From: dominick.grift@gmail.com (Dominick Grift)
Date: Sat,  9 Nov 2013 10:44:50 +0100
Subject: [refpolicy] [PATCH 09/39] These are some of the device nodes
	created by kernel,
	and udev with the generic device_t type in debian.
In-Reply-To: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com>
References: <1383990320-3340-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <1383990320-3340-9-git-send-email-dominick.grift@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

These named file transitions make sure that these devices get created
with the proper types

This list is probably far from comprehensive because i only added the
ones i was able to confirm on my virtual machine

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 policy/modules/kernel/corenetwork.if.in |  25 ++++++
 policy/modules/kernel/devices.if        | 146 +++++++++++++++++++++++++++++++-
 policy/modules/kernel/kernel.te         |  42 +++++++++
 policy/modules/kernel/terminal.if       |  50 +++++++++++
 policy/modules/system/udev.te           |   4 +
 5 files changed, 266 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 07126bd..7158d4a 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -1993,6 +1993,31 @@ interface(`corenet_rw_tun_tap_dev',`
 
 ########################################
 ## <summary>
+##	Create TUN/TAP virtual network devices
+##	in /dev with the tun tap type
+##	via an automatic type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`corenet_dev_filetrans_tun_tap',`
+	gen_require(`
+		type tun_tap_device_t;
+	')
+
+	dev_filetrans($1, tun_tap_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read or write the TUN/TAP
 ##	virtual network device.
 ## </summary>
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285e..147170a 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1803,7 +1803,7 @@ interface(`dev_rw_crypto',`
 #
 interface(`dev_setattr_dlm_control',`
 	gen_require(`
-	type device_t, kvm_device_t;
+	type device_t, dlm_control_device_t;
 	')
 
 	setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
@@ -2017,6 +2017,30 @@ interface(`dev_rw_input_dev',`
 
 ########################################
 ## <summary>
+##	Automatic type transition to the type
+##	for input device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_input',`
+	gen_require(`
+		type device_t, event_device_t;
+	')
+
+	filetrans_pattern($1, device_t, event_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the framebuffer device node.
 ## </summary>
 ## <param name="domain">
@@ -2340,6 +2364,30 @@ interface(`dev_rw_kvm',`
 	rw_chr_files_pattern($1, device_t, kvm_device_t)
 ')
 
+########################################
+## <summary>
+##	Automatic type transition to the type
+##	for kvm device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_kvm',`
+	gen_require(`
+		type device_t, kvm_device_t;
+	')
+
+	filetrans_pattern($1, device_t, kvm_device_t, chr_file, $2)
+')
+
 ######################################
 ## <summary>
 ##	Read the lirc device.
@@ -2883,6 +2931,30 @@ interface(`dev_rw_mouse',`
 
 ########################################
 ## <summary>
+##	Automatic type transition to the type
+##	for mouse device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_mouse',`
+	gen_require(`
+		type device_t, mouse_device_t;
+	')
+
+	filetrans_pattern($1, device_t, mouse_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the memory type range
 ##	registers (MTRR) device.
 ## </summary>
@@ -3691,6 +3763,30 @@ interface(`dev_write_sound_mixer',`
 
 ########################################
 ## <summary>
+##	Automatic type transition to the type
+##	for sound mixer device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_sound_mixer',`
+	gen_require(`
+		type device_t, sound_device_t;
+	')
+
+	filetrans_pattern($1, device_t, sound_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the the power management device.
 ## </summary>
 ## <param name="domain">
@@ -4203,6 +4299,30 @@ interface(`dev_relabel_generic_usb_dev',`
 
 ########################################
 ## <summary>
+##	Automatic type transition to the type
+##	for usb device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_usb',`
+	gen_require(`
+		type device_t, usb_device_t;
+	')
+
+	filetrans_pattern($1, device_t, usb_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
 ##	Read USB monitor devices.
 ## </summary>
 ## <param name="domain">
@@ -4648,6 +4768,30 @@ interface(`dev_rw_wireless',`
 
