2 ## Device nodes and interfaces for many basic system devices.
6 ## This module creates the device node concept and provides
7 ## the policy for many of the device files. Notable exceptions are
8 ## the mass storage and terminal devices that are covered by other
12 ## This module creates the concept of a device node. That is a
13 ## char or block device file, usually in /dev. All types that
14 ## are used to label device nodes should use the dev_node macro.
17 ## Additionally, this module controls access to three things:
19 ## <li>the device directories containing device nodes</li>
20 ## <li>device nodes as a group</li>
21 ## <li>individual access to specific device nodes covered by
26 ## <required val="true">
27 ## Depended on by other required modules.
30 ########################################
32 ## Make the passed in type a type appropriate for
33 ## use on device nodes (usually files in /dev).
35 ## <param name="object_type">
37 ## The object type that will be used on device nodes.
41 interface(`dev_node',`
43 attribute device_node;
46 typeattribute $1 device_node;
49 ########################################
51 ## Allow full relabeling (to and from) of all device nodes.
53 ## <param name="domain">
55 ## Domain allowed to relabel.
60 interface(`dev_relabel_all_dev_nodes',`
62 attribute device_node;
66 relabelfrom_dirs_pattern($1,device_t,device_node)
67 relabelfrom_files_pattern($1,device_t,device_node)
68 relabelfrom_lnk_files_pattern($1,device_t,device_node)
69 relabelfrom_fifo_files_pattern($1,device_t,device_node)
70 relabelfrom_sock_files_pattern($1,device_t,device_node)
71 relabel_blk_files_pattern($1,device_t,{ device_t device_node })
72 relabel_chr_files_pattern($1,device_t,{ device_t device_node })
75 ########################################
77 ## List all of the device nodes in a device directory.
79 ## <param name="domain">
81 ## Domain allowed to list device nodes.
85 interface(`dev_list_all_dev_nodes',`
91 list_dirs_pattern($1,device_t,device_t)
92 read_lnk_files_pattern($1,device_t,device_t)
95 ########################################
97 ## Set the attributes of /dev directories.
99 ## <param name="domain">
101 ## Domain allowed access.
105 interface(`dev_setattr_generic_dirs',`
110 setattr_dirs_pattern($1,device_t,device_t)
113 ########################################
115 ## Dontaudit attempts to list all device nodes.
117 ## <param name="domain">
119 ## Domain to dontaudit listing of device nodes.
123 interface(`dev_dontaudit_list_all_dev_nodes',`
128 dontaudit $1 device_t:dir list_dir_perms;
131 ########################################
133 ## Add entries to directories in /dev.
135 ## <param name="domain">
137 ## Domain allowed to add entries.
141 interface(`dev_add_entry_generic_dirs',`
146 allow $1 device_t:dir add_entry_dir_perms;
149 ########################################
151 ## Create a directory in the device directory.
153 ## <param name="domain">
155 ## Domain allowed to create the directory.
159 interface(`dev_create_generic_dirs',`
164 allow $1 device_t:dir { ra_dir_perms create };
165 create_dirs_pattern($1,device_t,device_t)
168 ########################################
170 ## Delete a directory in the device directory.
172 ## <param name="domain">
174 ## Domain allowed to delete the directory.
178 interface(`dev_delete_generic_dirs',`
183 delete_dirs_pattern($1,device_t,device_t)
186 ########################################
188 ## Allow full relabeling (to and from) of directories in /dev.
190 ## <param name="domain">
192 ## Domain allowed to relabel.
196 interface(`dev_relabel_generic_dev_dirs',`
201 relabel_dirs_pattern($1,device_t,device_t)
204 ########################################
206 ## Do not audit attempts to get the attributes of generic files in /dev.
208 ## <param name="domain">
210 ## Domain to not audit.
214 interface(`dev_dontaudit_getattr_generic_files',`
219 dontaudit $1 device_t:file getattr;
222 ########################################
224 ## Read and write generic files in /dev.
226 ## <param name="domain">
228 ## Domain allowed access.
232 interface(`dev_rw_generic_files',`
237 rw_files_pattern($1,device_t,device_t)
240 ########################################
242 ## Delete generic files in /dev.
244 ## <param name="domain">
246 ## Domain allowed access.
250 interface(`dev_delete_generic_files',`
255 delete_files_pattern($1,device_t,device_t)
258 ########################################
260 ## Create, read, write, and delete generic files in the device directory.
262 ## <param name="domain">
264 ## Domain allowed access.
268 interface(`dev_manage_generic_files',`
273 manage_files_pattern($1,device_t,device_t)
276 ########################################
278 ## Dontaudit getattr on generic pipes.
280 ## <param name="domain">
282 ## Domain to dontaudit.
286 interface(`dev_dontaudit_getattr_generic_pipes',`
291 dontaudit $1 device_t:fifo_file getattr;
294 ########################################
296 ## Allow getattr on generic block devices.
298 ## <param name="domain">
300 ## Domain allowed access.
304 interface(`dev_getattr_generic_blk_files',`
309 getattr_blk_files_pattern($1,device_t,device_t)
312 ########################################
314 ## Dontaudit getattr on generic block devices.
316 ## <param name="domain">
318 ## Domain to dontaudit access.
322 interface(`dev_dontaudit_getattr_generic_blk_files',`
327 dontaudit $1 device_t:blk_file getattr;
330 ########################################
332 ## Dontaudit setattr on generic block devices.
334 ## <param name="domain">
336 ## Domain to dontaudit access.
340 interface(`dev_dontaudit_setattr_generic_blk_files',`
345 dontaudit $1 device_t:blk_file setattr;
348 ########################################
350 ## Create generic character device files.
352 ## <param name="domain">
354 ## Domain allowed access.
358 interface(`dev_create_generic_chr_files',`
363 create_chr_files_pattern($1,device_t,device_t)
366 ########################################
368 ## Allow getattr for generic character device files.
370 ## <param name="domain">
372 ## Domain allowed access.
376 interface(`dev_getattr_generic_chr_files',`
381 getattr_chr_files_pattern($1,device_t,device_t)
384 ########################################
386 ## Dontaudit getattr for generic character device files.
388 ## <param name="domain">
390 ## Domain to dontaudit access.
394 interface(`dev_dontaudit_getattr_generic_chr_files',`
399 dontaudit $1 device_t:chr_file getattr;
402 ########################################
404 ## Dontaudit setattr for generic character device files.
406 ## <param name="domain">
408 ## Domain to dontaudit access.
412 interface(`dev_dontaudit_setattr_generic_chr_files',`
417 dontaudit $1 device_t:chr_file setattr;
420 ########################################
422 ## Do not audit attempts to set the attributes
423 ## of symbolic links in device directories (/dev).
425 ## <param name="domain">
427 ## Domain to not audit.
431 interface(`dev_dontaudit_setattr_generic_symlinks',`
436 dontaudit $1 device_t:lnk_file setattr;
439 ########################################
441 ## Create symbolic links in device directories.
