Add devices patch from Dan Walsh.
This commit is contained in:
parent
e276b8e5d0
commit
b51e8e0b42
|
@ -47,8 +47,10 @@
|
||||||
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
|
||||||
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
|
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
|
||||||
/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0)
|
/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0)
|
||||||
|
/dev/ksm -c gen_context(system_u:object_r:ksm_device_t,s0)
|
||||||
/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
|
/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
|
||||||
/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
|
/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
|
||||||
|
/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
|
||||||
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||||
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
|
||||||
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||||
|
@ -61,10 +63,12 @@
|
||||||
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
|
/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||||
|
/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
|
||||||
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
|
/dev/msr.* -c gen_context(system_u:object_r:cpu_device_t,s0)
|
||||||
/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
|
/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0)
|
||||||
/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
|
/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0)
|
||||||
|
/dev/noz.* -c gen_context(system_u:object_r:modem_device_t,s0)
|
||||||
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
|
/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||||
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
/dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||||
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
|
/dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
|
||||||
|
@ -82,6 +86,7 @@
|
||||||
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||||
/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
|
/dev/rfkill -c gen_context(system_u:object_r:wireless_device_t,s0)
|
||||||
/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
|
/dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
|
||||||
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
|
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
|
||||||
|
@ -101,7 +106,8 @@ ifdef(`distro_suse', `
|
||||||
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
|
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
|
||||||
')
|
')
|
||||||
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
/dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||||
|
/dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
|
||||||
/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
|
/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
|
||||||
/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
|
/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
|
||||||
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
|
||||||
|
@ -168,6 +174,7 @@ ifdef(`distro_gentoo',`
|
||||||
|
|
||||||
ifdef(`distro_redhat',`
|
ifdef(`distro_redhat',`
|
||||||
# originally from named.fc
|
# originally from named.fc
|
||||||
|
/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
|
||||||
/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
|
/var/named/chroot/dev/null -c gen_context(system_u:object_r:null_device_t,s0)
|
||||||
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||||
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
||||||
|
|
|
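Review bot: The changed spec `/dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)` (previously `/dev/vboxadd.*`) now matches every VirtualBox node, including host-side control nodes such as /dev/vboxdrv and /dev/vboxnetctl where they exist, and gives them the same label as the guest-additions node, so any domain granted the xserver-misc device interfaces would also reach the hypervisor driver. If only the guest-additions nodes were meant, keep `/dev/vboxadd.*` and add a separate spec for the host nodes; otherwise a dedicated type would keep the two privileges apart. Separately, the added `/dev/modem -c ...` entry only applies to a character node; on systems where /dev/modem is a symlink to a serial tty it has no effect, so an `-l` entry may be wanted as well (not verifiable from the page).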
@ -68,8 +68,8 @@ interface(`dev_relabel_all_dev_nodes',`
|
||||||
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
|
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
|
||||||
relabelfrom_fifo_files_pattern($1, device_t, device_node)
|
relabelfrom_fifo_files_pattern($1, device_t, device_node)
|
||||||
relabelfrom_sock_files_pattern($1, device_t, device_node)
|
relabelfrom_sock_files_pattern($1, device_t, device_node)
|
||||||
relabel_blk_files_pattern($1, device_t,{ device_t device_node })
|
relabel_blk_files_pattern($1, device_t, { device_t device_node })
|
||||||
relabel_chr_files_pattern($1, device_t,{ device_t device_node })
|
relabel_chr_files_pattern($1, device_t, { device_t device_node })
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -1690,6 +1690,78 @@ interface(`dev_read_kmsg',`
|
||||||
read_chr_files_pattern($1, device_t, kmsg_device_t)
|
read_chr_files_pattern($1, device_t, kmsg_device_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Get the attributes of the ksm devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_getattr_ksm_dev',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, ksm_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
getattr_chr_files_pattern($1, device_t, ksm_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Set the attributes of the ksm devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_setattr_ksm_dev',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, ksm_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
setattr_chr_files_pattern($1, device_t, ksm_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read the ksm devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_read_ksm',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, ksm_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
read_chr_files_pattern($1, device_t, ksm_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write to ksm devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_rw_ksm',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, ksm_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
rw_chr_files_pattern($1, device_t, ksm_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Get the attributes of the kvm devices.
|
## Get the attributes of the kvm devices.
|
||||||
|
@ -1762,6 +1834,61 @@ interface(`dev_rw_kvm',`
|
||||||
rw_chr_files_pattern($1, device_t, kvm_device_t)
|
rw_chr_files_pattern($1, device_t, kvm_device_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
######################################
|
||||||
|
## <summary>
|
||||||
|
## Read the lirc device.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_read_lirc',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, lirc_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
read_chr_files_pattern($1, device_t, lirc_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
######################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write the lirc device.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_rw_lirc',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, lirc_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
rw_chr_files_pattern($1, device_t, lirc_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
######################################
|
||||||
|
## <summary>
|
||||||
|
## Automatic type transition to the type
|
||||||
|
## for lirc device nodes when created in /dev.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_filetrans_lirc',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, lirc_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
filetrans_pattern($1, device_t, lirc_device_t, chr_file)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read the lvm comtrol device.
|
## Read the lvm comtrol device.
|
||||||
|
@ -1798,6 +1925,24 @@ interface(`dev_rw_lvm_control',`
|
||||||
rw_chr_files_pattern($1, device_t, lvm_control_t)
|
rw_chr_files_pattern($1, device_t, lvm_control_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Do not audit attempts to read and write lvm control device.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_dontaudit_rw_lvm_control',`
|
||||||
|
gen_require(`
|
||||||
|
type lvm_control_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
dontaudit $1 lvm_control_t:chr_file rw_file_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Delete the lvm control device.
|
## Delete the lvm control device.
|
||||||
|
@ -2044,6 +2189,78 @@ interface(`dev_dontaudit_rw_misc',`
|
||||||
dontaudit $1 misc_device_t:chr_file rw_file_perms;
|
dontaudit $1 misc_device_t:chr_file rw_file_perms;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Get the attributes of the modem devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_getattr_modem_dev',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, modem_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
getattr_chr_files_pattern($1, device_t, modem_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Set the attributes of the modem devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_setattr_modem_dev',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, modem_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
setattr_chr_files_pattern($1, device_t, modem_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read the modem devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_read_modem',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, modem_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
read_chr_files_pattern($1, device_t, modem_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write to modem devices.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_rw_modem',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, modem_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
rw_chr_files_pattern($1, device_t, modem_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Get the attributes of the mouse devices.
|
## Get the attributes of the mouse devices.
|
||||||
|
@ -2303,6 +2520,24 @@ interface(`dev_setattr_null_dev',`
|
||||||
setattr_chr_files_pattern($1, device_t, null_device_t)
|
setattr_chr_files_pattern($1, device_t, null_device_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Delete the null device (/dev/null).
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_delete_null',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, null_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
delete_chr_files_pattern($1, device_t, null_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write to the null device (/dev/null).
|
## Read and write to the null device (/dev/null).
|
||||||
|
@ -3597,6 +3832,24 @@ interface(`dev_write_watchdog',`
|
||||||
write_chr_files_pattern($1, device_t, watchdog_device_t)
|
write_chr_files_pattern($1, device_t, watchdog_device_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read and write the the wireless device.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`dev_rw_wireless',`
|
||||||
|
gen_require(`
|
||||||
|
type device_t, wireless_device_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
rw_chr_files_pattern($1, device_t, wireless_device_t)
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read and write Xen devices.
|
## Read and write Xen devices.
|
||||||
|
|
|
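Review bot: The summary of the new `dev_rw_wireless` interface reads `## Read and write the the wireless device.` with a duplicated "the"; it should be `## Read and write the wireless device.`. The three new lirc interfaces (`dev_read_lirc`, `dev_rw_lirc`, `dev_filetrans_lirc`) open with a 38-character `######` banner while every other interface in the file, including the new ksm, modem, null and lvm ones in this commit, uses the 40-character one; match the file's banner width. Minor: ksm and modem receive the full getattr/setattr/read/rw set while lirc gets read/rw/filetrans and wireless only rw; if that asymmetry is intentional it is fine, otherwise matching getattr/read variants would keep the module uniform.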
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(devices, 1.9.0)
|
policy_module(devices, 1.9.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -83,6 +83,12 @@ dev_node(ipmi_device_t)
|
||||||
type kmsg_device_t;
|
type kmsg_device_t;
|
||||||
dev_node(kmsg_device_t)
|
dev_node(kmsg_device_t)
|
||||||
|
|
||||||
|
#
|
||||||
|
# ksm_device_t is the type of /dev/ksm
|
||||||
|
#
|
||||||
|
type ksm_device_t;
|
||||||
|
dev_node(ksm_device_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# kvm_device_t is the type of
|
# kvm_device_t is the type of
|
||||||
# /dev/kvm
|
# /dev/kvm
|
||||||
|
@ -90,6 +96,12 @@ dev_node(kmsg_device_t)
|
||||||
type kvm_device_t;
|
type kvm_device_t;
|
||||||
dev_node(kvm_device_t)
|
dev_node(kvm_device_t)
|
||||||
|
|
||||||
|
#
|
||||||
|
# Type for /dev/lirc
|
||||||
|
#
|
||||||
|
type lirc_device_t;
|
||||||
|
dev_node(lirc_device_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# Type for /dev/mapper/control
|
# Type for /dev/mapper/control
|
||||||
#
|
#
|
||||||
|
@ -109,6 +121,12 @@ neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_f
|
||||||
type misc_device_t;
|
type misc_device_t;
|
||||||
dev_node(misc_device_t)
|
dev_node(misc_device_t)
|
||||||
|
|
||||||
|
#
|
||||||
|
# A general type for modem devices.
|
||||||
|
#
|
||||||
|
type modem_device_t;
|
||||||
|
dev_node(modem_device_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# A more general type for mouse devices.
|
# A more general type for mouse devices.
|
||||||
#
|
#
|
||||||
|
@ -224,6 +242,12 @@ dev_node(vmware_device_t)
|
||||||
type watchdog_device_t;
|
type watchdog_device_t;
|
||||||
dev_node(watchdog_device_t)
|
dev_node(watchdog_device_t)
|
||||||
|
|
||||||
|
#
|
||||||
|
# wireless control devices
|
||||||
|
#
|
||||||
|
type wireless_device_t;
|
||||||
|
dev_node(wireless_device_t)
|
||||||
|
|
||||||
type xen_device_t;
|
type xen_device_t;
|
||||||
dev_node(xen_device_t)
|
dev_node(xen_device_t)
|
||||||
|
|
||||||
|
|
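Review bot: The comment on the new lirc type, `# Type for /dev/lirc`, does not match the file context added in devices.fc in this commit, which is `/dev/lirc[0-9]+` and therefore labels only numbered nodes; a bare /dev/lirc node would keep the generic device_t label. Either widen the spec to `/dev/lirc[0-9]*` or make the comment say `# Type for /dev/lirc[0-9]+` so the two files agree. The other new type comments (ksm, modem, wireless) do match their .fc entries.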