RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
selinux-refpolicy/policy/modules/kernel/devices.if

5202 lines
100 KiB
Plaintext
Raw Normal View History

Updates to documentation.
2005-06-13 19:22:00 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Device nodes and interfaces for many basic system devices.
Updates to documentation.
2005-06-13 19:22:00 +00:00
## </summary>
shorten some xml tags
2005-06-23 16:00:05 +00:00
## <desc>
update for new documentation method
2005-06-23 21:30:57 +00:00
## <p>
## This module creates the device node concept and provides
## the policy for many of the device files. Notable exceptions are
## the mass storage and terminal devices that are covered by other
## modules.
## </p>
## <p>
## This module creates the concept of a device node. That is a
## char or block device file, usually in /dev. All types that
## are used to label device nodes should use the dev_node macro.
## </p>
## <p>
## Additionally, this module controls access to three things:
## <ul>
## <li>the device directories containing device nodes</li>
## <li>device nodes as a group</li>
## <li>individual access to specific device nodes covered by
## this module.</li>
## </ul>
## </p>
shorten some xml tags
2005-06-23 16:00:05 +00:00
## </desc>
initial support for compiling loadable modules
2005-08-18 21:27:20 +00:00
## <required val="true">
## Depended on by other required modules.
## </required>
Devices rename.
2005-06-13 16:22:32 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
Improve the documentation of devices interfaces: dev_node() dev_read_rand() dev_read_urand() dev_read_sysfs()
2010-03-02 15:24:24 +00:00
## Make the specified type usable for device
## nodes in a filesystem.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
Improve the documentation of devices interfaces: dev_node() dev_read_rand() dev_read_urand() dev_read_sysfs()
2010-03-02 15:24:24 +00:00
## <desc>
## <p>
## Make the specified type usable for device nodes
## in a filesystem. Types used for device nodes that
## do not use this interface, or an interface that
## calls this one, will have unexpected behaviors
## while the system is running.
## </p>
## <p>
## Example:
## </p>
## <p>
## type mydev_t;
## dev_node(mydev_t)
## allow mydomain_t mydev_t:chr_file read_chr_file_perms;
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>term_tty()</li>
## <li>term_pty()</li>
## </ul>
## </desc>
## <param name="type">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Improve the documentation of devices interfaces: dev_node() dev_read_rand() dev_read_urand() dev_read_sysfs()
2010-03-02 15:24:24 +00:00
## Type to be used for device nodes.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
Improve the documentation of devices interfaces: dev_node() dev_read_rand() dev_read_urand() dev_read_sysfs()
2010-03-02 15:24:24 +00:00
## <infoflow type="none"/>
initial commit
2005-04-14 20:18:17 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_node',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
attribute device_node;
')
add some indentation
2005-06-02 20:26:48 +00:00
typeattribute $1 device_node;
initial commit
2005-04-14 20:18:17 +00:00
')
Move devtmpfs to devices from filesystem Move devtmpfs to devices module (remove from filesystem module) Make device_t a filesystem Add interface for associating types with device_t filesystem (dev_associate) Call dev_associate from dev_filetrans Allow all device nodes associate with device_t filesystem Remove dev_tmpfs_filetrans_dev from kernel_t Remove fs_associate_tmpfs(initctl_t) - redundant, it was in dev_filetrans, now in dev_associate Mounton interface, to allow the kernel to mounton device_t Signed-off-by: Jeremy Solt <jsolt@tresys.com>
2010-08-18 15:36:34 +00:00
########################################
## <summary>
## Associate the specified file type with device filesystem.
## </summary>
## <param name="file_type">
## <summary>
## The type of the file to be associated.
## </summary>
## </param>
#
interface(`dev_associate',`
gen_require(`
type device_t;
')
allow $1 device_t:filesystem associate;
fs_associate_tmpfs($1) #For backwards compatibility
')
sudo: wants to get attributes of device_t filesystems. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-04 18:23:48 +00:00
########################################
## <summary>
## Get attributes of device filesystems.
## </summary>
Two insignificant fixes that i stumbled on when merging dev_getattr_fs() Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-08 20:40:58 +00:00
## <param name="domain">
sudo: wants to get attributes of device_t filesystems. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-04 18:23:48 +00:00
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
Module version bump for Dominick's sudo cleanup.
2010-10-08 18:33:04 +00:00
interface(`dev_getattr_fs',`
sudo: wants to get attributes of device_t filesystems. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-10-04 18:23:48 +00:00
gen_require(`
type device_t;
')
allow $1 device_t:filesystem getattr;
')
Move devtmpfs to devices from filesystem Move devtmpfs to devices module (remove from filesystem module) Make device_t a filesystem Add interface for associating types with device_t filesystem (dev_associate) Call dev_associate from dev_filetrans Allow all device nodes associate with device_t filesystem Remove dev_tmpfs_filetrans_dev from kernel_t Remove fs_associate_tmpfs(initctl_t) - redundant, it was in dev_filetrans, now in dev_associate Mounton interface, to allow the kernel to mounton device_t Signed-off-by: Jeremy Solt <jsolt@tresys.com>
2010-08-18 15:36:34 +00:00
########################################
## <summary>
## Mount a filesystem on /dev
## </summary>
## <param name="domain">
## <summary>
## Domain allow access.
## </summary>
## </param>
#
interface(`dev_mounton',`
gen_require(`
type device_t;
')
allow $1 device_t:dir mounton;
')
add bulk of selinux module policy, and add required interfaces
2005-04-28 18:59:01 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Allow full relabeling (to and from) of all device nodes.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## <rolecap/>
add bulk of selinux module policy, and add required interfaces
2005-04-28 18:59:01 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_relabel_all_dev_nodes',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
attribute device_node;
type device_t;
')
add some indentation
2005-06-02 20:26:48 +00:00
Add supporting rules for domains tightly-coupled with systemd.
2015-10-20 18:48:38 +00:00
relabelfrom_dirs_pattern($1, device_t, { device_t device_node })
relabelfrom_files_pattern($1, device_t, { device_t device_node })
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
Add supporting rules for domains tightly-coupled with systemd.
2015-10-20 18:48:38 +00:00
relabelfrom_fifo_files_pattern($1, device_t, { device_t device_node })
relabelfrom_sock_files_pattern($1, device_t, { device_t device_node })
Add devices patch from Dan Walsh.
2009-11-19 14:44:19 +00:00
relabel_blk_files_pattern($1, device_t, { device_t device_node })
relabel_chr_files_pattern($1, device_t, { device_t device_node })
add bulk of selinux module policy, and add required interfaces
2005-04-28 18:59:01 +00:00
')
Systemd fixes from Russell Coker.
2017-02-24 01:03:23 +00:00
########################################
## <summary>
## Allow full relabeling (to and from) of all device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dev_relabel_all_dev_files',`
gen_require(`
type device_t;
')
relabel_files_pattern($1, device_t, device_t)
')
initial commit
2005-04-14 20:18:17 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## List all of the device nodes in a device directory.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_list_all_dev_nodes',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
type device_t;
')
add some indentation
2005-06-02 20:26:48 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
list_dirs_pattern($1, device_t, device_t)
read_lnk_files_pattern($1, device_t, device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
########################################
## <summary>
## Set the attributes of /dev directories.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
## </param>
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_setattr_generic_dirs',`
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
gen_require(`
type device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
setattr_dirs_pattern($1, device_t, device_t)
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
')
initial commit
2005-04-14 20:18:17 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Dontaudit attempts to list all device nodes.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_dontaudit_list_all_dev_nodes',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
type device_t;
')
add some indentation
2005-06-02 20:26:48 +00:00
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
dontaudit $1 device_t:dir list_dir_perms;
')
########################################
## <summary>
## Add entries to directories in /dev.
## </summary>
## <param name="domain">
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain allowed access.
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
## </summary>
## </param>
#
interface(`dev_add_entry_generic_dirs',`
gen_require(`
type device_t;
')
allow $1 device_t:dir add_entry_dir_perms;
initial commit
2005-04-14 20:18:17 +00:00
')
smartmon patch from Dan Walsh.
2009-12-18 15:33:50 +00:00
########################################
## <summary>
Fix interface descriptions when duplicate ones are found Distinct interfaces should have different comments
2016-01-18 23:01:10 +00:00
## Remove entries from directories in /dev.
smartmon patch from Dan Walsh.
2009-12-18 15:33:50 +00:00
## </summary>
## <param name="domain">
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain allowed access.
smartmon patch from Dan Walsh.
2009-12-18 15:33:50 +00:00
## </summary>
## </param>
#
interface(`dev_remove_entry_generic_dirs',`
gen_require(`
type device_t;
')
allow $1 device_t:dir del_entry_dir_perms;
')
last fixes for cab
2005-06-01 13:51:54 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Create a directory in the device directory.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
last fixes for cab
2005-06-01 13:51:54 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_create_generic_dirs',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
type device_t;
')
add some indentation
2005-06-02 20:26:48 +00:00
trunk: 11 patches from dan.
2007-10-29 18:35:32 +00:00
allow $1 device_t:dir list_dir_perms;
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
create_dirs_pattern($1, device_t, device_t)
last fixes for cab
2005-06-01 13:51:54 +00:00
')
gentoo testing fixes
2006-09-19 17:02:29 +00:00
########################################
## <summary>
## Delete a directory in the device directory.
## </summary>
## <param name="domain">
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain allowed access.
gentoo testing fixes
2006-09-19 17:02:29 +00:00
## </summary>
## </param>
#
interface(`dev_delete_generic_dirs',`
gen_require(`
type device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
delete_dirs_pattern($1, device_t, device_t)
gentoo testing fixes
2006-09-19 17:02:29 +00:00
')
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
########################################
## <summary>
## Manage of directories in /dev.
## </summary>
## <param name="domain">
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain allowed access.
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
## </summary>
## </param>
#
interface(`dev_manage_generic_dirs',`
gen_require(`
type device_t;
')
manage_dirs_pattern($1, device_t, device_t)
')
renaming insanity
2005-06-13 17:35:46 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Allow full relabeling (to and from) of directories in /dev.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
renaming insanity
2005-06-13 17:35:46 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_relabel_generic_dev_dirs',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
type device_t;
')
renaming insanity
2005-06-13 17:35:46 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
relabel_dirs_pattern($1, device_t, device_t)
renaming insanity
2005-06-13 17:35:46 +00:00
')
fix dontaudit interface that was allowing instead of dontauditing; thanks to karl for pointing this out.
2006-11-28 15:57:22 +00:00
########################################
## <summary>
## dontaudit getattr generic files in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_generic_files',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:file getattr;
')
Pull in devices changes from Fedora.
2011-03-07 15:47:09 +00:00
########################################
## <summary>
## Read generic files in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_read_generic_files',`
gen_require(`
type device_t;
')
read_files_pattern($1, device_t, device_t)
')
fix more TODOs. fix selinux.te to selinuxutil.te in optionals
2005-07-11 19:02:50 +00:00
########################################
## <summary>
## Read and write generic files in /dev.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
fix more TODOs. fix selinux.te to selinuxutil.te in optionals
2005-07-11 19:02:50 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
fix more TODOs. fix selinux.te to selinuxutil.te in optionals
2005-07-11 19:02:50 +00:00
## </param>
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_rw_generic_files',`
fix more TODOs. fix selinux.te to selinuxutil.te in optionals
2005-07-11 19:02:50 +00:00
gen_require(`
type device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_files_pattern($1, device_t, device_t)
fix more TODOs. fix selinux.te to selinuxutil.te in optionals
2005-07-11 19:02:50 +00:00
')
more updates
2005-09-15 21:03:29 +00:00
########################################
## <summary>
## Delete generic files in /dev.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more updates
2005-09-15 21:03:29 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more updates
2005-09-15 21:03:29 +00:00
## </param>
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_delete_generic_files',`
more updates
2005-09-15 21:03:29 +00:00
gen_require(`
type device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
delete_files_pattern($1, device_t, device_t)
more updates
2005-09-15 21:03:29 +00:00
')
renaming insanity
2005-06-10 01:01:13 +00:00
########################################
patch from dan Sun, 19 Feb 2006 08:16:18 -0500
2006-02-20 16:31:54 +00:00
## <summary>
## Create a file in the device directory.
## </summary>
## <param name="domain">
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain allowed access.
patch from dan Sun, 19 Feb 2006 08:16:18 -0500
2006-02-20 16:31:54 +00:00
## </summary>
## </param>
#
interface(`dev_manage_generic_files',`
gen_require(`
type device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_files_pattern($1, device_t, device_t)
patch from dan Sun, 19 Feb 2006 08:16:18 -0500
2006-02-20 16:31:54 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Dontaudit getattr on generic pipes.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
renaming insanity
2005-06-10 01:01:13 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_dontaudit_getattr_generic_pipes',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
type device_t;
')
add some indentation
2005-06-02 20:26:48 +00:00
dontaudit $1 device_t:fifo_file getattr;
many fixes from cab work
2005-05-30 21:17:20 +00:00
')
Start pulling in kernel layer pieces from Fedora.
