## <summary>
##	Device nodes and interfaces for many basic system devices.
## </summary>
## <desc>
##	<p>
##	This module creates the device node concept and provides
##	the policy for many of the device files.  Notable exceptions are
##	the mass storage and terminal devices that are covered by other
##	modules.
##	</p>
##	<p>
##	This module creates the concept of a device node.  That is a
##	char or block device file, usually in /dev.  All types that
##	are used to label device nodes should use the dev_node macro.
##	</p>
##	<p>
##	Additionally, this module controls access to three things:
##	</p>
## </desc>
## <required val="true">
##	Depended on by other required modules.
## </required>

########################################
## <summary>
##	Make the specified type usable for device
##	nodes in a filesystem.
## </summary>
## <desc>
##	<p>
##	Make the specified type usable for device nodes
##	in a filesystem.  Types used for device nodes that
##	do not use this interface, or an interface that
##	calls this one, will have unexpected behaviors
##	while the system is running.
##	</p>
##	<p>
##	Example:
##	</p>
##	<p>
##	type mydev_t;
##	dev_node(mydev_t)
##	allow mydomain_t mydev_t:chr_file read_chr_file_perms;
##	</p>
##	<p>
##	Related interfaces:
##	</p>
## </desc>
## <param name="type">
##	<summary>
##	Type to be used for device nodes.
##	</summary>
## </param>
#
interface(`dev_node',`
	gen_require(`
		attribute device_node;
	')

	# Membership in device_node is what the *_all_* interfaces in this
	# module key on; a device type without it is invisible to them.
	typeattribute $1 device_node;
')

########################################
## <summary>
##	Associate the specified file type with device filesystem.
## </summary>
## <param name="type">
##	<summary>
##	The type of the file to be associated.
##	</summary>
## </param>
#
interface(`dev_associate',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:filesystem associate;
	# For backwards compatibility
	fs_associate_tmpfs($1)
')

########################################
## <summary>
##	Get attributes of device filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_fs',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:filesystem getattr;
')

########################################
## <summary>
##	Watch the directories in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_watch_dev_dirs',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:dir watch;
')

########################################
## <summary>
##	Mount a filesystem on /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_mounton',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:dir mounton;
')

########################################
## <summary>
##	Allow full relabeling (to and from) of all device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`dev_relabel_all_dev_nodes',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	# A caller can move any node into or out of any device_node type,
	# i.e. change which device policy applies to it.  Directories,
	# regular files, symlinks, fifos and sockets get relabelfrom only;
	# block and character nodes get both directions.
	relabelfrom_dirs_pattern($1, device_t, { device_t device_node })
	relabelfrom_files_pattern($1, device_t, { device_t device_node })
	relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
	relabelfrom_fifo_files_pattern($1, device_t, { device_t device_node })
	relabelfrom_sock_files_pattern($1, device_t, { device_t device_node })
	relabel_blk_files_pattern($1, device_t, { device_t device_node })
	relabel_chr_files_pattern($1, device_t, { device_t device_node })
')

########################################
## <summary>
##	Allow full relabeling (to and from) of all device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`dev_relabel_all_dev_files',`
	gen_require(`
		type device_t;
	')

	# Regular files only (device_t to device_t); device nodes are
	# covered by dev_relabel_all_dev_nodes().
	relabel_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	List all of the device nodes in a device directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_list_all_dev_nodes',`
	gen_require(`
		type device_t;
	')

	list_dirs_pattern($1, device_t, device_t)
	read_lnk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Set the attributes of /dev directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_generic_dirs',`
	gen_require(`
		type device_t;
	')

	setattr_dirs_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Do not audit attempts to list all device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_list_all_dev_nodes',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:dir list_dir_perms;
')

########################################
## <summary>
##	Add entries to directories in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_add_entry_generic_dirs',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:dir add_entry_dir_perms;
')

########################################
## <summary>
##	Remove entries from directories in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_remove_entry_generic_dirs',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:dir del_entry_dir_perms;
')

########################################
## <summary>
##	Create a directory in the device directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_generic_dirs',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:dir list_dir_perms;
	create_dirs_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Delete a directory in the device directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_generic_dirs',`
	gen_require(`
		type device_t;
	')

	delete_dirs_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Manage directories in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_generic_dirs',`
	gen_require(`
		type device_t;
	')

	manage_dirs_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Allow full relabeling (to and from) of directories in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_relabel_generic_dev_dirs',`
	gen_require(`
		type device_t;
	')

	relabel_dirs_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_generic_files',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:file getattr;
')

########################################
## <summary>
##	Read generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_generic_files',`
	gen_require(`
		type device_t;
	')

	read_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Read and write generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_generic_files',`
	gen_require(`
		type device_t;
	')

	rw_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Delete generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_generic_files',`
	gen_require(`
		type device_t;
	')

	delete_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Create, read, write, and delete generic
##	files in the device directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_generic_files',`
	gen_require(`
		type device_t;
	')

	manage_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of generic pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_generic_pipes',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:fifo_file getattr;
')

########################################
## <summary>
##	Write generic socket files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_generic_sockets',`
	gen_require(`
		type device_t;
	')

	# Same rule set as dev_write_generic_sock_files().
	write_sock_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Allow getattr on generic block devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	getattr_blk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Do not audit attempts to getattr on generic block devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:blk_file getattr;
')

########################################
## <summary>
##	Set the attributes on generic
##	block devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:blk_file setattr;
')

########################################
## <summary>
##	Do not audit attempts to setattr on generic block devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:blk_file setattr;
')

########################################
## <summary>
##	Create generic block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	create_blk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Delete generic block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	delete_blk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Allow getattr for generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	getattr_chr_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Do not audit attempts to getattr generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:chr_file getattr;
')

########################################
## <summary>
##	Set the attributes for generic
##	character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:chr_file setattr;
')

########################################
## <summary>
##	Do not audit attempts to setattr generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:chr_file setattr;
')

########################################
## <summary>
##	Read generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	# No directory search is granted here; the caller needs it separately
	# (e.g. dev_list_all_dev_nodes()) to reach the node by path.
	allow $1 device_t:chr_file read_chr_file_perms;
')

########################################
## <summary>
##	Read and write generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:chr_file rw_chr_file_perms;
')

########################################
## <summary>
##	Read and write generic block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:blk_file rw_blk_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read/write generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_rw_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:chr_file rw_chr_file_perms;
')

########################################
## <summary>
##	Create generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	create_chr_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Delete generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	delete_chr_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Relabel from generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_relabelfrom_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	# relabelfrom only: the caller still needs relabelto on the
	# destination type to complete a relabel.
	allow $1 device_t:chr_file relabelfrom_chr_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of symbolic links in device directories (/dev).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_generic_symlinks',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:lnk_file setattr;
')

########################################
## <summary>
##	Read symbolic links in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_generic_symlinks',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
##	Create symbolic links in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_generic_symlinks',`
	gen_require(`
		type device_t;
	')

	create_lnk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Delete symbolic links in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_generic_symlinks',`
	gen_require(`
		type device_t;
	')

	delete_lnk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Create, delete, read, and write symbolic links in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_generic_symlinks',`
	gen_require(`
		type device_t;
	')

	manage_lnk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Relabel symbolic links in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_relabel_generic_symlinks',`
	gen_require(`
		type device_t;
	')

	relabel_lnk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Write generic sock files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_generic_sock_files',`
	gen_require(`
		type device_t;
	')

	# Identical to dev_write_generic_sockets(); kept as a separate
	# name so existing callers of either continue to work.
	write_sock_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Create, delete, read, and write device nodes in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_all_dev_nodes',`
	gen_require(`
		attribute device_node, memory_raw_read, memory_raw_write;
		type device_t;
	')

	# Full management of everything under /dev, including every node
	# type that carries the device_node attribute.
	manage_dirs_pattern($1, device_t, device_t)
	manage_sock_files_pattern($1, device_t, device_t)
	manage_lnk_files_pattern($1, device_t, device_t)
	manage_chr_files_pattern($1, device_t, { device_t device_node })
	manage_blk_files_pattern($1, device_t, { device_t device_node })
	relabel_dirs_pattern($1, device_t, device_t)
	relabel_chr_files_pattern($1, device_t, { device_t device_node })
	relabel_blk_files_pattern($1, device_t, { device_t device_node })
	allow $1 { device_t device_node }:dir watch;
	allow $1 { device_t device_node }:sock_file watch;
	allow $1 { device_t device_node }:lnk_file watch;
	allow $1 { device_t device_node }:chr_file watch;
	allow $1 { device_t device_node }:blk_file watch;

	# these next rules are to satisfy assertions broken by the above lines.
	# the permissions hopefully can be cut back a lot
	#
	# Note for callers: because of these rules a domain using this
	# interface is also granted raw fixed-disk and SCSI generic access and
	# joins the memory_raw_read/memory_raw_write attributes.  Reserve it
	# for domains (device managers) that already warrant that level of
	# access.
	storage_raw_read_fixed_disk($1)
	storage_raw_write_fixed_disk($1)
	storage_read_scsi_generic($1)
	storage_write_scsi_generic($1)
	typeattribute $1 memory_raw_read;
	typeattribute $1 memory_raw_write;
')

