[selinux-policy: 2092/3172] trunk: devices patch from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:05:36 UTC 2010


commit 7b76207e378e85194470434fd47921710136a919
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Mar 5 15:36:41 2009 +0000

    trunk: devices patch from dan.

 policy/modules/kernel/devices.fc |   43 ++++-
 policy/modules/kernel/devices.if |  448 +++++++++++++++++++++++++++++++++++++-
 policy/modules/kernel/devices.te |   33 +++-
 3 files changed, 515 insertions(+), 9 deletions(-)
---
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index d55a50c..5ec99e9 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -3,6 +3,8 @@
 /dev/.*				gen_context(system_u:object_r:device_t,s0)
 
 /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/[0-9].*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/3dfx		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/admmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/adsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/(misc/)?agpgart	-c	gen_context(system_u:object_r:agp_device_t,s0)
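Review bot: The new `/dev/[0-9].*` spec has no literal stem beyond `/dev/` and labels every node whose name starts with a digit as usb_device_t, and nothing in the hunk says which driver creates such nodes. A comment naming the intended nodes would keep the rule reviewable, e.g. `# digit-named nodes are treated as generic USB device files`. The more specific `/dev/3dfx` entry added right below it relies on file_contexts precedence to win over the wildcard; worth confirming with matchpathcon that /dev/3dfx resolves to xserver_misc_device_t.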
@@ -12,44 +14,65 @@
 /dev/apm_bios		-c	gen_context(system_u:object_r:apm_bios_t,s0)
 /dev/atibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/autofs.*		-c	gen_context(system_u:object_r:autofs_device_t,s0)
 /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
+/dev/elographics/e2201	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/event.*		-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
 /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/gfx		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/graphics		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/gtrsc.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
+/dev/hfmodem		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hidraw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/hwrng		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
+/dev/inportbm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/ipmi[0-9]+		-c	gen_context(system_u:object_r:ipmi_device_t,s0)
+/dev/ipmi/[0-9]+	-c	gen_context(system_u:object_r:ipmi_device_t,s0)
 /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
+/dev/jbm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
+/dev/kqemu		-c	gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
+/dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/mem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/mga_vid.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/msr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/network_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/network_throughput	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
 /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
 /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/opengl		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/par.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/patmgr[01]		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/pc110pad		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/pcfclock.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
 /dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
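Review bot: `/dev/msr.*` is labeled cpu_device_t, the same type as /dev/microcode, so every domain that already has write access to cpu_device_t now also gets write access to the model-specific-register nodes, which is a much larger privilege than reading the CPU identity. If that widening is intended it deserves a comment on the line, e.g. `# msr nodes share cpu_device_t: rw on cpu_device_t implies raw MSR access`; otherwise a dedicated type would keep the two apart. The `/dev/mergemem` entry correctly mirrors the mls_systemhigh range of the other memory_device_t nodes.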
@@ -69,17 +92,18 @@
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
-/dev/usbmon[0-9]+	-c	gen_context(system_u:object_r:usb_device_t,s0)
-/dev/usbdev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
-/dev/usb[0-9]+		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/ub[a-c]		-c	gen_context(system_u:object_r:usb_device_t,s0)
+/dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vboxadd.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/vrtpanel		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/watchdog		-c	gen_context(system_u:object_r:watchdog_device_t,s0)
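Review bot: `/dev/ub[a-c]` is given with `-c`, but if these are the nodes of the ub USB storage driver they are block devices, so a char-only spec will never match them and they would stay device_t. Either drop the `-c` or use `-b` after checking the node type on a system with the driver loaded. Replacing the three usb specs with `/dev/usb.+` also overlaps the `/dev/usblp.*` printer_device_t entry that follows; whether the printer label still wins depends on file_contexts precedence between the two regexes, so confirm with matchpathcon rather than assuming.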
@@ -91,14 +115,20 @@ ifdef(`distro_suse', `
 
 /dev/cmx.*		-c	gen_context(system_u:object_r:smartcard_device_t,s0)
 
-/dev/cpu/.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
+/dev/cpu_dma_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/cpu.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/cpu/mtrr		-c	gen_context(system_u:object_r:mtrr_device_t,s0)
 
+/dev/bometric/sensor.*	-c	gen_context(system_u:object_r:event_device_t,s0)
+
 /dev/dri/.+		-c	gen_context(system_u:object_r:dri_device_t,s0)
 
 /dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 
+/dev/input/.*		-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/input/m.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/input/.*mouse.*	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/input/keyboard.*	-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
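Review bot: `/dev/bometric/sensor.*` looks like a typo for `/dev/biometric/sensor.*`; as written the spec cannot match anything the kernel creates. The widened `/dev/cpu.*` entry now also matches `/dev/cpu_dma_latency`, which the hunk labels netcontrol_device_t on the line above it, so the netcontrol label depends on the literal spec taking precedence over the regex; a short comment such as `# literal entries above override the /dev/cpu.* wildcard` would record that intent.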
@@ -106,10 +136,15 @@ ifdef(`distro_suse', `
 
 /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
 
+/dev/mvideo/.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+
 /dev/pts(/.*)?			<<none>>
 
 /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
 
+/dev/touchscreen/ucb1x00 -c	gen_context(system_u:object_r:mouse_device_t,s0)
+/dev/touchscreen/mk712	-c	gen_context(system_u:object_r:mouse_device_t,s0)
+
 /dev/usb/dc2xx.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/usb/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 /dev/usb/mdc800.*	-c	gen_context(system_u:object_r:scanner_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index f0f7089..c3dbd7d 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -65,7 +65,7 @@ interface(`dev_relabel_all_dev_nodes',`
 
 	relabelfrom_dirs_pattern($1, device_t, device_node)
 	relabelfrom_files_pattern($1, device_t, device_node)
-	relabelfrom_lnk_files_pattern($1, device_t, device_node)
+	relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
 	relabelfrom_fifo_files_pattern($1, device_t, device_node)
 	relabelfrom_sock_files_pattern($1, device_t, device_node)
 	relabel_blk_files_pattern($1,device_t,{ device_t device_node })
@@ -184,6 +184,24 @@ interface(`dev_delete_generic_dirs',`
 
 ########################################
 ## <summary>
+##	Manage of directories in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to relabel.
+##	</summary>
+## </param>
+#
+interface(`dev_manage_generic_dirs',`
+	gen_require(`
+		type device_t;
+	')
+
+	manage_dirs_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ##	Allow full relabeling (to and from) of directories in /dev.
 ## </summary>
 ## <param name="domain">
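Review bot: The documentation of the new dev_manage_generic_dirs interface is wrong in two places: the summary `Manage of directories in /dev.` is ungrammatical and the parameter summary `Domain allowed to relabel.` is copied from a relabel interface although the body grants manage_dirs_pattern. Change them to `##	Manage directories in /dev.` and `##	Domain allowed access.` so the generated interface docs describe what the macro actually permits.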
@@ -663,9 +681,10 @@ interface(`dev_getattr_all_blk_files',`
 interface(`dev_dontaudit_getattr_all_blk_files',`
 	gen_require(`
 		attribute device_node;
+		type device_t;
 	')
 
-	dontaudit $1 device_node:blk_file getattr;
+	dontaudit $1 { device_t device_node }:blk_file getattr;
 ')
 
 ########################################
@@ -700,9 +719,10 @@ interface(`dev_getattr_all_chr_files',`
 interface(`dev_dontaudit_getattr_all_chr_files',`
 	gen_require(`
 		attribute device_node;
+		type device_t;
 	')
 
-	dontaudit $1 device_node:chr_file getattr;
+	dontaudit $1 { device_t device_node }:chr_file getattr;
 ')
 
 ########################################
@@ -1061,6 +1081,98 @@ interface(`dev_rw_apm_bios',`
 
 ########################################
 ## <summary>
+##	Get the attributes of the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_autofs_dev',`
+	gen_require(`
+		type device_t, autofs_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to get the attributes of
+##	the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_autofs_dev',`
+	gen_require(`
+		type autofs_device_t;
+	')
+
+	dontaudit $1 autofs_device_t:chr_file getattr;
+')
+
+########################################
+## <summary>
+##	Set the attributes of the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_autofs_dev',`
+	gen_require(`
+		type device_t, autofs_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to set the attributes of
+##	the autofs device node.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_setattr_autofs_dev',`
+	gen_require(`
+		type autofs_device_t;
+	')
+
+	dontaudit $1 autofs_device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
+##	Read and write the autofs device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_autofs',`
+	gen_require(`
+		type device_t, autofs_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, autofs_device_t)
+')
+
+########################################
+## <summary>
 ##	Read and write the PCMCIA card manager device.
 ## </summary>
 ## <param name="domain">
@@ -1159,6 +1271,25 @@ interface(`dev_getattr_cpu_dev',`
 
 ########################################
 ## <summary>
+##	Set the attributes of the CPU
+##	microcode and id interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_cpu_dev',`
+	gen_require(`
+		type device_t, cpu_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, cpu_device_t)
+')
+
+########################################
+## <summary>
 ##	Read the CPU identity.
 ## </summary>
 ## <param name="domain">
@@ -1281,7 +1412,7 @@ interface(`dev_dontaudit_rw_dri',`
 		type dri_device_t;
 	')
 
-	dontaudit $1 dri_device_t:chr_file { getattr read write ioctl };
+	dontaudit $1 dri_device_t:chr_file rw_chr_file_perms;
 ')
 
 ########################################
@@ -1506,6 +1637,96 @@ interface(`dev_rw_framebuffer',`
 
 ########################################
 ## <summary>
+##	Read the kernel messages
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_kmsg',`
+	gen_require(`
+		type device_t, kmsg_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
+########################################
+## <summary>
+##	Get the attributes of the kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_kvm_dev',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_kvm_dev',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+## <summary>
+##	Read the kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_kvm',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+## <summary>
+##      Read and write to kvm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##      Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_kvm',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, kvm_device_t)
+')
+
+########################################
+## <summary>
 ##	Read the lvm comtrol device.
 ## </summary>
 ## <param name="domain">
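Review bot: The summary and parameter summary of dev_rw_kvm are indented with spaces (`##      Read and write to kvm devices.`, `##      Domain allowed access.`) while every other interface in the hunk and the rest of the file uses a tab after `##`. Change them to `##	Read and write to kvm devices.` and `##	Domain allowed access.` so the block matches the file's style and the doc extractor sees consistent input.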
@@ -1957,6 +2178,96 @@ interface(`dev_rw_mtrr',`
 
 ########################################
 ## <summary>
+##	Get the attributes of the network control device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_netcontrol_dev',`
+	gen_require(`
+		type device_t, netcontrol_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+## <summary>
+##	Read the network control identity.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_netcontrol',`
+	gen_require(`
+		type device_t, netcontrol_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write the the network control device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_netcontrol',`
+	gen_require(`
+		type device_t, netcontrol_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, netcontrol_device_t)
+')
+
+########################################
+## <summary>
+##	Get the attributes of the null device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_null_dev',`
+	gen_require(`
+		type device_t, null_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, null_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the null device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_null_dev',`
+	gen_require(`
+		type device_t, null_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, null_device_t)
+')
+
+########################################
+## <summary>
 ##	Read and write to the null device (/dev/null).
 ## </summary>
 ## <param name="domain">
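Review bot: The summary of dev_read_netcontrol, `Read the network control identity.`, is copied from the CPU identity interface and does not describe netcontrol_device_t; it should read `##	Read the network control device.`. The dev_rw_netcontrol summary also has a doubled article, `Read and write the the network control device.`, which should be `##	Read and write the network control device.`.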
@@ -2103,6 +2414,98 @@ interface(`dev_rw_printer',`
 
 ########################################
 ## <summary>
+##	Read printk devices (e.g., /dev/kmsg /dev/mcelog)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_printk',`
+	gen_require(`
+		type device_t, printk_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, printk_device_t)
+')
+
+########################################
+## <summary>
+##	Get the attributes of the QEMU
+##	microcode and id interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_qemu_dev',`
+	gen_require(`
+		type device_t, qemu_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the QEMU
+##	microcode and id interfaces.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_qemu_dev',`
+	gen_require(`
+		type device_t, qemu_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
+##	Read the QEMU device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_qemu',`
+	gen_require(`
+		type device_t, qemu_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write the the QEMU device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_qemu',`
+	gen_require(`
+		type device_t, qemu_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, qemu_device_t)
+')
+
+########################################
+## <summary>
 ##	Read from random number generator
 ##	devices (e.g., /dev/random)
 ## </summary>
@@ -2141,6 +2544,25 @@ interface(`dev_dontaudit_read_rand',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to append to random
+##	number generator devices (e.g., /dev/random)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_append_rand',`
+	gen_require(`
+		type random_device_t;
+	')
+
+	dontaudit $1 random_device_t:chr_file append_chr_file_perms;
+')
+
+########################################
+## <summary>
 ##	Write to the random device (e.g., /dev/random). This adds
 ##	entropy used to generate the random data read from the
 ##	random device.
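Review bot: The parameter summary of dev_dontaudit_append_rand says `Domain allowed access.` although the interface only adds a dontaudit rule and grants nothing; the other dontaudit interfaces in this commit use `##	Domain to not audit.`, which is what this one should say too.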
@@ -2767,6 +3189,24 @@ interface(`dev_setattr_generic_usb_dev',`
 
 ########################################
 ## <summary>
+##	Read generic the USB devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_generic_usb_dev',`
+	gen_require(`
+		type usb_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, usb_device_t)
+')
+
+########################################
+## <summary>
 ##	Read and write generic the USB devices.
 ## </summary>
 ## <param name="domain">
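Review bot: dev_read_generic_usb_dev uses device_t in its read_chr_files_pattern call but its gen_require only lists usb_device_t, unlike the other new interfaces in this commit which require both; a module calling it from a context where device_t is not already required would fail to build. Change the require to `type device_t, usb_device_t;`. The summary `Read generic the USB devices.` copies the word order of the existing rw interface below it and should read `##	Read the generic USB devices.`.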
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 0de9187..893c4a8 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices, 1.7.0)
+policy_module(devices, 1.7.1)
 
 ########################################
 #
@@ -32,6 +32,12 @@ dev_node(agp_device_t)
 type apm_bios_t;
 dev_node(apm_bios_t)
 
+#
+# Type for /dev/autofs
+#
+type autofs_device_t;
+dev_node(autofs_device_t)
+
 type cardmgr_dev_t;
 dev_node(cardmgr_dev_t)
 files_tmp_file(cardmgr_dev_t)
@@ -66,12 +72,25 @@ type framebuf_device_t;
 dev_node(framebuf_device_t)
 
 #
+# Type for /dev/ipmi/0
+#
+type ipmi_device_t;
+dev_node(ipmi_device_t)
+
+#
 # Type for /dev/kmsg
 #
 type kmsg_device_t;
 dev_node(kmsg_device_t)
 
 #
+# kvm_device_t is the type of
+# /dev/kvm
+#
+type kvm_device_t;
+dev_node(kvm_device_t)
+
+#
 # Type for /dev/mapper/control
 #
 type lvm_control_t;
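Review bot: ipmi_device_t is declared here and assigned to /dev/ipmi* in devices.fc, but no dev_*_ipmi interface is added in devices.if in this commit, so no module can be granted access to the nodes through the usual interface layer and they will simply be denied for every domain. Either add the getattr/read/rw interfaces alongside the kvm ones or note in the comment that this is intentional, e.g. `# Type for /dev/ipmi/0 (no access interfaces yet)`. Also this comment names only /dev/ipmi/0 while the fc file labels both `/dev/ipmi[0-9]+` and `/dev/ipmi/[0-9]+`.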
@@ -104,6 +123,12 @@ dev_node(mtrr_device_t)
 genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
 
 #
+# network control devices 
+#
+type netcontrol_device_t;
+dev_node(netcontrol_device_t)
+
+#
 # null_device_t is the type of /dev/null.
 #
 type null_device_t;
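Review bot: The comment `# network control devices ` has trailing whitespace and names only the network nodes, while devices.fc assigns netcontrol_device_t to /dev/cpu_dma_latency as well as /dev/network_latency and /dev/network_throughput. Make it `# Type for /dev/cpu_dma_latency, /dev/network_latency and /dev/network_throughput` so the type's scope is visible where it is declared. The qemu hunk below has the same trailing whitespace in `# qemu control devices `.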
@@ -128,6 +153,12 @@ dev_node(printer_device_t)
 mls_file_write_within_range(printer_device_t)
 
 #
+# qemu control devices 
+#
+type qemu_device_t;
+dev_node(qemu_device_t)
+
+#
 # random_device_t is the type of /dev/random
 #
 type random_device_t;

