## <summary>Policy controlling access to storage devices</summary>
########################################
## Allow the caller to get the attributes of fixed disk
## <param name="domain">
## The type of the process performing this action.
interface(`storage_getattr_fixed_disk_dev',`
type fixed_disk_device_t;
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file getattr;
########################################
## Do not audit attempts made by the caller to get
## the attributes of fixed disk device nodes.
## <param name="domain">
## The type of the process to not audit.
interface(`storage_dontaudit_getattr_fixed_disk_dev',`
type fixed_disk_device_t;
dontaudit $1 fixed_disk_device_t:blk_file getattr;
dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl
########################################
## Allow the caller to set the attributes of fixed disk
## <param name="domain">
## The type of the process performing this action.
interface(`storage_setattr_fixed_disk_dev',`
type fixed_disk_device_t;
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file setattr;
########################################
## Do not audit attempts made by the caller to set
## the attributes of fixed disk device nodes.
## <param name="domain">
## The type of the process to not audit.
interface(`storage_dontaudit_setattr_fixed_disk_dev',`
type fixed_disk_device_t;
dontaudit $1 fixed_disk_device_t:blk_file setattr;
########################################
## Allow the caller to directly read from a fixed disk.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_raw_read_fixed_disk',`
attribute fixed_disk_raw_read;
type fixed_disk_device_t;
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
typeattribute $1 fixed_disk_raw_read;
########################################
## Do not audit attempts made by the caller to read
## fixed disk device nodes.
## <param name="domain">
## The type of the process to not audit.
interface(`storage_dontaudit_read_fixed_disk',`
type fixed_disk_device_t;
dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
########################################
## Allow the caller to directly write to a fixed disk.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_raw_write_fixed_disk',`
attribute fixed_disk_raw_write;
type fixed_disk_device_t;
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
allow $1 fixed_disk_device_t:chr_file write_chr_file_perms;
typeattribute $1 fixed_disk_raw_write;
########################################
## Do not audit attempts made by the caller to write
## fixed disk device nodes.
## <param name="domain">
## Domain to not audit.
interface(`storage_dontaudit_write_fixed_disk',`
type fixed_disk_device_t;
dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms;
########################################
## Allow the caller to directly read and write to a fixed disk.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## <param name="domain">
## Domain allowed access.
interface(`storage_raw_rw_fixed_disk',`
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
########################################
## Create, read, write, and delete fixed disk device nodes.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_manage_fixed_disk',`
attribute fixed_disk_raw_read, fixed_disk_raw_write;
type fixed_disk_device_t;
dev_list_all_dev_nodes($1)
allow $1 self:capability mknod;
allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms;
typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
########################################
## Create block devices in /dev with the fixed disk type
## via an automatic type transition.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_dev_filetrans_fixed_disk',`
type fixed_disk_device_t;
dev_filetrans($1, fixed_disk_device_t, blk_file)
########################################
## Create block devices on a tmpfs filesystem with the
## fixed disk type via an automatic type transition.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_tmpfs_filetrans_fixed_disk',`
type fixed_disk_device_t;
fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file)
########################################
## Relabel fixed disk device nodes.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_relabel_fixed_disk',`
type fixed_disk_device_t;
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
########################################
## Enable a fixed disk device as swap space
## <param name="domain">
## The type of the process performing this action.
interface(`storage_swapon_fixed_disk',`
type fixed_disk_device_t;
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file { getattr swapon };
########################################
## Allow the caller to get the attributes
## of device nodes of fuse devices.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_getattr_fuse_dev',`
dev_list_all_dev_nodes($1)
allow $1 fuse_device_t:chr_file getattr;
########################################
## Read or write fuse device interfaces.
## <param name="domain">
## Domain allowed access.
interface(`storage_rw_fuse',`
allow $1 fuse_device_t:chr_file rw_file_perms;
