[people/stevee/selinux-policy.git] / refpolicy / policy / modules / kernel / devices.te


policy_module(devices,1.1.13)

########################################
#
# Declarations
#

attribute device_node;
attribute memory_raw_read;
attribute memory_raw_write;
attribute devices_unconfined_type;

#
# device_t is the type of /dev.
#
type device_t;
fs_associate_tmpfs(device_t)
files_type(device_t)
files_mountpoint(device_t)
files_associate_tmp(device_t)

# Only directories and symlinks should be labeled device_t.
# If there are other files with this type, it is wrong.
# Relabelto is allowed for setfiles to function, in case
# a device node has no specific type yet, but is for some
# reason labeled with a specific type
#cjp: want this, but udev policy breaks this
#neverallow domain device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };

#
# Type for /dev/agpgart
#
type agp_device_t;
dev_node(agp_device_t)

#
# Type for /dev/apm_bios
#
type apm_bios_t;
dev_node(apm_bios_t)

type cardmgr_dev_t;
dev_node(cardmgr_dev_t)
files_tmp_file(cardmgr_dev_t)

#
# clock_device_t is the type of
# /dev/rtc.
#
type clock_device_t;
dev_node(clock_device_t)

#
# cpu control devices /dev/cpu/0/*
#
type cpu_device_t;
dev_node(cpu_device_t)

# for the IBM zSeries z90crypt hardware ssl accelorator
type crypt_device_t;
dev_node(crypt_device_t)

type dri_device_t;
dev_node(dri_device_t)

type event_device_t;
dev_node(event_device_t)

#
# Type for framebuffer /dev/fb/*
#
type framebuf_device_t;
dev_node(framebuf_device_t)

#
# Type for /dev/mapper/control
#
type lvm_control_t;
dev_node(lvm_control_t)

#
# memory_device_t is the type of /dev/kmem,
# /dev/mem and /dev/port.
#
type memory_device_t;
dev_node(memory_device_t)

neverallow ~{ memory_raw_read devices_unconfined_type } memory_device_t:{ chr_file blk_file } read;
neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_file blk_file } { append write };

type misc_device_t;
dev_node(misc_device_t)

#
# A more general type for mouse devices.
#
type mouse_device_t;
dev_node(mouse_device_t)

#
# Type for /dev/cpu/mtrr and /proc/mtrr
#
type mtrr_device_t;
dev_node(mtrr_device_t)
genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)

#
# null_device_t is the type of /dev/null.
#
type null_device_t;
dev_node(null_device_t)
mls_trusted_object(null_device_t)
sid devnull gen_context(system_u:object_r:null_device_t,s0)

#
# Type for /dev/pmu 
#
type power_device_t;
dev_node(power_device_t)

type printer_device_t;
dev_node(printer_device_t)

#
# random_device_t is the type of /dev/random
#
type random_device_t;
dev_node(random_device_t)

type scanner_device_t;
dev_node(scanner_device_t)

#
# Type for sound devices and mixers
#
type sound_device_t;
dev_node(sound_device_t)

#
# sysfs_t is the type for the /sys pseudofs
#
type sysfs_t;
files_mountpoint(sysfs_t)
fs_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)

#
# urandom_device_t is the type of /dev/urandom
#
type urandom_device_t;
dev_node(urandom_device_t)

#
# usbfs_t is the type for the /proc/bus/usb pseudofs
#
type usbfs_t alias usbdevfs_t;
files_mountpoint(usbfs_t)
fs_noxattr_type(usbfs_t)
genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)

#
# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
#
type usb_device_t;
dev_node(usb_device_t)

type v4l_device_t;
dev_node(v4l_device_t)

# Type for vmware devices.
type vmware_device_t;
dev_node(vmware_device_t)

type watchdog_device_t;
dev_node(vmware_device_t)

type xen_device_t;
dev_node(xen_device_t)

type xserver_misc_device_t;
dev_node(xserver_misc_device_t)

#
# zero_device_t is the type of /dev/zero.
#
type zero_device_t;
dev_node(zero_device_t)
mls_trusted_object(zero_device_t)

########################################
#
# Rules for all device nodes
#

fs_associate(device_node)
fs_associate_tmpfs(device_node)

files_associate_tmp(device_node)

