From: dsugar@tresys.com (David Sugar) Date: Tue, 5 Sep 2017 14:17:50 +0000 Subject: [refpolicy] [PATCH 1/1] Separate read and write interface for tun_tap_device_t Message-ID: <1B50C12ACFF4CB42B90D2581155DF50205B4C192@Exchange10.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access). It is possible to open a tap device for only reading or only writing and this allows policy to match that use. Signed-off-by: Dave Sugar --- policy/modules/kernel/corenetwork.if.in | 38 +++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index cc205287..58c010fc 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -2028,6 +2028,44 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` ######################################## ## +## Read the TUN/TAP virtual network device. +## +## +## +## The domain read allowed access. +## +## +# +interface(`corenet_read_tun_tap_dev',` + gen_require(` + type tun_tap_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tun_tap_device_t:chr_file read_chr_file_perms; +') + +######################################## +## +## Write the TUN/TAP virtual network device. +## +## +## +## The domain allowed write access. +## +## +# +interface(`corenet_write_tun_tap_dev',` + gen_require(` + type tun_tap_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tun_tap_device_t:chr_file write_chr_file_perms; +') + +######################################## +## ## Read and write the TUN/TAP virtual network device. ## ## -- 2.13.5
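Review bot: the parameter description in the `corenet_read_tun_tap_dev` doc comment reads "The domain read allowed access."; reorder it to "The domain allowed read access." so it parallels the "The domain allowed write access." wording of `corenet_write_tun_tap_dev` and reads correctly in the generated interface documentation. Otherwise the two interfaces are a clean split: each keeps the `dev_list_all_dev_nodes($1)` needed to reach the node and grants only the directional `chr_file` permission set (`read_chr_file_perms` or `write_chr_file_perms`), which matches the commit message's goal of letting policy grant one direction instead of both.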