443 ## <param name="domain">
445 ## Domain allowed access.
449 interface(`dev_create_generic_symlinks',`
454 create_lnk_files_pattern($1,device_t,device_t)
457 ########################################
459 ## Delete symbolic links in device directories.
461 ## <param name="domain">
463 ## Domain allowed access.
467 interface(`dev_delete_generic_symlinks',`
472 delete_lnk_files_pattern($1,device_t,device_t)
475 ########################################
477 ## Create, delete, read, and write symbolic links in device directories.
479 ## <param name="domain">
481 ## Domain allowed access.
485 interface(`dev_manage_generic_symlinks',`
490 manage_lnk_files_pattern($1,device_t,device_t)
493 ########################################
495 ## Relabel symbolic links in device directories.
497 ## <param name="domain">
499 ## Domain allowed access.
503 interface(`dev_relabel_generic_symlinks',`
508 relabel_lnk_files_pattern($1,device_t,device_t)
511 ########################################
513 ## Create, delete, read, write, and relabel device nodes in device directories. This is a broad grant: to satisfy policy assertions it also gives the domain raw fixed-disk and SCSI generic read/write access and adds it to the memory_raw_read and memory_raw_write attributes.
515 ## <param name="domain">
517 ## Domain allowed access.
521 interface(`dev_manage_all_dev_nodes',`
523 attribute device_node, memory_raw_read, memory_raw_write;
527 manage_dirs_pattern($1,device_t,device_t)
528 manage_sock_files_pattern($1,device_t,device_t)
529 manage_lnk_files_pattern($1,device_t,device_t)
530 manage_chr_files_pattern($1,device_t,{ device_t device_node })
531 manage_blk_files_pattern($1,device_t,{ device_t device_node })
532 relabel_dirs_pattern($1,device_t,device_t)
533 relabel_chr_files_pattern($1,device_t,{ device_t device_node })
534 relabel_blk_files_pattern($1,device_t,{ device_t device_node })
536 # these next rules are to satisfy assertions broken by the above lines.
537 # the permissions hopefully can be cut back a lot
538 storage_raw_read_fixed_disk($1)
539 storage_raw_write_fixed_disk($1)
540 storage_read_scsi_generic($1)
541 storage_write_scsi_generic($1)
543 typeattribute $1 memory_raw_read;
544 typeattribute $1 memory_raw_write;
547 ########################################
549 ## Do not audit attempts to get the attributes of, read, write, or ioctl generic character and block device files.
551 ## <param name="domain">
553 ## Domain to dontaudit access.
557 interface(`dev_dontaudit_rw_generic_dev_nodes',`
562 dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
565 ########################################
567 ## Create, delete, read, and write block device files.
569 ## <param name="domain">
571 ## Domain allowed access.
575 interface(`dev_manage_generic_blk_files',`
580 manage_blk_files_pattern($1,device_t,device_t)
583 ########################################
585 ## Create, delete, read, and write character device files.
587 ## <param name="domain">
589 ## Domain allowed access.
593 interface(`dev_manage_generic_chr_files',`
598 manage_chr_files_pattern($1,device_t,device_t)
601 ########################################
603 ## Create, read, and write device nodes. The node
604 ## will be transitioned to the type provided; that type is also given tmpfs and tmp filesystem association permission.
606 ## <param name="domain">
608 ## Domain allowed access.
611 ## <param name="file">
613 ## Type to which the created node will be transitioned.
616 ## <param name="objectclass(es)">
618 ## Object class(es) (single or set including {}) for which
619 ## the transition will occur.
623 interface(`dev_filetrans',`
628 filetrans_pattern($1,device_t,$2,$3)
630 fs_associate_tmpfs($2)
631 files_associate_tmp($2)
634 ########################################
636 ## Getattr on all block file device nodes.
638 ## <param name="domain">
640 ## Domain allowed access.
645 interface(`dev_getattr_all_blk_files',`
647 attribute device_node;
651 getattr_blk_files_pattern($1,device_t,device_node)
654 ########################################
656 ## Dontaudit getattr on all block file device nodes.
658 ## <param name="domain">
660 ## Domain to dontaudit access.
664 interface(`dev_dontaudit_getattr_all_blk_files',`
666 attribute device_node;
669 dontaudit $1 device_node:blk_file getattr;
672 ########################################
674 ## Getattr on all character file device nodes.
676 ## <param name="domain">
678 ## Domain allowed access.
683 interface(`dev_getattr_all_chr_files',`
685 attribute device_node;
688 getattr_chr_files_pattern($1,device_t,device_node)
691 ########################################
693 ## Dontaudit getattr on all character file device nodes.
695 ## <param name="domain">
697 ## Domain to dontaudit access.
701 interface(`dev_dontaudit_getattr_all_chr_files',`
703 attribute device_node;
706 dontaudit $1 device_node:chr_file getattr;
709 ########################################
711 ## Setattr on all block file device nodes.
713 ## <param name="domain">
715 ## Domain allowed access.
720 interface(`dev_setattr_all_blk_files',`
722 attribute device_node;
725 setattr_blk_files_pattern($1,device_t,device_node)
728 ########################################
730 ## Setattr on all character file device nodes.
732 ## <param name="domain">
734 ## Domain allowed access.
739 interface(`dev_setattr_all_chr_files',`
741 attribute device_node;
744 setattr_chr_files_pattern($1,device_t,device_node)
747 ########################################
749 ## Dontaudit read on all block file device nodes.
751 ## <param name="domain">
753 ## Domain to not audit.
757 interface(`dev_dontaudit_read_all_blk_files',`
759 attribute device_node;
762 dontaudit $1 device_node:blk_file { getattr read };
765 ########################################
767 ## Dontaudit read on all character file device nodes.
769 ## <param name="domain">
771 ## Domain to not audit.
775 interface(`dev_dontaudit_read_all_chr_files',`
777 attribute device_node;
780 dontaudit $1 device_node:chr_file { getattr read };
783 ########################################
785 ## Create all block device files.
787 ## <param name="domain">
789 ## Domain allowed access.
793 interface(`dev_create_all_blk_files',`
795 attribute device_node;
798 create_blk_files_pattern($1,device_t,device_node)
801 ########################################
803 ## Create all character device files.
805 ## <param name="domain">
807 ## Domain allowed access.
811 interface(`dev_create_all_chr_files',`
813 attribute device_node;
816 create_chr_files_pattern($1,device_t,device_node)
819 ########################################
821 ## Delete all block device files.
823 ## <param name="domain">
825 ## Domain allowed access.
829 interface(`dev_delete_all_blk_files',`
831 attribute device_node;
834 delete_blk_files_pattern($1,device_t,device_node)
837 ########################################
839 ## Delete all character device files.
841 ## <param name="domain">
843 ## Domain allowed access.