2011-03-29 14:33:43 +00:00
########################################
## <summary>
## Write generic socket files in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_write_generic_sockets',`
gen_require(`
type device_t;
')
write_sock_files_pattern($1, device_t, device_t)
')
add device_node:{ chr_file blk_file } getattr;
2005-05-18 13:19:51 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Allow getattr on generic block devices.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
add device_node:{ chr_file blk_file } getattr;
2005-05-18 13:19:51 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_getattr_generic_blk_files',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
type device_t;
')
add some indentation
2005-06-02 20:26:48 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_blk_files_pattern($1, device_t, device_t)
add device_node:{ chr_file blk_file } getattr;
2005-05-18 13:19:51 +00:00
')
pile of updates
2005-05-13 14:37:13 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Dontaudit getattr on generic block devices.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
pile of updates
2005-05-13 14:37:13 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_dontaudit_getattr_generic_blk_files',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
type device_t;
')
add some indentation
2005-06-02 20:26:48 +00:00
dontaudit $1 device_t:blk_file getattr;
pile of updates
2005-05-13 14:37:13 +00:00
')
kernel: missing permissions for confined execution This patch adds missing permissions in the kernel module that prevent to run it without the unconfined module. This second version improves the comment section of new interfaces: "Domain" is replaced by "Domain allowed access". Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-18 20:58:44 +00:00
########################################
## <summary>
## Set the attributes on generic
## block devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_generic_blk_files',`
gen_require(`
type device_t;
')
allow $1 device_t:blk_file setattr;
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Dontaudit setattr on generic block devices.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_dontaudit_setattr_generic_blk_files',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type device_t;
')
dontaudit $1 device_t:blk_file setattr;
')
many fixes from cab work
2005-05-30 21:17:20 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
Add kernel access to devtmpfs. Also add workround while devtmpfs is tmpfs_t instead of device_t.
2010-05-03 15:17:16 +00:00
## Create generic block device files.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
many fixes from cab work
2005-05-30 21:17:20 +00:00
#
Add kernel access to devtmpfs. Also add workround while devtmpfs is tmpfs_t instead of device_t.
2010-05-03 15:17:16 +00:00
interface(`dev_create_generic_blk_files',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
type device_t;
')
add some indentation
2005-06-02 20:26:48 +00:00
Add kernel access to devtmpfs. Also add workround while devtmpfs is tmpfs_t instead of device_t.
2010-05-03 15:17:16 +00:00
create_blk_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Delete generic block device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_generic_blk_files',`
gen_require(`
type device_t;
')
delete_blk_files_pattern($1, device_t, device_t)
many fixes from cab work
2005-05-30 21:17:20 +00:00
')
add device_node:{ chr_file blk_file } getattr;
2005-05-18 13:19:51 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Allow getattr for generic character device files.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
add device_node:{ chr_file blk_file } getattr;
2005-05-18 13:19:51 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_getattr_generic_chr_files',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
type device_t;
')
add some indentation
2005-06-02 20:26:48 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_chr_files_pattern($1, device_t, device_t)
add device_node:{ chr_file blk_file } getattr;
2005-05-18 13:19:51 +00:00
')
pile of updates
2005-05-13 14:37:13 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Dontaudit getattr for generic character device files.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
pile of updates
2005-05-13 14:37:13 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_dontaudit_getattr_generic_chr_files',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
type device_t;
')
add some indentation
2005-06-02 20:26:48 +00:00
dontaudit $1 device_t:chr_file getattr;
pile of updates
2005-05-13 14:37:13 +00:00
')
kernel: missing permissions for confined execution This patch adds missing permissions in the kernel module that prevent to run it without the unconfined module. This second version improves the comment section of new interfaces: "Domain" is replaced by "Domain allowed access". Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-18 20:58:44 +00:00
########################################
## <summary>
## Set the attributes for generic
## character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_generic_chr_files',`
gen_require(`
type device_t;
')
allow $1 device_t:chr_file setattr;
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Dontaudit setattr for generic character device files.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_dontaudit_setattr_generic_chr_files',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type device_t;
')
dontaudit $1 device_t:chr_file setattr;
')
Pull in devices changes from Fedora.
2011-03-07 15:47:09 +00:00
########################################
## <summary>
## Read generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_generic_chr_files',`
gen_require(`
type device_t;
')
allow $1 device_t:chr_file read_chr_file_perms;
')
Devices patch from Dan Walsh.
2010-03-04 20:30:22 +00:00
########################################
## <summary>
## Read and write generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_generic_chr_files',`
gen_require(`
type device_t;
')
allow $1 device_t:chr_file rw_chr_file_perms;
')
Pull in devices changes from Fedora.
2011-03-07 15:47:09 +00:00
########################################
## <summary>
## Read and write generic block device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_generic_blk_files',`
gen_require(`
type device_t;
')
allow $1 device_t:blk_file rw_chr_file_perms;
')
Early devtmpfs access dontaudit attempts to read/write device_t chr files occurring before udev relabel allow init_t and initrc_t read/write on device_t chr files (necessary to boot without unconfined) Signed-off-by: Jeremy Solt <jsolt@tresys.com>
2010-08-18 15:36:35 +00:00
########################################
## <summary>
## Dontaudit attempts to read/write generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain to dontaudit access.
## </summary>
## </param>
#
interface(`dev_dontaudit_rw_generic_chr_files',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:chr_file rw_chr_file_perms;
')
Add kernel access to devtmpfs. Also add workround while devtmpfs is tmpfs_t instead of device_t.
2010-05-03 15:17:16 +00:00
########################################
## <summary>
## Create generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_generic_chr_files',`
gen_require(`
type device_t;
')
create_chr_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Delete generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_generic_chr_files',`
gen_require(`
type device_t;
')
delete_chr_files_pattern($1, device_t, device_t)
')
Pull in devices changes from Fedora.
2011-03-07 15:47:09 +00:00
########################################
## <summary>
## Relabel from generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabelfrom_generic_chr_files',`
gen_require(`
type device_t;
')
Add supporting rules for domains tightly-coupled with systemd.
2015-10-20 18:48:38 +00:00
allow $1 device_t:chr_file relabelfrom_chr_file_perms;
Pull in devices changes from Fedora.
2011-03-07 15:47:09 +00:00
')
fix more TODOs. fix selinux.te to selinuxutil.te in optionals
2005-07-11 19:02:50 +00:00
########################################
## <summary>
## Do not audit attempts to set the attributes
## of symbolic links in device directories (/dev).
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
fix more TODOs. fix selinux.te to selinuxutil.te in optionals
2005-07-11 19:02:50 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
fix more TODOs. fix selinux.te to selinuxutil.te in optionals
2005-07-11 19:02:50 +00:00
## </param>
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_dontaudit_setattr_generic_symlinks',`
fix more TODOs. fix selinux.te to selinuxutil.te in optionals
2005-07-11 19:02:50 +00:00
gen_require(`
type device_t;
')
dontaudit $1 device_t:lnk_file setattr;
')
Pull in devices changes from Fedora.
2011-03-07 15:47:09 +00:00
########################################
## <summary>
## Read symbolic links in device directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_generic_symlinks',`
gen_require(`
type device_t;
')
allow $1 device_t:lnk_file read_lnk_file_perms;
')
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
########################################
## <summary>
## Create symbolic links in device directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_generic_symlinks',`
gen_require(`
type device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
create_lnk_files_pattern($1, device_t, device_t)
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
')
another cleanup pass
2005-05-24 15:55:57 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Delete symbolic links in device directories.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
another cleanup pass
2005-05-24 15:55:57 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_delete_generic_symlinks',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type device_t;
')
add some indentation
2005-06-02 20:26:48 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
delete_lnk_files_pattern($1, device_t, device_t)
another cleanup pass
2005-05-24 15:55:57 +00:00
')
pile of updates
2005-05-13 14:37:13 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Create, delete, read, and write symbolic links in device directories.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
pile of updates
2005-05-13 14:37:13 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_manage_generic_symlinks',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type device_t;
')
add some indentation
2005-06-02 20:26:48 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_lnk_files_pattern($1, device_t, device_t)
pile of updates
2005-05-13 14:37:13 +00:00
')
more low hanging fruit cleanup
2005-06-28 17:32:57 +00:00
########################################
## <summary>
## Relabel symbolic links in device directories.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more low hanging fruit cleanup
2005-06-28 17:32:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more low hanging fruit cleanup
2005-06-28 17:32:57 +00:00
## </param>
#
interface(`dev_relabel_generic_symlinks',`
gen_require(`
type device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
relabel_lnk_files_pattern($1, device_t, device_t)
more low hanging fruit cleanup
2005-06-28 17:32:57 +00:00
')
systemd: Further revisions from Russell Coker.
2017-02-25 14:35:10 +00:00
########################################
## <summary>
devices: Fix docs for dev_write_generic_sock_files().
2017-02-25 16:50:31 +00:00
## Write generic sock files in /dev.
systemd: Further revisions from Russell Coker.
2017-02-25 14:35:10 +00:00
## </summary>
## <param name="domain">
## <summary>
devices: Fix docs for dev_write_generic_sock_files().
2017-02-25 16:50:31 +00:00
## Domain allowed access.
systemd: Further revisions from Russell Coker.
2017-02-25 14:35:10 +00:00
## </summary>
## </param>
#
interface(`dev_write_generic_sock_files',`
gen_require(`
type device_t;
')
write_sock_files_pattern($1, device_t, device_t)
')
reorg run_init a little, and add a convert to a few new interfaces
2005-05-02 21:02:14 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Create, delete, read, and write device nodes in device directories.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
reorg run_init a little, and add a convert to a few new interfaces
2005-05-02 21:02:14 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_manage_all_dev_nodes',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
attribute device_node, memory_raw_read, memory_raw_write;
type device_t;
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_dirs_pattern($1, device_t, device_t)
manage_sock_files_pattern($1, device_t, device_t)
manage_lnk_files_pattern($1, device_t, device_t)
manage_chr_files_pattern($1, device_t, { device_t device_node })
manage_blk_files_pattern($1, device_t, { device_t device_node })
relabel_dirs_pattern($1, device_t, device_t)
relabel_chr_files_pattern($1, device_t, { device_t device_node })
relabel_blk_files_pattern($1, device_t, { device_t device_node })
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
# these next rules are to satisfy assertions broken by the above lines.
# the permissions hopefully can be cut back a lot
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
storage_read_scsi_generic($1)
storage_write_scsi_generic($1)
typeattribute $1 memory_raw_read;
typeattribute $1 memory_raw_write;
reorg run_init a little, and add a convert to a few new interfaces
2005-05-02 21:02:14 +00:00
')
initial commit
2005-04-14 20:18:17 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Dontaudit getattr for generic device files.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_dontaudit_rw_generic_dev_nodes',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
type device_t;
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
initial commit
2005-04-14 20:18:17 +00:00
')
cleanup inspired by sediff
2005-05-27 21:56:01 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Create, delete, read, and write block device files.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
cleanup inspired by sediff
2005-05-27 21:56:01 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_manage_generic_blk_files',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
type device_t;
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_blk_files_pattern($1, device_t, device_t)
cleanup inspired by sediff
2005-05-27 21:56:01 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Create, delete, read, and write character device files.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
cleanup inspired by sediff
2005-05-27 21:56:01 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_manage_generic_chr_files',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
type device_t;
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_chr_files_pattern($1, device_t, device_t)
cleanup inspired by sediff
2005-05-27 21:56:01 +00:00
')
initial commit
2005-04-14 20:18:17 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Create, read, and write device nodes. The node
## will be transitioned to the type provided.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
## <param name="file">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Type to which the created node will be transitioned.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
## <param name="objectclass(es)">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Object class(es) (single or set including {}) for which this
## the transition will occur.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
Add optional name for kernel and system filetrans interfaces.
2012-05-10 13:53:45 +00:00
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
another round of renaming
2006-02-21 18:40:44 +00:00
interface(`dev_filetrans',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
type device_t;
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
Add optional name for kernel and system filetrans interfaces.
2012-05-10 13:53:45 +00:00
filetrans_pattern($1, device_t, $2, $3, $4)
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
Move devtmpfs to devices from filesystem Move devtmpfs to devices module (remove from filesystem module) Make device_t a filesystem Add interface for associating types with device_t filesystem (dev_associate) Call dev_associate from dev_filetrans Allow all device nodes associate with device_t filesystem Remove dev_tmpfs_filetrans_dev from kernel_t Remove fs_associate_tmpfs(initctl_t) - redundant, it was in dev_filetrans, now in dev_associate Mounton interface, to allow the kernel to mounton device_t Signed-off-by: Jeremy Solt <jsolt@tresys.com>
2010-08-18 15:36:34 +00:00
dev_associate($2)
fix filesystem associations
2005-11-01 15:45:00 +00:00
files_associate_tmp($2)
initial commit
2005-04-14 20:18:17 +00:00
')
make getattr and setattr interfaces and make naming consistent
2005-04-22 19:31:32 +00:00
########################################
Add kernel access to devtmpfs. Also add workround while devtmpfs is tmpfs_t instead of device_t.
2010-05-03 15:17:16 +00:00
## <summary>
## Create, read, and write device nodes. The node
## will be transitioned to the type provided. This is
## a temporary interface until devtmpfs functionality
## fixed.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="objectclass(es)">
## <summary>
## Object class(es) (single or set including {}) for which this
## the transition will occur.
## </summary>
## </param>
Add optional name for kernel and system filetrans interfaces.
2012-05-10 13:53:45 +00:00
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
Add kernel access to devtmpfs. Also add workround while devtmpfs is tmpfs_t instead of device_t.
2010-05-03 15:17:16 +00:00
#
interface(`dev_tmpfs_filetrans_dev',`
gen_require(`
type device_t;
')
Add optional name for kernel and system filetrans interfaces.
2012-05-10 13:53:45 +00:00
fs_tmpfs_filetrans($1, device_t, $2, $3)
Add kernel access to devtmpfs. Also add workround while devtmpfs is tmpfs_t instead of device_t.
