oreonproject/Oreon-Lime-R2
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Oreon-Lime-R2/selinux-policy/selinux-policy-bc228bd/selinux-policy-bc228bd0c249a9e4aa3dcf238c2b1bb138943b07/policy/modules/kernel/devices.if

7547 lines
185 KiB
Text
Raw Permalink Blame History

## <summary>
## Device nodes and interfaces for many basic system devices.
## </summary>
## <desc>
## <p>
## This module creates the device node concept and provides
## the policy for many of the device files. Notable exceptions are
## the mass storage and terminal devices that are covered by other
## modules.
## </p>
## <p>
## This module creates the concept of a device node. That is a
## char or block device file, usually in /dev. All types that
## are used to label device nodes should use the dev_node macro.
## </p>
## <p>
## Additionally, this module controls access to three things:
## <ul>
## <li>the device directories containing device nodes</li>
## <li>device nodes as a group</li>
## <li>individual access to specific device nodes covered by
## this module.</li>
## </ul>
## </p>
## </desc>
## <required val="true">
## Depended on by other required modules.
## </required>
########################################
## <summary>
## Make the specified type usable for device
## nodes in a filesystem.
## </summary>
## <desc>
## <p>
## Make the specified type usable for device nodes
## in a filesystem. Types used for device nodes that
## do not use this interface, or an interface that
## calls this one, will have unexpected behaviors
## while the system is running.
## </p>
## <p>
## Example:
## </p>
## <p>
## type mydev_t;
## dev_node(mydev_t)
## allow mydomain_t mydev_t:chr_file read_chr_file_perms;
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>term_tty()</li>
## <li>term_pty()</li>
## </ul>
## </desc>
## <param name="type">
## <summary>
## Type to be used for device nodes.
## </summary>
## </param>
## <infoflow type="none"/>
#
interface(`dev_node',`
gen_require(`
attribute device_node;
')
typeattribute $1 device_node;
')
########################################
## <summary>
## Associate the specified file type with device filesystem.
## </summary>
## <param name="file_type">
## <summary>
## The type of the file to be associated.
## </summary>
## </param>
#
interface(`dev_associate',`
gen_require(`
type device_t;
')
allow $1 device_t:filesystem associate;
fs_associate_tmpfs($1) #For backwards compatibility
')
########################################
## <summary>
## Get attributes of device filesystems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_fs',`
gen_require(`
type device_t;
')
allow $1 device_t:filesystem getattr;
')
########################################
## <summary>
## Mount a filesystem on /dev
## </summary>
## <param name="domain">
## <summary>
## Domain allow access.
## </summary>
## </param>
#
interface(`dev_mounton',`
gen_require(`
type device_t;
')
allow $1 device_t:dir mounton;
')
########################################
## <summary>
## Allow caller domain to mounton all device nodes
## </summary>
## <param name="domain">
## <summary>
## Domain allow access.
## </summary>
## </param>
#
interface(`dev_mounton_all_device_nodes',`
gen_require(`
attribute device_node;
')
allow $1 device_node:file mounton;
allow $1 device_node:chr_file mounton;
allow $1 device_node:blk_file mounton;
')
########################################
## <summary>
## Allow full relabeling (to and from) of all device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dev_relabel_all_dev_nodes',`
gen_require(`
attribute device_node;
type device_t;
')
relabel_dirs_pattern($1, device_t, device_node)
relabel_files_pattern($1, device_t, device_node)
relabel_lnk_files_pattern($1, device_t, device_node)
relabel_fifo_files_pattern($1, device_t, device_node)
relabel_sock_files_pattern($1, device_t, device_node)
relabel_blk_files_pattern($1, device_t, device_node)
relabel_chr_files_pattern($1, device_t, device_node)
')
########################################
## <summary>
## Allow full relabeling (to and from) of all device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dev_relabel_all_dev_files',`
gen_require(`
type device_t;
')
relabel_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## List all of the device nodes in a device directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_list_all_dev_nodes',`
gen_require(`
type device_t;
')
list_dirs_pattern($1, device_t, device_t)
read_lnk_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Set the attributes of /dev directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_generic_dirs',`
gen_require(`
type device_t;
')
setattr_dirs_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Dontaudit attempts to list all device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_list_all_dev_nodes',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:dir list_dir_perms;
')
########################################
## <summary>
## Dontaudit attempts to list all device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_all_access_check',`
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:file_class_set audit_access;
')
########################################
## <summary>
## Add entries to directories in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_add_entry_generic_dirs',`
gen_require(`
type device_t;
')
allow $1 device_t:dir add_entry_dir_perms;
')
########################################
## <summary>
## Add entries to directories in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_remove_entry_generic_dirs',`
gen_require(`
type device_t;
')
allow $1 device_t:dir del_entry_dir_perms;
')
########################################
## <summary>
## Create a directory in the device directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_generic_dirs',`
gen_require(`
type device_t;
')
allow $1 device_t:dir list_dir_perms;
create_dirs_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Watch generic device directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_watch_generic_dirs',`
gen_require(`
type device_t;
')
watch_dirs_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Delete a directory in the device directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_generic_dirs',`