847 interface(`dev_delete_all_chr_files',`
849 attribute device_node;
852 delete_chr_files_pattern($1,device_t,device_node)
855 ########################################
857 ## Rename all block device files.
859 ## <param name="domain">
861 ## Domain allowed access.
865 interface(`dev_rename_all_blk_files',`
867 attribute device_node;
870 rename_blk_files_pattern($1,device_t,device_node)
873 ########################################
875 ## Rename all character device files.
877 ## <param name="domain">
879 ## Domain allowed access.
883 interface(`dev_rename_all_chr_files',`
885 attribute device_node;
888 rename_chr_files_pattern($1,device_t,device_node)
891 ########################################
893 ## Read, write, create, and delete all block device files. To satisfy policy assertions this also grants raw fixed-disk and SCSI generic read/write access.
895 ## <param name="domain">
897 ## Domain allowed access.
901 interface(`dev_manage_all_blk_files',`
903 attribute device_node;
906 manage_blk_files_pattern($1,device_t,device_node)
908 # these next rules are to satisfy assertions broken by the above lines.
909 storage_raw_read_fixed_disk($1)
910 storage_raw_write_fixed_disk($1)
911 storage_read_scsi_generic($1)
912 storage_write_scsi_generic($1)
915 ########################################
917 ## Read, write, create, and delete all character device files. This also adds the domain to the memory_raw_read and memory_raw_write attributes.
919 ## <param name="domain">
921 ## Domain allowed access.
925 interface(`dev_manage_all_chr_files',`
927 attribute device_node, memory_raw_read, memory_raw_write;
930 manage_chr_files_pattern($1,device_t,device_node)
932 typeattribute $1 memory_raw_read, memory_raw_write;
935 ########################################
937 ## Get the attributes of the AGP devices.
939 ## <param name="domain">
941 ## Domain allowed access.
945 interface(`dev_getattr_agp_dev',`
947 type device_t, agp_device_t;
950 getattr_chr_files_pattern($1,device_t,agp_device_t)
953 ########################################
955 ## Read and write the agp devices.
957 ## <param name="domain">
959 ## Domain allowed access.
963 interface(`dev_rw_agp',`
965 type device_t, agp_device_t;
968 rw_chr_files_pattern($1,device_t,agp_device_t)
971 ########################################
973 ## Get the attributes of the apm bios device node.
975 ## <param name="domain">
977 ## Domain allowed access.
981 interface(`dev_getattr_apm_bios_dev',`
983 type device_t, apm_bios_t;
986 getattr_chr_files_pattern($1,device_t,apm_bios_t)
989 ########################################
991 ## Do not audit attempts to get the attributes of
992 ## the apm bios device node.
994 ## <param name="domain">
996 ## Domain to not audit.
1000 interface(`dev_dontaudit_getattr_apm_bios_dev',`
1005 dontaudit $1 apm_bios_t:chr_file getattr;
1008 ########################################
1010 ## Set the attributes of the apm bios device node.
1012 ## <param name="domain">
1014 ## Domain allowed access.
1018 interface(`dev_setattr_apm_bios_dev',`
1020 type device_t, apm_bios_t;
1023 setattr_chr_files_pattern($1,device_t,apm_bios_t)
1026 ########################################
1028 ## Do not audit attempts to set the attributes of
1029 ## the apm bios device node.
1031 ## <param name="domain">
1033 ## Domain to not audit.
1037 interface(`dev_dontaudit_setattr_apm_bios_dev',`
1042 dontaudit $1 apm_bios_t:chr_file setattr;
1045 ########################################
1047 ## Read and write the apm bios.
1049 ## <param name="domain">
1051 ## Domain allowed access.
1055 interface(`dev_rw_apm_bios',`
1057 type device_t, apm_bios_t;
1060 rw_chr_files_pattern($1,device_t,apm_bios_t)
1063 ########################################
1065 ## Read and write the PCMCIA card manager device.
1067 ## <param name="domain">
1069 ## Domain allowed access.
1073 interface(`dev_rw_cardmgr',`
1078 rw_chr_files_pattern($1,device_t,cardmgr_dev_t)
1081 ########################################
1083 ## Do not audit attempts to read and
1084 ## write the PCMCIA card manager device.
1086 ## <param name="domain">
1088 ## Domain to not audit.
1092 interface(`dev_dontaudit_rw_cardmgr',`
1097 dontaudit $1 cardmgr_dev_t:chr_file { read write };
1100 ########################################
1102 ## Create, read, write, and delete
1103 ## the PCMCIA card manager device.
1105 ## <param name="domain">
1107 ## Domain allowed access.
1111 interface(`dev_manage_cardmgr_dev',`
1113 type device_t, cardmgr_dev_t;
1116 manage_chr_files_pattern($1,device_t,cardmgr_dev_t)
1117 manage_blk_files_pattern($1,device_t,cardmgr_dev_t)
1120 ########################################
1122 ## Create the PCMCIA card manager device
1123 ## nodes (character and block) with the
1124 ## correct type via a file transition from device_t.
1126 ## <param name="domain">
1128 ## Domain allowed access.
1132 interface(`dev_create_cardmgr_dev',`
1134 type device_t, cardmgr_dev_t;
1137 create_chr_files_pattern($1,device_t,cardmgr_dev_t)
1138 create_blk_files_pattern($1,device_t,cardmgr_dev_t)
1139 filetrans_pattern($1,device_t,cardmgr_dev_t,{ chr_file blk_file })
1142 ########################################
1144 ## Get the attributes of the CPU
1145 ## microcode and id interfaces.
1147 ## <param name="domain">
1149 ## Domain allowed access.
1153 interface(`dev_getattr_cpu_dev',`
1155 type device_t, cpu_device_t;
1158 getattr_chr_files_pattern($1,device_t,cpu_device_t)
1161 ########################################
1163 ## Read the CPU identity.
1165 ## <param name="domain">
1167 ## Domain allowed access.
1171 interface(`dev_read_cpuid',`
1173 type device_t, cpu_device_t;
1176 read_chr_files_pattern($1,device_t,cpu_device_t)
1179 ########################################
1181 ## Read and write the CPU microcode device. This
1182 ## is required to load CPU microcode.
1184 ## <param name="domain">
1186 ## Domain allowed access.
1190 interface(`dev_rw_cpu_microcode',`
1192 type device_t, cpu_device_t;
1195 rw_chr_files_pattern($1,device_t,cpu_device_t)
1198 ########################################
1200 ## Read and write the hardware SSL accelerator device.
1202 ## <param name="domain">
1204 ## Domain allowed access.
1208 interface(`dev_rw_crypto',`
1210 type device_t, crypt_device_t;
1213 rw_chr_files_pattern($1,device_t,crypt_device_t)
1216 ########################################
1218 ## Get the attributes of the DRI devices.
1220 ## <param name="domain">
1222 ## Domain allowed access.