2010-05-03 15:17:16 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Getattr on all block file device nodes.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## <rolecap/>
make getattr and setattr interfaces and make naming consistent
2005-04-22 19:31:32 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_getattr_all_blk_files',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
attribute device_node;
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
type device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_blk_files_pattern($1, device_t, device_node)
make getattr and setattr interfaces and make naming consistent
2005-04-22 19:31:32 +00:00
')
pile of updates
2005-05-13 14:37:13 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Dontaudit getattr on all block file device nodes.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
pile of updates
2005-05-13 14:37:13 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_dontaudit_getattr_all_blk_files',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
attribute device_node;
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
type device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
dontaudit $1 { device_t device_node }:blk_file getattr;
pile of updates
2005-05-13 14:37:13 +00:00
')
make getattr and setattr interfaces and make naming consistent
2005-04-22 19:31:32 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Getattr on all character file device nodes.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## <rolecap/>
make getattr and setattr interfaces and make naming consistent
2005-04-22 19:31:32 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_getattr_all_chr_files',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
attribute device_node;
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_chr_files_pattern($1, device_t, device_node)
make getattr and setattr interfaces and make naming consistent
2005-04-22 19:31:32 +00:00
')
pile of updates
2005-05-13 14:37:13 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Dontaudit getattr on all character file device nodes.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
pile of updates
2005-05-13 14:37:13 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_dontaudit_getattr_all_chr_files',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
attribute device_node;
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
type device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
dontaudit $1 { device_t device_node }:chr_file getattr;
pile of updates
2005-05-13 14:37:13 +00:00
')
make getattr and setattr interfaces and make naming consistent
2005-04-22 19:31:32 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Setattr on all block file device nodes.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## <rolecap/>
make getattr and setattr interfaces and make naming consistent
2005-04-22 19:31:32 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_setattr_all_blk_files',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
attribute device_node;
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
setattr_blk_files_pattern($1, device_t, device_node)
make getattr and setattr interfaces and make naming consistent
2005-04-22 19:31:32 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Setattr on all character file device nodes.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
## <rolecap/>
make getattr and setattr interfaces and make naming consistent
2005-04-22 19:31:32 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_setattr_all_chr_files',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
attribute device_node;
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
setattr_chr_files_pattern($1, device_t, device_node)
make getattr and setattr interfaces and make naming consistent
2005-04-22 19:31:32 +00:00
')
more upstream merging
2005-09-16 21:20:37 +00:00
########################################
## <summary>
## Dontaudit read on all block file device nodes.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more upstream merging
2005-09-16 21:20:37 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more upstream merging
2005-09-16 21:20:37 +00:00
## </param>
#
interface(`dev_dontaudit_read_all_blk_files',`
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:blk_file { getattr read };
')
Devices patch from Dan Walsh.
2010-03-04 20:30:22 +00:00
########################################
## <summary>
## Dontaudit write on all block file device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_write_all_blk_files',`
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:blk_file write;
')
more upstream merging
2005-09-16 21:20:37 +00:00
########################################
## <summary>
## Dontaudit read on all character file device nodes.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more upstream merging
2005-09-16 21:20:37 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more upstream merging
2005-09-16 21:20:37 +00:00
## </param>
#
interface(`dev_dontaudit_read_all_chr_files',`
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:chr_file { getattr read };
')
Devices patch from Dan Walsh.
2010-03-04 20:30:22 +00:00
########################################
## <summary>
## Dontaudit write on all character file device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_write_all_chr_files',`
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:chr_file write;
')
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
########################################
## <summary>
## Create all block device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_all_blk_files',`
gen_require(`
attribute device_node;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
create_blk_files_pattern($1, device_t, device_node)
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
')
########################################
## <summary>
## Create all character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_all_chr_files',`
gen_require(`
attribute device_node;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
create_chr_files_pattern($1, device_t, device_node)
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
')
########################################
## <summary>
## Delete all block device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_all_blk_files',`
gen_require(`
attribute device_node;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
delete_blk_files_pattern($1, device_t, device_node)
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
')
########################################
## <summary>
## Delete all character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_all_chr_files',`
gen_require(`
attribute device_node;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
delete_chr_files_pattern($1, device_t, device_node)
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
')
########################################
## <summary>
## Rename all block device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rename_all_blk_files',`
gen_require(`
attribute device_node;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rename_blk_files_pattern($1, device_t, device_node)
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
')
########################################
## <summary>
## Rename all character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rename_all_chr_files',`
gen_require(`
attribute device_node;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rename_chr_files_pattern($1, device_t, device_node)
add main part of role-o-matic
2006-09-06 22:07:25 +00:00
')
cleanup inspired by sediff
2005-05-27 21:56:01 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Read, write, create, and delete all block device files.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
cleanup inspired by sediff
2005-05-27 21:56:01 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_manage_all_blk_files',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
attribute device_node;
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_blk_files_pattern($1, device_t, device_node)
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
# these next rules are to satisfy assertions broken by the above lines.
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
storage_read_scsi_generic($1)
storage_write_scsi_generic($1)
cleanup inspired by sediff
2005-05-27 21:56:01 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Read, write, create, and delete all character device files.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
cleanup inspired by sediff
2005-05-27 21:56:01 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_manage_all_chr_files',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
attribute device_node, memory_raw_read, memory_raw_write;
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_chr_files_pattern($1, device_t, device_node)
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
typeattribute $1 memory_raw_read, memory_raw_write;
cleanup inspired by sediff
2005-05-27 21:56:01 +00:00
')
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
########################################
## <summary>
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
## Get the attributes of the apm bios device node.
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## </param>
#
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
interface(`dev_getattr_acpi_bios_dev',`
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
gen_require(`
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
type device_t, acpi_bios_t;
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
')
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
getattr_chr_files_pattern($1, device_t, acpi_bios_t)
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
')
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
########################################
## <summary>
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
## Do not audit attempts to get the attributes of
## the apm bios device node.
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## </param>
#
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
interface(`dev_dontaudit_getattr_acpi_bios_dev',`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
gen_require(`
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
type acpi_bios_t;
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
')
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
dontaudit $1 acpi_bios_t:chr_file getattr;
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
')
more work on current modules
2005-06-30 18:54:08 +00:00
########################################
## <summary>
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
## Set the attributes of the apm bios device node.
more work on current modules
2005-06-30 18:54:08 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more work on current modules
2005-06-30 18:54:08 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more work on current modules
2005-06-30 18:54:08 +00:00
## </param>
#
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
interface(`dev_setattr_acpi_bios_dev',`
more work on current modules
2005-06-30 18:54:08 +00:00
gen_require(`
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
type device_t, acpi_bios_t;
more work on current modules
2005-06-30 18:54:08 +00:00
')
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
setattr_chr_files_pattern($1, device_t, acpi_bios_t)
more work on current modules
2005-06-30 18:54:08 +00:00
')
########################################
## <summary>
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
## Do not audit attempts to set the attributes of
more work on current modules
2005-06-30 18:54:08 +00:00
## the apm bios device node.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more work on current modules
2005-06-30 18:54:08 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more work on current modules
2005-06-30 18:54:08 +00:00
## </param>
#
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
interface(`dev_dontaudit_setattr_acpi_bios_dev',`
more work on current modules
2005-06-30 18:54:08 +00:00
gen_require(`
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
type acpi_bios_t;
more work on current modules
2005-06-30 18:54:08 +00:00
')
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
dontaudit $1 acpi_bios_t:chr_file setattr;
more work on current modules
2005-06-30 18:54:08 +00:00
')
########################################
## <summary>
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
## Read and write the apm bios.
more work on current modules
2005-06-30 18:54:08 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more work on current modules
2005-06-30 18:54:08 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more work on current modules
2005-06-30 18:54:08 +00:00
## </param>
#
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
interface(`dev_rw_acpi_bios',`
more work on current modules
2005-06-30 18:54:08 +00:00
gen_require(`
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
type device_t, acpi_bios_t;
more work on current modules
2005-06-30 18:54:08 +00:00
')
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
rw_chr_files_pattern($1, device_t, acpi_bios_t)
more work on current modules
2005-06-30 18:54:08 +00:00
')
########################################
## <summary>
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
## Getattr the agp devices.
more work on current modules
2005-06-30 18:54:08 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more work on current modules
2005-06-30 18:54:08 +00:00
## </param>
#
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
interface(`dev_getattr_agp_dev',`
more work on current modules
2005-06-30 18:54:08 +00:00
gen_require(`
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
type device_t, agp_device_t;
more work on current modules
2005-06-30 18:54:08 +00:00
')
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
getattr_chr_files_pattern($1, device_t, agp_device_t)
more work on current modules
2005-06-30 18:54:08 +00:00
')
clean up more todos
2005-06-29 20:53:53 +00:00
########################################
## <summary>
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
## Read and write the agp devices.
clean up more todos
2005-06-29 20:53:53 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
clean up more todos
2005-06-29 20:53:53 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
clean up more todos
2005-06-29 20:53:53 +00:00
## </param>
#
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
interface(`dev_rw_agp',`
clean up more todos
2005-06-29 20:53:53 +00:00
gen_require(`
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
type device_t, agp_device_t;
clean up more todos
2005-06-29 20:53:53 +00:00
')
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
rw_chr_files_pattern($1, device_t, agp_device_t)
clean up more todos
2005-06-29 20:53:53 +00:00
')
Rename apm to acpi from Russell Coker. This patch is slightly more involved than just running sed. It also adds typealias rules and doesn't change the FC entries. The /dev/apm_bios device doesn't exist on modern systems. I have left that policy in for the moment on the principle of making one change per patch. But I might send another patch to remove that as it won't exist with modern kernels.
2017-04-26 10:36:20 +00:00
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
########################################
## <summary>
## Get the attributes of the autofs device node.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_autofs_dev',`
gen_require(`
type device_t, autofs_device_t;
')
getattr_chr_files_pattern($1, device_t, autofs_device_t)
')
########################################
## <summary>
## Do not audit attempts to get the attributes of
## the autofs device node.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_autofs_dev',`
gen_require(`
type autofs_device_t;
')
dontaudit $1 autofs_device_t:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of the autofs device node.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_autofs_dev',`
gen_require(`
type device_t, autofs_device_t;
')
setattr_chr_files_pattern($1, device_t, autofs_device_t)
')
########################################
## <summary>
## Do not audit attempts to set the attributes of
## the autofs device node.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_setattr_autofs_dev',`
gen_require(`
type autofs_device_t;
')
dontaudit $1 autofs_device_t:chr_file setattr;
')
########################################
## <summary>
## Read and write the autofs device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_autofs',`
gen_require(`
type device_t, autofs_device_t;
')
rw_chr_files_pattern($1, device_t, autofs_device_t)
')
Pull in devices changes from Fedora.
2011-03-07 15:47:09 +00:00
########################################
## <summary>
## Relabel the autofs device node.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabel_autofs_dev',`
gen_require(`
type autofs_device_t;
')
allow $1 autofs_device_t:chr_file relabel_chr_file_perms;
')
Declare a cachfiles device node type Used by kernel to communicate with user space (cachefilesd) Label the character file accordingly Create a dev_rw_cachefiles_dev() for cachefilesd Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-09-23 15:15:39 +00:00
########################################
## <summary>
## Read and write cachefiles character
## device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_cachefiles',`
gen_require(`
Rename cachefiles_dev_t to cachefiles_device_t.
2012-10-04 12:24:57 +00:00
type device_t, cachefiles_device_t;
Declare a cachfiles device node type Used by kernel to communicate with user space (cachefilesd) Label the character file accordingly Create a dev_rw_cachefiles_dev() for cachefilesd Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-09-23 15:15:39 +00:00
')
Rename cachefiles_dev_t to cachefiles_device_t.
2012-10-04 12:24:57 +00:00
rw_chr_files_pattern($1, device_t, cachefiles_device_t)
Declare a cachfiles device node type Used by kernel to communicate with user space (cachefilesd) Label the character file accordingly Create a dev_rw_cachefiles_dev() for cachefilesd Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-09-23 15:15:39 +00:00
')
pile of sediff fixes
2005-11-08 22:00:30 +00:00
########################################
## <summary>
## Read and write the PCMCIA card manager device.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
pile of sediff fixes
2005-11-08 22:00:30 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
pile of sediff fixes
2005-11-08 22:00:30 +00:00
## </param>
#
interface(`dev_rw_cardmgr',`
gen_require(`
type cardmgr_dev_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, cardmgr_dev_t)
pile of sediff fixes
2005-11-08 22:00:30 +00:00
')
* break up files_getattr_all_files into correct interfaces * move stuff out of pcmcia into the appropriate modules
2005-07-15 15:17:57 +00:00
########################################
## <summary>
## Do not audit attempts to read and
## write the PCMCIA card manager device.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
* break up files_getattr_all_files into correct interfaces * move stuff out of pcmcia into the appropriate modules
2005-07-15 15:17:57 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
* break up files_getattr_all_files into correct interfaces * move stuff out of pcmcia into the appropriate modules
2005-07-15 15:17:57 +00:00
## </param>
#
interface(`dev_dontaudit_rw_cardmgr',`
gen_require(`
type cardmgr_dev_t;
')
dontaudit $1 cardmgr_dev_t:chr_file { read write };
')
split dev_create_cardmgr_dev() into a create and a filetrans interface.
2009-08-25 13:56:56 +00:00
########################################
## <summary>
## Create, read, write, and delete
## the PCMCIA card manager device
## with the correct type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_cardmgr_dev',`
gen_require(`
type device_t, cardmgr_dev_t;
')
create_chr_files_pattern($1, device_t, cardmgr_dev_t)
create_blk_files_pattern($1, device_t, cardmgr_dev_t)
')
fix several modular build problems
2005-11-29 21:27:15 +00:00
########################################
## <summary>
## Create, read, write, and delete
## the PCMCIA card manager device.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
fix several modular build problems
2005-11-29 21:27:15 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
fix several modular build problems
2005-11-29 21:27:15 +00:00
## </param>
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_manage_cardmgr_dev',`
fix several modular build problems
2005-11-29 21:27:15 +00:00
gen_require(`
type device_t, cardmgr_dev_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_chr_files_pattern($1, device_t, cardmgr_dev_t)
manage_blk_files_pattern($1, device_t, cardmgr_dev_t)
fix several modular build problems
2005-11-29 21:27:15 +00:00
')
########################################
## <summary>
split dev_create_cardmgr_dev() into a create and a filetrans interface.
