From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 6 Sep 2017 11:05:00 -0400
Subject: [refpolicy] [PATCH 1/1] Separate read and write interface for
 tun_tap_device_t
In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B4C192@Exchange10.columbia.tresys.com>
References: <1B50C12ACFF4CB42B90D2581155DF50205B4C192@Exchange10.columbia.tresys.com>
Message-ID: <b8fd13e7-7a1e-875f-9f70-d2299fae67e6@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/05/2017 10:17 AM, David Sugar via refpolicy wrote:
> The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access).  It is possible to open a tap device for only reading or only writing and this allows policy to match that use.
> 
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/kernel/corenetwork.if.in | 38 +++++++++++++++++++++++++++++++++
>   1 file changed, 38 insertions(+)
> 
> diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
> index cc205287..58c010fc 100644
> --- a/policy/modules/kernel/corenetwork.if.in
> +++ b/policy/modules/kernel/corenetwork.if.in
> @@ -2028,6 +2028,44 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
>   
>   ########################################
>   ## <summary>
> +##	Read the TUN/TAP virtual network device.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The domain read allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_read_tun_tap_dev',`
> +	gen_require(`
> +		type tun_tap_device_t;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 tun_tap_device_t:chr_file read_chr_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Write the TUN/TAP virtual network device.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The domain allowed write access.
> +##	</summary>
> +## </param>
> +#
> +interface(`corenet_write_tun_tap_dev',`
> +	gen_require(`
> +		type tun_tap_device_t;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 tun_tap_device_t:chr_file write_chr_file_perms;
> +')
> +
> +########################################
> +## <summary>
>   ##	Read and write the TUN/TAP virtual network device.
>   ## </summary>
>   ## <param name="domain">

Merged.

-- 
Chris PeBenito