1226 interface(`dev_getattr_dri_dev',`
1228 type device_t, dri_device_t;
1231 getattr_chr_files_pattern($1,device_t,dri_device_t)
1234 ########################################
1236 ## Setattr the dri devices.
1238 ## <param name="domain">
1240 ## Domain allowed access.
1244 interface(`dev_setattr_dri_dev',`
1246 type device_t, dri_device_t;
1249 setattr_chr_files_pattern($1,device_t,dri_device_t)
1252 ########################################
1254 ## Read and write the dri devices.
1256 ## <param name="domain">
1258 ## Domain allowed access.
1262 interface(`dev_rw_dri',`
1264 type device_t, dri_device_t;
1267 rw_chr_files_pattern($1,device_t,dri_device_t)
1270 ########################################
1272 ## Do not audit attempts to get the attributes of, read, write, or ioctl the DRI devices.
1274 ## <param name="domain">
1276 ## Domain to dontaudit access.
1280 interface(`dev_dontaudit_rw_dri',`
1285 dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
1288 ########################################
1290 ## Create, read, write, and delete the dri devices.
1292 ## <param name="domain">
1294 ## Domain allowed access.
1298 interface(`dev_manage_dri_dev',`
1300 type device_t, dri_device_t;
1303 manage_chr_files_pattern($1,device_t,dri_device_t)
1304 filetrans_pattern($1,device_t,dri_device_t,chr_file)
1307 ########################################
1309 ## Read input event devices (/dev/input).
1311 ## <param name="domain">
1313 ## Domain allowed access.
1317 interface(`dev_read_input',`
1319 type device_t, event_device_t;
1322 read_chr_files_pattern($1,device_t,event_device_t)
1325 ########################################
1327 ## Read and write input event devices (/dev/input).
1329 ## <param name="domain">
1331 ## Domain allowed access.
1335 interface(`dev_rw_input_dev',`
1337 type device_t, event_device_t;
1340 rw_chr_files_pattern($1,device_t,event_device_t)
1343 ########################################
1345 ## Get the attributes of the framebuffer device node.
1347 ## <param name="domain">
1349 ## Domain allowed access.
1353 interface(`dev_getattr_framebuffer_dev',`
1355 type device_t, framebuf_device_t;
1358 getattr_chr_files_pattern($1,device_t,framebuf_device_t)
1361 ########################################
1363 ## Set the attributes of the framebuffer device node.
1365 ## <param name="domain">
1367 ## Domain allowed access.
1371 interface(`dev_setattr_framebuffer_dev',`
1373 type device_t, framebuf_device_t;
1376 setattr_chr_files_pattern($1,device_t,framebuf_device_t)
1379 ########################################
1381 ## Do not audit attempts to set the attributes
1382 ## of the framebuffer device node.
1384 ## <param name="domain">
1386 ## Domain to not audit.
1390 interface(`dev_dontaudit_setattr_framebuffer_dev',`
1392 type framebuf_device_t;
1395 dontaudit $1 framebuf_device_t:chr_file setattr;
1398 ########################################
1400 ## Read the framebuffer.
1402 ## <param name="domain">
1404 ## Domain allowed access.
1408 interface(`dev_read_framebuffer',`
1410 type framebuf_device_t;
1413 read_chr_files_pattern($1,device_t,framebuf_device_t)
1416 ########################################
1418 ## Do not audit attempts to read the framebuffer.
1420 ## <param name="domain">
1422 ## Domain to not audit.
1426 interface(`dev_dontaudit_read_framebuffer',`
1428 type framebuf_device_t;
1431 dontaudit $1 framebuf_device_t:chr_file { getattr read };
1434 ########################################
1436 ## Write the framebuffer.
1438 ## <param name="domain">
1440 ## Domain allowed access.
1444 interface(`dev_write_framebuffer',`
1446 type device_t, framebuf_device_t;
1449 write_chr_files_pattern($1,device_t,framebuf_device_t)
1452 ########################################
1454 ## Read and write the framebuffer.
1456 ## <param name="domain">
1458 ## Domain allowed access.
1462 interface(`dev_rw_framebuffer',`
1464 type device_t, framebuf_device_t;
1467 rw_chr_files_pattern($1,device_t,framebuf_device_t)
1470 ########################################
1472 ## Read the lvm control device.
1474 ## <param name="domain">
1476 ## Domain allowed access.
1480 interface(`dev_read_lvm_control',`
1482 type device_t, lvm_control_t;
1485 read_chr_files_pattern($1,device_t,lvm_control_t)
1488 ########################################
1490 ## Read and write the lvm control device.
1492 ## <param name="domain">
1494 ## Domain allowed access.
1498 interface(`dev_rw_lvm_control',`
1500 type device_t, lvm_control_t;
1503 rw_chr_files_pattern($1,device_t,lvm_control_t)
1506 ########################################
1508 ## Delete the lvm control device.
1510 ## <param name="domain">
1512 ## Domain allowed access.
1516 interface(`dev_delete_lvm_control_dev',`
1518 type device_t, lvm_control_t;
1521 delete_chr_files_pattern($1,device_t,lvm_control_t)
1524 ########################################
1526 ## Do not audit attempts to get the attributes of raw memory devices (e.g. /dev/mem).
1528 ## <param name="domain">
1530 ## Domain to not audit.
1534 interface(`dev_dontaudit_getattr_memory_dev',`
1536 type memory_device_t;
1539 dontaudit $1 memory_device_t:chr_file getattr;
1542 ########################################
1544 ## Read raw memory devices (e.g. /dev/mem). This also grants the domain the sys_rawio capability and adds it to the memory_raw_read attribute.
1546 ## <param name="domain">
1548 ## Domain allowed access.
1552 interface(`dev_read_raw_memory',`
1554 type device_t, memory_device_t;
1555 attribute memory_raw_read;
1558 read_chr_files_pattern($1,device_t,memory_device_t)
1560 allow $1 self:capability sys_rawio;
1561 typeattribute $1 memory_raw_read;
1564 ########################################
1566 ## Write raw memory devices (e.g. /dev/mem). This also grants the domain the sys_rawio capability and adds it to the memory_raw_write attribute.
1568 ## <param name="domain">
1570 ## Domain allowed access.
1574 interface(`dev_write_raw_memory',`
1576 type device_t, memory_device_t;
1577 attribute memory_raw_write;
1580 write_chr_files_pattern($1,device_t,memory_device_t)
1582 allow $1 self:capability sys_rawio;
1583 typeattribute $1 memory_raw_write;
1586 ########################################
1588 ## Read and execute raw memory devices (e.g. /dev/mem). Includes everything granted by dev_read_raw_memory(), plus execute on the memory device.
1590 ## <param name="domain">
1592 ## Domain allowed access.