########################################
## <summary>
##	Do not audit attempts to get attributes of, read, write,
##	or ioctl generic block and character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_rw_generic_dev_nodes',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
')

########################################
## <summary>
##	Create, delete, read, and write block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	manage_blk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Create, delete, read, and write character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	manage_chr_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Create, read, and write device nodes.  The node
##	will be transitioned to the type provided.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="file_type">
##	<summary>
##	Type to which the created node will be transitioned.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Object class(es) (single or set including {}) for which
##	the transition will occur.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`dev_filetrans',`
	gen_require(`
		type device_t;
	')

	filetrans_pattern($1, device_t, $2, $3, $4)

	# The target type must be allowed to live on the device filesystem
	# (and, for compatibility, on tmpfs/tmp) or the transition would
	# produce a node the filesystem refuses to hold.
	dev_associate($2)
	files_associate_tmp($2)
')

########################################
## <summary>
##	Create, read, and write device nodes.  The node
##	will be transitioned to the type provided.  This is
##	a temporary interface until devtmpfs functionality
##	is fixed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="object_class">
##	<summary>
##	Object class(es) (single or set including {}) for which
##	the transition will occur.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`dev_tmpfs_filetrans_dev',`
	gen_require(`
		type device_t;
	')

	fs_tmpfs_filetrans($1, device_t, $2, $3)
')

########################################
## <summary>
##	Getattr on all block file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`dev_getattr_all_blk_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	getattr_blk_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Do not audit attempts to getattr on all block file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_all_blk_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	dontaudit $1 { device_t device_node }:blk_file getattr;
')

########################################
## <summary>
##	Getattr on all character file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`dev_getattr_all_chr_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	getattr_chr_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Do not audit attempts to getattr on all character file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_all_chr_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	dontaudit $1 { device_t device_node }:chr_file getattr;
')

########################################
## <summary>
##	Setattr on all block file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`dev_setattr_all_blk_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	setattr_blk_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Setattr on all character file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`dev_setattr_all_chr_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	setattr_chr_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Do not audit attempts to read all block file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_read_all_blk_files',`
	gen_require(`
		attribute device_node;
	')

	dontaudit $1 device_node:blk_file { getattr read };
')

########################################
## <summary>
##	Do not audit attempts to write all block file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_write_all_blk_files',`
	gen_require(`
		attribute device_node;
	')

	dontaudit $1 device_node:blk_file write;
')

########################################
## <summary>
##	Do not audit attempts to read all character file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_read_all_chr_files',`
	gen_require(`
		attribute device_node;
	')

	dontaudit $1 device_node:chr_file { getattr read };
')

########################################
## <summary>
##	Do not audit attempts to write all character file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_write_all_chr_files',`
	gen_require(`
		attribute device_node;
	')

	dontaudit $1 device_node:chr_file write;
')

########################################
## <summary>
##	Create all block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_all_blk_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	create_blk_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Create all character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_all_chr_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	create_chr_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Delete all block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_all_blk_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	delete_blk_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Delete all character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_all_chr_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	delete_chr_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Rename all block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rename_all_blk_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	rename_blk_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Rename all character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rename_all_chr_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	rename_chr_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Read, write, create, and delete all block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_all_blk_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	manage_blk_files_pattern($1, device_t, device_node)

	# these next rules are to satisfy assertions broken by the above lines.
	# Callers consequently also get raw fixed-disk and SCSI generic
	# read/write; treat this interface as equivalent to granting those.
	storage_raw_read_fixed_disk($1)
	storage_raw_write_fixed_disk($1)
	storage_read_scsi_generic($1)
	storage_write_scsi_generic($1)
')

########################################
## <summary>
##	Read, write, create, and delete all character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_all_chr_files',`
	gen_require(`
		attribute device_node, memory_raw_read, memory_raw_write;
		type device_t;
	')

	manage_chr_files_pattern($1, device_t, device_node)

	# Managing every character node includes the raw memory devices, so
	# the caller is added to the attributes the memory assertions expect.
	typeattribute $1 memory_raw_read, memory_raw_write;
')

########################################
## <summary>
##	Get the attributes of the apm bios device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_acpi_bios_dev',`
	gen_require(`
		type device_t, acpi_bios_t;
	')

	getattr_chr_files_pattern($1, device_t, acpi_bios_t)
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of
##	the apm bios device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_acpi_bios_dev',`
	gen_require(`
		type acpi_bios_t;
	')

	dontaudit $1 acpi_bios_t:chr_file getattr;
')

########################################
## <summary>
##	Set the attributes of the apm bios device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_acpi_bios_dev',`
	gen_require(`
		type device_t, acpi_bios_t;
	')

	setattr_chr_files_pattern($1, device_t, acpi_bios_t)
')

########################################
## <summary>
##	Do not audit attempts to set the attributes of
##	the apm bios device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_acpi_bios_dev',`
	gen_require(`
		type acpi_bios_t;
	')

	dontaudit $1 acpi_bios_t:chr_file setattr;
')

########################################
## <summary>
##	Read and write the apm bios.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_acpi_bios',`
	gen_require(`
		type device_t, acpi_bios_t;
	')

	rw_chr_files_pattern($1, device_t, acpi_bios_t)
')

########################################
## <summary>
##	Getattr the agp devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_agp_dev',`
	gen_require(`
		type device_t, agp_device_t;
	')

	getattr_chr_files_pattern($1, device_t, agp_device_t)
')

########################################
## <summary>
##	Read and write the agp devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_agp',`
	gen_require(`
		type device_t, agp_device_t;
	')

	rw_chr_files_pattern($1, device_t, agp_device_t)
')

########################################
## <summary>
##	Get the attributes of the autofs device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_autofs_dev',`
	gen_require(`
		type device_t, autofs_device_t;
	')

	getattr_chr_files_pattern($1, device_t, autofs_device_t)
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of
##	the autofs device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_autofs_dev',`
	gen_require(`
		type autofs_device_t;
	')

	dontaudit $1 autofs_device_t:chr_file getattr;
')

########################################
## <summary>
##	Set the attributes of the autofs device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_autofs_dev',`
	gen_require(`
		type device_t, autofs_device_t;
	')

	setattr_chr_files_pattern($1, device_t, autofs_device_t)
')

########################################
## <summary>
##	Do not audit attempts to set the attributes of
##	the autofs device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_autofs_dev',`
	gen_require(`
		type autofs_device_t;
	')

	dontaudit $1 autofs_device_t:chr_file setattr;
')

########################################
## <summary>
##	Read and write the autofs device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_autofs',`
	gen_require(`
		type device_t, autofs_device_t;
	')

	rw_chr_files_pattern($1, device_t, autofs_device_t)
')

########################################
## <summary>
##	Relabel the autofs device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_relabel_autofs_dev',`
	gen_require(`
		type autofs_device_t;
	')

	allow $1 autofs_device_t:chr_file relabel_chr_file_perms;
')

########################################
## <summary>
##	Read and write cachefiles character
##	device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_cachefiles',`
	gen_require(`
		type device_t, cachefiles_device_t;
	')

	rw_chr_files_pattern($1, device_t, cachefiles_device_t)
')

########################################
## <summary>
##	Read and write the PCMCIA card manager device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_cardmgr',`
	gen_require(`
		type cardmgr_dev_t, device_t;
	')

	rw_chr_files_pattern($1, device_t, cardmgr_dev_t)
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write the PCMCIA card manager device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_rw_cardmgr',`
	gen_require(`
		type cardmgr_dev_t;
	')

	dontaudit $1 cardmgr_dev_t:chr_file { read write };
')

########################################
## <summary>
##	Create the PCMCIA card manager device
##	nodes (character and block) with the
##	correct type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_cardmgr_dev',`
	gen_require(`
		type device_t, cardmgr_dev_t;
	')

	# Creation only; read/write/delete are in dev_manage_cardmgr_dev().
	create_chr_files_pattern($1, device_t, cardmgr_dev_t)
	create_blk_files_pattern($1, device_t, cardmgr_dev_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	the PCMCIA card manager device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_cardmgr_dev',`
	gen_require(`
		type device_t, cardmgr_dev_t;
	')

	manage_chr_files_pattern($1, device_t, cardmgr_dev_t)
	manage_blk_files_pattern($1, device_t, cardmgr_dev_t)
')

########################################
## <summary>
##	Automatic type transition to the type
##	for PCMCIA card manager device nodes when
##	created in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`dev_filetrans_cardmgr',`
	gen_require(`
		type device_t, cardmgr_dev_t;
	')

	filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file }, $2)
')

########################################
## <summary>
##	Get the attributes of the CPU
##	microcode and id interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_cpu_dev',`
	gen_require(`
		type device_t, cpu_device_t;
	')

	getattr_chr_files_pattern($1, device_t, cpu_device_t)
')

