## <summary>Policy controlling access to storage devices</summary>

########################################

## <summary>

##	Allow the caller to get the attributes of fixed disk

##	device nodes.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_getattr_fixed_disk_dev',`

	gen_require(`

		type fixed_disk_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 fixed_disk_device_t:blk_file getattr;

')

########################################

## <summary>

##	Do not audit attempts made by the caller to get

##	the attributes of fixed disk device nodes.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process to not audit.

##	</summary>

## </param>

#

interface(`storage_dontaudit_getattr_fixed_disk_dev',`

	gen_require(`

		type fixed_disk_device_t;

	')

	dontaudit $1 fixed_disk_device_t:blk_file getattr;

	dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl

')

########################################

## <summary>

##	Allow the caller to set the attributes of fixed disk

##	device nodes.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_setattr_fixed_disk_dev',`

	gen_require(`

		type fixed_disk_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 fixed_disk_device_t:blk_file setattr;

')

########################################

## <summary>

##	Do not audit attempts made by the caller to set

##	the attributes of fixed disk device nodes.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process to not audit.

##	</summary>

## </param>

#

interface(`storage_dontaudit_setattr_fixed_disk_dev',`

	gen_require(`

		type fixed_disk_device_t;

	')

	dontaudit $1 fixed_disk_device_t:blk_file setattr;

')

########################################

## <summary>

##	Allow the caller to directly read from a fixed disk.

##	This is extremly dangerous as it can bypass the

##	SELinux protections for filesystem objects, and

##	should only be used by trusted domains.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_raw_read_fixed_disk',`

	gen_require(`

		attribute fixed_disk_raw_read;

		type fixed_disk_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;

	typeattribute $1 fixed_disk_raw_read;

')

########################################

## <summary>

##	Do not audit attempts made by the caller to read

##	fixed disk device nodes.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process to not audit.

##	</summary>

## </param>

#

interface(`storage_dontaudit_read_fixed_disk',`

	gen_require(`

		type fixed_disk_device_t;

	')

	dontaudit $1 fixed_disk_device_t:blk_file { getattr ioctl read };

')

########################################

## <summary>

##	Allow the caller to directly write to a fixed disk.

##	This is extremly dangerous as it can bypass the

##	SELinux protections for filesystem objects, and

##	should only be used by trusted domains.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_raw_write_fixed_disk',`

	gen_require(`

		attribute fixed_disk_raw_write;

		type fixed_disk_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;

	typeattribute $1 fixed_disk_raw_write;

')

########################################

## <summary>

##	Do not audit attempts made by the caller to write

##	fixed disk device nodes.

## </summary>

## <param name="domain">

##	<summary>

##	Domain to not audit.

##	</summary>

## </param>

#

interface(`storage_dontaudit_write_fixed_disk',`

	gen_require(`

		type fixed_disk_device_t;

	')

	dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms;

')

########################################

## <summary>

##	Create, read, write, and delete fixed disk device nodes.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_manage_fixed_disk',`

	gen_require(`

		attribute fixed_disk_raw_read, fixed_disk_raw_write;

		type fixed_disk_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 self:capability mknod;

	allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;

	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;

')

########################################

## <summary>

##	Create block devices in /dev with the fixed disk type

##	via an automatic type transition.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_dev_filetrans_fixed_disk',`

	gen_require(`

		type fixed_disk_device_t;

	')

	dev_filetrans($1,fixed_disk_device_t,blk_file)

')

########################################

## <summary>

##	Create block devices in on a tmpfs filesystem with the

##	fixed disk type via an automatic type transition.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_tmpfs_filetrans_fixed_disk',`

	gen_require(`

		type fixed_disk_device_t;

	')

	fs_tmpfs_filetrans($1,fixed_disk_device_t,blk_file)

')

########################################

## <summary>

##	Relabel fixed disk device nodes.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_relabel_fixed_disk',`

	gen_require(`

		type fixed_disk_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;

')

########################################

## <summary>

##	Enable a fixed disk device as swap space

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_swapon_fixed_disk',`

	gen_require(`

		type fixed_disk_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 fixed_disk_device_t:blk_file { getattr swapon };

')

########################################

## <summary>

##	Allow the caller to get the attributes of

##	the generic SCSI interface device nodes.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_getattr_scsi_generic_dev',`

	gen_require(`

		type scsi_generic_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 scsi_generic_device_t:chr_file getattr;

')

########################################

## <summary>

##	Allow the caller to set the attributes of

##	the generic SCSI interface device nodes.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_setattr_scsi_generic_dev',`

	gen_require(`

		type scsi_generic_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 scsi_generic_device_t:chr_file setattr;

')

########################################

## <summary>

##	Allow the caller to directly read, in a

##	generic fashion, from any SCSI device.

##	This is extremly dangerous as it can bypass the

##	SELinux protections for filesystem objects, and

##	should only be used by trusted domains.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_read_scsi_generic',`

	gen_require(`

		attribute scsi_generic_read;

		type scsi_generic_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 scsi_generic_device_t:chr_file read_chr_file_perms;

	typeattribute $1 scsi_generic_read;

')