1596 interface(`dev_rx_raw_memory',`
1598 type device_t, memory_device_t;
1601 dev_read_raw_memory($1)
1602 allow $1 memory_device_t:chr_file execute;
1605 ########################################
1607 ## Write and execute raw memory devices (e.g. /dev/mem). Includes everything granted by dev_write_raw_memory(), plus execute on the memory device.
1609 ## <param name="domain">
1611 ## Domain allowed access.
1615 interface(`dev_wx_raw_memory',`
1617 type device_t, memory_device_t;
1620 dev_write_raw_memory($1)
1621 allow $1 memory_device_t:chr_file execute;
1624 ########################################
1626 ## Get the attributes of miscellaneous devices.
1628 ## <param name="domain">
1630 ## Domain allowed access.
1634 interface(`dev_getattr_misc_dev',`
1636 type device_t, misc_device_t;
1639 getattr_chr_files_pattern($1,device_t,misc_device_t)
1642 ########################################
1644 ## Do not audit attempts to get the attributes
1645 ## of miscellaneous devices.
1647 ## <param name="domain">
1649 ## Domain to not audit.
1653 interface(`dev_dontaudit_getattr_misc_dev',`
1658 dontaudit $1 misc_device_t:chr_file getattr;
1661 ########################################
1663 ## Set the attributes of miscellaneous devices.
1665 ## <param name="domain">
1667 ## Domain allowed access.
1671 interface(`dev_setattr_misc_dev',`
1673 type device_t, misc_device_t;
1676 setattr_chr_files_pattern($1,device_t,misc_device_t)
1679 ########################################
1681 ## Do not audit attempts to set the attributes
1682 ## of miscellaneous devices.
1684 ## <param name="domain">
1686 ## Domain to not audit.
1690 interface(`dev_dontaudit_setattr_misc_dev',`
1695 dontaudit $1 misc_device_t:chr_file setattr;
1698 ########################################
1700 ## Read miscellaneous devices.
1702 ## <param name="domain">
1704 ## Domain allowed access.
1708 interface(`dev_read_misc',`
1710 type device_t, misc_device_t;
1713 read_chr_files_pattern($1,device_t,misc_device_t)
1716 ########################################
1718 ## Write miscellaneous devices.
1720 ## <param name="domain">
1722 ## Domain allowed access.
1726 interface(`dev_write_misc',`
1728 type device_t, misc_device_t;
1731 write_chr_files_pattern($1,device_t,misc_device_t)
1734 ########################################
1736 ## Do not audit attempts to read and write miscellaneous devices.
1738 ## <param name="domain">
1740 ## Domain to not audit.
1744 interface(`dev_dontaudit_rw_misc',`
1749 dontaudit $1 misc_device_t:chr_file rw_file_perms;
1752 ########################################
1754 ## Get the attributes of the mouse devices.
1756 ## <param name="domain">
1758 ## Domain allowed access.
1762 interface(`dev_getattr_mouse_dev',`
1764 type device_t, mouse_device_t;
1767 getattr_chr_files_pattern($1,device_t,mouse_device_t)
1770 ########################################
1772 ## Set the attributes of the mouse devices.
1774 ## <param name="domain">
1776 ## Domain allowed access.
1780 interface(`dev_setattr_mouse_dev',`
1782 type device_t, mouse_device_t;
1785 setattr_chr_files_pattern($1,device_t,mouse_device_t)
1788 ########################################
1790 ## Read the mouse devices.
1792 ## <param name="domain">
1794 ## Domain allowed access.
1798 interface(`dev_read_mouse',`
1800 type device_t, mouse_device_t;
1803 read_chr_files_pattern($1,device_t,mouse_device_t)
1806 ########################################
1808 ## Read and write to mouse devices.
1810 ## <param name="domain">
1812 ## Domain allowed access.
1816 interface(`dev_rw_mouse',`
1818 type device_t, mouse_device_t;
1821 rw_chr_files_pattern($1,device_t,mouse_device_t)
1824 ########################################
1826 ## Get the attributes of the memory type range
1827 ## registers (MTRR) device.
1829 ## <param name="domain">
1831 ## Domain allowed access.
1835 interface(`dev_getattr_mtrr_dev',`
1837 type device_t, mtrr_device_t;
1840 getattr_files_pattern($1,device_t,mtrr_device_t)
1841 getattr_chr_files_pattern($1,device_t,mtrr_device_t)
1844 ########################################
1846 ## Read the memory type range
1847 ## registers (MTRR). (Deprecated)
1851 ## Read the memory type range
1852 ## registers (MTRR). This interface has
1853 ## been deprecated, dev_rw_mtrr() should be
1857 ## The MTRR device ioctls can be used for
1858 ## reading and writing; thus, read access to the
1859 ## device cannot be separated from write access.
1862 ## <param name="domain">
1864 ## Domain allowed access.
1868 interface(`dev_read_mtrr',`
1869 refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
1873 ########################################
1875 ## Write the memory type range
1876 ## registers (MTRR). (Deprecated)
1880 ## Write the memory type range
1881 ## registers (MTRR). This interface has
1882 ## been deprecated, dev_rw_mtrr() should be
1886 ## The MTRR device ioctls can be used for
1887 ## reading and writing; thus, write access to the
1888 ## device cannot be separated from read access.
1891 ## <param name="domain">
1893 ## Domain allowed access.
1897 interface(`dev_write_mtrr',`
1898 refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
1902 ########################################
1904 ## Read and write the memory type range registers (MTRR).
1906 ## <param name="domain">
1908 ## Domain allowed access.
1912 interface(`dev_rw_mtrr',`
1914 type device_t, mtrr_device_t;
1917 rw_files_pattern($1,device_t,mtrr_device_t)
1918 rw_chr_files_pattern($1,device_t,mtrr_device_t)
1921 ########################################
1923 ## Read and write to the null device (/dev/null).
1925 ## <param name="domain">
1927 ## Domain allowed access.
1931 interface(`dev_rw_null',`
1933 type device_t, null_device_t;
1936 rw_chr_files_pattern($1,device_t,null_device_t)
1939 ########################################
1941 ## Create the null device (/dev/null).
1943 ## <param name="domain">
1945 ## Domain allowed access.
1949 interface(`dev_create_null_dev',`
1951 type device_t, null_device_t;
1954 create_chr_files_pattern($1,device_t,null_device_t)
1957 ########################################
1959 ## Do not audit attempts to get the attributes
1960 ## of the BIOS non-volatile RAM device.
1962 ## <param name="domain">
1964 ## Domain allowed access.
1968 interface(`dev_dontaudit_getattr_nvram_dev',`
1970 type nvram_device_t;
1973 dontaudit $1 nvram_device_t:chr_file getattr;
1976 ########################################
1978 ## Read and write BIOS non-volatile RAM.
1980 ## <param name="domain">
1982 ## Domain allowed access.
1986 interface(`dev_rw_nvram',`
1988 type nvram_device_t;
1991 rw_chr_files_pattern($1,device_t,nvram_device_t)
1994 ########################################
1996 ## Get the attributes of the printer device nodes.