2009-08-25 13:56:56 +00:00
## Automatic type transition to the type
## for PCMCIA card manager device nodes when
## created in /dev.
fix several modular build problems
2005-11-29 21:27:15 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
fix several modular build problems
2005-11-29 21:27:15 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
fix several modular build problems
2005-11-29 21:27:15 +00:00
## </param>
Add optional name for kernel and system filetrans interfaces.
2012-05-10 13:53:45 +00:00
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
fix several modular build problems
2005-11-29 21:27:15 +00:00
#
split dev_create_cardmgr_dev() into a create and a filetrans interface.
2009-08-25 13:56:56 +00:00
interface(`dev_filetrans_cardmgr',`
fix several modular build problems
2005-11-29 21:27:15 +00:00
gen_require(`
type device_t, cardmgr_dev_t;
')
Add optional name for kernel and system filetrans interfaces.
2012-05-10 13:53:45 +00:00
filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file }, $2)
fix several modular build problems
2005-11-29 21:27:15 +00:00
')
add cpucontrol
2005-09-20 18:15:35 +00:00
########################################
## <summary>
## Get the attributes of the CPU
## microcode and id interfaces.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add cpucontrol
2005-09-20 18:15:35 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add cpucontrol
2005-09-20 18:15:35 +00:00
## </param>
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_getattr_cpu_dev',`
add cpucontrol
2005-09-20 18:15:35 +00:00
gen_require(`
type device_t, cpu_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_chr_files_pattern($1, device_t, cpu_device_t)
add cpucontrol
2005-09-20 18:15:35 +00:00
')
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
########################################
## <summary>
## Set the attributes of the CPU
## microcode and id interfaces.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_cpu_dev',`
gen_require(`
type device_t, cpu_device_t;
')
setattr_chr_files_pattern($1, device_t, cpu_device_t)
')
initial commit
2005-04-14 20:18:17 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read the CPU identity.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_read_cpuid',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, cpu_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_chr_files_pattern($1, device_t, cpu_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read and write the the CPU microcode device. This
## is required to load CPU microcode.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_rw_cpu_microcode',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, cpu_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, cpu_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
Pull in devices changes from Fedora.
2011-03-07 15:47:09 +00:00
########################################
## <summary>
## Read the kernel crash device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_crash',`
gen_require(`
type device_t, crash_device_t;
')
read_chr_files_pattern($1, device_t, crash_device_t)
')
more apache work
2005-10-12 16:23:22 +00:00
########################################
## <summary>
## Read and write the the hardware SSL accelerator.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more apache work
2005-10-12 16:23:22 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more apache work
2005-10-12 16:23:22 +00:00
## </param>
#
interface(`dev_rw_crypto',`
gen_require(`
type device_t, crypt_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, crypt_device_t)
more apache work
2005-10-12 16:23:22 +00:00
')
Devices patch from Dan Walsh.
2010-03-04 20:30:22 +00:00
#######################################
## <summary>
## Set the attributes of the dlm control devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_dlm_control',`
gen_require(`
Fix typo in dev_setattr_dlm_control interface requirements
2016-01-20 11:36:02 +00:00
type device_t, dlm_control_device_t;
Devices patch from Dan Walsh.
2010-03-04 20:30:22 +00:00
')
setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
')
#######################################
## <summary>
## Read and write the the dlm control device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_dlm_control',`
gen_require(`
type device_t, dlm_control_device_t;
')
rw_chr_files_pattern($1, device_t, dlm_control_device_t)
')
patch from dan Mon, 20 Feb 2006 17:19:34 -0500
2006-02-22 21:21:26 +00:00
########################################
## <summary>
## getattr the dri devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_dri_dev',`
gen_require(`
type device_t, dri_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_chr_files_pattern($1, device_t, dri_device_t)
patch from dan Mon, 20 Feb 2006 17:19:34 -0500
2006-02-22 21:21:26 +00:00
')
########################################
## <summary>
## Setattr the dri devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_dri_dev',`
gen_require(`
type device_t, dri_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
setattr_chr_files_pattern($1, device_t, dri_device_t)
patch from dan Mon, 20 Feb 2006 17:19:34 -0500
2006-02-22 21:21:26 +00:00
')
many fixes from cab work
2005-05-30 21:17:20 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## Read and write the dri devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
many fixes from cab work
2005-05-30 21:17:20 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_rw_dri',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, dri_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, dri_device_t)
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
allow $1 dri_device_t:chr_file map;
many fixes from cab work
2005-05-30 21:17:20 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## Dontaudit read and write on the dri devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
many fixes from cab work
2005-05-30 21:17:20 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_dontaudit_rw_dri',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
type dri_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
dontaudit $1 dri_device_t:chr_file rw_chr_file_perms;
many fixes from cab work
2005-05-30 21:17:20 +00:00
')
initial commit
2005-04-14 20:18:17 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## Create, read, write, and delete the dri devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
interface(`dev_manage_dri_dev',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
type device_t, dri_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_chr_files_pattern($1, device_t, dri_device_t)
Grant all permissions neccessary for Xorg and basic X clients Note that dev_rw_dri already has the permission, it was just forgotten to add it to dev_manage_dri, too.
2017-09-12 02:11:15 +00:00
allow $1 dri_device_t:chr_file map;
split dev_manage_dri_dev() into a manage and a filetrans interface.
2009-08-25 13:43:38 +00:00
')
########################################
## <summary>
## Automatic type transition to the type
## for DRI device nodes when created in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
Add optional name for kernel and system filetrans interfaces.
2012-05-10 13:53:45 +00:00
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
split dev_manage_dri_dev() into a manage and a filetrans interface.
2009-08-25 13:43:38 +00:00
#
interface(`dev_filetrans_dri',`
gen_require(`
type device_t, dri_device_t;
')
Add optional name for kernel and system filetrans interfaces.
2012-05-10 13:53:45 +00:00
filetrans_pattern($1, device_t, dri_device_t, chr_file, $2)
initial commit
2005-04-14 20:18:17 +00:00
')
Add supporting rules for domains tightly-coupled with systemd.
2015-10-20 18:48:38 +00:00
########################################
## <summary>
## Automatic type transition to the type
## for event device nodes when created in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`dev_filetrans_input_dev',`
gen_require(`
type device_t, event_device_t;
')
filetrans_pattern($1, device_t, event_device_t, chr_file, $2)
')
trunk: 11 patches from dan.
2007-10-29 18:35:32 +00:00
########################################
## <summary>
## Get the attributes of the event devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_input_dev',`
gen_require(`
type device_t, event_device_t;
')
allow $1 device_t:dir list_dir_perms;
allow $1 event_device_t:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of the event devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_input_dev',`
gen_require(`
type device_t, event_device_t;
')
allow $1 device_t:dir list_dir_perms;
allow $1 event_device_t:chr_file setattr;
')
initial commit
2005-04-14 20:18:17 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read input event devices (/dev/input).
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_read_input',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, event_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_chr_files_pattern($1, device_t, event_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
########################################
## <summary>
Fix interface descriptions when duplicate ones are found Distinct interfaces should have different comments
2016-01-18 23:01:10 +00:00
## Read and write input event devices (/dev/input).
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## </param>
#
interface(`dev_rw_input_dev',`
gen_require(`
type device_t, event_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, event_device_t)
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
')
Add supporting rules for domains tightly-coupled with systemd.
2015-10-20 18:48:38 +00:00
########################################
## <summary>
## Create, read, write, and delete input event devices (/dev/input).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_input_dev',`
gen_require(`
type device_t, event_device_t;
')
manage_chr_files_pattern($1, device_t, event_device_t)
')
initial commit
2005-04-14 20:18:17 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Get the attributes of the framebuffer device node.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_getattr_framebuffer_dev',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, framebuf_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_chr_files_pattern($1, device_t, framebuf_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Set the attributes of the framebuffer device node.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_setattr_framebuffer_dev',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, framebuf_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
setattr_chr_files_pattern($1, device_t, framebuf_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Dot not audit attempts to set the attributes
## of the framebuffer device node.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_dontaudit_setattr_framebuffer_dev',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type framebuf_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
dontaudit $1 framebuf_device_t:chr_file setattr;
initial commit
2005-04-14 20:18:17 +00:00
')
allow all domains to use /dev/{zero,null,tty}
2005-05-09 19:55:01 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read the framebuffer.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
allow all domains to use /dev/{zero,null,tty}
2005-05-09 19:55:01 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_read_framebuffer',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type framebuf_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_chr_files_pattern($1, device_t, framebuf_device_t)
allow all domains to use /dev/{zero,null,tty}
2005-05-09 19:55:01 +00:00
')
many fixes from cab work
2005-05-30 21:17:20 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Do not audit attempts to read the framebuffer.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
many fixes from cab work
2005-05-30 21:17:20 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_dontaudit_read_framebuffer',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type framebuf_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
dontaudit $1 framebuf_device_t:chr_file { getattr read };
many fixes from cab work
2005-05-30 21:17:20 +00:00
')
initial commit
2005-04-14 20:18:17 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Write the framebuffer.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_write_framebuffer',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, framebuf_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
write_chr_files_pattern($1, device_t, framebuf_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
########################################
## <summary>
## Read and write the framebuffer.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## </param>
#
interface(`dev_rw_framebuffer',`
gen_require(`
type device_t, framebuf_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, framebuf_device_t)
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
')
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
########################################
## <summary>
## Read the kernel messages
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_kmsg',`
gen_require(`
type device_t, kmsg_device_t;
')
read_chr_files_pattern($1, device_t, kmsg_device_t)
')
Pull in devices changes from Fedora.
2011-03-07 15:47:09 +00:00
########################################
## <summary>
## Do not audit attempts to read the kernel messages
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_read_kmsg',`
gen_require(`
type kmsg_device_t;
')
dontaudit $1 kmsg_device_t:chr_file read;
')
Devices patch from Dan Walsh.
2010-03-04 20:30:22 +00:00
########################################
## <summary>
## Write to the kernel messages device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_kmsg',`
gen_require(`
type device_t, kmsg_device_t;
')
write_chr_files_pattern($1, device_t, kmsg_device_t)
')
Allow journald to read the kernel ring buffer and to use /dev/kmsg audit.log shows that journald needs to read the kernel read buffer: avc: denied { syslog_read } for pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 Moreover journald uses RW access to /dev/kmsg, according to its code: http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394
2014-09-07 21:28:14 +00:00
########################################
## <summary>
## Read and write to the kernel messages device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_kmsg',`
gen_require(`
type device_t, kmsg_device_t;
')
rw_chr_files_pattern($1, device_t, kmsg_device_t)
')
Add devices patch from Dan Walsh.
2009-11-19 14:44:19 +00:00
########################################
## <summary>
## Get the attributes of the ksm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_ksm_dev',`
gen_require(`
type device_t, ksm_device_t;
')
getattr_chr_files_pattern($1, device_t, ksm_device_t)
')
########################################
## <summary>
## Set the attributes of the ksm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_ksm_dev',`
gen_require(`
type device_t, ksm_device_t;
')
setattr_chr_files_pattern($1, device_t, ksm_device_t)
')
########################################
## <summary>
## Read the ksm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_ksm',`
gen_require(`
type device_t, ksm_device_t;
')
read_chr_files_pattern($1, device_t, ksm_device_t)
')
########################################
## <summary>
## Read and write to ksm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_ksm',`
gen_require(`
type device_t, ksm_device_t;
')
rw_chr_files_pattern($1, device_t, ksm_device_t)
')
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
########################################
## <summary>
## Get the attributes of the kvm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_kvm_dev',`
gen_require(`
type device_t, kvm_device_t;
')
getattr_chr_files_pattern($1, device_t, kvm_device_t)
')
########################################
## <summary>
## Set the attributes of the kvm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_kvm_dev',`
gen_require(`
type device_t, kvm_device_t;
')
setattr_chr_files_pattern($1, device_t, kvm_device_t)
')
########################################
## <summary>
## Read the kvm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_kvm',`
gen_require(`
type device_t, kvm_device_t;
')
read_chr_files_pattern($1, device_t, kvm_device_t)
')
########################################
## <summary>
trunk: whitespace fixes
2009-06-26 14:40:13 +00:00
## Read and write to kvm devices.
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
## </summary>
## <param name="domain">
## <summary>
trunk: whitespace fixes
2009-06-26 14:40:13 +00:00
## Domain allowed access.
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
## </summary>
## </param>
#
interface(`dev_rw_kvm',`
gen_require(`
type device_t, kvm_device_t;
')
rw_chr_files_pattern($1, device_t, kvm_device_t)
')
Add devices patch from Dan Walsh.
2009-11-19 14:44:19 +00:00
######################################
## <summary>
## Read the lirc device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_lirc',`
gen_require(`
type device_t, lirc_device_t;
')
read_chr_files_pattern($1, device_t, lirc_device_t)
')
######################################
## <summary>
## Read and write the lirc device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_lirc',`
gen_require(`
type device_t, lirc_device_t;
')
rw_chr_files_pattern($1, device_t, lirc_device_t)
')
kernel/devices.if: Add dev_rw_loop_control interface
2014-02-01 13:50:21 +00:00
######################################
## <summary>
Move loop control interface definition.
2014-02-08 15:48:50 +00:00
## Automatic type transition to the type
## for lirc device nodes when created in /dev.
kernel/devices.if: Add dev_rw_loop_control interface
2014-02-01 13:50:21 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
Move loop control interface definition.
2014-02-08 15:48:50 +00:00
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
kernel/devices.if: Add dev_rw_loop_control interface
2014-02-01 13:50:21 +00:00
#
Move loop control interface definition.
2014-02-08 15:48:50 +00:00
interface(`dev_filetrans_lirc',`
kernel/devices.if: Add dev_rw_loop_control interface
2014-02-01 13:50:21 +00:00
gen_require(`
Move loop control interface definition.