########################################
## <summary>
##	Set the attributes of the CPU
##	microcode and id interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_cpu_dev',`
	gen_require(`
		type device_t, cpu_device_t;
	')

	setattr_chr_files_pattern($1, device_t, cpu_device_t)
')

########################################
## <summary>
##	Read the CPU identity.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_cpuid',`
	gen_require(`
		type device_t, cpu_device_t;
	')

	read_chr_files_pattern($1, device_t, cpu_device_t)
')

########################################
## <summary>
##	Read and write the CPU microcode device.  This
##	is required to load CPU microcode.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_cpu_microcode',`
	gen_require(`
		type device_t, cpu_device_t;
	')

	# cpu_device_t covers both the microcode and cpuid nodes, so write
	# access here is broader than the summary's "microcode" suggests.
	rw_chr_files_pattern($1, device_t, cpu_device_t)
')

########################################
## <summary>
##	Read the kernel crash device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_crash',`
	gen_require(`
		type device_t, crash_device_t;
	')

	read_chr_files_pattern($1, device_t, crash_device_t)
')

########################################
## <summary>
##	Read and write the hardware SSL accelerator.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_crypto',`
	gen_require(`
		type device_t, crypt_device_t;
	')

	rw_chr_files_pattern($1, device_t, crypt_device_t)
')

########################################
## <summary>
##	Set the attributes of the dlm control devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_dlm_control',`
	gen_require(`
		type device_t, dlm_control_device_t;
	')

	setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
')

########################################
## <summary>
##	Read and write the dlm control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_dlm_control',`
	gen_require(`
		type device_t, dlm_control_device_t;
	')

	rw_chr_files_pattern($1, device_t, dlm_control_device_t)
')

########################################
## <summary>
##	Getattr the dri devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_dri_dev',`
	gen_require(`
		type device_t, dri_device_t;
	')

	getattr_chr_files_pattern($1, device_t, dri_device_t)
')

########################################
## <summary>
##	Setattr the dri devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_dri_dev',`
	gen_require(`
		type device_t, dri_device_t;
	')

	setattr_chr_files_pattern($1, device_t, dri_device_t)
')

########################################
## <summary>
##	IOCTL the dri devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_ioctl_dri_dev',`
	gen_require(`
		type dri_device_t;
	')

	# ioctl only; no directory search or open is granted here.
	allow $1 dri_device_t:chr_file ioctl;
')

########################################
## <summary>
##	Read and write the dri devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_dri',`
	gen_require(`
		type device_t, dri_device_t;
	')

	rw_chr_files_pattern($1, device_t, dri_device_t)
	# map is a separate permission from read/write: it gates mmap() of the
	# node, which DRI clients need.
	allow $1 dri_device_t:chr_file map;
')

########################################
## <summary>
##	Do not audit attempts to read and write the dri devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_rw_dri',`
	gen_require(`
		type dri_device_t;
	')

	dontaudit $1 dri_device_t:chr_file rw_chr_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete the dri devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_dri_dev',`
	gen_require(`
		type device_t, dri_device_t;
	')

	manage_chr_files_pattern($1, device_t, dri_device_t)
	# map is not part of manage_chr_files_pattern; granted here to match
	# dev_rw_dri().
	allow $1 dri_device_t:chr_file map;
')

########################################
## <summary>
##	Automatic type transition to the type
##	for DRI device nodes when created in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`dev_filetrans_dri',`
	gen_require(`
		type device_t, dri_device_t;
	')

	filetrans_pattern($1, device_t, dri_device_t, chr_file, $2)
')

########################################
## <summary>
##	Automatic type transition to the type
##	for event device nodes when created in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`dev_filetrans_input_dev',`
	gen_require(`
		type device_t, event_device_t;
	')

	filetrans_pattern($1, device_t, event_device_t, chr_file, $2)
')

########################################
## <summary>
##	Get the attributes of the event devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_input_dev',`
	gen_require(`
		type device_t, event_device_t;
	')

	allow $1 device_t:dir list_dir_perms;
	allow $1 event_device_t:chr_file getattr;
')

########################################
## <summary>
##	Set the attributes of the event devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
##	</summary>
## </param>
#
interface(`dev_setattr_input_dev',`
	gen_require(`
		type device_t, event_device_t;
	')

	allow $1 device_t:dir list_dir_perms;
	allow $1 event_device_t:chr_file setattr;
')

########################################
## <summary>
##	Read input event devices (/dev/input).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_input',`
	gen_require(`
		type device_t, event_device_t;
	')

	read_chr_files_pattern($1, device_t, event_device_t)
')

########################################
## <summary>
##	Read and write input event devices (/dev/input).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_input_dev',`
	gen_require(`
		type device_t, event_device_t;
	')

	rw_chr_files_pattern($1, device_t, event_device_t)
')

########################################
## <summary>
##	Create, read, write, and delete input event devices (/dev/input).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_input_dev',`
	gen_require(`
		type device_t, event_device_t;
	')

	manage_chr_files_pattern($1, device_t, event_device_t)
')

########################################
## <summary>
##	Read and write ipmi devices (/dev/ipmi*).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_ipmi_dev',`
	gen_require(`
		type device_t, ipmi_device_t;
	')

	rw_chr_files_pattern($1, device_t, ipmi_device_t)
')

########################################
## <summary>
##	Get the attributes of the framebuffer device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_framebuffer_dev',`
	gen_require(`
		type device_t, framebuf_device_t;
	')

	getattr_chr_files_pattern($1, device_t, framebuf_device_t)
')

########################################
## <summary>
##	Set the attributes of the framebuffer device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_framebuffer_dev',`
	gen_require(`
		type device_t, framebuf_device_t;
	')

	setattr_chr_files_pattern($1, device_t, framebuf_device_t)
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of the framebuffer device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_framebuffer_dev',`
	gen_require(`
		type framebuf_device_t;
	')

	dontaudit $1 framebuf_device_t:chr_file setattr;
')

########################################
## <summary>
##	Read the framebuffer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_framebuffer',`
	gen_require(`
		type framebuf_device_t, device_t;
	')

	read_chr_files_pattern($1, device_t, framebuf_device_t)
')

########################################
## <summary>
##	Do not audit attempts to read the framebuffer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_read_framebuffer',`
	gen_require(`
		type framebuf_device_t;
	')

	dontaudit $1 framebuf_device_t:chr_file { getattr read };
')

########################################
## <summary>
##	Write the framebuffer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_framebuffer',`
	gen_require(`
		type device_t, framebuf_device_t;
	')

	write_chr_files_pattern($1, device_t, framebuf_device_t)
')

########################################
## <summary>
##	Read and write the framebuffer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_framebuffer',`
	gen_require(`
		type device_t, framebuf_device_t;
	')

	rw_chr_files_pattern($1, device_t, framebuf_device_t)
')

########################################
## <summary>
##	Read the kernel messages device (/dev/kmsg).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_kmsg',`
	gen_require(`
		type device_t, kmsg_device_t;
	')

	read_chr_files_pattern($1, device_t, kmsg_device_t)
')

########################################
## <summary>
##	Do not audit attempts to read the kernel messages device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_read_kmsg',`
	gen_require(`
		type kmsg_device_t;
	')

	dontaudit $1 kmsg_device_t:chr_file read;
')

########################################
## <summary>
##	Write to the kernel messages device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_kmsg',`
	gen_require(`
		type device_t, kmsg_device_t;
	')

	write_chr_files_pattern($1, device_t, kmsg_device_t)
')

########################################
## <summary>
##	Read and write the kernel messages device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_kmsg',`
	gen_require(`
		type device_t, kmsg_device_t;
	')

	rw_chr_files_pattern($1, device_t, kmsg_device_t)
')

########################################
## <summary>
##	Mount on the kernel messages device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_mounton_kmsg',`
	gen_require(`
		type kmsg_device_t;
	')

	allow $1 kmsg_device_t:chr_file mounton;
')

########################################
## <summary>
##	Get the attributes of the ksm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_ksm_dev',`
	gen_require(`
		type device_t, ksm_device_t;
	')

	getattr_chr_files_pattern($1, device_t, ksm_device_t)
')

########################################
## <summary>
##	Set the attributes of the ksm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_ksm_dev',`
	gen_require(`
		type device_t, ksm_device_t;
	')

	setattr_chr_files_pattern($1, device_t, ksm_device_t)
')

########################################
## <summary>
##	Read the ksm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_ksm',`
	gen_require(`
		type device_t, ksm_device_t;
	')

	read_chr_files_pattern($1, device_t, ksm_device_t)
')

########################################
## <summary>
##	Read and write the ksm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_ksm',`
	gen_require(`
		type device_t, ksm_device_t;
	')

	rw_chr_files_pattern($1, device_t, ksm_device_t)
')

########################################
## <summary>
##	Get the attributes of the kvm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_kvm_dev',`
	gen_require(`
		type device_t, kvm_device_t;
	')

	getattr_chr_files_pattern($1, device_t, kvm_device_t)
')

