From 8d21fda96020f97ef0fd47fd30422c367b691d0e Mon Sep 17 00:00:00 2001
From: David Sugar
Date: Tue, 5 Sep 2017 14:17:50 +0000
Subject: [PATCH] Separate read and write interface for tun_tap_device_t

The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access). It is possible to open a tap device for only reading or only writing and this allows policy to match that use.

Signed-off-by: Dave Sugar
---
 policy/modules/kernel/corenetwork.if.in | 38 +++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index cc2052870..58c010fc8 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -2026,6 +2026,44 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
 dontaudit $1 rpc_port_type:tcp_socket name_connect; ') +######################################## +## +## Read the TUN/TAP virtual network device. +## +## +## +## The domain read allowed access. +## +## +# +interface(`corenet_read_tun_tap_dev',` + gen_require(` + type tun_tap_device_t; + ') + dev_list_all_dev_nodes($1) + allow $1 tun_tap_device_t:chr_file read_chr_file_perms; +') + ######################################## +## +## Write the TUN/TAP virtual network device. +## +## +## +## The domain allowed write access. +## +## +# +interface(`corenet_write_tun_tap_dev',` + gen_require(` + type tun_tap_device_t; + ') + dev_list_all_dev_nodes($1) + allow $1 tun_tap_device_t:chr_file write_chr_file_perms; +') ######################################## ## ## Read and write the TUN/TAP virtual network device.
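Review bot: The parameter summary of `corenet_read_tun_tap_dev` reads `The domain read allowed access.`, which is garbled and does not parallel the write interface's `The domain allowed write access.`; make it `The domain allowed read access.` so both new interfaces document their parameter the same way. It would also help policy authors for the two interface summaries to say that `read_chr_file_perms` and `write_chr_file_perms` in refpolicy's object permission sets both carry `ioctl`, so a domain given only the "read" interface still reaches the device's ioctl path (which is how a TUN/TAP interface is configured); the split these interfaces offer is over `read` versus `write`/`append`, not over device control. The body of the existing `corenet_rw_tun_tap_dev` lies outside the hunk, so whether the two new interfaces mirror it exactly (same `dev_list_all_dev_nodes` call and nothing else) cannot be confirmed from here.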