2014-02-08 15:48:50 +00:00
type device_t, lirc_device_t;
kernel/devices.if: Add dev_rw_loop_control interface
2014-02-01 13:50:21 +00:00
')
Move loop control interface definition.
2014-02-08 15:48:50 +00:00
filetrans_pattern($1, device_t, lirc_device_t, chr_file, $2)
kernel/devices.if: Add dev_rw_loop_control interface
2014-02-01 13:50:21 +00:00
')
Add devices patch from Dan Walsh.
2009-11-19 14:44:19 +00:00
######################################
## <summary>
Move loop control interface definition.
2014-02-08 15:48:50 +00:00
## Read and write the loop-control device.
Add devices patch from Dan Walsh.
2009-11-19 14:44:19 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
Move loop control interface definition.
2014-02-08 15:48:50 +00:00
interface(`dev_rw_loop_control',`
Add devices patch from Dan Walsh.
2009-11-19 14:44:19 +00:00
gen_require(`
Move loop control interface definition.
2014-02-08 15:48:50 +00:00
type device_t, loop_control_device_t;
Add devices patch from Dan Walsh.
2009-11-19 14:44:19 +00:00
')
Move loop control interface definition.
2014-02-08 15:48:50 +00:00
rw_chr_files_pattern($1, device_t, loop_control_device_t)
Add devices patch from Dan Walsh.
2009-11-19 14:44:19 +00:00
')
Devices patch from Dan Walsh. vhost_device_t added for libvirt/qemu /dev/usbmon device added lots of new interfaces.
2010-06-07 13:20:18 +00:00
########################################
## <summary>
## Get the attributes of the lvm comtrol device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_lvm_control',`
gen_require(`
type device_t, lvm_control_t;
')
getattr_chr_files_pattern($1, device_t, lvm_control_t)
')
interfaces needed for clock
2005-05-05 21:19:18 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read the lvm comtrol device.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
interfaces needed for clock
2005-05-05 21:19:18 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_read_lvm_control',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, lvm_control_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_chr_files_pattern($1, device_t, lvm_control_t)
interfaces needed for clock
2005-05-05 21:19:18 +00:00
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read and write the lvm control device.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_rw_lvm_control',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, lvm_control_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, lvm_control_t)
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
Add devices patch from Dan Walsh.
2009-11-19 14:44:19 +00:00
########################################
## <summary>
## Do not audit attempts to read and write lvm control device.
## </summary>
## <param name="domain">
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
Add devices patch from Dan Walsh.
2009-11-19 14:44:19 +00:00
## </summary>
## </param>
#
interface(`dev_dontaudit_rw_lvm_control',`
gen_require(`
type lvm_control_t;
')
dontaudit $1 lvm_control_t:chr_file rw_file_perms;
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Delete the lvm control device.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_delete_lvm_control_dev',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, lvm_control_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
delete_chr_files_pattern($1, device_t, lvm_control_t)
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
patch from dan 1/16/06
2006-01-17 17:50:10 +00:00
########################################
## <summary>
## dontaudit getattr raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
patch from dan 1/16/06
2006-01-17 17:50:10 +00:00
## </param>
#
interface(`dev_dontaudit_getattr_memory_dev',`
gen_require(`
type memory_device_t;
')
dontaudit $1 memory_device_t:chr_file getattr;
')
initial commit
2005-04-14 20:18:17 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read raw memory devices (e.g. /dev/mem).
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_read_raw_memory',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, memory_device_t;
attribute memory_raw_read;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_chr_files_pattern($1, device_t, memory_device_t)
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_read;
initial commit
2005-04-14 20:18:17 +00:00
')
Devices patch from Dan Walsh.
2010-03-04 20:30:22 +00:00
########################################
## <summary>
## Do not audit attempts to read raw memory devices
## (e.g. /dev/mem).
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_read_raw_memory',`
gen_require(`
type memory_device_t;
')
dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
')
initial commit
2005-04-14 20:18:17 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Write raw memory devices (e.g. /dev/mem).
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_write_raw_memory',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, memory_device_t;
attribute memory_raw_write;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
write_chr_files_pattern($1, device_t, memory_device_t)
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_write;
initial commit
2005-04-14 20:18:17 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read and execute raw memory devices (e.g. /dev/mem).
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_rx_raw_memory',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, memory_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
dev_read_raw_memory($1)
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
allow $1 memory_device_t:chr_file { map execute };
initial commit
2005-04-14 20:18:17 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Write and execute raw memory devices (e.g. /dev/mem).
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_wx_raw_memory',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, memory_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
dev_write_raw_memory($1)
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
allow $1 memory_device_t:chr_file { map execute };
initial commit
2005-04-14 20:18:17 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Get the attributes of miscellaneous devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_getattr_misc_dev',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, misc_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_chr_files_pattern($1, device_t, misc_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
start adding user domains. fix ttynode and ptynode handling, as they're more then user terminals (at least ptynode is). start adding XML comments
2005-05-16 21:10:33 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Do not audit attempts to get the attributes
## of miscellaneous devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
start adding user domains. fix ttynode and ptynode handling, as they're more then user terminals (at least ptynode is). start adding XML comments
2005-05-16 21:10:33 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_dontaudit_getattr_misc_dev',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type misc_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
dontaudit $1 misc_device_t:chr_file getattr;
start adding user domains. fix ttynode and ptynode handling, as they're more then user terminals (at least ptynode is). start adding XML comments
2005-05-16 21:10:33 +00:00
')
initial commit
2005-04-14 20:18:17 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Set the attributes of miscellaneous devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_setattr_misc_dev',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, misc_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
setattr_chr_files_pattern($1, device_t, misc_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
start adding user domains. fix ttynode and ptynode handling, as they're more then user terminals (at least ptynode is). start adding XML comments
2005-05-16 21:10:33 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Do not audit attempts to set the attributes
## of miscellaneous devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
start adding user domains. fix ttynode and ptynode handling, as they're more then user terminals (at least ptynode is). start adding XML comments
2005-05-16 21:10:33 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_dontaudit_setattr_misc_dev',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type misc_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
dontaudit $1 misc_device_t:chr_file setattr;
start adding user domains. fix ttynode and ptynode handling, as they're more then user terminals (at least ptynode is). start adding XML comments
2005-05-16 21:10:33 +00:00
')
initial commit
2005-04-14 20:18:17 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read miscellaneous devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_read_misc',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, misc_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_chr_files_pattern($1, device_t, misc_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Write miscellaneous devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_write_misc',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, misc_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
write_chr_files_pattern($1, device_t, misc_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
more xdm work
2006-01-20 22:02:24 +00:00
########################################
## <summary>
## Do not audit attempts to read and write miscellaneous devices.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more xdm work
2006-01-20 22:02:24 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more xdm work
2006-01-20 22:02:24 +00:00
## </param>
#
interface(`dev_dontaudit_rw_misc',`
gen_require(`
type misc_device_t;
')
dontaudit $1 misc_device_t:chr_file rw_file_perms;
')
Add devices patch from Dan Walsh.
2009-11-19 14:44:19 +00:00
########################################
## <summary>
## Get the attributes of the modem devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_modem_dev',`
gen_require(`
type device_t, modem_device_t;
')
getattr_chr_files_pattern($1, device_t, modem_device_t)
')
########################################
## <summary>
## Set the attributes of the modem devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_modem_dev',`
gen_require(`
type device_t, modem_device_t;
')
setattr_chr_files_pattern($1, device_t, modem_device_t)
')
########################################
## <summary>
## Read the modem devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_modem',`
gen_require(`
type device_t, modem_device_t;
')
read_chr_files_pattern($1, device_t, modem_device_t)
')
########################################
## <summary>
## Read and write to modem devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_modem',`
gen_require(`
type device_t, modem_device_t;
')
rw_chr_files_pattern($1, device_t, modem_device_t)
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Get the attributes of the mouse devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_getattr_mouse_dev',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, mouse_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_chr_files_pattern($1, device_t, mouse_device_t)
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Set the attributes of the mouse devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_setattr_mouse_dev',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, mouse_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
setattr_chr_files_pattern($1, device_t, mouse_device_t)
more work on current modules
2005-06-30 18:54:08 +00:00
')
########################################
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read the mouse devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_read_mouse',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, mouse_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_chr_files_pattern($1, device_t, mouse_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
add kudzu
2005-09-23 19:38:34 +00:00
########################################
## <summary>
trunk: whitespace fixes in xml blocks.
2008-12-03 19:16:20 +00:00
## Read and write to mouse devices.
add kudzu
2005-09-23 19:38:34 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
trunk: whitespace fixes in xml blocks.
2008-12-03 19:16:20 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add kudzu
2005-09-23 19:38:34 +00:00
## </param>
#
interface(`dev_rw_mouse',`
gen_require(`
type device_t, mouse_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, mouse_device_t)
add kudzu
2005-09-23 19:38:34 +00:00
')
more fixes
2005-10-31 22:19:16 +00:00
########################################
## <summary>
fix up mtrr interfaces. missing the file class on a few interfaces, and read and write cannot be split.
2006-08-01 14:43:10 +00:00
## Get the attributes of the memory type range
## registers (MTRR) device.
more fixes
2005-10-31 22:19:16 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more fixes
2005-10-31 22:19:16 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more fixes
2005-10-31 22:19:16 +00:00
## </param>
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_getattr_mtrr_dev',`
more fixes
2005-10-31 22:19:16 +00:00
gen_require(`
type device_t, mtrr_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_files_pattern($1, device_t, mtrr_device_t)
getattr_chr_files_pattern($1, device_t, mtrr_device_t)
more fixes
2005-10-31 22:19:16 +00:00
')
Devices patch from Dan Walsh.
2010-03-04 20:30:22 +00:00
########################################
## <summary>
## Do not audit attempts to write the memory type
## range registers (MTRR).
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_write_mtrr',`
gen_require(`
type mtrr_device_t;
')
Devices patch from Dan Walsh. vhost_device_t added for libvirt/qemu /dev/usbmon device added lots of new interfaces.
2010-06-07 13:20:18 +00:00
dontaudit $1 mtrr_device_t:file write;
Devices patch from Dan Walsh.
2010-03-04 20:30:22 +00:00
dontaudit $1 mtrr_device_t:chr_file write;
')
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
########################################
## <summary>
fix up mtrr interfaces. missing the file class on a few interfaces, and read and write cannot be split.
2006-08-01 14:43:10 +00:00
## Read and write the memory type range registers (MTRR).
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## </param>
#
interface(`dev_rw_mtrr',`
fix up mtrr interfaces. missing the file class on a few interfaces, and read and write cannot be split.
2006-08-01 14:43:10 +00:00
gen_require(`
type device_t, mtrr_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_files_pattern($1, device_t, mtrr_device_t)
rw_chr_files_pattern($1, device_t, mtrr_device_t)
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
')
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
########################################
## <summary>
## Get the attributes of the network control device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_netcontrol_dev',`
gen_require(`
type device_t, netcontrol_device_t;
')
getattr_chr_files_pattern($1, device_t, netcontrol_device_t)
')
########################################
## <summary>
## Read the network control identity.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_netcontrol',`
gen_require(`
type device_t, netcontrol_device_t;
')
read_chr_files_pattern($1, device_t, netcontrol_device_t)
')
########################################
## <summary>
## Read and write the the network control device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_netcontrol',`
gen_require(`
type device_t, netcontrol_device_t;
')
rw_chr_files_pattern($1, device_t, netcontrol_device_t)
')
########################################
## <summary>
## Get the attributes of the null device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_null_dev',`
gen_require(`
type device_t, null_device_t;
')
getattr_chr_files_pattern($1, device_t, null_device_t)
')
########################################
## <summary>
## Set the attributes of the null device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_null_dev',`
gen_require(`
type device_t, null_device_t;
')
setattr_chr_files_pattern($1, device_t, null_device_t)
')
Add devices patch from Dan Walsh.
2009-11-19 14:44:19 +00:00
########################################
## <summary>
## Delete the null device (/dev/null).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_null',`
gen_require(`
type device_t, null_device_t;
')
delete_chr_files_pattern($1, device_t, null_device_t)
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read and write to the null device (/dev/null).
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_rw_null',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, null_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, null_device_t)
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
more testing fixes
2006-08-23 03:47:39 +00:00
########################################
## <summary>
## Create the null device (/dev/null).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_null_dev',`
gen_require(`
type device_t, null_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
create_chr_files_pattern($1, device_t, null_device_t)
more testing fixes
2006-08-23 03:47:39 +00:00
')
dpkg: Updates from Russell Coker.
