psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Files

  1.   d35c621eb0d40723ba9505f5a9a6ce8b21b18aa5
  2.   refpolicy
  3.   policy
  4.   modules
  5.   kernel
  6.   storage.if
Blob Blame History Raw 
## <module name="storage" layer="kernel">
## <summary>Policy controlling access to storage devices</summary>

########################################
## <interface name="storage_getattr_fixed_disk">
##	<description>
##		Allow the caller to get the attributes of fixed disk
##		device nodes.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_getattr_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;
		class blk_file getattr;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file getattr;
')

########################################
## <interface name="storage_dontaudit_getattr_fixed_disk">
##	<description>
##		Do not audit attempts made by the caller to get
##		the attributes of fixed disk device nodes.
##	</description>
##	<parameter name="domain">
##		The type of the process to not audit.
##	</parameter>
## </interface>
#
define(`storage_dontaudit_getattr_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;
		class blk_file getattr;
	')

	dontaudit $1 fixed_disk_device_t:blk_file getattr;
')

########################################
## <interface name="storage_setattr_fixed_disk">
##	<description>
##		Allow the caller to set the attributes of fixed disk
##		device nodes.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_setattr_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;
		class blk_file setattr;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file setattr;
')

########################################
## <interface name="storage_dontaudit_setattr_fixed_disk">
##	<description>
##		Do not audit attempts made by the caller to set
##		the attributes of fixed disk device nodes.
##	</description>
##	<parameter name="domain">
##		The type of the process to not audit.
##	</parameter>
## </interface>
#
define(`storage_dontaudit_setattr_fixed_disk',`
	gen_require(`
		type fixed_disk_device_t;
		class blk_file getattr;
	')

	dontaudit $1 fixed_disk_device_t:blk_file getattr;
')

########################################
## <interface name="storage_raw_read_fixed_disk">
##	<description>
##		Allow the caller to directly read from a fixed disk.
##		This is extremly dangerous as it can bypass the
##		SELinux protections for filesystem objects, and
##		should only be used by trusted domains.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_raw_read_fixed_disk',`
	gen_require(`
		attribute fixed_disk_raw_read;
		type fixed_disk_device_t;
		class blk_file r_file_perms;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file r_file_perms;
	typeattribute $1 fixed_disk_raw_read;
')

########################################
## <interface name="storage_raw_write_fixed_disk">
##	<description>
##		Allow the caller to directly write to a fixed disk.
##		This is extremly dangerous as it can bypass the
##		SELinux protections for filesystem objects, and
##		should only be used by trusted domains.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_raw_write_fixed_disk',`
	gen_require(`
		attribute fixed_disk_raw_write;
		type fixed_disk_device_t;
		class blk_file { getattr write ioctl };
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file { getattr write ioctl };
	typeattribute $1 fixed_disk_raw_write;
')

########################################
## <interface name="storage_create_fixed_disk">
##	<description>
##		Create block devices in /dev with the fixed disk type.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_create_fixed_disk_dev_entry',`
	gen_require(`
		attribute fixed_disk_raw_read, fixed_disk_raw_write;
		type fixed_disk_device_t;
		class blk_file create_file_perms;
	')

	allow $1 fixed_disk_device_t:blk_file create_file_perms;
	dev_create_dev_node($1,fixed_disk_device_t,blk_file)
	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')

########################################
## <interface name="storage_manage_fixed_disk">
##	<description>
##		Create, read, write, and delete fixed disk device nodes.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_manage_fixed_disk',`
	gen_require(`
		attribute fixed_disk_raw_read, fixed_disk_raw_write;
		type fixed_disk_device_t;
		class blk_file create_file_perms;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device_t:blk_file create_file_perms;
	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
')

########################################
## <interface name="storage_raw_read_lvm_volume">
##	<description>
##		Allow the caller to directly read from a logical volume.
##		This is extremly dangerous as it can bypass the
##		SELinux protections for filesystem objects, and
##		should only be used by trusted domains.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_raw_read_lvm_volume',`
	gen_require(`
		attribute fixed_disk_raw_read;
		type lvm_vg_t;
		class blk_file r_file_perms;
	')

	dev_list_all_dev_nodes($1)
	allow $1 lvm_vg_t:blk_file r_file_perms;
	typeattribute $1 fixed_disk_raw_read;
')

########################################
## <interface name="storage_raw_write_lvm_volume">
##	<description>
##		Allow the caller to directly read from a logical volume.
##		This is extremly dangerous as it can bypass the
##		SELinux protections for filesystem objects, and
##		should only be used by trusted domains.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_raw_write_lvm_volume',`
	gen_require(`
		attribute fixed_disk_raw_write;
		type lvm_vg_t;
		class blk_file { getattr write ioctl };
	')

	dev_list_all_dev_nodes($1)
	allow $1 lvm_vg_t:blk_file { getattr write ioctl };
	typeattribute $1 fixed_disk_raw_write;
')

########################################
## <interface name="storage_read_scsi_generic">
##	<description>
##		Allow the caller to directly read, in a
##		generic fashion, from any SCSI device.
##		This is extremly dangerous as it can bypass the
##		SELinux protections for filesystem objects, and
##		should only be used by trusted domains.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_read_scsi_generic',`
	gen_require(`
		attribute scsi_generic_read;
		type scsi_generic_device_t;
		class blk_file r_file_perms;
	')

