aboutsummaryrefslogtreecommitdiff
blob: 027c5239f3f8d0f4779279da2a80a942e24af7f3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
policy_module(devices, 1.24.0)

########################################
#
# Declarations
#

attribute device_node;
attribute memory_raw_read;
attribute memory_raw_write;
attribute devices_unconfined_type;
attribute sysfs_types;

#
# device_t is the type of /dev.
#
type device_t;
fs_associate_tmpfs(device_t)
files_type(device_t)
files_mountpoint(device_t)
files_associate_tmp(device_t)
fs_xattr_type(device_t)
fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);

optional_policy(`
	systemd_tmpfilesd_managed(device_t, fifo_file)
')

#
# Type for /dev/agpgart
#
type agp_device_t;
dev_node(agp_device_t)

#
# Type for /dev/apm_bios
#
type acpi_bios_t;
dev_node(acpi_bios_t)

#
# Type for /dev/autofs
#
type autofs_device_t;
dev_node(autofs_device_t)

type cardmgr_dev_t;
dev_node(cardmgr_dev_t)
files_tmp_file(cardmgr_dev_t)

type cachefiles_device_t;
dev_node(cachefiles_device_t)

#
# clock_device_t is the type of
# /dev/rtc.
#
type clock_device_t;
dev_node(clock_device_t)

#
# cpu control devices /dev/cpu/0/*
#
type cpu_device_t;
dev_node(cpu_device_t)

#
# /sys/devices/system/cpu/online device
#
type cpu_online_t, sysfs_types;
files_type(cpu_online_t)
dev_associate_sysfs(cpu_online_t)
genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)

#
# Type for /dev/crash
#
type crash_device_t;
dev_node(crash_device_t)

# for the IBM zSeries z90crypt hardware ssl accelorator
type crypt_device_t;
dev_node(crypt_device_t)

#
# dlm_misc_device_t is the type of /dev/misc/dlm.*
#
type dlm_control_device_t;
dev_node(dlm_control_device_t)

type dri_device_t;
dev_node(dri_device_t)

type event_device_t;
dev_node(event_device_t)

#
# Type for framebuffer /dev/fb/*
#
type framebuf_device_t;
dev_node(framebuf_device_t)

#
# Type for /dev/ipmi/0
#
type ipmi_device_t;
dev_node(ipmi_device_t)

#
# Type for /dev/kmsg
#
type kmsg_device_t;
dev_node(kmsg_device_t)

#
# ksm_device_t is the type of /dev/ksm
#
type ksm_device_t;
dev_node(ksm_device_t)

#
# kvm_device_t is the type of
# /dev/kvm
#
type kvm_device_t;
dev_node(kvm_device_t)

#
# Type for /dev/lirc
#
type lirc_device_t;
dev_node(lirc_device_t)

type loop_control_device_t;
dev_node(loop_control_device_t)

#
# Type for /dev/mapper/control
#
type lvm_control_t;
dev_node(lvm_control_t)

type mei_device_t;
dev_node(mei_device_t)

#
# memory_device_t is the type of /dev/kmem,
# /dev/mem and /dev/port.
#
type memory_device_t;
dev_node(memory_device_t)

neverallow ~{ memory_raw_read devices_unconfined_type } memory_device_t:{ chr_file blk_file } read;
neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_file blk_file } { append write };

type misc_device_t;
dev_node(misc_device_t)

#
# A general type for modem devices.
#
type modem_device_t;
dev_node(modem_device_t)

#
# A more general type for mouse devices.
#
type mouse_device_t;
dev_node(mouse_device_t)

#
# Type for /dev/cpu/mtrr and /proc/mtrr
#
type mtrr_device_t;
dev_node(mtrr_device_t)
genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)

#
# network control devices
#
type netcontrol_device_t;
dev_node(netcontrol_device_t)

#
# null_device_t is the type of /dev/null.
#
type null_device_t;
dev_node(null_device_t)
mls_trusted_object(null_device_t)
sid devnull gen_context(system_u:object_r:null_device_t,s0)

#
# Type for /dev/nvram
#
type nvram_device_t;
dev_node(nvram_device_t)

#
# Type for /dev/pmu
#
type power_device_t;
dev_node(power_device_t)

type printer_device_t;
dev_node(printer_device_t)
mls_file_write_within_range(printer_device_t)

#
# qemu control devices
#
type qemu_device_t;
dev_node(qemu_device_t)

#
# random_device_t is the type of /dev/random
#
type random_device_t;
dev_node(random_device_t)

type scanner_device_t;
dev_node(scanner_device_t)

#
# Type for smartcards
#
type smartcard_device_t;
dev_node(smartcard_device_t)

#
# Type for sound devices and mixers
#
type sound_device_t;
dev_node(sound_device_t)

#
# sysfs_t is the type for the /sys pseudofs
#
type sysfs_t, sysfs_types;
files_mountpoint(sysfs_t)
fs_xattr_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)

#
# Type for /dev/tpm
#
type tpm_device_t;
dev_node(tpm_device_t)

#
# urandom_device_t is the type of /dev/urandom
#
type urandom_device_t;
dev_node(urandom_device_t)

#
# usbfs_t is the type for the /proc/bus/usb pseudofs
#
type usbfs_t alias usbdevfs_t;
files_mountpoint(usbfs_t)
fs_noxattr_type(usbfs_t)
genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)

#
# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
#
type usb_device_t;
dev_node(usb_device_t)

#
# usb_device_t is the type for /dev/usbmon
#
type usbmon_device_t;
dev_node(usbmon_device_t)

#
# userio_device_t is the type for /dev/uio[0-9]+
#
type userio_device_t;
dev_node(userio_device_t)

type vfio_device_t;
dev_node(vfio_device_t)

type v4l_device_t;
dev_node(v4l_device_t)

#
# vhost_device_t is the type for vhost devices like
# /dev/vhost-net and /dev/vhost-scsi
#
type vhost_device_t;
dev_node(vhost_device_t)

# Type for vmware devices.
type vmware_device_t;
dev_node(vmware_device_t)

type watchdog_device_t;
dev_node(watchdog_device_t)

#
# wireless control devices
#
type wireless_device_t;
dev_node(wireless_device_t)

type xen_device_t;
dev_node(xen_device_t)

type xserver_misc_device_t;
dev_node(xserver_misc_device_t)

#
# zero_device_t is the type of /dev/zero.
#
type zero_device_t;
dev_node(zero_device_t)
mls_trusted_object(zero_device_t)

########################################
#
# Rules for all device nodes
#

allow device_node device_t:filesystem associate;

fs_associate(device_node)
fs_associate_tmpfs(device_node)

files_associate_tmp(device_node)

########################################
#
# Unconfined access to this module
#

allow devices_unconfined_type self:capability sys_rawio;
allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms relabelfrom relabelto map execute swapon quotaon mounton audit_access execmod };
allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabelfrom relabelto map execute swapon quotaon mounton execute_no_trans entrypoint execmod audit_access };
allow devices_unconfined_type mtrr_device_t:file { manage_file_perms relabelfrom relabelto map execute swapon quotaon mounton execute_no_trans entrypoint execmod audit_access };