########################################
#
# Unconfined access to this module
#

allow devices_unconfined_type self:capability sys_rawio;
allow devices_unconfined_type device_node:{ blk_file chr_file } *;
allow devices_unconfined_type mtrr_device_t:{ dir file } *;
Commit	Line	Data
e181fe05	1
d592b69e	2	policy_module(devices,1.1.13)
960373dd	3
fd89e19f CP	4	########################################
	5	#
	6	# Declarations
	7	#
	8
b4cd1533	9	attribute device_node;
6b674012 CP	10	attribute memory_raw_read;
6b674012 CP	11	attribute memory_raw_write;
b518fc2e	12	attribute devices_unconfined_type;
b4cd1533 CP	13
	14	#
	15	# device_t is the type of /dev.
	16	#
ee5772e4	17	type device_t;
2aec1461	18	fs_associate_tmpfs(device_t)
8fd36732	19	files_type(device_t)
c9428d33	20	files_mountpoint(device_t)
2aec1461	21	files_associate_tmp(device_t)
b4cd1533 CP	22
	23	# Only directories and symlinks should be labeled device_t.
	24	# If there are other files with this type, it is wrong.
	25	# Relabelto is allowed for setfiles to function, in case
	26	# a device node has no specific type yet, but is for some
	27	# reason labeled with a specific type
07d6e32f	28	#cjp: want this, but udev policy breaks this
fd89e19f	29	#neverallow domain device_t:{ file fifo_file sock_file chr_file blk_file } ~{ getattr setattr relabelfrom relabelto };
b4cd1533	30
b4cd1533 CP	31	#
	32	# Type for /dev/agpgart
	33	#
2aec1461 CP	34	type agp_device_t;
2aec1461 CP	35	dev_node(agp_device_t)
b4cd1533 CP	36
	37	#
	38	# Type for /dev/apm_bios
	39	#
2aec1461 CP	40	type apm_bios_t;
2aec1461 CP	41	dev_node(apm_bios_t)
b4cd1533	42
2aec1461 CP	43	type cardmgr_dev_t;
2aec1461 CP	44	dev_node(cardmgr_dev_t)
34e722f3	45	files_tmp_file(cardmgr_dev_t)
dec1686f	46
b4cd1533 CP	47	#
	48	# clock_device_t is the type of
	49	# /dev/rtc.
	50	#
2aec1461 CP	51	type clock_device_t;
2aec1461 CP	52	dev_node(clock_device_t)
b4cd1533 CP	53
	54	#
	55	# cpu control devices /dev/cpu/0/*
	56	#
2aec1461 CP	57	type cpu_device_t;
2aec1461 CP	58	dev_node(cpu_device_t)
b4cd1533	59
0907bda1	60	# for the IBM zSeries z90crypt hardware ssl accelorator
2aec1461 CP	61	type crypt_device_t;
2aec1461 CP	62	dev_node(crypt_device_t)
0907bda1	63
2aec1461 CP	64	type dri_device_t;
2aec1461 CP	65	dev_node(dri_device_t)
6b674012	66
2aec1461 CP	67	type event_device_t;
2aec1461 CP	68	dev_node(event_device_t)
6b674012	69
b4cd1533 CP	70	#
	71	# Type for framebuffer /dev/fb/*
	72	#
2aec1461 CP	73	type framebuf_device_t;
2aec1461 CP	74	dev_node(framebuf_device_t)
b4cd1533	75
7009881c CP	76	#
	77	# Type for /dev/mapper/control
	78	#
2aec1461 CP	79	type lvm_control_t;
2aec1461 CP	80	dev_node(lvm_control_t)
7009881c	81
6b674012 CP	82	#
	83	# memory_device_t is the type of /dev/kmem,
	84	# /dev/mem and /dev/port.
	85	#
2aec1461 CP	86	type memory_device_t;
2aec1461 CP	87	dev_node(memory_device_t)
6b674012	88
f82f22cf CP	89	neverallow ~{ memory_raw_read devices_unconfined_type } memory_device_t:{ chr_file blk_file } read;
f82f22cf CP	90	neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_file blk_file } { append write };
6b674012	91
2aec1461 CP	92	type misc_device_t;
2aec1461 CP	93	dev_node(misc_device_t)
b16c6b8c	94
6b674012 CP	95	#
	96	# A more general type for mouse devices.
	97	#
2aec1461 CP	98	type mouse_device_t;
