--- nsaserefpolicy/policy/modules/kernel/devices.fc 2008-08-07 11:15:01.000000000 -0400 +++ serefpolicy-3.5.5/policy/modules/kernel/devices.fc 2008-08-14 13:53:54.000000000 -0400 @@ -1,7 +1,7 @@ /dev -d gen_context(system_u:object_r:device_t,s0) /dev/.* gen_context(system_u:object_r:device_t,s0) - +/dev/3dfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/admmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/adsp.* -c gen_context(system_u:object_r:sound_device_t,s0) @@ -12,42 +12,59 @@ /dev/apm_bios -c gen_context(system_u:object_r:apm_bios_t,s0) /dev/atibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) /dev/beep -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/gfx -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/graphics -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/gtrsc.* -c gen_context(system_u:object_r:clock_device_t,s0) +/dev/pcfclock.* -c gen_context(system_u:object_r:clock_device_t,s0) /dev/efirtc -c gen_context(system_u:object_r:clock_device_t,s0) /dev/em8300.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) /dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0) /dev/full -c gen_context(system_u:object_r:null_device_t,s0) +/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/hfmodem -c gen_context(system_u:object_r:sound_device_t,s0) /dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hidraw.* -c gen_context(system_u:object_r:usb_device_t,s0) /dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0) /dev/hw_random -c gen_context(system_u:object_r:random_device_t,s0) /dev/hwrng -c gen_context(system_u:object_r:random_device_t,s0) /dev/i915 -c gen_context(system_u:object_r:dri_device_t,s0) +/dev/ipmi[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) +/dev/ipmi/[0-9]+ -c gen_context(system_u:object_r:ipmi_device_t,s0) /dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0) +/dev/elographics/e2201 -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/jbm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) +/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0) +/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0) /dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/mcelog -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh) /dev/mem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/mergemem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) /dev/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/microcode -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/midi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mixer.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/mmetfgrab -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/network_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) +/dev/network_throughput -c gen_context(system_u:object_r:netcontrol_device_t,s0) /dev/null -c gen_context(system_u:object_r:null_device_t,s0) /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/nvram -c gen_context(system_u:object_r:nvram_device_t,mls_systemhigh) /dev/oldmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh) +/dev/opengl -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0) /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0) /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0) @@ -69,14 +86,14 @@ /dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0) -/dev/usbmon[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) -/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0) -/dev/usb[0-9]+ -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/ub[a-c] -c gen_context(system_u:object_r:usb_device_t,s0) +/dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0) ') /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0) /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0) @@ -91,6 +108,7 @@ /dev/cmx.* -c gen_context(system_u:object_r:smartcard_device_t,s0) +/dev/cpu_dma_latency -c gen_context(system_u:object_r:netcontrol_device_t,s0) /dev/cpu/.* -c gen_context(system_u:object_r:cpu_device_t,s0) /dev/cpu/mtrr -c gen_context(system_u:object_r:mtrr_device_t,s0) @@ -98,13 +116,23 @@ /dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0) +/dev/inportbm -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/input/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/input/keyboard.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/input/event.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/input/mice -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/input/js.* -c gen_context(system_u:object_r:mouse_device_t,s0) /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0) +/dev/pc110pad -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/vrtpanel -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0) +/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0) +/dev/bometric/sensor.* -c gen_context(system_u:object_r:event_device_t,s0) /dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0) +/dev/mga_vid.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/pts(/.*)? <> --- nsaserefpolicy/policy/modules/kernel/devices.if 2008-08-07 11:15:01.000000000 -0400 +++ serefpolicy-3.5.5/policy/modules/kernel/devices.if 2008-08-14 13:53:54.000000000 -0400 @@ -65,7 +65,7 @@ relabelfrom_dirs_pattern($1, device_t, device_node) relabelfrom_files_pattern($1, device_t, device_node) - relabelfrom_lnk_files_pattern($1, device_t, device_node) + relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) relabelfrom_fifo_files_pattern($1, device_t, device_node) relabelfrom_sock_files_pattern($1, device_t, device_node) relabel_blk_files_pattern($1,device_t,{ device_t device_node }) @@ -167,6 +167,25 @@ ######################################## ## +## Manage of directories in /dev. +## +## +## +## Domain allowed to relabel. +## +## +# +interface(`dev_manage_generic_dirs',` + gen_require(` + type device_t; + ') + + manage_dirs_pattern($1, device_t, device_t) +') + + +######################################## +## ## Delete a directory in the device directory. ## ## @@ -667,6 +686,7 @@ ') dontaudit $1 device_node:blk_file getattr; + dev_dontaudit_getattr_generic_blk_files($1) ') ######################################## @@ -704,6 +724,7 @@ ') dontaudit $1 device_node:chr_file getattr; + dev_dontaudit_getattr_generic_chr_files($1) ') ######################################## @@ -1160,6 +1181,25 @@ ######################################## ## +## Set the attributes of the CPU +## microcode and id interfaces. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_cpu_dev',` + gen_require(` + type device_t, cpu_device_t; + ') + + setattr_chr_files_pattern($1, device_t, cpu_device_t) +') + +######################################## +## ## Read the CPU identity. ## ## @@ -1958,6 +1998,42 @@ ######################################## ## +## Get the attributes of the null device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_null_dev',` + gen_require(` + type device_t, null_device_t; + ') + + getattr_chr_files_pattern($1, device_t, null_device_t) +') + +######################################## +## +## Set the attributes of the null device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_null_dev',` + gen_require(` + type device_t, null_device_t; + ') + + setattr_chr_files_pattern($1, device_t, null_device_t) +') + +######################################## +## ## Read and write to the null device (/dev/null). ## ## @@ -2769,6 +2845,24 @@ ######################################## ## +## Read generic the USB devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_generic_usb_dev',` + gen_require(` + type usb_device_t; + ') + + read_chr_files_pattern($1, device_t, usb_device_t) +') + +######################################## +## ## Read and write generic the USB devices. ## ## @@ -2787,6 +2881,97 @@ ######################################## ## +## Read and write generic the USB fifo files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_generic_usb_pipes',` + gen_require(` + type usb_device_t; + ') + + allow $1 device_t:dir search_dir_perms; + allow $1 usb_device_t:fifo_file rw_fifo_file_perms; +') + +######################################## +## +## Get the attributes of the kvm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_kvm_dev',` + gen_require(` + type device_t, kvm_device_t; + ') + + getattr_chr_files_pattern($1, device_t, kvm_device_t) +') + +######################################## +## +## Set the attributes of the kvm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_kvm_dev',` + gen_require(` + type device_t, kvm_device_t; + ') + + setattr_chr_files_pattern($1, device_t, kvm_device_t) +') + +######################################## +## +## Read the kvm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_kvm',` + gen_require(` + type device_t, kvm_device_t; + ') + + read_chr_files_pattern($1, device_t, kvm_device_t) +') + +######################################## +## +## Read and write to kvm devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_kvm',` + gen_require(` + type device_t, kvm_device_t; + ') + + rw_chr_files_pattern($1, device_t, kvm_device_t) +') + +######################################## +## ## Mount a usbfs filesystem. ## ## @@ -3322,3 +3507,223 @@ typeattribute $1 devices_unconfined_type; ') + +######################################## +## +## Get the attributes of the autofs device node. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_autofs_dev',` + gen_require(` + type device_t, autofs_device_t; + ') + + getattr_chr_files_pattern($1, device_t, autofs_device_t) +') + +######################################## +## +## Do not audit attempts to get the attributes of +## the autofs device node. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_getattr_autofs_dev',` + gen_require(` + type autofs_device_t; + ') + + dontaudit $1 autofs_device_t:chr_file getattr; +') + +######################################## +## +## Set the attributes of the autofs device node. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_autofs_dev',` + gen_require(` + type device_t, autofs_device_t; + ') + + setattr_chr_files_pattern($1, device_t, autofs_device_t) +') + +######################################## +## +## Do not audit attempts to set the attributes of +## the autofs device node. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_dontaudit_setattr_autofs_dev',` + gen_require(` + type autofs_device_t; + ') + + dontaudit $1 autofs_device_t:chr_file setattr; +') + +######################################## +## +## Read and write the autofs device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_autofs',` + gen_require(` + type device_t, autofs_device_t; + ') + + rw_chr_files_pattern($1, device_t, autofs_device_t) +') + +######################################## +## +## Get the attributes of the network control device +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_netcontrol',` + gen_require(` + type device_t, netcontrol_device_t; + ') + + getattr_chr_files_pattern($1, device_t, netcontrol_device_t) +') + +######################################## +## +## Read the network control identity. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_netcontrol',` + gen_require(` + type device_t, netcontrol_device_t; + ') + + read_chr_files_pattern($1, device_t, netcontrol_device_t) +') + +######################################## +## +## Read and write the the network control device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_netcontrol',` + gen_require(` + type device_t, netcontrol_device_t; + ') + + rw_chr_files_pattern($1, device_t, netcontrol_device_t) +') + +######################################## +## +## Get the attributes of the QEMU +## microcode and id interfaces. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_getattr_qemu',` + gen_require(` + type device_t, qemu_device_t; + ') + + getattr_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## +## +## Set the attributes of the QEMU +## microcode and id interfaces. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_qemu',` + gen_require(` + type device_t, qemu_device_t; + ') + + setattr_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## +## +## Read the QEMU device +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_qemu',` + gen_require(` + type device_t, qemu_device_t; + ') + + read_chr_files_pattern($1, device_t, qemu_device_t) +') + +######################################## +## +## Read and write the the QEMU device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_qemu',` + gen_require(` + type device_t, qemu_device_t; + ') + + rw_chr_files_pattern($1, device_t, qemu_device_t) +') --- nsaserefpolicy/policy/modules/kernel/devices.te 2008-08-07 11:15:01.000000000 -0400 +++ serefpolicy-3.5.5/policy/modules/kernel/devices.te 2008-08-14 13:53:54.000000000 -0400 @@ -32,6 +32,12 @@ type apm_bios_t; dev_node(apm_bios_t) +# +# Type for /dev/autofs +# +type autofs_device_t; +dev_node(autofs_device_t) + type cardmgr_dev_t; dev_node(cardmgr_dev_t) files_tmp_file(cardmgr_dev_t) @@ -49,6 +55,12 @@ type cpu_device_t; dev_node(cpu_device_t) +# +# network control devices +# +type netcontrol_device_t; +dev_node(netcontrol_device_t) + # for the IBM zSeries z90crypt hardware ssl accelorator type crypt_device_t; dev_node(crypt_device_t) @@ -66,12 +78,25 @@ dev_node(framebuf_device_t) # +# Type for /dev/ipmi/0 +# +type ipmi_device_t; +dev_node(ipmi_device_t) + +# # Type for /dev/kmsg # type kmsg_device_t; dev_node(kmsg_device_t) # +# kvm_device_t is the type of +# /dev/kvm +# +type kvm_device_t; +dev_node(kvm_device_t) + +# # Type for /dev/mapper/control # type lvm_control_t; @@ -118,6 +143,12 @@ dev_node(nvram_device_t) # +# qemu control devices +# +type qemu_device_t; +dev_node(qemu_device_t) + +# # Type for /dev/pmu # type power_device_t;