From: dsugar@tresys.com (David Sugar)
Date: Tue, 5 Sep 2017 14:17:50 +0000
Subject: [refpolicy] [PATCH 1/1] Separate read and write interface for
	tun_tap_device_t
Message-ID: <1B50C12ACFF4CB42B90D2581155DF50205B4C192@Exchange10.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access).  It is possible to open a tap device for only reading or only writing and this allows policy to match that use.


Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/kernel/corenetwork.if.in | 38 +++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index cc205287..58c010fc 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -2028,6 +2028,44 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
 
 ########################################
 ## <summary>
+##	Read the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain read allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_read_tun_tap_dev',`
+	gen_require(`
+		type tun_tap_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tun_tap_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+##	Write the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain allowed write access.
+##	</summary>
+## </param>
+#
+interface(`corenet_write_tun_tap_dev',`
+	gen_require(`
+		type tun_tap_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 tun_tap_device_t:chr_file write_chr_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write the TUN/TAP virtual network device.
 ## </summary>
 ## <param name="domain">
-- 
2.13.5