## ## Device nodes and interfaces for many basic system devices. ## ## ##

## This module creates the device node concept and provides ## the policy for many of the device files. Notable exceptions are ## the mass storage and terminal devices that are covered by other ## modules. ##

##

## This module creates the concept of a device node. That is a ## char or block device file, usually in /dev. All types that ## are used to label device nodes should use the dev_node macro. ##

##

## Additionally, this module controls access to three things: ##

##

##
## ## Depended on by other required modules. ## ######################################## ## ## Make the specified type usable for device ## nodes in a filesystem. ## ## ##

## Make the specified type usable for device nodes ## in a filesystem. Types used for device nodes that ## do not use this interface, or an interface that ## calls this one, will have unexpected behaviors ## while the system is running. ##

##

## Example: ##

##

## type mydev_t; ## dev_node(mydev_t) ## allow mydomain_t mydev_t:chr_file read_chr_file_perms; ##

##

## Related interfaces: ##

## ##
## <param name="type">
##	<summary>
##	Type to be used for device nodes.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`dev_node',`
	gen_require(`
		attribute device_node;
	')

	typeattribute $1 device_node;
')

########################################
## <summary>
##	Associate the specified file type with the device filesystem.
## </summary>
## <param name="file_type">
##	<summary>
##	The type of the file to be associated.
##	</summary>
## </param>
#
interface(`dev_associate',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:filesystem associate;
	fs_associate_tmpfs($1) #For backwards compatibility
')

########################################
## <summary>
##	Get attributes of device filesystems.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_fs',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:filesystem getattr;
')

########################################
## <summary>
##	Mount a filesystem on /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_mounton',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:dir mounton;
')

########################################
## <summary>
##	Allow the caller domain to mounton all device nodes
##	(regular files, character devices and block devices).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_mounton_all_device_nodes',`
	gen_require(`
		attribute device_node;
	')

	allow $1 device_node:{ file chr_file blk_file } mounton;
')

########################################
## <summary>
##	Allow full relabeling (to and from) of all device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`dev_relabel_all_dev_nodes',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	relabel_dirs_pattern($1, device_t, device_node)
	relabel_files_pattern($1, device_t, device_node)
	relabel_lnk_files_pattern($1, device_t, device_node)
	relabel_fifo_files_pattern($1, device_t, device_node)
	relabel_sock_files_pattern($1, device_t, device_node)
	relabel_blk_files_pattern($1, device_t, device_node)
	relabel_chr_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Allow full relabeling (to and from) of all device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
# NOTE(review): the rule below covers only regular files labeled device_t,
# not every device_node type.
interface(`dev_relabel_all_dev_files',`
	gen_require(`
		type device_t;
	')

	relabel_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	List all of the device nodes in a device directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_list_all_dev_nodes',`
	gen_require(`
		type device_t;
	')

	list_dirs_pattern($1, device_t, device_t)
	read_lnk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Set the attributes of /dev directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_generic_dirs',`
	gen_require(`
		type device_t;
	')

	setattr_dirs_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Do not audit attempts to list all device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_list_all_dev_nodes',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:dir list_dir_perms;
')

########################################
## <summary>
##	Do not audit access checks (audit_access) on all device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_all_access_check',`
	gen_require(`
		attribute device_node;
	')

	dontaudit $1 device_node:file_class_set audit_access;
')

########################################
## <summary>
##	Add entries to directories in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_add_entry_generic_dirs',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:dir add_entry_dir_perms;
')

########################################
## <summary>
##	Remove entries from directories in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_remove_entry_generic_dirs',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:dir del_entry_dir_perms;
')

########################################
## <summary>
##	Create a directory in the device directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_generic_dirs',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:dir list_dir_perms;
	create_dirs_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Watch generic device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_watch_generic_dirs',`
	gen_require(`
		type device_t;
	')

	watch_dirs_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Delete a directory in the device directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_generic_dirs',`
	gen_require(`
		type device_t;
	')

	delete_dirs_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Manage directories in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_generic_dirs',`
	gen_require(`
		type device_t;
	')

	manage_dirs_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Allow full relabeling (to and from) of directories in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_relabel_generic_dev_dirs',`
	gen_require(`
		type device_t;
	')

	relabel_dirs_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Do not audit attempts to getattr generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_generic_files',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:file getattr;
')

########################################
## <summary>
##	Read generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_generic_files',`
	gen_require(`
		type device_t;
	')

	read_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Do not audit attempts to read generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_read_generic_files',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:file { read getattr };
')

########################################
## <summary>
##	Read and write generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_generic_files',`
	gen_require(`
		type device_t;
	')

	rw_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Delete generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_generic_files',`
	gen_require(`
		type device_t;
	')

	delete_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Create, read, write, and delete generic files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_generic_files',`
	gen_require(`
		type device_t;
	')

	manage_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Do not audit attempts to getattr generic pipes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_generic_pipes',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:fifo_file getattr;
')

########################################
## <summary>
##	Write generic socket files in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_generic_sockets',`
	gen_require(`
		type device_t;
	')

	write_sock_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Allow getattr on generic block devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	getattr_blk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Rename generic block device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rename_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	rename_blk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Write generic sock files in /dev.  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# Deprecated wrapper: emits a build-time warning, then forwards to
# dev_write_generic_sockets.
interface(`dev_write_generic_sock_files',`
	refpolicywarn(`$0($*) has been replaced with dev_write_generic_sockets().')
	dev_write_generic_sockets($1)
')

########################################
## <summary>
##	Do not audit attempts to getattr generic block devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:blk_file getattr;
')

########################################
## <summary>
##	Do not audit attempts to setattr generic block devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:blk_file setattr;
')

########################################
## <summary>
##	Create generic block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	create_blk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Delete generic block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	delete_blk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Allow getattr for generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	getattr_chr_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Do not audit attempts to getattr generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:chr_file getattr;
')

########################################
## <summary>
##	Rename generic character device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
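##	</summary>
## </param>
#
interface(`dev_rename_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	rename_chr_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Do not audit attempts to setattr generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:chr_file setattr;
')

########################################
## <summary>
##	Read generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:chr_file read_chr_file_perms;
')

########################################
## <summary>
##	Read and write generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:chr_file rw_chr_file_perms;
')

########################################
## <summary>
##	Read and write generic block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	# Block-class permission set, matching the blk_file object class.
	allow $1 device_t:blk_file rw_blk_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to read/write generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_rw_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:chr_file rw_chr_file_perms;
')

########################################
## <summary>
##	Create generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	create_chr_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Delete generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.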
##	</summary>
## </param>
#
interface(`dev_delete_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	delete_chr_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Relabel from generic character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_relabelfrom_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:chr_file relabelfrom;
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of symbolic links in device directories (/dev).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_generic_symlinks',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:lnk_file setattr;
')

########################################
## <summary>
##	Create symbolic links in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_generic_symlinks',`
	gen_require(`
		type device_t;
	')

	create_lnk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Delete symbolic links in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_generic_symlinks',`
	gen_require(`
		type device_t;
	')

	delete_lnk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Read symbolic links in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_generic_symlinks',`
	gen_require(`
		type device_t;
	')

	allow $1 device_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
##	Create, delete, read, and write symbolic links in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_generic_symlinks',`
	gen_require(`
		type device_t;
	')

	manage_lnk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Relabel symbolic links in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_relabel_generic_symlinks',`
	gen_require(`
		type device_t;
	')

	relabel_lnk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Create, delete, read, and write device nodes in device directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE: besides managing and relabeling nodes under /dev, the caller is
# given raw fixed-disk read/write, SCSI generic read/write, and the
# memory_raw_read and memory_raw_write attributes. Review every caller of
# this interface as a holder of raw disk and raw memory access.
interface(`dev_manage_all_dev_nodes',`
	gen_require(`
		attribute device_node, memory_raw_read, memory_raw_write;
		type device_t;
	')

	manage_dirs_pattern($1, device_t, device_t)
	manage_sock_files_pattern($1, device_t, device_t)
	manage_lnk_files_pattern($1, device_t, device_t)
	manage_chr_files_pattern($1, device_t, { device_t device_node })
	manage_blk_files_pattern($1, device_t, { device_t device_node })

	relabel_dirs_pattern($1, device_t, device_t)
	relabel_chr_files_pattern($1, device_t, { device_t device_node })
	relabel_blk_files_pattern($1, device_t, { device_t device_node })

	# these next rules are to satisfy assertions broken by the above lines.
	# the permissions hopefully can be cut back a lot
	storage_raw_read_fixed_disk($1)
	storage_raw_write_fixed_disk($1)
	storage_read_scsi_generic($1)
	storage_write_scsi_generic($1)

	typeattribute $1 memory_raw_read;
	typeattribute $1 memory_raw_write;
')

########################################
## <summary>
##	Do not audit attempts to getattr, read, write, or ioctl
##	generic character and block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_rw_generic_dev_nodes',`
	gen_require(`
		type device_t;
	')

	dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
')

########################################
## <summary>
##	Read generic block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	read_blk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Create, delete, read, and write block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_generic_blk_files',`
	gen_require(`
		type device_t;
	')

	manage_blk_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Create, delete, read, and write character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_generic_chr_files',`
	gen_require(`
		type device_t;
	')

	manage_chr_files_pattern($1, device_t, device_t)
')

########################################
## <summary>
##	Create, read, and write device nodes. The node
##	will be transitioned to the type provided.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="file">
##	<summary>
##	Type to which the created node will be transitioned.
##	</summary>
## </param>
## <param name="objectclass(es)">
##	<summary>
##	Object class(es) (single or set including {}) for which
##	the transition will occur.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`dev_filetrans',`
	gen_require(`
		type device_t;
	')

	filetrans_pattern($1, device_t, $2, $3, $4)

	# The target type must be associable with both the device
	# filesystem and tmp filesystems.
	dev_associate($2)
	files_associate_tmp($2)
')

########################################
## <summary>
##	Create, read, and write device nodes. The node
##	will be transitioned to the type provided.  This is
##	a temporary interface until devtmpfs functionality is
##	fixed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="objectclass(es)">
##	<summary>
##	Object class(es) (single or set including {}) for which
##	the transition will occur.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`dev_tmpfs_filetrans_dev',`
	gen_require(`
		type device_t;
	')

	fs_tmpfs_filetrans($1, device_t, $2, $3)
')

########################################
## <summary>
##	Allow getattr on all device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_all',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	allow $1 { device_t device_node }:dir_file_class_set getattr;
')

########################################
## <summary>
##	Getattr on all block file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
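##	</summary>
## </param>
## <rolecap/>
#
interface(`dev_getattr_all_blk_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	getattr_blk_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Lock on all block file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`dev_lock_all_blk_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	lock_blk_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Read on all block file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`dev_read_all_blk_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	read_blk_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Do not audit attempts to getattr all block file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_all_blk_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	dontaudit $1 { device_t device_node }:blk_file getattr;
')

########################################
## <summary>
##	Getattr on all character file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`dev_getattr_all_chr_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	getattr_chr_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Do not audit attempts to getattr all character file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_all_chr_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	dontaudit $1 { device_t device_node }:chr_file getattr;
')

########################################
## <summary>
##	Setattr on all block file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`dev_setattr_all_blk_files',`
	gen_require(`
		attribute device_node;
		# device_t is the containing-directory type passed to the pattern.
		type device_t;
	')

	setattr_blk_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Setattr on all character file device nodes.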
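## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`dev_setattr_all_chr_files',`
	gen_require(`
		attribute device_node;
		# device_t is the containing-directory type passed to the pattern.
		type device_t;
	')

	setattr_chr_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Do not audit attempts to read all block file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_read_all_blk_files',`
	gen_require(`
		attribute device_node;
	')

	dontaudit $1 device_node:blk_file { getattr read };
')

########################################
## <summary>
##	Do not audit attempts to write all block file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_write_all_blk_files',`
	gen_require(`
		attribute device_node;
	')

	dontaudit $1 device_node:blk_file write;
')

########################################
## <summary>
##	Do not audit attempts to read all character file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_read_all_chr_files',`
	gen_require(`
		attribute device_node;
	')

	dontaudit $1 device_node:chr_file { getattr read };
')

########################################
## <summary>
##	Do not audit attempts to write all character file device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_write_all_chr_files',`
	gen_require(`
		attribute device_node;
	')

	dontaudit $1 device_node:chr_file write;
')

########################################
## <summary>
##	Create all device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_all_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	create_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Create all block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_all_blk_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	create_blk_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Create all character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.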
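##	</summary>
## </param>
#
interface(`dev_create_all_chr_files',`
	gen_require(`
		attribute device_node;
		# device_t is the containing-directory type passed to the pattern.
		type device_t;
	')

	create_chr_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Read and write all inherited character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_all_inherited_chr_files',`
	gen_require(`
		attribute device_node;
	')

	allow $1 device_node:chr_file rw_inherited_chr_file_perms;
')

########################################
## <summary>
##	Read and write all inherited block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_all_inherited_blk_files',`
	gen_require(`
		attribute device_node;
	')

	allow $1 device_node:blk_file rw_inherited_blk_file_perms;
')

########################################
## <summary>
##	Delete all block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_all_blk_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	delete_blk_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Delete all character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_all_chr_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	delete_chr_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Rename all block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rename_all_blk_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	rename_blk_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Rename all character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rename_all_chr_files',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	rename_chr_files_pattern($1, device_t, device_node)
')

########################################
## <summary>
##	Read, write, create, and delete all block device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.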
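##	</summary>
## </param>
#
# NOTE: the caller is also given raw fixed-disk and SCSI generic
# read/write access, so treat it as a holder of raw disk access.
interface(`dev_manage_all_blk_files',`
	gen_require(`
		attribute device_node;
		# device_t is the containing-directory type passed to the pattern.
		type device_t;
	')

	manage_blk_files_pattern($1, device_t, device_node)

	# these next rules are to satisfy assertions broken by the above lines.
	storage_raw_read_fixed_disk($1)
	storage_raw_write_fixed_disk($1)
	storage_read_scsi_generic($1)
	storage_write_scsi_generic($1)
')

########################################
## <summary>
##	Read, write, create, and delete all character device files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# NOTE: the caller is also assigned the memory_raw_read and
# memory_raw_write attributes.
interface(`dev_manage_all_chr_files',`
	gen_require(`
		attribute device_node, memory_raw_read, memory_raw_write;
		# device_t is the containing-directory type passed to the pattern.
		type device_t;
	')

	manage_chr_files_pattern($1, device_t, device_node)

	typeattribute $1 memory_raw_read, memory_raw_write;
')

########################################
## <summary>
##	Getattr the agp devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_agp_dev',`
	gen_require(`
		type device_t, agp_device_t;
	')

	getattr_chr_files_pattern($1, device_t, agp_device_t)
')

########################################
## <summary>
##	Read and write the agp devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_agp',`
	gen_require(`
		type device_t, agp_device_t;
	')

	rw_chr_files_pattern($1, device_t, agp_device_t)
')

########################################
## <summary>
##	Get the attributes of the apm bios device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_apm_bios_dev',`
	gen_require(`
		type device_t, apm_bios_t;
	')

	getattr_chr_files_pattern($1, device_t, apm_bios_t)
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of
##	the apm bios device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_apm_bios_dev',`
	gen_require(`
		type apm_bios_t;
	')

	dontaudit $1 apm_bios_t:chr_file getattr;
')

########################################
## <summary>
##	Set the attributes of the apm bios device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.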
##	</summary>
## </param>
#
interface(`dev_setattr_apm_bios_dev',`
	gen_require(`
		type device_t, apm_bios_t;
	')

	setattr_chr_files_pattern($1, device_t, apm_bios_t)
')

########################################
## <summary>
##	Do not audit attempts to set the attributes of
##	the apm bios device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_apm_bios_dev',`
	gen_require(`
		type apm_bios_t;
	')

	dontaudit $1 apm_bios_t:chr_file setattr;
')

########################################
## <summary>
##	Read and write the apm bios.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_apm_bios',`
	gen_require(`
		type device_t, apm_bios_t;
	')

	rw_chr_files_pattern($1, device_t, apm_bios_t)
')

########################################
## <summary>
##	Get the attributes of the autofs device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_autofs_dev',`
	gen_require(`
		type device_t, autofs_device_t;
	')

	getattr_chr_files_pattern($1, device_t, autofs_device_t)
')

########################################
## <summary>
##	Do not audit attempts to get the attributes of
##	the autofs device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_autofs_dev',`
	gen_require(`
		type autofs_device_t;
	')

	dontaudit $1 autofs_device_t:chr_file getattr;
')

########################################
## <summary>
##	Set the attributes of the autofs device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_autofs_dev',`
	gen_require(`
		type device_t, autofs_device_t;
	')

	setattr_chr_files_pattern($1, device_t, autofs_device_t)
')

########################################
## <summary>
##	Do not audit attempts to set the attributes of
##	the autofs device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_autofs_dev',`
	gen_require(`
		type autofs_device_t;
	')

	dontaudit $1 autofs_device_t:chr_file setattr;
')

########################################
## <summary>
##	Read and write the autofs device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
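##	</summary>
## </param>
#
interface(`dev_rw_autofs',`
	gen_require(`
		type device_t, autofs_device_t;
	')

	rw_chr_files_pattern($1, device_t, autofs_device_t)
')

########################################
## <summary>
##	Relabel the autofs device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_relabel_autofs_dev',`
	gen_require(`
		type autofs_device_t;
	')

	allow $1 autofs_device_t:chr_file relabel_chr_file_perms;
')

########################################
## <summary>
##	Read and write the PCMCIA card manager device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_cardmgr',`
	gen_require(`
		# device_t is the containing-directory type passed to the pattern.
		type device_t, cardmgr_dev_t;
	')

	rw_chr_files_pattern($1, device_t, cardmgr_dev_t)
')

########################################
## <summary>
##	Do not audit attempts to read and
##	write the PCMCIA card manager device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_rw_cardmgr',`
	gen_require(`
		type cardmgr_dev_t;
	')

	dontaudit $1 cardmgr_dev_t:chr_file { read write };
')

########################################
## <summary>
##	Create the PCMCIA card manager device
##	(character or block) with the correct type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_cardmgr_dev',`
	gen_require(`
		type device_t, cardmgr_dev_t;
	')

	create_chr_files_pattern($1, device_t, cardmgr_dev_t)
	create_blk_files_pattern($1, device_t, cardmgr_dev_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	the PCMCIA card manager device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_cardmgr_dev',`
	gen_require(`
		type device_t, cardmgr_dev_t;
	')

	manage_chr_files_pattern($1, device_t, cardmgr_dev_t)
	manage_blk_files_pattern($1, device_t, cardmgr_dev_t)
')

########################################
## <summary>
##	Automatic type transition to the type
##	for PCMCIA card manager device nodes when
##	created in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.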
##	</summary>
## </param>
#
interface(`dev_filetrans_cardmgr',`
	gen_require(`
		type device_t, cardmgr_dev_t;
	')

	filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file }, $2)
')

########################################
## <summary>
##	Automatic type transition to the type
##	for xserver misc device nodes when
##	created in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_filetrans_xserver_misc',`
	gen_require(`
		type device_t, xserver_misc_device_t;
	')

	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file )
')

########################################
## <summary>
##	Get the attributes of the CPU
##	microcode and id interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_cpu_dev',`
	gen_require(`
		type device_t, cpu_device_t;
	')

	getattr_chr_files_pattern($1, device_t, cpu_device_t)
')

########################################
## <summary>
##	Set the attributes of the CPU
##	microcode and id interfaces.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_cpu_dev',`
	gen_require(`
		type device_t, cpu_device_t;
	')

	setattr_chr_files_pattern($1, device_t, cpu_device_t)
')

########################################
## <summary>
##	Read the CPU identity.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_cpuid',`
	gen_require(`
		type device_t, cpu_device_t;
	')

	read_chr_files_pattern($1, device_t, cpu_device_t)
')

########################################
## <summary>
##	Read and write the CPU microcode device. This
##	is required to load CPU microcode.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_cpu_microcode',`
	gen_require(`
		type device_t, cpu_device_t;
	')

	rw_chr_files_pattern($1, device_t, cpu_device_t)
')

########################################
## <summary>
##	Read the kernel crash device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_crash',`
	gen_require(`
		type device_t, crash_device_t;
	')

	read_chr_files_pattern($1, device_t, crash_device_t)
')

########################################
## <summary>
##	Read and write to the cachefilesd device.
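## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_cachefiles',`
	gen_require(`
		type device_t, cachefiles_device_t;
	')

	rw_chr_files_pattern($1, device_t, cachefiles_device_t)
')

########################################
## <summary>
##	Read and write the hardware SSL accelerator.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_crypto',`
	gen_require(`
		type device_t, crypt_device_t;
	')

	rw_chr_files_pattern($1, device_t, crypt_device_t)
')

########################################
## <summary>
##	Read and write the ecrypt filesystem device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_ecryptfs',`
	gen_require(`
		type device_t, ecryptfs_device_t;
	')

	rw_chr_files_pattern($1, device_t, ecryptfs_device_t)
')

########################################
## <summary>
##	Set the attributes of the dlm control devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_dlm_control',`
	gen_require(`
		# Require the type the rule below actually references.
		type device_t, dlm_control_device_t;
	')

	setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
')

########################################
## <summary>
##	Read and write the dlm control device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_dlm_control',`
	gen_require(`
		type device_t, dlm_control_device_t;
	')

	rw_chr_files_pattern($1, device_t, dlm_control_device_t)
')

########################################
## <summary>
##	Read and write the dma device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_dma_dev',`
	gen_require(`
		type device_t, dma_device_t;
	')

	rw_chr_files_pattern($1, device_t, dma_device_t)
')

########################################
## <summary>
##	Getattr the dri devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_dri_dev',`
	gen_require(`
		type device_t, dri_device_t;
	')

	getattr_chr_files_pattern($1, device_t, dri_device_t)
')

########################################
## <summary>
##	Setattr the dri devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.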
## ## # interface(`dev_setattr_dri_dev',` gen_require(` type device_t, dri_device_t; ') setattr_chr_files_pattern($1, device_t, dri_device_t) ') ######################################## ## ## Mmap the dri devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_map_dri',` gen_require(` type device_t, dri_device_t; ') allow $1 dri_device_t:chr_file map; ') ######################################## ## ## Read and write the dri devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_dri',` gen_require(` type device_t, dri_device_t; ') rw_chr_files_pattern($1, device_t, dri_device_t) allow $1 dri_device_t:chr_file map; ') ######################################## ## ## Read and write the dri devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_inherited_dri',` gen_require(` type device_t, dri_device_t; ') allow $1 device_t:dir search_dir_perms; allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms; ') ######################################## ## ## Dontaudit read and write on the dri devices. ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_rw_dri',` gen_require(` type dri_device_t; ') dontaudit $1 dri_device_t:chr_file rw_chr_file_perms; ') ######################################## ## ## Create, read, write, and delete the dri devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_manage_dri_dev',` gen_require(` type device_t, dri_device_t; ') manage_chr_files_pattern($1, device_t, dri_device_t) ') ######################################## ## ## Automatic type transition to the type ## for DRI device nodes when created in /dev. ## ## ## ## Domain allowed access. ## ## ## ## ## The name of the object being created. ## ## # interface(`dev_filetrans_dri',` gen_require(` type device_t, dri_device_t; ') filetrans_pattern($1, device_t, dri_device_t, chr_file, $2) ') ######################################## ## ## Get the attributes of the event devices. ## ## ## ## Domain allowed access. 
## ## #
interface(`dev_getattr_input_dev',`
	gen_require(`
		type device_t, event_device_t;
	')

	allow $1 device_t:dir list_dir_perms;
	allow $1 event_device_t:chr_file getattr;
')

########################################
## <summary>
##	Set the attributes of the event devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_input_dev',`
	gen_require(`
		type device_t, event_device_t;
	')

	allow $1 device_t:dir list_dir_perms;
	allow $1 event_device_t:chr_file setattr;
')

########################################
## <summary>
##	Read input event devices (/dev/input).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_input',`
	gen_require(`
		type device_t, event_device_t;
	')

	read_chr_files_pattern($1, device_t, event_device_t)
')

########################################
## <summary>
##	Read and write input event devices (/dev/input).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_input_dev',`
	gen_require(`
		type device_t, event_device_t;
	')

	# Grants write as well as read on the event devices, so review
	# callers as able to send to input devices, not only observe them.
	rw_chr_files_pattern($1, device_t, event_device_t)
')

########################################
## <summary>
##	Read and write inherited input event devices (/dev/input).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_inherited_input_dev',`
	gen_require(`
		type device_t, event_device_t;
	')

	allow $1 device_t:dir search_dir_perms;
	# rw_inherited_chr_file_perms is defined outside this file;
	# presumably it omits open so only already-open descriptors
	# can be used - confirm against the permission set definition.
	allow $1 event_device_t:chr_file rw_inherited_chr_file_perms;
')

########################################
## <summary>
##	Read ipmi devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_ipmi_dev',`
	gen_require(`
		type device_t, ipmi_device_t;
	')

	read_chr_files_pattern($1, device_t, ipmi_device_t)
')

########################################
## <summary>
##	Read and write ipmi devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_ipmi_dev',`
	gen_require(`
		type device_t, ipmi_device_t;
	')

	rw_chr_files_pattern($1, device_t, ipmi_device_t)
')

######################################## ## ## Manage ipmi devices. ## ## ## ## Domain allowed access.
## ## #
interface(`dev_manage_ipmi_dev',`
	gen_require(`
		type device_t, ipmi_device_t;
	')

	manage_chr_files_pattern($1, device_t, ipmi_device_t)
')

########################################
## <summary>
##	Automatic type transition to the type
##	for ipmi device nodes when
##	created in /dev.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="name" optional="true">
##	<summary>
##	The name of the object being created.
##	</summary>
## </param>
#
interface(`dev_filetrans_ipmi',`
	gen_require(`
		type device_t, ipmi_device_t;
	')

	# Character device nodes named $2 that $1 creates in a device_t
	# directory are labeled ipmi_device_t.
	filetrans_pattern($1, device_t, ipmi_device_t, chr_file, $2)
')

########################################
## <summary>
##	Get attributes of infiniband devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_infiniband_dev',`
	gen_require(`
		type device_t, infiniband_device_t;
	')

	getattr_chr_files_pattern($1, device_t, infiniband_device_t)
')

########################################
## <summary>
##	Read infiniband devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_infiniband_dev',`
	gen_require(`
		type device_t, infiniband_device_t;
	')

	# Covers both character and block nodes labeled infiniband_device_t.
	read_chr_files_pattern($1, device_t, infiniband_device_t)
	read_blk_files_pattern($1, device_t, infiniband_device_t)
')

########################################
## <summary>
##	Read and write infiniband devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_infiniband_dev',`
	gen_require(`
		type device_t, infiniband_device_t;
	')

	rw_chr_files_pattern($1, device_t, infiniband_device_t)
	rw_blk_files_pattern($1, device_t, infiniband_device_t)
	# In addition to read and write, the caller may mmap the
	# character device nodes.
	allow $1 infiniband_device_t:chr_file map;
')

########################################
## <summary>
##	Read infiniband mgmt devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_infiniband_mgmt_dev',`
	gen_require(`
		type device_t, infiniband_mgmt_device_t;
	')

	read_chr_files_pattern($1, device_t, infiniband_mgmt_device_t)
	read_blk_files_pattern($1, device_t, infiniband_mgmt_device_t)
')

######################################## ## ## Read and write infiniband mgmt devices. ## ## ## ## Domain allowed access.
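## ## #
interface(`dev_rw_infiniband_mgmt_dev',`
	gen_require(`
		type device_t, infiniband_mgmt_device_t;
	')

	rw_chr_files_pattern($1, device_t, infiniband_mgmt_device_t)
	rw_blk_files_pattern($1, device_t, infiniband_mgmt_device_t)
')

########################################
## <summary>
##	Get the attributes of the framebuffer device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_framebuffer_dev',`
	gen_require(`
		type device_t, framebuf_device_t;
	')

	getattr_chr_files_pattern($1, device_t, framebuf_device_t)
')

########################################
## <summary>
##	Set the attributes of the framebuffer device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_framebuffer_dev',`
	gen_require(`
		type device_t, framebuf_device_t;
	')

	setattr_chr_files_pattern($1, device_t, framebuf_device_t)
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of the framebuffer device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_framebuffer_dev',`
	gen_require(`
		type framebuf_device_t;
	')

	# No access is granted here; only the audit record for the
	# denied setattr is suppressed.
	dontaudit $1 framebuf_device_t:chr_file setattr;
')

########################################
## <summary>
##	Read the framebuffer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_framebuffer',`
	gen_require(`
		type device_t, framebuf_device_t;
	')

	# device_t is referenced by the pattern below, so it is listed in
	# gen_require like in the sibling framebuffer interfaces.
	read_chr_files_pattern($1, device_t, framebuf_device_t)
')

########################################
## <summary>
##	Do not audit attempts to read the framebuffer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_read_framebuffer',`
	gen_require(`
		type framebuf_device_t;
	')

	dontaudit $1 framebuf_device_t:chr_file { getattr read };
')

########################################
## <summary>
##	Write the framebuffer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_framebuffer',`
	gen_require(`
		type device_t, framebuf_device_t;
	')

	write_chr_files_pattern($1, device_t, framebuf_device_t)
')

######################################## ## ## Mmap the framebuffer.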
## ## ## ## Domain allowed access. ## ## # interface(`dev_map_framebuffer',` gen_require(` type framebuf_device_t; ') allow $1 framebuf_device_t:chr_file map; ') ######################################## ## ## Read and write the framebuffer. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_framebuffer',` gen_require(` type device_t, framebuf_device_t; ') rw_chr_files_pattern($1, device_t, framebuf_device_t) ') ######################################## ## ## Read the kernel messages ## ## ## ## Domain allowed access. ## ## # interface(`dev_read_kmsg',` gen_require(` type device_t, kmsg_device_t; ') read_chr_files_pattern($1, device_t, kmsg_device_t) ') ######################################## ## ## Do not audit attempts to read the kernel messages ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_read_kmsg',` gen_require(` type kmsg_device_t; ') dontaudit $1 kmsg_device_t:chr_file read; ') ######################################## ## ## Write to the kernel messages device ## ## ## ## Domain allowed access. ## ## # interface(`dev_write_kmsg',` gen_require(` type device_t, kmsg_device_t; ') write_chr_files_pattern($1, device_t, kmsg_device_t) ') ######################################## ## ## Mounton the kernel messages device ## ## ## ## Domain allowed access. ## ## # interface(`dev_mounton_kmsg',` gen_require(` type kmsg_device_t; ') allow $1 kmsg_device_t:chr_file mounton; ') ######################################## ## ## Get the attributes of the ksm devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_ksm_dev',` gen_require(` type device_t, ksm_device_t; ') getattr_chr_files_pattern($1, device_t, ksm_device_t) ') ######################################## ## ## Set the attributes of the ksm devices. ## ## ## ## Domain allowed access. 
## ## # interface(`dev_setattr_ksm_dev',` gen_require(` type device_t, ksm_device_t; ') setattr_chr_files_pattern($1, device_t, ksm_device_t) ') ######################################## ## ## Read the ksm devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_read_ksm',` gen_require(` type device_t, ksm_device_t; ') read_chr_files_pattern($1, device_t, ksm_device_t) ') ######################################## ## ## Read and write to ksm devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_ksm',` gen_require(` type device_t, ksm_device_t; ') rw_chr_files_pattern($1, device_t, ksm_device_t) ') ######################################## ## ## Get the attributes of the kvm devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_kvm_dev',` gen_require(` type device_t, kvm_device_t; ') getattr_chr_files_pattern($1, device_t, kvm_device_t) ') ######################################## ## ## Set the attributes of the kvm devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_setattr_kvm_dev',` gen_require(` type device_t, kvm_device_t; ') setattr_chr_files_pattern($1, device_t, kvm_device_t) ') ######################################## ## ## Read the kvm devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_read_kvm',` gen_require(` type device_t, kvm_device_t; ') read_chr_files_pattern($1, device_t, kvm_device_t) ') ######################################## ## ## Read and write to kvm devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_kvm',` gen_require(` type device_t, kvm_device_t; ') rw_chr_files_pattern($1, device_t, kvm_device_t) ') ######################################## ## ## Read and write to sev devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_sev',` gen_require(` type device_t, sev_device_t; ') rw_chr_files_pattern($1, device_t, sev_device_t) ') ###################################### ## ## Read the lirc device. ## ## ## ## Domain allowed access. 
## ## # interface(`dev_read_lirc',` gen_require(` type device_t, lirc_device_t; ') read_chr_files_pattern($1, device_t, lirc_device_t) ') ###################################### ## ## Read and write the lirc device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_lirc',` gen_require(` type device_t, lirc_device_t; ') rw_chr_files_pattern($1, device_t, lirc_device_t) ') ###################################### ## ## Automatic type transition to the type ## for lirc device nodes when created in /dev. ## ## ## ## Domain allowed access. ## ## ## ## ## The name of the object being created. ## ## # interface(`dev_filetrans_lirc',` gen_require(` type device_t, lirc_device_t; ') filetrans_pattern($1, device_t, lirc_device_t, chr_file, $2) ') ######################################## ## ## Get the attributes of the loop comtrol device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_loop_control',` gen_require(` type device_t, loop_control_device_t; ') getattr_chr_files_pattern($1, device_t, loop_control_device_t) ') ######################################## ## ## Read the loop comtrol device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_read_loop_control',` gen_require(` type device_t, loop_control_device_t; ') read_chr_files_pattern($1, device_t, loop_control_device_t) ') ######################################## ## ## Read and write the loop control device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_loop_control',` gen_require(` type device_t, loop_control_device_t; ') rw_chr_files_pattern($1, device_t, loop_control_device_t) ') ######################################## ## ## Do not audit attempts to read and write loop control device. ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_rw_loop_control',` gen_require(` type loop_control_device_t; ') dontaudit $1 loop_control_device_t:chr_file rw_file_perms; ') ######################################## ## ## Delete the loop control device. 
## ## ## ## Domain allowed access. ## ## # interface(`dev_delete_loop_control_dev',` gen_require(` type device_t, loop_control_device_t; ') delete_chr_files_pattern($1, device_t, loop_control_device_t) ') ######################################## ## ## Get the attributes of the loop comtrol device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_lvm_control',` gen_require(` type device_t, lvm_control_t; ') getattr_chr_files_pattern($1, device_t, lvm_control_t) ') ######################################## ## ## Read the lvm comtrol device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_read_lvm_control',` gen_require(` type device_t, lvm_control_t; ') read_chr_files_pattern($1, device_t, lvm_control_t) ') ######################################## ## ## Read and write the lvm control device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_lvm_control',` gen_require(` type device_t, lvm_control_t; ') rw_chr_files_pattern($1, device_t, lvm_control_t) ') ######################################## ## ## Do not audit attempts to read and write lvm control device. ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_rw_lvm_control',` gen_require(` type lvm_control_t; ') dontaudit $1 lvm_control_t:chr_file rw_file_perms; ') ######################################## ## ## Delete the lvm control device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_delete_lvm_control_dev',` gen_require(` type device_t, lvm_control_t; ') delete_chr_files_pattern($1, device_t, lvm_control_t) ') ######################################## ## ## dontaudit getattr raw memory devices (e.g. /dev/mem). ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_getattr_memory_dev',` gen_require(` type memory_device_t; ') dontaudit $1 memory_device_t:chr_file getattr; ') ######################################## ## ## Read raw memory devices (e.g. /dev/mem). ## ## ## ## Domain allowed access. 
## ## #
interface(`dev_read_raw_memory',`
	gen_require(`
		type device_t, memory_device_t;
		attribute memory_raw_read;
	')

	# NOTE(review): this interface grants more than a plain read, so
	# its callers should be audited as highly privileged domains.
	read_chr_files_pattern($1, device_t, memory_device_t)
	# The caller may also mmap the raw memory device.
	allow $1 memory_device_t:chr_file map;
	# The caller receives the sys_rawio capability on itself.
	allow $1 self:capability sys_rawio;
	# The caller is tagged with memory_raw_read. How that attribute is
	# constrained is not visible in this file - confirm in the module
	# policy that declares it.
	typeattribute $1 memory_raw_read;
')

########################################
## <summary>
##	Allow to be reader of raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_raw_memory_reader',`
	gen_require(`
		attribute memory_raw_read;
	')

	# Only assigns the attribute; no allow rule is added here.
	typeattribute $1 memory_raw_read;
')

########################################
## <summary>
##	Do not audit attempts to read raw memory devices
##	(e.g. /dev/mem).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_read_raw_memory',`
	gen_require(`
		type memory_device_t;
	')

	# The access stays denied; only the audit record is suppressed.
	# NOTE(review): denied reads of raw memory by this domain will no
	# longer appear in the audit log, which reduces visibility for
	# detection.
	dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
')

########################################
## <summary>
##	Do not audit attempts to write to raw memory devices
##	(e.g. /dev/mem).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_write_raw_memory',`
	gen_require(`
		type memory_device_t;
	')

	# The access stays denied; only the audit record is suppressed.
	# NOTE(review): denied writes to raw memory by this domain will no
	# longer appear in the audit log, which reduces visibility for
	# detection.
	dontaudit $1 memory_device_t:chr_file write_chr_file_perms;
')

########################################
## <summary>
##	Write raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_raw_memory',`
	gen_require(`
		type device_t, memory_device_t;
		attribute memory_raw_write;
	')

	# NOTE(review): callers can write through the raw memory device
	# and should be audited as highly privileged domains.
	write_chr_files_pattern($1, device_t, memory_device_t)
	# The caller receives the sys_rawio capability on itself.
	allow $1 self:capability sys_rawio;
	# The caller is tagged with memory_raw_write. How that attribute is
	# constrained is not visible in this file - confirm in the module
	# policy that declares it.
	typeattribute $1 memory_raw_write;
')

########################################
## <summary>
##	Allow to be writer of raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_raw_memory_writer',`
	gen_require(`
		attribute memory_raw_write;
	')

	# Only assigns the attribute; no allow rule is added here.
	typeattribute $1 memory_raw_write;
')

######################################## ## ## Read and execute raw memory devices (e.g. /dev/mem). ## ## ## ## Domain allowed access.
## ## #
interface(`dev_rx_raw_memory',`
	gen_require(`
		type device_t, memory_device_t;
	')

	# Pulls in everything dev_read_raw_memory grants to the caller.
	dev_read_raw_memory($1)
	# Adds map and execute on the raw memory device node.
	# NOTE(review): executable mappings of raw memory are rarely
	# needed; keep the set of calling domains as small as possible.
	allow $1 memory_device_t:chr_file { map execute };
')

########################################
## <summary>
##	Write and execute raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_wx_raw_memory',`
	gen_require(`
		type device_t, memory_device_t;
	')

	# Pulls in everything dev_write_raw_memory grants to the caller.
	dev_write_raw_memory($1)
	# Adds map and execute on the raw memory device node, so the
	# caller holds write and execute on the same device.
	# NOTE(review): keep the set of calling domains as small as
	# possible and review each one.
	allow $1 memory_device_t:chr_file { map execute };
')

########################################
## <summary>
##	Get the attributes of miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_misc_dev',`
	gen_require(`
		type device_t, misc_device_t;
	')

	getattr_chr_files_pattern($1, device_t, misc_device_t)
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_misc_dev',`
	gen_require(`
		type misc_device_t;
	')

	dontaudit $1 misc_device_t:chr_file getattr;
')

########################################
## <summary>
##	Set the attributes of miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_misc_dev',`
	gen_require(`
		type device_t, misc_device_t;
	')

	setattr_chr_files_pattern($1, device_t, misc_device_t)
')

########################################
## <summary>
##	Do not audit attempts to set the attributes
##	of miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_setattr_misc_dev',`
	gen_require(`
		type misc_device_t;
	')

	dontaudit $1 misc_device_t:chr_file setattr;
')

########################################
## <summary>
##	Read miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_misc',`
	gen_require(`
		type device_t, misc_device_t;
	')

	read_chr_files_pattern($1, device_t, misc_device_t)
')

######################################## ## ## Write miscellaneous devices. ## ## ## ## Domain allowed access.
## ## # interface(`dev_write_misc',` gen_require(` type device_t, misc_device_t; ') write_chr_files_pattern($1, device_t, misc_device_t) ') ######################################## ## ## Do not audit attempts to read and write miscellaneous devices. ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_rw_misc',` gen_require(` type misc_device_t; ') dontaudit $1 misc_device_t:chr_file rw_file_perms; ') ######################################## ## ## Get the attributes of the modem devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_modem_dev',` gen_require(` type device_t, modem_device_t; ') getattr_chr_files_pattern($1, device_t, modem_device_t) ') ######################################## ## ## Set the attributes of the modem devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_setattr_modem_dev',` gen_require(` type device_t, modem_device_t; ') setattr_chr_files_pattern($1, device_t, modem_device_t) ') ######################################## ## ## Read the modem devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_read_modem',` gen_require(` type device_t, modem_device_t; ') read_chr_files_pattern($1, device_t, modem_device_t) ') ######################################## ## ## Read and write to modem devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_modem',` gen_require(` type device_t, modem_device_t; ') rw_chr_files_pattern($1, device_t, modem_device_t) ') ######################################## ## ## Get the attributes of the monitor devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_monitor_dev',` gen_require(` type device_t, monitor_device_t; ') getattr_chr_files_pattern($1, device_t, monitor_device_t) ') ######################################## ## ## Set the attributes of the monitor devices. ## ## ## ## Domain allowed access. 
## ## # interface(`dev_setattr_monitor_dev',` gen_require(` type device_t, monitor_device_t; ') setattr_chr_files_pattern($1, device_t, monitor_device_t) ') ######################################## ## ## Read the monitor devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_read_monitor_dev',` gen_require(` type device_t, monitor_device_t; ') read_chr_files_pattern($1, device_t, monitor_device_t) ') ######################################## ## ## Read and write to monitor devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_monitor_dev',` gen_require(` type device_t, monitor_device_t; ') rw_chr_files_pattern($1, device_t, monitor_device_t) ') ######################################## ## ## Get the attributes of the mouse devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_mouse_dev',` gen_require(` type device_t, mouse_device_t; ') getattr_chr_files_pattern($1, device_t, mouse_device_t) ') ######################################## ## ## Set the attributes of the mouse devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_setattr_mouse_dev',` gen_require(` type device_t, mouse_device_t; ') setattr_chr_files_pattern($1, device_t, mouse_device_t) ') ######################################## ## ## Read the mouse devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_read_mouse',` gen_require(` type device_t, mouse_device_t; ') read_chr_files_pattern($1, device_t, mouse_device_t) ') ######################################## ## ## Read and write to mouse devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_mouse',` gen_require(` type device_t, mouse_device_t; ') rw_chr_files_pattern($1, device_t, mouse_device_t) ') ######################################## ## ## Get the attributes of the memory type range ## registers (MTRR) device. ## ## ## ## Domain allowed access. 
## ## # interface(`dev_getattr_mtrr_dev',` gen_require(` type device_t, mtrr_device_t; ') getattr_files_pattern($1, device_t, mtrr_device_t) getattr_chr_files_pattern($1, device_t, mtrr_device_t) ') ######################################## ## ## Write the memory type range ## registers (MTRR). (Deprecated) ## ## ##

## Write the memory type range ## registers (MTRR). This interface has ## been deprecated, dev_rw_mtrr() should be ## used instead. ##

##

## The MTRR device ioctls can be used for ## reading and writing; thus, write access to the ## device cannot be separated from read access. ##

##
## ## ## Domain allowed access. ## ## # interface(`dev_write_mtrr',` refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().') dev_rw_mtrr($1) ') ######################################## ## ## Do not audit attempts to write the memory type ## range registers (MTRR). ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_write_mtrr',` gen_require(` type mtrr_device_t; ') dontaudit $1 mtrr_device_t:file write_file_perms; dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms; ') ######################################## ## ## Do not audit attempts to read the memory type ## range registers (MTRR). ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_read_mtrr',` gen_require(` type mtrr_device_t; ') dontaudit $1 mtrr_device_t:file { open read }; dontaudit $1 mtrr_device_t:chr_file { open read }; ') ######################################## ## ## Read the memory type range registers (MTRR). ## ## ## ## Domain allowed access. ## ## # interface(`dev_read_mtrr',` gen_require(` type device_t, mtrr_device_t; ') read_files_pattern($1, device_t, mtrr_device_t) read_chr_files_pattern($1, device_t, mtrr_device_t) ') ######################################## ## ## Read and write the memory type range registers (MTRR). ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_mtrr',` gen_require(` type device_t, mtrr_device_t; ') rw_files_pattern($1, device_t, mtrr_device_t) rw_chr_files_pattern($1, device_t, mtrr_device_t) ') ######################################## ## ## Get the attributes of the network control device ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_netcontrol_dev',` gen_require(` type device_t, netcontrol_device_t; ') getattr_chr_files_pattern($1, device_t, netcontrol_device_t) ') ######################################## ## ## Read the network control identity. ## ## ## ## Domain allowed access. 
## ## # interface(`dev_read_netcontrol',` gen_require(` type device_t, netcontrol_device_t; ') read_chr_files_pattern($1, device_t, netcontrol_device_t) ') ######################################## ## ## Read and write the the network control device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_netcontrol',` gen_require(` type device_t, netcontrol_device_t; ') rw_chr_files_pattern($1, device_t, netcontrol_device_t) ') ######################################## ## ## Get the attributes of the null device nodes. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_null_dev',` gen_require(` type device_t, null_device_t; ') getattr_chr_files_pattern($1, device_t, null_device_t) ') ######################################## ## ## Set the attributes of the null device nodes. ## ## ## ## Domain allowed access. ## ## # interface(`dev_setattr_null_dev',` gen_require(` type device_t, null_device_t; ') setattr_chr_files_pattern($1, device_t, null_device_t) ') ######################################## ## ## Delete the null device (/dev/null). ## ## ## ## Domain allowed access. ## ## # interface(`dev_delete_null',` gen_require(` type device_t, null_device_t; ') delete_chr_files_pattern($1, device_t, null_device_t) ') ######################################## ## ## Read and write to the null device (/dev/null). ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_null',` gen_require(` type device_t, null_device_t; ') rw_chr_files_pattern($1, device_t, null_device_t) ') ######################################## ## ## Create the null device (/dev/null). ## ## ## ## Domain allowed access. ## ## # interface(`dev_create_null_dev',` gen_require(` type device_t, null_device_t; ') create_chr_files_pattern($1, device_t, null_device_t) ') ######################################## ## ## Get the status of a null device service. ## ## ## ## Domain allowed access. 
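## ## #
interface(`dev_service_status_null_dev',`
	gen_require(`
		type null_device_t;
	')

	allow $1 null_device_t:service status;
')

########################################
## <summary>
##	Configure null_device as a unit file.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`dev_config_null_dev_service',`
	gen_require(`
		type null_device_t;
	')

	allow $1 null_device_t:service manage_service_perms;
')

########################################
## <summary>
##	Read Non-Volatile Memory Host Controller Interface. (Deprecated)
## </summary>
## <desc>
##	Use storage_raw_read_fixed_disk() instead.
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_nvme',`
	refpolicywarn(`$0($*) has been replaced with storage_raw_read_fixed_disk().')
	storage_raw_read_fixed_disk($1)
')

########################################
## <summary>
##	Read/Write Non-Volatile Memory Host Controller Interface. (Deprecated)
## </summary>
## <desc>
##	Use storage_raw_read_fixed_disk() and
##	storage_raw_write_fixed_disk() instead.
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_nvme',`
	refpolicywarn(`$0($*) has been replaced with storage_raw_read_fixed_disk() and storage_raw_write_fixed_disk().')
	storage_raw_read_fixed_disk($1)
	storage_raw_write_fixed_disk($1)
')

########################################
## <summary>
##	Do not audit attempts to get the attributes
##	of the BIOS non-volatile RAM device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_getattr_nvram_dev',`
	gen_require(`
		type nvram_device_t;
	')

	dontaudit $1 nvram_device_t:chr_file getattr;
')

########################################
## <summary>
##	Read BIOS non-volatile RAM.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_nvram',`
	gen_require(`
		type device_t, nvram_device_t;
	')

	# device_t is referenced by the pattern below, so it is listed in
	# gen_require alongside nvram_device_t.
	read_chr_files_pattern($1, device_t, nvram_device_t)
')

######################################## ## ## Read and write BIOS non-volatile RAM. ## ## ## ## Domain allowed access.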
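## ## #
interface(`dev_rw_nvram',`
	gen_require(`
		type device_t, nvram_device_t;
	')

	# device_t is referenced by the pattern below, so it is listed in
	# gen_require alongside nvram_device_t.
	rw_chr_files_pattern($1, device_t, nvram_device_t)
')

########################################
## <summary>
##	Get the attributes of the printer device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_printer_dev',`
	gen_require(`
		type device_t, printer_device_t;
	')

	getattr_chr_files_pattern($1, device_t, printer_device_t)
')

########################################
## <summary>
##	Set the attributes of the printer device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_printer_dev',`
	gen_require(`
		type device_t, printer_device_t;
	')

	setattr_chr_files_pattern($1, device_t, printer_device_t)
')

########################################
## <summary>
##	Append the printer device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# cjp: added for lpd/checkpc_t
interface(`dev_append_printer',`
	gen_require(`
		type device_t, printer_device_t;
	')

	append_chr_files_pattern($1, device_t, printer_device_t)
')

########################################
## <summary>
##	Read and write the printer device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_printer',`
	gen_require(`
		type device_t, printer_device_t;
	')

	rw_chr_files_pattern($1, device_t, printer_device_t)
')

########################################
## <summary>
##	Relabel the printer device node.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_relabel_printer',`
	gen_require(`
		type printer_device_t;
	')

	allow $1 printer_device_t:chr_file relabel_chr_file_perms;
')

########################################
## <summary>
##	Create, read, write, and delete the printer device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_manage_printer',`
	gen_require(`
		type device_t, printer_device_t;
	')

	manage_chr_files_pattern($1, device_t, printer_device_t)
	# Also applies the named file transition for printer device nodes;
	# dev_filetrans_printer_named_dev is defined outside this section.
	dev_filetrans_printer_named_dev($1)
')

######################################## ## ## Get the attributes of the QEMU ## microcode and id interfaces. ## ## ## ## Domain allowed access.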
## ## # interface(`dev_getattr_qemu_dev',` gen_require(` type device_t, qemu_device_t; ') getattr_chr_files_pattern($1, device_t, qemu_device_t) ') ######################################## ## ## Set the attributes of the QEMU ## microcode and id interfaces. ## ## ## ## Domain allowed access. ## ## # interface(`dev_setattr_qemu_dev',` gen_require(` type device_t, qemu_device_t; ') setattr_chr_files_pattern($1, device_t, qemu_device_t) ') ######################################## ## ## Read the QEMU device ## ## ## ## Domain allowed access. ## ## # interface(`dev_read_qemu',` gen_require(` type device_t, qemu_device_t; ') read_chr_files_pattern($1, device_t, qemu_device_t) ') ######################################## ## ## Read and write the the QEMU device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_qemu',` gen_require(` type device_t, qemu_device_t; ') rw_chr_files_pattern($1, device_t, qemu_device_t) ') ######################################## ## ## Read from random number generator ## devices (e.g., /dev/random). ## ## ##

## Allow the specified domain to read from random number ## generator devices (e.g., /dev/random). Typically this is ## used in situations when a cryptographically secure random ## number is needed. ##

##

## Related interface: ##

##
    ##
  • dev_read_urand()
  • ##
##
## ## ## Domain allowed access. ## ## ## # interface(`dev_read_rand',` gen_require(` type device_t, random_device_t; ') read_chr_files_pattern($1, device_t, random_device_t) ') ######################################## ## ## Do not audit attempts to read from random ## number generator devices (e.g., /dev/random) ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_read_rand',` gen_require(` type random_device_t; ') dontaudit $1 random_device_t:chr_file { getattr read }; ') ######################################## ## ## Do not audit attempts to append to the random ## number generator devices (e.g., /dev/random) ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_append_rand',` gen_require(` type random_device_t; ') dontaudit $1 random_device_t:chr_file { append }; ') ######################################## ## ## Write to the random device (e.g., /dev/random). This adds ## entropy used to generate the random data read from the ## random device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_write_rand',` gen_require(` type device_t, random_device_t; ') write_chr_files_pattern($1, device_t, random_device_t) ') ######################################## ## ## Read the realtime clock (/dev/rtc). ## ## ## ## Domain allowed access. ## ## # interface(`dev_read_realtime_clock',` gen_require(` type device_t, clock_device_t; ') read_chr_files_pattern($1, device_t, clock_device_t) ') ######################################## ## ## Set the realtime clock (/dev/rtc). ## ## ## ## Domain allowed access. ## ## # interface(`dev_write_realtime_clock',` gen_require(` type device_t, clock_device_t; ') write_chr_files_pattern($1, device_t, clock_device_t) allow $1 clock_device_t:chr_file setattr; ') ######################################## ## ## Read and set the realtime clock (/dev/rtc). ## ## ## ## Domain allowed access. 
## ## # interface(`dev_rw_realtime_clock',` dev_read_realtime_clock($1) dev_write_realtime_clock($1) ') ######################################## ## ## Get the attributes of the scanner device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_scanner_dev',` gen_require(` type device_t, scanner_device_t; ') getattr_chr_files_pattern($1, device_t, scanner_device_t) ') ######################################## ## ## Do not audit attempts to get the attributes of ## the scanner device. ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_getattr_scanner_dev',` gen_require(` type scanner_device_t; ') dontaudit $1 scanner_device_t:chr_file getattr; ') ######################################## ## ## Set the attributes of the scanner device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_setattr_scanner_dev',` gen_require(` type device_t, scanner_device_t; ') setattr_chr_files_pattern($1, device_t, scanner_device_t) ') ######################################## ## ## Do not audit attempts to set the attributes of ## the scanner device. ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_setattr_scanner_dev',` gen_require(` type scanner_device_t; ') dontaudit $1 scanner_device_t:chr_file setattr; ') ######################################## ## ## Read and write the scanner device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_scanner',` gen_require(` type device_t, scanner_device_t; ') rw_chr_files_pattern($1, device_t, scanner_device_t) ') ######################################## ## ## Get the attributes of the sound devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_sound_dev',` gen_require(` type device_t, sound_device_t; ') getattr_chr_files_pattern($1, device_t, sound_device_t) ') ######################################## ## ## Set the attributes of the sound devices. ## ## ## ## Domain allowed access. 
## ## # interface(`dev_setattr_sound_dev',` gen_require(` type device_t, sound_device_t; ') setattr_chr_files_pattern($1, device_t, sound_device_t) ') ######################################## ## ## Read the sound devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_read_sound',` gen_require(` type device_t, sound_device_t; ') read_chr_files_pattern($1, device_t, sound_device_t) allow $1 sound_device_t:chr_file map; ') ######################################## ## ## Write the sound devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_write_sound',` gen_require(` type device_t, sound_device_t; ') write_chr_files_pattern($1, device_t, sound_device_t) ') ######################################## ## ## Read the sound mixer devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_read_sound_mixer',` gen_require(` type device_t, sound_device_t; ') read_chr_files_pattern($1, device_t, sound_device_t) allow $1 sound_device_t:chr_file map; ') ######################################## ## ## Write the sound mixer devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_write_sound_mixer',` gen_require(` type device_t, sound_device_t; ') write_chr_files_pattern($1, device_t, sound_device_t) ') ######################################## ## ## Get the attributes of the the power management device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_power_mgmt_dev',` gen_require(` type device_t, power_device_t; ') getattr_chr_files_pattern($1, device_t, power_device_t) ') ######################################## ## ## Set the attributes of the the power management device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_setattr_power_mgmt_dev',` gen_require(` type device_t, power_device_t; ') setattr_chr_files_pattern($1, device_t, power_device_t) ') ######################################## ## ## Read and write the the power management device. ## ## ## ## Domain allowed access. 
## ## # interface(`dev_rw_power_management',` gen_require(` type device_t, power_device_t; ') rw_chr_files_pattern($1, device_t, power_device_t) ') ######################################## ## ## Getattr on smartcard devices ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_smartcard_dev',` gen_require(` type smartcard_device_t; ') allow $1 smartcard_device_t:chr_file getattr; ') ######################################## ## ## dontaudit getattr on smartcard devices ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_getattr_smartcard_dev',` gen_require(` type smartcard_device_t; ') dontaudit $1 smartcard_device_t:chr_file getattr; ') ######################################## ## ## Read and write smartcard devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_smartcard',` gen_require(` type device_t, smartcard_device_t; ') rw_chr_files_pattern($1, device_t, smartcard_device_t) ') ######################################## ## ## Create, read, write, and delete smartcard devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_manage_smartcard',` gen_require(` type device_t, smartcard_device_t; ') manage_chr_files_pattern($1, device_t, smartcard_device_t) ') ######################################## ## ## Associate a file to a sysfs filesystem. ## ## ## ## The type of the file to be associated to sysfs. ## ## # interface(`dev_associate_sysfs',` gen_require(` type sysfs_t; ') allow $1 sysfs_t:filesystem associate; ') ######################################## ## ## Get the attributes of sysfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_sysfs_dirs',` gen_require(` type sysfs_t; ') allow $1 sysfs_t:dir getattr_dir_perms; ') ######################################## ## ## Set the attributes of sysfs directories. ## ## ## ## Domain allowed access. 
## ## # interface(`dev_setattr_sysfs_dirs',` gen_require(` type sysfs_t; ') allow $1 sysfs_t:dir setattr_dir_perms; ') ######################################## ## ## Get attributes of sysfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_sysfs_fs',` gen_require(` type sysfs_t; ') allow $1 sysfs_t:filesystem getattr; ') ######################################## ## ## Mount a filesystem on /sys ## ## ## ## Domain allow access. ## ## # interface(`dev_mounton_sysfs',` gen_require(` type sysfs_t; ') allow $1 sysfs_t:dir mounton; ') ######################################## ## ## Dontaudit attempts to mount a filesystem on /sys ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_mounton_sysfs',` gen_require(` type sysfs_t; ') dontaudit $1 sysfs_t:dir mounton; ') ######################################## ## ## Mount sysfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`dev_mount_sysfs_fs',` gen_require(` type sysfs_t; ') allow $1 sysfs_t:filesystem mount; ') ######################################## ## ## Unmount sysfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`dev_unmount_sysfs_fs',` gen_require(` type sysfs_t; ') allow $1 sysfs_t:filesystem unmount; ') ######################################## ## ## Remount sysfs filesystems. ## ## ## ## Domain allowed access. ## ## # interface(`dev_remount_sysfs_fs',` gen_require(` type sysfs_t; ') allow $1 sysfs_t:filesystem remount; ') ######################################## ## ## Search the sysfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`dev_search_sysfs',` gen_require(` type sysfs_t; ') search_dirs_pattern($1, sysfs_t, sysfs_t) ') ######################################## ## ## Do not audit attempts to search sysfs. ## ## ## ## Domain to not audit. 
## ## # interface(`dev_dontaudit_search_sysfs',` gen_require(` type sysfs_t; ') dontaudit $1 sysfs_t:dir search_dir_perms; ') ######################################## ## ## List the contents of the sysfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`dev_list_sysfs',` gen_require(` type sysfs_t; ') read_lnk_files_pattern($1, sysfs_t, sysfs_t) list_dirs_pattern($1, sysfs_t, sysfs_t) ') ######################################## ## ## Write in a sysfs directories. ## ## ## ## Domain allowed access. ## ## # # cjp: added for cpuspeed interface(`dev_write_sysfs_dirs',` gen_require(` type sysfs_t; ') allow $1 sysfs_t:dir write; ') ######################################## ## ## Access check for a sysfs directories. ## ## ## ## Domain allowed access. ## ## # interface(`dev_access_check_sysfs',` gen_require(` type sysfs_t; ') allow $1 sysfs_t:dir audit_access; ') ######################################## ## ## Do not audit attempts to write in a sysfs directory. ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_write_sysfs_dirs',` gen_require(` type sysfs_t; ') dontaudit $1 sysfs_t:dir write; ') ######################################## ## ## Read cpu online hardware state information. ## ## ##

## Allow the specified domain to read the /sys/devices/system/cpu/online file. ##

##
## ## ## Domain allowed access. ## ## # interface(`dev_read_cpu_online',` gen_require(` type cpu_online_t; ') dev_search_sysfs($1) read_files_pattern($1, cpu_online_t, cpu_online_t) ') ######################################## ## ## Relabel cpu online hardware state information. ## ## ## ## Domain allowed access. ## ## # interface(`dev_relabel_cpu_online',` gen_require(` type cpu_online_t; type sysfs_t; ') dev_search_sysfs($1) allow $1 cpu_online_t:file relabel_file_perms; ') ######################################## ## ## Read hardware state information. ## ## ##

## Allow the specified domain to read the contents of ## the sysfs filesystem. This filesystem contains ## information, parameters, and other settings on the ## hardware installed on the system. ##

##
## ## ## Domain allowed access. ## ## ## # interface(`dev_read_sysfs',` gen_require(` type sysfs_t; ') read_files_pattern($1, sysfs_t, sysfs_t) read_lnk_files_pattern($1, sysfs_t, sysfs_t) list_dirs_pattern($1, sysfs_t, sysfs_t) ') ######################################## ## ## Allow caller to modify hardware state information. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_sysfs',` gen_require(` type sysfs_t; ') rw_files_pattern($1, sysfs_t, sysfs_t) read_lnk_files_pattern($1, sysfs_t, sysfs_t) list_dirs_pattern($1, sysfs_t, sysfs_t) ') ######################################## ## ## Allow caller create hardware state information files. ## ## ## ## Domain allowed access. ## ## # interface(`dev_create_sysfs_files',` gen_require(` type sysfs_t; ') create_files_pattern($1, sysfs_t, sysfs_t) ') ######################################## ## ## Relabel hardware state directories. ## ## ## ## Domain allowed access. ## ## # interface(`dev_relabel_sysfs_dirs',` gen_require(` type sysfs_t; ') relabel_dirs_pattern($1, sysfs_t, sysfs_t) ') ######################################## ## ## Relabel hardware state files ## ## ## ## Domain allowed access. ## ## # interface(`dev_relabel_all_sysfs',` gen_require(` type sysfs_t; ') relabel_dirs_pattern($1, sysfs_t, sysfs_t) relabel_files_pattern($1, sysfs_t, sysfs_t) relabel_lnk_files_pattern($1, sysfs_t, sysfs_t) ') ######################################## ## ## Allow caller to modify hardware state information. ## ## ## ## Domain allowed access. ## ## # interface(`dev_manage_sysfs_dirs',` gen_require(` type sysfs_t; ') manage_dirs_pattern($1, sysfs_t, sysfs_t) ') ######################################## ## ## Allow caller to modify hardware state information. ## ## ## ## Domain allowed access. 
##
##
#
interface(`dev_manage_sysfs',`
	gen_require(`
		type sysfs_t;
	')

	# Directories, regular files and symlinks labeled sysfs_t are all
	# covered by the manage patterns below.
	manage_dirs_pattern($1, sysfs_t, sysfs_t)
	manage_files_pattern($1, sysfs_t, sysfs_t)
	manage_lnk_files_pattern($1, sysfs_t, sysfs_t)
')

########################################
## <summary>
##	Memory map sysfs files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_map_sysfs',`
	gen_require(`
		type sysfs_t;
	')

	# Only the map permission is granted; read or write access to
	# sysfs_t files has to come from another interface.
	allow $1 sysfs_t:file map;
')

########################################
## <summary>
##	Read the TPM device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_tpm',`
	gen_require(`
		type device_t, tpm_device_t;
	')

	read_chr_files_pattern($1, device_t, tpm_device_t)
')

########################################
## <summary>
##	Read and write the TPM device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_tpm',`
	gen_require(`
		type device_t, tpm_device_t;
	')

	# NOTE(review): write access lets the caller send commands to the
	# TPM; keep the set of calling domains small.
	rw_chr_files_pattern($1, device_t, tpm_device_t)
')

########################################
##
## Read from pseudo random number generator devices (e.g., /dev/urandom).
##
##
##

## Allow the specified domain to read from pseudo random number ## generator devices (e.g., /dev/urandom). Typically this is ## used in situations when a cryptographically secure random ## number is not necessarily needed. One example is the Stack ## Smashing Protector (SSP, formerly known as ProPolice) support ## that may be compiled into programs. ##

##

## Related interface: ##

##
    ##
  • dev_read_rand()
  • ##
##

## Related tunable: ##

##
    ##
  • global_ssp
  • ##
##
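##
##
## Domain allowed access.
##
##
##
#
interface(`dev_read_urand',`
	gen_require(`
		type device_t, urandom_device_t;
	')

	read_chr_files_pattern($1, device_t, urandom_device_t)
')

########################################
## <summary>
##	Do not audit attempts to read from pseudo
##	random devices (e.g., /dev/urandom)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_read_urand',`
	gen_require(`
		type urandom_device_t;
	')

	# Suppresses audit records only; the access itself stays denied.
	dontaudit $1 urandom_device_t:chr_file { getattr read };
')

########################################
## <summary>
##	Write to the pseudo random device (e.g., /dev/urandom). This
##	sets the random number generator seed.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_urand',`
	gen_require(`
		type device_t, urandom_device_t;
	')

	write_chr_files_pattern($1, device_t, urandom_device_t)
')

########################################
## <summary>
##	Do not audit attempts to write to pseudo
##	random devices (e.g., /dev/urandom)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dev_dontaudit_write_urand',`
	gen_require(`
		type urandom_device_t;
	')

	dontaudit $1 urandom_device_t:chr_file write;
')

########################################
## <summary>
##	Delete the pseudo random device node (e.g., /dev/urandom).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_delete_urand',`
	gen_require(`
		type urandom_device_t;
	')

	# Grants unlink on the device node itself; no directory permissions
	# on the parent are added by this interface.
	allow $1 urandom_device_t:chr_file unlink;
')

########################################
## <summary>
##	Get the attributes of generic USB devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_generic_usb_dev',`
	gen_require(`
		type usb_device_t,device_t;
	')

	getattr_chr_files_pattern($1, device_t, usb_device_t)
')

########################################
## <summary>
##	Set the attributes of generic USB devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_generic_usb_dev',`
	gen_require(`
		type device_t, usb_device_t;
	')

	# device_t is used by the pattern, so it is required above together
	# with usb_device_t, matching dev_getattr_generic_usb_dev.
	setattr_chr_files_pattern($1, device_t, usb_device_t)
')

########################################
##
## Read generic the USB devices.
##
##
##
## Domain allowed access. 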
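##
##
#
interface(`dev_read_generic_usb_dev',`
	gen_require(`
		type device_t, usb_device_t;
	')

	# device_t is used by the pattern, so it is listed in gen_require
	# next to usb_device_t; a caller that does not already require
	# device_t could otherwise fail to compile.
	read_chr_files_pattern($1, device_t, usb_device_t)
')

########################################
## <summary>
##	Read and write generic USB devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_generic_usb_dev',`
	gen_require(`
		type device_t, usb_device_t;
	')

	rw_chr_files_pattern($1, device_t, usb_device_t)
')

########################################
## <summary>
##	Relabel generic USB devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_relabel_generic_usb_dev',`
	gen_require(`
		type device_t, usb_device_t;
	')

	# Same require fix as dev_read_generic_usb_dev: the pattern names
	# device_t, so it must be required here.
	relabel_chr_files_pattern($1, device_t, usb_device_t)
')

########################################
## <summary>
##	Read USB monitor devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_usbmon_dev',`
	gen_require(`
		type device_t, usbmon_device_t;
	')

	# NOTE(review): usbmon nodes expose captured USB bus traffic, which
	# can include input from other devices on the bus; callers should be
	# limited to capture or debugging domains.
	read_chr_files_pattern($1, device_t, usbmon_device_t)
')

########################################
## <summary>
##	Mmap USB monitor devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_map_usbmon_dev',`
	gen_require(`
		type usbmon_device_t;
	')

	# Map permission only; read access comes from dev_read_usbmon_dev.
	allow $1 usbmon_device_t:chr_file map;
')

########################################
## <summary>
##	Write USB monitor devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_usbmon_dev',`
	gen_require(`
		type device_t, usbmon_device_t;
	')

	write_chr_files_pattern($1, device_t, usbmon_device_t)
')

########################################
## <summary>
##	Mount a usbfs filesystem.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_mount_usbfs',`
	gen_require(`
		type usbfs_t;
	')

	allow $1 usbfs_t:filesystem mount;
')

########################################
## <summary>
##	Associate a file to a usbfs filesystem.
## </summary>
## <param name="file_type">
##	<summary>
##	The type of the file to be associated to usbfs.
##	</summary>
## </param>
#
interface(`dev_associate_usbfs',`
	gen_require(`
		type usbfs_t;
	')

	# The argument is a file type here, not a domain.
	allow $1 usbfs_t:filesystem associate;
')

########################################
##
## Get the attributes of a directory in the usb filesystem. 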
## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_usbfs_dirs',` gen_require(` type usbfs_t; ') allow $1 usbfs_t:dir getattr_dir_perms; ') ######################################## ## ## Do not audit attempts to get the attributes ## of a directory in the usb filesystem. ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_getattr_usbfs_dirs',` gen_require(` type usbfs_t; ') dontaudit $1 usbfs_t:dir getattr_dir_perms; ') ######################################## ## ## Search the directory containing USB hardware information. ## ## ## ## Domain allowed access. ## ## # interface(`dev_search_usbfs',` gen_require(` type usbfs_t; ') search_dirs_pattern($1, usbfs_t, usbfs_t) ') ######################################## ## ## Allow caller to get a list of usb hardware. ## ## ## ## Domain allowed access. ## ## # interface(`dev_list_usbfs',` gen_require(` type usbfs_t; ') read_lnk_files_pattern($1, usbfs_t, usbfs_t) getattr_files_pattern($1, usbfs_t, usbfs_t) list_dirs_pattern($1, usbfs_t, usbfs_t) ') ######################################## ## ## Set the attributes of usbfs filesystem. ## ## ## ## Domain allowed access. ## ## # interface(`dev_setattr_usbfs_files',` gen_require(` type usbfs_t; ') setattr_files_pattern($1, usbfs_t, usbfs_t) list_dirs_pattern($1, usbfs_t, usbfs_t) ') ######################################## ## ## Read USB hardware information using ## the usbfs filesystem interface. ## ## ## ## Domain allowed access. ## ## # interface(`dev_read_usbfs',` gen_require(` type usbfs_t; ') read_files_pattern($1, usbfs_t, usbfs_t) read_lnk_files_pattern($1, usbfs_t, usbfs_t) list_dirs_pattern($1, usbfs_t, usbfs_t) ') ######################################## ## ## Allow caller to modify usb hardware configuration files. ## ## ## ## Domain allowed access. 
## ## # interface(`dev_rw_usbfs',` gen_require(` type usbfs_t; ') list_dirs_pattern($1, usbfs_t, usbfs_t) rw_files_pattern($1, usbfs_t, usbfs_t) read_lnk_files_pattern($1, usbfs_t, usbfs_t) ') ###################################### ## ## Read and write userio device. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_userio_dev',` gen_require(` type device_t, userio_device_t; ') rw_chr_files_pattern($1, device_t, userio_device_t) ') ######################################## ## ## Mmap the userio devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_map_userio_dev',` gen_require(` type device_t, userio_device_t; ') allow $1 userio_device_t:chr_file map; ') ######################################## ## ## Get the attributes of video4linux devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_video_dev',` gen_require(` type device_t, v4l_device_t; ') getattr_chr_files_pattern($1, device_t, v4l_device_t) ') ######################################## ## ## Do not audit attempts to get the attributes ## of video4linux device nodes. ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_getattr_video_dev',` gen_require(` type v4l_device_t; ') dontaudit $1 v4l_device_t:chr_file getattr; ') ######################################## ## ## Set the attributes of video4linux device nodes. ## ## ## ## Domain allowed access. ## ## # interface(`dev_setattr_video_dev',` gen_require(` type device_t, v4l_device_t; ') setattr_chr_files_pattern($1, device_t, v4l_device_t) ') ######################################## ## ## Do not audit attempts to set the attributes ## of video4linux device nodes. ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_setattr_video_dev',` gen_require(` type v4l_device_t; ') dontaudit $1 v4l_device_t:chr_file setattr; ') ######################################## ## ## Read the video4linux devices. ## ## ## ## Domain allowed access. 
## ## # interface(`dev_read_video_dev',` gen_require(` type device_t, v4l_device_t; ') read_chr_files_pattern($1, device_t, v4l_device_t) ') ######################################## ## ## Mmap the video4linux devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_map_video_dev',` gen_require(` type device_t, v4l_device_t; ') allow $1 v4l_device_t:chr_file map; ') ######################################## ## ## Write the video4linux devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_write_video_dev',` gen_require(` type device_t, v4l_device_t; ') write_chr_files_pattern($1, device_t, v4l_device_t) ') ######################################## ## ## Watch the video4linux devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_watch_video_dev',` gen_require(` type device_t, v4l_device_t; ') watch_chr_files_pattern($1, device_t, v4l_device_t) ') ######################################## ## ## Get the attributes of vfio devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_vfio_dev',` gen_require(` type device_t, vfio_device_t; ') getattr_chr_files_pattern($1, device_t, vfio_device_t) ') ######################################## ## ## Do not audit attempts to get the attributes ## of vfio device nodes. ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_getattr_vfio_dev',` gen_require(` type vfio_device_t; ') dontaudit $1 vfio_device_t:chr_file getattr; ') ######################################## ## ## Set the attributes of vfio device nodes. ## ## ## ## Domain allowed access. ## ## # interface(`dev_setattr_vfio_dev',` gen_require(` type device_t, vfio_device_t; ') setattr_chr_files_pattern($1, device_t, vfio_device_t) ') ######################################## ## ## Do not audit attempts to set the attributes ## of vfio device nodes. ## ## ## ## Domain to not audit. 
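##
##
#
interface(`dev_dontaudit_setattr_vfio_dev',`
	gen_require(`
		type vfio_device_t;
	')

	# Suppresses audit records only; setattr stays denied.
	dontaudit $1 vfio_device_t:chr_file setattr;
')

########################################
## <summary>
##	Read the vfio devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_vfio_dev',`
	gen_require(`
		type device_t, vfio_device_t;
	')

	read_chr_files_pattern($1, device_t, vfio_device_t)
')

########################################
## <summary>
##	Write the vfio devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_vfio_dev',`
	gen_require(`
		type device_t, vfio_device_t;
	')

	write_chr_files_pattern($1, device_t, vfio_device_t)
')

########################################
## <summary>
##	Read and write the VFIO devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_vfio_dev',`
	gen_require(`
		type device_t, vfio_device_t;
	')

	# NOTE(review): VFIO nodes hand user space direct control of
	# passed-through hardware; confirm callers are limited to the
	# domains that actually drive such devices.
	rw_chr_files_pattern($1, device_t, vfio_device_t)
')

########################################
## <summary>
##	Allow read/write the vhost net device
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_vhost',`
	gen_require(`
		type device_t, vhost_device_t;
	')

	rw_chr_files_pattern($1, device_t, vhost_device_t)
')

########################################
## <summary>
##	Allow read/write of an inherited vhost net device
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_inherited_vhost',`
	gen_require(`
		type device_t, vhost_device_t;
	')

	# Direct allow rule with no directory search on device_t.
	# Presumably rw_inherited_chr_file_perms leaves out open, so the
	# caller can only use a descriptor passed to it - verify against
	# the permission set definition.
	allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
')

########################################
## <summary>
##	Allow map the vhost devices
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_map_vhost',`
	gen_require(`
		type device_t, vhost_device_t;
	')

	# Map permission only; pair with dev_rw_vhost or
	# dev_rw_inherited_vhost for read and write access.
	allow $1 vhost_device_t:chr_file map;
')

########################################
##
## Read and write VMWare devices.
##
##
##
## Domain allowed access. 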
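##
##
#
interface(`dev_rw_vmware',`
	gen_require(`
		type device_t, vmware_device_t;
	')

	rw_chr_files_pattern($1, device_t, vmware_device_t)
')

########################################
## <summary>
##	Read, write, mmap, and execute VMWare devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rwx_vmware',`
	gen_require(`
		type device_t, vmware_device_t;
	')

	dev_rw_vmware($1)
	# Adds execute on top of map, so mappings of these nodes can be
	# made executable; prefer dev_rw_vmware where that is not needed.
	allow $1 vmware_device_t:chr_file { map execute };
')

########################################
## <summary>
##	Read from watchdog devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_watchdog',`
	gen_require(`
		type device_t, watchdog_device_t;
	')

	read_chr_files_pattern($1, device_t, watchdog_device_t)
')

########################################
## <summary>
##	Write to watchdog devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_write_watchdog',`
	gen_require(`
		type device_t, watchdog_device_t;
	')

	write_chr_files_pattern($1, device_t, watchdog_device_t)
')

########################################
## <summary>
##	Read and write watchdog devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_watchdog',`
	gen_require(`
		type device_t, watchdog_device_t;
	')

	rw_chr_files_pattern($1, device_t, watchdog_device_t)
')

########################################
## <summary>
##	Read and write the wireless device.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_wireless',`
	gen_require(`
		type device_t, wireless_device_t;
	')

	rw_chr_files_pattern($1, device_t, wireless_device_t)
')

########################################
## <summary>
##	Read, write, and mmap Xen devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_xen',`
	gen_require(`
		type device_t, xen_device_t;
	')

	rw_chr_files_pattern($1, device_t, xen_device_t)
	# Map is granted together with read and write.
	allow $1 xen_device_t:chr_file map;
')

########################################
##
## Create, read, write, and delete Xen devices.
##
##
##
## Domain allowed access. 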
## ## # interface(`dev_manage_xen',` gen_require(` type device_t, xen_device_t; ') manage_chr_files_pattern($1, device_t, xen_device_t) ') ######################################## ## ## Automatic type transition to the type ## for xen device nodes when created in /dev. ## ## ## ## Domain allowed access. ## ## ## ## ## The name of the object being created. ## ## # interface(`dev_filetrans_xen',` gen_require(` type device_t, xen_device_t; ') filetrans_pattern($1, device_t, xen_device_t, chr_file, $2) ') ######################################## ## ## Get the attributes of X server miscellaneous devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_getattr_xserver_misc_dev',` gen_require(` type device_t, xserver_misc_device_t; ') getattr_chr_files_pattern($1, device_t, xserver_misc_device_t) ') ######################################## ## ## Set the attributes of X server miscellaneous devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_setattr_xserver_misc_dev',` gen_require(` type device_t, xserver_misc_device_t; ') setattr_chr_files_pattern($1, device_t, xserver_misc_device_t) ') ######################################## ## ## Read and write X server miscellaneous devices. ## ## ## ## Domain allowed access. ## ## # interface(`dev_rw_xserver_misc',` gen_require(` type device_t, xserver_misc_device_t; ') rw_chr_files_pattern($1, device_t, xserver_misc_device_t) allow $1 xserver_misc_device_t:chr_file map; ') ######################################## ## ## Dontaudit attempts to Read and write X server miscellaneous devices. ## ## ## ## Domain to not audit. ## ## # interface(`dev_dontaudit_leaked_xserver_misc',` gen_require(` type xserver_misc_device_t; ') dontaudit $1 xserver_misc_device_t:chr_file { read write }; ') ######################################## ## ## Read and write X server miscellaneous devices. ## ## ## ## Domain allowed access. 
##
##
#
interface(`dev_manage_xserver_misc',`
	gen_require(`
		type device_t, xserver_misc_device_t;
	')

	# Uses the manage pattern, not the rw pattern.
	manage_chr_files_pattern($1, device_t, xserver_misc_device_t)
	# Defined elsewhere in this module; presumably adds the named file
	# transitions for X server device nodes - confirm against its definition.
	dev_filetrans_xserver_named_dev($1)
')

########################################
## <summary>
##	Memory map X server miscellaneous devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_map_xserver_misc',`
	gen_require(`
		type xserver_misc_device_t;
	')

	allow $1 xserver_misc_device_t:chr_file map;
')

########################################
## <summary>
##	Read, write, and mmap the zero device (/dev/zero).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_zero',`
	gen_require(`
		type device_t, zero_device_t;
	')

	rw_chr_files_pattern($1, device_t, zero_device_t)
	# Map is granted together with read and write.
	allow $1 zero_device_t:chr_file map;
')

########################################
## <summary>
##	Read, write, mmap, and execute the zero device (/dev/zero).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rwx_zero',`
	gen_require(`
		type zero_device_t;
	')

	dev_rw_zero($1)
	# NOTE(review): execute on the zero device allows executable
	# mappings backed by /dev/zero; grant only where a caller is known
	# to need it, otherwise use dev_rw_zero.
	allow $1 zero_device_t:chr_file { map execute };
')

########################################
## <summary>
##	Read, write, mmap, and execmod the zero device (/dev/zero).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_execmod_zero',`
	gen_require(`
		type zero_device_t;
	')

	dev_rw_zero($1)
	# NOTE(review): execmod covers making a modified file mapping
	# executable, which weakens write-xor-execute style memory
	# protections for the caller; audit every use of this interface.
	allow $1 zero_device_t:chr_file execmod;
')

########################################
## <summary>
##	Create the zero device (/dev/zero).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_create_zero_dev',`
	gen_require(`
		type device_t, zero_device_t;
	')

	create_chr_files_pattern($1, device_t, zero_device_t)
')

########################################
## <summary>
##	Unconfined access to devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_unconfined',`
	gen_require(`
		attribute devices_unconfined_type;
	')

	# No allow rule is written here: the caller is added to the
	# attribute and inherits whatever rules are attached to it
	# elsewhere in the policy. Review those rules before granting this.
	typeattribute $1 devices_unconfined_type;
')

########################################
##
## Dontaudit getattr on all device nodes.
##
##
##
## Domain to not audit. 
##
##
#
interface(`dev_dontaudit_getattr_all',`
	gen_require(`
		attribute device_node;
		type device_t;
	')

	# Silences getattr denials on device_t and on every type carrying
	# the device_node attribute, for all classes in dir_file_class_set.
	# The access stays denied; only the audit record is suppressed.
	dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
')

########################################
## <summary>
##	Get the attributes of the mei devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_getattr_mei',`
	gen_require(`
		type device_t, mei_device_t;
	')

	getattr_chr_files_pattern($1, device_t, mei_device_t)
')

########################################
## <summary>
##	Read the mei devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_mei',`
	gen_require(`
		type device_t, mei_device_t;
	')

	read_chr_files_pattern($1, device_t, mei_device_t)
')

########################################
## <summary>
##	Read and write to mei devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_mei',`
	gen_require(`
		type device_t, mei_device_t;
	')

	rw_chr_files_pattern($1, device_t, mei_device_t)
')

########################################
## <summary>
##	Read and write uhid devices.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_uhid_dev',`
	gen_require(`
		type device_t, uhid_device_t;
	')

	# NOTE(review): uhid_device_t presumably labels the userspace HID
	# node, where write access lets a process present input devices
	# to the kernel - confirm against the file contexts and keep the
	# caller list short.
	rw_chr_files_pattern($1, device_t, uhid_device_t)
')

########################################
## <summary>
##	Allow read/write the hypervkvp device
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_hypervkvp',`
	gen_require(`
		type device_t, hypervkvp_device_t;
	')

	rw_chr_files_pattern($1, device_t, hypervkvp_device_t)
')

########################################
## <summary>
##	Allow read the gpfs device
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_gpfs',`
	gen_require(`
		type device_t, gpfs_device_t;
	')

	# Read-only: the summary previously described read/write on the
	# hypervkvp device, which did not match the rule below.
	read_chr_files_pattern($1, device_t, gpfs_device_t)
')

########################################
##
##	Allow read the gpiochip device
##
##
##
##	Domain allowed access.
##
##
#
interface(`dev_read_gpio',`
	gen_require(`
		type device_t, gpio_device_t;
	')

	# Read-only pattern; no write permission is granted here.
	read_chr_files_pattern($1, device_t, gpio_device_t)
')

########################################
## <summary>
##	Allow read/write the hypervvssd device
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_hypervvssd',`
	gen_require(`
		type device_t, hypervvssd_device_t;
	')

	rw_chr_files_pattern($1, device_t, hypervvssd_device_t)
')

########################################
## <summary>
##	Allow read the vsock device
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_read_vsock',`
	gen_require(`
		type device_t, vsock_device_t;
	')

	read_chr_files_pattern($1, device_t, vsock_device_t)
')

########################################
## <summary>
##	Allow read/write the gnss device
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_rw_gnss',`
	gen_require(`
		type device_t, gnss_device_t;
	')

	rw_chr_files_pattern($1, device_t, gnss_device_t)
')

########################################
## <summary>
##	Allow setattr the gnss device
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_setattr_gnss',`
	gen_require(`
		type device_t, gnss_device_t;
	')

	setattr_chr_files_pattern($1, device_t, gnss_device_t)
')

########################################
##
##	Create all named printer devices with the correct label
##
##
##
##	Domain allowed access.
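##
##
#
interface(`dev_filetrans_printer_named_dev',`
	gen_require(`
		# device_t is used as the parent directory type in every
		# transition below, so it has to be required here as well;
		# otherwise a module calling only this interface depends on
		# some other interface having required it.
		type device_t, printer_device_t;
	')

	# Named file transitions: a character device created by the caller
	# in a device_t directory under one of these exact names is labeled
	# printer_device_t. Only instance numbers 0 to 9 of each name are
	# listed, so other names are not covered by these rules.
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
	filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
')

######################################## ## ## Create all named devices with the correct label ## ## ## ## Domain allowed access. ## ## # interface(`dev_filetrans_all_named_dev',` gen_require(` type device_t; type acpi_device_t; type dma_device_t; type usb_device_t; type uhid_device_t; type sound_device_t; type apm_bios_t; type mouse_device_t; type autofs_device_t; type lvm_control_t; type crash_device_t; type dlm_control_device_t; type clock_device_t; type v4l_device_t; type vsock_device_t; type vmci_device_t; type vfio_device_t; type event_device_t; type xen_device_t; type framebuf_device_t; type null_device_t; type random_device_t; type dri_device_t; type hsa_device_t; type ipmi_device_t; type memory_device_t; type kmsg_device_t; type qemu_device_t; type ksm_device_t; type kvm_device_t; type sev_device_t; type lirc_device_t; type cpu_device_t; type scanner_device_t; type modem_device_t; type monitor_device_t; type vhost_device_t; type netcontrol_device_t; type nvram_device_t; type power_device_t; type opal_device_t; type wireless_device_t; type hwtracing_device_t; type tpm_device_t; type userio_device_t; type urandom_device_t; type 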
usbmon_device_t; type vmware_device_t; type watchdog_device_t; type crypt_device_t; type zero_device_t; type smartcard_device_t; type mtrr_device_t; type ecryptfs_device_t; type mptctl_device_t; type hypervkvp_device_t; type hypervvssd_device_t; type gpfs_device_t; type gpio_device_t; type cachefiles_device_t; ') dev_filetrans_printer_named_dev($1) filetrans_pattern($1, device_t, acpi_device_t, chr_file, "acpi_thermal_rel") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload1") filetrans_pattern($1, device_t, sound_device_t, chr_file, 
"aload2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer9") filetrans_pattern($1, device_t, apm_bios_t, chr_file, "apm_bios") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "atibm") 
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio9") filetrans_pattern($1, device_t, ecryptfs_device_t, chr_file, "ecryptfs") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs0") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs1") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs2") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs3") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs4") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs5") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs6") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs7") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs8") filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep") filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control") filetrans_pattern($1, device_t, cachefiles_device_t, chr_file, "cachefiles") filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash") filetrans_pattern($1, device_t, acpi_device_t, chr_file, "dell-smbios") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1") filetrans_pattern($1, device_t, 
dlm_control_device_t, chr_file, "dlm2") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm3") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm4") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm5") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm6") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm7") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm8") filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm9") # Note this file path is /dev/dma_heap/system filetrans_pattern($1, device_t, dma_device_t, chr_file, "system") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmfm") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp7") filetrans_pattern($1, device_t, sound_device_t, chr_file, 
"dsp8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9") filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc") filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp0") filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp1") filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp2") filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp3") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201") filetrans_pattern($1, device_t, vfio_device_t, chr_file, "vfio") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83003") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83004") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83005") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83006") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009") filetrans_pattern($1, device_t, vsock_device_t, chr_file, "vsock") filetrans_pattern($1, device_t, vmci_device_t, chr_file, "vmci") filetrans_pattern($1, device_t, event_device_t, chr_file, "event0") filetrans_pattern($1, device_t, event_device_t, chr_file, "event1") filetrans_pattern($1, device_t, event_device_t, chr_file, "event2") filetrans_pattern($1, device_t, event_device_t, chr_file, "event3") filetrans_pattern($1, device_t, event_device_t, chr_file, "event4") filetrans_pattern($1, device_t, event_device_t, chr_file, "event5") filetrans_pattern($1, device_t, event_device_t, chr_file, "event6") filetrans_pattern($1, device_t, event_device_t, chr_file, "event7") filetrans_pattern($1, device_t, event_device_t, chr_file, "event8") filetrans_pattern($1, device_t, event_device_t, 
chr_file, "event9") filetrans_pattern($1, device_t, event_device_t, chr_file, "event10") filetrans_pattern($1, device_t, event_device_t, chr_file, "event11") filetrans_pattern($1, device_t, event_device_t, chr_file, "event12") filetrans_pattern($1, device_t, event_device_t, chr_file, "event13") filetrans_pattern($1, device_t, event_device_t, chr_file, "event14") filetrans_pattern($1, device_t, event_device_t, chr_file, "event15") filetrans_pattern($1, device_t, event_device_t, chr_file, "event16") filetrans_pattern($1, device_t, event_device_t, chr_file, "event17") filetrans_pattern($1, device_t, event_device_t, chr_file, "event18") filetrans_pattern($1, device_t, event_device_t, chr_file, "event19") filetrans_pattern($1, device_t, event_device_t, chr_file, "event20") filetrans_pattern($1, device_t, event_device_t, chr_file, "event21") filetrans_pattern($1, device_t, event_device_t, chr_file, "event22") filetrans_pattern($1, device_t, event_device_t, chr_file, "event23") filetrans_pattern($1, device_t, event_device_t, chr_file, "event24") filetrans_pattern($1, device_t, event_device_t, chr_file, "event25") filetrans_pattern($1, device_t, event_device_t, chr_file, "event26") filetrans_pattern($1, device_t, event_device_t, chr_file, "event27") filetrans_pattern($1, device_t, event_device_t, chr_file, "event28") filetrans_pattern($1, device_t, event_device_t, chr_file, "event29") filetrans_pattern($1, device_t, event_device_t, chr_file, "event30") filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb2") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb3") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb4") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb5") filetrans_pattern($1, device_t, framebuf_device_t, 
chr_file, "fb6") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb7") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb8") filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb9") filetrans_pattern($1, device_t, null_device_t, chr_file, "full") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw0") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw1") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw2") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw3") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw4") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw5") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw6") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw7") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw8") filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw9") filetrans_pattern($1, device_t, usb_device_t, chr_file, "000") filetrans_pattern($1, device_t, usb_device_t, chr_file, "001") filetrans_pattern($1, device_t, usb_device_t, chr_file, "002") filetrans_pattern($1, device_t, usb_device_t, chr_file, "003") filetrans_pattern($1, device_t, usb_device_t, chr_file, "004") filetrans_pattern($1, device_t, usb_device_t, chr_file, "005") filetrans_pattern($1, device_t, usb_device_t, chr_file, "006") filetrans_pattern($1, device_t, usb_device_t, chr_file, "007") filetrans_pattern($1, device_t, usb_device_t, chr_file, "008") filetrans_pattern($1, device_t, usb_device_t, chr_file, "009") filetrans_pattern($1, device_t, usb_device_t, chr_file, "010") filetrans_pattern($1, device_t, usb_device_t, chr_file, "011") filetrans_pattern($1, device_t, usb_device_t, chr_file, "012") filetrans_pattern($1, device_t, usb_device_t, chr_file, "013") filetrans_pattern($1, device_t, usb_device_t, chr_file, "014") filetrans_pattern($1, device_t, usb_device_t, chr_file, "015") filetrans_pattern($1, device_t, usb_device_t, chr_file, "016") 
filetrans_pattern($1, device_t, usb_device_t, chr_file, "017") filetrans_pattern($1, device_t, usb_device_t, chr_file, "018") filetrans_pattern($1, device_t, usb_device_t, chr_file, "019") filetrans_pattern($1, device_t, usb_device_t, chr_file, "020") filetrans_pattern($1, device_t, usb_device_t, chr_file, "021") filetrans_pattern($1, device_t, usb_device_t, chr_file, "022") filetrans_pattern($1, device_t, usb_device_t, chr_file, "023") filetrans_pattern($1, device_t, usb_device_t, chr_file, "024") filetrans_pattern($1, device_t, usb_device_t, chr_file, "025") filetrans_pattern($1, device_t, usb_device_t, chr_file, "026") filetrans_pattern($1, device_t, usb_device_t, chr_file, "027") filetrans_pattern($1, device_t, usb_device_t, chr_file, "028") filetrans_pattern($1, device_t, usb_device_t, chr_file, "029") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc3") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc4") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc5") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc6") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc7") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc8") filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "hfmodem") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev0") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev1") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev2") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev3") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev4") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev5") filetrans_pattern($1, 
device_t, usb_device_t, chr_file, "hiddev6") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev7") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev8") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev9") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw0") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw1") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw2") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw3") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw4") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw5") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw6") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw7") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw8") filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw9") filetrans_pattern($1, device_t, clock_device_t, chr_file, "hpet") filetrans_pattern($1, device_t, random_device_t, chr_file, "hw_random") filetrans_pattern($1, device_t, random_device_t, chr_file, "hwrng") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "isst_interface") filetrans_pattern($1, device_t, dri_device_t, chr_file, "i915") filetrans_pattern($1, device_t, hsa_device_t, chr_file, "kfd") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "inportbm") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi0") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi1") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi2") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi3") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi4") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi5") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi6") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7") filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8") 
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js2") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js3") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js4") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js5") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js6") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js7") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js8") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js9") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse0") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse1") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse2") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse3") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse4") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse5") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse6") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse7") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse8") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse9") filetrans_pattern($1, device_t, memory_device_t, chr_file, "kmem") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mptctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt0ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt1ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt2ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt3ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt4ctl") filetrans_pattern($1, device_t, mptctl_device_t, 
chr_file, "mpt5ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt6ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt7ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt8ctl") filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt9ctl") filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "kmsg") filetrans_pattern($1, device_t, qemu_device_t, chr_file, "kqemu") filetrans_pattern($1, device_t, ksm_device_t, chr_file, "ksm") filetrans_pattern($1, device_t, kvm_device_t, chr_file, "kvm") filetrans_pattern($1, device_t, sev_device_t, chr_file, "sev") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik0") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik1") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik2") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik3") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik4") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik5") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik6") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik7") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik8") filetrans_pattern($1, device_t, event_device_t, chr_file, "lik9") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc0") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc1") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc2") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc3") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc4") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc5") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc6") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc7") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc8") filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9") filetrans_pattern($1, device_t, mouse_device_t, chr_file, 
"lircm") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm") filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog") filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem") filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab") filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem") filetrans_pattern($1, device_t, monitor_device_t, chr_file, "monwriter") 
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4013") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4014") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4015") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4016") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4017") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4018") filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4019") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr0") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr1") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr2") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr3") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr4") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr5") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr6") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr7") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr8") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr9") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost") filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_latency") filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_throughput") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz0") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz1") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz2") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz3") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz4") filetrans_pattern($1, device_t, 
modem_device_t, chr_file, "noz5") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz6") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz7") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8") filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9") filetrans_pattern($1, device_t, null_device_t, chr_file, "null") filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram") filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock2") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock3") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock4") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock5") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock6") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock7") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock8") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock9") filetrans_pattern($1, device_t, power_device_t, chr_file, "pmu") filetrans_pattern($1, device_t, opal_device_t, chr_file, "op_panel") filetrans_pattern($1, device_t, opal_device_t, chr_file, "opal-prd") filetrans_pattern($1, device_t, memory_device_t, chr_file, "port") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps0") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps1") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps2") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps3") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps4") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps5") filetrans_pattern($1, device_t, clock_device_t, 
chr_file, "pps6") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps7") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps8") filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi9") filetrans_pattern($1, device_t, dri_device_t, chr_file, "radeon") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio0") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio1") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio2") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio3") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio4") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio5") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio6") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio7") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio8") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio9") filetrans_pattern($1, device_t, random_device_t, chr_file, "random") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13940") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13941") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13942") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13943") filetrans_pattern($1, device_t, 
v4l_device_t, chr_file, "raw13944") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13945") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13946") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13949") filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm0") filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm1") filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill") filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer") filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte9") filetrans_pattern($1, device_t, power_device_t, chr_file, "smu") filetrans_pattern($1, device_t, apm_bios_t, chr_file, "snapshot") filetrans_pattern($1, device_t, sound_device_t, chr_file, "sndstat") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "sonypi") filetrans_pattern($1, device_t, hwtracing_device_t, chr_file, "tmc_etr0") filetrans_pattern($1, device_t, hwtracing_device_t, chr_file, "tmc_etr1") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm0") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm1") filetrans_pattern($1, device_t, tpm_device_t, 
chr_file, "tpm2") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm3") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm4") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm5") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm6") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm7") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm8") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm9") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm0") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm1") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm2") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm3") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm4") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm5") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm6") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm7") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm8") filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm9") filetrans_pattern($1, device_t, random_device_t, chr_file, "trng") filetrans_pattern($1, device_t, dma_device_t, chr_file, "udmabuf") filetrans_pattern($1, device_t, event_device_t, chr_file, "uinput") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio0") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio1") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio2") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio3") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio4") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio5") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio6") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio7") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio8") filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio9") 
filetrans_pattern($1, device_t, urandom_device_t, chr_file, "urandom") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb0") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb1") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb2") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb3") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb4") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb5") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7") filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon3") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon4") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon5") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon6") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon7") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon8") filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon9") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "usbscanner") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-net") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-0") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-1") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-2") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-3") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-4") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-5") filetrans_pattern($1, device_t, vhost_device_t, chr_file, 
"vhost-vdpa-6") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-7") filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vsock") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi0") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi1") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi2") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi3") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi4") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi5") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi6") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet2") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet3") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet4") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet5") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet6") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8") filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media1") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5") filetrans_pattern($1, device_t, 
v4l_device_t, chr_file, "media6") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video3") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video4") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video5") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video6") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video7") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video8") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video9") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "vrtpanel") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vttuner") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx0") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx1") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx2") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx3") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx4") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx5") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx6") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx7") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx8") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx9") filetrans_pattern($1, device_t, watchdog_device_t, chr_file, "watchdog") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio0") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio1") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio2") filetrans_pattern($1, device_t, v4l_device_t, 
chr_file, "winradio3") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio4") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio5") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio6") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio7") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio8") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9") filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt") filetrans_pattern($1, device_t, crypt_device_t, chr_file, "pkey") filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx3") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx4") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx5") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx6") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx7") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx8") filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx9") filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "cpu_dma_latency") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu0") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu1") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu2") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu3") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu4") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu5") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu6") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu7") filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu8") 
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu9") filetrans_pattern($1, device_t, mtrr_device_t, chr_file, "mtrr") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor0") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor1") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor2") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor3") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor4") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor5") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor6") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor7") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor8") filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor9") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m0") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m1") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m2") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m3") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m4") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m5") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m6") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m7") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m8") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m9") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard0") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard1") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard2") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard3") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard4") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard5") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard6") filetrans_pattern($1, device_t, 
event_device_t, chr_file, "keyboard7") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard8") filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard9") filetrans_pattern($1, device_t, lvm_control_t, chr_file, "control") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "ucb1x00") filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mk712") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx0") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx1") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx2") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx3") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx4") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx5") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx6") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx7") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx8") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx9") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8000") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8001") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8002") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8003") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8004") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8005") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8006") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8007") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8008") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8009") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner0") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner1") filetrans_pattern($1, device_t, scanner_device_t, chr_file, 
"scanner2") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner3") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner4") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner5") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner6") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner7") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner8") filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner9") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap0") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap1") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap2") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap3") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap4") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap5") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap6") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap7") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap8") filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9") filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev") filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc") filetrans_pattern($1, device_t, xen_device_t, chr_file, "privcmd") filetrans_pattern($1, device_t, xen_device_t, chr_file, "xenbus") filetrans_pattern($1, device_t, xen_device_t, chr_file, "xenbus_backend") filetrans_pattern($1, device_t, xen_device_t, chr_file, "hypercall") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC4") filetrans_pattern($1, device_t, sound_device_t, 
chr_file, "controlC5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC26") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28") filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29") filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0") filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0") filetrans_pattern($1, device_t, sound_device_t, 
chr_file, "srnd1") filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd2") filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd3") filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd4") filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd5") filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd6") filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd7") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk0") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk1") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk2") filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk3") filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba") filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb") filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc") filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid") filetrans_pattern($1, device_t, hypervkvp_device_t, chr_file, "hv_kvp") filetrans_pattern($1, device_t, hypervvssd_device_t, chr_file, "hv_vss") filetrans_pattern($1, device_t, gpfs_device_t, chr_file, "ss0") filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip0") filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip1") filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip2") dev_filetrans_xserver_named_dev($1) ') ######################################## ## ## Create all named devices with the correct label ## ## ## ## Domain allowed access. 
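##
##
#
interface(`dev_filetrans_xserver_named_dev',`
	# Scope: only the X server and graphics character devices listed
	# below are handled here, not every named device.
	# device_t is referenced by every rule below, so it is required
	# alongside xserver_misc_device_t; without it the interface only
	# builds when the caller happens to require device_t already.
	gen_require(`
		type device_t;
		type xserver_misc_device_t;
	')

	# Each rule is a named type transition: a chr_file that the caller
	# domain creates in a device_t directory under exactly the quoted
	# name is labelled xserver_misc_device_t. Matching is by exact name,
	# so a node whose index falls outside the listed 0-9 ranges is not
	# covered by this interface and presumably depends on file contexts
	# and relabelling for its label (to be confirmed against the .fc file).
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia-uvm")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
	filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
')

########################################
## <summary>
##	Allow to use IORING_OP_URING_CMD on all device nodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dev_io_uring_cmd_on_all_dev_nodes',`
	gen_require(`
		attribute device_node;
	')

	# Grants the cmd permission of the io_uring class against every type
	# carrying the device_node attribute, so the grant is as wide as the
	# attribute itself. A caller that needs this for a few devices only
	# is better served by a rule on those specific device types.
	allow $1 device_node:io_uring cmd;
')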