1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
|
policy_module(devices)
########################################
#
# Declarations
#
attribute device_node;
attribute memory_raw_read;
attribute memory_raw_write;
attribute devices_unconfined_type;
attribute sysfs_types;
#
# device_t is the type of /dev.
#
type device_t;
fs_associate_tmpfs(device_t)
files_type(device_t)
files_mountpoint(device_t)
files_associate_tmp(device_t)
fs_xattr_type(device_t)
fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
optional_policy(`
container_mountpoint(device_t)
')
optional_policy(`
systemd_tmpfilesd_managed(device_t)
')
#
# Type for /dev/agpgart
#
type agp_device_t;
dev_node(agp_device_t)
#
# Type for /dev/apm_bios
#
type acpi_bios_t;
dev_node(acpi_bios_t)
#
# Type for /dev/autofs
#
type autofs_device_t;
dev_node(autofs_device_t)
optional_policy(`
container_mountpoint(autofs_device_t)
')
type cardmgr_dev_t;
dev_node(cardmgr_dev_t)
files_tmp_file(cardmgr_dev_t)
type cachefiles_device_t;
dev_node(cachefiles_device_t)
#
# clock_device_t is the type of
# /dev/rtc.
#
type clock_device_t;
dev_node(clock_device_t)
#
# cpu control devices /dev/cpu/0/*
#
type cpu_device_t;
dev_node(cpu_device_t)
#
# /sys/devices/system/cpu/online device
#
type cpu_online_t, sysfs_types;
files_type(cpu_online_t)
dev_associate_sysfs(cpu_online_t)
genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
#
# Type for /dev/crash
#
type crash_device_t;
dev_node(crash_device_t)
# for the IBM zSeries z90crypt hardware ssl accelerator
type crypt_device_t;
dev_node(crypt_device_t)
#
# Type for /dev/dax*.*
#
type dax_device_t;
dev_node(dax_device_t)
#
# dlm_misc_device_t is the type of /dev/misc/dlm.*
#
type dlm_control_device_t;
dev_node(dlm_control_device_t)
#
# Type for /dev/dma_heap/* devices
#
type dma_device_t;
dev_node(dma_device_t)
type dri_device_t;
dev_node(dri_device_t)
type event_device_t;
dev_node(event_device_t)
#
# Type for framebuffer /dev/fb/*
#
type framebuf_device_t;
dev_node(framebuf_device_t)
#
# Type for Dell (others?) freefall detection device /dev/freefall
#
type freefall_device_t;
dev_node(freefall_device_t)
#
# Type for GPIO chip /dev/gpiochip*
#
type gpiochip_device_t;
dev_node(gpiochip_device_t)
#
# Types for Hyper-V guest devices
#
type hyperv_kvp_device_t;
dev_node(hyperv_kvp_device_t)
type hyperv_vss_device_t;
dev_node(hyperv_vss_device_t)
#
# Type for /dev/iio:device* (Industrial IO)
#
type iio_device_t;
dev_node(iio_device_t)
#
# Type for /dev/infiniband/*
#
type infiniband_device_t;
dev_node(infiniband_device_t)
#
# Type for /dev/ipmi/0
#
type ipmi_device_t;
dev_node(ipmi_device_t)
#
# Type for /dev/kmsg
#
type kmsg_device_t;
dev_node(kmsg_device_t)
optional_policy(`
container_mountpoint(kmsg_device_t)
')
optional_policy(`
init_mountpoint(kmsg_device_t)
')
#
# ksm_device_t is the type of /dev/ksm
#
type ksm_device_t;
dev_node(ksm_device_t)
#
# kvm_device_t is the type of
# /dev/kvm
#
type kvm_device_t;
dev_node(kvm_device_t)
#
# Type for /dev/lirc
#
type lirc_device_t;
dev_node(lirc_device_t)
type loop_control_device_t;
dev_node(loop_control_device_t)
#
# Type for /dev/mapper/control
#
type lvm_control_t;
dev_node(lvm_control_t)
type mei_device_t;
dev_node(mei_device_t)
#
# memory_device_t is the type of /dev/kmem,
# /dev/mem and /dev/port.
#
type memory_device_t;
dev_node(memory_device_t)
neverallow ~{ memory_raw_read devices_unconfined_type } memory_device_t:{ chr_file blk_file } read;
neverallow ~{ memory_raw_write devices_unconfined_type } memory_device_t:{ chr_file blk_file } { append write };
type misc_device_t;
dev_node(misc_device_t)
#
# A general type for modem devices.
#
type modem_device_t;
dev_node(modem_device_t)
#
# A more general type for mouse devices.
#
type mouse_device_t;
dev_node(mouse_device_t)
#
# Serial Attached SCSI Management device
#
type mptctl_device_t;
dev_node(mptctl_device_t)
#
# Type for /dev/cpu/mtrr and /proc/mtrr
#
type mtrr_device_t;
dev_node(mtrr_device_t)
genfscon proc /mtrr gen_context(system_u:object_r:mtrr_device_t,s0)
optional_policy(`
init_mountpoint(mtrr_device_t)
')