1998 ## <param name="domain">
2000 ## Domain allowed access.
2004 interface(`dev_getattr_printer_dev',`
2006 type device_t, printer_device_t;
2009 getattr_chr_files_pattern($1,device_t,printer_device_t)
2012 ########################################
2014 ## Set the attributes of the printer device nodes.
2016 ## <param name="domain">
2018 ## Domain allowed access.
2022 interface(`dev_setattr_printer_dev',`
2024 type device_t, printer_device_t;
2027 setattr_chr_files_pattern($1,device_t,printer_device_t)
2030 ########################################
2032 ## Append the printer device.
2034 ## <param name="domain">
2036 ## Domain allowed access.
2040 # cjp: added for lpd/checkpc_t
2041 interface(`dev_append_printer',`
2043 type device_t, printer_device_t;
2046 append_chr_files_pattern($1,device_t,printer_device_t)
2049 ########################################
2051 ## Read and write the printer device.
2053 ## <param name="domain">
2055 ## Domain allowed access.
2059 interface(`dev_rw_printer',`
2061 type device_t, printer_device_t;
2064 rw_chr_files_pattern($1,device_t,printer_device_t)
2067 ########################################
2069 ## Read from random number generator
2070 ## devices (e.g., /dev/random)
2072 ## <param name="domain">
2074 ## Domain allowed access.
2078 interface(`dev_read_rand',`
2080 type device_t, random_device_t;
2083 read_chr_files_pattern($1,device_t,random_device_t)
2086 ########################################
2088 ## Do not audit attempts to read from random
2089 ## number generator devices (e.g., /dev/random)
2091 ## <param name="domain">
2093 ## Domain allowed access.
2097 interface(`dev_dontaudit_read_rand',`
2099 type random_device_t;
2102 dontaudit $1 random_device_t:chr_file { getattr read };
2105 ########################################
2107 ## Write to the random device (e.g., /dev/random). This adds
2108 ## entropy used to generate the random data read from the
2111 ## <param name="domain">
2113 ## Domain allowed access.
2117 interface(`dev_write_rand',`
2119 type device_t, random_device_t;
2122 write_chr_files_pattern($1,device_t,random_device_t)
2125 ########################################
2127 ## Read the realtime clock (/dev/rtc).
2129 ## <param name="domain">
2131 ## Domain allowed access.
2135 interface(`dev_read_realtime_clock',`
2137 type device_t, clock_device_t;
2140 read_chr_files_pattern($1,device_t,clock_device_t)
2143 ########################################
2145 ## Set the realtime clock (/dev/rtc) and set the attributes of its device node.
2147 ## <param name="domain">
2149 ## Domain allowed access.
2153 interface(`dev_write_realtime_clock',`
2155 type device_t, clock_device_t;
2158 write_chr_files_pattern($1,device_t,clock_device_t)
2160 allow $1 clock_device_t:chr_file setattr;
2163 ########################################
2165 ## Read and set the realtime clock (/dev/rtc).
2167 ## <param name="domain">
2169 ## Domain allowed access.
2173 interface(`dev_rw_realtime_clock',`
2174 dev_read_realtime_clock($1)
2175 dev_write_realtime_clock($1)
2178 ########################################
2180 ## Get the attributes of the scanner device.
2182 ## <param name="domain">
2184 ## Domain allowed access.
2188 interface(`dev_getattr_scanner_dev',`
2190 type device_t, scanner_device_t;
2193 getattr_chr_files_pattern($1,device_t,scanner_device_t)
2196 ########################################
2198 ## Do not audit attempts to get the attributes of
2199 ## the scanner device.
2201 ## <param name="domain">
2203 ## Domain to not audit.
2207 interface(`dev_dontaudit_getattr_scanner_dev',`
2209 type scanner_device_t;
2212 dontaudit $1 scanner_device_t:chr_file getattr;
2215 ########################################
2217 ## Set the attributes of the scanner device.
2219 ## <param name="domain">
2221 ## Domain allowed access.
2225 interface(`dev_setattr_scanner_dev',`
2227 type device_t, scanner_device_t;
2230 setattr_chr_files_pattern($1,device_t,scanner_device_t)
2233 ########################################
2235 ## Do not audit attempts to set the attributes of
2236 ## the scanner device.
2238 ## <param name="domain">
2240 ## Domain to not audit.
2244 interface(`dev_dontaudit_setattr_scanner_dev',`
2246 type scanner_device_t;
2249 dontaudit $1 scanner_device_t:chr_file setattr;
2252 ########################################
2254 ## Read and write the scanner device.
2256 ## <param name="domain">
2258 ## Domain allowed access.
2262 interface(`dev_rw_scanner',`
2264 type device_t, scanner_device_t;
2267 rw_chr_files_pattern($1,device_t,scanner_device_t)
2270 ########################################
2272 ## Get the attributes of the sound devices.
2274 ## <param name="domain">
2276 ## Domain allowed access.
2280 interface(`dev_getattr_sound_dev',`
2282 type device_t, sound_device_t;
2285 getattr_chr_files_pattern($1,device_t,sound_device_t)
2288 ########################################
2290 ## Set the attributes of the sound devices.
2292 ## <param name="domain">
2294 ## Domain allowed access.
2298 interface(`dev_setattr_sound_dev',`
2300 type device_t, sound_device_t;
2303 setattr_chr_files_pattern($1,device_t,sound_device_t)
2306 ########################################
2308 ## Read the sound devices.
2310 ## <param name="domain">
2312 ## Domain allowed access.
2316 interface(`dev_read_sound',`
2318 type device_t, sound_device_t;
2321 read_chr_files_pattern($1,device_t,sound_device_t)
2324 ########################################
2326 ## Write the sound devices.
2328 ## <param name="domain">
2330 ## Domain allowed access.
2334 interface(`dev_write_sound',`
2336 type device_t, sound_device_t;
2339 write_chr_files_pattern($1,device_t,sound_device_t)
2342 ########################################
2344 ## Read the sound mixer devices.
2346 ## <param name="domain">
2348 ## Domain allowed access.
2352 interface(`dev_read_sound_mixer',`
2354 type device_t, sound_device_t;
2357 read_chr_files_pattern($1,device_t,sound_device_t)
2360 ########################################
2362 ## Write the sound mixer devices.
2364 ## <param name="domain">
2366 ## Domain allowed access.
2370 interface(`dev_write_sound_mixer',`
2372 type device_t, sound_device_t;
2375 write_chr_files_pattern($1,device_t,sound_device_t)
2378 ########################################
2380 ## Get the attributes of the power management device.
2382 ## <param name="domain">
2384 ## Domain allowed access.
2388 interface(`dev_getattr_power_mgmt_dev',`
2390 type device_t, power_device_t;
2393 getattr_chr_files_pattern($1,device_t,power_device_t)
2396 ########################################
2398 ## Set the attributes of the power management device.
