diff --git a/policy-f25-base.patch b/policy-f25-base.patch index 0bcf164..fbb472a 100644 --- a/policy-f25-base.patch +++ b/policy-f25-base.patch @@ -6601,7 +6601,7 @@ index b31c054..1ed65a0 100644 +/usr/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0) +/usr/lib/udev/devices/zero -c gen_context(system_u:object_r:zero_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if -index 76f285e..6843613 100644 +index 76f285e..72f99c0 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,13 +143,32 @@ interface(`dev_relabel_all_dev_nodes',` @@ -8048,7 +8048,7 @@ index 76f285e..6843613 100644 ## ## ## -@@ -4024,17 +4722,243 @@ interface(`dev_rw_sysfs',` +@@ -4024,17 +4722,262 @@ interface(`dev_rw_sysfs',` ## ## # @@ -8274,6 +8274,25 @@ index 76f285e..6843613 100644 + +######################################## +## ++## Allow caller to modify hardware state information. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_manage_sysfs',` ++ gen_require(` ++ type sysfs_t; ++ ') ++ ++ manage_dirs_pattern($1, sysfs_t, sysfs_t) ++ manage_files_pattern($1, sysfs_t, sysfs_t) ++') ++ ++######################################## ++## +## Read and write the TPM device. +## +## @@ -8296,7 +8315,7 @@ index 76f285e..6843613 100644 ## ## ##
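Review bot: The new `dev_manage_sysfs` interface (hunk `@@ -8274,6 +8274,25 @@`) calls `manage_dirs_pattern` and `manage_files_pattern` on `sysfs_t`, which grants create, delete, rename and write on every sysfs directory and file, yet its summary reads only "Allow caller to modify hardware state information." The summary should state the actual scope so callers do not reach for it where the existing `dev_rw_sysfs` would do: `## Allow caller to create, delete, rename and write all sysfs directories and files (full manage access to sysfs_t).` Writable sysfs attributes can alter kernel and device behaviour, so each domain that is later given this interface deserves an individual justification; if only a bounded set of sysfs paths is meant, a dedicated type for those paths would keep the grant narrower than all of `sysfs_t`.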

-@@ -4113,6 +5037,25 @@ interface(`dev_write_urand',` +@@ -4113,6 +5056,25 @@ interface(`dev_write_urand',` ######################################## ##

@@ -8322,7 +8341,7 @@ index 76f285e..6843613 100644 ## Getattr generic the USB devices. ## ## -@@ -4123,7 +5066,7 @@ interface(`dev_write_urand',` +@@ -4123,7 +5085,7 @@ interface(`dev_write_urand',` # interface(`dev_getattr_generic_usb_dev',` gen_require(` 
@@ -8331,149 +8350,33 @@ index 76f285e..6843613 100644 ') getattr_chr_files_pattern($1, device_t, usb_device_t) -@@ -4409,9 +5352,9 @@ interface(`dev_rw_usbfs',` - read_lnk_files_pattern($1, usbfs_t, usbfs_t) - ') - --######################################## -+###################################### - ## --## Get the attributes of video4linux devices. -+## Read and write userio device. - ## - ## - ## -@@ -4419,17 +5362,17 @@ interface(`dev_rw_usbfs',` - ## - ## - # --interface(`dev_getattr_video_dev',` -+interface(`dev_rw_userio_dev',` - gen_require(` -- type device_t, v4l_device_t; -+ type device_t, userio_device_t; - ') - -- getattr_chr_files_pattern($1, device_t, v4l_device_t) -+ rw_chr_files_pattern($1, device_t, userio_device_t) - ') - --###################################### -+######################################## - ## --## Read and write userio device. -+## Get the attributes of video4linux devices. - ## - ## - ## -@@ -4437,12 +5380,12 @@ interface(`dev_getattr_video_dev',` - ## - ## - # --interface(`dev_rw_userio_dev',` -+interface(`dev_getattr_video_dev',` - gen_require(` -- type device_t, userio_device_t; -+ type device_t, v4l_device_t; - ') - -- rw_chr_files_pattern($1, device_t, userio_device_t) -+ getattr_chr_files_pattern($1, device_t, v4l_device_t) - ') - - ######################################## -@@ -4539,7 +5482,7 @@ interface(`dev_write_video_dev',` - - ######################################## - ## --## Allow read/write the vhost net device -+## Get the attributes of vfio devices. - ## - ## - ## -@@ -4547,35 +5490,36 @@ interface(`dev_write_video_dev',` - ## - ## - # --interface(`dev_rw_vhost',` -+interface(`dev_getattr_vfio_dev',` - gen_require(` -- type device_t, vhost_device_t; -+ type device_t, vfio_device_t; - ') - -- rw_chr_files_pattern($1, device_t, vhost_device_t) -+ getattr_chr_files_pattern($1, device_t, vfio_device_t) - ') - - ######################################## - ## --## Read and write VMWare devices. 
-+## Do not audit attempts to get the attributes -+## of vfio device nodes. - ## - ## - ## --## Domain allowed access. -+## Domain to not audit. - ## - ## - # --interface(`dev_rw_vmware',` -+interface(`dev_dontaudit_getattr_vfio_dev',` - gen_require(` -- type device_t, vmware_device_t; -+ type vfio_device_t; - ') - -- rw_chr_files_pattern($1, device_t, vmware_device_t) -+ dontaudit $1 vfio_device_t:chr_file getattr; - ') +@@ -4330,28 +5292,180 @@ interface(`dev_search_usbfs',` ######################################## ## --## Read, write, and mmap VMWare devices. -+## Set the attributes of vfio device nodes. - ## - ## - ## -@@ -4583,12 +5527,157 @@ interface(`dev_rw_vmware',` - ## - ## - # --interface(`dev_rwx_vmware',` -+interface(`dev_setattr_vfio_dev',` - gen_require(` -- type device_t, vmware_device_t; -+ type device_t, vfio_device_t; - ') - -- dev_rw_vmware($1) -+ setattr_chr_files_pattern($1, device_t, vfio_device_t) -+') -+ -+######################################## -+## -+## Do not audit attempts to set the attributes -+## of vfio device nodes. +-## Allow caller to get a list of usb hardware. ++## Allow caller to get a list of usb hardware. +## +## +## -+## Domain to not audit. ++## Domain allowed access. +## +## +# -+interface(`dev_dontaudit_setattr_vfio_dev',` ++interface(`dev_list_usbfs',` + gen_require(` -+ type vfio_device_t; ++ type usbfs_t; + ') + -+ dontaudit $1 vfio_device_t:chr_file setattr; ++ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ getattr_files_pattern($1, usbfs_t, usbfs_t) ++ ++ list_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## -+## Read the vfio devices. ++## Set the attributes of usbfs filesystem. +## +## +## 
@@ -8481,17 +8384,19 @@ index 76f285e..6843613 100644 +## +## +# -+interface(`dev_read_vfio_dev',` ++interface(`dev_setattr_usbfs_files',` + gen_require(` -+ type device_t, vfio_device_t; ++ type usbfs_t; + ') + -+ read_chr_files_pattern($1, device_t, vfio_device_t) ++ setattr_files_pattern($1, usbfs_t, usbfs_t) ++ list_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## -+## Write the vfio devices. ++## Read USB hardware information using ++## the usbfs filesystem interface. +## +## +## @@ -8499,17 +8404,19 @@ index 76f285e..6843613 100644 +## +## +# -+interface(`dev_write_vfio_dev',` ++interface(`dev_read_usbfs',` + gen_require(` -+ type device_t, vfio_device_t; ++ type usbfs_t; + ') + -+ write_chr_files_pattern($1, device_t, vfio_device_t) ++ read_files_pattern($1, usbfs_t, usbfs_t) ++ read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ list_dirs_pattern($1, usbfs_t, usbfs_t) +') + +######################################## +## -+## Read and write the VFIO devices. ++## Allow caller to modify usb hardware configuration files. +## +## +## @@ -8517,17 +8424,19 @@ index 76f285e..6843613 100644 +## +## +# -+interface(`dev_rw_vfio_dev',` ++interface(`dev_rw_usbfs',` + gen_require(` -+ type device_t, vfio_device_t; ++ type usbfs_t; + ') + -+ rw_chr_files_pattern($1, device_t, vfio_device_t) ++ list_dirs_pattern($1, usbfs_t, usbfs_t) ++ rw_files_pattern($1, usbfs_t, usbfs_t) ++ read_lnk_files_pattern($1, usbfs_t, usbfs_t) +') + -+######################################## ++###################################### +## -+## Allow read/write the vhost net device ++## Read and write userio device. +## +## +## 
@@ -8535,17 +8444,17 @@ index 76f285e..6843613 100644 +## +## +# -+interface(`dev_rw_vhost',` ++interface(`dev_rw_userio_dev',` + gen_require(` -+ type device_t, vhost_device_t; ++ type device_t, userio_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, vhost_device_t) ++ rw_chr_files_pattern($1, device_t, userio_device_t) +') + +######################################## +## -+## Allow read/write inheretid the vhost net device ++## Get the attributes of video4linux devices. +## +## +## @@ -8553,35 +8462,36 @@ index 76f285e..6843613 100644 +## +## +# -+interface(`dev_rw_inherited_vhost',` ++interface(`dev_getattr_video_dev',` + gen_require(` -+ type device_t, vhost_device_t; ++ type device_t, v4l_device_t; + ') + -+ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; ++ getattr_chr_files_pattern($1, device_t, v4l_device_t) +') + +######################################## +## -+## Read and write VMWare devices. ++## Do not audit attempts to get the attributes ++## of video4linux device nodes. +## +## +## -+## Domain allowed access. ++## Domain to not audit. +## +## +# -+interface(`dev_rw_vmware',` ++interface(`dev_dontaudit_getattr_video_dev',` + gen_require(` -+ type device_t, vmware_device_t; ++ type v4l_device_t; + ') + -+ rw_chr_files_pattern($1, device_t, vmware_device_t) ++ dontaudit $1 v4l_device_t:chr_file getattr; +') + +######################################## +## -+## Read, write, and mmap VMWare devices. ++## Set the attributes of video4linux device nodes. +## +## +## 
@@ -8589,16 +8499,296 @@ index 76f285e..6843613 100644 +## +## +# -+interface(`dev_rwx_vmware',` ++interface(`dev_setattr_video_dev',` + gen_require(` -+ type device_t, vmware_device_t; ++ type device_t, v4l_device_t; + ') + -+ dev_rw_vmware($1) - allow $1 vmware_device_t:chr_file execute; ++ setattr_chr_files_pattern($1, device_t, v4l_device_t) ++') ++ ++######################################## ++## ++## Do not audit attempts to set the attributes ++## of video4linux device nodes. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_list_usbfs',` ++interface(`dev_dontaudit_setattr_video_dev',` + gen_require(` +- type usbfs_t; ++ type v4l_device_t; + ') + +- read_lnk_files_pattern($1, usbfs_t, usbfs_t) +- getattr_files_pattern($1, usbfs_t, usbfs_t) +- +- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ dontaudit $1 v4l_device_t:chr_file setattr; ') -@@ -4630,6 +5719,24 @@ interface(`dev_write_watchdog',` + ######################################## + ## +-## Set the attributes of usbfs filesystem. ++## Read the video4linux devices. + ## + ## + ## +@@ -4359,19 +5473,17 @@ interface(`dev_list_usbfs',` + ## + ## + # +-interface(`dev_setattr_usbfs_files',` ++interface(`dev_read_video_dev',` + gen_require(` +- type usbfs_t; ++ type device_t, v4l_device_t; + ') + +- setattr_files_pattern($1, usbfs_t, usbfs_t) +- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ read_chr_files_pattern($1, device_t, v4l_device_t) + ') + + ######################################## + ## +-## Read USB hardware information using +-## the usbfs filesystem interface. ++## Write the video4linux devices. 
+ ## + ## + ## +@@ -4379,19 +5491,17 @@ interface(`dev_setattr_usbfs_files',` + ## + ## + # +-interface(`dev_read_usbfs',` ++interface(`dev_write_video_dev',` + gen_require(` +- type usbfs_t; ++ type device_t, v4l_device_t; + ') + +- read_files_pattern($1, usbfs_t, usbfs_t) +- read_lnk_files_pattern($1, usbfs_t, usbfs_t) +- list_dirs_pattern($1, usbfs_t, usbfs_t) ++ write_chr_files_pattern($1, device_t, v4l_device_t) + ') + + ######################################## + ## +-## Allow caller to modify usb hardware configuration files. ++## Get the attributes of vfio devices. + ## + ## + ## +@@ -4399,37 +5509,36 @@ interface(`dev_read_usbfs',` + ## + ## + # +-interface(`dev_rw_usbfs',` ++interface(`dev_getattr_vfio_dev',` + gen_require(` +- type usbfs_t; ++ type device_t, vfio_device_t; + ') + +- list_dirs_pattern($1, usbfs_t, usbfs_t) +- rw_files_pattern($1, usbfs_t, usbfs_t) +- read_lnk_files_pattern($1, usbfs_t, usbfs_t) ++ getattr_chr_files_pattern($1, device_t, vfio_device_t) + ') + + ######################################## + ## +-## Get the attributes of video4linux devices. ++## Do not audit attempts to get the attributes ++## of vfio device nodes. + ## + ## + ## +-## Domain allowed access. ++## Domain to not audit. + ## + ## + # +-interface(`dev_getattr_video_dev',` ++interface(`dev_dontaudit_getattr_vfio_dev',` + gen_require(` +- type device_t, v4l_device_t; ++ type vfio_device_t; + ') + +- getattr_chr_files_pattern($1, device_t, v4l_device_t) ++ dontaudit $1 vfio_device_t:chr_file getattr; + ') + +-###################################### ++######################################## + ## +-## Read and write userio device. ++## Set the attributes of vfio device nodes. 
+ ## + ## + ## +@@ -4437,18 +5546,18 @@ interface(`dev_getattr_video_dev',` + ## + ## + # +-interface(`dev_rw_userio_dev',` ++interface(`dev_setattr_vfio_dev',` + gen_require(` +- type device_t, userio_device_t; ++ type device_t, vfio_device_t; + ') + +- rw_chr_files_pattern($1, device_t, userio_device_t) ++ setattr_chr_files_pattern($1, device_t, vfio_device_t) + ') + + ######################################## + ## +-## Do not audit attempts to get the attributes +-## of video4linux device nodes. ++## Do not audit attempts to set the attributes ++## of vfio device nodes. + ## + ## + ## +@@ -4456,17 +5565,17 @@ interface(`dev_rw_userio_dev',` + ## + ## + # +-interface(`dev_dontaudit_getattr_video_dev',` ++interface(`dev_dontaudit_setattr_vfio_dev',` + gen_require(` +- type v4l_device_t; ++ type vfio_device_t; + ') + +- dontaudit $1 v4l_device_t:chr_file getattr; ++ dontaudit $1 vfio_device_t:chr_file setattr; + ') + + ######################################## + ## +-## Set the attributes of video4linux device nodes. ++## Read the vfio devices. + ## + ## + ## +@@ -4474,36 +5583,35 @@ interface(`dev_dontaudit_getattr_video_dev',` + ## + ## + # +-interface(`dev_setattr_video_dev',` ++interface(`dev_read_vfio_dev',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, vfio_device_t; + ') + +- setattr_chr_files_pattern($1, device_t, v4l_device_t) ++ read_chr_files_pattern($1, device_t, vfio_device_t) + ') + + ######################################## + ## +-## Do not audit attempts to set the attributes +-## of video4linux device nodes. ++## Write the vfio devices. + ## + ## + ## +-## Domain to not audit. ++## Domain allowed access. 
+ ## + ## + # +-interface(`dev_dontaudit_setattr_video_dev',` ++interface(`dev_write_vfio_dev',` + gen_require(` +- type v4l_device_t; ++ type device_t, vfio_device_t; + ') + +- dontaudit $1 v4l_device_t:chr_file setattr; ++ write_chr_files_pattern($1, device_t, vfio_device_t) + ') + + ######################################## + ## +-## Read the video4linux devices. ++## Read and write the VFIO devices. + ## + ## + ## +@@ -4511,17 +5619,17 @@ interface(`dev_dontaudit_setattr_video_dev',` + ## + ## + # +-interface(`dev_read_video_dev',` ++interface(`dev_rw_vfio_dev',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, vfio_device_t; + ') + +- read_chr_files_pattern($1, device_t, v4l_device_t) ++ rw_chr_files_pattern($1, device_t, vfio_device_t) + ') + + ######################################## + ## +-## Write the video4linux devices. ++## Allow read/write the vhost net device + ## + ## + ## +@@ -4529,17 +5637,17 @@ interface(`dev_read_video_dev',` + ## + ## + # +-interface(`dev_write_video_dev',` ++interface(`dev_rw_vhost',` + gen_require(` +- type device_t, v4l_device_t; ++ type device_t, vhost_device_t; + ') + +- write_chr_files_pattern($1, device_t, v4l_device_t) ++ rw_chr_files_pattern($1, device_t, vhost_device_t) + ') + + ######################################## + ## +-## Allow read/write the vhost net device ++## Allow read/write inheretid the vhost net device + ## + ## + ## +@@ -4547,12 +5655,12 @@ interface(`dev_write_video_dev',` + ## + ## + # +-interface(`dev_rw_vhost',` ++interface(`dev_rw_inherited_vhost',` + gen_require(` + type device_t, vhost_device_t; + ') + +- rw_chr_files_pattern($1, device_t, vhost_device_t) ++ allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms; + ') + + ######################################## +@@ -4630,6 +5738,24 @@ interface(`dev_write_watchdog',` ######################################## ## 
@@ -8623,7 +8813,7 @@ index 76f285e..6843613 100644 ## Read and write the the wireless device. ## ## -@@ -4762,6 +5869,44 @@ interface(`dev_rw_xserver_misc',` +@@ -4762,6 +5888,44 @@ interface(`dev_rw_xserver_misc',` ######################################## ## @@ -8668,7 +8858,7 @@ index 76f285e..6843613 100644 ## Read and write to the zero device (/dev/zero). ## ## -@@ -4851,3 +5996,1022 @@ interface(`dev_unconfined',` +@@ -4851,3 +6015,1022 @@ interface(`dev_unconfined',` typeattribute $1 devices_unconfined_type; ')