########################################
## <summary>
##	Set the attributes of the kvm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_kvm_dev',`
	gen_require(`
		type device_t, kvm_device_t;
	')

	setattr_chr_files_pattern($1, device_t, kvm_device_t)
')

########################################
## <summary>
##	Read the kvm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_kvm',`
	gen_require(`
		type device_t, kvm_device_t;
	')

	read_chr_files_pattern($1, device_t, kvm_device_t)
')

########################################
## <summary>
##	Read and write the kvm devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_kvm',`
	gen_require(`
		type device_t, kvm_device_t;
	')

	rw_chr_files_pattern($1, device_t, kvm_device_t)
')

########################################
## <summary>
##	Read the lirc device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_lirc',`
	gen_require(`
		type device_t, lirc_device_t;
	')

	read_chr_files_pattern($1, device_t, lirc_device_t)
')

########################################
## <summary>
##	Read and write the lirc device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_lirc',`
	gen_require(`
		type device_t, lirc_device_t;
	')

	rw_chr_files_pattern($1, device_t, lirc_device_t)
')

########################################
## <summary>
##	Automatic type transition to the type
##	for lirc device nodes when created in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`dev_filetrans_lirc',`
	gen_require(`
		type device_t, lirc_device_t;
	')

	filetrans_pattern($1, device_t, lirc_device_t, chr_file, $2)
')

########################################
## <summary>
##	Read and write the loop-control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_loop_control',`
	gen_require(`
		type device_t, loop_control_device_t;
	')

	rw_chr_files_pattern($1, device_t, loop_control_device_t)
')

########################################
## <summary>
##	Get the attributes of the lvm control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_lvm_control',`
	gen_require(`
		type device_t, lvm_control_t;
	')

	getattr_chr_files_pattern($1, device_t, lvm_control_t)
')

########################################
## <summary>
##	Read the lvm control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_lvm_control',`
	gen_require(`
		type device_t, lvm_control_t;
	')

	read_chr_files_pattern($1, device_t, lvm_control_t)
')

########################################
## <summary>
##	Read and write the lvm control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_lvm_control',`
	gen_require(`
		type device_t, lvm_control_t;
	')

	rw_chr_files_pattern($1, device_t, lvm_control_t)
')

########################################
## <summary>
##	Do not audit attempts to read and write the lvm control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_rw_lvm_control',`
	gen_require(`
		type lvm_control_t;
	')

	dontaudit $1 lvm_control_t:chr_file rw_chr_file_perms;
')

########################################
## <summary>
##	Delete the lvm control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_lvm_control_dev',`
	gen_require(`
		type device_t, lvm_control_t;
	')

	delete_chr_files_pattern($1, device_t, lvm_control_t)
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of
##	raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_memory_dev',`
	gen_require(`
		type memory_device_t;
	')

	dontaudit $1 memory_device_t:chr_file getattr;
')

########################################
## <summary>
##	Read raw memory devices (e.g. /dev/mem).
##	This is extremely dangerous as it can bypass the
##	SELinux protections, and should only be used by trusted
##	domains.
## </summary>
## <desc>
##	<p>
##	Besides read access to the device node, this grants the
##	domain the sys_rawio capability and adds it to the
##	memory_raw_read attribute, which other policy can use to
##	identify every domain with raw memory read access.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_raw_memory',`
	gen_require(`
		type device_t, memory_device_t;
		attribute memory_raw_read;
	')

	read_chr_files_pattern($1, device_t, memory_device_t)
	# the kernel checks CAP_SYS_RAWIO on /dev/mem access in addition to the file permission
	allow $1 self:capability sys_rawio;
	# mark the domain so policy can audit/constrain every raw memory reader
	typeattribute $1 memory_raw_read;
')

########################################
## <summary>
##	Read raw memory devices (e.g. /dev/mem) if a tunable is set.
##	This is extremely dangerous as it can bypass the
##	SELinux protections, and should only be used by trusted
##	domains.
## </summary>
## <desc>
##	<p>
##	Membership in the memory_raw_read attribute is granted
##	unconditionally; only the read rules and the sys_rawio
##	capability are gated by the tunable.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="tunable">
##	<summary>
##	Tunable to depend on
##	</summary>
## </param>
#
interface(`dev_read_raw_memory_cond',`
	gen_require(`
		type device_t, memory_device_t;
		attribute memory_raw_read;
	')

	# attribute assignment cannot live inside tunable_policy, so it is always applied
	typeattribute $1 memory_raw_read;

	tunable_policy(`$2', `
		read_chr_files_pattern($1, device_t, memory_device_t)
		allow $1 self:capability sys_rawio;
	')
')

########################################
## <summary>
##	Do not audit attempts to read raw memory devices
##	(e.g. /dev/mem).
##	This is extremely dangerous as it can bypass the
##	SELinux protections, and should only be used by trusted
##	domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_read_raw_memory',`
	gen_require(`
		type memory_device_t;
	')

	dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
')

########################################
## <summary>
##	Write raw memory devices (e.g. /dev/mem).
##	This is extremely dangerous as it can bypass the
##	SELinux protections, and should only be used by trusted
##	domains.
## </summary>
## <desc>
##	<p>
##	Besides write access to the device node, this grants the
##	domain the sys_rawio capability and adds it to the
##	memory_raw_write attribute.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_raw_memory',`
	gen_require(`
		type device_t, memory_device_t;
		attribute memory_raw_write;
	')

	write_chr_files_pattern($1, device_t, memory_device_t)
	allow $1 self:capability sys_rawio;
	typeattribute $1 memory_raw_write;
')

########################################
## <summary>
##	Write raw memory devices (e.g. /dev/mem) if a tunable is set.
##	This is extremely dangerous as it can bypass the
##	SELinux protections, and should only be used by trusted
##	domains.
## </summary>
## <desc>
##	<p>
##	Membership in the memory_raw_write attribute is granted
##	unconditionally; only the write rules and the sys_rawio
##	capability are gated by the tunable.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="tunable">
##	<summary>
##	Tunable to depend on
##	</summary>
## </param>
#
interface(`dev_write_raw_memory_cond',`
	gen_require(`
		type device_t, memory_device_t;
		attribute memory_raw_write;
	')

	typeattribute $1 memory_raw_write;

	tunable_policy(`$2', `
		write_chr_files_pattern($1, device_t, memory_device_t)
		allow $1 self:capability sys_rawio;
	')
')

########################################
## <summary>
##	Read and execute raw memory devices (e.g. /dev/mem).
##	This is extremely dangerous as it can bypass the
##	SELinux protections, and should only be used by trusted
##	domains.
## </summary>
## <desc>
##	<p>
##	Everything dev_read_raw_memory() grants, plus map and
##	execute on the device node so the mapping can be
##	executable.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rx_raw_memory',`
	gen_require(`
		type memory_device_t;
	')

	dev_read_raw_memory($1)
	allow $1 memory_device_t:chr_file { map execute };
')

########################################
## <summary>
##	Write and execute raw memory devices (e.g. /dev/mem).
##	This is extremely dangerous as it can bypass the
##	SELinux protections, and should only be used by trusted
##	domains.
## </summary>
## <desc>
##	<p>
##	Everything dev_write_raw_memory() grants, plus map and
##	execute on the device node.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_wx_raw_memory',`
	gen_require(`
		type memory_device_t;
	')

	dev_write_raw_memory($1)
	allow $1 memory_device_t:chr_file { map execute };
')

########################################
## <summary>
##	Write and execute raw memory devices (e.g. /dev/mem) if a tunable is set.
##	This is extremely dangerous as it can bypass the
##	SELinux protections, and should only be used by trusted
##	domains.
## </summary>
## <desc>
##	<p>
##	Membership in the memory_raw_write attribute is granted
##	unconditionally; the write, sys_rawio, map and execute
##	rules are gated by the tunable.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="tunable">
##	<summary>
##	Tunable to depend on
##	</summary>
## </param>
#
interface(`dev_wx_raw_memory_cond',`
	gen_require(`
		type memory_device_t;
		attribute memory_raw_write;
	')

	typeattribute $1 memory_raw_write;
	dev_write_raw_memory_cond($1, $2)

	tunable_policy(`$2', `
		allow $1 memory_device_t:chr_file { map execute };
	')
')

########################################
## <summary>
##	Get the attributes of miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_misc_dev',`
	gen_require(`
		type device_t, misc_device_t;
	')

	getattr_chr_files_pattern($1, device_t, misc_device_t)
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_misc_dev',`
	gen_require(`
		type misc_device_t;
	')

	dontaudit $1 misc_device_t:chr_file getattr;
')

########################################
## <summary>
##	Set the attributes of miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_misc_dev',`
	gen_require(`
		type device_t, misc_device_t;
	')

	setattr_chr_files_pattern($1, device_t, misc_device_t)
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_misc_dev',`
	gen_require(`
		type misc_device_t;
	')

	dontaudit $1 misc_device_t:chr_file setattr;
')