2400 ## <param name="domain">
2402 ## Domain allowed access.
2406 interface(`dev_setattr_power_mgmt_dev',`
2408 type device_t, power_device_t;
2411 setattr_chr_files_pattern($1,device_t,power_device_t)
2414 ########################################
2416 ## Read and write the power management device.
2418 ## <param name="domain">
2420 ## Domain allowed access.
2424 interface(`dev_rw_power_management',`
2426 type device_t, power_device_t;
2429 rw_chr_files_pattern($1,device_t,power_device_t)
2432 ########################################
2434 ## Get the attributes of sysfs directories.
2436 ## <param name="domain">
2438 ## The type of the process performing this action.
2442 interface(`dev_getattr_sysfs_dirs',`
2447 allow $1 sysfs_t:dir getattr_dir_perms;
2450 ########################################
2452 ## Search the sysfs directories.
2454 ## <param name="domain">
2456 ## The type of the process performing this action.
2460 interface(`dev_search_sysfs',`
2465 search_dirs_pattern($1,sysfs_t,sysfs_t)
2468 ########################################
2470 ## Do not audit attempts to search sysfs.
2472 ## <param name="domain">
2474 ## The type of the process performing this action.
2478 interface(`dev_dontaudit_search_sysfs',`
2483 dontaudit $1 sysfs_t:dir search_dir_perms;
2486 ########################################
2488 ## List the contents of the sysfs directories.
2490 ## <param name="domain">
2492 ## The type of the process performing this action.
2496 interface(`dev_list_sysfs',`
2501 list_dirs_pattern($1,sysfs_t,sysfs_t)
2504 ########################################
2506 ## Write to sysfs directories.
2508 ## <param name="domain">
2510 ## The type of the process performing this action.
2514 # cjp: added for cpuspeed
2515 interface(`dev_write_sysfs_dirs',`
2520 allow $1 sysfs_t:dir write;
2523 ########################################
2525 ## Allow caller to read hardware state information.
2527 ## <param name="domain">
2529 ## The process type reading hardware state information.
2533 interface(`dev_read_sysfs',`
2538 read_files_pattern($1,sysfs_t,sysfs_t)
2539 read_lnk_files_pattern($1,sysfs_t,sysfs_t)
2541 list_dirs_pattern($1,sysfs_t,sysfs_t)
2544 ########################################
2546 ## Allow caller to modify hardware state information.
2548 ## <param name="domain">
2550 ## The process type modifying hardware state information.
2554 interface(`dev_rw_sysfs',`
2560 rw_files_pattern($1,sysfs_t,sysfs_t)
2561 read_lnk_files_pattern($1,sysfs_t,sysfs_t)
2563 list_dirs_pattern($1,sysfs_t,sysfs_t)
2566 ########################################
2568 ## Read from pseudo random devices (e.g., /dev/urandom)
2570 ## <param name="domain">
2572 ## Domain allowed access.
2576 interface(`dev_read_urand',`
2578 type device_t, urandom_device_t;
2581 read_chr_files_pattern($1,device_t,urandom_device_t)
2584 ########################################
2586 ## Do not audit attempts to read from pseudo
2587 ## random devices (e.g., /dev/urandom)
2589 ## <param name="domain">
2591 ## Domain to not audit.
2595 interface(`dev_dontaudit_read_urand',`
2597 type urandom_device_t;
2600 dontaudit $1 urandom_device_t:chr_file { getattr read };
2603 ########################################
2605 ## Write to the pseudo random device (e.g., /dev/urandom). This
2606 ## sets the random number generator seed.
2608 ## <param name="domain">
2610 ## Domain allowed access.
2614 interface(`dev_write_urand',`
2616 type device_t, urandom_device_t;
2619 write_chr_files_pattern($1,device_t,urandom_device_t)
2622 ########################################
2624 ## Get the attributes of the generic USB devices.
2626 ## <param name="domain">
2628 ## Domain allowed access.
2632 interface(`dev_getattr_generic_usb_dev',`
2637 getattr_chr_files_pattern($1,device_t,usb_device_t)
2640 ########################################
2642 ## Set the attributes of the generic USB devices.
2644 ## <param name="domain">
2646 ## Domain allowed access.
2650 interface(`dev_setattr_generic_usb_dev',`
2655 setattr_chr_files_pattern($1,device_t,usb_device_t)
2658 ########################################
2660 ## Read and write the generic USB devices.
2662 ## <param name="domain">
2664 ## Domain allowed access.
2668 interface(`dev_rw_generic_usb_dev',`
2673 rw_chr_files_pattern($1,device_t,usb_device_t)
2676 ########################################
2678 ## Mount a usbfs filesystem.
2680 ## <param name="domain">
2682 ## The type of the process performing this action.
2686 interface(`dev_mount_usbfs',`
2691 allow $1 usbfs_t:filesystem mount;
2694 ########################################
2696 ## Associate a file type with a usbfs filesystem.
2698 ## <param name="file_type">
2700 ## The type of the file to be associated to usbfs.
2704 interface(`dev_associate_usbfs',`
2709 allow $1 usbfs_t:filesystem associate;
2712 ########################################
2714 ## Get the attributes of a directory in the usb filesystem.
2716 ## <param name="domain">
2718 ## Domain allowed access.
2722 interface(`dev_getattr_usbfs_dirs',`
2727 allow $1 usbfs_t:dir getattr_dir_perms;
2730 ########################################
2732 ## Do not audit attempts to get the attributes
2733 ## of a directory in the usb filesystem.
2735 ## <param name="domain">
2737 ## Domain to not audit.
2741 interface(`dev_dontaudit_getattr_usbfs_dirs',`
2746 dontaudit $1 usbfs_t:dir getattr_dir_perms;
2749 ########################################
2751 ## Search the directory containing USB hardware information.
2753 ## <param name="domain">
2755 ## The type of the process performing this action.
2759 interface(`dev_search_usbfs',`
2764 search_dirs_pattern($1,usbfs_t,usbfs_t)
2767 ########################################
2769 ## Allow caller to get a list of usb hardware.
2771 ## <param name="domain">
2773 ## The process type getting the list.
2777 interface(`dev_list_usbfs',`
2782 read_lnk_files_pattern($1,usbfs_t,usbfs_t)
2783 getattr_files_pattern($1,usbfs_t,usbfs_t)
2785 list_dirs_pattern($1,usbfs_t,usbfs_t)
2788 ########################################
2790 ## Set the attributes of files in the usbfs filesystem.
2792 ## <param name="domain">
2794 ## Domain allowed access.
2798 interface(`dev_setattr_usbfs_files',`
2803 setattr_files_pattern($1,usbfs_t,usbfs_t)
2804 list_dirs_pattern($1,usbfs_t,usbfs_t)
2807 ########################################
2809 ## Read USB hardware information using
2810 ## the usbfs filesystem interface.
