2 policy_module(storage, 1.8.0)
4 ########################################
9 attribute fixed_disk_raw_read;
10 attribute fixed_disk_raw_write;
11 attribute scsi_generic_read;
12 attribute scsi_generic_write;
13 attribute storage_unconfined_type;
16 # fixed_disk_device_t is the type of
17 # /dev/hd* and /dev/sd*.
19 type fixed_disk_device_t;
20 dev_node(fixed_disk_device_t)
22 neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
23 neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
26 # fuse_device_t is the type of /dev/fuse
29 dev_node(fuse_device_t)
32 # scsi_generic_device_t is the type of /dev/sg*
33 # it gives access to ALL SCSI devices (both fixed and removable)
35 type scsi_generic_device_t;
36 dev_node(scsi_generic_device_t)
38 neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read;
39 neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write };
42 # removable_device_t is the type of
43 # /dev/scd* and /dev/fd*.
45 type removable_device_t;
46 dev_node(removable_device_t)
49 # tape_device_t is the type of
52 dev_node(tape_device_t)
54 ########################################
56 # Unconfined access to this module
59 allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file *;
60 allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file *;