########################################
## <summary>
##	Read miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_misc',`
	gen_require(`
		type device_t, misc_device_t;
	')

	read_chr_files_pattern($1, device_t, misc_device_t)
')

########################################
## <summary>
##	Write miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_misc',`
	gen_require(`
		type device_t, misc_device_t;
	')

	write_chr_files_pattern($1, device_t, misc_device_t)
')

########################################
## <summary>
##	Do not audit attempts to read and write miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_rw_misc',`
	gen_require(`
		type misc_device_t;
	')

	dontaudit $1 misc_device_t:chr_file rw_chr_file_perms;
')

########################################
## <summary>
##	Get the attributes of the modem devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_modem_dev',`
	gen_require(`
		type device_t, modem_device_t;
	')

	getattr_chr_files_pattern($1, device_t, modem_device_t)
')

########################################
## <summary>
##	Set the attributes of the modem devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_modem_dev',`
	gen_require(`
		type device_t, modem_device_t;
	')

	setattr_chr_files_pattern($1, device_t, modem_device_t)
')

########################################
## <summary>
##	Read the modem devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_modem',`
	gen_require(`
		type device_t, modem_device_t;
	')

	read_chr_files_pattern($1, device_t, modem_device_t)
')

########################################
## <summary>
##	Read and write the modem devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_modem',`
	gen_require(`
		type device_t, modem_device_t;
	')

	rw_chr_files_pattern($1, device_t, modem_device_t)
')

########################################
## <summary>
##	Get the attributes of the mouse devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_mouse_dev',`
	gen_require(`
		type device_t, mouse_device_t;
	')

	getattr_chr_files_pattern($1, device_t, mouse_device_t)
')

########################################
## <summary>
##	Set the attributes of the mouse devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_mouse_dev',`
	gen_require(`
		type device_t, mouse_device_t;
	')

	setattr_chr_files_pattern($1, device_t, mouse_device_t)
')

########################################
## <summary>
##	Read the mouse devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_mouse',`
	gen_require(`
		type device_t, mouse_device_t;
	')

	read_chr_files_pattern($1, device_t, mouse_device_t)
')

########################################
## <summary>
##	Read and write the mouse devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_mouse',`
	gen_require(`
		type device_t, mouse_device_t;
	')

	rw_chr_files_pattern($1, device_t, mouse_device_t)
')

########################################
## <summary>
##	Get the attributes of the memory type range
##	registers (MTRR) device. Covers both the file
##	and chr_file object classes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_mtrr_dev',`
	gen_require(`
		type device_t, mtrr_device_t;
	')

	# the MTRR node is labeled as a regular file on some kernels and a chr_file on others
	getattr_files_pattern($1, device_t, mtrr_device_t)
	getattr_chr_files_pattern($1, device_t, mtrr_device_t)
')

########################################
## <summary>
##	Do not audit attempts to write the memory type
##	range registers (MTRR).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_write_mtrr',`
	gen_require(`
		type mtrr_device_t;
	')

	dontaudit $1 mtrr_device_t:file write;
	dontaudit $1 mtrr_device_t:chr_file write;
')

########################################
## <summary>
##	Read and write the memory type range registers (MTRR).
##	Covers both the file and chr_file object classes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_mtrr',`
	gen_require(`
		type device_t, mtrr_device_t;
	')

	rw_files_pattern($1, device_t, mtrr_device_t)
	rw_chr_files_pattern($1, device_t, mtrr_device_t)
')

########################################
## <summary>
##	Get the attributes of the network control device. (Deprecated)
##	Emits a build-time warning and forwards to dev_getattr_pmqos_dev().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_netcontrol_dev',`
	refpolicywarn(`$0() has been deprecated, use dev_getattr_pmqos_dev() instead.')
	dev_getattr_pmqos_dev($1)
')

########################################
## <summary>
##	Read the network control identity. (Deprecated)
##	Emits a build-time warning and forwards to dev_read_pmqos().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_netcontrol',`
	refpolicywarn(`$0() has been deprecated, use dev_read_pmqos() instead.')
	dev_read_pmqos($1)
')

########################################
## <summary>
##	Read and write the network control device. (Deprecated)
##	Emits a build-time warning and forwards to dev_rw_pmqos().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_netcontrol',`
	refpolicywarn(`$0() has been deprecated, use dev_rw_pmqos() instead.')
	dev_rw_pmqos($1)
')

########################################
## <summary>
##	Get the attributes of the null device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_null_dev',`
	gen_require(`
		type device_t, null_device_t;
	')

	getattr_chr_files_pattern($1, device_t, null_device_t)
')

########################################
## <summary>
##	Set the attributes of the null device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_null_dev',`
	gen_require(`
		type device_t, null_device_t;
	')

	setattr_chr_files_pattern($1, device_t, null_device_t)
')

########################################
## <summary>
##	Delete the null device (/dev/null).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_null',`
	gen_require(`
		type device_t, null_device_t;
	')

	delete_chr_files_pattern($1, device_t, null_device_t)
')

########################################
## <summary>
##	Read and write the null device (/dev/null).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_null',`
	gen_require(`
		type device_t, null_device_t;
	')

	rw_chr_files_pattern($1, device_t, null_device_t)
')

########################################
## <summary>
##	Create the null device (/dev/null).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_null_dev',`
	gen_require(`
		type device_t, null_device_t;
	')

	create_chr_files_pattern($1, device_t, null_device_t)
')

########################################
## <summary>
##	Manage services with script type null_device_t for when
##	/lib/systemd/system/something.service is a link to /dev/null
##	(a masked unit). Grants status, start, stop and reload on
##	the service class only; no file access is added.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_null_service',`
	gen_require(`
		type null_device_t;
		# the service class is declared by the userspace (systemd) object manager
		class service { status start stop reload };
	')

	allow $1 null_device_t:service { status start stop reload };
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of the BIOS non-volatile RAM device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_nvram_dev',`
	gen_require(`
		type nvram_device_t;
	')

	dontaudit $1 nvram_device_t:chr_file getattr;
')

########################################
## <summary>
##	Read and write BIOS non-volatile RAM.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_nvram',`
	gen_require(`
		type nvram_device_t, device_t;
	')

	rw_chr_files_pattern($1, device_t, nvram_device_t)
')

########################################
## <summary>
##	Get the attributes of the printer device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_printer_dev',`
	gen_require(`
		type device_t, printer_device_t;
	')

	getattr_chr_files_pattern($1, device_t, printer_device_t)
')

########################################
## <summary>
##	Set the attributes of the printer device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_printer_dev',`
	gen_require(`
		type device_t, printer_device_t;
	')

	setattr_chr_files_pattern($1, device_t, printer_device_t)
')

########################################
## <summary>
##	Append to the printer device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for lpd/checkpc_t
interface(`dev_append_printer',`
	gen_require(`
		type device_t, printer_device_t;
	')

	append_chr_files_pattern($1, device_t, printer_device_t)
')

########################################
## <summary>
##	Read and write the printer device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_printer',`
	gen_require(`
		type device_t, printer_device_t;
	')

	rw_chr_files_pattern($1, device_t, printer_device_t)
')

########################################
## <summary>
##	Get the attributes of the PM QoS devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_pmqos_dev',`
	gen_require(`
		type device_t, pmqos_device_t;
	')

	getattr_chr_files_pattern($1, device_t, pmqos_device_t)
')

########################################
## <summary>
##	Read the PM QoS devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_pmqos',`
	gen_require(`
		type device_t, pmqos_device_t;
	')

	read_chr_files_pattern($1, device_t, pmqos_device_t)
')

########################################
## <summary>
##	Read and write the PM QoS devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_pmqos',`
	gen_require(`
		type device_t, pmqos_device_t;
	')

	rw_chr_files_pattern($1, device_t, pmqos_device_t)
')

########################################
## <summary>
##	Read printk devices (e.g., /dev/kmsg /dev/mcelog). (Deprecated)
##	This interface grants nothing; it only emits a build-time
##	warning.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_printk',`
	refpolicywarn(`$0() has been deprecated.')
')

########################################
## <summary>
##	Get the attributes of the QEMU
##	microcode and id interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_qemu_dev',`
	gen_require(`
		type device_t, qemu_device_t;
	')

	getattr_chr_files_pattern($1, device_t, qemu_device_t)
')

########################################
## <summary>
##	Set the attributes of the QEMU
##	microcode and id interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_qemu_dev',`
	gen_require(`
		type device_t, qemu_device_t;
	')

	setattr_chr_files_pattern($1, device_t, qemu_device_t)
')

########################################
## <summary>
##	Read the QEMU device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_qemu',`
	gen_require(`
		type device_t, qemu_device_t;
	')

	read_chr_files_pattern($1, device_t, qemu_device_t)
')

########################################
## <summary>
##	Read and write the QEMU device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_qemu',`
	gen_require(`
		type device_t, qemu_device_t;
	')

	rw_chr_files_pattern($1, device_t, qemu_device_t)
')