2017-02-19 21:13:14 +00:00
########################################
## <summary>
## Manage services with script type null_device_t for when
## /lib/systemd/system/something.service is a link to /dev/null
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_null_service',`
gen_require(`
type null_device_t;
class service { status start stop reload };
')
allow $1 null_device_t:service { status start stop reload };
')
fix build error
2006-09-29 14:24:57 +00:00
########################################
## <summary>
## Do not audit attempts to get the attributes
## of the BIOS non-volatile RAM device.
## </summary>
## <param name="domain">
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
fix build error
2006-09-29 14:24:57 +00:00
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_nvram_dev',`
gen_require(`
type nvram_device_t;
')
dontaudit $1 nvram_device_t:chr_file getattr;
')
patch from dan Wed, 23 Aug 2006 14:03:49 -0400
2006-08-29 02:41:00 +00:00
########################################
## <summary>
## Read and write BIOS non-volatile RAM.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_nvram',`
gen_require(`
type nvram_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, nvram_device_t)
patch from dan Wed, 23 Aug 2006 14:03:49 -0400
2006-08-29 02:41:00 +00:00
')
fix most bad rules in cups, bug 1771
2006-06-08 17:18:25 +00:00
########################################
## <summary>
## Get the attributes of the printer device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_printer_dev',`
gen_require(`
type device_t, printer_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_chr_files_pattern($1, device_t, printer_device_t)
fix most bad rules in cups, bug 1771
2006-06-08 17:18:25 +00:00
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Set the attributes of the printer device nodes.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_setattr_printer_dev',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, printer_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
setattr_chr_files_pattern($1, device_t, printer_device_t)
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
add lpd
2005-10-22 21:09:03 +00:00
########################################
## <summary>
## Append the printer device.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add lpd
2005-10-22 21:09:03 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add lpd
2005-10-22 21:09:03 +00:00
## </param>
#
# cjp: added for lpd/checkpc_t
interface(`dev_append_printer',`
gen_require(`
type device_t, printer_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
append_chr_files_pattern($1, device_t, printer_device_t)
add lpd
2005-10-22 21:09:03 +00:00
')
add hal
2005-09-02 20:29:52 +00:00
########################################
## <summary>
## Read and write the printer device.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add hal
2005-09-02 20:29:52 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add hal
2005-09-02 20:29:52 +00:00
## </param>
#
interface(`dev_rw_printer',`
gen_require(`
type device_t, printer_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, printer_device_t)
add hal
2005-09-02 20:29:52 +00:00
')
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
########################################
## <summary>
## Read printk devices (e.g., /dev/kmsg /dev/mcelog)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_printk',`
gen_require(`
type device_t, printk_device_t;
')
read_chr_files_pattern($1, device_t, printk_device_t)
')
########################################
## <summary>
## Get the attributes of the QEMU
## microcode and id interfaces.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_qemu_dev',`
gen_require(`
type device_t, qemu_device_t;
')
getattr_chr_files_pattern($1, device_t, qemu_device_t)
')
########################################
## <summary>
## Set the attributes of the QEMU
## microcode and id interfaces.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_qemu_dev',`
gen_require(`
type device_t, qemu_device_t;
')
setattr_chr_files_pattern($1, device_t, qemu_device_t)
')
########################################
## <summary>
## Read the QEMU device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_qemu',`
gen_require(`
type device_t, qemu_device_t;
')
read_chr_files_pattern($1, device_t, qemu_device_t)
')
########################################
## <summary>
## Read and write the the QEMU device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_qemu',`
gen_require(`
type device_t, qemu_device_t;
')
rw_chr_files_pattern($1, device_t, qemu_device_t)
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
add portage from gentoo
2006-01-18 14:48:24 +00:00
## Read from random number generator
Improve the documentation of devices interfaces: dev_node() dev_read_rand() dev_read_urand() dev_read_sysfs()
2010-03-02 15:24:24 +00:00
## devices (e.g., /dev/random).
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
Improve the documentation of devices interfaces: dev_node() dev_read_rand() dev_read_urand() dev_read_sysfs()
2010-03-02 15:24:24 +00:00
## <desc>
## <p>
## Allow the specified domain to read from random number
## generator devices (e.g., /dev/random). Typically this is
## used in situations when a cryptographically secure random
## number is needed.
## </p>
## <p>
## Related interface:
## </p>
## <ul>
## <li>dev_read_urand()</li>
## </ul>
## </desc>
update for new documentation method
2005-06-23 21:30:57 +00:00
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
Improve the documentation of devices interfaces: dev_node() dev_read_rand() dev_read_urand() dev_read_sysfs()
2010-03-02 15:24:24 +00:00
## <infoflow type="read" weight="10"/>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_read_rand',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, random_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_chr_files_pattern($1, device_t, random_device_t)
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
add portage from gentoo
2006-01-18 14:48:24 +00:00
########################################
## <summary>
## Do not audit attempts to read from random
## number generator devices (e.g., /dev/random)
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add portage from gentoo
2006-01-18 14:48:24 +00:00
## </param>
#
interface(`dev_dontaudit_read_rand',`
gen_require(`
type random_device_t;
')
dontaudit $1 random_device_t:chr_file { getattr read };
')
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
########################################
## <summary>
## Do not audit attempts to append to random
## number generator devices (e.g., /dev/random)
## </summary>
## <param name="domain">
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
## </summary>
## </param>
#
interface(`dev_dontaudit_append_rand',`
gen_require(`
type random_device_t;
')
dontaudit $1 random_device_t:chr_file append_chr_file_perms;
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Write to the random device (e.g., /dev/random). This adds
## entropy used to generate the random data read from the
## random device.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_write_rand',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, random_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
write_chr_files_pattern($1, device_t, random_device_t)
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
initial commit
2005-04-14 20:18:17 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read the realtime clock (/dev/rtc).
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_read_realtime_clock',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, clock_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_chr_files_pattern($1, device_t, clock_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Set the realtime clock (/dev/rtc).
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_write_realtime_clock',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, clock_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
write_chr_files_pattern($1, device_t, clock_device_t)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 clock_device_t:chr_file setattr;
initial commit
2005-04-14 20:18:17 +00:00
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read and set the realtime clock (/dev/rtc).
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_rw_realtime_clock',`
dev_read_realtime_clock($1)
dev_write_realtime_clock($1)
initial commit
2005-04-14 20:18:17 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Get the attributes of the scanner device.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_getattr_scanner_dev',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, scanner_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_chr_files_pattern($1, device_t, scanner_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Do not audit attempts to get the attributes of
## the scanner device.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_dontaudit_getattr_scanner_dev',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type scanner_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
dontaudit $1 scanner_device_t:chr_file getattr;
initial commit
2005-04-14 20:18:17 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Set the attributes of the scanner device.
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
## </param>
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_setattr_scanner_dev',`
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, scanner_device_t;
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
setattr_chr_files_pattern($1, device_t, scanner_device_t)
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
')
########################################
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Do not audit attempts to set the attributes of
## the scanner device.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_dontaudit_setattr_scanner_dev',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type scanner_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
dontaudit $1 scanner_device_t:chr_file setattr;
initial commit
2005-04-14 20:18:17 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read and write the scanner device.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
interface(`dev_rw_scanner',`
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, scanner_device_t;
remove remaining _depend macros to prep for switchover to interface declaration macro
2005-06-22 16:07:14 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, scanner_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Get the attributes of the sound devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_getattr_sound_dev',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, sound_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_chr_files_pattern($1, device_t, sound_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Set the attributes of the sound devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_setattr_sound_dev',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, sound_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
setattr_chr_files_pattern($1, device_t, sound_device_t)
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read the sound devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_read_sound',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, sound_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_chr_files_pattern($1, device_t, sound_device_t)
kernel: Add map permission to the dev_{read, write}_sound* interfaces sds already added it to dev_read_sound_mixer, but it's also needed in the other interfaces.
2017-09-12 02:11:16 +00:00
allow $1 sound_device_t:chr_file map;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Write the sound devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_write_sound',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, sound_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
write_chr_files_pattern($1, device_t, sound_device_t)
kernel: Add map permission to the dev_{read, write}_sound* interfaces sds already added it to dev_read_sound_mixer, but it's also needed in the other interfaces.
2017-09-12 02:11:16 +00:00
allow $1 sound_device_t:chr_file map;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Read the sound mixer devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_read_sound_mixer',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, sound_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_chr_files_pattern($1, device_t, sound_device_t)
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
allow $1 sound_device_t:chr_file map;
initial commit
2005-04-14 20:18:17 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Write the sound mixer devices.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_write_sound_mixer',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
type device_t, sound_device_t;
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
write_chr_files_pattern($1, device_t, sound_device_t)
kernel: Add map permission to the dev_{read, write}_sound* interfaces sds already added it to dev_read_sound_mixer, but it's also needed in the other interfaces.
2017-09-12 02:11:16 +00:00
allow $1 sound_device_t:chr_file map;
initial commit
2005-04-14 20:18:17 +00:00
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Get the attributes of the the power management device.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_getattr_power_mgmt_dev',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type device_t, power_device_t;
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_chr_files_pattern($1, device_t, power_device_t)
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Set the attributes of the the power management device.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_setattr_power_mgmt_dev',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type device_t, power_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
setattr_chr_files_pattern($1, device_t, power_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Read and write the the power management device.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
initial commit
2005-04-14 20:18:17 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_rw_power_management',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type device_t, power_device_t;
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, power_device_t)
initial commit
2005-04-14 20:18:17 +00:00
')
trunk: 5 patches from dan
2007-06-11 15:01:10 +00:00
########################################
## <summary>
## Getattr on smartcard devices
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_smartcard_dev',`
gen_require(`
type smartcard_device_t;
')
allow $1 smartcard_device_t:chr_file getattr;
')
########################################
## <summary>
## dontaudit getattr on smartcard devices
## </summary>
## <param name="domain">
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
trunk: 5 patches from dan
2007-06-11 15:01:10 +00:00
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_smartcard_dev',`
gen_require(`
type smartcard_device_t;
')
dontaudit $1 smartcard_device_t:chr_file getattr;
')
########################################
## <summary>
## Read and write smartcard devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_smartcard',`
gen_require(`
type device_t, smartcard_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, smartcard_device_t)
trunk: 5 patches from dan
2007-06-11 15:01:10 +00:00
')
########################################
## <summary>
## Create, read, write, and delete smartcard devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_smartcard',`
gen_require(`
type device_t, smartcard_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_chr_files_pattern($1, device_t, smartcard_device_t)
trunk: 5 patches from dan
2007-06-11 15:01:10 +00:00
')
kernel: missing permissions for confined execution This patch adds missing permissions in the kernel module that prevent to run it without the unconfined module. This second version improves the comment section of new interfaces: "Domain" is replaced by "Domain allowed access". Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2016-12-18 20:58:44 +00:00
########################################
## <summary>
## Mount a filesystem on sysfs.
## </summary>
## <param name="domain">
## <summary>
## Domain allow access.
## </summary>
## </param>
#
interface(`dev_mounton_sysfs',`
gen_require(`
type device_t;
')
allow $1 sysfs_t:dir mounton;
')
Pull in devices changes from Fedora.
2011-03-07 15:47:09 +00:00
########################################
## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
## <summary>
## The type of the file to be associated to sysfs.
## </summary>
## </param>
#
interface(`dev_associate_sysfs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:filesystem associate;
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Interface documentation standardization patch from Dan Walsh.
2010-08-02 13:22:09 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_getattr_sysfs_dirs',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type sysfs_t;
')
change over to some perm set macros. add indentation
2005-06-03 12:25:14 +00:00
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 sysfs_t:dir getattr_dir_perms;
initial commit
2005-04-14 20:18:17 +00:00
')
add some file_t interfaces, and console write
2005-05-31 21:25:45 +00:00
The security_t file system can be at /sys/fs/selinux Because it is no longer a top-level file system, we need to enhance some of the interfaces with the appropriate rights towards sysfs_t. First set to allow getattr rights on the file system, which now also means getattr on the sysfs_t file system as well as search privileges in sysfs_t. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-04-11 18:01:41 +00:00
########################################
## <summary>
## Get the attributes of sysfs filesystem
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_sysfs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:filesystem getattr;
')
systemd-nspawn again This patch doesn't do everything that is needed to have systemd-nspawn work. But it does everything that is needed and which I have written in a clear and uncontroversial way. I think it's best to get this upstream now and then either have a separate discussion about the more difficult issues, or wait until I devise a way of solving those problems that's not too hacky. Who knows, maybe someone else will devise a brilliant solution to the remaining issues after this is accepted upstream. Also there's a tiny patch for systemd_machined_t that is required by systemd_nspawn_t. Description: systemd-nspawn Author: Russell Coker <russell@coker.com.au> Last-Update: 2017-03-29
2017-04-01 16:08:42 +00:00
########################################
## <summary>
## mount a sysfs filesystem
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_mount_sysfs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:filesystem mount;
')
Dontaudit access on security_t file system at /sys/fs/selinux Second part of the support of security_t under /sys/fs/selinux - when asked not to audit getting attributes on the selinux file system, have this propagate to the sysfs parts as well. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-04-11 18:01:42 +00:00
########################################
## <summary>
## Do not audit getting the attributes of sysfs filesystem
## </summary>
## <param name="domain">
## <summary>
## Domain to dontaudit access from
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_sysfs',`
gen_require(`
type sysfs_t;
')
dontaudit $1 sysfs_t:filesystem getattr;
')
systemd-nspawn again This patch doesn't do everything that is needed to have systemd-nspawn work. But it does everything that is needed and which I have written in a clear and uncontroversial way. I think it's best to get this upstream now and then either have a separate discussion about the more difficult issues, or wait until I devise a way of solving those problems that's not too hacky. Who knows, maybe someone else will devise a brilliant solution to the remaining issues after this is accepted upstream. Also there's a tiny patch for systemd_machined_t that is required by systemd_nspawn_t. Description: systemd-nspawn Author: Russell Coker <russell@coker.com.au> Last-Update: 2017-03-29
2017-04-01 16:08:42 +00:00
########################################
## <summary>
## mounton sysfs directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_mounton_sysfs_dirs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir mounton;
')
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
more cleanup of current TODOs
2005-07-12 20:34:24 +00:00
## Search the sysfs directories.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Interface documentation standardization patch from Dan Walsh.
2010-08-02 13:22:09 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_search_sysfs',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type sysfs_t;
')
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
search_dirs_pattern($1, sysfs_t, sysfs_t)
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
')
clean up more todos
2005-06-29 20:53:53 +00:00
########################################
## <summary>
## Do not audit attempts to search sysfs.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
clean up more todos
2005-06-29 20:53:53 +00:00
## </param>
#
interface(`dev_dontaudit_search_sysfs',`
gen_require(`
type sysfs_t;
')
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
dontaudit $1 sysfs_t:dir search_dir_perms;
clean up more todos
2005-06-29 20:53:53 +00:00
')
more cleanup of current TODOs
2005-07-12 20:34:24 +00:00
########################################
## <summary>
## List the contents of the sysfs directories.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Interface documentation standardization patch from Dan Walsh.