########################################

## <summary>

##	Allow the caller to directly write, in a

##	generic fashion, from any SCSI device.

##	This is extremly dangerous as it can bypass the

##	SELinux protections for filesystem objects, and

##	should only be used by trusted domains.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_write_scsi_generic',`

	gen_require(`

		attribute scsi_generic_write;

		type scsi_generic_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 scsi_generic_device_t:chr_file write_chr_file_perms;

	typeattribute $1 scsi_generic_write;

')

########################################

## <summary>

##	Set attributes of the device nodes

##	for the SCSI generic inerface.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_setattr_scsi_generic_dev_dev',`

	gen_require(`

		type scsi_generic_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 scsi_generic_device_t:chr_file setattr;

')

########################################

## <summary>

##	Do not audit attempts to read or write

##	SCSI generic device interfaces.

## </summary>

## <param name="domain">

##	<summary>

##	Domain to not audit.

##	</summary>

## </param>

#

interface(`storage_dontaudit_rw_scsi_generic',`

	gen_require(`

		type scsi_generic_device_t;

	')

	dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;

')

########################################

## <summary>

##	Allow the caller to get the attributes of removable

##	devices device nodes.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_getattr_removable_dev',`

	gen_require(`

		type removable_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 removable_device_t:blk_file getattr;

')

########################################

## <summary>

##	Do not audit attempts made by the caller to get

##	the attributes of removable devices device nodes.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process to not audit.

##	</summary>

## </param>

#

interface(`storage_dontaudit_getattr_removable_dev',`

	gen_require(`

		type removable_device_t;

	')

	dontaudit $1 removable_device_t:blk_file getattr;

')

########################################

## <summary>

##	Do not audit attempts made by the caller to read

##	removable devices device nodes.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process to not audit.

##	</summary>

## </param>

#

interface(`storage_dontaudit_read_removable_device',`

	gen_require(`

		type removable_device_t;

	')

	dontaudit $1 removable_device_t:blk_file { getattr ioctl read };

')

########################################

## <summary>

##	Allow the caller to set the attributes of removable

##	devices device nodes.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_setattr_removable_dev',`

	gen_require(`

		type removable_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 removable_device_t:blk_file setattr;

')

########################################

## <summary>

##	Do not audit attempts made by the caller to set

##	the attributes of removable devices device nodes.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process to not audit.

##	</summary>

## </param>

#

interface(`storage_dontaudit_setattr_removable_dev',`

	gen_require(`

		type removable_device_t;

	')

	dontaudit $1 removable_device_t:blk_file setattr;

')

########################################

## <summary>

##	Allow the caller to directly read from

##	a removable device.

##	This is extremly dangerous as it can bypass the

##	SELinux protections for filesystem objects, and

##	should only be used by trusted domains.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_raw_read_removable_device',`

	gen_require(`

		type removable_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 removable_device_t:blk_file read_blk_file_perms;

')

########################################

## <summary>

##	Do not audit attempts to directly read removable devices.

## </summary>

## <param name="domain">

##	<summary>

##	Domain to not audit.

##	</summary>

## </param>

#

interface(`storage_dontaudit_raw_read_removable_device',`

	gen_require(`

		type removable_device_t;

	')

	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;

')

########################################

## <summary>

##	Allow the caller to directly write to

##	a removable device.

##	This is extremly dangerous as it can bypass the

##	SELinux protections for filesystem objects, and

##	should only be used by trusted domains.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_raw_write_removable_device',`

	gen_require(`

		type removable_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 removable_device_t:blk_file write_blk_file_perms;

')

########################################

## <summary>

##	Do not audit attempts to directly write removable devices.

## </summary>

## <param name="domain">

##	<summary>

##	Domain to not audit.

##	</summary>

## </param>

#

interface(`storage_dontaudit_raw_write_removable_device',`

	gen_require(`

		type removable_device_t;

	')

	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;

')

########################################

## <summary>

##	Allow the caller to directly read

##	a tape device.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_read_tape',`

	gen_require(`

		type tape_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 tape_device_t:chr_file read_chr_file_perms;

')

########################################

## <summary>

##	Allow the caller to directly read

##	a tape device.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_write_tape',`

	gen_require(`

		type tape_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 tape_device_t:chr_file write_chr_file_perms;

')

########################################

## <summary>

##	Allow the caller to get the attributes

##	of device nodes of tape devices.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_getattr_tape_dev',`

	gen_require(`

		type tape_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 tape_device_t:chr_file getattr;

')

########################################

## <summary>

##	Allow the caller to set the attributes

##	of device nodes of tape devices.

## </summary>

## <param name="domain">

##	<summary>

##	The type of the process performing this action.

##	</summary>

## </param>

#

interface(`storage_setattr_tape_dev',`

	gen_require(`

		type tape_device_t;

	')

	dev_list_all_dev_nodes($1)

	allow $1 tape_device_t:chr_file setattr;

')

########################################

## <summary>

##	Unconfined access to storage devices.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed access.

##	</summary>

## </param>

#

interface(`storage_unconfined',`

	gen_require(`

		attribute storage_unconfined_type;

	')

	typeattribute $1 storage_unconfined_type;

')