########################################
## <summary>
##	Read from random number generator
##	devices (e.g., /dev/random).
## </summary>
## <desc>
##	<p>
##	Allow the specified domain to read from random number
##	generator devices (e.g., /dev/random). Typically this is
##	used in situations when a cryptographically secure random
##	number is needed.
##	</p>
##	<p>
##	Related interface:
##	</p>
##	<ul>
##		<li>dev_read_urand()</li>
##	</ul>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_rand',`
	gen_require(`
		type device_t, random_device_t;
	')

	read_chr_files_pattern($1, device_t, random_device_t)
')

########################################
## <summary>
##	Do not audit attempts to read from random
##	number generator devices (e.g., /dev/random).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_read_rand',`
	gen_require(`
		type random_device_t;
	')

	dontaudit $1 random_device_t:chr_file { getattr read };
')

########################################
## <summary>
##	Do not audit attempts to append to random
##	number generator devices (e.g., /dev/random).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_append_rand',`
	gen_require(`
		type random_device_t;
	')

	dontaudit $1 random_device_t:chr_file append_chr_file_perms;
')

########################################
## <summary>
##	Write to the random device (e.g., /dev/random). This adds
##	entropy used to generate the random data read from the
##	random device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_rand',`
	gen_require(`
		type device_t, random_device_t;
	')

	write_chr_files_pattern($1, device_t, random_device_t)
')

########################################
## <summary>
##	Create the random device (/dev/random).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_rand_dev',`
	gen_require(`
		type device_t, random_device_t;
	')

	create_chr_files_pattern($1, device_t, random_device_t)
')

########################################
## <summary>
##	Read the realtime clock (/dev/rtc).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_realtime_clock',`
	gen_require(`
		type device_t, clock_device_t;
	')

	read_chr_files_pattern($1, device_t, clock_device_t)
')

########################################
## <summary>
##	Set the realtime clock (/dev/rtc). Also allows
##	setting the attributes of the clock device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_realtime_clock',`
	gen_require(`
		type device_t, clock_device_t;
	')

	write_chr_files_pattern($1, device_t, clock_device_t)
	allow $1 clock_device_t:chr_file setattr;
')

########################################
## <summary>
##	Read and set the realtime clock (/dev/rtc).
##	Composed of dev_read_realtime_clock() and
##	dev_write_realtime_clock().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_realtime_clock',`
	dev_read_realtime_clock($1)
	dev_write_realtime_clock($1)
')

########################################
## <summary>
##	Get the attributes of the scanner device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_scanner_dev',`
	gen_require(`
		type device_t, scanner_device_t;
	')

	getattr_chr_files_pattern($1, device_t, scanner_device_t)
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of
##	the scanner device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_scanner_dev',`
	gen_require(`
		type scanner_device_t;
	')

	dontaudit $1 scanner_device_t:chr_file getattr;
')

########################################
## <summary>
##	Set the attributes of the scanner device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_scanner_dev',`
	gen_require(`
		type device_t, scanner_device_t;
	')

	setattr_chr_files_pattern($1, device_t, scanner_device_t)
')

########################################
## <summary>
##	Do not audit attempts to set the attributes of
##	the scanner device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_scanner_dev',`
	gen_require(`
		type scanner_device_t;
	')

	dontaudit $1 scanner_device_t:chr_file setattr;
')

########################################
## <summary>
##	Read and write the scanner device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_scanner',`
	gen_require(`
		type device_t, scanner_device_t;
	')

	rw_chr_files_pattern($1, device_t, scanner_device_t)
')

########################################
## <summary>
##	Get the attributes of the sound devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_sound_dev',`
	gen_require(`
		type device_t, sound_device_t;
	')

	getattr_chr_files_pattern($1, device_t, sound_device_t)
')

########################################
## <summary>
##	Set the attributes of the sound devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_sound_dev',`
	gen_require(`
		type device_t, sound_device_t;
	')

	setattr_chr_files_pattern($1, device_t, sound_device_t)
')

########################################
## <summary>
##	Read and map the sound devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_sound',`
	gen_require(`
		type device_t, sound_device_t;
	')

	read_chr_files_pattern($1, device_t, sound_device_t)
	# map is needed for mmap()-based audio buffers
	allow $1 sound_device_t:chr_file map;
')

########################################
## <summary>
##	Write and map the sound devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_sound',`
	gen_require(`
		type device_t, sound_device_t;
	')

	write_chr_files_pattern($1, device_t, sound_device_t)
	allow $1 sound_device_t:chr_file map;
')

########################################
## <summary>
##	Read and map the sound mixer devices.
##	Mixer devices share sound_device_t, so this is
##	equivalent to dev_read_sound().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_sound_mixer',`
	gen_require(`
		type device_t, sound_device_t;
	')

	read_chr_files_pattern($1, device_t, sound_device_t)
	allow $1 sound_device_t:chr_file map;
')

########################################
## <summary>
##	Write and map the sound mixer devices.
##	Mixer devices share sound_device_t, so this is
##	equivalent to dev_write_sound().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_sound_mixer',`
	gen_require(`
		type device_t, sound_device_t;
	')

	write_chr_files_pattern($1, device_t, sound_device_t)
	allow $1 sound_device_t:chr_file map;
')

########################################
## <summary>
##	Get the attributes of the power management device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_power_mgmt_dev',`
	gen_require(`
		type device_t, power_device_t;
	')

	getattr_chr_files_pattern($1, device_t, power_device_t)
')

########################################
## <summary>
##	Set the attributes of the power management device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_power_mgmt_dev',`
	gen_require(`
		type device_t, power_device_t;
	')

	setattr_chr_files_pattern($1, device_t, power_device_t)
')

########################################
## <summary>
##	Read and write the power management device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_power_management',`
	gen_require(`
		type device_t, power_device_t;
	')

	rw_chr_files_pattern($1, device_t, power_device_t)
')

########################################
## <summary>
##	Get the attributes of smartcard devices.
##	No search access to /dev is granted here.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_smartcard_dev',`
	gen_require(`
		type smartcard_device_t;
	')

	allow $1 smartcard_device_t:chr_file getattr;
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of smartcard devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_smartcard_dev',`
	gen_require(`
		type smartcard_device_t;
	')

	dontaudit $1 smartcard_device_t:chr_file getattr;
')

########################################
## <summary>
##	Read and write smartcard devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_smartcard',`
	gen_require(`
		type device_t, smartcard_device_t;
	')

	rw_chr_files_pattern($1, device_t, smartcard_device_t)
')

########################################
## <summary>
##	Create, read, write, and delete smartcard devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_smartcard',`
	gen_require(`
		type device_t, smartcard_device_t;
	')

	manage_chr_files_pattern($1, device_t, smartcard_device_t)
')

########################################
## <summary>
##	Read, write and map the sysdig device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_sysdig',`
	gen_require(`
		type device_t, sysdig_device_t;
	')

	rw_chr_files_pattern($1, device_t, sysdig_device_t)
	# the sysdig capture ring buffer is consumed through mmap()
	allow $1 sysdig_device_t:chr_file map;
')

########################################
## <summary>
##	Mount a filesystem on sysfs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Same rule as dev_mounton_sysfs_dirs(); both grant mounton on sysfs_t dirs.
interface(`dev_mounton_sysfs',`
	gen_require(`
		type sysfs_t;
	')

	allow $1 sysfs_t:dir mounton;
')

########################################
## <summary>
##	Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
##	<summary>
##	The type of the file to be associated to sysfs.
##	</summary>
## </param>
#
interface(`dev_associate_sysfs',`
	gen_require(`
		type sysfs_t;
	')

	allow $1 sysfs_t:filesystem associate;
')

########################################
## <summary>
##	Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_sysfs_dirs',`
	gen_require(`
		type sysfs_t;
	')

	allow $1 sysfs_t:dir getattr_dir_perms;
')

########################################
## <summary>
##	Get the attributes of the sysfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_sysfs',`
	gen_require(`
		type sysfs_t;
	')

	allow $1 sysfs_t:filesystem getattr;
')

########################################
## <summary>
##	Mount a sysfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_mount_sysfs',`
	gen_require(`
		type sysfs_t;
	')

	allow $1 sysfs_t:filesystem mount;
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of the sysfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_sysfs',`
	gen_require(`
		type sysfs_t;
	')

	dontaudit $1 sysfs_t:filesystem getattr;
')

########################################
## <summary>
##	Do not audit attempts to read hardware state information.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_read_sysfs',`
	gen_require(`
		type sysfs_t;
	')

	dontaudit $1 sysfs_t:file read_file_perms;
	dontaudit $1 sysfs_t:dir list_dir_perms;
	dontaudit $1 sysfs_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
##	Mount on sysfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Same rule as dev_mounton_sysfs().
interface(`dev_mounton_sysfs_dirs',`
	gen_require(`
		type sysfs_t;
	')

	allow $1 sysfs_t:dir mounton;
')

########################################
## <summary>
##	Search the sysfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_search_sysfs',`
	gen_require(`
		type sysfs_t;
	')

	search_dirs_pattern($1, sysfs_t, sysfs_t)
')