2010-08-02 13:22:09 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more cleanup of current TODOs
2005-07-12 20:34:24 +00:00
## </param>
#
interface(`dev_list_sysfs',`
gen_require(`
type sysfs_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
list_dirs_pattern($1, sysfs_t, sysfs_t)
more cleanup of current TODOs
2005-07-12 20:34:24 +00:00
')
six trivial patches from dan for iptables, netutils, ipsec, devices, filesystem and cpuspeed
2007-03-26 20:47:29 +00:00
########################################
## <summary>
## Write in a sysfs directories.
## </summary>
## <param name="domain">
## <summary>
Interface documentation standardization patch from Dan Walsh.
2010-08-02 13:22:09 +00:00
## Domain allowed access.
six trivial patches from dan for iptables, netutils, ipsec, devices, filesystem and cpuspeed
2007-03-26 20:47:29 +00:00
## </summary>
## </param>
#
# cjp: added for cpuspeed
interface(`dev_write_sysfs_dirs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir write;
')
dontaudit mount writes to newly mounted filesystems As of util-linux-n 2.18, the mount utility now attempts to write to the root of newly mounted filesystems. It does this in an attempt to ensure that the r/w status of a filesystem as shown in mtab is correct. To detect whether a filesystem is r/w, mount calls access() with the W_OK argument. This results in an AVC denial with current policy. As a fallback, mount also attempts to modify the access time of the directory being mounted on if the call to access() fails. As mount already possesses the necessary privileges, the modification of the access time succeeds (at least on systems with the futimens() function, which has existed in linux since kernel 2.6.22 and glibc since version 2.6, or about July 2007). Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-11-09 01:25:31 +00:00
########################################
## <summary>
## Do not audit attempts to write in a sysfs directory.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_write_sysfs_dirs',`
gen_require(`
type sysfs_t;
')
dontaudit $1 sysfs_t:dir write;
')
Pull in devices changes from Fedora.
2011-03-07 15:47:09 +00:00
########################################
## <summary>
## Create, read, write, and delete sysfs
## directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_sysfs_dirs',`
gen_require(`
type sysfs_t;
')
manage_dirs_pattern($1, sysfs_t, sysfs_t)
')
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
Improve the documentation of devices interfaces: dev_node() dev_read_rand() dev_read_urand() dev_read_sysfs()
2010-03-02 15:24:24 +00:00
## Read hardware state information.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
Improve the documentation of devices interfaces: dev_node() dev_read_rand() dev_read_urand() dev_read_sysfs()
2010-03-02 15:24:24 +00:00
## <desc>
## <p>
## Allow the specified domain to read the contents of
## the sysfs filesystem. This filesystem contains
## information, parameters, and other settings on the
## hardware installed on the system.
## </p>
## </desc>
update for new documentation method
2005-06-23 21:30:57 +00:00
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Improve the documentation of devices interfaces: dev_node() dev_read_rand() dev_read_urand() dev_read_sysfs()
2010-03-02 15:24:24 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
Improve the documentation of devices interfaces: dev_node() dev_read_rand() dev_read_urand() dev_read_sysfs()
2010-03-02 15:24:24 +00:00
## <infoflow type="read" weight="10"/>
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_read_sysfs',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type sysfs_t;
')
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_files_pattern($1, sysfs_t, sysfs_t)
read_lnk_files_pattern($1, sysfs_t, sysfs_t)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
list_dirs_pattern($1, sysfs_t, sysfs_t)
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Allow caller to modify hardware state information.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_rw_sysfs',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type sysfs_t;
')
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_files_pattern($1, sysfs_t, sysfs_t)
read_lnk_files_pattern($1, sysfs_t, sysfs_t)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
list_dirs_pattern($1, sysfs_t, sysfs_t)
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
')
kmod, lvm, brctl patches from Russell Coker Patches for modutils, at least one of which is needed to generate an initramfs on Debian. Patch to allow lvm to talk to fifos from dpkg_script_t for postinst scripts etc. Patch for brctl to allow it to create sysfs files.
2017-04-19 01:17:36 +00:00
########################################
## <summary>
## Add a sysfs file
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_sysfs_files',`
gen_require(`
type sysfs_t;
')
create_files_pattern($1, sysfs_t, sysfs_t)
')
Systemd fixes from Russell Coker.
2017-02-24 01:03:23 +00:00
########################################
## <summary>
## Relabel hardware state directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabel_sysfs_dirs',`
gen_require(`
type sysfs_t;
')
relabel_dirs_pattern($1, sysfs_t, sysfs_t)
')
Add TSS Core Services (TCS) daemon (tcsd) policy Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2011-01-31 19:17:00 +00:00
########################################
## <summary>
Add sysfs_types attribute. Collect all types used to label sysfs entries.
2015-10-20 17:23:35 +00:00
## Relabel from/to all sysfs types.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabel_all_sysfs',`
gen_require(`
attribute sysfs_types;
')
allow $1 sysfs_types:dir { list_dir_perms relabel_dir_perms };
allow $1 sysfs_types:file relabel_file_perms;
allow $1 sysfs_types:lnk_file relabel_lnk_file_perms;
')
########################################
## <summary>
Add TSS Core Services (TCS) daemon (tcsd) policy Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2011-01-31 19:17:00 +00:00
## Read and write the TPM device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_tpm',`
gen_require(`
type device_t, tpm_device_t;
')
rw_chr_files_pattern($1, device_t, tpm_device_t)
')
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
########################################
## <summary>
Improve the documentation of devices interfaces: dev_node() dev_read_rand() dev_read_urand() dev_read_sysfs()
2010-03-02 15:24:24 +00:00
## Read from pseudo random number generator devices (e.g., /dev/urandom).
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## </summary>
Improve the documentation of devices interfaces: dev_node() dev_read_rand() dev_read_urand() dev_read_sysfs()
2010-03-02 15:24:24 +00:00
## <desc>
## <p>
## Allow the specified domain to read from pseudo random number
## generator devices (e.g., /dev/urandom). Typically this is
## used in situations when a cryptographically secure random
## number is not necessarily needed. One example is the Stack
## Smashing Protector (SSP, formerly known as ProPolice) support
## that may be compiled into programs.
## </p>
## <p>
## Related interface:
## </p>
## <ul>
## <li>dev_read_rand()</li>
## </ul>
## <p>
## Related tunable:
## </p>
## <ul>
## <li>global_ssp</li>
## </ul>
## </desc>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## </param>
Improve the documentation of devices interfaces: dev_node() dev_read_rand() dev_read_urand() dev_read_sysfs()
2010-03-02 15:24:24 +00:00
## <infoflow type="read" weight="10"/>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
#
interface(`dev_read_urand',`
gen_require(`
type device_t, urandom_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_chr_files_pattern($1, device_t, urandom_device_t)
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
')
add watchdog, bug 1662
2006-04-28 20:20:40 +00:00
########################################
## <summary>
## Do not audit attempts to read from pseudo
## random devices (e.g., /dev/urandom)
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_read_urand',`
gen_require(`
type urandom_device_t;
')
dontaudit $1 urandom_device_t:chr_file { getattr read };
')
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
########################################
## <summary>
## Write to the pseudo random device (e.g., /dev/urandom). This
## sets the random number generator seed.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## </param>
#
interface(`dev_write_urand',`
gen_require(`
type device_t, urandom_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
write_chr_files_pattern($1, device_t, urandom_device_t)
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
')
patch from dan Wed, 29 Mar 2006 15:32:51 -0500
2006-03-30 15:59:39 +00:00
########################################
## <summary>
## Getattr generic the USB devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_generic_usb_dev',`
gen_require(`
type usb_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_chr_files_pattern($1, device_t, usb_device_t)
patch from dan Wed, 29 Mar 2006 15:32:51 -0500
2006-03-30 15:59:39 +00:00
')
########################################
## <summary>
## Setattr generic the USB devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_generic_usb_dev',`
gen_require(`
type usb_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
setattr_chr_files_pattern($1, device_t, usb_device_t)
patch from dan Wed, 29 Mar 2006 15:32:51 -0500
2006-03-30 15:59:39 +00:00
')
trunk: devices patch from dan.
2009-03-05 15:36:41 +00:00
########################################
## <summary>
## Read generic the USB devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_generic_usb_dev',`
gen_require(`
type usb_device_t;
')
read_chr_files_pattern($1, device_t, usb_device_t)
')
For virtd Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 18:39:44 +00:00
########################################
## <summary>
Rearrange devices interfaces.
2012-10-30 20:11:32 +00:00
## Read and write generic the USB devices.
For virtd Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 18:39:44 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
Rearrange devices interfaces.
2012-10-30 20:11:32 +00:00
interface(`dev_rw_generic_usb_dev',`
For virtd Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 18:39:44 +00:00
gen_require(`
Rearrange devices interfaces.
2012-10-30 20:11:32 +00:00
type device_t, usb_device_t;
For virtd Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 18:39:44 +00:00
')
Rearrange devices interfaces.
2012-10-30 20:11:32 +00:00
rw_chr_files_pattern($1, device_t, usb_device_t)
For virtd Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-10-30 18:39:44 +00:00
')
patch from dan Tue, 14 Feb 2006 09:01:16 -0500
2006-02-16 19:32:13 +00:00
########################################
## <summary>
Rearrange devices interfaces.
2012-10-30 20:11:32 +00:00
## Relabel generic the USB devices.
patch from dan Tue, 14 Feb 2006 09:01:16 -0500
2006-02-16 19:32:13 +00:00
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
Rearrange devices interfaces.
2012-10-30 20:11:32 +00:00
interface(`dev_relabel_generic_usb_dev',`
patch from dan Tue, 14 Feb 2006 09:01:16 -0500
2006-02-16 19:32:13 +00:00
gen_require(`
Rearrange devices interfaces.
2012-10-30 20:11:32 +00:00
type usb_device_t;
patch from dan Tue, 14 Feb 2006 09:01:16 -0500
2006-02-16 19:32:13 +00:00
')
Rearrange devices interfaces.
2012-10-30 20:11:32 +00:00
relabel_chr_files_pattern($1, device_t, usb_device_t)
patch from dan Tue, 14 Feb 2006 09:01:16 -0500
2006-02-16 19:32:13 +00:00
')
Devices patch from Dan Walsh. vhost_device_t added for libvirt/qemu /dev/usbmon device added lots of new interfaces.
2010-06-07 13:20:18 +00:00
########################################
## <summary>
## Read USB monitor devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_usbmon_dev',`
gen_require(`
type device_t, usbmon_device_t;
')
read_chr_files_pattern($1, device_t, usbmon_device_t)
')
Pull in devices changes from Fedora.
2011-03-07 15:47:09 +00:00
########################################
## <summary>
## Write USB monitor devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_usbmon_dev',`
gen_require(`
type device_t, usbmon_device_t;
')
write_chr_files_pattern($1, device_t, usbmon_device_t)
')
more work on current modules
2005-06-30 18:54:08 +00:00
########################################
## <summary>
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Interface documentation standardization patch from Dan Walsh.
2010-08-02 13:22:09 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more work on current modules
2005-06-30 18:54:08 +00:00
## </param>
#
interface(`dev_mount_usbfs',`
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:filesystem mount;
')
fixes
2005-10-25 02:51:07 +00:00
########################################
## <summary>
fix documentation
2006-01-31 15:59:20 +00:00
## Associate a file to a usbfs filesystem.
fixes
2005-10-25 02:51:07 +00:00
## </summary>
fix documentation
2006-01-31 15:59:20 +00:00
## <param name="file_type">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
fix documentation
2006-01-31 15:59:20 +00:00
## The type of the file to be associated to usbfs.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
fixes
2005-10-25 02:51:07 +00:00
## </param>
#
interface(`dev_associate_usbfs',`
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:filesystem associate;
')
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
########################################
## <summary>
## Get the attributes of a directory in the usb filesystem.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
## </param>
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_getattr_usbfs_dirs',`
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
gen_require(`
type usbfs_t;
')
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
allow $1 usbfs_t:dir getattr_dir_perms;
another round of TODO cleanup
2005-07-08 20:44:57 +00:00
')
pile of sediff fixes
2005-11-08 22:00:30 +00:00
########################################
## <summary>
## Do not audit attempts to get the attributes
## of a directory in the usb filesystem.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
pile of sediff fixes
2005-11-08 22:00:30 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
pile of sediff fixes
2005-11-08 22:00:30 +00:00
## </param>
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_dontaudit_getattr_usbfs_dirs',`
pile of sediff fixes
2005-11-08 22:00:30 +00:00
gen_require(`
type usbfs_t;
')
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
dontaudit $1 usbfs_t:dir getattr_dir_perms;
pile of sediff fixes
2005-11-08 22:00:30 +00:00
')
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Search the directory containing USB hardware information.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Interface documentation standardization patch from Dan Walsh.
2010-08-02 13:22:09 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_search_usbfs',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type usbfs_t;
')
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
search_dirs_pattern($1, usbfs_t, usbfs_t)
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Allow caller to get a list of usb hardware.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_list_usbfs',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type usbfs_t;
')
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
getattr_files_pattern($1, usbfs_t, usbfs_t)
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
list_dirs_pattern($1, usbfs_t, usbfs_t)
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
')
second part of dans patch Tue, 11 Apr 2006 09:25:24 -0400
2006-04-12 16:58:23 +00:00
########################################
## <summary>
## Set the attributes of usbfs filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_usbfs_files',`
gen_require(`
type usbfs_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
setattr_files_pattern($1, usbfs_t, usbfs_t)
list_dirs_pattern($1, usbfs_t, usbfs_t)
second part of dans patch Tue, 11 Apr 2006 09:25:24 -0400
2006-04-12 16:58:23 +00:00
')
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Read USB hardware information using
## the usbfs filesystem interface.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Interface documentation standardization patch from Dan Walsh.
