From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Setup attribute for fixed_disk_device and removable_device
Date: Tue, 5 Mar 2019 22:34:37 +0000
Message-ID: <20190305223402.19263-1-dsugar@tresys.com>

I am having trouble with some denials due to the fact that I am setting up specific private types for media attached to my system. This changes to use an attribute for media and interfaces to add types to the newly created attribute.

I'm seeing denials from lvm_t, which this helps to resolve.

If the names of the new attributes are not OK, please suggest others. I will update as needed.

Signed-off-by: Dave Sugar
---
 policy/modules/kernel/storage.if | 139 +++++++++++++++++++------------ policy/modules/kernel/storage.te | 11 ++- 2 files changed, 96 insertions(+), 54 deletions(-)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/stora= ge.if index 0292eee4..c8d9bfcc 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if
@@ -13,11 +13,11 @@ # interface(`storage_getattr_fixed_disk_dev',` gen_require(` - type fixed_disk_device_t; + attribute fixed_disk_device; ') =20 dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file getattr; + allow $1 fixed_disk_device:blk_file getattr; ') =20 ######################################## @@ -33,11 +33,11 @@ interface(`storage_getattr_fixed_disk_dev',` # interface(`storage_dontaudit_getattr_fixed_disk_dev',` gen_require(` - type fixed_disk_device_t; + attribute fixed_disk_device; ') =20 - dontaudit $1 fixed_disk_device_t:blk_file getattr; - dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl + dontaudit $1 fixed_disk_device:blk_file getattr; + dontaudit $1 fixed_disk_device:chr_file getattr; # /dev/rawctl ') =20 ######################################## @@ -53,11 +53,11 @@ interface(`storage_dontaudit_getattr_fixed_disk_dev',` # interface(`storage_setattr_fixed_disk_dev',` gen_require(` - type fixed_disk_device_t; + attribute fixed_disk_device; ') =20 dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file setattr; + allow $1 fixed_disk_device:blk_file setattr; ') =20 ######################################## @@ -73,10 +73,10 @@ interface(`storage_setattr_fixed_disk_dev',` # interface(`storage_dontaudit_setattr_fixed_disk_dev',` gen_require(` - type fixed_disk_device_t; + attribute fixed_disk_device; ') =20 - dontaudit $1 fixed_disk_device_t:blk_file setattr; + dontaudit $1 fixed_disk_device:blk_file setattr; ') =20 ######################################## 
@@ -95,12 +95,12 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',` interface(`storage_raw_read_fixed_disk',` gen_require(` attribute fixed_disk_raw_read; - type fixed_disk_device_t; + attribute fixed_disk_device; ') =20 dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; - allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; + allow $1 fixed_disk_device:blk_file read_blk_file_perms; + allow $1 fixed_disk_device:chr_file read_chr_file_perms; typeattribute $1 fixed_disk_raw_read; ') =20 @@ -117,12 +117,12 @@ interface(`storage_raw_read_fixed_disk',` # interface(`storage_dontaudit_read_fixed_disk',` gen_require(` - type fixed_disk_device_t; + attribute fixed_disk_device; =20 ') =20 - dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms; - dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms; + dontaudit $1 fixed_disk_device:blk_file read_blk_file_perms; + dontaudit $1 fixed_disk_device:chr_file read_chr_file_perms; ') =20 ######################################## @@ -141,12 +141,12 @@ interface(`storage_dontaudit_read_fixed_disk',` interface(`storage_raw_write_fixed_disk',` gen_require(` attribute fixed_disk_raw_write; - type fixed_disk_device_t; + attribute fixed_disk_device; ') =20 dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file write_blk_file_perms; - allow $1 fixed_disk_device_t:chr_file write_chr_file_perms; + allow $1 fixed_disk_device:blk_file write_blk_file_perms; + allow $1 fixed_disk_device:chr_file write_chr_file_perms; typeattribute $1 fixed_disk_raw_write; ') =20 @@ -163,11 +163,11 @@ interface(`storage_raw_write_fixed_disk',` # interface(`storage_dontaudit_write_fixed_disk',` gen_require(` - type fixed_disk_device_t; + attribute fixed_disk_device; =20 ') =20 - dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms; + dontaudit $1 fixed_disk_device:blk_file write_blk_file_perms; ') =20 ######################################## 
@@ -200,11 +200,11 @@ interface(`storage_raw_rw_fixed_disk',` # interface(`storage_create_fixed_disk_dev',` gen_require(` - type fixed_disk_device_t; + attribute fixed_disk_device; ') =20 allow $1 self:capability mknod; - allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; + allow $1 fixed_disk_device:blk_file create_blk_file_perms; dev_add_entry_generic_dirs($1) ') =20 @@ -220,10 +220,10 @@ interface(`storage_create_fixed_disk_dev',` # interface(`storage_delete_fixed_disk_dev',` gen_require(` - type fixed_disk_device_t; + attribute fixed_disk_device; ') =20 - allow $1 fixed_disk_device_t:blk_file delete_blk_file_perms; + allow $1 fixed_disk_device:blk_file delete_blk_file_perms; dev_remove_entry_generic_dirs($1) ') =20 @@ -240,13 +240,13 @@ interface(`storage_delete_fixed_disk_dev',` interface(`storage_manage_fixed_disk',` gen_require(` attribute fixed_disk_raw_read, fixed_disk_raw_write; - type fixed_disk_device_t; + attribute fixed_disk_device; ') =20 dev_list_all_dev_nodes($1) allow $1 self:capability mknod; - allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms; - allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms; + allow $1 fixed_disk_device:blk_file manage_blk_file_perms; + allow $1 fixed_disk_device:chr_file manage_chr_file_perms; typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; ') =20 @@ -305,11 +305,11 @@ interface(`storage_tmpfs_filetrans_fixed_disk',` # interface(`storage_relabel_fixed_disk',` gen_require(` - type fixed_disk_device_t; + attribute fixed_disk_device; ') =20 dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms; + allow $1 fixed_disk_device:blk_file relabel_blk_file_perms; ') =20 ######################################## 
@@ -324,11 +324,11 @@ interface(`storage_relabel_fixed_disk',` # interface(`storage_swapon_fixed_disk',` gen_require(` - type fixed_disk_device_t; + attribute fixed_disk_device; ') =20 dev_list_all_dev_nodes($1) - allow $1 fixed_disk_device_t:blk_file { getattr swapon }; + allow $1 fixed_disk_device:blk_file { getattr swapon }; ') =20 ######################################## @@ -530,11 +530,11 @@ interface(`storage_dontaudit_rw_scsi_generic',` # interface(`storage_getattr_removable_dev',` gen_require(` - type removable_device_t; + attribute removable_device; ') =20 dev_list_all_dev_nodes($1) - allow $1 removable_device_t:blk_file getattr; + allow $1 removable_device:blk_file getattr; ') =20 ######################################## @@ -550,10 +550,10 @@ interface(`storage_getattr_removable_dev',` # interface(`storage_dontaudit_getattr_removable_dev',` gen_require(` - type removable_device_t; + attribute removable_device; ') =20 - dontaudit $1 removable_device_t:blk_file getattr; + dontaudit $1 removable_device:blk_file getattr; ') =20 ######################################## @@ -569,11 +569,11 @@ interface(`storage_dontaudit_getattr_removable_dev',` # interface(`storage_dontaudit_read_removable_device',` gen_require(` - type removable_device_t; + attribute removable_device; =20 ') =20 - dontaudit $1 removable_device_t:blk_file read_blk_file_perms; + dontaudit $1 removable_device:blk_file read_blk_file_perms; ') =20 ######################################## @@ -589,10 +589,10 @@ interface(`storage_dontaudit_read_removable_device',` # interface(`storage_dontaudit_write_removable_device',` gen_require(` - type removable_device_t; + attribute removable_device; ') =20 - dontaudit $1 removable_device_t:blk_file write_blk_file_perms; + dontaudit $1 removable_device:blk_file write_blk_file_perms; ') =20 ######################################## 
@@ -608,11 +608,11 @@ interface(`storage_dontaudit_write_removable_device',= ` # interface(`storage_setattr_removable_dev',` gen_require(` - type removable_device_t; + attribute removable_device; ') =20 dev_list_all_dev_nodes($1) - allow $1 removable_device_t:blk_file setattr; + allow $1 removable_device:blk_file setattr; ') =20 ######################################## @@ -628,10 +628,10 @@ interface(`storage_setattr_removable_dev',` # interface(`storage_dontaudit_setattr_removable_dev',` gen_require(` - type removable_device_t; + attribute removable_device; ') =20 - dontaudit $1 removable_device_t:blk_file setattr; + dontaudit $1 removable_device:blk_file setattr; ') =20 ######################################## @@ -650,11 +650,11 @@ interface(`storage_dontaudit_setattr_removable_dev',` # interface(`storage_raw_read_removable_device',` gen_require(` - type removable_device_t; + attribute removable_device; ') =20 dev_list_all_dev_nodes($1) - allow $1 removable_device_t:blk_file read_blk_file_perms; + allow $1 removable_device:blk_file read_blk_file_perms; ') =20 ######################################## @@ -669,10 +669,10 @@ interface(`storage_raw_read_removable_device',` # interface(`storage_dontaudit_raw_read_removable_device',` gen_require(` - type removable_device_t; + attribute removable_device; ') =20 - dontaudit $1 removable_device_t:blk_file read_blk_file_perms; + dontaudit $1 removable_device:blk_file read_blk_file_perms; ') =20 ######################################## @@ -691,11 +691,11 @@ interface(`storage_dontaudit_raw_read_removable_devic= e',` # interface(`storage_raw_write_removable_device',` gen_require(` - type removable_device_t; + attribute removable_device; ') =20 dev_list_all_dev_nodes($1) - allow $1 removable_device_t:blk_file write_blk_file_perms; + allow $1 removable_device:blk_file write_blk_file_perms; ') =20 ######################################## 
@@ -710,10 +710,10 @@ interface(`storage_raw_write_removable_device',` # interface(`storage_dontaudit_raw_write_removable_device',` gen_require(` - type removable_device_t; + attribute removable_device; ') =20 - dontaudit $1 removable_device_t:blk_file write_blk_file_perms; + dontaudit $1 removable_device:blk_file write_blk_file_perms; ') =20 ######################################## @@ -813,3 +813,40 @@ interface(`storage_unconfined',` =20 typeattribute $1 storage_unconfined_type; ') + +######################################## +## +## Mark a type as a removable device type. +## +## +## +## Type to associate. +## +## +# +interface(`storage_removable_device_type',` + gen_require(` + attribute removable_device; + ') + + typeattribute $1 removable_device; +') + +######################################## +## +## Mark a type as a fixed disk device type. +## +## +## +## Type to associate +## +## +# +interface(`storage_fixed_disk_device_type',` + gen_require(` + attribute fixed_disk_device; + ') + + typeattribute $1 fixed_disk_device; +') + diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/stora= ge.te index c10290c0..7a358290 100644 --- a/policy/modules/kernel/storage.te +++ b/policy/modules/kernel/storage.te 
@@ -11,15 +11,19 @@ attribute scsi_generic_read; attribute scsi_generic_write; attribute storage_unconfined_type; =20 +attribute removable_device; +attribute fixed_disk_device; + # # fixed_disk_device_t is the type of # /dev/hd* and /dev/sd*. # type fixed_disk_device_t; dev_node(fixed_disk_device_t) +storage_fixed_disk_device_type(fixed_disk_device_t) =20 -neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_dev= ice_t:{ chr_file blk_file } read; -neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_de= vice_t:{ chr_file blk_file } { append write }; +neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_dev= ice:{ chr_file blk_file } read; +neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_de= vice:{ chr_file blk_file } { append write }; =20 # # fuse_device_t is the type of /dev/fuse @@ -43,6 +47,7 @@ neverallow ~{ scsi_generic_write storage_unconfined_type = } scsi_generic_device_t # type removable_device_t; dev_node(removable_device_t) +storage_removable_device_type(removable_device_t) =20 # # tape_device_t is the type of @@ -55,5 +60,5 @@ dev_node(tape_device_t) # Unconfined access to this module # =20 -allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:b= lk_file { manage_blk_file_perms relabelfrom relabelto map execute swapon qu= otaon mounton audit_access execmod }; +allow storage_unconfined_type { fixed_disk_device removable_device }:blk_f= ile { manage_blk_file_perms relabelfrom relabelto map execute swapon quotao= n mounton audit_access execmod }; allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_= file { manage_chr_file_perms relabelfrom relabelto map execute swapon quota= on mounton execute_no_trans entrypoint execmod audit_access }; --=20 2.20.1
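Review bot: the neverallow changes in the storage.te hunk at @@ -11,15 are the part that deserves a sentence in the commit message and in the documentation of storage_fixed_disk_device_type(), because they change what callers of the new interface sign up for: any private type added through it becomes subject to `neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device:{ chr_file blk_file } read;` and the matching write rule, so a module that grants read or write on such a type directly, instead of through storage_raw_read_fixed_disk()/storage_raw_write_fixed_disk() (which also add the fixed_disk_raw_read/fixed_disk_raw_write attributes), will fail the neverallow check at policy build time. That is the desired property, and it is the reason the attribute belongs in the neverallow rather than only in the allow rules, but the message currently mentions only the lvm_t denials and not this new constraint on callers.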
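Review bot: the last storage.if hunk (@@ -813,3) adds a blank line after the closing `')` of storage_fixed_disk_device_type, so the file now ends with an empty line; drop that trailing `+` line. In the same hunk, the descriptions of the two new interfaces should say that they only add $1 to the attribute and do not call dev_node($1): storage.te still calls dev_node(fixed_disk_device_t) and dev_node(removable_device_t) separately before storage_fixed_disk_device_type(fixed_disk_device_t) and storage_removable_device_type(removable_device_t), and callers with private media types need to do the same. The two parameter descriptions are also inconsistent ("Type to associate." with a period, "Type to associate" without); pick one.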
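Review bot: the hunks at @@ -117,12, @@ -163,11 and @@ -569,11 each rewrite a gen_require block that still carries a stray empty line between the new `attribute ...;` line and the closing `')`; since those lines are being touched anyway, the empty line could be dropped so the blocks match the other gen_require blocks in the file.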