From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH v2] Setup attribute for fixed_disk_device and removable_device
Date: Wed, 13 Mar 2019 18:18:55 +0000
Message-ID: <20190313181804.10224-2-dsugar@tresys.com>
In-Reply-To: <20190313181804.10224-1-dsugar@tresys.com>
X-Mailer: git-send-email 2.20.1

I am having trouble with some
denials due to the fact that I am setting up specific private types for media attached to my system. This changes the policy to use an attribute for media and adds interfaces to add types to the newly created attribute.

Updates based on feedback to create 'all' interfaces rather than updating existing interfaces.

I'm trying to resolve issues with denials like the following:

type=AVC msg=audit(1551461957.121:9050): avc: denied { open } for pid=30877 comm="cryptsetup" path="/dev/sdb" dev="devtmpfs" ino=110450 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1551461957.121:9051): avc: denied { ioctl } for pid=30877 comm="cryptsetup" path="/dev/sdb" dev="devtmpfs" ino=110450 ioctlcmd=1268 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1551461973.149:9101): avc: denied { getattr } for pid=28 comm="kdevtmpfs" path="/sdb1" dev="devtmpfs" ino=110461 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1551461973.149:9102): avc: denied { setattr } for pid=28 comm="kdevtmpfs" name="sdb1" dev="devtmpfs" ino=110461 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1551461973.149:9103): avc: denied { unlink } for pid=28 comm="kdevtmpfs" name="sdb1" dev="devtmpfs" ino=110461 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1552228893.128:472): avc: denied { getattr } for pid=8141 comm="systemd-logind" name="sg1" dev="devtmpfs" ino=31873 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1552228893.128:473): avc: denied { setattr } for pid=8141 comm="systemd-logind" name="sg1" dev="devtmpfs" ino=31873 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1552228893.128:474): avc: denied { getattr } for pid=8141 comm="systemd-logind" name="sr0" dev="devtmpfs" ino=14570 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1552228893.128:475): avc: denied { setattr } for pid=8141 comm="systemd-logind" name="sr0" dev="devtmpfs" ino=14570 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1

Signed-off-by: Dave Sugar
---
 policy/modules/kernel/kernel.te  |   7 +-
 policy/modules/kernel/storage.if | 320 +++++++++++++++++++++++++++++++
 policy/modules/kernel/storage.te |   7 +
 policy/modules/system/lvm.te     |   2 +-
 policy/modules/system/systemd.te |   8 +-
 5 files changed, 336 insertions(+), 8 deletions(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel= .te index e971c533..acc8a88c 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -352,9 +352,10 @@ ifdef(`init_systemd',` =20 optional_policy(` storage_dev_filetrans_fixed_disk(kernel_t) - storage_setattr_fixed_disk_dev(kernel_t) - storage_create_fixed_disk_dev(kernel_t) - storage_delete_fixed_disk_dev(kernel_t) + storage_getattr_all_scsi_generic_dev(kernel_t) + storage_setattr_all_fixed_disk_dev(kernel_t) + storage_create_all_fixed_disk_dev(kernel_t) + storage_delete_all_fixed_disk_dev(kernel_t) ') ') =20 diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/stora= ge.if index 0292eee4..93208835 100644 
--- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -1,5 +1,25 @@ ## Policy controlling access to storage devices =20 +######################################## +## +## Allow the caller to get the attributes of=20 +## all fixed disk device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`storage_getattr_all_fixed_disk_dev',` + gen_require(` + attribute fixed_disk_device; + ') + + dev_list_all_dev_nodes($1) + allow $1 fixed_disk_device:blk_file getattr; +') + ######################################## ## ## Allow the caller to get the attributes of fixed disk @@ -20,6 +40,26 @@ interface(`storage_getattr_fixed_disk_dev',` allow $1 fixed_disk_device_t:blk_file getattr; ') =20 +######################################## +## +## Do not audit attempts made by the caller to get +## the attributes of all fixed disk device nodes. +## +## +## +## Domain to not audit. +## +## +# +interface(`storage_dontaudit_all_getattr_fixed_disk_dev',` + gen_require(` + attribute fixed_disk_device; + ') + + dontaudit $1 fixed_disk_device:blk_file getattr; + dontaudit $1 fixed_disk_device:chr_file getattr; # /dev/rawctl +') + ######################################## ## ## Do not audit attempts made by the caller to get @@ -40,6 +80,26 @@ interface(`storage_dontaudit_getattr_fixed_disk_dev',` dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl ') =20 +######################################## +## +## Allow the caller to set the attributes of all +## fixed disk device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`storage_setattr_all_fixed_disk_dev',` + gen_require(` + attribute fixed_disk_device; + ') + + dev_list_all_dev_nodes($1) + allow $1 fixed_disk_device:blk_file setattr; +') + ######################################## ## ## Allow the caller to set the attributes of fixed disk 
@@ -79,6 +139,31 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',` dontaudit $1 fixed_disk_device_t:blk_file setattr; ') =20 +######################################## +## +## Allow the caller to directly read from all fixed disks. +## This is extremely dangerous as it can bypass the +## SELinux protections for filesystem objects, and +## should only be used by trusted domains. +## +## +## +## Domain allowed access. +## +## +# +interface(`storage_raw_read_all_fixed_disk',` + gen_require(` + attribute fixed_disk_raw_read; + attribute fixed_disk_device; + ') + + dev_list_all_dev_nodes($1) + allow $1 fixed_disk_device:blk_file read_blk_file_perms; + allow $1 fixed_disk_device:chr_file read_chr_file_perms; + typeattribute $1 fixed_disk_raw_read; +') + ######################################## ## ## Allow the caller to directly read from a fixed disk. @@ -188,6 +273,26 @@ interface(`storage_raw_rw_fixed_disk',` storage_raw_write_fixed_disk($1) ') =20 +######################################## +## +## Allow the caller to create all fixed disk device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`storage_create_all_fixed_disk_dev',` + gen_require(` + attribute fixed_disk_device; + ') + + allow $1 self:capability mknod; + allow $1 fixed_disk_device:blk_file create_blk_file_perms; + dev_add_entry_generic_dirs($1) +') + ######################################## ## ## Allow the caller to create fixed disk device nodes. 
@@ -208,6 +313,25 @@ interface(`storage_create_fixed_disk_dev',` dev_add_entry_generic_dirs($1) ') =20 +######################################## +## +## Allow the caller to delete all fixed disk device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`storage_delete_all_fixed_disk_dev',` + gen_require(` + attribute fixed_disk_device; + ') + + allow $1 fixed_disk_device:blk_file delete_blk_file_perms; + dev_remove_entry_generic_dirs($1) +') + ######################################## ## ## Allow the caller to delete fixed disk device nodes. @@ -227,6 +351,29 @@ interface(`storage_delete_fixed_disk_dev',` dev_remove_entry_generic_dirs($1) ') =20 +######################################## +## +## Create, read, write, and delete fixed disk device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`storage_manage_all_fixed_disk',` + gen_require(` + attribute fixed_disk_raw_read, fixed_disk_raw_write; + attribute fixed_disk_device; + ') + + dev_list_all_dev_nodes($1) + allow $1 self:capability mknod; + allow $1 fixed_disk_device:blk_file manage_blk_file_perms; + allow $1 fixed_disk_device:chr_file manage_chr_file_perms; + typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; +') + ######################################## ## ## Create, read, write, and delete fixed disk device nodes. @@ -293,6 +440,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',` fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file) ') =20 +######################################## +## +## Relabel all fixed disk device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`storage_relabel_all_fixed_disk',` + gen_require(` + attribute fixed_disk_device; + ') + + dev_list_all_dev_nodes($1) + allow $1 fixed_disk_device:blk_file relabel_blk_file_perms; +') + ######################################## ## ## Relabel fixed disk device nodes. 
@@ -388,6 +554,26 @@ interface(`storage_dontaudit_rw_fuse',` dontaudit $1 fuse_device_t:chr_file rw_file_perms; ') =20 +######################################## +## +## Allow the caller to get the attributes of +## all generic SCSI interface device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`storage_getattr_all_scsi_generic_dev',` + gen_require(` + attribute scsi_generic_device; + ') + + dev_list_all_dev_nodes($1) + allow $1 scsi_generic_device:chr_file getattr; +') + ######################################## ## ## Allow the caller to get the attributes of @@ -408,6 +594,26 @@ interface(`storage_getattr_scsi_generic_dev',` allow $1 scsi_generic_device_t:chr_file getattr; ') =20 +######################################## +## +## Allow the caller to set the attributes of +## all generic SCSI interface device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`storage_setattr_all_scsi_generic_dev',` + gen_require(` + attribute scsi_generic_device; + ') + + dev_list_all_dev_nodes($1) + allow $1 scsi_generic_device:chr_file setattr; +') + ######################################## ## ## Allow the caller to set the attributes of @@ -517,6 +723,26 @@ interface(`storage_dontaudit_rw_scsi_generic',` dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms; ') =20 +######################################## +## +## Allow the caller to get the attributes of all removable +## devices device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`storage_getattr_all_removable_dev',` + gen_require(` + attribute removable_device; + ') + + dev_list_all_dev_nodes($1) + allow $1 removable_device:blk_file getattr; +') + ######################################## ## ## Allow the caller to get the attributes of removable 
@@ -556,6 +782,25 @@ interface(`storage_dontaudit_getattr_removable_dev',` dontaudit $1 removable_device_t:blk_file getattr; ') =20 +######################################## +## +## Do not audit attempts made by the caller to get +## the attributes of all removable devices device nodes. +## +## +## +## Domain to not audit. +## +## +# +interface(`storage_dontaudit_getattr_all_removable_dev',` + gen_require(` + attribute removable_device; + ') + + dontaudit $1 removable_device:blk_file getattr; +') + ######################################## ## ## Do not audit attempts made by the caller to read @@ -595,6 +840,26 @@ interface(`storage_dontaudit_write_removable_device',` dontaudit $1 removable_device_t:blk_file write_blk_file_perms; ') =20 +######################################## +## +## Allow the caller to set the attributes of all removable +## devices device nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`storage_setattr_all_removable_dev',` + gen_require(` + attribute removable_device; + ') + + dev_list_all_dev_nodes($1) + allow $1 removable_device:blk_file setattr; +') + ######################################## ## ## Allow the caller to set the attributes of removable 
@@ -796,6 +1061,61 @@ interface(`storage_setattr_tape_dev',` allow $1 tape_device_t:chr_file setattr; ') =20 +######################################## +## +## Mark a type as a fixed disk device type. +## +## +## +## Type to associate +## +## +# +interface(`storage_fixed_disk_device_type',` + gen_require(` + attribute fixed_disk_device; + ') + + typeattribute $1 fixed_disk_device; +') + +######################################## +## +## Mark a type as a removable device type. +## +## +## +## Type to associate. +## +## +# +interface(`storage_removable_device_type',` + gen_require(` + attribute removable_device; + ') + + typeattribute $1 removable_device; +') + + +######################################## +## +## Mark a type as a scsi generic device type. +## +## +## +## Type to associate. +## +## +# +interface(`storage_scsi_generic_device_type',` + gen_require(` + attribute scsi_generic_device; + ') + + typeattribute $1 scsi_generic_device; +') + ######################################## ## ## Unconfined access to storage devices. diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/stora= ge.te index c10290c0..cc59380d 100644 --- a/policy/modules/kernel/storage.te +++ b/policy/modules/kernel/storage.te @@ -11,12 +11,17 @@ attribute scsi_generic_read; attribute scsi_generic_write; attribute storage_unconfined_type; =20 +attribute fixed_disk_device; +attribute removable_device; +attribute scsi_generic_device; + # # fixed_disk_device_t is the type of # /dev/hd* and /dev/sd*. # type fixed_disk_device_t; dev_node(fixed_disk_device_t) +storage_fixed_disk_device_type(fixed_disk_device_t) =20 neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_dev= ice_t:{ chr_file blk_file } read; neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_de= vice_t:{ chr_file blk_file } { append write }; 
@@ -33,6 +38,7 @@ dev_node(fuse_device_t) # type scsi_generic_device_t; dev_node(scsi_generic_device_t) +storage_scsi_generic_device_type(scsi_generic_device_t) =20 neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_dev= ice_t:{ chr_file blk_file } read; neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_de= vice_t:{ chr_file blk_file } { append write }; @@ -43,6 +49,7 @@ neverallow ~{ scsi_generic_write storage_unconfined_type = } scsi_generic_device_t # type removable_device_t; dev_node(removable_device_t) +storage_removable_device_type(removable_device_t) =20 # # tape_device_t is the type of diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index ba64c39d..0bb7177c 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -300,7 +300,7 @@ storage_dontaudit_read_removable_device(lvm_t) # cjp: needs to create an interface here for fixed disk create storage_dev_filetrans_fixed_disk(lvm_t) # Access raw devices and old /dev/lvm (c 109,0). Is this needed? -storage_manage_fixed_disk(lvm_t) +storage_manage_all_fixed_disk(lvm_t) =20 term_use_all_terms(lvm_t) =20 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/syste= md.te index 07529a5d..83f85a9d 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -472,10 +472,10 @@ fs_unmount_tmpfs(systemd_logind_t) =20 selinux_get_enforce_mode(systemd_logind_t) =20 -storage_getattr_removable_dev(systemd_logind_t) -storage_getattr_scsi_generic_dev(systemd_logind_t) -storage_setattr_removable_dev(systemd_logind_t) -storage_setattr_scsi_generic_dev(systemd_logind_t) +storage_getattr_all_removable_dev(systemd_logind_t) +storage_getattr_all_scsi_generic_dev(systemd_logind_t) +storage_setattr_all_removable_dev(systemd_logind_t) +storage_setattr_all_scsi_generic_dev(systemd_logind_t) =20 term_setattr_unallocated_ttys(systemd_logind_t) term_use_unallocated_ttys(systemd_logind_t) --=20 2.20.1
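Review bot: the kernel.te hunk adds storage_getattr_all_scsi_generic_dev(kernel_t), but none of the denials quoted in the description show kernel_t touching a chr_file; the kdevtmpfs denials are getattr, setattr and unlink on a blk_file, and the getattr one has no matching call in this hunk (only setattr, create and delete of fixed disk nodes are granted). Unless kernel_t already gets blk_file getattr elsewhere in kernel.te, consider replacing the scsi_generic getattr call with storage_getattr_all_fixed_disk_dev(kernel_t), or state in the commit message which denial the scsi_generic call resolves.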
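Review bot: interface naming is inconsistent across the storage.if hunks: storage_dontaudit_all_getattr_fixed_disk_dev puts "all" before the permission, while storage_dontaudit_getattr_all_removable_dev and every other new interface (storage_getattr_all_fixed_disk_dev, storage_setattr_all_fixed_disk_dev, ...) put it after. Rename it to storage_dontaudit_getattr_all_fixed_disk_dev so the whole set follows one pattern.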
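Review bot: the summary for storage_manage_all_fixed_disk reads "Create, read, write, and delete fixed disk device nodes.", identical to the existing storage_manage_fixed_disk directly below it, so the generated documentation will not distinguish the two. Say "all fixed disk device nodes" and carry over the "extremely dangerous ... bypass the SELinux protections for filesystem objects" warning from storage_raw_read_all_fixed_disk, since this interface likewise adds the caller to fixed_disk_raw_read and fixed_disk_raw_write.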
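Review bot: in the storage.te hunk the neverallow rules still name fixed_disk_device_t and scsi_generic_device_t, while the new interfaces grant read_blk_file_perms and manage_blk_file_perms on the fixed_disk_device attribute. A private type marked with storage_fixed_disk_device_type() therefore receives raw read and write access through the attribute without being covered by the neverallow, which is exactly the guarantee the raw_read/raw_write attributes exist to enforce. Consider pointing the neverallow rules at the attributes instead, e.g. `neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device:{ chr_file blk_file } read;` (and likewise for write/append and for scsi_generic_device), so any type added to the attribute inherits the same constraint.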
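Review bot: documentation and whitespace nits in the storage.if hunks: "all removable devices device nodes" in storage_getattr_all_removable_dev, storage_dontaudit_getattr_all_removable_dev and storage_setattr_all_removable_dev doubles "devices device"; there are two blank lines between storage_removable_device_type and storage_scsi_generic_device_type where the rest of the file uses one; and "Type to associate" in storage_fixed_disk_device_type lacks the trailing period the other two type-marking interfaces have.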
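An added example, not part of this patch or of the refpolicy tree: a small Python triage script that parses AVC records like the ones quoted in the description, collapses them into the (source domain, target type, object class) tuples a policy writer has to cover, and maps each permission to the interfaces this patch introduces. The interface table is my own reading of the storage.if hunks (which fixed-disk or removable variant applies depends on the attribute the private type is given), and the input lines are copied from the message.

```python
import re
from collections import defaultdict

# AVC records copied (quoted-printable decoded) from the patch description above.
SAMPLE_AVC = """\
type=AVC msg=audit(1551461957.121:9050): avc: denied { open } for pid=30877 comm="cryptsetup" path="/dev/sdb" dev="devtmpfs" ino=110450 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1551461957.121:9051): avc: denied { ioctl } for pid=30877 comm="cryptsetup" path="/dev/sdb" dev="devtmpfs" ino=110450 ioctlcmd=1268 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1551461973.149:9101): avc: denied { getattr } for pid=28 comm="kdevtmpfs" path="/sdb1" dev="devtmpfs" ino=110461 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1551461973.149:9103): avc: denied { unlink } for pid=28 comm="kdevtmpfs" name="sdb1" dev="devtmpfs" ino=110461 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1552228893.128:472): avc: denied { getattr } for pid=8141 comm="systemd-logind" name="sg1" dev="devtmpfs" ino=31873 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=chr_file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return the fields a policy writer needs from one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "sdomain": m.group("scontext").split(":")[2],  # user:role:TYPE[:range]
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        # permissive=1 means every denial was logged; in enforcing mode only
        # the first failing check of a syscall shows up, so expect more later.
        "permissive": "permissive=1" in line,
    }

def summarize(text):
    """Collapse records into {(source domain, target type, class): sorted perms}."""
    needed = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            needed[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return {key: sorted(perms) for key, perms in needed.items()}

# Interfaces added by this patch, keyed by (class, permission). open/ioctl are
# inside read_blk_file_perms, so they need the raw_read attribute membership
# that storage_raw_read_all_fixed_disk / storage_manage_all_fixed_disk grant.
PATCH_INTERFACES = {
    ("blk_file", "getattr"): ["storage_getattr_all_fixed_disk_dev", "storage_getattr_all_removable_dev"],
    ("blk_file", "setattr"): ["storage_setattr_all_fixed_disk_dev", "storage_setattr_all_removable_dev"],
    ("blk_file", "create"): ["storage_create_all_fixed_disk_dev"],
    ("blk_file", "unlink"): ["storage_delete_all_fixed_disk_dev"],
    ("blk_file", "open"): ["storage_raw_read_all_fixed_disk", "storage_manage_all_fixed_disk"],
    ("blk_file", "ioctl"): ["storage_raw_read_all_fixed_disk", "storage_manage_all_fixed_disk"],
    ("chr_file", "getattr"): ["storage_getattr_all_scsi_generic_dev"],
    ("chr_file", "setattr"): ["storage_setattr_all_scsi_generic_dev"],
}

def suggest(summary):
    """Map each needed permission to candidate interfaces from the patch;
    permissions with no candidate are reported so they get manual review."""
    out = {}
    for key, perms in summary.items():
        ifaces, unmapped = set(), []
        for perm in perms:
            cands = PATCH_INTERFACES.get((key[2], perm))
            ifaces.update(cands) if cands else unmapped.append(perm)
        out[key] = {"interfaces": sorted(ifaces), "unmapped": unmapped}
    return out

if __name__ == "__main__":
    for key, res in suggest(summarize(SAMPLE_AVC)).items():
        print(key, res)
```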