[selinux-policy: 2307/3172] Add devices patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:24:50 UTC 2010


commit b51e8e0b42cd7e546c2f82946a4f3b84f7b2a467
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Nov 19 09:44:19 2009 -0500

    Add devices patch from Dan Walsh.

 policy/modules/kernel/devices.fc |    9 ++-
 policy/modules/kernel/devices.if |  257 +++++++++++++++++++++++++++++++++++++-
 policy/modules/kernel/devices.te |   34 +++++-
 3 files changed, 292 insertions(+), 8 deletions(-)
---
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 94b4bc4..a241ea1 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -47,8 +47,10 @@
 /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
 /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 /dev/kqemu		-c	gen_context(system_u:object_r:qemu_device_t,s0)
+/dev/ksm		-c	gen_context(system_u:object_r:ksm_device_t,s0)
 /dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,s0)
 /dev/lik.*		-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/lirc[0-9]+		-c	gen_context(system_u:object_r:lirc_device_t,s0)
 /dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
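Review bot: The new `/dev/lirc[0-9]+` spec requires at least one digit, so an unnumbered `/dev/lirc` node would fall through to the default device_t label, while the devices.te comment in this same commit documents the type as being for `/dev/lirc`. If the driver ever creates a bare node, `/dev/lirc[0-9]*` covers both forms and still does not overlap the adjacent `/dev/lircm` mouse entry, because file-context patterns are anchored and `m` is not a digit. Either the pattern or the type comment should be brought in line with the other.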
@@ -61,10 +63,12 @@
 /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
+/dev/modem		-c	gen_context(system_u:object_r:modem_device_t,s0)
 /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/msr.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/network_latency	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
 /dev/network_throughput	-c	gen_context(system_u:object_r:netcontrol_device_t,s0)
+/dev/noz.* 		-c	gen_context(system_u:object_r:modem_device_t,s0)
 /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
 /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
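Review bot: `/dev/modem` is declared with `-c`, so the spec only matches when the path is a real character device; on systems where `/dev/modem` is a symlink to a serial port it will not match and the link keeps the default device_t label. If that case is meant to be covered, a parallel `-l` entry `/dev/modem -l gen_context(system_u:object_r:modem_device_t,s0)` would be needed; otherwise the commit should say that only real nodes are labeled. The `/dev/noz.* ` line also carries a stray trailing space before the tab, unlike its neighbours.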
@@ -82,6 +86,7 @@
 /dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/random		-c	gen_context(system_u:object_r:random_device_t,s0)
 /dev/raw1394.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/rfkill		-c	gen_context(system_u:object_r:wireless_device_t,s0)
 /dev/(misc/)?rtc[0-9]*	-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/sequencer		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/sequencer2		-c	gen_context(system_u:object_r:sound_device_t,s0)
@@ -101,7 +106,8 @@ ifdef(`distro_suse', `
 /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 ')
 /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-/dev/vboxadd.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/vbox.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/vga_arbiter	-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
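Review bot: Replacing `/dev/vboxadd.*` with `/dev/vbox.*` widens the match from the guest-additions node to every `/dev/vbox*` node, so any other VirtualBox device present on a host would also become xserver_misc_device_t and be reachable by every domain holding the xserver misc-device interfaces. If the intent was only to pick up a renamed guest-additions node, a tighter pattern naming just that node keeps the old scope; if host-side driver nodes are meant to be covered, they probably deserve their own type rather than the X server catch-all. The commit message does not say which was intended.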
@@ -168,6 +174,7 @@ ifdef(`distro_gentoo',`
 
 ifdef(`distro_redhat',`
 # originally from named.fc
+/var/named/chroot/dev	-d	gen_context(system_u:object_r:device_t,s0)
 /var/named/chroot/dev/null -c	gen_context(system_u:object_r:null_device_t,s0)
 /var/named/chroot/dev/random -c	gen_context(system_u:object_r:random_device_t,s0)
 /var/named/chroot/dev/zero -c	gen_context(system_u:object_r:zero_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index dec0e02..2b7ad83 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -68,8 +68,8 @@ interface(`dev_relabel_all_dev_nodes',`
 	relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
 	relabelfrom_fifo_files_pattern($1, device_t, device_node)
 	relabelfrom_sock_files_pattern($1, device_t, device_node)
-	relabel_blk_files_pattern($1, device_t,{ device_t device_node })
-	relabel_chr_files_pattern($1, device_t,{ device_t device_node })
+	relabel_blk_files_pattern($1, device_t, { device_t device_node })
+	relabel_chr_files_pattern($1, device_t, { device_t device_node })
 ')
 
 ########################################
@@ -1692,6 +1692,78 @@ interface(`dev_read_kmsg',`
 
 ########################################
 ## <summary>
+##	Get the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_ksm_dev',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_ksm_dev',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##	Read the ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_ksm',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write to ksm devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_ksm',`
+	gen_require(`
+		type device_t, ksm_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, ksm_device_t)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the kvm devices.
 ## </summary>
 ## <param name="domain">
@@ -1762,6 +1834,61 @@ interface(`dev_rw_kvm',`
 	rw_chr_files_pattern($1, device_t, kvm_device_t)
 ')
 
+######################################
+## <summary>
+##	Read the lirc device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_lirc',`
+	gen_require(`
+		type device_t, lirc_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+##	Read and write the lirc device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_lirc',`
+	gen_require(`
+		type device_t, lirc_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, lirc_device_t)
+')
+
+######################################
+## <summary>
+##	Automatic type transition to the type
+##	for lirc device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_lirc',`
+	gen_require(`
+		type device_t, lirc_device_t;
+	')
+
+	filetrans_pattern($1, device_t, lirc_device_t, chr_file)
+')
+
 ########################################
 ## <summary>
 ##	Read the lvm comtrol device.
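Review bot: `dev_filetrans_lirc` uses an unnamed `filetrans_pattern(..., chr_file)` on device_t, so every character node the calling domain creates under /dev is labeled lirc_device_t, not only lirc ones, and a caller that also uses any other unnamed `dev_filetrans_*` interface for chr_file in /dev ends up with conflicting default transitions. Unless the policy build in use supports named file transitions (in which case pass the node name), the interface doc should warn callers, e.g. `##	Note: applies to every chr_file the domain creates in /dev.`. Also the three new header rules in this hunk are 38 `#` wide while the rest of the file uses 40 (`########################################`).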
@@ -1800,6 +1927,24 @@ interface(`dev_rw_lvm_control',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read and write lvm control device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_lvm_control',`
+	gen_require(`
+		type lvm_control_t;
+	')
+
+	dontaudit $1 lvm_control_t:chr_file rw_file_perms;
+')
+
+########################################
+## <summary>
 ##	Delete the lvm control device.
 ## </summary>
 ## <param name="domain">
@@ -2046,6 +2191,78 @@ interface(`dev_dontaudit_rw_misc',`
 
 ########################################
 ## <summary>
+##	Get the attributes of the modem devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_modem_dev',`
+	gen_require(`
+		type device_t, modem_device_t;
+	')
+
+	getattr_chr_files_pattern($1, device_t, modem_device_t)
+')
+
+########################################
+## <summary>
+##	Set the attributes of the modem devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_modem_dev',`
+	gen_require(`
+		type device_t, modem_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, modem_device_t)
+')
+
+########################################
+## <summary>
+##	Read the modem devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_modem',`
+	gen_require(`
+		type device_t, modem_device_t;
+	')
+
+	read_chr_files_pattern($1, device_t, modem_device_t)
+')
+
+########################################
+## <summary>
+##	Read and write to modem devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_modem',`
+	gen_require(`
+		type device_t, modem_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, modem_device_t)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the mouse devices.
 ## </summary>
 ## <param name="domain">
@@ -2305,6 +2522,24 @@ interface(`dev_setattr_null_dev',`
 
 ########################################
 ## <summary>
+##	Delete the null device (/dev/null).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_null',`
+	gen_require(`
+		type device_t, null_device_t;
+	')
+
+	delete_chr_files_pattern($1, device_t, null_device_t)
+')
+
+########################################
+## <summary>
 ##	Read and write to the null device (/dev/null).
 ## </summary>
 ## <param name="domain">
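Review bot: `dev_delete_null` grants unlink of the node that carries the `devnull` initial SID and `mls_trusted_object` status (both declared in devices.te), and nothing in the interface doc says how narrowly it should be handed out. A domain that can remove `/dev/null` and then create a plain file at that path can collect output every other process believes it is discarding, so the summary should carry a caveat such as `##	Only intended for device-node management domains; removing /dev/null lets the caller replace it with an ordinary file.`. Whether creation at that path is also possible depends on the caller's other rules, which are outside this hunk.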
@@ -3599,6 +3834,24 @@ interface(`dev_write_watchdog',`
 
 ########################################
 ## <summary>
+##	Read and write the the wireless device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_wireless',`
+	gen_require(`
+		type device_t, wireless_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, wireless_device_t)
+')
+
+########################################
+## <summary>
 ##	Read and write Xen devices.
 ## </summary>
 ## <param name="domain">
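Review bot: The summary of `dev_rw_wireless` reads "Read and write the the wireless device." with a doubled "the"; use `##	Read and write the wireless control device.`. Since the only node this patch labels wireless_device_t is `/dev/rfkill`, it would also help callers to say that, if the node follows the usual rfkill semantics, write access means toggling radio kill switches rather than just reading state, e.g. `##	Writing to /dev/rfkill can enable or disable radios.`.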
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index e87179f..1b536ec 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices, 1.9.0)
+policy_module(devices, 1.9.1)
 
 ########################################
 #
@@ -84,6 +84,12 @@ type kmsg_device_t;
 dev_node(kmsg_device_t)
 
 #
+# ksm_device_t is the type of /dev/ksm
+#
+type ksm_device_t;
+dev_node(ksm_device_t)
+
+#
 # kvm_device_t is the type of
 # /dev/kvm
 #
@@ -91,6 +97,12 @@ type kvm_device_t;
 dev_node(kvm_device_t)
 
 #
+# Type for /dev/lirc
+#
+type lirc_device_t;
+dev_node(lirc_device_t)
+
+#
 # Type for /dev/mapper/control
 #
 type lvm_control_t;
@@ -110,6 +122,12 @@ type misc_device_t;
 dev_node(misc_device_t)
 
 #
+# A general type for modem devices.
+#
+type modem_device_t;
+dev_node(modem_device_t)
+
+#
 # A more general type for mouse devices.
 #
 type mouse_device_t;
@@ -123,7 +141,7 @@ dev_node(mtrr_device_t)
 genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
 
 #
-# network control devices 
+# network control devices
 #
 type netcontrol_device_t;
 dev_node(netcontrol_device_t)
@@ -137,13 +155,13 @@ mls_trusted_object(null_device_t)
 sid devnull gen_context(system_u:object_r:null_device_t,s0)
 
 #
-# Type for /dev/nvram 
+# Type for /dev/nvram
 #
 type nvram_device_t;
 dev_node(nvram_device_t)
 
 #
-# Type for /dev/pmu 
+# Type for /dev/pmu
 #
 type power_device_t;
 dev_node(power_device_t)
@@ -153,7 +171,7 @@ dev_node(printer_device_t)
 mls_file_write_within_range(printer_device_t)
 
 #
-# qemu control devices 
+# qemu control devices
 #
 type qemu_device_t;
 dev_node(qemu_device_t)
@@ -224,6 +242,12 @@ dev_node(vmware_device_t)
 type watchdog_device_t;
 dev_node(watchdog_device_t)
 
+#
+# wireless control devices
+#
+type wireless_device_t;
+dev_node(wireless_device_t)
+
 type xen_device_t;
 dev_node(xen_device_t)
 