2aec1461 CP	99	dev_node(mouse_device_t)
6b674012	100
b4cd1533 CP	101	#
	102	# Type for /dev/cpu/mtrr and /proc/mtrr
	103	#
2aec1461 CP	104	type mtrr_device_t;
2aec1461 CP	105	dev_node(mtrr_device_t)
e02c61cf	106	genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
b4cd1533	107
6b674012 CP	108	#
	109	# null_device_t is the type of /dev/null.
	110	#
2aec1461 CP	111	type null_device_t;
2aec1461 CP	112	dev_node(null_device_t)
f0574fa9	113	mls_trusted_object(null_device_t)
e02c61cf	114	sid devnull gen_context(system_u:object_r:null_device_t,s0)
6b674012	115
b4cd1533 CP	116	#
	117	# Type for /dev/pmu
	118	#
2aec1461 CP	119	type power_device_t;
2aec1461 CP	120	dev_node(power_device_t)
b4cd1533	121
2aec1461 CP	122	type printer_device_t;
2aec1461 CP	123	dev_node(printer_device_t)
46be1f32	124
6b674012 CP	125	#
	126	# random_device_t is the type of /dev/random
	127	#
2aec1461 CP	128	type random_device_t;
2aec1461 CP	129	dev_node(random_device_t)
6b674012	130
2aec1461 CP	131	type scanner_device_t;
2aec1461 CP	132	dev_node(scanner_device_t)
6b674012	133
b4cd1533 CP	134	#
	135	# Type for sound devices and mixers
	136	#
2aec1461 CP	137	type sound_device_t;
2aec1461 CP	138	dev_node(sound_device_t)
7009881c	139
8bd67899 CP	140	#
	141	# sysfs_t is the type for the /sys pseudofs
	142	#
	143	type sysfs_t;
	144	files_mountpoint(sysfs_t)
cbca03f5	145	fs_type(sysfs_t)
e02c61cf	146	genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
8bd67899	147
6b674012 CP	148	#
	149	# urandom_device_t is the type of /dev/urandom
	150	#
2aec1461 CP	151	type urandom_device_t;
2aec1461 CP	152	dev_node(urandom_device_t)
6b674012	153
8bd67899 CP	154	#
	155	# usbfs_t is the type for the /proc/bus/usb pseudofs
	156	#
	157	type usbfs_t alias usbdevfs_t;
	158	files_mountpoint(usbfs_t)
4d851fe9	159	fs_noxattr_type(usbfs_t)
e02c61cf CP	160	genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
e02c61cf CP	161	genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
8bd67899	162
b0d2243c CP	163	#
	164	# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
	165	#
	166	type usb_device_t;
	167	dev_node(usb_device_t)
	168
2aec1461 CP	169	type v4l_device_t;
2aec1461 CP	170	dev_node(v4l_device_t)
35b2fb4d	171
a6a638dc CP	172	# Type for vmware devices.
	173	type vmware_device_t;
	174	dev_node(vmware_device_t)
	175
d592b69e CP	176	type watchdog_device_t;
	177	dev_node(vmware_device_t)
	178
a3cf80d8 CP	179	type xen_device_t;
	180	dev_node(xen_device_t)
	181
2aec1461 CP	182	type xserver_misc_device_t;
2aec1461 CP	183	dev_node(xserver_misc_device_t)
6b674012 CP	184
	185	#
	186	# zero_device_t is the type of /dev/zero.
	187	#
2aec1461 CP	188	type zero_device_t;
2aec1461 CP	189	dev_node(zero_device_t)
f0574fa9	190	mls_trusted_object(zero_device_t)
710791f1	191
28567af2 CP	192	########################################
	193	#
	194	# Rules for all device nodes
	195	#
	196
	197	fs_associate(device_node)
	198	fs_associate_tmpfs(device_node)
	199
	200	files_associate_tmp(device_node)
b518fc2e CP	201
	202	########################################
	203	#
	204	# Unconfined access to this module
	205	#
	206
	207	allow devices_unconfined_type self:capability sys_rawio;
	208	allow devices_unconfined_type device_node:{ blk_file chr_file } *;
	209	allow devices_unconfined_type mtrr_device_t:{ dir file } *;