Diffstat (limited to 'policy')
-rw-r--r-- | policy/modules/kernel/devices.if | 18 | ||||
-rw-r--r-- | policy/modules/kernel/kernel.te | 6 | ||||
-rw-r--r-- | policy/modules/kernel/storage.if | 20 |
3 files changed, 44 insertions, 0 deletions
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index d15365737..e8a4560d4 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4966,6 +4966,24 @@ interface(`dev_rw_generic_usb_dev',` ######################################## ## <summary> +## Delete the generic USB devices. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_delete_generic_usb_dev',` + gen_require(` + type device_t, usb_device_t; + ') + + delete_chr_files_pattern($1, device_t, usb_device_t) +') + +######################################## +## <summary> ## Relabel generic the USB devices. ## </summary> ## <param name="domain"> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index ba4233b7e..3c37030b6 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -390,10 +390,16 @@ ifdef(`init_systemd',` ') optional_policy(` + dev_setattr_generic_usb_dev(kernel_t) + dev_delete_generic_usb_dev(kernel_t) + storage_dev_filetrans_fixed_disk(kernel_t, blk_file) storage_setattr_fixed_disk_dev(kernel_t) storage_create_fixed_disk_dev(kernel_t) storage_delete_fixed_disk_dev(kernel_t) + + storage_setattr_scsi_generic_dev(kernel_t) + storage_delete_scsi_generic_dev(kernel_t) ') ') diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if index 777caea69..6f62adead 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if 
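Review bot: The summary of the new `dev_delete_generic_usb_dev` interface says "Delete the generic USB devices", which understates what the rule grants. It removes character device nodes labeled `usb_device_t`, and `delete_chr_files_pattern($1, device_t, usb_device_t)` also appears to give the caller entry-removal access on `device_t` directories. I would say so in the summary, for example `## Delete generic USB device nodes (chr_file) and remove their entries from device_t directories.`, so that someone auditing callers sees the directory permission that comes with it. The pattern macro is defined outside this diff, so confirm the wording against its definition.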
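Review bot: The two `dev_*_generic_usb_dev(kernel_t)` calls sit inside the `optional_policy` block that otherwise holds only `storage_*` calls, so they would be dropped with the whole block if the storage module is not part of the build. If the devices module is always present in this policy (it appears so, but that is not visible here), the `dev_*` lines can go directly under the `ifdef`, outside any `optional_policy`. Nothing in the hunk records why `kernel_t` needs setattr and delete on USB and SCSI generic nodes, so a one-line comment ahead of each group would help later least-privilege reviews. If the reason is devtmpfs removing nodes after they were relabeled, which is my inference, something like `# devtmpfs: kernel_t removes relabeled device nodes on unplug` would do. The enclosing `ifdef` starts before the hunk.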
@@ -541,6 +541,26 @@ interface(`storage_write_scsi_generic',` ######################################## ## <summary> +## Allow the caller to delete the generic +## SCSI interface device nodes. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`storage_delete_scsi_generic_dev',` + gen_require(` + type scsi_generic_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 scsi_generic_device_t:chr_file delete_chr_file_perms; +') + +######################################## +## <summary> ## Set attributes of the device nodes ## for the SCSI generic interface. ## </summary> |
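Review bot: `storage_delete_scsi_generic_dev` pairs `delete_chr_file_perms` on the node with `dev_list_all_dev_nodes($1)`, which by its name grants only listing of the /dev directories, while unlinking a node also needs entry removal on the parent directory. The `dev_delete_generic_usb_dev` interface added to devices.if in this same commit gets that through `delete_chr_files_pattern`, so the two new delete interfaces are not equivalent. For `kernel_t` the directory permission probably arrives through the other calls in kernel.te, but a different domain calling only this interface would likely still be denied. Consider replacing the list call with `dev_remove_entry_generic_dirs($1)` if that interface is available in this tree, and keep the `allow` line as it is.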