########################################
## Do not audit attempts to read or write
## fuse device interfaces.
## <param name="domain">
## Domain to not audit.
interface(`storage_dontaudit_rw_fuse',`
dontaudit $1 fuse_device_t:chr_file rw_file_perms;
########################################
## Allow the caller to get the attributes of
## the generic SCSI interface device nodes.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_getattr_scsi_generic_dev',`
type scsi_generic_device_t;
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file getattr;
########################################
## Allow the caller to set the attributes of
## the generic SCSI interface device nodes.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_setattr_scsi_generic_dev',`
type scsi_generic_device_t;
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file setattr;
########################################
## Allow the caller to directly read, in a
## generic fashion, from any SCSI device.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_read_scsi_generic',`
attribute scsi_generic_read;
type scsi_generic_device_t;
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file read_chr_file_perms;
typeattribute $1 scsi_generic_read;
########################################
## Allow the caller to directly write, in a
## generic fashion, to any SCSI device.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_write_scsi_generic',`
attribute scsi_generic_write;
type scsi_generic_device_t;
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file write_chr_file_perms;
typeattribute $1 scsi_generic_write;
########################################
## Set attributes of the device nodes
## for the SCSI generic interface.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_setattr_scsi_generic_dev_dev',`
type scsi_generic_device_t;
dev_list_all_dev_nodes($1)
allow $1 scsi_generic_device_t:chr_file setattr;
########################################
## Do not audit attempts to read or write
## SCSI generic device interfaces.
## <param name="domain">
## Domain to not audit.
interface(`storage_dontaudit_rw_scsi_generic',`
type scsi_generic_device_t;
dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
########################################
## Allow the caller to get the attributes of removable
## devices device nodes.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_getattr_removable_dev',`
type removable_device_t;
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file getattr;
########################################
## Do not audit attempts made by the caller to get
## the attributes of removable devices device nodes.
## <param name="domain">
## The type of the process to not audit.
interface(`storage_dontaudit_getattr_removable_dev',`
type removable_device_t;
dontaudit $1 removable_device_t:blk_file getattr;
########################################
## Do not audit attempts made by the caller to read
## removable devices device nodes.
## <param name="domain">
## The type of the process to not audit.
interface(`storage_dontaudit_read_removable_device',`
type removable_device_t;
dontaudit $1 removable_device_t:blk_file { getattr ioctl read };
########################################
## Allow the caller to set the attributes of removable
## devices device nodes.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_setattr_removable_dev',`
type removable_device_t;
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file setattr;
########################################
## Do not audit attempts made by the caller to set
## the attributes of removable devices device nodes.
## <param name="domain">
## The type of the process to not audit.
interface(`storage_dontaudit_setattr_removable_dev',`
type removable_device_t;
dontaudit $1 removable_device_t:blk_file setattr;
########################################
## Allow the caller to directly read from
## a removable device.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_raw_read_removable_device',`
type removable_device_t;
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file read_blk_file_perms;
########################################
## Do not audit attempts to directly read removable devices.
## <param name="domain">
## Domain to not audit.
interface(`storage_dontaudit_raw_read_removable_device',`
type removable_device_t;
dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
########################################
## Allow the caller to directly write to
## a removable device.
## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_raw_write_removable_device',`
type removable_device_t;
dev_list_all_dev_nodes($1)
allow $1 removable_device_t:blk_file write_blk_file_perms;
########################################
## Do not audit attempts to directly write removable devices.
## <param name="domain">
## Domain to not audit.
interface(`storage_dontaudit_raw_write_removable_device',`
type removable_device_t;
dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
########################################
## Allow the caller to directly read
## <param name="domain">
## The type of the process performing this action.
interface(`storage_read_tape',`
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:chr_file read_chr_file_perms;
########################################
## Allow the caller to directly write
## <param name="domain">
## The type of the process performing this action.
interface(`storage_write_tape',`
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:chr_file write_chr_file_perms;
########################################
## Allow the caller to get the attributes
## of device nodes of tape devices.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_getattr_tape_dev',`
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:chr_file getattr;
########################################
## Allow the caller to set the attributes
## of device nodes of tape devices.
## <param name="domain">
## The type of the process performing this action.
interface(`storage_setattr_tape_dev',`
dev_list_all_dev_nodes($1)
allow $1 tape_device_t:chr_file setattr;
########################################
## Unconfined access to storage devices.
## <param name="domain">
## Domain allowed access.
interface(`storage_unconfined',`
attribute storage_unconfined_type;
typeattribute $1 storage_unconfined_type;