## Policy controlling access to storage devices ######################################## ## ## Allow the caller to get the attributes of fixed disk ## device nodes. ## ## ## ## Domain allowed access. ## ## # interface(`storage_getattr_fixed_disk_dev',` gen_require(` type fixed_disk_device_t; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file getattr; ') ######################################## ## ## Do not audit attempts made by the caller to get ## the attributes of fixed disk device nodes. ## ## ## ## Domain to not audit. ## ## # interface(`storage_dontaudit_getattr_fixed_disk_dev',` gen_require(` type fixed_disk_device_t; ') dontaudit $1 fixed_disk_device_t:blk_file getattr; dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl ') ######################################## ## ## Allow the caller to set the attributes of fixed disk ## device nodes. ## ## ## ## Domain allowed access. ## ## # interface(`storage_setattr_fixed_disk_dev',` gen_require(` type fixed_disk_device_t; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file setattr; ') ######################################## ## ## Do not audit attempts made by the caller to set ## the attributes of fixed disk device nodes. ## ## ## ## Domain to not audit. ## ## # interface(`storage_dontaudit_setattr_fixed_disk_dev',` gen_require(` type fixed_disk_device_t; ') dontaudit $1 fixed_disk_device_t:blk_file setattr; ') ######################################## ## ## Allow the caller to directly read from a fixed disk. ## This is extremely dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## ## Domain allowed access. ## ## # interface(`storage_raw_read_fixed_disk',` gen_require(` attribute fixed_disk_raw_read; type fixed_disk_device_t; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; typeattribute $1 fixed_disk_raw_read; ') ######################################## ## ## Do not audit attempts made by the caller to read ## fixed disk device nodes. ## ## ## ## Domain to not audit. ## ## # interface(`storage_dontaudit_read_fixed_disk',` gen_require(` type fixed_disk_device_t; ') dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms; dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms; ') ######################################## ## ## Allow the caller to directly write to a fixed disk. ## This is extremely dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## ## Domain allowed access. ## ## # interface(`storage_raw_write_fixed_disk',` gen_require(` attribute fixed_disk_raw_write; type fixed_disk_device_t; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file write_blk_file_perms; allow $1 fixed_disk_device_t:chr_file write_chr_file_perms; typeattribute $1 fixed_disk_raw_write; ') ######################################## ## ## Do not audit attempts made by the caller to write ## fixed disk device nodes. ## ## ## ## Domain to not audit. ## ## # interface(`storage_dontaudit_write_fixed_disk',` gen_require(` type fixed_disk_device_t; ') dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms; ') ######################################## ## ## Allow the caller to directly read and write to a fixed disk. ## This is extremely dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## ## Domain allowed access. ## ## # interface(`storage_raw_rw_fixed_disk',` storage_raw_read_fixed_disk($1) storage_raw_write_fixed_disk($1) ') ######################################## ## ## Allow the caller to create fixed disk device nodes. ## ## ## ## Domain allowed access. ## ## # interface(`storage_create_fixed_disk_dev',` gen_require(` type fixed_disk_device_t; ') allow $1 self:capability mknod; allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; dev_add_entry_generic_dirs($1) ') ######################################## ## ## Allow the caller to delete fixed disk device nodes. ## ## ## ## Domain allowed access. ## ## # interface(`storage_delete_fixed_disk_dev',` gen_require(` type fixed_disk_device_t; ') allow $1 fixed_disk_device_t:blk_file delete_blk_file_perms; dev_remove_entry_generic_dirs($1) ') ######################################## ## ## Create, read, write, and delete fixed disk device nodes. ## ## ## ## Domain allowed access. ## ## # interface(`storage_manage_fixed_disk',` gen_require(` attribute fixed_disk_raw_read, fixed_disk_raw_write; type fixed_disk_device_t; ') dev_list_all_dev_nodes($1) allow $1 self:capability mknod; allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms; allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms; typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; ') ######################################## ## ## Create block devices