Bump module versions for release.
1
2 policy_module(storage, 1.8.0)
3
4 ########################################
5 #
6 # Declarations
7 #
8
# The attributes below act as allow-lists for the neverallow assertions later
# in this file: a type may be granted raw read/write on the matching device
# type only if it carries the attribute named in that assertion.
# No type is assigned any of these attributes in this file, so the set of
# domains holding them has to be audited where the assignments are made.
#
# fixed_disk_raw_read / fixed_disk_raw_write: exempt from the read and
# append/write assertions on fixed_disk_device_t, respectively.
9 attribute fixed_disk_raw_read;
10 attribute fixed_disk_raw_write;
# scsi_generic_read / scsi_generic_write: exempt from the read and
# append/write assertions on scsi_generic_device_t, respectively.
11 attribute scsi_generic_read;
12 attribute scsi_generic_write;
# storage_unconfined_type: exempt from all four assertions and granted every
# permission by the allow rules at the end of this file.
13 attribute storage_unconfined_type;
14
15 #
16 # fixed_disk_device_t is the type of
17 # /dev/hd* and /dev/sd*.
18 #
19 type fixed_disk_device_t;
# NOTE(review): dev_node() is defined outside this file; presumably it marks
# the type as a device node - confirm against its definition.
20 dev_node(fixed_disk_device_t)
21
# neverallow rules are assertions checked when the policy is compiled; they
# grant nothing themselves. "~{ ... }" is the complement of the listed set,
# so any rule that lets a type outside fixed_disk_raw_read /
# storage_unconfined_type read these nodes fails the assertion.
22 neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
# Same assertion for modification, keyed on fixed_disk_raw_write.
# Only read, append and write are asserted here; other permissions on these
# nodes (ioctl, for example) are not constrained by these two rules.
# NOTE(review): confirm that leaving them unasserted is intended.
23 neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
24
25 #
26 # fuse_device_t is the type of /dev/fuse
27 #
# No neverallow assertion in this file covers fuse_device_t, and the
# storage_unconfined_type allow rules at the end of the file do not list it;
# access to this type is therefore decided entirely outside this file.
28 type fuse_device_t;
29 dev_node(fuse_device_t)
30
31 #
32 # scsi_generic_device_t is the type of /dev/sg*
33 # it gives access to ALL SCSI devices (both fixed and removable)
34 #
# Because one node type reaches both fixed and removable devices, holders of
# scsi_generic_read / scsi_generic_write deserve the same scrutiny as holders
# of the fixed-disk raw attributes.
35 type scsi_generic_device_t;
36 dev_node(scsi_generic_device_t)
37
# Build-time assertions: only types carrying scsi_generic_read (or
# storage_unconfined_type) may be granted read on these nodes.
38 neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read;
# Same for append/write, keyed on scsi_generic_write.
# NOTE(review): only read, append and write are asserted. SCSI generic nodes
# are typically driven through ioctl, which these rules do not mention -
# confirm whether an equivalent assertion is wanted.
39 neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write };
40
41 #
42 # removable_device_t is the type of
43 # /dev/scd* and /dev/fd*.
44 #
# Unlike fixed_disk_device_t and scsi_generic_device_t, this type has no
# neverallow assertion in this file, so nothing here stops a policy rule
# from granting raw read or write on removable media to an arbitrary domain.
45 type removable_device_t;
46 dev_node(removable_device_t)
47
48 #
49 # tape_device_t is the type of tape device nodes
50 # (the device paths are not listed in this file).
# No neverallow assertion in this file covers tape_device_t.
51 type tape_device_t;
52 dev_node(tape_device_t)
53
54 ########################################
55 #
56 # Unconfined access to this module
57 #
58
# "*" grants every permission defined for the object class, so any type given
# storage_unconfined_type has full control of the listed device nodes.
# Treat assignment of this attribute as equivalent to raw disk access.
#
# Block-device nodes of fixed and removable storage:
59 allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
# Character-device nodes of SCSI generic and tape devices.
# NOTE(review): the neverallow rules earlier in this file exempt
# storage_unconfined_type for both chr_file and blk_file, but each type is
# granted only one class here, and fuse_device_t is not granted at all.
60 allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;