2010-08-02 13:22:09 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_read_usbfs',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type usbfs_t;
')
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_files_pattern($1, usbfs_t, usbfs_t)
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
list_dirs_pattern($1, usbfs_t, usbfs_t)
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
')
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Allow caller to modify usb hardware configuration files.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
Kernel layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-08-05 12:57:11 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_rw_usbfs',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type usbfs_t;
')
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
list_dirs_pattern($1, usbfs_t, usbfs_t)
rw_files_pattern($1, usbfs_t, usbfs_t)
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
## Get the attributes of video4linux devices.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more work on current modules
2005-06-30 18:54:08 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_getattr_video_dev',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type device_t, v4l_device_t;
')
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_chr_files_pattern($1, device_t, v4l_device_t)
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
')
Devices patch from Dan Walsh.
2010-03-04 20:30:22 +00:00
######################################
## <summary>
## Read and write userio device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_userio_dev',`
gen_require(`
type device_t, userio_device_t;
')
rw_chr_files_pattern($1, device_t, userio_device_t)
')
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
########################################
update for new documentation method
2005-06-23 21:30:57 +00:00
## <summary>
more work on current modules
2005-06-30 18:54:08 +00:00
## Do not audit attempts to get the attributes
## of video4linux device nodes.
update for new documentation method
2005-06-23 21:30:57 +00:00
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more work on current modules
2005-06-30 18:54:08 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more work on current modules
2005-06-30 18:54:08 +00:00
## </param>
#
interface(`dev_dontaudit_getattr_video_dev',`
gen_require(`
type v4l_device_t;
')
dontaudit $1 v4l_device_t:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of video4linux device nodes.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more work on current modules
2005-06-30 18:54:08 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
update for new documentation method
2005-06-23 21:30:57 +00:00
## </param>
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
#
move all interfaces over to the interface macro. add traceback debugging info
2005-06-22 19:21:31 +00:00
interface(`dev_setattr_video_dev',`
more work to clean up and complete current modules
2005-06-20 17:41:29 +00:00
gen_require(`
type device_t, v4l_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
setattr_chr_files_pattern($1, device_t, v4l_device_t)
move constraints interfaces to domain module. move sysfs and usbfs to devices module
2005-06-14 19:56:46 +00:00
')
more work on current modules
2005-06-30 18:54:08 +00:00
########################################
## <summary>
## Do not audit attempts to set the attributes
## of video4linux device nodes.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more work on current modules
2005-06-30 18:54:08 +00:00
## Domain to not audit.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more work on current modules
2005-06-30 18:54:08 +00:00
## </param>
#
interface(`dev_dontaudit_setattr_video_dev',`
gen_require(`
type v4l_device_t;
')
dontaudit $1 v4l_device_t:chr_file setattr;
')
add unconfined
2005-07-05 20:59:51 +00:00
add mplayer
2006-03-09 20:28:51 +00:00
########################################
## <summary>
## Read the video4linux devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_video_dev',`
gen_require(`
type device_t, v4l_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
read_chr_files_pattern($1, device_t, v4l_device_t)
add mplayer
2006-03-09 20:28:51 +00:00
')
Patch to begin separating out hald helper programs from Dan Walsh.
2007-05-07 17:57:48 +00:00
########################################
## <summary>
## Write the video4linux devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_video_dev',`
gen_require(`
type device_t, v4l_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
write_chr_files_pattern($1, device_t, v4l_device_t)
Patch to begin separating out hald helper programs from Dan Walsh.
2007-05-07 17:57:48 +00:00
')
Devices patch from Dan Walsh. vhost_device_t added for libvirt/qemu /dev/usbmon device added lots of new interfaces.
2010-06-07 13:20:18 +00:00
########################################
## <summary>
adds vfio device support to base policy Signed-off-by: Alexander Wetzel <alexander.wetzel@web.de>
2015-09-05 07:41:48 +00:00
## Read and write vfio devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_vfio_dev',`
gen_require(`
type device_t, vfio_device_t;
')
rw_chr_files_pattern($1, device_t, vfio_device_t)
')
########################################
## <summary>
## Relabel vfio devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabelfrom_vfio_dev',`
gen_require(`
type device_t, vfio_device_t;
')
relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
')
############################
## <summary>
Devices patch from Dan Walsh. vhost_device_t added for libvirt/qemu /dev/usbmon device added lots of new interfaces.
2010-06-07 13:20:18 +00:00
## Allow read/write the vhost net device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_vhost',`
gen_require(`
Pull in devices changes from Fedora.
2011-03-07 15:47:09 +00:00
type device_t, vhost_device_t;
Devices patch from Dan Walsh. vhost_device_t added for libvirt/qemu /dev/usbmon device added lots of new interfaces.
2010-06-07 13:20:18 +00:00
')
Pull in devices changes from Fedora.
2011-03-07 15:47:09 +00:00
rw_chr_files_pattern($1, device_t, vhost_device_t)
Devices patch from Dan Walsh. vhost_device_t added for libvirt/qemu /dev/usbmon device added lots of new interfaces.
2010-06-07 13:20:18 +00:00
')
add vmware, bug 1389
2006-04-26 18:18:15 +00:00
########################################
## <summary>
## Read and write VMWare devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_vmware',`
gen_require(`
type device_t, vmware_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, vmware_device_t)
add vmware, bug 1389
2006-04-26 18:18:15 +00:00
')
fixes for confined vmware sessions
2006-04-26 20:30:08 +00:00
########################################
## <summary>
## Read, write, and mmap VMWare devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rwx_vmware',`
gen_require(`
type device_t, vmware_device_t;
')
merge policy patterns to trunk
2006-12-12 20:08:08 +00:00
dev_rw_vmware($1)
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
allow $1 vmware_device_t:chr_file { map execute };
fixes for confined vmware sessions
2006-04-26 20:30:08 +00:00
')
Start pulling in kernel layer pieces from Fedora.
2011-03-29 14:33:43 +00:00
########################################
## <summary>
## Read from watchdog devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_watchdog',`
gen_require(`
type device_t, watchdog_device_t;
')
read_chr_files_pattern($1, device_t, watchdog_device_t)
')
add watchdog, bug 1662
2006-04-28 20:20:40 +00:00
########################################
## <summary>
## Write to watchdog devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_watchdog',`
gen_require(`
type device_t, watchdog_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
write_chr_files_pattern($1, device_t, watchdog_device_t)
add watchdog, bug 1662
2006-04-28 20:20:40 +00:00
')
Add devices patch from Dan Walsh.
2009-11-19 14:44:19 +00:00
########################################
## <summary>
## Read and write the the wireless device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_wireless',`
gen_require(`
type device_t, wireless_device_t;
')
rw_chr_files_pattern($1, device_t, wireless_device_t)
')
another version of systemd cgroups hostnamed and logind From Russell Coker
2017-03-25 17:45:37 +00:00
########################################
## <summary>
## manage the wireless device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_wireless',`
gen_require(`
type device_t, wireless_device_t;
')
manage_chr_files_pattern($1, device_t, wireless_device_t)
')
patch from dan Fri, 17 Mar 2006 15:22:53 -0500
2006-03-23 19:19:38 +00:00
########################################
## <summary>
## Read and write Xen devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_xen',`
gen_require(`
type device_t, xen_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, xen_device_t)
kernel/xen: Add map permission to the dev_rw_xen type=AVC msg=audit(1504637347.487:280): avc: denied { map } for pid=857 comm="xenconsoled" path="/dev/xen/privcmd" dev="devtmpfs" ino=16289 scontext=system_u:system_r:xenconsoled_t:s0 Without this we can't use xenconsole (client) to talk to xenconsoled (server). Signed-off-by: Konrad Rzeszutek Wilk <konrad@kernel.org>
2017-10-09 15:53:47 +00:00
allow $1 xen_device_t:chr_file map;
patch from dan Fri, 17 Mar 2006 15:22:53 -0500
2006-03-23 19:19:38 +00:00
')
########################################
## <summary>
## Create, read, write, and delete Xen devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_xen',`
gen_require(`
type device_t, xen_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
manage_chr_files_pattern($1, device_t, xen_device_t)
patch from dan Fri, 17 Mar 2006 15:22:53 -0500
2006-03-23 19:19:38 +00:00
')
########################################
## <summary>
## Automatic type transition to the type
## for xen device nodes when created in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
Add optional name for kernel and system filetrans interfaces.
2012-05-10 13:53:45 +00:00
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
patch from dan Fri, 17 Mar 2006 15:22:53 -0500
2006-03-23 19:19:38 +00:00
#
interface(`dev_filetrans_xen',`
gen_require(`
type device_t, xen_device_t;
')
Add optional name for kernel and system filetrans interfaces.
2012-05-10 13:53:45 +00:00
filetrans_pattern($1, device_t, xen_device_t, chr_file, $2)
patch from dan Fri, 17 Mar 2006 15:22:53 -0500
2006-03-23 19:19:38 +00:00
')
more upstream merging
2005-09-16 21:20:37 +00:00
########################################
## <summary>
## Get the attributes of X server miscellaneous devices.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more upstream merging
2005-09-16 21:20:37 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more upstream merging
2005-09-16 21:20:37 +00:00
## </param>
#
interface(`dev_getattr_xserver_misc_dev',`
gen_require(`
type device_t, xserver_misc_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
getattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
more upstream merging
2005-09-16 21:20:37 +00:00
')
########################################
## <summary>
## Set the attributes of X server miscellaneous devices.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
more upstream merging
2005-09-16 21:20:37 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
more upstream merging
2005-09-16 21:20:37 +00:00
## </param>
#
interface(`dev_setattr_xserver_misc_dev',`
gen_require(`
type device_t, xserver_misc_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
setattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
more upstream merging
2005-09-16 21:20:37 +00:00
')
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
########################################
## <summary>
## Read and write X server miscellaneous devices.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
## </param>
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_rw_xserver_misc',`
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
gen_require(`
type device_t, xserver_misc_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, xserver_misc_device_t)
login fixes and pieces of xserver
2006-01-19 21:04:33 +00:00
')
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
########################################
## <summary>
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## </param>
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_rw_zero',`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
gen_require(`
type device_t, zero_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
rw_chr_files_pattern($1, device_t, zero_device_t)
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
')
########################################
## <summary>
## Read, write, and execute the zero device (/dev/zero).
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
## </param>
#
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
interface(`dev_rwx_zero',`
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
gen_require(`
type zero_device_t;
')
renaming from 20060131 interface review
2006-01-31 16:08:56 +00:00
dev_rw_zero($1)
refpolicy: Define and allow map permission Kernel commit 6941857e82ae ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This refpolicy change defines map permission for refpolicy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33, < RHEL 6); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change only allows map permission as needed, e.g. only in the mmap_file_perms and exec_file_perms object permission sets (since map is always required there) and only in specific interfaces or modules where denials were observed in limited testing. It is important to note that effective use of this permission requires complete removal of unconfined, as otherwise unconfined domains will be able to map all file types and therefore bypass the intended protection. If we wanted to exclude map permission to all file types by default from unconfined, we would need to add it to the list of permissions excluded from files_unconfined_type in kernel/files.te. Policies that depend on this permission not being allowed to specific file types should also make use of neverallow rules to ensure that this is not undermined by any allow rule, and ensure that they are performing neverallow checking at policy build time (e.g. make validate) or runtime (e.g. semanage.conf expand-check=1). Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-05-24 19:40:18 +00:00
allow $1 zero_device_t:chr_file { map execute };
reorder in alpha order of type, for sanity purposes
2005-07-15 14:30:19 +00:00
')
add mplayer
2006-03-09 20:28:51 +00:00
########################################
## <summary>
## Execmod the zero device (/dev/zero).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_execmod_zero',`
gen_require(`
type zero_device_t;
')
dev_rw_zero($1)
allow $1 zero_device_t:chr_file execmod;
')
more testing fixes
2006-08-23 03:47:39 +00:00
########################################
## <summary>
## Create the zero device (/dev/zero).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_zero_dev',`
gen_require(`
type device_t, zero_device_t;
')
trunk: massive whitespace cleanup from dominick grift.
2008-07-23 21:38:39 +00:00
create_chr_files_pattern($1, device_t, zero_device_t)
more testing fixes
2006-08-23 03:47:39 +00:00
')
Support /sys/devices/system/cpu/online In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so we need to grant most domains read access to this file. As we don't want them to have read access on sysfs_t by default, create a new type (cpu_online_t) and assign it to the file, and grant domains read access to the file. This does require systems to relabel the file upon every boot, something distributions do in their bootup scripts, as /sys devices don't keep their context. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2014-03-25 20:30:06 +00:00
########################################
## <summary>
## Read cpu online hardware state information
## </summary>
## <desc>
## <p>
## Allow the specified domain to read /sys/devices/system/cpu/online
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_cpu_online',`
gen_require(`
type cpu_online_t;
')
allow $1 cpu_online_t:file read_file_perms;
dev_search_sysfs($1)
')
add unconfined
2005-07-05 20:59:51 +00:00
########################################
## <summary>
## Unconfined access to devices.
## </summary>
## <param name="domain">
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## <summary>
add unconfined
2005-07-05 20:59:51 +00:00
## Domain allowed access.
xml building changes, add desc tag to booleans, add summary tag to bools
2006-02-10 18:41:53 +00:00
## </summary>
add unconfined
2005-07-05 20:59:51 +00:00
## </param>
#
interface(`dev_unconfined',`
gen_require(`
move over to attributes for unconfined interfaces.
2006-04-10 21:04:51 +00:00
attribute devices_unconfined_type;
add unconfined
2005-07-05 20:59:51 +00:00
')
move over to attributes for unconfined interfaces.
2006-04-10 21:04:51 +00:00
typeattribute $1 devices_unconfined_type;
add unconfined
2005-07-05 20:59:51 +00:00
')