in /dev with the fixed disk type ## via an automatic type transition. ## ## ## ## Domain allowed access. ## ## ## ## ## Optional filename of the block device to be created ## ## # interface(`storage_dev_filetrans_fixed_disk',` gen_require(` type fixed_disk_device_t; ') dev_filetrans($1, fixed_disk_device_t, blk_file, $2) ') ######################################## ## ## Create block devices in on a tmpfs filesystem with the ## fixed disk type via an automatic type transition. ## ## ## ## Domain allowed access. ## ## # interface(`storage_tmpfs_filetrans_fixed_disk',` gen_require(` type fixed_disk_device_t; ') fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file) ') ######################################## ## ## Relabel fixed disk device nodes. ## ## ## ## Domain allowed access. ## ## # interface(`storage_relabel_fixed_disk',` gen_require(` type fixed_disk_device_t; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms; ') ######################################## ## ## Enable a fixed disk device as swap space ## ## ## ## Domain allowed access. ## ## # interface(`storage_swapon_fixed_disk',` gen_require(` type fixed_disk_device_t; ') dev_list_all_dev_nodes($1) allow $1 fixed_disk_device_t:blk_file getattr; ') ######################################## ## ## Allow the caller to get the attributes ## of device nodes of fuse devices. ## ## ## ## Domain allowed access. ## ## # interface(`storage_getattr_fuse_dev',` gen_require(` type fuse_device_t; ') dev_list_all_dev_nodes($1) allow $1 fuse_device_t:chr_file getattr; ') ######################################## ## ## read or write fuse device interfaces. ## ## ## ## Domain allowed access. ## ## # interface(`storage_rw_fuse',` gen_require(` type fuse_device_t; ') allow $1 fuse_device_t:chr_file rw_file_perms; ') ######################################## ## ## Do not audit attempts to read or write ## fuse device interfaces. ## ## ## ## Domain to not audit. ## ## # interface(`storage_dontaudit_rw_fuse',` gen_require(` type fuse_device_t; ') dontaudit $1 fuse_device_t:chr_file rw_file_perms; ') ######################################## ## ## Allow the caller to get the attributes of ## the generic SCSI interface device nodes. ## ## ## ## Domain allowed access. ## ## # interface(`storage_getattr_scsi_generic_dev',` gen_require(` type scsi_generic_device_t; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:chr_file getattr; ') ######################################## ## ## Allow the caller to set the attributes of ## the generic SCSI interface device nodes. ## ## ## ## Domain allowed access. ## ## # interface(`storage_setattr_scsi_generic_dev',` gen_require(` type scsi_generic_device_t; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:chr_file setattr; ') ######################################## ## ## Allow the caller to directly read, in a ## generic fashion, from any SCSI device. ## This is extremely dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## ## Domain allowed access. ## ## # interface(`storage_read_scsi_generic',` gen_require(` attribute scsi_generic_read; type scsi_generic_device_t; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:chr_file read_chr_file_perms; typeattribute $1 scsi_generic_read; ') ######################################## ## ## Allow the caller to directly write, in a ## generic fashion, from any SCSI device. ## This is extremely dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## ## Domain allowed access. ## ## # interface(`storage_write_scsi_generic',` gen_require(` attribute scsi_generic_write; type scsi_generic_device_t; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:chr_file write_chr_file_perms; typeattribute $1 scsi_generic_write; ') ######################################## ## ## Set attributes of the device nodes ## for the SCSI generic inerface. ## ## ## ## Domain allowed access. ## ## # interface(`storage_setattr_scsi_generic_dev_dev',` gen_require(` type scsi_generic_device_t; ') dev_list_all_dev_nodes($1) allow $1 scsi_generic_device_t:chr_file setattr; ') ######################################## ## ## Do not audit attempts to read or write ## SCSI generic device interfaces. ## ## ## ## Domain to not audit. ## ## # interface(`storage_dontaudit_rw_scsi_generic',` gen_require(` type scsi_generic_device_t; ') dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms; ') ######################################## ## ## Allow the caller to get the attributes of removable ## devices device nodes. ## ## ## ## Domain allowed access. ## ## # interface(`storage_getattr_removable_dev',` gen_require(` type removable_device_t; ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file getattr; ') ######################################## ## ## Do not audit attempts made by the caller to get ## the attributes of removable devices device nodes. ## ## ## ## Domain to not audit. ## ## # interface(`storage_dontaudit_getattr_removable_dev',` gen_require(` type removable_device_t; ') dontaudit $1 removable_device_t:blk_file getattr; ') ######################################## ## ## Do not audit attempts made by the caller to read ## removable devices device nodes. ## ## ## ## Domain to not audit. ## ## # interface(`storage_dontaudit_read_removable_device',` gen_require(` type removable_device_t; ') dontaudit $1 removable_device_t:blk_file read_blk_file_perms; ') ######################################## ## ## Do not audit attempts made by the caller to write ## removable devices device nodes. ## ## ## ## Domain to not audit. ## ## # interface(`storage_dontaudit_write_removable_device',` gen_require(` type removable_device_t; ') dontaudit $1 removable_device_t:blk_file write_blk_file_perms; ') ######################################## ## ## Allow the caller to set the attributes of removable ## devices device nodes. ## ## ## ## Domain allowed access. ## ## # interface(`storage_setattr_removable_dev',` gen_require(` type removable_device_t; ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file setattr; ') ######################################## ## ## Do not audit attempts made by the caller to set ## the attributes of removable devices device nodes. ## ## ## ## Domain to not audit. ## ## # interface(`storage_dontaudit_setattr_removable_dev',` gen_require(` type removable_device_t; ') dontaudit $1 removable_device_t:blk_file setattr; ') ######################################## ## ## Allow the caller to directly read from ## a removable device. ## This is extremely dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## ## Domain allowed access. ## ## # interface(`storage_raw_read_removable_device',` gen_require(` type removable_device_t; ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file read_blk_file_perms; ') ######################################## ## ## Do not audit attempts to directly read removable devices. ## ## ## ## Domain to not audit. ## ## # interface(`storage_dontaudit_raw_read_removable_device',` gen_require(` type removable_device_t; ') dontaudit $1 removable_device_t:blk_file read_blk_file_perms; ') ######################################## ## ## Allow the caller to directly write to ## a removable device. ## This is extremely dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## ## ## ## Domain allowed access. ## ## # interface(`storage_raw_write_removable_device',` gen_require(` type removable_device_t; ') dev_list_all_dev_nodes($1) allow $1 removable_device_t:blk_file write_blk_file_perms; ') ######################################## ## ## Do not audit attempts to directly write removable devices. ## ## ## ## Domain to not audit. ## ## # interface(`storage_dontaudit_raw_write_removable_device',` gen_require(` type removable_device_t; ') dontaudit $1 removable_device_t:blk_file write_blk_file_perms; ') ######################################## ## ## Allow the caller to directly read ## a tape device. ## ## ## ## Domain allowed access. ## ## # interface(`storage_read_tape',` gen_require(` type tape_device_t; ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:chr_file read_chr_file_perms; ') ######################################## ## ## Allow the caller to directly write ## a tape device. ## ## ## ## Domain allowed access. ## ## # interface(`storage_write_tape',` gen_require(` type tape_device_t; ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:chr_file write_chr_file_perms; ') ######################################## ## ## Allow the caller to get the attributes ## of device nodes of tape devices. ## ## ## ## Domain allowed access. ## ## # interface(`storage_getattr_tape_dev',` gen_require(` type tape_device_t; ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:chr_file getattr; ') ######################################## ## ## Allow the caller to set the attributes ## of device nodes of tape devices. ## ## ## ## Domain allowed access. ## ## # interface(`storage_setattr_tape_dev',` gen_require(` type tape_device_t; ') dev_list_all_dev_nodes($1) allow $1 tape_device_t:chr_file setattr; ') ######################################## ## ## Unconfined access to storage devices. ## ## ## ## Domain allowed access. ## ## # interface(`storage_unconfined',` gen_require(` attribute storage_unconfined_type; ') typeattribute $1 storage_unconfined_type; ')