_file r_file_perms;
+ allow $1 device_t:lnk_file { getattr read };
')
-define(`devices_list_device_nodes_depend',`
+define(`dev_list_all_dev_nodes_depend',`
type device_t;
class dir r_dir_perms;
- class lnk_file r_file_perms;
+ class lnk_file { getattr read };
')
########################################
+##
+##
+## Dontaudit attempts to list all device nodes.
+##
+##
+## Domain to dontaudit listing of device nodes.
+##
+##
#
-# devices_ignore_list_device_nodes(domain)
-#
-define(`devices_ignore_list_device_nodes',`
+define(`dev_dontaudit_list_all_dev_nodes',`
requires_block_template(`$0'_depend)
dontaudit $1 device_t:dir r_dir_perms;
')
-define(`devices_ignore_list_device_nodes_depend',`
+define(`dev_dontaudit_list_all_dev_nodes_depend',`
type device_t;
class dir r_dir_perms;
')
########################################
+##
+##
+## Create a directory in the device directory.
+##
+##
+## Domain allowed to create the directory.
+##
+##
#
-# devices_add_dev_dir(domain)
-#
-define(`devices_add_dev_dir',`
+define(`dev_create_dir',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir { ra_dir_perms create };
')
-define(`devices_add_dev_dir_depend',`
+define(`dev_create_dir_depend',`
type device_t;
class dir { ra_dir_perms create };
')
########################################
+##
+##
+## Dontaudit getattr on generic pipes.
+##
+##
+## Domain to dontaudit.
+##
+##
#
-# devices_relabel_dev_dirs(domain)
-#
-define(`devices_relabel_dev_dirs',`
- requires_block_template(`$0'_depend)
-
- allow $1 device_t:dir { r_dir_perms relabelfrom relabelto };
-')
-
-define(`devices_relabel_dev_dirs_depend',`
- type device_t;
-
- class dir { r_dir_perms relabelfrom relabelto };
-')
-
-########################################
-#
-# devices_ignore_get_generic_pipe_attributes(domain)
-#
-define(`devices_ignore_get_generic_pipe_attributes',`
+define(`dev_dontaudit_getattr_generic_pipe',`
requires_block_template(`$0'_depend)
dontaudit $1 device_t:fifo_file getattr;
')
-define(`devices_ignore_get_generic_pipe_attributes_depend',`
+define(`dev_dontaudit_getattr_generic_pipe_depend',`
type device_t;
class fifo_file getattr;
')
########################################
+##
+##
+## Allow getattr on generic block devices.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_get_generic_block_device_attributes(domain)
-#
-define(`devices_get_generic_block_device_attributes',`
+define(`dev_getattr_generic_blk_file',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 device_t:blk_file getattr;
')
-define(`devices_get_generic_block_device_attributes_depend',`
+define(`ddev_getattr_generic_blk_file_depend',`
type device_t;
class dir r_dir_perms;
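Review bot: The depend block at the end of this hunk is named `ddev_getattr_generic_blk_file_depend` (stray leading `d`), while `dev_getattr_generic_blk_file` requests `$0'_depend`, i.e. `dev_getattr_generic_blk_file_depend`, so no caller of that interface will find its requires block. Rename it `define(`dev_getattr_generic_blk_file_depend',`. Separately, `devices_relabel_dev_dirs` and its depend block are deleted with no `dev_`-prefixed replacement anywhere in this diff; any module outside the diff that still calls it will fail to build, and relabel permission on `device_t:dir` is then only reachable through the much broader `dev_manage_all_dev_nodes`. The final depend block continues past the end of the hunk.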
@@ -154,71 +200,96 @@ define(`devices_get_generic_block_device_attributes_depend',`
')
########################################
+##
+##
+## Dontaudit getattr on generic block devices.
+##
+##
+## Domain to dontaudit access.
+##
+##
#
-# devices_ignore_get_generic_block_device_attributes(domain)
-#
-define(`devices_ignore_get_generic_block_device_attributes',`
+define(`ddev_dontaudit_getattr_generic_blk_files',`
requires_block_template(`$0'_depend)
dontaudit $1 device_t:blk_file getattr;
')
-define(`devices_ignore_get_generic_block_device_attributes_depend',`
+define(`dev_dontaudit_getattr_generic_blk_files_depend',`
type device_t;
class blk_file getattr;
')
########################################
+##
+##
+## Allow read, write, create, and delete for generic
+## block files.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_manage_generic_block_device(domain)
-#
-define(`devices_manage_generic_block_device',`
+define(`dev_manage_generic_blk_file',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir rw_dir_perms;
allow $1 device_t:blk_file create_file_perms;
')
-define(`devices_manage_generic_block_device_depend',`
+define(`dev_manage_generic_blk_file_depend',`
type device_t;
class blk_file create_file_perms;
')
########################################
+##
+##
+## Allow read, write, and create for generic character device files.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_add_generic_character_device(domain)
-#
-define(`devices_add_generic_character_device',`
+define(`dev_create_generic_chr_file',`
requires_block_template(`$0'_depend)
- allow $1 device_t:dir ra_dir_perms;
+ allow $1 device_t:dir { getattr search read write add_name };
allow $1 device_t:chr_file create;
allow $1 self:capability mknod;
')
-define(`devices_add_generic_character_device_depend',`
+define(`dev_create_generic_chr_file_depend',`
type device_t;
- class dir ra_dir_perms;
+ class dir { getattr search read write add_name };
class chr_file create;
class capability mknod;
')
########################################
+##
+##
+## Allow getattr for generic character device files.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_get_generic_character_device_attributes(domain)
-#
-define(`devices_get_generic_character_device_attributes',`
+define(`dev_getattr_generic_chr_file',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 device_t:chr_file getattr;
')
-define(`devices_get_generic_character_device_attributes_depend',`
+define(`dev_getattr_generic_chr_file_depend',`
type device_t;
class dir r_dir_perms;
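Review bot: `ddev_dontaudit_getattr_generic_blk_files` carries the same stray-`d` typo in the interface name itself, while its depend block a few lines later is correctly named `dev_dontaudit_getattr_generic_blk_files_depend`; callers will not resolve the interface, and `$0'_depend` would look for a `ddev_..._depend` that does not exist. Rename it `define(`dev_dontaudit_getattr_generic_blk_files',`. The plural `_blk_files` there also sits next to the singular `dev_getattr_generic_blk_file` and `dev_dontaudit_getattr_generic_chr_file` for the same object class, so one convention would help callers. The summary on `dev_create_generic_chr_file` says `Allow read, write, and create`, but the body grants only `chr_file create` plus `capability mknod` (the read/write are on the directory), so `## Allow creating generic character device files.` would describe it accurately.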
@@ -226,77 +297,95 @@ define(`devices_get_generic_character_device_attributes_depend',`
')
########################################
+##
+##
+## Dontaudit getattr for generic character device files.
+##
+##
+## Domain to dontaudit access.
+##
+##
#
-# devices_ignore_get_generic_character_device_attributes(domain)
-#
-define(`devices_ignore_get_generic_character_device_attributes',`
+define(`dev_dontaudit_getattr_generic_chr_file',`
requires_block_template(`$0'_depend)
dontaudit $1 device_t:chr_file getattr;
')
-define(`devices_ignore_get_generic_character_device_attributes_depend',`
+define(`dev_dontaudit_getattr_generic_chr_file',`
type device_t;
class chr_file getattr;
')
########################################
-##
+##
##
-## Delete symbolic links in /dev.
+## Delete symbolic links in device directories.
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
-define(`devices_remove_dev_symbolic_links',`
+define(`dev_del_generic_symlinks',`
requires_block_template(`$0'_depend)
- allow $1 device_t:dir { r_dir_perms write remove_name };
+ allow $1 device_t:dir { getattr read write remove_name };
allow $1 device_t:lnk_file unlink;
')
-define(`devices_remove_dev_symbolic_links_depend',`
+define(`dev_del_generic_symlinks_depend',`
attribute device_node, memory_raw_read, memory_raw_write;
type device_t;
- class dir { r_dir_perms write remove_name };
+ class dir { getattr read write remove_name };
class lnk_file unlink;
')
########################################
+##
+##
+## Create, delete, read, and write symbolic links in device directories.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_manage_dev_symbolic_links(domain)
-#
-define(`devices_manage_dev_symbolic_links',`
+define(`dev_manage_generic_symlinks',`
requires_block_template(`$0'_depend)
- allow $1 device_t:dir create_dir_perms;
- allow $1 device_t:lnk_file create_lnk_perms;
+ allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+ allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
')
-define(`devices_manage_dev_symbolic_links_depend',`
+define(`dev_manage_generic_symlinks_depend',`
type device_t;
- class dir create_dir_perms;
- class lnk_file create_lnk_perms;
+ class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+ class lnk_file { create read getattr setattr link unlink rename };
')
########################################
+##
+##
+## Create, delete, read, and write device nodes in device directories.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_manage_device_nodes(domain)
-#
-define(`devices_manage_device_nodes',`
+define(`dev_manage_all_dev_nodes',`
requires_block_template(`$0'_depend)
- allow $1 device_t:dir { create_dir_perms relabelfrom relabelto };
- allow $1 device_t:sock_file create_file_perms;
- allow $1 device_t:lnk_file create_lnk_perms;
- allow $1 device_t:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };
- allow $1 device_node:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };
+ allow $1 device_t:dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+ allow $1 device_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1 device_t:lnk_file { create read getattr setattr link unlink rename };
+ allow $1 device_t:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+ allow $1 device_node:{ chr_file blk_file } { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
# these next rules are to satisfy assertions broken by the above lines.
# the permissions hopefully can be cut back a lot
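Review bot: The depend block of `dev_dontaudit_getattr_generic_chr_file` was renamed to the interface's own name, dropping the `_depend` suffix; since m4 keeps the last definition, every caller now expands to `type device_t; class chr_file getattr;` instead of the dontaudit rule, and the `$0'_depend` lookup is left unresolved. Change the second define to `define(`dev_dontaudit_getattr_generic_chr_file_depend',`. Also, spelling out the permission sets in `dev_manage_generic_symlinks` gives `device_t:dir` `relabelfrom relabelto`, the same set `dev_manage_all_dev_nodes` previously added explicitly on top of `create_dir_perms`; unless `create_dir_perms` already contained relabel permissions, this quietly widens what a symlink manager may do to device directories. `dev_manage_all_dev_nodes` continues past the end of the hunk.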
@@ -309,29 +398,35 @@ define(`devices_manage_device_nodes',`
typeattribute $1 memory_raw_write;
')
-define(`devices_manage_device_nodes_depend',`
+define(`dev_manage_all_dev_nodes_depend',`
attribute device_node, memory_raw_read, memory_raw_write;
type device_t;
- class dir { create_dir_perms relabelfrom relabelto };
- class sock_file create_file_perms;
- class lnk_file create_lnk_perms;
- class chr_file { create_file_perms relabelfrom relabelto };
- class blk_file { create_file_perms relabelfrom relabelto };
+ class dir { create read getattr lock setattr ioctl link unlink rename search add_name remove_name reparent write rmdir relabelfrom relabelto };
+ class sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+ class lnk_file { create read getattr setattr link unlink rename };
+ class chr_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
+ class blk_file { create ioctl read getattr lock write setattr append link unlink rename relabelfrom relabelto };
')
########################################
+##
+##
+## Dontaudit getattr for generic device files.
+##
+##
+## Domain to dontaudit access.
+##
+##
#
-# devices_ignore_modify_generic_devices(domain)
-#
-define(`devices_ignore_modify_generic_devices',`
+define(`dev_dontaudit_rw_generic_dev_nodes',`
requires_block_template(`$0'_depend)
dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
')
-define(`devices_ignore_modify_generic_devices_depend',`
+define(`dev_dontaudit_rw_generic_dev_nodes_depend',`
type device_t;
class chr_file { getattr read write ioctl };
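Review bot: The new summary on `dev_dontaudit_rw_generic_dev_nodes` says `Dontaudit getattr for generic device files`, but the rule dontaudits `{ getattr read write ioctl }` on both chr_file and blk_file, as the interface name itself says. Suggest `## Dontaudit read, write, getattr, and ioctl on generic device nodes.` so a reader does not assume a narrower suppression. Its depend block continues past the end of the hunk.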
@@ -339,17 +434,23 @@ define(`devices_ignore_modify_generic_devices_depend',`
')
########################################
+##
+##
+## Create, delete, read, and write block device files.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_manage_generic_block_devices(domain)
-#
-define(`devices_manage_generic_block_devices',`
+define(`dev_manage_generic_blk_file',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir rw_dir_perms;
allow $1 device_t:blk_file create_file_perms;
')
-define(`devices_manage_generic_block_devices_depend',`
+define(`dev_manage_generic_blk_file_depend',`
type device_t;
class dir rw_dir_perms;
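Review bot: This hunk renames `devices_manage_generic_block_devices` to `dev_manage_generic_blk_file`, but an earlier hunk already gave that exact name to `devices_manage_generic_block_device` (singular), so the interface and its `_depend` block are now each defined twice and m4 silently keeps whichever comes last. The two interface bodies match, but the earlier `_depend` block lacks the `class dir rw_dir_perms;` line this one has, so what callers get depends on definition order. Drop one pair, keeping this fuller `_depend` block, and check that neither old name is still called elsewhere. The depend block continues past the end of the hunk.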
@@ -357,17 +458,23 @@ define(`devices_manage_generic_block_devices_depend',`
')
########################################
+##
+##
+## Create, delete, read, and write character device files.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_manage_generic_character_devices(domain)
-#
-define(`devices_manage_generic_character_devices',`
+define(`dev_manage_generic_chr_file',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir rw_dir_perms;
allow $1 device_t:chr_file create_file_perms;
')
-define(`devices_manage_generic_character_devices_depend',`
+define(`dev_manage_generic_chr_file_depend',`
type device_t;
class dir rw_dir_perms;
@@ -375,38 +482,58 @@ define(`devices_manage_generic_character_devices_depend',`
')
########################################
+##
+##
+## Create, read, and write device nodes. The node
+## will be transitioned to the type provided.
+##
+##
+## Domain allowed access.
+##
+##
+## Type to which the created node will be transitioned.
+##
+##
+## Object class(es) (single or set including {}) for which this
+## the transition will occur.
+##
+##
#
-# devices_create_dev_entry(domain,file,objectclass(es))
-#
-define(`devices_create_dev_entry',`
+define(`dev_create_dev_node',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir rw_dir_perms;
type_transition $1 device_t:$3 $2;
optional_policy(`distro_redhat',`
- fs_associate_tmpfs($2)
+ fs_tmpfs_associate($2)
')
')
-define(`devices_set_dev_entry_depend',`
+define(`dev_create_dev_node_depend',`
type device_t;
class dir rw_dir_perms;
')
########################################
+##
+##
+## Getattr on all block file device nodes.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_get_all_block_device_attributes(domain)
-#
-define(`devices_get_all_block_device_attributes',`
+define(`dev_getattr_all_blk_files',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 device_node:blk_file getattr;
')
-define(`devices_get_all_block_device_attributes_depend',`
+define(`dev_getattr_all_blk_files_depend',`
attribute device_node;
class blk_file getattr;
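Review bot: The summary on `dev_create_dev_node` claims `Create, read, and write device nodes`, but the body grants only `device_t:dir rw_dir_perms` and a `type_transition` to `$2`; nothing is allowed on the node itself, so callers still need their own rule for `$2`. Suggest `## Allow creating device nodes in device directories, transitioning the node to the given type.` The third parameter's description reads `for which this the transition will occur`; drop the stray `this`. The `_depend` block cannot declare `$2` or class `$3`, which deserves a one-line comment so that requirement on callers is explicit.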
@@ -414,33 +541,45 @@ define(`devices_get_all_block_device_attributes_depend',`
')
########################################
+##
+##
+## Dontaudit getattr on all block file device nodes.
+##
+##
+## Domain to dontaudit access.
+##
+##
#
-# devices_ignore_get_all_block_device_attributes(domain)
-#
-define(`devices_ignore_get_all_block_device_attributes',`
+define(`dev_dontaudit_getattr_all_blk_files',`
requires_block_template(`$0'_depend)
allow $1 device_node:blk_file getattr;
')
-define(`devices_ignore_get_all_block_device_attributes_depend',`
+define(`dev_dontaudit_getattr_all_blk_files_depend',`
attribute device_node;
class blk_file getattr;
')
########################################
+##
+##
+## Getattr on all character file device nodes.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_get_all_character_device_attributes(domain)
-#
-define(`devices_get_all_character_device_attributes',`
+define(`dev_getattr_all_chr_files',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 device_node:chr_file getattr;
')
-define(`devices_get_all_character_device_attributes_depend',`
+define(`dev_getattr_all_chr_files_depend',`
attribute device_node;
class chr_file getattr;
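Review bot: `dev_dontaudit_getattr_all_blk_files` still has `allow $1 device_node:blk_file getattr;` as its body, so an interface whose name and summary promise only to silence denials actually grants getattr on every block device node to the caller. The line is unchanged context, but the rename makes the mismatch more misleading than before, and the sibling `dev_dontaudit_getattr_all_chr_files` in this same hunk correctly uses `dontaudit`. Change it to `dontaudit $1 device_node:blk_file getattr;`. The last depend block continues past the end of the hunk.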
@@ -448,33 +587,45 @@ define(`devices_get_all_character_device_attributes_depend',`
')
########################################
+##
+##
+## Dontaudit getattr on all character file device nodes.
+##
+##
+## Domain to dontaudit access.
+##
+##
#
-# devices_ignore_get_all_character_device_attributes(domain)
-#
-define(`devices_ignore_get_all_character_device_attributes',`
+define(`dev_dontaudit_getattr_all_chr_files',`
requires_block_template(`$0'_depend)
dontaudit $1 device_node:chr_file getattr;
')
-define(`devices_ignore_get_all_character_device_attributes_depend',`
+define(`dev_dontaudit_getattr_all_chr_files_depend',`
attribute device_node;
class chr_file getattr;
')
########################################
+##
+##
+## Setattr on all block file device nodes.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_set_all_block_device_attributes(domain)
-#
-define(`devices_set_all_block_device_attributes',`
+define(`dev_setattr_all_blk_files',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 device_node:blk_file setattr;
')
-define(`devices_set_all_block_device_attributes_depend',`
+define(`dev_setattr_all_blk_files_depend',`
attribute device_node;
class dir r_dir_perms;
@@ -482,17 +633,23 @@ define(`devices_set_all_block_device_attributes_depend',`
')
########################################
+##
+##
+## Setattr on all character file device nodes.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_set_all_character_device_attributes(domain)
-#
-define(`devices_set_all_character_device_attributes',`
+define(`dev_setattr_all_chr_files',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 device_node:chr_file setattr;
')
-define(`devices_set_all_character_device_attributes_depend',`
+define(`dev_setattr_all_chr_files_depend',`
attribute device_node;
class dir r_dir_perms;
@@ -500,10 +657,16 @@ define(`devices_set_all_character_device_attributes_depend',`
')
########################################
+##
+##
+## Read, write, create, and delete all block device files.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_manage_all_block_devices(domain)
-#
-define(`devices_manage_all_block_devices',`
+define(`dev_manage_all_blk_files',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir rw_dir_perms;
@@ -516,7 +679,7 @@ define(`devices_manage_all_block_devices',`
storage_write_scsi_generic($1)
')
-define(`devices_manage_generic_block_devices_depend',`
+define(`dev_manage_all_blk_files_depend',`
attribute device_node;
class dir rw_dir_perms;
@@ -524,10 +687,16 @@ define(`devices_manage_generic_block_devices_depend',`
')
########################################
+##
+##
+## Read, write, create, and delete all character device files.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_manage_all_character_devices(domain)
-#
-define(`devices_manage_all_character_devices',`
+define(`dev_manage_all_chr_files',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir rw_dir_perms;
@@ -536,7 +705,7 @@ define(`devices_manage_all_character_devices',`
typeattribute $1 memory_raw_read, memory_raw_write;
')
-define(`devices_manage_all_character_devices_depend',`
+define(`dev_manage_all_chr_files_depend',`
attribute device_node, memory_raw_read, memory_raw_write;
class dir rw_dir_perms;
@@ -544,10 +713,16 @@ define(`devices_manage_all_character_devices_depend',`
')
########################################
+##
+##
+## Read raw memory devices (e.g. /dev/mem).
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_raw_read_memory(domain)
-#
-define(`devices_raw_read_memory',`
+define(`dev_read_raw_memory',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
@@ -557,19 +732,25 @@ define(`devices_raw_read_memory',`
typeattribute $1 memory_raw_read;
')
-define(`devices_raw_read_memory_depend',`
-type device_t, memory_device_t;
-attribute memory_raw_read;
-class dir r_dir_perms;
-class chr_file r_file_perms;
-class capability sys_rawio;
+define(`dev_read_raw_memory_depend',`
+ type device_t, memory_device_t;
+ attribute memory_raw_read;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
+ class capability sys_rawio;
')
########################################
+##
+##
+## Write raw memory devices (e.g. /dev/mem).
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_raw_write_memory(domain)
-#
-define(`devices_raw_write_memory',`
+define(`dev_write_raw_memory',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
@@ -579,60 +760,78 @@ define(`devices_raw_write_memory',`
typeattribute $1 memory_raw_write;
')
-define(`devices_raw_write_memory_depend',`
-type device_t, memory_device_t;
-attribute memory_raw_write;
-class dir r_dir_perms;
-class chr_file write;
-class capability sys_rawio;
+define(`dev_write_raw_memory_depend',`
+ type device_t, memory_device_t;
+ attribute memory_raw_write;
+ class dir r_dir_perms;
+ class chr_file write;
+ class capability sys_rawio;
')
########################################
+##
+##
+## Read and execute raw memory devices (e.g. /dev/mem).
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_legacy_raw_read_memory(domain)
-#
-define(`devices_legacy_raw_read_memory',`
+define(`dev_rx_raw_memory',`
requires_block_template(`$0'_depend)
- devices_raw_read_memory($1)
+ dev_read_raw_memory($1)
allow $1 memory_device_t:chr_file execute;
')
-define(`devices_legacy_raw_read_memory_depend',`
+define(`dev_rx_raw_memory_depend',`
type device_t, memory_device_t;
class chr_file execute;
')
########################################
+##
+##
+## Write and execute raw memory devices (e.g. /dev/mem).
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_legacy_raw_write_memory(domain)
-#
-define(`devices_legacy_raw_write_memory',`
+define(`dev_wx_raw_memory',`
requires_block_template(`$0'_depend)
- devices_raw_write_memory($1)
+ dev_write_raw_memory($1)
allow $1 memory_device_t:chr_file execute;
')
-define(`devices_legacy_raw_write_memory_depend',`
+define(`dev_wx_raw_memory_depend',`
type device_t, memory_device_t;
class chr_file execute;
')
########################################
+##
+##
+## Read from random devices (e.g., /dev/random)
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_get_random_data(domain)
-#
-define(`devices_get_random_data',`
+define(`dev_read_rand',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 random_device_t:chr_file r_file_perms;
')
-define(`devices_get_random_data_depend',`
+define(`dev_read_rand_depend',`
type device_t, random_device_t;
class dir r_dir_perms;
@@ -640,17 +839,23 @@ define(`devices_get_random_data_depend',`
')
########################################
+##
+##
+## Read from pseudo random devices (e.g., /dev/urandom)
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_get_pseudorandom_data(domain)
-#
-define(`devices_get_pseudorandom_data',`
+define(`dev_read_urand',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 urandom_device_t:chr_file r_file_perms;
')
-define(`devices_get_pseudorandom_data_depend',`
+define(`dev_read_urand_depend',`
type device_t, urandom_device_t;
class dir r_dir_perms;
@@ -658,17 +863,25 @@ define(`devices_get_pseudorandom_data_depend',`
')
########################################
+##
+##
+## Write to the random device (e.g., /dev/random). This adds
+## entropy used to generate the random data read from the
+## random device.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_add_entropy(domain)
-#
-define(`devices_add_entropy',`
+define(`dev_write_rand',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 random_device_t:chr_file { getattr write ioctl };
')
-define(`devices_add_entropy_depend',`
+define(`dev_write_rand_depend',`
type device_t, random_device_t;
class dir r_dir_perms;
@@ -676,17 +889,24 @@ define(`devices_add_entropy_depend',`
')
########################################
+##
+##
+## Write to the pseudo random device (e.g., /dev/urandom). This
+## sets the random number generator seed.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_set_pseudorandom_seed(domain)
-#
-define(`devices_set_pseudorandom_seed',`
+define(`dev_write_urand',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 urandom_device_t:chr_file { getattr write ioctl };
')
-define(`devices_set_pseudorandom_seed_depend',`
+define(`dev_write_urand_depend',`
type device_t, urandom_device_t;
class dir r_dir_perms;
@@ -694,17 +914,23 @@ define(`devices_set_pseudorandom_seed_depend',`
')
########################################
+##
+##
+## Read and write to the null device (/dev/null).
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_use_dev_null(domain)
-#
-define(`devices_use_dev_null',`
+define(`dev_rw_null_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 null_device_t:chr_file rw_file_perms;
')
-define(`devices_use_dev_null_depend',`
+define(`dev_rw_null_dev_depend',`
type device_t, null_device_t;
class device_t:dir r_dir_perms;
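Review bot: `class device_t:dir r_dir_perms;` in `dev_rw_null_dev_depend` is not a class requirement in the form every sibling depend block uses, which is `class dir r_dir_perms;` (compare `dev_read_urand_depend` and `dev_write_rand_depend` above). The line is unchanged context, so the rename carries the malformed entry forward under the new name; the same line appears in `dev_rw_zero_dev_depend` in the following hunk. Suggest `class dir r_dir_perms;` in both places. If these `_depend` blocks feed a require block, as the `type`/`class` entries suggest, the problem would only surface when a module calling one of these two interfaces is built, so a test build of such a caller is worth doing.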
@@ -712,17 +938,23 @@ define(`devices_use_dev_null_depend',`
')
########################################
+##
+##
+## Read and write to the zero device (/dev/zero).
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_use_dev_zero(domain)
-#
-define(`devices_use_dev_zero',`
+define(`dev_rw_zero_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 zero_device_t:chr_file rw_file_perms;
')
-define(`devices_use_dev_zero_depend',`
+define(`dev_rw_zero_dev_depend',`
type device_t, zero_device_t;
class device_t:dir r_dir_perms;
@@ -730,51 +962,69 @@ define(`devices_use_dev_zero_depend',`
')
########################################
+##
+##
+## Read, write, and execute the zero device (/dev/zero).
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_legacy_use_dev_zero(domain)
-#
-define(`devices_legacy_use_dev_zero',`
+define(`dev_rwx_zero_dev',`
requires_block_template(`$0'_depend)
- devices_use_dev_zero($1)
+ dev_rw_zero_dev($1)
allow $1 zero_device_t:chr_file execute;
')
-define(`devices_legacy_use_dev_zero_depend',`
+define(`dev_rwx_zero_dev_depend',`
type zero_device_t;
class chr_file execute;
')
########################################
+##
+##
+## Read the realtime clock (/dev/rtc).
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_read_realtime_clock(domain)
-#
-define(`devices_read_realtime_clock',`
+define(`dev_read_realtime_clock',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 clock_device_t:chr_file r_file_perms;
')
-define(`devices_read_realtime_clock_depend',`
+define(`dev_read_realtime_clock_depend',`
type device_t, clock_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
########################################
+##
+##
+## Read the realtime clock (/dev/rtc).
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_write_realtime_clock(domain)
-#
-define(`devices_write_realtime_clock',`
+define(`dev_write_realtime_clock',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
')
-define(`devices_write_realtime_clock_depend',`
+define(`dev_write_realtime_clock_depend',`
type device_t, clock_device_t;
class dir r_dir_perms;
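Review bot: The new summary added above `dev_write_realtime_clock` reads `## Read the realtime clock (/dev/rtc).`, but the interface grants `{ setattr lock write append ioctl }` on `clock_device_t`, so the text under-states what a caller receives. The same copied line heads `dev_rw_realtime_clock` in the next hunk, which composes the read and write interfaces. Suggest `## Write the realtime clock (/dev/rtc).` here and `## Read and write the realtime clock (/dev/rtc).` there; policy authors choose interfaces by these summaries, and an under-stated one invites granting write access where only read was intended.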
@@ -782,43 +1032,61 @@ define(`devices_write_realtime_clock_depend',`
')
########################################
+##
+##
+## Read the realtime clock (/dev/rtc).
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_modify_realtime_clock(domain)
-#
-define(`devices_modify_realtime_clock',`
- devices_read_realtime_clock($1)
- devices_write_realtime_clock($1)
+define(`dev_rw_realtime_clock',`
+ dev_read_realtime_clock($1)
+ dev_write_realtime_clock($1)
')
########################################
+##
+##
+## Read the sound devices.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_record_sound_input(domain)
-#
-define(`devices_record_sound_input',`
+define(`dev_read_snd_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file r_file_perms;
')
-define(`devices_record_sound_input_depend',`
-type device_t, sound_device_t;
-class dir r_dir_perms;
-class chr_file r_file_perms;
+define(`dev_read_snd_dev_depend',`
+ type device_t, sound_device_t;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
')
########################################
+##
+##
+## Write the sound devices.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_play_sound(domain)
-#
-define(`devices_play_sound',`
+define(`dev_write_snd_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr write ioctl };
')
-define(`devices_play_sound_depend',`
+define(`dev_write_snd_dev_depend',`
type device_t, sound_device_t;
class dir r_dir_perms;
@@ -826,35 +1094,47 @@ define(`devices_play_sound_depend',`
')
########################################
+##
+##
+## Read the sound mixer devices.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_read_sound_mixer_levels(domain)
-#
-define(`devices_read_sound_mixer_levels',`
+define(`dev_read_snd_mixer_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file r_file_perms;
+ allow $1 sound_device_t:chr_file { getattr read ioctl };
')
-define(`devices_read_sound_mixer_levels_depend',`
+define(`dev_read_snd_mixer_dev_depend',`
type device_t, sound_device_t;
class dir r_dir_perms;
- class chr_file r_file_perms;
+ class chr_file { getattr read ioctl };
')
########################################
+##
+##
+## Write the sound mixer devices.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_write_sound_mixer_levels(domain)
-#
-define(`devices_write_sound_mixer_levels',`
+define(`dev_write_snd_mixer_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 sound_device_t:chr_file { getattr write ioctl };
')
-define(`devices_write_sound_mixer_levels_depend',`
+define(`dev_write_snd_mixer_dev_depend',`
type device_t, sound_device_t;
class dir r_dir_perms;
@@ -862,17 +1142,23 @@ define(`devices_write_sound_mixer_levels_depend',`
')
########################################
+##
+##
+## Read and write the agp devices.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_direct_agp_access(domain)
-#
-define(`devices_direct_agp_access',`
+define(`dev_rw_agp_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 agp_device_t:chr_file rw_file_perms;
')
-define(`devices_direct_agp_access_depend',`
+define(`dev_rw_agp_dev_depend',`
type device_t, agp_device_t;
class dir r_dir_perms;
@@ -880,17 +1166,23 @@ define(`devices_direct_agp_access_depend',`
')
########################################
+##
+##
+## Getattr the agp devices.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_get_direct_rendering_interface_attributes(domain)
-#
-define(`devices_get_direct_rendering_interface_attributes',`
+define(`dev_getattr_agp_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 dri_device_t:chr_file getattr;
')
-define(`devices_get_direct_rendering_interface_attributes_depend',`
+define(`dev_getattr_agp_dev_depend',`
type device_t, dri_device_t;
class dir r_dir_perms;
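Review bot: `dev_getattr_agp_dev` and its summary `## Getattr the agp devices.` name agp, but both the rule and the depend block operate on `dri_device_t`, and the old name (`devices_get_direct_rendering_interface_attributes`) was about DRI. A caller picking this interface by name would expect `agp_device_t` access and instead be granted `dri_device_t` getattr, and a later attempt to make the body match the name would silently change what existing callers receive. Suggest renaming to `dev_getattr_dri_dev` / `dev_getattr_dri_dev_depend` with `## Getattr the dri devices.`, or, if agp getattr was the intent, changing the type to `agp_device_t` in both the rule and the depend block.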
@@ -898,17 +1190,23 @@ define(`devices_get_direct_rendering_interface_attributes_depend',`
')
########################################
+##
+##
+## Read and write the dri devices.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_use_direct_rendering_interface(domain)
-#
-define(`devices_use_direct_rendering_interface',`
+define(`dev_rw_dri_dev',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 dri_device_t:chr_file rw_file_perms;
')
-define(`devices_use_direct_rendering_interface_depend',`
+define(`dev_rw_dri_dev_depend',`
type device_t, dri_device_t;
class dir r_dir_perms;
@@ -916,33 +1214,45 @@ define(`devices_use_direct_rendering_interface_depend',`
')
########################################
+##
+##
+## Dontaudit read and write on the dri devices.
+##
+##
+## Domain to dontaudit access.
+##
+##
#
-# devices_ignore_use_direct_rendering_interface(domain)
-#
-define(`devices_ignore_use_direct_rendering_interface',`
+define(`dev_dontaudit_rw_dri_dev',`
requires_block_template(`$0'_depend)
dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
')
-define(`devices_ignore_use_direct_rendering_interface_depend',`
+define(`dev_dontaudit_rw_dri_dev_depend',`
type dri_device_t;
class chr_file { getattr read write ioctl };
')
########################################
+##
+##
+## Read the mtrr device.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_read_mtrr(domain)
-#
-define(`devices_read_mtrr',`
+define(`dev_read_mtrr',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 mtrr_device_t:chr_file r_file_perms;
')
-define(`devices_read_mtrr_depend',`
+define(`dev_read_mtrr_depend',`
type device_t, mtrr_device_t;
class dir r_dir_perms;
@@ -950,17 +1260,23 @@ define(`devices_read_mtrr_depend',`
')
########################################
+##
+##
+## Write the mtrr device.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_write_mtrr(domain)
-#
-define(`devices_write_mtrr',`
+define(`dev_write_mtrr',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 mtrr_device_t:chr_file { getattr write ioctl };
')
-define(`devices_write_mtrr_depend',`
+define(`dev_write_mtrr_depend',`
type device_t, mtrr_device_t;
class dir r_dir_perms;
@@ -968,17 +1284,23 @@ define(`devices_write_mtrr_depend',`
')
########################################
+##
+##
+## Read the framebuffer device.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_read_framebuffer(domain)
-#
-define(`devices_read_framebuffer',`
+define(`dev_read_framebuffer',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 framebuf_device_t:chr_file r_file_perms;
')
-define(`devices_read_framebuffer_depend',`
+define(`dev_read_framebuffer_depend',`
type framebuf_device_t;
class dir r_dir_perms;
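Review bot: `dev_read_framebuffer_depend` declares only `type framebuf_device_t;`, while the interface body also emits `allow $1 device_t:dir r_dir_perms;`; the write variant in the next hunk declares `type device_t, framebuf_device_t;`. The line is unchanged context, so the rename carries the omission forward. Suggest `type device_t, framebuf_device_t;` so the declared requirements match the rules the interface produces.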
@@ -986,17 +1308,23 @@ define(`devices_read_framebuffer_depend',`
')
########################################
+##
+##
+## Write the framebuffer device.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_write_framebuffer(domain)
-#
-define(`devices_write_framebuffer',`
+define(`dev_write_framebuffer',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 framebuf_device_t:chr_file { getattr write ioctl };
')
-define(`devices_write_framebuffer_depend',`
+define(`dev_write_framebuffer_depend',`
type device_t, framebuf_device_t;
class dir r_dir_perms;
@@ -1004,17 +1332,23 @@ define(`devices_write_framebuffer_depend',`
')
########################################
+##
+##
+## Read the lvm comtrol device.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_read_lvm_control_channel(domain)
-#
-define(`devices_read_lvm_control_channel',`
+define(`dev_read_lvm_control',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 lvm_control_t:chr_file r_file_perms;
')
-define(`devices_read_lvm_control_channel_depend',`
+define(`dev_read_lvm_control_depend',`
type device_t, lvm_control_t;
class dir r_dir_perms;
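Review bot: The summary added for `dev_read_lvm_control` has a typo, `## Read the lvm comtrol device.`; suggest `## Read the lvm control device.`. The summaries added for `dev_rw_cpu_microcode`, `dev_rw_scanner` and `dev_rw_power_management` in later hunks each contain "the the", e.g. `## Read and write the cpu microcode device. This` for the first. These `##` comments appear to be the source of the interface documentation, so the text is worth keeping clean.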
@@ -1022,17 +1356,23 @@ define(`devices_read_lvm_control_channel_depend',`
')
########################################
+##
+##
+## Read and write the lvm control device.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_use_lvm_control_channel(domain)
-#
-define(`devices_use_lvm_control_channel',`
+define(`dev_rw_lvm_control',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 lvm_control_t:chr_file rw_file_perms;
')
-define(`devices_use_lvm_control_channel_depend',`
+define(`dev_rw_lvm_control_depend',`
type device_t, lvm_control_t;
class dir r_dir_perms;
@@ -1040,35 +1380,47 @@ define(`devices_use_lvm_control_channel_depend',`
')
########################################
+##
+##
+## Delete the lvm control device.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_remove_lvm_control_channel(domain)
-#
-define(`devices_remove_lvm_control_channel',`
+define(`dev_delete_lvm_control',`
requires_block_template(`$0'_depend)
- allow $1 device_t:dir { r_dir_perms write remove_name };
+ allow $1 device_t:dir { getattr search read write remove_name };
allow $1 lvm_control_t:chr_file unlink;
')
-define(`devices_remove_lvm_control_channel_depend',`
+define(`dev_delete_lvm_control_depend',`
type device_t, lvm_control_t;
- class dir { r_dir_perms write remove_name };
+ class dir { getattr search read write remove_name };
class chr_file unlink;
')
########################################
+##
+##
+## Read miscellaneous devices.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_read_misc(domain)
-#
-define(`devices_read_misc',`
+define(`dev_read_misc',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 misc_device_t:chr_file r_file_perms;
')
-define(`devices_read_misc_depend',`
+define(`dev_read_misc_depend',`
type device_t, misc_device_t;
class dir r_dir_perms;
@@ -1076,17 +1428,23 @@ define(`devices_read_misc_depend',`
')
########################################
+##
+##
+## Write miscellaneous devices.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_write_misc(domain)
-#
-define(`devices_write_misc',`
+define(`dev_write_misc',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 misc_device_t:chr_file { getattr write ioctl };
')
-define(`devices_write_misc_depend',`
+define(`dev_write_misc_depend',`
type device_t, misc_device_t;
class dir r_dir_perms;
@@ -1094,17 +1452,23 @@ define(`devices_write_misc_depend',`
')
########################################
+##
+##
+## Read the mouse devices.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_get_mouse_input(domain)
-#
-define(`devices_get_mouse_input',`
+define(`dev_read_mouse',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 mouse_device_t:chr_file r_file_perms;
')
-define(`devices_get_mouse_input_depend',`
+define(`dev_read_mouse_depend',`
type device_t, mouse_device_t;
allow $1 device_t:dir r_dir_perms;
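Review bot: `dev_read_mouse_depend` contains `allow $1 device_t:dir r_dir_perms;` where every other `_depend` block in this file lists a class requirement, i.e. `class dir r_dir_perms;`. If the `_depend` macros expand into a require block, as their `type`/`class` entries suggest, an `allow` there is at best a syntax error and at worst a grant emitted in a place the interface author did not intend. The line is unchanged context that the rename carries forward; suggest `class dir r_dir_perms;`. The rest of the block continues below the hunk.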
@@ -1112,17 +1476,23 @@ define(`devices_get_mouse_input_depend',`
')
########################################
+##
+##
+## Read the multiplexed input device (/dev/input).
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_get_input_event(domain)
-#
-define(`devices_get_input_event',`
+define(`dev_read_input',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 event_device_t:chr_file r_file_perms;
')
-define(`devices_get_input_event_depend',`
+define(`dev_read_input_depend',`
type device_t, event_device_t;
class dir r_dir_perms;
@@ -1130,17 +1500,23 @@ define(`devices_get_input_event_depend',`
')
########################################
+##
+##
+## Read the multiplexed input device (/dev/input).
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_get_cpuid(domain)
-#
-define(`devices_get_cpuid',`
+define(`dev_read_cpuid',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 cpu_device_t:chr_file r_file_perms;
')
-define(`devices_get_cpuid_depend',`
+define(`dev_read_cpuid_depend',`
type device_t, cpu_device_t;
class dir r_dir_perms;
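Review bot: The description added for `dev_read_cpuid`, `## Read the multiplexed input device (/dev/input).`, is copied from `dev_read_input` in the previous hunk, while this interface grants read on `cpu_device_t`. Suggest `## Read the cpuid device.` or similar wording that names the cpu device, so the documentation does not present this interface as input-device access.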
@@ -1148,17 +1524,24 @@ define(`devices_get_cpuid_depend',`
')
########################################
+##
+##
+## Read and write the the cpu microcode device. This
+## is required to load cpu microcode.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_load_cpu_microcode(domain)
-#
-define(`devices_load_cpu_microcode',`
+define(`dev_rw_cpu_microcode',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 cpu_device_t:chr_file rw_file_perms;
')
-define(`devices_load_cpu_microcode_depend',`
+define(`dev_rw_cpu_microcode_depend',`
type device_t, cpu_device_t;
class dir r_dir_perms;
@@ -1166,17 +1549,23 @@ define(`devices_load_cpu_microcode_depend',`
')
########################################
+##
+##
+## Read and write the the scanner device.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_use_scanner(domain)
-#
-define(`devices_use_scanner',`
+define(`dev_rw_scanner',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 scanner_device_t:chr_file rw_file_perms;
')
-define(`devices_use_scanner_depend',`
+define(`dev_rw_scanner_depend',`
type device_t, scanner_device_t;
class dir r_dir_perms;
@@ -1184,17 +1573,23 @@ define(`devices_use_scanner_depend',`
')
########################################
+##
+##
+## Read and write the the power management device.
+##
+##
+## Domain allowed access.
+##
+##
#
-# devices_control_system_powermanagement(domain)
-#
-define(`devices_control_system_powermanagement',`
+define(`dev_rw_power_management',`
requires_block_template(`$0'_depend)
allow $1 device_t:dir r_dir_perms;
allow $1 power_device_t:chr_file rw_file_perms;
')
-define(`devices_control_system_powermanagement_depend',`
+define(`dev_rw_power_management_depend',`
type device_t, power_device_t;
class dir r_dir_perms;
diff --git a/refpolicy/policy/modules/kernel/storage.if b/refpolicy/policy/modules/kernel/storage.if
index 41119c6..dd4ee09 100644
--- a/refpolicy/policy/modules/kernel/storage.if
+++ b/refpolicy/policy/modules/kernel/storage.if
@@ -15,7 +15,7 @@
define(`storage_getattr_fixed_disk',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file getattr;
')
@@ -62,7 +62,7 @@ define(`storage_dontaudit_getattr_fixed_disk_depend',`
define(`storage_setattr_fixed_disk',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file setattr;
')
@@ -88,7 +88,7 @@ define(`storage_setattr_fixed_disk_depend',`
define(`storage_raw_read_fixed_disk',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file r_file_perms;
typeattribute $1 fixed_disk_raw_read;
')
@@ -117,7 +117,7 @@ define(`storage_raw_read_fixed_disk_depend',`
define(`storage_raw_write_fixed_disk',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
typeattribute $1 fixed_disk_raw_write;
')
@@ -144,7 +144,7 @@ define(`storage_create_fixed_disk_dev_entry',`
requires_block_template(`$0'_depend)
allow $1 fixed_disk_device_t:blk_file create_file_perms;
- devices_create_dev_entry($1,fixed_disk_device_t,blk_file)
+ dev_create_dev_node($1,fixed_disk_device_t,blk_file)
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')
@@ -167,7 +167,7 @@ define(`storage_create_fixed_disk_dev_entry_depend',`
define(`storage_manage_fixed_disk',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file create_file_perms;
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')
@@ -196,7 +196,7 @@ define(`storage_manage_fixed_disk_depend',`
define(`storage_raw_read_lvm_volume',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 lvm_vg_t:blk_file r_file_perms;
typeattribute $1 fixed_disk_raw_read;
')
@@ -225,7 +225,7 @@ define(`storage_raw_read_lvm_volume_depend',`
define(`storage_raw_write_lvm_volume',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 lvm_vg_t:blk_file { getattr write ioctl };
typeattribute $1 fixed_disk_raw_write;
')
@@ -255,7 +255,7 @@ define(`storage_raw_write_lvm_volume_depend',`
define(`storage_read_scsi_generic',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file r_file_perms;
typeattribute $1 scsi_generic_read;
')
@@ -285,7 +285,7 @@ define(`storage_read_scsi_generic_depend',`
define(`storage_write_scsi_generic',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
typeattribute $1 scsi_generic_write;
')
@@ -312,7 +312,7 @@ define(`storage_write_scsi_generic_depend',`
define(`storage_getattr_scsi_generic',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file getattr;
')
@@ -336,7 +336,7 @@ define(`storage_getattr_scsi_generic_depend',`
define(`storage_set_scsi_generic_attributes',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:blk_file setattr;
')
@@ -360,7 +360,7 @@ define(`storage_set_scsi_generic_attributes_depend',`
define(`storage_getattr_removable_device',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file getattr;
')
@@ -407,7 +407,7 @@ define(`storage_dontaudit_getattr_removable_device_depend',`
define(`storage_set_removable_device_attributes',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file setattr;
')
@@ -434,7 +434,7 @@ define(`storage_set_removable_device_attributes_depend',`
define(`storage_raw_read_removable_device',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file r_file_perms;
')
@@ -461,7 +461,7 @@ define(`storage_raw_read_removable_device_depend',`
define(`storage_raw_write_removable_device',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file { getattr write ioctl };
')
@@ -485,7 +485,7 @@ define(`storage_raw_write_removable_device_depend',`
define(`storage_read_tape_device',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 tape_device_t:blk_file r_file_perms;
')
@@ -509,7 +509,7 @@ define(`storage_read_tape_device_depend',`
define(`storage_write_tape_device',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 tape_device_t:blk_file { getattr write ioctl };
')
@@ -533,7 +533,7 @@ define(`storage_write_tape_device_depend',`
define(`storage_getattr_tape_device',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 tape_device_t:blk_file getattr;
')
@@ -557,7 +557,7 @@ define(`storage_getattr_tape_device_depend',`
define(`storage_setattr_tape_device',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 tape_device_t:blk_file setattr;
')
diff --git a/refpolicy/policy/modules/kernel/storage.te b/refpolicy/policy/modules/kernel/storage.te
index 1e59d1d..4fc8b66 100644
--- a/refpolicy/policy/modules/kernel/storage.te
+++ b/refpolicy/policy/modules/kernel/storage.te
@@ -11,7 +11,7 @@ attribute scsi_generic_write;
# /dev/hd* and /dev/sd*.
#
type fixed_disk_device_t;
-devices_make_device_node(fixed_disk_device_t)
+dev_node(fixed_disk_device_t)
neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
@@ -20,7 +20,7 @@ neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { app
# lvm_vg_t is the type of logical volume groups
#
type lvm_vg_t;
-devices_make_device_node(lvm_vg_t)
+dev_node(lvm_vg_t)
# from the subject's point of view, same as read/writing a regular
# fixed disk, so use the same assertions as above
@@ -32,7 +32,7 @@ neverallow ~fixed_disk_raw_write lvm_vg_t:{ chr_file blk_file } { append write }
# it gives access to ALL SCSI devices (both fixed and removable)
#
type scsi_generic_device_t;
-devices_make_device_node(scsi_generic_device_t)
+dev_node(scsi_generic_device_t)
neverallow ~scsi_generic_read scsi_generic_device_t:{ chr_file blk_file } read;
neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { append write };
@@ -42,10 +42,10 @@ neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { app
# /dev/scd* and /dev/fd*.
#
type removable_device_t;
-devices_make_device_node(removable_device_t)
+dev_node(removable_device_t)
#
# tape_device_t is the type of
#
type tape_device_t;
-devices_make_device_node(tape_device_t)
+dev_node(tape_device_t)
diff --git a/refpolicy/policy/modules/kernel/terminal.if b/refpolicy/policy/modules/kernel/terminal.if
index d379432..7bc26ea 100644
--- a/refpolicy/policy/modules/kernel/terminal.if
+++ b/refpolicy/policy/modules/kernel/terminal.if
@@ -98,8 +98,10 @@ define(`term_tty_depend',`
define(`term_create_pty',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+
+ dev_list_all_dev_nodes($1)
allow $1 ptmx_t:chr_file rw_file_perms;
+
allow $1 devpts_t:dir r_dir_perms;
allow $1 devpts_t:filesystem getattr;
dontaudit $1 bsdpty_device_t:chr_file { getattr read write };
@@ -128,7 +130,7 @@ define(`term_create_pty_depend',`
define(`term_use_all_terms',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_file_perms;
')
@@ -155,7 +157,7 @@ define(`term_use_all_terms_depend',`
define(`term_write_console',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file write;
')
@@ -177,7 +179,7 @@ define(`term_use_console_depend',`
define(`term_use_console',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file rw_file_perms;
')
@@ -224,7 +226,7 @@ define(`term_dontaudit_use_console_depend',`
define(`term_setattr_console',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 console_device_t:chr_file setattr;
')
@@ -248,7 +250,7 @@ define(`term_setattr_console_depend',`
define(`term_list_ptys',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
')
@@ -296,7 +298,7 @@ define(`term_dontaudit_list_ptys_depend',`
define(`term_use_generic_pty',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 devpts_t:chr_file { read write };
')
@@ -344,7 +346,7 @@ define(`term_dontaudit_use_generic_pty_depend',`
define(`term_use_controlling_term',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 devtty_t:chr_file { getattr read write ioctl };
')
@@ -391,7 +393,7 @@ define(`term_dontaudit_use_ptmx_depend',`
define(`term_getattr_all_user_ptys',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 ptynode:chr_file getattr;
')
@@ -416,7 +418,7 @@ define(`term_getattr_all_ptys_depend',`
define(`term_use_all_user_ptys',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 devpts_t:dir r_dir_perms;
allow $1 ptynode:chr_file { getattr read write ioctl };
')
@@ -465,7 +467,7 @@ define(`term_dontaudit_use_all_user_ptys_depend',`
define(`term_getattr_unallocated_ttys',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file getattr;
')
@@ -489,7 +491,7 @@ define(`term_getattr_unallocated_ttys_depend',`
define(`term_setattr_unallocated_ttys',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file setattr;
')
@@ -513,7 +515,7 @@ define(`term_setattr_unallocated_ttys_depend',`
define(`term_relabel_unallocated_ttys',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file { relabelfrom relabelto };
')
@@ -537,7 +539,7 @@ define(`term_relabel_unallocated_ttys_depend',`
define(`term_reset_tty_labels',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file relabelfrom;
allow $1 tty_device_t:chr_file relabelto;
')
@@ -562,7 +564,7 @@ define(`term_reset_tty_labels_depend',`
define(`term_write_unallocated_ttys',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file { getattr write };
')
@@ -585,7 +587,7 @@ define(`term_write_unallocated_ttys_depend',`
define(`term_use_unallocated_tty',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 tty_device_t:chr_file { getattr read write ioctl };
')
@@ -632,7 +634,7 @@ define(`term_dontaudit_use_unallocated_tty_depend',`
define(`term_getattr_all_user_ttys',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file getattr;
')
@@ -657,6 +659,7 @@ define(`term_getattr_all_user_ttys_depend',`
define(`term_dontaudit_getattr_all_user_ttys',`
requires_block_template(`$0'_depend)
+ dev_list_all_dev_nodes($1)
dontaudit $1 ttynode:chr_file getattr;
')
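Review bot: `term_dontaudit_getattr_all_user_ttys` now calls `dev_list_all_dev_nodes($1)` before its `dontaudit` rule, and unlike every other hunk in this file this is an addition rather than a rename of an existing call. Judging by how `dev_list_all_dev_nodes` replaces `devices_list_device_nodes` in the allow-style interfaces elsewhere in the diff, it grants real access, whereas the other dontaudit interfaces in this series (e.g. `dev_dontaudit_rw_dri_dev`) emit only dontaudit rules; callers that only wanted to silence a getattr denial would thus also gain /dev listing. If directory access is genuinely needed here, a dontaudit form of the list interface or an explicit request by the caller would keep the interface's contract; otherwise drop the added line. The `_depend` block for this interface lies outside the hunk and would also need updating if the call stays.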
@@ -704,7 +707,7 @@ define(`term_setattr_all_user_ttys_depend',`
define(`term_relabel_all_user_ttys',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file { relabelfrom relabelto };
')
@@ -727,7 +730,7 @@ define(`term_relabel_all_user_ttys_depend',`
define(`term_write_all_user_ttys',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file { getattr write };
')
@@ -750,7 +753,7 @@ define(`term_write_all_user_ttys_depend',`
define(`term_use_all_user_ttys',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 ttynode:chr_file { getattr read write ioctl };
')
diff --git a/refpolicy/policy/modules/kernel/terminal.te b/refpolicy/policy/modules/kernel/terminal.te
index c2d69a3..5b94446 100644
--- a/refpolicy/policy/modules/kernel/terminal.te
+++ b/refpolicy/policy/modules/kernel/terminal.te
@@ -8,13 +8,13 @@ attribute server_ptynode;
#
# bsdpty_device_t is the type of /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f]
type bsdpty_device_t;
-devices_make_device_node(bsdpty_device_t)
+dev_node(bsdpty_device_t)
#
# console_device_t is the type of /dev/console.
#
type console_device_t;
-devices_make_device_node(console_device_t)
+dev_node(console_device_t)
#
# devpts_t is the type of the devpts file system and
@@ -29,22 +29,22 @@ fs_use_trans devpts context_template(system_u:object_r:devpts_t,s0);
# devtty_t is the type of /dev/tty.
#
type devtty_t;
-devices_make_device_node(devtty_t)
+dev_node(devtty_t)
#
# ptmx_t is the type for /dev/ptmx.
#
type ptmx_t;
-devices_make_device_node(ptmx_t)
+dev_node(ptmx_t)
#
# tty_device_t is the type of /dev/*tty*
#
type tty_device_t;
-devices_make_device_node(tty_device_t)
+dev_node(tty_device_t)
#
# usbtty_device_t is the type of /dev/usr/tty*
#
type usbtty_device_t;
-devices_make_device_node(usbtty_device_t)
+dev_node(usbtty_device_t)
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index 3b22c2e..c4fa652 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -68,7 +68,7 @@ define(`cron_per_userdomain_template',`
corenet_tcp_bind_all_nodes($1_crond_t)
corenet_udp_bind_all_nodes($1_crond_t)
- devices_get_pseudorandom_data($1_crond_t)
+ dev_read_urand($1_crond_t)
fs_getattr_all_fs($1_crond_t)
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index b32fc5d..e5e35fd 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -87,7 +87,7 @@ kernel_compute_create_context(crond_t)
kernel_compute_relabel_context(crond_t)
kernel_compute_reachable_user_contexts(crond_t)
-devices_get_pseudorandom_data(crond_t)
+dev_read_urand(crond_t)
fs_getattr_all_fs(crond_t)
@@ -248,9 +248,9 @@ corenet_udp_sendrecv_all_ports(system_crond_t)
corenet_tcp_bind_all_nodes(system_crond_t)
corenet_udp_bind_all_nodes(system_crond_t)
-devices_get_all_block_device_attributes(system_crond_t)
-devices_get_all_character_device_attributes(system_crond_t)
-devices_get_pseudorandom_data(system_crond_t)
+dev_getattr_all_blk_files(system_crond_t)
+dev_getattr_all_chr_files(system_crond_t)
+dev_read_urand(system_crond_t)
fs_getattr_all_fs(system_crond_t)
fs_getattr_all_files(system_crond_t)
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index b269e18..bbd9cf2 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -60,7 +60,7 @@ corenet_raw_sendrecv_all_nodes(system_mail_t)
corenet_tcp_bind_all_nodes(system_mail_t)
corenet_tcp_sendrecv_all_ports(system_mail_t)
-devices_get_pseudorandom_data(system_mail_t)
+dev_read_urand(system_mail_t)
fs_getattr_xattr_fs(system_mail_t)
diff --git a/refpolicy/policy/modules/services/remotelogin.te b/refpolicy/policy/modules/services/remotelogin.te
index 936d2e3..c99007c 100644
--- a/refpolicy/policy/modules/services/remotelogin.te
+++ b/refpolicy/policy/modules/services/remotelogin.te
@@ -51,7 +51,7 @@ kernel_compute_relabel_context(remote_login_t)
kernel_compute_reachable_user_contexts(remote_login_t)
# for SSP/ProPolice
-devices_get_pseudorandom_data(remote_login_t)
+dev_read_urand(remote_login_t)
fs_getattr_xattr_fs(remote_login_t)
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index e33d4da..03308e2 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -54,7 +54,7 @@ corenet_tcp_bind_all_nodes(sendmail_t)
corenet_udp_bind_all_nodes(sendmail_t)
corenet_tcp_bind_smtp_port(sendmail_t)
-devices_get_pseudorandom_data(sendmail_t)
+dev_read_urand(sendmail_t)
fs_getattr_all_fs(sendmail_t)
diff --git a/refpolicy/policy/modules/system/clock.te b/refpolicy/policy/modules/system/clock.te
index 52373b0..96e4097 100644
--- a/refpolicy/policy/modules/system/clock.te
+++ b/refpolicy/policy/modules/system/clock.te
@@ -32,7 +32,7 @@ allow hwclock_t adjtime_t:file { setattr ioctl read getattr lock write append };
kernel_read_kernel_sysctl(hwclock_t)
kernel_read_hardware_state(hwclock_t)
-devices_modify_realtime_clock(hwclock_t)
+dev_rw_realtime_clock(hwclock_t)
fs_getattr_xattr_fs(hwclock_t)
diff --git a/refpolicy/policy/modules/system/domain.if b/refpolicy/policy/modules/system/domain.if
index 2a2cd31..e92f28d 100644
--- a/refpolicy/policy/modules/system/domain.if
+++ b/refpolicy/policy/modules/system/domain.if
@@ -36,8 +36,8 @@ define(`domain_make_domain',`
domain_make_base_domain($1)
# Use trusted objects in /dev
- devices_use_dev_null($1)
- devices_use_dev_zero($1)
+ dev_rw_null_dev($1)
+ dev_rw_zero_dev($1)
term_use_controlling_term($1)
# read the root directory
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index d4fd7a7..50252fe 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -59,7 +59,7 @@ corenet_tcp_sendrecv_all_ports(hotplug_t)
corenet_tcp_bind_all_nodes(hotplug_t)
# for SSP
-devices_get_pseudorandom_data(hotplug_t)
+dev_read_urand(hotplug_t)
fs_getattr_all_fs(hotplug_t)
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index cce8df3..bf0b733 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -203,7 +203,7 @@ define(`init_get_control_channel_attributes_depend',`
define(`init_use_control_channel',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
allow $1 initctl_t:fifo_file rw_file_perms;
')
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 62d0ce2..7bf5cef 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -80,7 +80,7 @@ files_create_daemon_runtime_data(init_t,init_var_run_t)
allow init_t initctl_t:fifo_file { create getattr read append write setattr unlink };
fs_associate_tmpfs(initctl_t)
-devices_create_dev_entry(init_t,initctl_t,fifo_file)
+dev_create_dev_node(init_t,initctl_t,fifo_file)
# Modify utmp.
allow init_t initrc_var_run_t:file { rw_file_perms setattr };
@@ -202,19 +202,19 @@ corenet_udp_sendrecv_all_ports(initrc_t)
corenet_tcp_bind_all_nodes(initrc_t)
corenet_udp_bind_all_nodes(initrc_t)
-devices_get_random_data(initrc_t)
-devices_get_pseudorandom_data(initrc_t)
-devices_add_entropy(initrc_t)
-devices_set_pseudorandom_seed(initrc_t)
-devices_read_framebuffer(initrc_t)
-devices_read_realtime_clock(initrc_t)
-devices_read_sound_mixer_levels(initrc_t)
-devices_write_sound_mixer_levels(initrc_t)
-devices_set_all_character_device_attributes(initrc_t)
-devices_read_lvm_control_channel(initrc_t)
-devices_remove_lvm_control_channel(initrc_t)
+dev_read_rand(initrc_t)
+dev_read_urand(initrc_t)
+dev_write_rand(initrc_t)
+dev_write_urand(initrc_t)
+dev_read_framebuffer(initrc_t)
+dev_read_realtime_clock(initrc_t)
+dev_read_snd_mixer_dev(initrc_t)
+dev_write_snd_mixer_dev(initrc_t)
+dev_setattr_all_chr_files(initrc_t)
+dev_read_lvm_control(initrc_t)
+dev_delete_lvm_control(initrc_t)
# Wants to remove udev.tbl:
-devices_remove_dev_symbolic_links(initrc_t)
+dev_del_generic_symlinks(initrc_t)
fs_register_binary_executable_type(initrc_t)
# cjp: not sure why these are here; should use mount policy
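Review bot: The intent that the old names carried is lost on the new side of this hunk: `devices_add_entropy(initrc_t)` and `devices_set_pseudorandom_seed(initrc_t)` become `dev_write_rand(initrc_t)` and `dev_write_urand(initrc_t)`, which read as generic write access rather than a deliberate RNG-seeding step. A one-line comment above those two calls would keep the reason visible to a maintainer trimming initrc_t later, e.g. `# write entropy / set the prng seed (formerly devices_add_entropy and devices_set_pseudorandom_seed)`. The same pattern applies to `dev_setattr_all_chr_files(initrc_t)`, whose old name at least said "attributes" rather than "set", so a short why-comment there would help too.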
@@ -317,10 +317,10 @@ ifdef(`distro_redhat',`
# These seem to be from the initrd
# during device initialization:
- devices_add_dev_dir(initrc_t)
- devices_legacy_use_dev_zero(initrc_t)
- devices_legacy_raw_read_memory(initrc_t)
- devices_legacy_raw_write_memory(initrc_t)
+ dev_create_dir(initrc_t)
+ dev_rwx_zero_dev(initrc_t)
+ dev_rx_raw_memory(initrc_t)
+ dev_wx_raw_memory(initrc_t)
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
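Review bot: The replacements `dev_rwx_zero_dev(initrc_t)`, `dev_rx_raw_memory(initrc_t)` and `dev_wx_raw_memory(initrc_t)` make an execute permission on /dev/zero and on raw memory explicit that the old `devices_legacy_*` names did not advertise, and the only justification in the hunk is the two-line "from the initrd / during device initialization" comment. Since this grants an unusually broad set of rights to initrc_t, the comment should say why the execute bit is needed and not just read/write, e.g. `# initrd device initialization appears to need execute (mmap) access on zero/raw memory -- confirm before widening further`. The enclosing `ifdef(\`distro_redhat'` block starts outside this hunk.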
@@ -344,8 +344,8 @@ optional_policy(`hotplug.te',`
optional_policy(`lvm.te',`
#allow initrc_t lvm_control_t:chr_file unlink;
- devices_read_lvm_control_channel(initrc_t)
- devices_add_generic_character_device(initrc_t)
+ dev_read_lvm_control(initrc_t)
+ dev_create_generic_chr_file(initrc_t)
')
optional_policy(`rhgb.te',`
diff --git a/refpolicy/policy/modules/system/locallogin.te b/refpolicy/policy/modules/system/locallogin.te
index 1abe407..6c41572 100644
--- a/refpolicy/policy/modules/system/locallogin.te
+++ b/refpolicy/policy/modules/system/locallogin.te
@@ -61,7 +61,7 @@ kernel_compute_relabel_context(local_login_t)
kernel_compute_reachable_user_contexts(local_login_t)
# for SSP/ProPolice
-devices_get_pseudorandom_data(local_login_t)
+dev_read_urand(local_login_t)
term_use_all_user_ttys(local_login_t)
term_use_unallocated_tty(local_login_t)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 23b11f4..954f184 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -130,7 +130,7 @@ kernel_change_ring_buffer_level(klogd_t)
bootloader_read_kernel_symbol_table(klogd_t)
-devices_raw_read_memory(klogd_t)
+dev_read_raw_memory(klogd_t)
fs_getattr_all_fs(klogd_t)
@@ -189,7 +189,7 @@ files_create_daemon_runtime_data(syslogd_t,syslogd_var_run_t)
kernel_read_hardware_state(syslogd_t)
kernel_read_kernel_sysctl(syslogd_t)
-devices_create_dev_entry(syslogd_t,devlog_t,sock_file)
+dev_create_dev_node(syslogd_t,devlog_t,sock_file)
term_dontaudit_use_console(syslogd_t)
# Allow syslog to a terminal
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index cce38a1..3c7a83a 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -84,20 +84,20 @@ kernel_read_kernel_sysctl(lvm_t)
# it has no reason to need this
kernel_dontaudit_getattr_core(lvm_t)
-devices_add_generic_character_device(lvm_t)
-devices_get_random_data(lvm_t)
-devices_get_pseudorandom_data(lvm_t)
-devices_use_lvm_control_channel(lvm_t)
-devices_manage_dev_symbolic_links(lvm_t)
+dev_create_generic_chr_file(lvm_t)
+dev_read_rand(lvm_t)
+dev_read_urand(lvm_t)
+dev_rw_lvm_control(lvm_t)
+dev_manage_generic_symlinks(lvm_t)
devices_relabel_dev_dirs(lvm_t)
devices_manage_generic_block_device(lvm_t)
# LVM (vgscan) scans for devices by stating every file in /dev and applying a regex...
-devices_ignore_get_all_character_device_attributes(lvm_t)
-devices_ignore_get_all_block_device_attributes(lvm_t)
-devices_ignore_get_generic_character_device_attributes(lvm_t)
-devices_ignore_get_generic_block_device_attributes(lvm_t)
-devices_ignore_get_generic_pipe_attributes(lvm_t)
+dev_dontaudit_getattr_all_chr_files(lvm_t)
+dev_dontaudit_getattr_all_blk_files(lvm_t)
+dev_dontaudit_getattr_generic_chr_file(lvm_t)
+dev_dontaudit_getattr_generic_blk_file(lvm_t)
+dev_dontaudit_getattr_generic_pipe(lvm_t)
term_dontaudit_getattr_all_user_ttys(lvm_t)
fs_getattr_xattr_fs(lvm_t)
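Review bot: `devices_relabel_dev_dirs(lvm_t)` and `devices_manage_generic_block_device(lvm_t)` are left with the old `devices_` prefix while every other call in this hunk is moved to the `dev_` naming. If the `devices_` interfaces are being retired by this commit, these two calls will fail at policy build time; if they are deliberately kept on the old interface, a comment such as `# no dev_ equivalent yet for these two interfaces` would stop the next reader from treating the mix as an oversight. I cannot see the interface file from here, so which of the two applies is inferred.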
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 9527268..cde351f 100644
--- a/refpolicy/policy/modules/system/modutils.te
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -62,9 +62,9 @@ bootloader_read_kernel_modules(insmod_t)
# for locking: (cjp: ????)
bootloader_write_kernel_modules(insmod_t)
-devices_write_mtrr(insmod_t)
-devices_get_pseudorandom_data(insmod_t)
-devices_direct_agp_access(insmod_t)
+dev_write_mtrr(insmod_t)
+dev_read_urand(insmod_t)
+dev_rw_agp_dev(insmod_t)
fs_getattr_xattr_fs(insmod_t)
@@ -189,7 +189,7 @@ files_create_private_tmp_data(update_modules_t, update_modules_tmp_t, { file dir
kernel_read_kernel_sysctl(update_modules_t)
kernel_read_system_state(update_modules_t)
-devices_get_pseudorandom_data(update_modules_t)
+dev_read_urand(update_modules_t)
fs_getattr_xattr_fs(update_modules_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index 3b4617d..aaa9565 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -24,8 +24,8 @@ kernel_dontaudit_use_fd(mount_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
-devices_get_all_block_device_attributes(mount_t)
-devices_list_device_nodes(mount_t)
+dev_getattr_all_blk_files(mount_t)
+dev_list_all_dev_nodes(mount_t)
storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
diff --git a/refpolicy/policy/modules/system/selinux.te b/refpolicy/policy/modules/system/selinux.te
index 9a9ceb5..ab8e283 100644
--- a/refpolicy/policy/modules/system/selinux.te
+++ b/refpolicy/policy/modules/system/selinux.te
@@ -203,7 +203,7 @@ kernel_compute_create_context(newrole_t)
kernel_compute_relabel_context(newrole_t)
kernel_compute_reachable_user_contexts(newrole_t)
-devices_get_pseudorandom_data(newrole_t)
+dev_read_urand(newrole_t)
fs_getattr_xattr_fs(newrole_t)
@@ -312,7 +312,8 @@ optional_policy(`hotplug.te',`
# relabeling rules
kernel_relabel_unlabeled(restorecon_t)
-devices_manage_all_devices_labels(restorecon_t)
+dev_relabel_all_dev_nodes(restorecon_t)
+
files_relabel_all_files(restorecon_t)
files_read_all_directories(restorecon_t)
# this is to satisfy the assertion:
@@ -362,7 +363,7 @@ ifdef(`targeted_policy',`',`
fs_getattr_xattr_fs(run_init_t)
- devices_ignore_list_device_nodes(run_init_t)
+ dev_dontaudit_list_all_nodes(run_init_t)
term_dontaudit_list_ptys(run_init_t)
@@ -448,7 +449,8 @@ userdomain_read_all_users_data(setfiles_t)
# relabeling rules
kernel_relabel_unlabeled(setfiles_t)
-devices_manage_all_devices_labels(setfiles_t)
+dev_relabel_all_dev_nodes(setfiles_t)
+
files_read_all_directories(setfiles_t)
files_relabel_all_files(setfiles_t)
# this is to satisfy the assertion:
diff --git a/refpolicy/policy/modules/system/selinuxutil.te b/refpolicy/policy/modules/system/selinuxutil.te
index 9a9ceb5..ab8e283 100644
--- a/refpolicy/policy/modules/system/selinuxutil.te
+++ b/refpolicy/policy/modules/system/selinuxutil.te
@@ -203,7 +203,7 @@ kernel_compute_create_context(newrole_t)
kernel_compute_relabel_context(newrole_t)
kernel_compute_reachable_user_contexts(newrole_t)
-devices_get_pseudorandom_data(newrole_t)
+dev_read_urand(newrole_t)
fs_getattr_xattr_fs(newrole_t)
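Review bot: This selinuxutil.te section is a byte-for-byte duplicate of the selinux.te section immediately above it, down to the identical blob ids `9a9ceb5..ab8e283`, which suggests the file is being renamed in the same commit and the patch was emitted against both paths. Only one of the two paths can exist in the tree at this revision, so one of the two sections will fail to apply; keep the section that matches the rename and drop the other. The same observation covers the remaining three hunks of this file.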
@@ -312,7 +312,8 @@ optional_policy(`hotplug.te',`
# relabeling rules
kernel_relabel_unlabeled(restorecon_t)
-devices_manage_all_devices_labels(restorecon_t)
+dev_relabel_all_dev_nodes(restorecon_t)
+
files_relabel_all_files(restorecon_t)
files_read_all_directories(restorecon_t)
# this is to satisfy the assertion:
@@ -362,7 +363,7 @@ ifdef(`targeted_policy',`',`
fs_getattr_xattr_fs(run_init_t)
- devices_ignore_list_device_nodes(run_init_t)
+ dev_dontaudit_list_all_nodes(run_init_t)
term_dontaudit_list_ptys(run_init_t)
@@ -448,7 +449,8 @@ userdomain_read_all_users_data(setfiles_t)
# relabeling rules
kernel_relabel_unlabeled(setfiles_t)
-devices_manage_all_devices_labels(setfiles_t)
+dev_relabel_all_dev_nodes(setfiles_t)
+
files_read_all_directories(setfiles_t)
files_relabel_all_files(setfiles_t)
# this is to satisfy the assertion:
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 32211a6..13e5fb5 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -102,7 +102,7 @@ corenet_udp_bind_all_nodes(dhcpc_t)
corenet_udp_bind_dhcpc_port(dhcpc_t)
# for SSP
-devices_get_pseudorandom_data(dhcpc_t)
+dev_read_urand(dhcpc_t)
fs_getattr_all_fs(dhcpc_t)
diff --git a/refpolicy/policy/modules/system/udev.te b/refpolicy/policy/modules/system/udev.te
index 98e80fc..e12d946 100644
--- a/refpolicy/policy/modules/system/udev.te
+++ b/refpolicy/policy/modules/system/udev.te
@@ -58,7 +58,7 @@ allow udev_t udev_etc_t:file r_file_perms;
# create udev database in /dev/.udevdb
allow udev_t udev_tbl_t:file create_file_perms;
-devices_create_dev_entry(udev_t,udev_tbl_t,file)
+dev_create_dev_node(udev_t,udev_tbl_t,file)
allow udev_t udev_var_run_t:dir rw_dir_perms;
allow udev_t udev_var_run_t:file create_file_perms;
@@ -78,7 +78,7 @@ kernel_compute_create_context(udev_t)
kernel_compute_relabel_context(udev_t)
kernel_compute_reachable_user_contexts(udev_t)
-devices_manage_device_nodes(udev_t)
+dev_manage_dev_nodes(udev_t)
fs_getattr_all_fs(udev_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index d97db4b..43957db 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -123,18 +123,18 @@ define(`base_user_domain',`
# allow port_t name binding for UDP because it is not very usable otherwise
corenet_udp_bind_generic_port($1_t)
- devices_get_input_event($1_t)
- devices_read_misc($1_t)
- devices_write_misc($1_t)
- devices_play_sound($1_t)
- devices_record_sound_input($1_t)
- devices_read_sound_mixer_levels($1_t)
- devices_write_sound_mixer_levels($1_t)
- devices_get_random_data($1_t)
- devices_get_pseudorandom_data($1_t)
+ dev_read_input($1_t)
+ dev_read_misc($1_t)
+ dev_write_misc($1_t)
+ dev_write_snd_dev($1_t)
+ dev_read_snd_dev($1_t)
+ dev_read_snd_mixer_dev($1_t)
+ dev_write_snd_mixer_dev($1_t)
+ dev_read_rand($1_t)
+ dev_read_urand($1_t)
# open office is looking for the following
- devices_get_direct_rendering_interface_attributes($1_t)
- devices_ignore_use_direct_rendering_interface($1_t)
+ dev_getattr_agp_dev($1_t)
+ dev_dontaudit_rw_dri_dev($1_t)
fs_get_all_fs_quotas($1_t)
fs_getattr_all_fs($1_t)
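Review bot: `devices_get_direct_rendering_interface_attributes($1_t)` is replaced by `dev_getattr_agp_dev($1_t)`, which by name targets the AGP device rather than the DRI device, so this is a change of target hidden inside a rename; the sibling line keeps DRI (`dev_dontaudit_rw_dri_dev($1_t)`) and the preceding comment explains the need in terms of what "open office is looking for". If the agp and dri nodes share a type in this policy, say so in a comment so the line is not "fixed" later; otherwise the like-for-like replacement would be a `dev_getattr_*` interface over the dri type, if one exists. The `base_user_domain` definition this hunk belongs to starts and ends outside the hunk.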
@@ -198,7 +198,7 @@ define(`base_user_domain',`
}
if (user_direct_mouse) {
- devices_get_mouse_input($1_t)
+ dev_read_mouse($1_t)
}
if (user_ttyfile_stat) {
@@ -681,10 +681,10 @@ define(`admin_domain_template',`
corenet_tcp_bind_generic_port($1_t)
- devices_get_generic_block_device_attributes($1_t)
- devices_get_generic_character_device_attributes($1_t)
- devices_get_all_block_device_attributes($1_t)
- devices_get_all_character_device_attributes($1_t)
+ dev_getattr_generic_blk_file($1_t)
+ dev_getattr_generic_chr_file($1_t)
+ dev_getattr_all_blk_files($1_t)
+ dev_getattr_all_chr_files($1_t)
fs_getattr_all_fs($1_t)
fs_set_all_quotas($1_t)
@@ -861,7 +861,7 @@ define(`userdomain_sysadm_shell_transition_depend',`
define(`userdomain_use_admin_terminals',`
requires_block_template(`$0'_depend)
- devices_list_device_nodes($1)
+ dev_list_all_dev_nodes($1)
term_list_ptys($1)
allow $1 admin_terminal:chr_file { getattr read write ioctl };
')