[selinux-policy: 2486/3172] Devices patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:40:55 UTC 2010


commit 05351730cce30f65637ca938ab4b1cd8ec67b037
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Mar 4 15:30:22 2010 -0500

    Devices patch from Dan Walsh.

 policy/modules/kernel/devices.fc |    7 ++
 policy/modules/kernel/devices.if |  164 ++++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/devices.te |   14 +++-
 3 files changed, 184 insertions(+), 1 deletions(-)
---
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index a241ea1..2268319 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -16,13 +16,16 @@
 /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/autofs.*		-c	gen_context(system_u:object_r:autofs_device_t,s0)
 /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/btrfs-control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
 /dev/controlD64		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+/dev/dahdi/.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/elographics/e2201	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+/dev/etherd/.+		-c	gen_context(system_u:object_r:lvm_control_t,s0)
 /dev/event.*		-c	gen_context(system_u:object_r:event_device_t,s0)
 /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
 /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
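Review bot: The new entries for `/dev/btrfs-control` and `/dev/etherd/.+` label nodes `lvm_control_t`, a type this module never declares — the devices.te hunks in this commit only add dlm_control_device_t and userio_device_t — so devices.fc now depends on a type owned elsewhere (lvm_control_t appears to belong to the storage module). File contexts normally live in the .fc of the module that declares the type, so these two lines are better placed in that module's .fc than here. The `/dev/etherd/.+` entry also deserves a second look: those are ATA-over-Ethernet control nodes, and if reusing the LVM control label is deliberate, a short comment stating why would save the next reader from treating it as a mislabel.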
@@ -61,6 +64,7 @@
 /dev/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/microcode		-c	gen_context(system_u:object_r:cpu_device_t,s0)
 /dev/midi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+/dev/misc/dlm.*		-c	gen_context(system_u:object_r:dlm_control_device_t,s0)
 /dev/mixer.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
 /dev/modem		-c	gen_context(system_u:object_r:modem_device_t,s0)
@@ -80,6 +84,7 @@
 /dev/pcfclock.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
 /dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+/dev/pps.*		-c	gen_context(system_u:object_r:clock_device_t,s0)
 /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
 /dev/rmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
 /dev/radeon		-c	gen_context(system_u:object_r:dri_device_t,s0)
@@ -98,6 +103,8 @@
 /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/tpm[0-9]*		-c	gen_context(system_u:object_r:tpm_device_t,s0)
+/dev/uinput		-c	gen_context(system_u:object_r:event_device_t,s0)
+/dev/uio[0-9]+		-c	gen_context(system_u:object_r:userio_device_t,s0)
 /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
 /dev/ub[a-c]		-c	gen_context(system_u:object_r:usb_device_t,s0)
 /dev/usb.+		-c	gen_context(system_u:object_r:usb_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a3796f8..1b72daa 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -479,6 +479,24 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
 
 ########################################
 ## <summary>
+##	Read and write generic character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:chr_file rw_chr_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to set the attributes
 ##	of symbolic links in device directories (/dev).
 ## </summary>
@@ -826,6 +844,24 @@ interface(`dev_dontaudit_read_all_blk_files',`
 
 ########################################
 ## <summary>
+##	Dontaudit write on all block file device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_write_all_blk_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_node:blk_file write;
+')
+
+########################################
+## <summary>
 ##	Dontaudit read on all character file device nodes.
 ## </summary>
 ## <param name="domain">
@@ -844,6 +880,24 @@ interface(`dev_dontaudit_read_all_chr_files',`
 
 ########################################
 ## <summary>
+##	Dontaudit write on all character file device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_write_all_chr_files',`
+	gen_require(`
+		attribute device_node;
+	')
+
+	dontaudit $1 device_node:chr_file write;
+')
+
+########################################
+## <summary>
 ##	Create all block device files.
 ## </summary>
 ## <param name="domain">
@@ -1405,6 +1459,42 @@ interface(`dev_rw_crypto',`
 	rw_chr_files_pattern($1, device_t, crypt_device_t)
 ')
 
+#######################################
+## <summary>
+##	Set the attributes of the dlm control devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_dlm_control',`
+	gen_require(`
+	type device_t, kvm_device_t;
+	')
+
+	setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
+')
+
+#######################################
+## <summary>
+##	Read and write the the dlm control device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_dlm_control',`
+	gen_require(`
+		type device_t, dlm_control_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, dlm_control_device_t)
+')
+
 ########################################
 ## <summary>
 ##	getattr the dri devices.
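Review bot: The gen_require block of dev_setattr_dlm_control lists `type device_t, kvm_device_t;` while the setattr_chr_files_pattern call below it uses dlm_control_device_t, so the type the rule needs is not required and kvm_device_t is an unused leftover; it should read `type device_t, dlm_control_device_t;` as in dev_rw_dlm_control just after it. That same line is also indented one tab less than its sibling in dev_rw_dlm_control. The dev_rw_dlm_control summary has a doubled word ("the the"), and the header rules of these two interfaces and of dev_rw_userio_dev in the later hunk are 39 and 38 characters wide where the rest of the file uses 40.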
@@ -1735,6 +1825,24 @@ interface(`dev_read_kmsg',`
 
 ########################################
 ## <summary>
+##	Write to the kernel messages device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_write_kmsg',`
+	gen_require(`
+		type device_t, kmsg_device_t;
+	')
+
+	write_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the ksm devices.
 ## </summary>
 ## <param name="domain">
@@ -2046,6 +2154,25 @@ interface(`dev_read_raw_memory',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read raw memory devices
+##	(e.g. /dev/mem).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_read_raw_memory',`
+	gen_require(`
+		type memory_device_t;
+	')
+
+	dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
 ##	Write raw memory devices (e.g. /dev/mem).
 ## </summary>
 ## <param name="domain">
@@ -2456,6 +2583,25 @@ interface(`dev_write_mtrr',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to write the memory type
+##	range registers (MTRR).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_write_mtrr',`
+	gen_require(`
+		type mtrr_device_t;
+	')
+
+	dontaudit $1 mtrr_device_t:chr_file write;
+')
+
+########################################
+## <summary>
 ##	Read and write the memory type range registers (MTRR).
 ## </summary>
 ## <param name="domain">
@@ -3775,6 +3921,24 @@ interface(`dev_getattr_video_dev',`
 	getattr_chr_files_pattern($1, device_t, v4l_device_t)
 ')
 
+######################################
+## <summary>
+##	Read and write userio device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_userio_dev',`
+	gen_require(`
+		type device_t, userio_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, userio_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index b3107fa..1586fbb 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
 
-policy_module(devices, 1.9.2)
+policy_module(devices, 1.9.3)
 
 ########################################
 #
@@ -59,6 +59,12 @@ dev_node(cpu_device_t)
 type crypt_device_t;
 dev_node(crypt_device_t)
 
+#
+# dlm_misc_device_t is the type of /dev/misc/dlm.*
+#
+type dlm_control_device_t;
+dev_node(dlm_control_device_t)
+
 type dri_device_t;
 dev_node(dri_device_t)
 
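Review bot: The comment introducing the new type names `dlm_misc_device_t`, but the type declared on the next line is dlm_control_device_t, which is also the name used by the new devices.fc entry for /dev/misc/dlm.* and by the devices.if interfaces; the comment should read `# dlm_control_device_t is the type of /dev/misc/dlm.*`.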
@@ -232,6 +238,12 @@ genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
 type usb_device_t;
 dev_node(usb_device_t)
 
+#
+# userio_device_t is the type for /dev/uio[0-9]+
+#
+type userio_device_t;
+dev_node(userio_device_t)
+
 type v4l_device_t;
 dev_node(v4l_device_t)
 