	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:blk_file r_file_perms;
	typeattribute $1 scsi_generic_read;
')

########################################
## <interface name="storage_write_scsi_generic">
##	<description>
##		Allow the caller to directly write, in a
##		generic fashion, from any SCSI device.
##		This is extremly dangerous as it can bypass the
##		SELinux protections for filesystem objects, and
##		should only be used by trusted domains.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_write_scsi_generic',`
	gen_require(`
		attribute scsi_generic_write;
		type scsi_generic_device_t;
		class blk_file { getattr write ioctl };
	')

	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:blk_file { getattr write ioctl };
	typeattribute $1 scsi_generic_write;
')

########################################
## <interface name="storage_getattr_scsi_generic">
##	<description>
##		Get attributes of the device nodes
##		for the SCSI generic inerface.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_getattr_scsi_generic',`
	gen_require(`
		type scsi_generic_device_t;
		class blk_file getattr;
	')

	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:blk_file getattr;
')

########################################
## <interface name="storage_setattr_scsi_generic">
##	<description>
##		Set attributes of the device nodes
##		for the SCSI generic inerface.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_set_scsi_generic_attributes',`
	gen_require(`
		type scsi_generic_device_t;
		class blk_file setattr;
	')

	dev_list_all_dev_nodes($1)
	allow $1 scsi_generic_device_t:blk_file setattr;
')

########################################
## <interface name="storage_getattr_removable_device">
##	<description>
##		Allow the caller to get the attributes of removable
##		devices device nodes.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_getattr_removable_device',`
	gen_require(`
		type removable_device_t;
		class blk_file getattr;
	')

	dev_list_all_dev_nodes($1)
	allow $1 removable_device_t:blk_file getattr;
')

########################################
## <interface name="storage_dontaudit_getattr_removable_device">
##	<description>
##		Do not audit attempts made by the caller to get
##		the attributes of removable devices device nodes.
##	</description>
##	<parameter name="domain">
##		The type of the process to not audit.
##	</parameter>
## </interface>
#
define(`storage_dontaudit_getattr_removable_device',`
	gen_require(`
		type removable_device_t;
		class blk_file getattr;
	')

	dontaudit $1 removable_device_t:blk_file getattr;
')

########################################
## <interface name="storage_setattr_removable_device">
##	<description>
##		Allow the caller to set the attributes of removable
##		devices device nodes.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_setattr_removable_device',`
	gen_require(`
		type removable_device_t;
		class blk_file setattr;
	')

	dev_list_all_dev_nodes($1)
	allow $1 removable_device_t:blk_file setattr;
')

########################################
## <interface name="storage_raw_read_removable_device">
##	<description>
##		Allow the caller to directly read from
##		a removable device.
##		This is extremly dangerous as it can bypass the
##		SELinux protections for filesystem objects, and
##		should only be used by trusted domains.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_raw_read_removable_device',`
	gen_require(`
		type removable_device_t;
		class blk_file r_file_perms;
	')

	dev_list_all_dev_nodes($1)
	allow $1 removable_device_t:blk_file r_file_perms;
')

########################################
## <interface name="storage_raw_write_removable_device">
##	<description>
##		Allow the caller to directly write to
##		a removable device.
##		This is extremly dangerous as it can bypass the
##		SELinux protections for filesystem objects, and
##		should only be used by trusted domains.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_raw_write_removable_device',`
	gen_require(`
		type removable_device_t;
		class blk_file { getattr write ioctl };
	')

	dev_list_all_dev_nodes($1)
	allow $1 removable_device_t:blk_file { getattr write ioctl };
')

########################################
## <interface name="storage_read_tape_device">
##	<description>
##		Allow the caller to directly read
##		a tape device.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_read_tape_device',`
	gen_require(`
		type tape_device_t;
		class blk_file r_file_perms;
	')

	dev_list_all_dev_nodes($1)
	allow $1 tape_device_t:blk_file r_file_perms;
')

########################################
## <interface name="storage_write_tape_device">
##	<description>
##		Allow the caller to directly read
##		a tape device.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_write_tape_device',`
	gen_require(`
		type tape_device_t;
		class blk_file { getattr write ioctl };
	')

	dev_list_all_dev_nodes($1)
	allow $1 tape_device_t:blk_file { getattr write ioctl };
')

########################################
## <interface name="storage_getattr_tape_device">
##	<description>
##		Allow the caller to get the attributes
##		of device nodes of tape devices.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_getattr_tape_device',`
	gen_require(`
		type tape_device_t;
		class blk_file getattr;
	')

	dev_list_all_dev_nodes($1)
	allow $1 tape_device_t:blk_file getattr;
')

########################################
## <interface name="storage_setattr_tape_device">
##	<description>
##		Allow the caller to set the attributes
##		of device nodes of tape devices.
##	</description>
##	<parameter name="domain">
##		The type of the process performing this action.
##	</parameter>
## </interface>
#
define(`storage_setattr_tape_device',`
	gen_require(`
		type tape_device_t;
		class blk_file setattr;
	')

	dev_list_all_dev_nodes($1)
	allow $1 tape_device_t:blk_file setattr;
')

## </module>
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.