From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from zombie.ncsc.mil (zombie.ncsc.mil [144.51.88.131]) by tycho.ncsc.mil (8.12.8/8.12.8) with ESMTP id i7NLVErT021564 for ; Mon, 23 Aug 2004 17:31:14 -0400 (EDT) Received: from open.hands.com (jazzdrum.ncsc.mil [144.51.5.7]) by zombie.ncsc.mil (8.12.10/8.12.10) with ESMTP id i7NLVCwb013429 for ; Mon, 23 Aug 2004 21:31:12 GMT Received: from localhost (localhost [127.0.0.1]) by open.hands.com (Postfix) with ESMTP id B660ABF8A for ; Mon, 23 Aug 2004 22:31:12 +0100 (BST) Received: from open.hands.com ([127.0.0.1]) by localhost (open [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 29836-01-3 for ; Mon, 23 Aug 2004 22:31:09 +0100 (BST) Received: from lkcl.net (host81-152-10-162.range81-152.btcentralplus.com [81.152.10.162]) by open.hands.com (Postfix) with ESMTP id C5641BF88 for ; Mon, 23 Aug 2004 22:31:08 +0100 (BST) Received: from lkcl by lkcl.net with local (Exim 4.24) id 1BzMaC-0003Yu-By for selinux@tycho.nsa.gov; Mon, 23 Aug 2004 22:42:28 +0100 Date: Mon, 23 Aug 2004 22:42:28 +0100 From: Luke Kenneth Casson Leighton To: SE-Linux Subject: policy patch for tunable "/dev/hdc is removable drive" Message-ID: <20040823214228.GA13677@lkcl.net> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="EeQfGwPcQSOJBaQU" Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov --EeQfGwPcQSOJBaQU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline after russell's excellent suggestion of making /dev/hdc a removable_device_t because i happened to have an IDE CD-RW, i decided to add this as a tunable because i sure don't want to keep on merging / patching stuff and i am sure that not everyone has an IDE CD-RW on their second primary ide interface. l. -- -- Truth, honesty and respect are rare commodities that all spring from the same well: Love. If you love yourself and everyone and everything around you, funnily and coincidentally enough, life gets a lot better. -- lkcl.net
lkcl@lkcl.net
--EeQfGwPcQSOJBaQU Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=rmdrive diff -Naur --- default.1.14/file_contexts/types.fc 2004-08-02 08:28:37.000000000 +0100 +++ current/file_contexts/types.fc 2004-08-23 10:35:18.000000000 +0100 
@@ -112,109 +117,111 @@ # # /dev # -/u?dev(/.*)? system_u:object_r:device_t -/u?dev/pts(/.*)? <> -/u?dev/cpu/.* -c system_u:object_r:cpu_device_t -/u?dev/microcode -c system_u:object_r:cpu_device_t -/u?dev/MAKEDEV -- system_u:object_r:sbin_t -/u?dev/null -c system_u:object_r:null_device_t -/u?dev/full -c system_u:object_r:null_device_t -/u?dev/zero -c system_u:object_r:zero_device_t -/u?dev/console -c system_u:object_r:console_device_t -/u?dev/(kmem|mem|port) -c system_u:object_r:memory_device_t -/u?dev/nvram -c system_u:object_r:memory_device_t -/u?dev/random -c system_u:object_r:random_device_t -/u?dev/urandom -c system_u:object_r:urandom_device_t -/u?dev/.*tty[^/]* -c system_u:object_r:tty_device_t -/u?dev/cu.* -c system_u:object_r:tty_device_t -/u?dev/vcs[^/]* -c system_u:object_r:tty_device_t -/u?dev/ip2[^/]* -c system_u:object_r:tty_device_t -/u?dev/tty -c system_u:object_r:devtty_t -/u?dev/[shmx]d[^/]* -b system_u:object_r:fixed_disk_device_t -/u?dev/sg[0-9]+ -c system_u:object_r:scsi_generic_device_t -/u?dev/rd.* -b system_u:object_r:fixed_disk_device_t -/u?dev/i2o/hd[^/]* -b system_u:object_r:fixed_disk_device_t -/u?dev/ubd[^/]* -b system_u:object_r:fixed_disk_device_t -/u?dev/cciss/[^/]* -b system_u:object_r:fixed_disk_device_t -/u?dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t -/u?dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t -/u?dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t -/u?dev/nb[^/]+ -b system_u:object_r:fixed_disk_device_t -/u?dev/ataraid/.* -b system_u:object_r:fixed_disk_device_t -/u?dev/loop.* -b system_u:object_r:fixed_disk_device_t -/u?dev/net/.* -c system_u:object_r:tun_tap_device_t -/u?dev/ram.* -b system_u:object_r:fixed_disk_device_t -/u?dev/rawctl -c system_u:object_r:fixed_disk_device_t -/u?dev/raw/raw[0-9]+ -c system_u:object_r:fixed_disk_device_t -/u?dev/initrd -b system_u:object_r:fixed_disk_device_t -/u?dev/jsfd -b system_u:object_r:fixed_disk_device_t -/u?dev/s(cd|r)[^/]* -b 
system_u:object_r:removable_device_t -/u?dev/usb/rio500 -c system_u:object_r:removable_device_t -/u?dev/fd[^/]+ -b system_u:object_r:removable_device_t +/.?u?dev(/.*)? system_u:object_r:device_t +/.?u?dev/pts(/.*)? <> +/.?u?dev/cpu/.* -c system_u:object_r:cpu_device_t +/.?u?dev/microcode -c system_u:object_r:cpu_device_t +/.?u?dev/MAKEDEV -- system_u:object_r:sbin_t +/.?u?dev/null -c system_u:object_r:null_device_t +/.?u?dev/full -c system_u:object_r:null_device_t +/.?u?dev/zero -c system_u:object_r:zero_device_t +/.?u?dev/console -c system_u:object_r:console_device_t +/.?u?dev/(kmem|mem|port) -c system_u:object_r:memory_device_t +/.?u?dev/nvram -c system_u:object_r:memory_device_t +/.?u?dev/random -c system_u:object_r:random_device_t +/.?u?dev/urandom -c system_u:object_r:urandom_device_t +/.?u?dev/.*tty[^/]* -c system_u:object_r:tty_device_t +/.?u?dev/cu.* -c system_u:object_r:tty_device_t +/.?u?dev/vcs[^/]* -c system_u:object_r:tty_device_t +/.?u?dev/ip2[^/]* -c system_u:object_r:tty_device_t +/.?u?dev/tty -c system_u:object_r:devtty_t +/.?u?dev/hdc -b system_u:object_r:tunably_defined_disk_t +/.?u?dev/[h]d[^/^c]* -b system_u:object_r:fixed_disk_device_t +/.?u?dev/[smx]d[^/]* -b system_u:object_r:fixed_disk_device_t +/.?u?dev/sg[0-9]+ -c system_u:object_r:scsi_generic_device_t +/.?u?dev/rd.* -b system_u:object_r:fixed_disk_device_t +/.?u?dev/i2o/hd[^/]* -b system_u:object_r:fixed_disk_device_t +/.?u?dev/ubd[^/]* -b system_u:object_r:fixed_disk_device_t +/.?u?dev/cciss/[^/]* -b system_u:object_r:fixed_disk_device_t +/.?u?dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t +/.?u?dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t +/.?u?dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t +/.?u?dev/nb[^/]+ -b system_u:object_r:fixed_disk_device_t +/.?u?dev/ataraid/.* -b system_u:object_r:fixed_disk_device_t +/.?u?dev/loop.* -b system_u:object_r:fixed_disk_device_t +/.?u?dev/net/.* -c system_u:object_r:tun_tap_device_t +/.?u?dev/ram.* -b 
system_u:object_r:fixed_disk_device_t +/.?u?dev/rawctl -c system_u:object_r:fixed_disk_device_t +/.?u?dev/raw/raw[0-9]+ -c system_u:object_r:fixed_disk_device_t +/.?u?dev/initrd -b system_u:object_r:fixed_disk_device_t +/.?u?dev/jsfd -b system_u:object_r:fixed_disk_device_t +/.?u?dev/s(cd|r)[^/]* -b system_u:object_r:removable_device_t +/.?u?dev/usb/rio500 -c system_u:object_r:removable_device_t +/.?u?dev/fd[^/]+ -b system_u:object_r:removable_device_t # I think a parallel port disk is a removable device... -/u?dev/pd[a-d][^/]* -b system_u:object_r:removable_device_t -/u?dev/p[fg][0-3] -b system_u:object_r:removable_device_t -/u?dev/aztcd -b system_u:object_r:removable_device_t -/u?dev/bpcd -b system_u:object_r:removable_device_t -/u?dev/gscd -b system_u:object_r:removable_device_t -/u?dev/hitcd -b system_u:object_r:removable_device_t -/u?dev/pcd[0-3] -b system_u:object_r:removable_device_t -/u?dev/mcdx? -b system_u:object_r:removable_device_t -/u?dev/cdu.* -b system_u:object_r:removable_device_t -/u?dev/cm20.* -b system_u:object_r:removable_device_t -/u?dev/optcd -b system_u:object_r:removable_device_t -/u?dev/sbpcd.* -b system_u:object_r:removable_device_t -/u?dev/sjcd -b system_u:object_r:removable_device_t -/u?dev/sonycd -b system_u:object_r:removable_device_t +/.?u?dev/pd[a-d][^/]* -b system_u:object_r:removable_device_t +/.?u?dev/p[fg][0-3] -b system_u:object_r:removable_device_t +/.?u?dev/aztcd -b system_u:object_r:removable_device_t +/.?u?dev/bpcd -b system_u:object_r:removable_device_t +/.?u?dev/gscd -b system_u:object_r:removable_device_t +/.?u?dev/hitcd -b system_u:object_r:removable_device_t +/.?u?dev/pcd[0-3] -b system_u:object_r:removable_device_t +/.?u?dev/mcdx? 
-b system_u:object_r:removable_device_t +/.?u?dev/cdu.* -b system_u:object_r:removable_device_t +/.?u?dev/cm20.* -b system_u:object_r:removable_device_t +/.?u?dev/optcd -b system_u:object_r:removable_device_t +/.?u?dev/sbpcd.* -b system_u:object_r:removable_device_t +/.?u?dev/sjcd -b system_u:object_r:removable_device_t +/.?u?dev/sonycd -b system_u:object_r:removable_device_t # parallel port ATAPI generic device -/u?dev/pg[0-3] -c system_u:object_r:removable_device_t -/u?dev/rtc -c system_u:object_r:clock_device_t -/u?dev/psaux -c system_u:object_r:mouse_device_t -/u?dev/atibm -c system_u:object_r:mouse_device_t -/u?dev/logibm -c system_u:object_r:mouse_device_t -/u?dev/.*mouse.* -c system_u:object_r:mouse_device_t -/u?dev/input/.*mouse.* -c system_u:object_r:mouse_device_t -/u?dev/input/event.* -c system_u:object_r:event_device_t -/u?dev/input/mice -c system_u:object_r:mouse_device_t -/u?dev/input/js.* -c system_u:object_r:mouse_device_t -/u?dev/js.* -c system_u:object_r:mouse_device_t -/u?dev/jsflash -c system_u:object_r:fixed_disk_device_t -/u?dev/ptmx -c system_u:object_r:ptmx_t -/u?dev/sequencer -c system_u:object_r:misc_device_t -/u?dev/fb[0-9]* -c system_u:object_r:framebuf_device_t -/u?dev/apm_bios -c system_u:object_r:apm_bios_t -/u?dev/cpu/mtrr -c system_u:object_r:mtrr_device_t -/u?dev/(radio|video|vbi|vtx).* -c system_u:object_r:v4l_device_t -/u?dev/winradio. 
-c system_u:object_r:v4l_device_t -/u?dev/vttuner -c system_u:object_r:v4l_device_t -/u?dev/tlk[0-3] -c system_u:object_r:v4l_device_t -/u?dev/mixer.* -c system_u:object_r:sound_device_t -/u?dev/dsp.* -c system_u:object_r:sound_device_t -/u?dev/audio.* -c system_u:object_r:sound_device_t -/u?dev/r?midi.* -c system_u:object_r:sound_device_t -/u?dev/smpte.* -c system_u:object_r:sound_device_t -/u?dev/sndstat -c system_u:object_r:sound_device_t -/u?dev/beep -c system_u:object_r:sound_device_t -/u?dev/patmgr[01] -c system_u:object_r:sound_device_t -/u?dev/mpu401.* -c system_u:object_r:sound_device_t -/u?dev/srnd[0-7] -c system_u:object_r:sound_device_t -/u?dev/aload.* -c system_u:object_r:sound_device_t -/u?dev/amidi.* -c system_u:object_r:sound_device_t -/u?dev/amixer.* -c system_u:object_r:sound_device_t -/u?dev/snd/.* -c system_u:object_r:sound_device_t -/u?dev/n?[hs]t[0-9].* -c system_u:object_r:tape_device_t -/u?dev/(n?raw)?qft[0-3] -c system_u:object_r:tape_device_t -/u?dev/n?z?qft[0-3] -c system_u:object_r:tape_device_t -/u?dev/n?tpqic[12].* -c system_u:object_r:tape_device_t -/u?dev/ht[0-1] -b system_u:object_r:tape_device_t -/u?dev/n?osst[0-3].* -c system_u:object_r:tape_device_t -/u?dev/n?pt[0-9]+ -c system_u:object_r:tape_device_t -/u?dev/usb/scanner.* -c system_u:object_r:scanner_device_t -/u?dev/usb/dc2xx.* -c system_u:object_r:scanner_device_t -/u?dev/usb/mdc800.* -c system_u:object_r:scanner_device_t -/u?dev/usb/tty.* -c system_u:object_r:usbtty_device_t -/u?dev/mmetfgrab -c system_u:object_r:scanner_device_t -/u?dev/nvidia.* -c system_u:object_r:xserver_misc_device_t +/.?u?dev/pg[0-3] -c system_u:object_r:removable_device_t +/.?u?dev/rtc -c system_u:object_r:clock_device_t +/.?u?dev/psaux -c system_u:object_r:mouse_device_t +/.?u?dev/atibm -c system_u:object_r:mouse_device_t +/.?u?dev/logibm -c system_u:object_r:mouse_device_t +/.?u?dev/.*mouse.* -c system_u:object_r:mouse_device_t +/.?u?dev/input/.*mouse.* -c system_u:object_r:mouse_device_t 
+/.?u?dev/input/event.* -c system_u:object_r:event_device_t +/.?u?dev/input/mice -c system_u:object_r:mouse_device_t +/.?u?dev/input/js.* -c system_u:object_r:mouse_device_t +/.?u?dev/js.* -c system_u:object_r:mouse_device_t +/.?u?dev/jsflash -c system_u:object_r:fixed_disk_device_t +/.?u?dev/ptmx -c system_u:object_r:ptmx_t +/.?u?dev/sequencer -c system_u:object_r:misc_device_t +/.?u?dev/fb[0-9]* -c system_u:object_r:framebuf_device_t +/.?u?dev/apm_bios -c system_u:object_r:apm_bios_t +/.?u?dev/cpu/mtrr -c system_u:object_r:mtrr_device_t +/.?u?dev/(radio|video|vbi|vtx).* -c system_u:object_r:v4l_device_t +/.?u?dev/winradio. -c system_u:object_r:v4l_device_t +/.?u?dev/vttuner -c system_u:object_r:v4l_device_t +/.?u?dev/tlk[0-3] -c system_u:object_r:v4l_device_t +/.?u?dev/mixer.* -c system_u:object_r:sound_device_t +/.?u?dev/dsp.* -c system_u:object_r:sound_device_t +/.?u?dev/audio.* -c system_u:object_r:sound_device_t +/.?u?dev/r?midi.* -c system_u:object_r:sound_device_t +/.?u?dev/smpte.* -c system_u:object_r:sound_device_t +/.?u?dev/sndstat -c system_u:object_r:sound_device_t +/.?u?dev/beep -c system_u:object_r:sound_device_t +/.?u?dev/patmgr[01] -c system_u:object_r:sound_device_t +/.?u?dev/mpu401.* -c system_u:object_r:sound_device_t +/.?u?dev/srnd[0-7] -c system_u:object_r:sound_device_t +/.?u?dev/aload.* -c system_u:object_r:sound_device_t +/.?u?dev/amidi.* -c system_u:object_r:sound_device_t +/.?u?dev/amixer.* -c system_u:object_r:sound_device_t +/.?u?dev/snd/.* -c system_u:object_r:sound_device_t +/.?u?dev/n?[hs]t[0-9].* -c system_u:object_r:tape_device_t +/.?u?dev/(n?raw)?qft[0-3] -c system_u:object_r:tape_device_t +/.?u?dev/n?z?qft[0-3] -c system_u:object_r:tape_device_t +/.?u?dev/n?tpqic[12].* -c system_u:object_r:tape_device_t +/.?u?dev/ht[0-1] -b system_u:object_r:tape_device_t +/.?u?dev/n?osst[0-3].* -c system_u:object_r:tape_device_t +/.?u?dev/n?pt[0-9]+ -c system_u:object_r:tape_device_t +/.?u?dev/usb/scanner.* -c system_u:object_r:scanner_device_t 
+/.?u?dev/usb/dc2xx.* -c system_u:object_r:scanner_device_t +/.?u?dev/usb/mdc800.* -c system_u:object_r:scanner_device_t +/.?u?dev/usb/tty.* -c system_u:object_r:usbtty_device_t +/.?u?dev/mmetfgrab -c system_u:object_r:scanner_device_t +/.?u?dev/nvidia.* -c system_u:object_r:xserver_misc_device_t /proc(/.*)? <> /sys(/.*)? <> diff -Naur --- default.1.14/tunables/tunable.te 2004-08-02 08:28:37.000000000 +0100 +++ current/tunables/tunable.te 2004-08-23 10:34:30.000000000 +0100 @@ -101,7 +101,11 @@ dnl define(`user_net_control') # Allow user to rw usb devices -dnl define(`user_rw_usb') +dnl define(`user_rw_usb') # Allow user to connect to database server define(`user_db_connect') + +# Define whether hdc is an IDE CD(RW) DVD(RW) +define(`hdc_is_cd_dvd') + diff -Naur --- default.1.14/types/device.te 2004-08-02 08:28:37.000000000 +0100 +++ current/types/device.te 2004-08-23 10:31:13.000000000 +0100 @@ -73,6 +73,14 @@ # type removable_device_t, device_type; +# /dev/hdc could be an IDE CD/RW or DVD/RW. + +ifdef(`hdc_is_cd_dvd', ` +typealias removable_device_t alias tunably_defined_disk_t; +',` +typealias fixed_disk_device_t alias tunably_defined_disk_t; +') + # # clock_device_t is the type of # /dev/rtc. --EeQfGwPcQSOJBaQU-- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
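Review bot: The new `/.?u?dev/[h]d[^/^c]*` entry in the first run of added lines excludes every hd name containing a `c`, so partition nodes such as `/dev/hdc1` match neither it nor the exact `/.?u?dev/hdc` entry and fall through to `/.?u?dev(/.*)?`, i.e. the generic `device_t` instead of a disk type — which happens precisely when hdc is a fixed disk and the tunable is off. Because the last matching file_contexts entry wins, splitting `[shmx]d` is unnecessary: keep `/u?dev/[shmx]d[^/]* -b system_u:object_r:fixed_disk_device_t` as it was and add after it `/u?dev/hdc[0-9]* -b system_u:object_r:tunably_defined_disk_t`. The `/.?u?dev` prefix added to every line is unrelated to the tunable and, with the `.` unescaped, makes the entries label any path under a top-level directory named one arbitrary character followed by `dev` or `udev`; if it is meant for a `/.dev` tree it should be `/\.?u?dev` and go in a separate patch. The hunk header `@@ -112,109 +117,111 @@` with no earlier hunk suggests the diff was taken against a tree carrying other local changes. The `<>` shown on the `pts`, `/proc` and `/sys` lines looks like `<<none>>` with the angle brackets lost in transit.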
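Review bot: The `hdc_is_cd_dvd` define ships enabled, so on any machine where hdc is a hard disk the whole device is labelled `removable_device_t`, presumably the less restricted of the two types given that the point of the patch is to make a CD-RW usable; a tunable that can widen access to a block device should default off, as `user_rw_usb` does, i.e. prefix the new `define` line with `dnl`. The comment should also name the consequence of getting it wrong, e.g. `# Treat /dev/hdc as a removable device (IDE CD/DVD); leave off if hdc is a hard disk, or raw access to it follows the removable_device_t rules.` The `-dnl define(...)` / `+dnl define(...)` pair for `user_rw_usb` is identical as printed, so it is likely a whitespace-only change that could be dropped from the patch.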
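Review bot: `tunably_defined_disk_t` names the mechanism rather than the device, so a second tunable of this kind could not reuse it and the file_contexts entry gives no hint which node it is for; a name such as `hdc_device_t` would read better in both the `typealias` lines and `types.fc`. The comment above the `ifdef` could state the mapping explicitly: `# /dev/hdc is labelled via the hdc_is_cd_dvd tunable: removable_device_t when set, fixed_disk_device_t otherwise.` Since the alias presumably resolves to its primary type when a node is labelled, an already-labelled `/dev/hdc` would keep its old type after the tunable is flipped until `/dev` is relabelled; if that is confirmed, it deserves a sentence in the same comment.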