selinux-refpolicy/refpolicy/policy/modules/kernel/storage.te
2005-12-09 16:38:39 +00:00

57 lines
1.4 KiB
Plaintext

policy_module(storage,1.0.0)
########################################
#
# Declarations
#
attribute fixed_disk_raw_read;
attribute fixed_disk_raw_write;
attribute scsi_generic_read;
attribute scsi_generic_write;
#
# fixed_disk_device_t is the type of
# /dev/hd* and /dev/sd*.
#
type fixed_disk_device_t;
dev_node(fixed_disk_device_t)
neverallow ~fixed_disk_raw_read fixed_disk_device_t:{ chr_file blk_file } read;
neverallow ~fixed_disk_raw_write fixed_disk_device_t:{ chr_file blk_file } { append write };
#
# lvm_vg_t is the type of logical volume groups
#
type lvm_vg_t;
dev_node(lvm_vg_t)
# from the subject's point of view, same as read/writing a regular
# fixed disk, so use the same assertions as above
neverallow ~fixed_disk_raw_read lvm_vg_t:{ chr_file blk_file } read;
neverallow ~fixed_disk_raw_write lvm_vg_t:{ chr_file blk_file } { append write };
#
# scsi_generic_device_t is the type of /dev/sg*
# it gives access to ALL SCSI devices (both fixed and removable)
#
type scsi_generic_device_t;
dev_node(scsi_generic_device_t)
neverallow ~scsi_generic_read scsi_generic_device_t:{ chr_file blk_file } read;
neverallow ~scsi_generic_write scsi_generic_device_t:{ chr_file blk_file } { append write };
#
# removable_device_t is the type of
# /dev/scd* and /dev/fd*.
#
type removable_device_t;
dev_node(removable_device_t)
#
# tape_device_t is the type of
#
type tape_device_t;
dev_node(tape_device_t)