2812 ## <param name="domain">
2814 ## The type of the process performing this action.
2818 interface(`dev_read_usbfs',`
2823 read_files_pattern($1,usbfs_t,usbfs_t)
2824 read_lnk_files_pattern($1,usbfs_t,usbfs_t)
2825 list_dirs_pattern($1,usbfs_t,usbfs_t)
2828 ########################################
2830 ## Allow caller to modify usb hardware configuration files.
2832 ## <param name="domain">
2834 ## The process type modifying the options.
2838 interface(`dev_rw_usbfs',`
2843 list_dirs_pattern($1,usbfs_t,usbfs_t)
2844 rw_files_pattern($1,usbfs_t,usbfs_t)
2845 read_lnk_files_pattern($1,usbfs_t,usbfs_t)
2848 ########################################
2850 ## Get the attributes of video4linux devices.
2852 ## <param name="domain">
2854 ## Domain allowed access.
2858 interface(`dev_getattr_video_dev',`
2860 type device_t, v4l_device_t;
2863 getattr_chr_files_pattern($1,device_t,v4l_device_t)
2866 ########################################
2868 ## Do not audit attempts to get the attributes
2869 ## of video4linux device nodes.
2871 ## <param name="domain">
2873 ## Domain to not audit.
2877 interface(`dev_dontaudit_getattr_video_dev',`
2882 dontaudit $1 v4l_device_t:chr_file getattr;
2885 ########################################
2887 ## Set the attributes of video4linux device nodes.
2889 ## <param name="domain">
2891 ## Domain allowed access.
2895 interface(`dev_setattr_video_dev',`
2897 type device_t, v4l_device_t;
2900 setattr_chr_files_pattern($1,device_t,v4l_device_t)
2903 ########################################
2905 ## Do not audit attempts to set the attributes
2906 ## of video4linux device nodes.
2908 ## <param name="domain">
2910 ## Domain to not audit.
2914 interface(`dev_dontaudit_setattr_video_dev',`
2919 dontaudit $1 v4l_device_t:chr_file setattr;
2922 ########################################
2924 ## Read the video4linux devices.
2926 ## <param name="domain">
2928 ## Domain allowed access.
2932 interface(`dev_read_video_dev',`
2934 type device_t, v4l_device_t;
2937 read_chr_files_pattern($1,device_t,v4l_device_t)
2940 ########################################
2942 ## Write the video4linux devices.
2944 ## <param name="domain">
2946 ## Domain allowed access.
2950 interface(`dev_write_video_dev',`
2952 type device_t, v4l_device_t;
2955 write_chr_files_pattern($1,device_t,v4l_device_t)
2958 ########################################
2960 ## Read and write VMWare devices.
2962 ## <param name="domain">
2964 ## Domain allowed access.
2968 interface(`dev_rw_vmware',`
2970 type device_t, vmware_device_t;
2973 rw_chr_files_pattern($1,device_t,vmware_device_t)
2976 ########################################
2978 ## Read, write, and execute (mmap executable) VMWare devices.
2980 ## <param name="domain">
2982 ## Domain allowed access.
2986 interface(`dev_rwx_vmware',`
2988 type device_t, vmware_device_t;
2992 allow $1 vmware_device_t:chr_file execute;
2995 ########################################
2997 ## Write to watchdog devices.
2999 ## <param name="domain">
3001 ## Domain allowed access.
3005 interface(`dev_write_watchdog',`
3007 type device_t, watchdog_device_t;
3010 write_chr_files_pattern($1,device_t,watchdog_device_t)
3013 ########################################
3015 ## Read and write Xen devices.
3017 ## <param name="domain">
3019 ## Domain allowed access.
3023 interface(`dev_rw_xen',`
3025 type device_t, xen_device_t;
3028 rw_chr_files_pattern($1,device_t,xen_device_t)
3031 ########################################
3033 ## Create, read, write, and delete Xen devices.
3035 ## <param name="domain">
3037 ## Domain allowed access.
3041 interface(`dev_manage_xen',`
3043 type device_t, xen_device_t;
3046 manage_chr_files_pattern($1,device_t,xen_device_t)
3049 ########################################
3051 ## Automatic type transition to the type
3052 ## for xen device nodes when created in /dev.
3054 ## <param name="domain">
3056 ## Domain allowed access.
3060 interface(`dev_filetrans_xen',`
3062 type device_t, xen_device_t;
3065 filetrans_pattern($1,device_t,xen_device_t,chr_file)
3068 ########################################
3070 ## Get the attributes of X server miscellaneous devices.
3072 ## <param name="domain">
3074 ## Domain allowed access.
3078 interface(`dev_getattr_xserver_misc_dev',`
3080 type device_t, xserver_misc_device_t;
3083 getattr_chr_files_pattern($1,device_t,xserver_misc_device_t)
3086 ########################################
3088 ## Set the attributes of X server miscellaneous devices.
3090 ## <param name="domain">
3092 ## Domain allowed access.
3096 interface(`dev_setattr_xserver_misc_dev',`
3098 type device_t, xserver_misc_device_t;
3101 setattr_chr_files_pattern($1,device_t,xserver_misc_device_t)
3104 ########################################
3106 ## Read and write X server miscellaneous devices.
3108 ## <param name="domain">
3110 ## Domain allowed access.
3114 interface(`dev_rw_xserver_misc',`
3116 type device_t, xserver_misc_device_t;
3119 rw_chr_files_pattern($1,device_t,xserver_misc_device_t)
3122 ########################################
3124 ## Read and write to the zero device (/dev/zero).
3126 ## <param name="domain">
3128 ## Domain allowed access.
3132 interface(`dev_rw_zero',`
3134 type device_t, zero_device_t;
3137 rw_chr_files_pattern($1,device_t,zero_device_t)
3140 ########################################
3142 ## Read, write, and execute the zero device (/dev/zero).
3144 ## <param name="domain">
3146 ## Domain allowed access.
3150 interface(`dev_rwx_zero',`
3156 allow $1 zero_device_t:chr_file execute;
3159 ########################################
3161 ## Execmod (execute a mapping modified by copy-on-write) the zero device (/dev/zero).
3163 ## <param name="domain">
3165 ## Domain allowed access.
3169 interface(`dev_execmod_zero',`
3175 allow $1 zero_device_t:chr_file execmod;
3178 ########################################
3180 ## Create the zero device (/dev/zero).
3182 ## <param name="domain">
3184 ## Domain allowed access.
3188 interface(`dev_create_zero_dev',`
3190 type device_t, zero_device_t;
3193 create_chr_files_pattern($1,device_t,zero_device_t)
3196 ########################################
3198 ## Unconfined access to devices.
3200 ## <param name="domain">
3202 ## Domain allowed access.
3206 interface(`dev_unconfined',`
3208 attribute devices_unconfined_type;
3211 typeattribute $1 devices_unconfined_type;