 ########################################
 ## <summary>
+##	Automatic type transition to the type
+##	for wireless device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`dev_filetrans_wireless',`
+	gen_require(`
+		type device_t, wireless_device_t;
+	')
+
+	filetrans_pattern($1, device_t, wireless_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
 ##	Read and write Xen devices.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8dbab4c..dd1e7e7 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -285,6 +285,48 @@ mls_process_write_down(kernel_t)
 mls_file_write_all_levels(kernel_t)
 mls_file_read_all_levels(kernel_t)
 
+ifdef(`distro_debian',`
+	dev_filetrans_input(kernel_t, "event0")
+	dev_filetrans_input(kernel_t, "event1")
+	dev_filetrans_input(kernel_t, "event2")
+	dev_filetrans_input(kernel_t, "event3")
+	dev_filetrans_input(kernel_t, "event4")
+	dev_filetrans_input(kernel_t, "event5")
+	dev_filetrans_kvm(kernel_t, "kvm")
+	dev_filetrans_mouse(kernel_t, "js0")
+	dev_filetrans_mouse(kernel_t, "js1")
+	dev_filetrans_mouse(kernel_t, "mouse0")
+	dev_filetrans_mouse(kernel_t, "mouse1")
+	dev_filetrans_mouse(kernel_t, "mouse2")
+	dev_filetrans_sound_mixer(kernel_t, "controlC0")
+	dev_filetrans_sound_mixer(kernel_t, "hwC0D0")
+	dev_filetrans_sound_mixer(kernel_t, "pcmC0D0c")
+	dev_filetrans_sound_mixer(kernel_t, "pcmC0D0p")
+	dev_filetrans_usb(kernel_t, "001")
+	dev_filetrans_usb(kernel_t, "002")
+	dev_filetrans_wireless(kernel_t, "rfkill")
+
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcs")
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcs1")
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcs2")
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcs3")
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcs4")
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcs5")
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcs6")
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcs7")
+
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa")
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa1")
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa2")
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa3")
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa4")
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa5")
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa6")
+	term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa7")
+
+	term_dev_filetrans_virtio_console(kernel_t, "vport1p1")
+')
+
 ifdef(`distro_redhat',`
 	# Bugzilla 222337
 	fs_rw_tmpfs_chr_files(kernel_t)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index cbb729b..c08b093 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1245,6 +1245,31 @@ interface(`term_use_unallocated_ttys',`
 
 ########################################
 ## <summary>
+##	Create unallocated tty devices in /dev
+##	with the unallocated tty type
+##	via an automatic type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`term_dev_filetrans_unallocated_ttys',`
+	gen_require(`
+		type tty_device_t;
+	')
+
+	dev_filetrans($1, tty_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read or
 ##	write unallocated ttys.
 ## </summary>
@@ -1531,3 +1556,28 @@ interface(`term_use_virtio_console',`
 	dev_list_all_dev_nodes($1)
 	allow $1 virtio_device_t:chr_file rw_term_perms;
 ')
+
+########################################
+## <summary>
+##	Create virtio console devices in /dev
+##	with the virtio console type
+##	via an automatic type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`term_dev_filetrans_virtio_console',`
+	gen_require(`
+		type virtio_device_t;
+	')
+
+	dev_filetrans($1, virtio_device_t, chr_file, $2)
+')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 183e45d..47bfc33 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -174,8 +174,12 @@ sysnet_etc_filetrans_config(udev_t)
 userdom_dontaudit_search_user_home_content(udev_t)
 
 ifdef(`distro_debian',`
+	corenet_dev_filetrans_tun_tap(udev_t, "tun")
+
 	files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
 
+	storage_dev_filetrans_fixed_disk(udev_t, "loop0")
+
 	optional_policy(`
 		# for /usr/lib/avahi/avahi-daemon-check-dns.sh
 		kernel_read_vm_sysctls(udev_t)
-- 
1.8.3.1