diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 44edee7d2..5257aec3f 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -700,6 +700,25 @@ interface(`dev_manage_all_chr_files',`
typeattribute $1 memory_raw_read, memory_raw_write;
')
+########################################
+##
+## Read and write the agp devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_rw_agp_dev',`
+ gen_require(`
+ type device_t, agp_device_t;
+ class dir r_dir_perms;
+ class chr_file rw_file_perms;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 agp_device_t:chr_file rw_file_perms;
+')
+
########################################
##
## Get the attributes of the apm bios device node.
@@ -795,405 +814,41 @@ interface(`dev_rw_apm_bios',`
########################################
##
-## Read raw memory devices (e.g. /dev/mem).
+## Read the CPU identity.
##
##
## Domain allowed access.
##
#
-interface(`dev_read_raw_memory',`
+interface(`dev_read_cpuid',`
gen_require(`
- type device_t, memory_device_t;
- attribute memory_raw_read;
- class dir r_dir_perms;
- class chr_file r_file_perms;
- class capability sys_rawio;
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 memory_device_t:chr_file r_file_perms;
-
- allow $1 self:capability sys_rawio;
- typeattribute $1 memory_raw_read;
-')
-
-########################################
-##
-## Write raw memory devices (e.g. /dev/mem).
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_write_raw_memory',`
- gen_require(`
- type device_t, memory_device_t;
- attribute memory_raw_write;
- class dir r_dir_perms;
- class chr_file write;
- class capability sys_rawio;
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 memory_device_t:chr_file write;
-
- allow $1 self:capability sys_rawio;
- typeattribute $1 memory_raw_write;
-')
-
-########################################
-##
-## Read and execute raw memory devices (e.g. /dev/mem).
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_rx_raw_memory',`
- gen_require(`
- type device_t, memory_device_t;
- class chr_file execute;
- ')
-
- dev_read_raw_memory($1)
- allow $1 memory_device_t:chr_file execute;
-')
-
-########################################
-##
-## Write and execute raw memory devices (e.g. /dev/mem).
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_wx_raw_memory',`
- gen_require(`
- type device_t, memory_device_t;
- class chr_file execute;
- ')
-
- dev_write_raw_memory($1)
- allow $1 memory_device_t:chr_file execute;
-')
-
-########################################
-##
-## Read from random devices (e.g., /dev/random)
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_read_rand',`
- gen_require(`
- type device_t, random_device_t;
+ type device_t, cpu_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 random_device_t:chr_file r_file_perms;
+ allow $1 cpu_device_t:chr_file r_file_perms;
')
########################################
##
-## Read from pseudo random devices (e.g., /dev/urandom)
+## Read and write the the CPU microcode device. This
+## is required to load CPU microcode.
##
##
## Domain allowed access.
##
#
-interface(`dev_read_urand',`
+interface(`dev_rw_cpu_microcode',`
gen_require(`
- type device_t, urandom_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 urandom_device_t:chr_file r_file_perms;
-')
-
-########################################
-##
-## Write to the random device (e.g., /dev/random). This adds
-## entropy used to generate the random data read from the
-## random device.
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_write_rand',`
- gen_require(`
- type device_t, random_device_t;
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 random_device_t:chr_file { getattr write ioctl };
-')
-
-########################################
-##
-## Write to the pseudo random device (e.g., /dev/urandom). This
-## sets the random number generator seed.
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_write_urand',`
- gen_require(`
- type device_t, urandom_device_t;
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 urandom_device_t:chr_file { getattr write ioctl };
-')
-
-########################################
-##
-## Read and write to the null device (/dev/null).
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_rw_null_dev',`
- gen_require(`
- type device_t, null_device_t;
- class device_t:dir r_dir_perms;
- class chr_file rw_file_perms;
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 null_device_t:chr_file rw_file_perms;
-')
-
-########################################
-##
-## Read and write to the zero device (/dev/zero).
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_rw_zero_dev',`
- gen_require(`
- type device_t, zero_device_t;
- class device_t:dir r_dir_perms;
- class chr_file r_file_perms;
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 zero_device_t:chr_file rw_file_perms;
-')
-
-########################################
-##
-## Read, write, and execute the zero device (/dev/zero).
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_rwx_zero_dev',`
- gen_require(`
- type zero_device_t;
- class chr_file execute;
- ')
-
- dev_rw_zero_dev($1)
- allow $1 zero_device_t:chr_file execute;
-')
-
-########################################
-##
-## Read the realtime clock (/dev/rtc).
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_read_realtime_clock',`
- gen_require(`
- type device_t, clock_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 clock_device_t:chr_file r_file_perms;
-')
-
-########################################
-##
-## Read the realtime clock (/dev/rtc).
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_write_realtime_clock',`
- gen_require(`
- type device_t, clock_device_t;
- class dir r_dir_perms;
- class chr_file { setattr lock write append ioctl };
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
-')
-
-########################################
-##
-## Read the realtime clock (/dev/rtc).
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_rw_realtime_clock',`
- dev_read_realtime_clock($1)
- dev_write_realtime_clock($1)
-')
-
-########################################
-##
-## Get the attributes of the sound devices.
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_getattr_snd_dev',`
- gen_require(`
- type device_t, sound_device_t;
- class dir r_dir_perms;
- class chr_file getattr;
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file getattr;
-')
-
-########################################
-##
-## Set the attributes of the sound devices.
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_setattr_snd_dev',`
- gen_require(`
- type device_t, sound_device_t;
- class dir r_dir_perms;
- class chr_file setattr;
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file setattr;
-')
-
-########################################
-##
-## Read the sound devices.
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_read_snd_dev',`
- gen_require(`
- type device_t, sound_device_t;
- class dir r_dir_perms;
- class chr_file r_file_perms;
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file r_file_perms;
-')
-
-########################################
-##
-## Write the sound devices.
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_write_snd_dev',`
- gen_require(`
- type device_t, sound_device_t;
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file { getattr write ioctl };
-')
-
-########################################
-##
-## Read the sound mixer devices.
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_read_snd_mixer_dev',`
- gen_require(`
- type device_t, sound_device_t;
- class dir r_dir_perms;
- class chr_file { getattr read ioctl };
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file { getattr read ioctl };
-')
-
-########################################
-##
-## Write the sound mixer devices.
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_write_snd_mixer_dev',`
- gen_require(`
- type device_t, sound_device_t;
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 sound_device_t:chr_file { getattr write ioctl };
-')
-
-########################################
-##
-## Read and write the agp devices.
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_rw_agp_dev',`
- gen_require(`
- type device_t, agp_device_t;
+ type device_t, cpu_device_t;
class dir r_dir_perms;
class chr_file rw_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 agp_device_t:chr_file rw_file_perms;
+ allow $1 cpu_device_t:chr_file rw_file_perms;
')
########################################
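Review bot: The rewritten summary for dev_rw_cpu_microcode still carries the doubled word from the old text: `## Read and write the the CPU microcode device. This` should read `## Read and write the CPU microcode device. This`. The commit only capitalised CPU on that line, so the typo survives the move. The rules on the new side of this hunk otherwise look like a pure reorder of the existing interfaces.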
@@ -1253,40 +908,21 @@ interface(`dev_dontaudit_rw_dri_dev',`
########################################
##
-## Read the mtrr device.
+## Read input event devices (/dev/input).
##
##
## Domain allowed access.
##
#
-interface(`dev_read_mtrr',`
+interface(`dev_read_input',`
gen_require(`
- type device_t, mtrr_device_t;
+ type device_t, event_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 mtrr_device_t:chr_file r_file_perms;
-')
-
-########################################
-##
-## Write the mtrr device.
-##
-##
-## Domain allowed access.
-##
-#
-interface(`dev_write_mtrr',`
- gen_require(`
- type device_t, mtrr_device_t;
- class dir r_dir_perms;
- class chr_file { getattr write ioctl };
- ')
-
- allow $1 device_t:dir r_dir_perms;
- allow $1 mtrr_device_t:chr_file { getattr write ioctl };
+ allow $1 event_device_t:chr_file r_file_perms;
')
########################################
@@ -1457,6 +1093,90 @@ interface(`dev_delete_lvm_control',`
allow $1 lvm_control_t:chr_file unlink;
')
+########################################
+##
+## Read raw memory devices (e.g. /dev/mem).
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_read_raw_memory',`
+ gen_require(`
+ type device_t, memory_device_t;
+ attribute memory_raw_read;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
+ class capability sys_rawio;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 memory_device_t:chr_file r_file_perms;
+
+ allow $1 self:capability sys_rawio;
+ typeattribute $1 memory_raw_read;
+')
+
+########################################
+##
+## Write raw memory devices (e.g. /dev/mem).
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_write_raw_memory',`
+ gen_require(`
+ type device_t, memory_device_t;
+ attribute memory_raw_write;
+ class dir r_dir_perms;
+ class chr_file write;
+ class capability sys_rawio;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 memory_device_t:chr_file write;
+
+ allow $1 self:capability sys_rawio;
+ typeattribute $1 memory_raw_write;
+')
+
+########################################
+##
+## Read and execute raw memory devices (e.g. /dev/mem).
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_rx_raw_memory',`
+ gen_require(`
+ type device_t, memory_device_t;
+ class chr_file execute;
+ ')
+
+ dev_read_raw_memory($1)
+ allow $1 memory_device_t:chr_file execute;
+')
+
+########################################
+##
+## Write and execute raw memory devices (e.g. /dev/mem).
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_wx_raw_memory',`
+ gen_require(`
+ type device_t, memory_device_t;
+ class chr_file execute;
+ ')
+
+ dev_write_raw_memory($1)
+ allow $1 memory_device_t:chr_file execute;
+')
+
########################################
##
## Get the attributes of miscellaneous devices.
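Review bot: The one-line summary of dev_read_raw_memory understates what the interface grants: besides r_file_perms on memory_device_t it allows `self:capability sys_rawio` and adds the caller to the memory_raw_read attribute, and dev_write_raw_memory does the same with memory_raw_write. A policy author reading only the summary would not see that a caller picks up a capability whose reach goes well beyond /dev/mem. Suggest extending the description of both interfaces with a sentence such as `## This also grants the sys_rawio capability and marks the domain with the memory_raw_read attribute.` (memory_raw_write for the write variant).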
@@ -1626,6 +1346,63 @@ interface(`dev_read_mouse',`
allow $1 mouse_device_t:chr_file r_file_perms;
')
+########################################
+##
+## Read the mtrr device.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_read_mtrr',`
+ gen_require(`
+ type device_t, mtrr_device_t;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 mtrr_device_t:chr_file r_file_perms;
+')
+
+########################################
+##
+## Write the mtrr device.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_write_mtrr',`
+ gen_require(`
+ type device_t, mtrr_device_t;
+ class dir r_dir_perms;
+ class chr_file { getattr write ioctl };
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 mtrr_device_t:chr_file { getattr write ioctl };
+')
+
+########################################
+##
+## Read and write to the null device (/dev/null).
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_rw_null_dev',`
+ gen_require(`
+ type device_t, null_device_t;
+ class device_t:dir r_dir_perms;
+ class chr_file rw_file_perms;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 null_device_t:chr_file rw_file_perms;
+')
+
########################################
##
## Set the attributes of the printer device nodes.
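Review bot: In dev_rw_null_dev the require block reads `class device_t:dir r_dir_perms;`, which is the allow-rule form rather than the require form used by dev_read_mtrr and dev_write_mtrr just above it (`class dir r_dir_perms;`). It looks like a copy-paste of the allow line; a require statement takes only a class name and its permissions, so this would presumably be rejected when the interface is built into a loadable module — confirm with a module build. The moved dev_rw_zero_dev in the last hunk of this file has the same line and should get the same fix, `class dir r_dir_perms;`.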
@@ -1647,60 +1424,93 @@ interface(`dev_setattr_printer',`
########################################
##
-## Read input event devices (/dev/input).
+## Read from random devices (e.g., /dev/random)
##
##
## Domain allowed access.
##
#
-interface(`dev_read_input',`
+interface(`dev_read_rand',`
gen_require(`
- type device_t, event_device_t;
+ type device_t, random_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 event_device_t:chr_file r_file_perms;
+ allow $1 random_device_t:chr_file r_file_perms;
')
########################################
##
-## Read the multiplexed input device (/dev/input).
+## Write to the random device (e.g., /dev/random). This adds
+## entropy used to generate the random data read from the
+## random device.
##
##
## Domain allowed access.
##
#
-interface(`dev_read_cpuid',`
+interface(`dev_write_rand',`
gen_require(`
- type device_t, cpu_device_t;
+ type device_t, random_device_t;
+ class dir r_dir_perms;
+ class chr_file { getattr write ioctl };
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 random_device_t:chr_file { getattr write ioctl };
+')
+
+########################################
+##
+## Read the realtime clock (/dev/rtc).
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_read_realtime_clock',`
+ gen_require(`
+ type device_t, clock_device_t;
class dir r_dir_perms;
class chr_file r_file_perms;
')
allow $1 device_t:dir r_dir_perms;
- allow $1 cpu_device_t:chr_file r_file_perms;
+ allow $1 clock_device_t:chr_file r_file_perms;
')
########################################
##
-## Read and write the the cpu microcode device. This
-## is required to load cpu microcode.
+## Set the realtime clock (/dev/rtc).
##
##
## Domain allowed access.
##
#
-interface(`dev_rw_cpu_microcode',`
+interface(`dev_write_realtime_clock',`
gen_require(`
- type device_t, cpu_device_t;
+ type device_t, clock_device_t;
class dir r_dir_perms;
- class chr_file rw_file_perms;
+ class chr_file { setattr lock write append ioctl };
')
allow $1 device_t:dir r_dir_perms;
- allow $1 cpu_device_t:chr_file rw_file_perms;
+ allow $1 clock_device_t:chr_file { setattr lock write append ioctl };
+')
+
+########################################
+##
+## Read and set the realtime clock (/dev/rtc).
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_rw_realtime_clock',`
+ dev_read_realtime_clock($1)
+ dev_write_realtime_clock($1)
')
########################################
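Review bot: The description of dev_write_rand says the write "adds entropy used to generate the random data", which overstates what the granted permissions achieve: on Linux a plain write() to /dev/random mixes the bytes into the pool without crediting entropy, and crediting it needs the RNDADDENTROPY ioctl, which the kernel gates on CAP_SYS_ADMIN — a capability this interface does not grant. The same applies to dev_write_urand in a later hunk, whose text says it "sets the random number generator seed". Suggest wording along the lines of `## Write to the random device (e.g., /dev/random). The data is mixed into the pool; crediting it as entropy additionally requires the sys_admin capability, which is not granted here.` for both.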
@@ -1796,6 +1606,120 @@ interface(`dev_rw_scanner',`
allow $1 scanner_device_t:chr_file rw_file_perms;
')
+########################################
+##
+## Get the attributes of the sound devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_getattr_snd_dev',`
+ gen_require(`
+ type device_t, sound_device_t;
+ class dir r_dir_perms;
+ class chr_file getattr;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 sound_device_t:chr_file getattr;
+')
+
+########################################
+##
+## Set the attributes of the sound devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_setattr_snd_dev',`
+ gen_require(`
+ type device_t, sound_device_t;
+ class dir r_dir_perms;
+ class chr_file setattr;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 sound_device_t:chr_file setattr;
+')
+
+########################################
+##
+## Read the sound devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_read_snd_dev',`
+ gen_require(`
+ type device_t, sound_device_t;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 sound_device_t:chr_file r_file_perms;
+')
+
+########################################
+##
+## Write the sound devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_write_snd_dev',`
+ gen_require(`
+ type device_t, sound_device_t;
+ class dir r_dir_perms;
+ class chr_file { getattr write ioctl };
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 sound_device_t:chr_file { getattr write ioctl };
+')
+
+########################################
+##
+## Read the sound mixer devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_read_snd_mixer_dev',`
+ gen_require(`
+ type device_t, sound_device_t;
+ class dir r_dir_perms;
+ class chr_file { getattr read ioctl };
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 sound_device_t:chr_file { getattr read ioctl };
+')
+
+########################################
+##
+## Write the sound mixer devices.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_write_snd_mixer_dev',`
+ gen_require(`
+ type device_t, sound_device_t;
+ class dir r_dir_perms;
+ class chr_file { getattr write ioctl };
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 sound_device_t:chr_file { getattr write ioctl };
+')
+
########################################
##
## Get the attributes of the the power management device.
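Review bot: dev_read_snd_mixer_dev and dev_write_snd_mixer_dev operate on the same sound_device_t type as dev_read_snd_dev and dev_write_snd_dev, so despite the name they grant access to every sound device node, not just the mixer; dev_write_snd_mixer_dev is in fact rule-for-rule identical to dev_write_snd_dev. The summaries should make that visible so callers do not assume a narrower grant, e.g. `## Read the sound mixer devices (same type as all other sound devices; no narrower access is granted).`, or the mixer pair should be documented as aliases until a dedicated mixer type exists.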
@@ -1962,6 +1886,45 @@ interface(`dev_rw_sysfs',`
allow $1 sysfs_t:file rw_file_perms;
')
+########################################
+##
+## Read from pseudo random devices (e.g., /dev/urandom)
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_read_urand',`
+ gen_require(`
+ type device_t, urandom_device_t;
+ class dir r_dir_perms;
+ class chr_file r_file_perms;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 urandom_device_t:chr_file r_file_perms;
+')
+
+########################################
+##
+## Write to the pseudo random device (e.g., /dev/urandom). This
+## sets the random number generator seed.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_write_urand',`
+ gen_require(`
+ type device_t, urandom_device_t;
+ class dir r_dir_perms;
+ class chr_file { getattr write ioctl };
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 urandom_device_t:chr_file { getattr write ioctl };
+')
+
########################################
##
## Mount a usbfs filesystem.
@@ -2150,6 +2113,43 @@ interface(`dev_dontaudit_setattr_video_dev',`
dontaudit $1 v4l_device_t:chr_file setattr;
')
+########################################
+##
+## Read and write to the zero device (/dev/zero).
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_rw_zero_dev',`
+ gen_require(`
+ type device_t, zero_device_t;
+ class device_t:dir r_dir_perms;
+ class chr_file r_file_perms;
+ ')
+
+ allow $1 device_t:dir r_dir_perms;
+ allow $1 zero_device_t:chr_file rw_file_perms;
+')
+
+########################################
+##
+## Read, write, and execute the zero device (/dev/zero).
+##
+##
+## Domain allowed access.
+##
+#
+interface(`dev_rwx_zero_dev',`
+ gen_require(`
+ type zero_device_t;
+ class chr_file execute;
+ ')
+
+ dev_rw_zero_dev($1)
+ allow $1 zero_device_t:chr_file execute;
+')
+
########################################
##
## Unconfined access to devices.
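Review bot: dev_rw_zero_dev's require block declares `class chr_file r_file_perms;` while its allow line grants `rw_file_perms`, so the requirement understates the permissions the interface actually uses and does not match the rw naming. The line should be `class chr_file rw_file_perms;`, as dev_rw_null_dev already declares. dev_rwx_zero_dev below it builds on this interface, so the mismatch is inherited by the execute variant as well.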