gen_require(`
type device_t;
')
delete_dirs_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Manage of directories in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_generic_dirs',`
gen_require(`
type device_t;
')
manage_dirs_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Allow full relabeling (to and from) of directories in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabel_generic_dev_dirs',`
gen_require(`
type device_t;
')
relabel_dirs_pattern($1, device_t, device_t)
')
########################################
## <summary>
## dontaudit getattr generic files in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_generic_files',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:file getattr;
')
########################################
## <summary>
## Read generic files in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_read_generic_files',`
gen_require(`
type device_t;
')
read_files_pattern($1, device_t, device_t)
')
#######################################
## <summary>
## Read generic files in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_read_generic_files',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:file { read getattr };
')
########################################
## <summary>
## Read and write generic files in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_generic_files',`
gen_require(`
type device_t;
')
rw_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Delete generic files in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_generic_files',`
gen_require(`
type device_t;
')
delete_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Create a file in the device directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_generic_files',`
gen_require(`
type device_t;
')
manage_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Dontaudit getattr on generic pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_generic_pipes',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:fifo_file getattr;
')
########################################
## <summary>
## Write generic socket files in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_generic_sockets',`
gen_require(`
type device_t;
')
write_sock_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Allow getattr on generic block devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_generic_blk_files',`
gen_require(`
type device_t;
')
getattr_blk_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Rename generic block device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rename_generic_blk_files',`
gen_require(`
type device_t;
')
rename_blk_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## write generic sock files in /dev. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_generic_sock_files',`
refpolicywarn(`$0($*) has been replaced with dev_write_generic_sockets().')
dev_write_generic_sockets($1)
')
########################################
## <summary>
## Dontaudit getattr on generic block devices.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_generic_blk_files',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:blk_file getattr;
')
########################################
## <summary>
## Dontaudit setattr on generic block devices.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_setattr_generic_blk_files',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:blk_file setattr;
')
########################################
## <summary>
## Create generic block device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_generic_blk_files',`
gen_require(`
type device_t;
')
create_blk_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Delete generic block device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_generic_blk_files',`
gen_require(`
type device_t;
')
delete_blk_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Allow getattr for generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_generic_chr_files',`
gen_require(`
type device_t;
')
getattr_chr_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Dontaudit getattr for generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_generic_chr_files',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:chr_file getattr;
')
########################################
## <summary>
## Rename generic character device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rename_generic_chr_files',`
gen_require(`
type device_t;
')
rename_chr_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Dontaudit setattr for generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_setattr_generic_chr_files',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:chr_file setattr;
')
########################################
## <summary>
## Read generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_generic_chr_files',`
gen_require(`
type device_t;
')
allow $1 device_t:chr_file read_chr_file_perms;
')
########################################
## <summary>
## Read and write generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_generic_chr_files',`
gen_require(`
type device_t;
')
allow $1 device_t:chr_file rw_chr_file_perms;
')
########################################
## <summary>
## Read and write generic block device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_generic_blk_files',`
gen_require(`
type device_t;
')
allow $1 device_t:blk_file rw_chr_file_perms;
')
########################################
## <summary>
## Dontaudit attempts to read/write generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_rw_generic_chr_files',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:chr_file rw_chr_file_perms;
')
########################################
## <summary>
## Create generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_generic_chr_files',`
gen_require(`
type device_t;
')
create_chr_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Delete generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_generic_chr_files',`
gen_require(`
type device_t;
')
delete_chr_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Relabel from generic character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabelfrom_generic_chr_files',`
gen_require(`
type device_t;
')
allow $1 device_t:chr_file relabelfrom;
')