########################################
## <summary>
##	Do not audit attempts to search sysfs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_search_sysfs',`
	gen_require(`
		type sysfs_t;
	')

	dontaudit $1 sysfs_t:dir search_dir_perms;
')

########################################
## <summary>
##	List the contents of the sysfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_list_sysfs',`
	gen_require(`
		type sysfs_t;
	')

	list_dirs_pattern($1, sysfs_t, sysfs_t)
')

########################################
## <summary>
##	Write in sysfs directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for cpuspeed
interface(`dev_write_sysfs_dirs',`
	gen_require(`
		type sysfs_t;
	')

	allow $1 sysfs_t:dir write;
')

########################################
## <summary>
##	Do not audit attempts to write in a sysfs directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_write_sysfs_dirs',`
	gen_require(`
		type sysfs_t;
	')

	dontaudit $1 sysfs_t:dir write;
')

########################################
## <summary>
##	Create, read, write, and delete sysfs
##	directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_sysfs_dirs',`
	gen_require(`
		type sysfs_t;
	')

	manage_dirs_pattern($1, sysfs_t, sysfs_t)
')

########################################
## <summary>
##	Read hardware state information.
## </summary>
## <desc>
##	<p>

##	Allow the specified domain to read the contents of
##	the sysfs filesystem. This filesystem contains
##	information, parameters, and other settings on the
##	hardware installed on the system.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_sysfs',`
	gen_require(`
		type sysfs_t;
	')

	read_files_pattern($1, sysfs_t, sysfs_t)
	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
	list_dirs_pattern($1, sysfs_t, sysfs_t)
')

########################################
## <summary>
##	Write to hardware state information.
## </summary>
## <desc>
##	<p>

##	Allow the specified domain to write to the sysfs
##	filesystem.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Write-only: no read access to files or symlinks is granted here;
# pair with dev_read_sysfs() or use dev_rw_sysfs() when both are needed.
interface(`dev_write_sysfs',`
	gen_require(`
		type sysfs_t;
	')

	list_dirs_pattern($1, sysfs_t, sysfs_t)
	write_files_pattern($1, sysfs_t, sysfs_t)
')

########################################
## <summary>
##	Allow caller to modify hardware state information.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_sysfs',`
	gen_require(`
		type sysfs_t;
	')

	rw_files_pattern($1, sysfs_t, sysfs_t)
	read_lnk_files_pattern($1, sysfs_t, sysfs_t)
	list_dirs_pattern($1, sysfs_t, sysfs_t)
')

########################################
## <summary>
##	Add a sysfs file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_sysfs_files',`
	gen_require(`
		type sysfs_t;
	')

	create_files_pattern($1, sysfs_t, sysfs_t)
')

########################################
## <summary>
##	Relabel hardware state directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_relabel_sysfs_dirs',`
	gen_require(`
		type sysfs_t;
	')

	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
')

########################################
## <summary>
##	Relabel from/to all sysfs types.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Covers every type carrying the sysfs_types attribute, not only sysfs_t;
# relabeling is a label-changing power and should be limited to
# labeling/administrative domains.
interface(`dev_relabel_all_sysfs',`
	gen_require(`
		attribute sysfs_types;
	')

	allow $1 sysfs_types:dir { list_dir_perms relabel_dir_perms };
	allow $1 sysfs_types:file relabel_file_perms;
	allow $1 sysfs_types:lnk_file relabel_lnk_file_perms;
')

########################################
## <summary>
##	Set the attributes of all sysfs files, directories and symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_all_sysfs',`
	gen_require(`
		attribute sysfs_types;
	')

	allow $1 sysfs_types:dir { search_dir_perms setattr };
	allow $1 sysfs_types:file setattr;
	allow $1 sysfs_types:lnk_file { read_lnk_file_perms setattr };
')

########################################
## <summary>
##	Read and write the TPM device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_tpm',`
	gen_require(`
		type device_t, tpm_device_t;
	')

	rw_chr_files_pattern($1, device_t, tpm_device_t)
')

########################################
## <summary>
##	Read from pseudo random number generator devices (e.g., /dev/urandom).
## </summary>
## <desc>
##	<p>

##	Allow the specified domain to read from pseudo random number
##	generator devices (e.g., /dev/urandom). Typically this is
##	used in situations when a cryptographically secure random
##	number is not necessarily needed. One example is the Stack
##	Smashing Protector (SSP, formerly known as ProPolice) support
##	that may be compiled into programs.
##	</p>
##	<p>
##	Related interface:
##	</p>
##	<ul>
##		<li>dev_read_rand()</li>
##	</ul>
##	<p>
##	Related tunable:
##	</p>
##	<ul>
##		<li>global_ssp</li>
##	</ul>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_urand',`
	gen_require(`
		type device_t, urandom_device_t;
	')

	read_chr_files_pattern($1, device_t, urandom_device_t)
')

########################################
## <summary>
##	Do not audit attempts to read from pseudo
##	random devices (e.g., /dev/urandom).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_read_urand',`
	gen_require(`
		type urandom_device_t;
	')

	dontaudit $1 urandom_device_t:chr_file { getattr read };
')

########################################
## <summary>
##	Write to the pseudo random device (e.g., /dev/urandom). This
##	sets the random number generator seed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Writing lets the caller feed data into the kernel RNG pool, so this
# should be limited to seeding/entropy daemons rather than granted broadly.
interface(`dev_write_urand',`
	gen_require(`
		type device_t, urandom_device_t;
	')

	write_chr_files_pattern($1, device_t, urandom_device_t)
')

########################################
## <summary>
##	Create the urandom device (/dev/urandom).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_urand_dev',`
	gen_require(`
		type device_t, urandom_device_t;
	')

	create_chr_files_pattern($1, device_t, urandom_device_t)
')

########################################
## <summary>
##	Get the attributes of the generic USB devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_generic_usb_dev',`
	gen_require(`
		type usb_device_t, device_t;
	')

	getattr_chr_files_pattern($1, device_t, usb_device_t)
')

########################################
## <summary>
##	Set the attributes of the generic USB devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_generic_usb_dev',`
	gen_require(`
		type usb_device_t, device_t;
	')

	setattr_chr_files_pattern($1, device_t, usb_device_t)
')

########################################
## <summary>
##	Read the generic USB devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_generic_usb_dev',`
	gen_require(`
		type usb_device_t, device_t;
	')

	read_chr_files_pattern($1, device_t, usb_device_t)
')

########################################
## <summary>
##	Read and write the generic USB devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_generic_usb_dev',`
	gen_require(`
		type device_t, usb_device_t;
	')

	rw_chr_files_pattern($1, device_t, usb_device_t)
')

########################################
## <summary>
##	Relabel the generic USB devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_relabel_generic_usb_dev',`
	gen_require(`
		type usb_device_t, device_t;
	')

	relabel_chr_files_pattern($1, device_t, usb_device_t)
')

########################################
## <summary>
##	Read USB monitor devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# usbmon exposes raw USB bus traffic; read access reveals data from every
# device on the monitored bus, so treat it like packet capture.
interface(`dev_read_usbmon_dev',`
	gen_require(`
		type device_t, usbmon_device_t;
	')

	read_chr_files_pattern($1, device_t, usbmon_device_t)
')

########################################
## <summary>
##	Write USB monitor devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_usbmon_dev',`
	gen_require(`
		type device_t, usbmon_device_t;
	')

	write_chr_files_pattern($1, device_t, usbmon_device_t)
')

########################################
## <summary>
##	Mount a usbfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_mount_usbfs',`
	gen_require(`
		type usbfs_t;
	')

	allow $1 usbfs_t:filesystem mount;
')

########################################
## <summary>
##	Associate a file to a usbfs filesystem.
## </summary>
## <param name="file_type">
##	<summary>
##	The type of the file to be associated to usbfs.
##	</summary>
## </param>
#
interface(`dev_associate_usbfs',`
	gen_require(`
		type usbfs_t;
	')

	allow $1 usbfs_t:filesystem associate;
')

########################################
## <summary>
##	Get the attributes of a directory in the usb filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_usbfs_dirs',`
	gen_require(`
		type usbfs_t;
	')

	allow $1 usbfs_t:dir getattr_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of a directory in the usb filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_usbfs_dirs',`
	gen_require(`
		type usbfs_t;
	')

	dontaudit $1 usbfs_t:dir getattr_dir_perms;
')

########################################
## <summary>
##	Search the directory containing USB hardware information.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_search_usbfs',`
	gen_require(`
		type usbfs_t;
	')

	search_dirs_pattern($1, usbfs_t, usbfs_t)
')

########################################
## <summary>
##	Allow caller to get a list of usb hardware.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Listing only: file contents are not readable through this interface
# (getattr on files, read on symlinks, list on dirs).
interface(`dev_list_usbfs',`
	gen_require(`
		type usbfs_t;
	')

