- ##
-@@ -4113,6 +5056,25 @@ interface(`dev_write_urand',`
+ ##
+@@ -4113,6 +5075,25 @@ interface(`dev_write_urand',`
########################################
##
@@ -8372,7 +8364,7 @@ index 76f285e..72f99c0 100644
## Getattr generic the USB devices.
##
##
-@@ -4123,7 +5085,7 @@ interface(`dev_write_urand',`
+@@ -4123,7 +5104,7 @@ interface(`dev_write_urand',`
#
interface(`dev_getattr_generic_usb_dev',`
gen_require(`
@@ -8381,12 +8373,62 @@ index 76f285e..72f99c0 100644
')
getattr_chr_files_pattern($1, device_t, usb_device_t)
-@@ -4330,28 +5292,180 @@ interface(`dev_search_usbfs',`
+@@ -4409,9 +5390,9 @@ interface(`dev_rw_usbfs',`
+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
+ ')
+
+-########################################
++######################################
+ ##
+-## Get the attributes of video4linux devices.
++## Read and write userio device.
+ ##
+ ##
+ ##
+@@ -4419,17 +5400,17 @@ interface(`dev_rw_usbfs',`
+ ##
+ ##
+ #
+-interface(`dev_getattr_video_dev',`
++interface(`dev_rw_userio_dev',`
+ gen_require(`
+- type device_t, v4l_device_t;
++ type device_t, userio_device_t;
+ ')
+
+- getattr_chr_files_pattern($1, device_t, v4l_device_t)
++ rw_chr_files_pattern($1, device_t, userio_device_t)
+ ')
+
+-######################################
++########################################
+ ##
+-## Read and write userio device.
++## Get the attributes of video4linux devices.
+ ##
+ ##
+ ##
+@@ -4437,12 +5418,12 @@ interface(`dev_getattr_video_dev',`
+ ##
+ ##
+ #
+-interface(`dev_rw_userio_dev',`
++interface(`dev_getattr_video_dev',`
+ gen_require(`
+- type device_t, userio_device_t;
++ type device_t, v4l_device_t;
+ ')
+
+- rw_chr_files_pattern($1, device_t, userio_device_t)
++ getattr_chr_files_pattern($1, device_t, v4l_device_t)
+ ')
+
+ ########################################
+@@ -4539,6 +5520,134 @@ interface(`dev_write_video_dev',`
########################################
##
--## Allow caller to get a list of usb hardware.
-+## Allow caller to get a list of usb hardware.
++## Get the attributes of vfio devices.
+##
+##
+##
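Review bot: The separator line emitted above the relocated `dev_rw_userio_dev` header (`++######################################`, right after the `dev_rw_usbfs` context) is 38 `#` characters, while the relocated `dev_getattr_video_dev` and every other interface in this hunk use the 40-character `########################################`. The swap of the two interface bodies is otherwise a faithful reorder and nothing in the rules changed; this is purely cosmetic, so I would just pad that one line to 40 characters so the block matches its neighbours. The `dev_getattr_vfio_dev` header that starts at the bottom of this hunk continues in the next hunk.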
@@ -8394,40 +8436,36 @@ index 76f285e..72f99c0 100644
+##
+##
+#
-+interface(`dev_list_usbfs',`
++interface(`dev_getattr_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ getattr_files_pattern($1, usbfs_t, usbfs_t)
-+
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ getattr_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
-+## Set the attributes of usbfs filesystem.
++## Do not audit attempts to get the attributes
++## of vfio device nodes.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`dev_setattr_usbfs_files',`
++interface(`dev_dontaudit_getattr_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type vfio_device_t;
+ ')
+
-+ setattr_files_pattern($1, usbfs_t, usbfs_t)
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ dontaudit $1 vfio_device_t:chr_file getattr;
+')
+
+########################################
+##
-+## Read USB hardware information using
-+## the usbfs filesystem interface.
++## Set the attributes of vfio device nodes.
+##
+##
+##
@@ -8435,39 +8473,36 @@ index 76f285e..72f99c0 100644
+##
+##
+#
-+interface(`dev_read_usbfs',`
++interface(`dev_setattr_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ read_files_pattern($1, usbfs_t, usbfs_t)
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
++ setattr_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
-+## Allow caller to modify usb hardware configuration files.
++## Do not audit attempts to set the attributes
++## of vfio device nodes.
+##
+##
+##
-+## Domain allowed access.
++## Domain to not audit.
+##
+##
+#
-+interface(`dev_rw_usbfs',`
++interface(`dev_dontaudit_setattr_vfio_dev',`
+ gen_require(`
-+ type usbfs_t;
++ type vfio_device_t;
+ ')
+
-+ list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ rw_files_pattern($1, usbfs_t, usbfs_t)
-+ read_lnk_files_pattern($1, usbfs_t, usbfs_t)
++ dontaudit $1 vfio_device_t:chr_file setattr;
+')
+
-+######################################
++########################################
+##
-+## Read and write userio device.
++## Read the vfio devices.
+##
+##
+##
@@ -8475,17 +8510,17 @@ index 76f285e..72f99c0 100644
+##
+##
+#
-+interface(`dev_rw_userio_dev',`
++interface(`dev_read_vfio_dev',`
+ gen_require(`
-+ type device_t, userio_device_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ rw_chr_files_pattern($1, device_t, userio_device_t)
++ read_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
-+## Get the attributes of video4linux devices.
++## Write the vfio devices.
+##
+##
+##
@@ -8493,36 +8528,42 @@ index 76f285e..72f99c0 100644
+##
+##
+#
-+interface(`dev_getattr_video_dev',`
++interface(`dev_write_vfio_dev',`
+ gen_require(`
-+ type device_t, v4l_device_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ getattr_chr_files_pattern($1, device_t, v4l_device_t)
++ write_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
-+## Do not audit attempts to get the attributes
-+## of video4linux device nodes.
++## Read and write the VFIO devices.
+##
+##
+##
-+## Domain to not audit.
++## Domain allowed access.
+##
+##
+#
-+interface(`dev_dontaudit_getattr_video_dev',`
++interface(`dev_rw_vfio_dev',`
+ gen_require(`
-+ type v4l_device_t;
++ type device_t, vfio_device_t;
+ ')
+
-+ dontaudit $1 v4l_device_t:chr_file getattr;
++ rw_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+########################################
+##
-+## Set the attributes of video4linux device nodes.
+ ## Allow read/write the vhost net device
+ ##
+ ##
+@@ -4557,6 +5666,24 @@ interface(`dev_rw_vhost',`
+
+ ########################################
+ ##
++## Allow read/write inheretid the vhost net device
+##
+##
+##
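Review bot: The summaries of the new vfio interfaces are inconsistent in case — `## Read the vfio devices.` and `## Write the vfio devices.` but `## Read and write the VFIO devices.` for `dev_rw_vfio_dev` — and none of them says what the grant actually amounts to. `rw_chr_files_pattern` expands to `rw_chr_file_perms`, which in refpolicy includes `ioctl` (the pattern and perm-set macros live outside this file, so confirm against the tree's obj_perm_sets.spt); on /dev/vfio nodes ioctl is the operative interface for mapping device regions and programming DMA, so a caller of `dev_rw_vfio_dev` is effectively handed direct hardware access rather than a plain read/write stream. I would say so in the summary, e.g. `## Read and write the vfio devices. This includes ioctl, which is how vfio exposes device regions and DMA mapping to userspace, so treat it as a hardware-access grant.` I would also normalise the spelling to lowercase `vfio` to match the sibling interfaces. The `dev_rw_inherited_vhost` header at the end of this hunk is cut off and continues in the next hunk.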
@@ -8530,296 +8571,20 @@ index 76f285e..72f99c0 100644
+##
+##
+#
-+interface(`dev_setattr_video_dev',`
++interface(`dev_rw_inherited_vhost',`
+ gen_require(`
-+ type device_t, v4l_device_t;
++ type device_t, vhost_device_t;
+ ')
+
-+ setattr_chr_files_pattern($1, device_t, v4l_device_t)
++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
+')
+
+########################################
+##
-+## Do not audit attempts to set the attributes
-+## of video4linux device nodes.
+ ## Read and write VMWare devices.
##
##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_list_usbfs',`
-+interface(`dev_dontaudit_setattr_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type v4l_device_t;
- ')
-
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-- getattr_files_pattern($1, usbfs_t, usbfs_t)
--
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ dontaudit $1 v4l_device_t:chr_file setattr;
- ')
-
- ########################################
- ##
--## Set the attributes of usbfs filesystem.
-+## Read the video4linux devices.
- ##
- ##
- ##
-@@ -4359,19 +5473,17 @@ interface(`dev_list_usbfs',`
- ##
- ##
- #
--interface(`dev_setattr_usbfs_files',`
-+interface(`dev_read_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, v4l_device_t;
- ')
-
-- setattr_files_pattern($1, usbfs_t, usbfs_t)
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ read_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
- ########################################
- ##
--## Read USB hardware information using
--## the usbfs filesystem interface.
-+## Write the video4linux devices.
- ##
- ##
- ##
-@@ -4379,19 +5491,17 @@ interface(`dev_setattr_usbfs_files',`
- ##
- ##
- #
--interface(`dev_read_usbfs',`
-+interface(`dev_write_video_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, v4l_device_t;
- ')
-
-- read_files_pattern($1, usbfs_t, usbfs_t)
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-+ write_chr_files_pattern($1, device_t, v4l_device_t)
- ')
-
- ########################################
- ##
--## Allow caller to modify usb hardware configuration files.
-+## Get the attributes of vfio devices.
- ##
- ##
- ##
-@@ -4399,37 +5509,36 @@ interface(`dev_read_usbfs',`
- ##
- ##
- #
--interface(`dev_rw_usbfs',`
-+interface(`dev_getattr_vfio_dev',`
- gen_require(`
-- type usbfs_t;
-+ type device_t, vfio_device_t;
- ')
-
-- list_dirs_pattern($1, usbfs_t, usbfs_t)
-- rw_files_pattern($1, usbfs_t, usbfs_t)
-- read_lnk_files_pattern($1, usbfs_t, usbfs_t)
-+ getattr_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Get the attributes of video4linux devices.
-+## Do not audit attempts to get the attributes
-+## of vfio device nodes.
- ##
- ##
- ##
--## Domain allowed access.
-+## Domain to not audit.
- ##
- ##
- #
--interface(`dev_getattr_video_dev',`
-+interface(`dev_dontaudit_getattr_vfio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type vfio_device_t;
- ')
-
-- getattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ dontaudit $1 vfio_device_t:chr_file getattr;
- ')
-
--######################################
-+########################################
- ##
--## Read and write userio device.
-+## Set the attributes of vfio device nodes.
- ##
- ##
- ##
-@@ -4437,18 +5546,18 @@ interface(`dev_getattr_video_dev',`
- ##
- ##
- #
--interface(`dev_rw_userio_dev',`
-+interface(`dev_setattr_vfio_dev',`
- gen_require(`
-- type device_t, userio_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, userio_device_t)
-+ setattr_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to get the attributes
--## of video4linux device nodes.
-+## Do not audit attempts to set the attributes
-+## of vfio device nodes.
- ##
- ##
- ##
-@@ -4456,17 +5565,17 @@ interface(`dev_rw_userio_dev',`
- ##
- ##
- #
--interface(`dev_dontaudit_getattr_video_dev',`
-+interface(`dev_dontaudit_setattr_vfio_dev',`
- gen_require(`
-- type v4l_device_t;
-+ type vfio_device_t;
- ')
-
-- dontaudit $1 v4l_device_t:chr_file getattr;
-+ dontaudit $1 vfio_device_t:chr_file setattr;
- ')
-
- ########################################
- ##
--## Set the attributes of video4linux device nodes.
-+## Read the vfio devices.
- ##
- ##
- ##
-@@ -4474,36 +5583,35 @@ interface(`dev_dontaudit_getattr_video_dev',`
- ##
- ##
- #
--interface(`dev_setattr_video_dev',`
-+interface(`dev_read_vfio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- setattr_chr_files_pattern($1, device_t, v4l_device_t)
-+ read_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Do not audit attempts to set the attributes
--## of video4linux device nodes.
-+## Write the vfio devices.
- ##
- ##
- ##
--## Domain to not audit.
-+## Domain allowed access.
- ##
- ##
- #
--interface(`dev_dontaudit_setattr_video_dev',`
-+interface(`dev_write_vfio_dev',`
- gen_require(`
-- type v4l_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- dontaudit $1 v4l_device_t:chr_file setattr;
-+ write_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Read the video4linux devices.
-+## Read and write the VFIO devices.
- ##
- ##
- ##
-@@ -4511,17 +5619,17 @@ interface(`dev_dontaudit_setattr_video_dev',`
- ##
- ##
- #
--interface(`dev_read_video_dev',`
-+interface(`dev_rw_vfio_dev',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, vfio_device_t;
- ')
-
-- read_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, vfio_device_t)
- ')
-
- ########################################
- ##
--## Write the video4linux devices.
-+## Allow read/write the vhost net device
- ##
- ##
- ##
-@@ -4529,17 +5637,17 @@ interface(`dev_read_video_dev',`
- ##
- ##
- #
--interface(`dev_write_video_dev',`
-+interface(`dev_rw_vhost',`
- gen_require(`
-- type device_t, v4l_device_t;
-+ type device_t, vhost_device_t;
- ')
-
-- write_chr_files_pattern($1, device_t, v4l_device_t)
-+ rw_chr_files_pattern($1, device_t, vhost_device_t)
- ')
-
- ########################################
- ##
--## Allow read/write the vhost net device
-+## Allow read/write inheretid the vhost net device
- ##
- ##
- ##
-@@ -4547,12 +5655,12 @@ interface(`dev_write_video_dev',`
- ##
- ##
- #
--interface(`dev_rw_vhost',`
-+interface(`dev_rw_inherited_vhost',`
- gen_require(`
- type device_t, vhost_device_t;
- ')
-
-- rw_chr_files_pattern($1, device_t, vhost_device_t)
-+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
- ')
-
- ########################################
-@@ -4630,6 +5738,24 @@ interface(`dev_write_watchdog',`
+@@ -4630,6 +5757,24 @@ interface(`dev_write_watchdog',`
########################################
##
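Review bot: In the new `dev_rw_inherited_vhost` the `gen_require` block declares `type device_t, vhost_device_t;` but the single rule `allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;` only references `vhost_device_t`, so `device_t` is an unused require (the inherited-fd variant intentionally grants no search on the device directory) and should be trimmed to `type vhost_device_t;`. The summary also misspells the keyword — `## Allow read/write inheretid the vhost net device` — and reads awkwardly; I would write `## Read and write an inherited vhost net device file descriptor.` Note that `rw_inherited_chr_file_perms` is not an upstream refpolicy permission set (it comes from the Fedora/RHEL obj_perm_sets additions, which are not visible here), so the interface only builds against a tree that ships that set; a one-line description note saying so would save the next person a build failure. The remainder of this hunk only drops the duplicated video4linux/vfio/vhost interface bodies that the rebased patch now carries earlier, which is the intended cleanup.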
@@ -8844,7 +8609,7 @@ index 76f285e..72f99c0 100644
## Read and write the the wireless device.
##
##
-@@ -4762,6 +5888,44 @@ interface(`dev_rw_xserver_misc',`
+@@ -4762,6 +5907,44 @@ interface(`dev_rw_xserver_misc',`
########################################
##
@@ -8889,7 +8654,7 @@ index 76f285e..72f99c0 100644
## Read and write to the zero device (/dev/zero).
##
##
-@@ -4851,3 +6015,1022 @@ interface(`dev_unconfined',`
+@@ -4851,3 +6034,1022 @@ interface(`dev_unconfined',`
typeattribute $1 devices_unconfined_type;
')
@@ -10097,7 +9862,7 @@ index 0b1a871..29965c3 100644
+dev_getattr_all(devices_unconfined_type)
+
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
-index 6a1e4d1..1a2713b 100644
+index 6a1e4d1..08fd8e4 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -76,33 +76,8 @@ interface(`domain_type',`
@@ -10343,7 +10108,7 @@ index 6a1e4d1..1a2713b 100644
## Unconfined access to domains.
##