########################################
## <summary>
## Do not audit attempts to set the attributes
## of symbolic links in device directories (/dev).
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_setattr_generic_symlinks',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:lnk_file setattr;
')
########################################
## <summary>
## Create symbolic links in device directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_generic_symlinks',`
gen_require(`
type device_t;
')
create_lnk_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Delete symbolic links in device directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_generic_symlinks',`
gen_require(`
type device_t;
')
delete_lnk_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Read symbolic links in device directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_generic_symlinks',`
gen_require(`
type device_t;
')
allow $1 device_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Create, delete, read, and write symbolic links in device directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_generic_symlinks',`
gen_require(`
type device_t;
')
manage_lnk_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Relabel symbolic links in device directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabel_generic_symlinks',`
gen_require(`
type device_t;
')
relabel_lnk_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Create, delete, read, and write device nodes in device directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_all_dev_nodes',`
gen_require(`
attribute device_node, memory_raw_read, memory_raw_write;
type device_t;
')
manage_dirs_pattern($1, device_t, device_t)
manage_sock_files_pattern($1, device_t, device_t)
manage_lnk_files_pattern($1, device_t, device_t)
manage_chr_files_pattern($1, device_t, { device_t device_node })
manage_blk_files_pattern($1, device_t, { device_t device_node })
relabel_dirs_pattern($1, device_t, device_t)
relabel_chr_files_pattern($1, device_t, { device_t device_node })
relabel_blk_files_pattern($1, device_t, { device_t device_node })
# these next rules are to satisfy assertions broken by the above lines.
# the permissions hopefully can be cut back a lot
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
storage_read_scsi_generic($1)
storage_write_scsi_generic($1)
typeattribute $1 memory_raw_read;
typeattribute $1 memory_raw_write;
')
########################################
## <summary>
## Dontaudit getattr for generic device files.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_rw_generic_dev_nodes',`
gen_require(`
type device_t;
')
dontaudit $1 device_t:{ chr_file blk_file } { getattr read write ioctl };
')
########################################
## <summary>
## Read block device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_generic_blk_files',`
gen_require(`
type device_t;
')
read_blk_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Create, delete, read, and write block device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_generic_blk_files',`
gen_require(`
type device_t;
')
manage_blk_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Create, delete, read, and write character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_generic_chr_files',`
gen_require(`
type device_t;
')
manage_chr_files_pattern($1, device_t, device_t)
')
########################################
## <summary>
## Create, read, and write device nodes. The node
## will be transitioned to the type provided.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="file">
## <summary>
## Type to which the created node will be transitioned.
## </summary>
## </param>
## <param name="objectclass(es)">
## <summary>
## Object class(es) (single or set including {}) for which this
## the transition will occur.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`dev_filetrans',`
gen_require(`
type device_t;
')
filetrans_pattern($1, device_t, $2, $3, $4)
dev_associate($2)
files_associate_tmp($2)
')
########################################
## <summary>
## Create, read, and write device nodes. The node
## will be transitioned to the type provided. This is
## a temporary interface until devtmpfs functionality
## fixed.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="objectclass(es)">
## <summary>
## Object class(es) (single or set including {}) for which this
## the transition will occur.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`dev_tmpfs_filetrans_dev',`
gen_require(`
type device_t;
')
fs_tmpfs_filetrans($1, device_t, $2, $3)
')
########################################
## <summary>
## Allow getattr on all device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_all',`
gen_require(`
attribute device_node;
type device_t;
')
allow $1 { device_t device_node }:dir_file_class_set getattr;
')
########################################
## <summary>
## Getattr on all block file device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dev_getattr_all_blk_files',`
gen_require(`
attribute device_node;
type device_t;
')
getattr_blk_files_pattern($1, device_t, device_node)
')
########################################
## <summary>
## Lock on all block file device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dev_lock_all_blk_files',`
gen_require(`
attribute device_node;
type device_t;
')
lock_blk_files_pattern($1, device_t, device_node)
')
########################################
## <summary>
## Read on all block file device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dev_read_all_blk_files',`
gen_require(`
attribute device_node;
type device_t;
')
read_blk_files_pattern($1, device_t, device_node)
')
########################################
## <summary>
## Dontaudit getattr on all block file device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_all_blk_files',`
gen_require(`
attribute device_node;
type device_t;
')
dontaudit $1 { device_t device_node }:blk_file getattr;
')
########################################
## <summary>
## Getattr on all character file device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dev_getattr_all_chr_files',`
gen_require(`
attribute device_node;
type device_t;
')
getattr_chr_files_pattern($1, device_t, device_node)
')
########################################
## <summary>
## Dontaudit getattr on all character file device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_all_chr_files',`
gen_require(`
attribute device_node;
type device_t;
')
dontaudit $1 { device_t device_node }:chr_file getattr;
')
########################################
## <summary>
## Setattr on all block file device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dev_setattr_all_blk_files',`
gen_require(`
attribute device_node;
')
setattr_blk_files_pattern($1, device_t, device_node)
')
########################################
## <summary>
## Setattr on all character file device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dev_setattr_all_chr_files',`
gen_require(`
