selinux-refpolicy/www/api-docs/kernel_storage.html

1020 lines
15 KiB
HTML

<html>
<head>
<title>
Security Enhanced Linux Reference Policy
</title>
<style type="text/css" media="all">@import "style.css";</style>
</head>
<body>
<div id="Header">Security Enhanced Linux Reference Policy</div>
<div id='Menu'>
<a href="admin.html">+&nbsp;
admin</a></br/>
<div id='subitem'>
</div>
<a href="kernel.html">+&nbsp;
kernel</a></br/>
<div id='subitem'>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_bootloader.html'>
bootloader</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_corenetwork.html'>
corenetwork</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_devices.html'>
devices</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_filesystem.html'>
filesystem</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_kernel.html'>
kernel</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_selinux.html'>
selinux</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_storage.html'>
storage</a><br/>
&nbsp;&nbsp;&nbsp;-&nbsp;<a href='kernel_terminal.html'>
terminal</a><br/>
</div>
<a href="services.html">+&nbsp;
services</a></br/>
<div id='subitem'>
</div>
<a href="system.html">+&nbsp;
system</a></br/>
<div id='subitem'>
</div>
<br/><p/>
<a href="interfaces.html">*&nbsp;Interface Index</a>
</div>
<div id="Content">
<h1>Layer: kernel</h1><p/>
<h2>Module: storage</h2><p/>
<h3>Description:</h3>
<p>Policy controlling access to storage devices</p>
<h3>Interfaces: </h3>
<div id="interface">
<div id="codeblock">
<b>storage_create_fixed_disk</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Create block devices in /dev with the fixed disk type.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_dontaudit_getattr_fixed_disk</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Do not audit attempts made by the caller to get
the attributes of fixed disk device nodes.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process to not audit.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_dontaudit_getattr_removable_device</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Do not audit attempts made by the caller to get
the attributes of removable devices device nodes.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process to not audit.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_getattr_fixed_disk</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to get the attributes of fixed disk
device nodes.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_getattr_removable_device</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to get the attributes of removable
devices device nodes.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_getattr_scsi_generic</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Get attributes of the device nodes
for the SCSI generic inerface.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_getattr_tape_device</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to get the attributes
of device nodes of tape devices.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_manage_fixed_disk</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Create, read, write, and delete fixed disk device nodes.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_raw_read_fixed_disk</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to directly read from a fixed disk.
This is extremly dangerous as it can bypass the
SELinux protections for filesystem objects, and
should only be used by trusted domains.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_raw_read_lvm_volume</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to directly read from a logical volume.
This is extremly dangerous as it can bypass the
SELinux protections for filesystem objects, and
should only be used by trusted domains.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_raw_read_removable_device</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to directly read from
a removable device.
This is extremly dangerous as it can bypass the
SELinux protections for filesystem objects, and
should only be used by trusted domains.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_raw_write_fixed_disk</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to directly write to a fixed disk.
This is extremly dangerous as it can bypass the
SELinux protections for filesystem objects, and
should only be used by trusted domains.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_raw_write_lvm_volume</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to directly read from a logical volume.
This is extremly dangerous as it can bypass the
SELinux protections for filesystem objects, and
should only be used by trusted domains.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_raw_write_removable_device</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to directly write to
a removable device.
This is extremly dangerous as it can bypass the
SELinux protections for filesystem objects, and
should only be used by trusted domains.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_read_scsi_generic</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to directly read, in a
generic fashion, from any SCSI device.
This is extremly dangerous as it can bypass the
SELinux protections for filesystem objects, and
should only be used by trusted domains.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_read_tape_device</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to directly read
a tape device.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_setattr_fixed_disk</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to set the attributes of fixed disk
device nodes.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_setattr_removable_device</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to set the attributes of removable
devices device nodes.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_setattr_scsi_generic</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Set attributes of the device nodes
for the SCSI generic inerface.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_setattr_tape_device</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to set the attributes
of device nodes of tape devices.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_write_scsi_generic</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to directly write, in a
generic fashion, from any SCSI device.
This is extremly dangerous as it can bypass the
SELinux protections for filesystem objects, and
should only be used by trusted domains.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
<div id="interface">
<div id="codeblock">
<b>storage_write_tape_device</b>(
domain
)<br>
</div>
<div id="description">
<h5>Description:</h5>
<p>
Allow the caller to directly read
a tape device.
</p><br/>
<h5>Parameters:</h5>
<div id="description">
<table border="1" cellspacing="0" cellpadding="3" width="80%">
<tr><th >Parameter:</td><th >Description:</td><th >Optional:</td></tr>
<tr><td>
domain
</td><td>
The type of the process performing this action.
</td><td>
No
</td></tr>
</table>
</div>
</div>
</div>
</div>
</body>
</html>