[selinux-policy: 2486/3172] Devices patch from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:40:55 UTC 2010
commit 05351730cce30f65637ca938ab4b1cd8ec67b037
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Mar 4 15:30:22 2010 -0500
Devices patch from Dan Walsh.
policy/modules/kernel/devices.fc | 7 ++
policy/modules/kernel/devices.if | 164 ++++++++++++++++++++++++++++++++++++++
policy/modules/kernel/devices.te | 14 +++-
3 files changed, 184 insertions(+), 1 deletions(-)
---
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index a241ea1..2268319 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -16,13 +16,16 @@
/dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0)
/dev/beep -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
/dev/controlD64 -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/etherd/.+ -c gen_context(system_u:object_r:lvm_control_t,s0)
/dev/event.* -c gen_context(system_u:object_r:event_device_t,s0)
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
@@ -61,6 +64,7 @@
/dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0)
/dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0)
+/dev/misc/dlm.* -c gen_context(system_u:object_r:dlm_control_device_t,s0)
/dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
@@ -80,6 +84,7 @@
/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
/dev/port -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/pps.* -c gen_context(system_u:object_r:clock_device_t,s0)
/dev/(misc/)?psaux -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/rmidi.* -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
@@ -98,6 +103,8 @@
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tpm[0-9]* -c gen_context(system_u:object_r:tpm_device_t,s0)
+/dev/uinput -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a3796f8..1b72daa 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -479,6 +479,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
########################################
## <summary>
+## Read and write generic character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to set the attributes
## of symbolic links in device directories (/dev).
## </summary>
@@ -826,6 +844,24 @@ interface(`dev_dontaudit_read_all_blk_files',`
########################################
## <summary>
+## Dontaudit write on all block file device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_all_blk_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_node:blk_file write;
+')
+
+########################################
+## <summary>
## Dontaudit read on all character file device nodes.
## </summary>
## <param name="domain">
@@ -844,6 +880,24 @@ interface(`dev_dontaudit_read_all_chr_files',`
########################################
## <summary>
+## Dontaudit write on all character file device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_all_chr_files',`
+ gen_require(`
+ attribute device_node;
+ ')
+
+ dontaudit $1 device_node:chr_file write;
+')
+
+########################################
+## <summary>
## Create all block device files.
## </summary>
## <param name="domain">
@@ -1405,6 +1459,42 @@ interface(`dev_rw_crypto',`
rw_chr_files_pattern($1, device_t, crypt_device_t)
')
+#######################################
+## <summary>
+## Set the attributes of the dlm control devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_dlm_control',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
+')
+
+#######################################
+## <summary>
+## Read and write the the dlm control device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_dlm_control',`
+ gen_require(`
+ type device_t, dlm_control_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, dlm_control_device_t)
+')
+
########################################
## <summary>
## getattr the dri devices.
@@ -1735,6 +1825,24 @@ interface(`dev_read_kmsg',`
########################################
## <summary>
+## Write to the kernel messages device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_write_kmsg',`
+ gen_require(`
+ type device_t, kmsg_device_t;
+ ')
+
+ write_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
+########################################
+## <summary>
## Get the attributes of the ksm devices.
## </summary>
## <param name="domain">
@@ -2046,6 +2154,25 @@ interface(`dev_read_raw_memory',`
########################################
## <summary>
+## Do not audit attempts to read raw memory devices
+## (e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_raw_memory',`
+ gen_require(`
+ type memory_device_t;
+ ')
+
+ dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
## Write raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
@@ -2456,6 +2583,25 @@ interface(`dev_write_mtrr',`
########################################
## <summary>
+## Do not audit attempts to write the memory type
+## range registers (MTRR).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_write_mtrr',`
+ gen_require(`
+ type mtrr_device_t;
+ ')
+
+ dontaudit $1 mtrr_device_t:chr_file write;
+')
+
+########################################
+## <summary>
## Read and write the memory type range registers (MTRR).
## </summary>
## <param name="domain">
@@ -3775,6 +3921,24 @@ interface(`dev_getattr_video_dev',`
getattr_chr_files_pattern($1, device_t, v4l_device_t)
')
+######################################
+## <summary>
+## Read and write userio device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_userio_dev',`
+ gen_require(`
+ type device_t, userio_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, userio_device_t)
+')
+
########################################
## <summary>
## Do not audit attempts to get the attributes
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index b3107fa..1586fbb 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices, 1.9.2)
+policy_module(devices, 1.9.3)
########################################
#
@@ -59,6 +59,12 @@ dev_node(cpu_device_t)
type crypt_device_t;
dev_node(crypt_device_t)
+#
+# dlm_misc_device_t is the type of /dev/misc/dlm.*
+#
+type dlm_control_device_t;
+dev_node(dlm_control_device_t)
+
type dri_device_t;
dev_node(dri_device_t)
@@ -232,6 +238,12 @@ genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
type usb_device_t;
dev_node(usb_device_t)
+#
+# userio_device_t is the type for /dev/uio[0-9]+
+#
+type userio_device_t;
+dev_node(userio_device_t)
+
type v4l_device_t;
dev_node(v4l_device_t)
More information about the scm-commits
mailing list