#
# null_device_t is the type of /dev/null.
#
type null_device_t;
dev_node(null_device_t)
mls_trusted_object(null_device_t)
sid devnull gen_context(system_u:object_r:null_device_t,s0)
optional_policy(`
container_mountpoint(null_device_t)
')
#
# Type for /dev/nvram
#
type nvram_device_t;
dev_node(nvram_device_t)
#
# Type for /dev/pmu
#
type power_device_t;
dev_node(power_device_t)
#
# PM QoS Interface, /dev/cpu_dma_latency, network_latency,
# network_throughput, and memory_bandwidth
#
type pmqos_device_t alias netcontrol_device_t;
dev_node(pmqos_device_t)
type printer_device_t;
dev_node(printer_device_t)
mls_file_write_within_range(printer_device_t)
#
# qemu control devices
#
type qemu_device_t;
dev_node(qemu_device_t)
#
# random_device_t is the type of /dev/random
#
type random_device_t;
dev_node(random_device_t)
optional_policy(`
container_mountpoint(random_device_t)
')
type scanner_device_t;
dev_node(scanner_device_t)
#
# Type for smartcards
#
type smartcard_device_t;
dev_node(smartcard_device_t)
#
# Type for sound devices and mixers
#
type sound_device_t;
dev_node(sound_device_t)
#
# Type for sysdig device
#
type sysdig_device_t;
dev_node(sysdig_device_t)
#
# sysfs_t is the type for the /sys pseudofs
#
type sysfs_t, sysfs_types;
files_mountpoint(sysfs_t)
fs_xattr_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
#
# Types for trusted execution environment interface
#
type tee_device_t;
dev_node(tee_device_t)
type tee_priv_device_t;
dev_node(tee_priv_device_t)
#
# Type for /dev/tpm
#
type tpm_device_t;
dev_node(tpm_device_t)
#
# uhid_device_t is the type of /dev/uhid -
# User-space I/O driver support for HID subsystem
#
type uhid_device_t;
dev_node(uhid_device_t)
#
# urandom_device_t is the type of /dev/urandom
#
type urandom_device_t;
dev_node(urandom_device_t)
optional_policy(`
container_mountpoint(urandom_device_t)
')
#
# usbfs_t is the type for the /proc/bus/usb pseudofs
#
type usbfs_t;
files_mountpoint(usbfs_t)
fs_pseudo_type(usbfs_t)
genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
genfscon functionfs / gen_context(system_u:object_r:usbfs_t,s0)
genfscon gadgetfs / gen_context(system_u:object_r:usbfs_t,s0)
#
# usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+
#
type usb_device_t;
dev_node(usb_device_t)
optional_policy(`
container_mountpoint(usb_device_t)
')
#
# usb_device_t is the type for /dev/usbmon
#
type usbmon_device_t;
dev_node(usbmon_device_t)
#
# Type for /dev/userfaultfd
#
type userfaultfd_device_t;
dev_node(userfaultfd_device_t)
#
# userio_device_t is the type for /dev/uio[0-9]+
#
type userio_device_t;
dev_node(userio_device_t)
type vfio_device_t;
dev_node(vfio_device_t)
type v4l_device_t;
dev_node(v4l_device_t)
#
# vhost_device_t is the type for vhost devices like
# /dev/vhost-net and /dev/vhost-scsi
#
type vhost_device_t;
dev_node(vhost_device_t)
# Type for vmware devices.
type vmware_device_t;
dev_node(vmware_device_t)
#
# vsock_device_t is the type for /dev/vsock
#
type vsock_device_t;
dev_node(vsock_device_t)
type watchdog_device_t;
dev_node(watchdog_device_t)
#
# wireless control devices
#
type wireless_device_t;
dev_node(wireless_device_t)
type xen_device_t;
dev_node(xen_device_t)
type xserver_misc_device_t;
dev_node(xserver_misc_device_t)
#
# zero_device_t is the type of /dev/zero.
#
type zero_device_t;
dev_node(zero_device_t)
mls_trusted_object(zero_device_t)
optional_policy(`
container_mountpoint(zero_device_t)
')
########################################
#
# Rules for all device nodes
#
allow device_node device_t:filesystem associate;
fs_associate(device_node)
fs_associate_tmpfs(device_node)
files_associate_tmp(device_node)
########################################
#
# Unconfined access to this module
#
allow devices_unconfined_type self:capability sys_rawio;
allow devices_unconfined_type device_node:blk_file { execmod execute manage_blk_file_perms map mounton quotaon relabel_blk_file_perms watch watch_mount watch_reads watch_sb watch_with_perm };
allow devices_unconfined_type device_node:chr_file { execmod execute manage_chr_file_perms map mounton quotaon relabel_chr_file_perms watch watch_mount watch_reads watch_sb watch_with_perm };
allow devices_unconfined_type mtrr_device_t:file { entrypoint exec_file_perms execmod manage_file_perms mounton quotaon relabel_file_perms watch watch_mount watch_reads watch_sb watch_with_perm };
|
GitWeb