	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
	getattr_files_pattern($1, usbfs_t, usbfs_t)
	list_dirs_pattern($1, usbfs_t, usbfs_t)
')

########################################
## <summary>
##	Set the attributes of usbfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_usbfs_files',`
	gen_require(`
		type usbfs_t;
	')

	setattr_files_pattern($1, usbfs_t, usbfs_t)
	list_dirs_pattern($1, usbfs_t, usbfs_t)
')

########################################
## <summary>
##	Read USB hardware information using
##	the usbfs filesystem interface.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_usbfs',`
	gen_require(`
		type usbfs_t;
	')

	read_files_pattern($1, usbfs_t, usbfs_t)
	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
	list_dirs_pattern($1, usbfs_t, usbfs_t)
')

########################################
## <summary>
##	Allow caller to modify usb hardware configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_usbfs',`
	gen_require(`
		type usbfs_t;
	')

	list_dirs_pattern($1, usbfs_t, usbfs_t)
	rw_files_pattern($1, usbfs_t, usbfs_t)
	read_lnk_files_pattern($1, usbfs_t, usbfs_t)
')

########################################
## <summary>
##	Get the attributes of video4linux devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_video_dev',`
	gen_require(`
		type device_t, v4l_device_t;
	')

	getattr_chr_files_pattern($1, device_t, v4l_device_t)
')

########################################
## <summary>
##	Read and write the userio device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_userio_dev',`
	gen_require(`
		type device_t, userio_device_t;
	')

	rw_chr_files_pattern($1, device_t, userio_device_t)
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of video4linux device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_video_dev',`
	gen_require(`
		type v4l_device_t;
	')

	dontaudit $1 v4l_device_t:chr_file getattr;
')

########################################
## <summary>
##	Set the attributes of video4linux device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_video_dev',`
	gen_require(`
		type device_t, v4l_device_t;
	')

	setattr_chr_files_pattern($1, device_t, v4l_device_t)
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of video4linux device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_video_dev',`
	gen_require(`
		type v4l_device_t;
	')

	dontaudit $1 v4l_device_t:chr_file setattr;
')

########################################
## <summary>
##	Read the video4linux devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Read access to v4l nodes means access to camera/capture input; grant
# only to domains that genuinely need the video stream.
interface(`dev_read_video_dev',`
	gen_require(`
		type device_t, v4l_device_t;
	')

	read_chr_files_pattern($1, device_t, v4l_device_t)
')

########################################
## <summary>
##	Write the video4linux devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_video_dev',`
	gen_require(`
		type device_t, v4l_device_t;
	')

	write_chr_files_pattern($1, device_t, v4l_device_t)
')

########################################
## <summary>
##	Read and write vfio devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# vfio hands a domain direct control of a PCI/platform device (including
# DMA from the guest side); restrict to the virtualization domains that need it.
interface(`dev_rw_vfio_dev',`
	gen_require(`
		type device_t, vfio_device_t;
	')

	rw_chr_files_pattern($1, device_t, vfio_device_t)
')

########################################
## <summary>
##	Relabel from vfio devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Only relabelfrom is granted; the caller cannot relabel nodes *to* vfio_device_t.
interface(`dev_relabelfrom_vfio_dev',`
	gen_require(`
		type device_t, vfio_device_t;
	')

	relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
')

########################################
## <summary>
##	Read and write the vhost devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_vhost',`
	gen_require(`
		type device_t, vhost_device_t;
	')

	rw_chr_files_pattern($1, device_t, vhost_device_t)
')

########################################
## <summary>
##	Read and write VMWare devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_vmware',`
	gen_require(`
		type device_t, vmware_device_t;
	')

	rw_chr_files_pattern($1, device_t, vmware_device_t)
')

########################################
## <summary>
##	Read, write, and mmap VMWare devices, including
##	executable mappings.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rwx_vmware',`
	gen_require(`
		type vmware_device_t;
	')

	dev_rw_vmware($1)
	# execute permits PROT_EXEC mappings of the device node; only domains
	# that must run code from such a mapping should receive this.
	allow $1 vmware_device_t:chr_file { map execute };
')

########################################
## <summary>
##	Read from watchdog devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_watchdog',`
	gen_require(`
		type device_t, watchdog_device_t;
	')

	read_chr_files_pattern($1, device_t, watchdog_device_t)
')

########################################
## <summary>
##	Write to watchdog devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_watchdog',`
	gen_require(`
		type device_t, watchdog_device_t;
	')

	write_chr_files_pattern($1, device_t, watchdog_device_t)
')

########################################
## <summary>
##	Read the wireless device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_wireless',`
	gen_require(`
		type device_t, wireless_device_t;
	')

	read_chr_files_pattern($1, device_t, wireless_device_t)
')

########################################
## <summary>
##	Read and write the wireless device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_wireless',`
	gen_require(`
		type device_t, wireless_device_t;
	')

	rw_chr_files_pattern($1, device_t, wireless_device_t)
')

########################################
## <summary>
##	Create, read, write, and delete the wireless device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_wireless',`
	gen_require(`
		type device_t, wireless_device_t;
	')

	manage_chr_files_pattern($1, device_t, wireless_device_t)
')

########################################
## <summary>
##	Read, write, and map Xen devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_xen',`
	gen_require(`
		type device_t, xen_device_t;
	')

	rw_chr_files_pattern($1, device_t, xen_device_t)
	allow $1 xen_device_t:chr_file map;
')

########################################
## <summary>
##	Create, read, write, and delete Xen devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_xen',`
	gen_require(`
		type device_t, xen_device_t;
	')

	manage_chr_files_pattern($1, device_t, xen_device_t)
')

########################################
## <summary>
##	Automatic type transition to the type
##	for xen device nodes when created in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
# The transition applies only to chr_file objects created in device_t
# directories; $2 narrows it to a specific file name when supplied.
interface(`dev_filetrans_xen',`
	gen_require(`
		type device_t, xen_device_t;
	')

	filetrans_pattern($1, device_t, xen_device_t, chr_file, $2)
')

########################################
## <summary>
##	Get the attributes of X server miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_xserver_misc_dev',`
	gen_require(`
		type device_t, xserver_misc_device_t;
	')

	getattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
')

########################################
## <summary>
##	Set the attributes of X server miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_xserver_misc_dev',`
	gen_require(`
		type device_t, xserver_misc_device_t;
	')

	setattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
')

########################################
## <summary>
##	Read and write X server miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_xserver_misc',`
	gen_require(`
		type device_t, xserver_misc_device_t;
	')

	rw_chr_files_pattern($1, device_t, xserver_misc_device_t)
')

########################################
## <summary>
##	Map X server miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# map alone: callers still need dev_rw_xserver_misc() (or similar) to open the node.
interface(`dev_map_xserver_misc',`
	gen_require(`
		type xserver_misc_device_t;
	')

	allow $1 xserver_misc_device_t:chr_file map;
')

########################################
## <summary>
##	Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_zero',`
	gen_require(`
		type device_t, zero_device_t;
	')

	rw_chr_files_pattern($1, device_t, zero_device_t)
')

########################################
## <summary>
##	Read, write, and execute the zero device (/dev/zero).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rwx_zero',`
	gen_require(`
		type zero_device_t;
	')

	dev_rw_zero($1)
	# execute allows /dev/zero to be mapped PROT_EXEC, i.e. anonymous
	# executable memory obtained via the device rather than mmap(MAP_ANONYMOUS).
	# Prefer the execmem-style permissions on the domain where possible.
	allow $1 zero_device_t:chr_file { map execute };
')

########################################
## <summary>
##	Execmod the zero device (/dev/zero).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_execmod_zero',`
	gen_require(`
		type zero_device_t;
	')

	dev_rw_zero($1)
	# execmod lets a private mapping of /dev/zero that has been written to
	# be made executable afterwards (writable-then-executable memory).
	# This weakens W^X for the caller; grant only where such mappings are unavoidable.
	allow $1 zero_device_t:chr_file execmod;
')

########################################
## <summary>
##	Create the zero device (/dev/zero).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_zero_dev',`
	gen_require(`
		type device_t, zero_device_t;
	')

	create_chr_files_pattern($1, device_t, zero_device_t)
')

########################################
## <summary>
##	Read cpu online hardware state information.
## </summary>
## <desc>
##	<p>

##	Allow the specified domain to read /sys/devices/system/cpu/online
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_cpu_online',`
	gen_require(`
		type cpu_online_t;
	')

	allow $1 cpu_online_t:file read_file_perms;
	# The file lives under sysfs; search on sysfs_t directories is needed
	# to reach it, which dev_search_sysfs() provides.
	dev_search_sysfs($1)
')

########################################
## <summary>
##	Unconfined access to devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Adding a domain to devices_unconfined_type presumably grants it the full
# set of device rules attached to that attribute (defined where the
# attribute is declared) — confirm before using outside unconfined domains.
interface(`dev_unconfined',`
	gen_require(`
		attribute devices_unconfined_type;
	')

	typeattribute $1 devices_unconfined_type;
')