##
## Enable polyinstantiated directory support.
diff --git a/policy/modules/admin/ddcprobe.te b/policy/modules/admin/ddcprobe.te
index 212316cbf..da97c257b 100644
--- a/policy/modules/admin/ddcprobe.te
+++ b/policy/modules/admin/ddcprobe.te
@@ -31,8 +31,8 @@ corecmd_list_bin(ddcprobe_t)
corecmd_exec_bin(ddcprobe_t)
dev_read_urand(ddcprobe_t)
-dev_read_raw_memory(ddcprobe_t)
-dev_wx_raw_memory(ddcprobe_t)
+dev_read_raw_memory_cond(ddcprobe_t, allow_raw_memory_access)
+dev_wx_raw_memory_cond(ddcprobe_t, allow_raw_memory_access)
files_read_etc_files(ddcprobe_t)
files_read_etc_runtime_files(ddcprobe_t)
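Review bot: The tunable `allow_raw_memory_access` that the new `dev_read_raw_memory_cond` / `dev_wx_raw_memory_cond` calls depend on is not declared in any hunk shown here; unless the commit also adds `gen_tunable(allow_raw_memory_access, false)` (with its `<desc>` doc block) to devices.te or another always-built module, every `tunable_policy` expansion references an undefined boolean and the policy will not build. The same applies to the mcelog, sosreport, vbetool, vmware, abrt and logging hunks below. The default must be `false`, since the intent of the conversion is that these domains lose /dev/mem and `sys_rawio` until an administrator opts in. The commit message ("Enable polyinstantiated directory support") does not describe this change and looks like it belongs to a different commit.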
diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
index 9da3529f5..55fdb5f29 100644
--- a/policy/modules/admin/dmidecode.te
+++ b/policy/modules/admin/dmidecode.te
@@ -20,7 +20,6 @@ role dmidecode_roles types dmidecode_t;
allow dmidecode_t self:capability sys_rawio;
-dev_read_raw_memory(dmidecode_t)
dev_read_sysfs(dmidecode_t)
domain_use_interactive_fds(dmidecode_t)
diff --git a/policy/modules/admin/kudzu.te b/policy/modules/admin/kudzu.te
index f088963fe..44f2d091a 100644
--- a/policy/modules/admin/kudzu.te
+++ b/policy/modules/admin/kudzu.te
@@ -56,8 +56,6 @@ corecmd_exec_all_executables(kudzu_t)
dev_list_sysfs(kudzu_t)
dev_read_usbfs(kudzu_t)
dev_read_sysfs(kudzu_t)
-dev_rx_raw_memory(kudzu_t)
-dev_wx_raw_memory(kudzu_t)
dev_rw_mouse(kudzu_t)
dev_rwx_zero(kudzu_t)
diff --git a/policy/modules/admin/mcelog.te b/policy/modules/admin/mcelog.te
index aa40b8493..a9e25e3b4 100644
--- a/policy/modules/admin/mcelog.te
+++ b/policy/modules/admin/mcelog.te
@@ -84,7 +84,7 @@ files_pid_filetrans(mcelog_t, mcelog_runtime_t, { dir file sock_file })
kernel_read_system_state(mcelog_t)
-dev_read_raw_memory(mcelog_t)
+dev_read_raw_memory_cond(mcelog_t, allow_raw_memory_access)
dev_read_kmsg(mcelog_t)
dev_rw_cpu_microcode(mcelog_t)
dev_rw_sysfs(mcelog_t)
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 15f249e88..8384028a1 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -139,7 +139,6 @@ corenet_tcp_connect_all_ports(rpm_t)
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
-dev_read_raw_memory(rpm_t)
dev_manage_all_dev_nodes(rpm_t)
dev_relabel_all_dev_nodes(rpm_t)
diff --git a/policy/modules/admin/sosreport.te b/policy/modules/admin/sosreport.te
index 85e0f62ba..6818646db 100644
--- a/policy/modules/admin/sosreport.te
+++ b/policy/modules/admin/sosreport.te
@@ -67,7 +67,7 @@ dev_getattr_all_blk_files(sosreport_t)
dev_getattr_mtrr_dev(sosreport_t)
dev_read_rand(sosreport_t)
dev_read_urand(sosreport_t)
-dev_read_raw_memory(sosreport_t)
+dev_read_raw_memory_cond(sosreport_t, allow_raw_memory_access)
dev_read_sysfs(sosreport_t)
dev_rw_generic_usb_dev(sosreport_t)
diff --git a/policy/modules/admin/tboot.te b/policy/modules/admin/tboot.te
index 57b55ee9d..f6773ce8a 100644
--- a/policy/modules/admin/tboot.te
+++ b/policy/modules/admin/tboot.te
@@ -18,7 +18,5 @@ role txtstat_roles types txtstat_t;
# Local policy
#
-dev_read_raw_memory(txtstat_t)
-
domain_use_interactive_fds(txtstat_t)
userdom_use_user_terminals(txtstat_t)
diff --git a/policy/modules/admin/vbetool.te b/policy/modules/admin/vbetool.te
index b3757d029..d8215f27d 100644
--- a/policy/modules/admin/vbetool.te
+++ b/policy/modules/admin/vbetool.te
@@ -29,8 +29,8 @@ role vbetool_roles types vbetool_t;
allow vbetool_t self:capability { dac_override sys_admin sys_tty_config };
allow vbetool_t self:process execmem;
-dev_wx_raw_memory(vbetool_t)
-dev_read_raw_memory(vbetool_t)
+dev_wx_raw_memory_cond(vbetool_t, allow_raw_memory_access)
+dev_read_raw_memory_cond(vbetool_t, allow_raw_memory_access)
dev_rwx_zero(vbetool_t)
dev_rw_sysfs(vbetool_t)
dev_rw_xserver_misc(vbetool_t)
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 66cfc4d57..f51dcc274 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -221,8 +221,8 @@ kernel_read_kernel_sysctls(vmware_t)
corecmd_exec_bin(vmware_t)
corecmd_exec_shell(vmware_t)
-dev_read_raw_memory(vmware_t)
-dev_write_raw_memory(vmware_t)
+dev_read_raw_memory_cond(vmware_t, allow_raw_memory_access)
+dev_write_raw_memory_cond(vmware_t, allow_raw_memory_access)
dev_read_mouse(vmware_t)
dev_write_sound(vmware_t)
dev_read_realtime_clock(vmware_t)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index f525cf2a3..424d3d3d5 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2737,6 +2737,9 @@ interface(`dev_dontaudit_getattr_memory_dev',`
########################################
##
## Read raw memory devices (e.g. /dev/mem).
+## This is extremely dangerous as it can bypass the
+## SELinux protections, and should only be used by trusted
+## domains.
##
##
##
@@ -2756,10 +2759,44 @@ interface(`dev_read_raw_memory',`
typeattribute $1 memory_raw_read;
')
+########################################
+##
+## Read raw memory devices (e.g. /dev/mem) if a tunable is set.
+## This is extremely dangerous as it can bypass the
+## SELinux protections, and should only be used by trusted
+## domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Tunable to depend on
+##
+##
+#
+interface(`dev_read_raw_memory_cond',`
+ gen_require(`
+ type device_t, memory_device_t;
+ attribute memory_raw_read;
+ ')
+
+ typeattribute $1 memory_raw_read;
+ tunable_policy($2, `
+ read_chr_files_pattern($1, device_t, memory_device_t)
+ allow $1 self:capability sys_rawio;
+ ')
+')
+
########################################
##
## Do not audit attempts to read raw memory devices
## (e.g. /dev/mem).
+## This is extremely dangerous as it can bypass the
+## SELinux protections, and should only be used by trusted
+## domains.
##
##
##
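Review bot: In `dev_read_raw_memory_cond` the `typeattribute $1 memory_raw_read;` is applied unconditionally while only the `read_chr_files_pattern` and `sys_rawio` rules sit inside `tunable_policy($2, ...)`; that is forced by the policy language (typeattribute is not accepted inside a conditional block), but the doc comment should say so, because anything keyed on the attribute will treat the caller as a raw-memory reader even when the tunable is off. Suggest adding after the summary: `## The memory_raw_read attribute is applied unconditionally; only the access rules depend on the tunable.` The same note applies to `dev_write_raw_memory_cond` and `memory_raw_write` in the next hunk. The unconditional `dev_read_raw_memory` whose tail opens this hunk starts outside it.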
@@ -2778,6 +2815,9 @@ interface(`dev_dontaudit_read_raw_memory',`
########################################
##
## Write raw memory devices (e.g. /dev/mem).
+## This is extremely dangerous as it can bypass the
+## SELinux protections, and should only be used by trusted
+## domains.
##
##
##
@@ -2797,9 +2837,43 @@ interface(`dev_write_raw_memory',`
typeattribute $1 memory_raw_write;
')
+########################################
+##
+## Write raw memory devices (e.g. /dev/mem) if a tunable is set.
+## This is extremely dangerous as it can bypass the
+## SELinux protections, and should only be used by trusted
+## domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Tunable to depend on
+##
+##
+#
+interface(`dev_write_raw_memory_cond',`
+ gen_require(`
+ type device_t, memory_device_t;
+ attribute memory_raw_write;
+ ')
+
+ typeattribute $1 memory_raw_write;
+ tunable_policy($2, `
+ write_chr_files_pattern($1, device_t, memory_device_t)
+ allow $1 self:capability sys_rawio;
+ ')
+')
+
########################################
##
## Read and execute raw memory devices (e.g. /dev/mem).
+## This is extremely dangerous as it can bypass the
+## SELinux protections, and should only be used by trusted
+## domains.
##
##
##
@@ -2819,6 +2893,9 @@ interface(`dev_rx_raw_memory',`
########################################
##
## Write and execute raw memory devices (e.g. /dev/mem).
+## This is extremely dangerous as it can bypass the
+## SELinux protections, and should only be used by trusted
+## domains.
##
##
##
@@ -2835,6 +2912,37 @@ interface(`dev_wx_raw_memory',`
allow $1 memory_device_t:chr_file { map execute };
')
+########################################
+##
+## Write and execute raw memory devices (e.g. /dev/mem) if a tunable is set.
+## This is extremely dangerous as it can bypass the
+## SELinux protections, and should only be used by trusted
+## domains.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Tunable to depend on
+##
+##
+#
+interface(`dev_wx_raw_memory_cond',`
+ gen_require(`
+ type memory_device_t;
+ attribute memory_raw_write;
+ ')
+
+ typeattribute $1 memory_raw_write;
+ dev_write_raw_memory_cond($1, $2)
+ tunable_policy($2, `
+ allow $1 memory_device_t:chr_file { map execute };
+ ')
+')
+
########################################
##
## Get the attributes of miscellaneous devices.
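Review bot: `dev_wx_raw_memory_cond` applies `typeattribute $1 memory_raw_write;` and then calls `dev_write_raw_memory_cond($1, $2)`, which applies the same attribute itself, so the attribute require and the typeattribute line in this interface are redundant. Drop `attribute memory_raw_write;` from the `gen_require` and drop `typeattribute $1 memory_raw_write;`, leaving the interface as the conditional `{ map execute }` extension on top of the write interface. The existing `dev_wx_raw_memory` it mirrors starts outside this hunk, so I cannot see whether it carries the same duplication.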
diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
index 246833cf2..1820505eb 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -165,7 +165,7 @@ dev_getattr_all_blk_files(abrt_t)
dev_read_rand(abrt_t)
dev_read_urand(abrt_t)
dev_rw_sysfs(abrt_t)
-dev_dontaudit_read_raw_memory(abrt_t)
+dev_read_raw_memory_cond(abrt_t, allow_raw_memory_access)
domain_getattr_all_domains(abrt_t)
domain_read_all_domains_state(abrt_t)
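Review bot: Unlike the other hunks, this one does not convert an existing allow: abrt_t previously had `dev_dontaudit_read_raw_memory(abrt_t)`, i.e. it was known to probe /dev/mem without needing it, and the replacement grants the read plus `sys_rawio` whenever the tunable is on. While the tunable is off, the suppressed denials now surface as audited AVC noise, which is probably the more visible regression. Unless abrt has a demonstrated need for /dev/mem, keep `dev_dontaudit_read_raw_memory(abrt_t)` instead of, or at least alongside, the `_cond` call.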
diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
index b7cecc1d4..f1a836bb1 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -67,8 +67,6 @@ corenet_tcp_connect_ipp_port(colord_t)
corecmd_exec_bin(colord_t)
corecmd_exec_shell(colord_t)
-dev_read_raw_memory(colord_t)
-dev_write_raw_memory(colord_t)
dev_read_video_dev(colord_t)
dev_write_video_dev(colord_t)
dev_rw_printer(colord_t)
diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index 8a9020f27..7b2c22dae 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -155,11 +155,6 @@ miscfiles_read_localization(devicekit_disk_t)
userdom_read_all_users_state(devicekit_disk_t)
userdom_search_user_home_dirs(devicekit_disk_t)
-ifdef(`distro_debian',`
- # /dev/mem is accessed by libparted to get EFI data
- dev_read_raw_memory(devicekit_disk_t)
-')
-
optional_policy(`
dbus_system_bus_client(devicekit_disk_t)
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index d0bec6c0a..d08e6f181 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -133,7 +133,6 @@ dev_rw_generic_usb_dev(hald_t)
dev_setattr_generic_usb_dev(hald_t)
dev_setattr_usbfs_files(hald_t)
dev_rw_power_management(hald_t)
-dev_read_raw_memory(hald_t)
dev_rw_sysfs(hald_t)
dev_read_video_dev(hald_t)
@@ -401,8 +400,6 @@ append_files_pattern(hald_mac_t, hald_log_t, hald_log_t)
kernel_read_system_state(hald_mac_t)
-dev_read_raw_memory(hald_mac_t)
-dev_write_raw_memory(hald_mac_t)
dev_read_sysfs(hald_mac_t)
auth_use_nsswitch(hald_mac_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 46899272f..0a2ef7579 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -719,9 +719,6 @@ dev_manage_dri_dev(xserver_t)
dev_filetrans_dri(xserver_t)
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
-# raw memory access is needed if not using the frame buffer
-dev_read_raw_memory(xserver_t)
-dev_wx_raw_memory(xserver_t)
# for other device nodes such as the NVidia binary-only driver
dev_rw_xserver_misc(xserver_t)
dev_map_xserver_misc(xserver_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 69a901f15..e3cecfd1a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -894,8 +894,6 @@ ifdef(`distro_redhat',`
# during device initialization:
dev_create_generic_dirs(initrc_t)
dev_rwx_zero(initrc_t)
- dev_rx_raw_memory(initrc_t)
- dev_wx_raw_memory(initrc_t)
storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t)
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index c6c5d460a..e0f2442c4 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -84,10 +84,8 @@ corenet_tcp_connect_iscsi_port(iscsid_t)
corenet_sendrecv_isns_client_packets(iscsid_t)
corenet_tcp_connect_isns_port(iscsid_t)
-dev_read_raw_memory(iscsid_t)
dev_rw_sysfs(iscsid_t)
dev_rw_userio_dev(iscsid_t)
-dev_write_raw_memory(iscsid_t)
domain_use_interactive_fds(iscsid_t)
domain_dontaudit_read_all_domains_state(iscsid_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index d671a0348..a1eed729a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -339,7 +339,7 @@ kernel_change_ring_buffer_level(klogd_t)
files_read_kernel_symbol_table(klogd_t)
-dev_read_raw_memory(klogd_t)
+dev_read_raw_memory_cond(klogd_t, allow_raw_memory_access)
dev_read_sysfs(klogd_t)
fs_getattr_all_fs(klogd_t)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 1cbd7e326..e77fed878 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -53,7 +53,6 @@ dev_rw_sysfs(mdadm_t)
dev_dontaudit_getattr_all_blk_files(mdadm_t)
dev_dontaudit_getattr_all_chr_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
-dev_read_raw_memory(mdadm_t)
domain_use_interactive_fds(mdadm_t)