attribute device_node;
')
setattr_chr_files_pattern($1, device_t, device_node)
')
########################################
## <summary>
## Dontaudit read on all block file device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_read_all_blk_files',`
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:blk_file { getattr read };
')
########################################
## <summary>
## Dontaudit write on all block file device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_write_all_blk_files',`
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:blk_file write;
')
########################################
## <summary>
## Dontaudit read on all character file device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_read_all_chr_files',`
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:chr_file { getattr read };
')
########################################
## <summary>
## Dontaudit write on all character file device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_write_all_chr_files',`
gen_require(`
attribute device_node;
')
dontaudit $1 device_node:chr_file write;
')
########################################
## <summary>
## Create all device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_all_files',`
gen_require(`
attribute device_node;
')
create_files_pattern($1, device_t, device_node)
')
########################################
## <summary>
## Create all block device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_all_blk_files',`
gen_require(`
attribute device_node;
')
create_blk_files_pattern($1, device_t, device_node)
')
########################################
## <summary>
## Create all character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_all_chr_files',`
gen_require(`
attribute device_node;
')
create_chr_files_pattern($1, device_t, device_node)
')
########################################
## <summary>
## rw all inherited character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_all_inherited_chr_files',`
gen_require(`
attribute device_node;
')
allow $1 device_node:chr_file rw_inherited_chr_file_perms;
')
########################################
## <summary>
## rw all inherited blk device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_all_inherited_blk_files',`
gen_require(`
attribute device_node;
')
allow $1 device_node:blk_file rw_inherited_blk_file_perms;
')
########################################
## <summary>
## Delete all block device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_all_blk_files',`
gen_require(`
attribute device_node;
')
delete_blk_files_pattern($1, device_t, device_node)
')
########################################
## <summary>
## Delete all character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_all_chr_files',`
gen_require(`
attribute device_node;
')
delete_chr_files_pattern($1, device_t, device_node)
')
########################################
## <summary>
## Rename all block device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rename_all_blk_files',`
gen_require(`
attribute device_node;
')
rename_blk_files_pattern($1, device_t, device_node)
')
########################################
## <summary>
## Rename all character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rename_all_chr_files',`
gen_require(`
attribute device_node;
')
rename_chr_files_pattern($1, device_t, device_node)
')
########################################
## <summary>
## Read, write, create, and delete all block device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_all_blk_files',`
gen_require(`
attribute device_node;
')
manage_blk_files_pattern($1, device_t, device_node)
# these next rules are to satisfy assertions broken by the above lines.
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
storage_read_scsi_generic($1)
storage_write_scsi_generic($1)
')
########################################
## <summary>
## Read, write, create, and delete all character device files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_all_chr_files',`
gen_require(`
attribute device_node, memory_raw_read, memory_raw_write;
')
manage_chr_files_pattern($1, device_t, device_node)
typeattribute $1 memory_raw_read, memory_raw_write;
')
########################################
## <summary>
## Getattr the agp devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_agp_dev',`
gen_require(`
type device_t, agp_device_t;
')
getattr_chr_files_pattern($1, device_t, agp_device_t)
')
########################################
## <summary>
## Read and write the agp devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_agp',`
gen_require(`
type device_t, agp_device_t;
')
rw_chr_files_pattern($1, device_t, agp_device_t)
')
########################################
## <summary>
## Get the attributes of the apm bios device node.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_apm_bios_dev',`
gen_require(`
type device_t, apm_bios_t;
')
getattr_chr_files_pattern($1, device_t, apm_bios_t)
')
########################################
## <summary>
## Do not audit attempts to get the attributes of
## the apm bios device node.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_apm_bios_dev',`
gen_require(`
type apm_bios_t;
')
dontaudit $1 apm_bios_t:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of the apm bios device node.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_apm_bios_dev',`
gen_require(`
type device_t, apm_bios_t;
')
setattr_chr_files_pattern($1, device_t, apm_bios_t)
')
########################################
## <summary>
## Do not audit attempts to set the attributes of
## the apm bios device node.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_setattr_apm_bios_dev',`
gen_require(`
type apm_bios_t;
')
dontaudit $1 apm_bios_t:chr_file setattr;
')
########################################
## <summary>
## Read and write the apm bios.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_apm_bios',`
gen_require(`
type device_t, apm_bios_t;
')
rw_chr_files_pattern($1, device_t, apm_bios_t)
')
########################################
## <summary>
## Get the attributes of the autofs device node.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_autofs_dev',`
gen_require(`
type device_t, autofs_device_t;
')
getattr_chr_files_pattern($1, device_t, autofs_device_t)
')
########################################
## <summary>
## Do not audit attempts to get the attributes of
## the autofs device node.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_autofs_dev',`
gen_require(`
type autofs_device_t;
')
dontaudit $1 autofs_device_t:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of the autofs device node.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_autofs_dev',`
gen_require(`
type device_t, autofs_device_t;
')
setattr_chr_files_pattern($1, device_t, autofs_device_t)
')
########################################
## <summary>
## Do not audit attempts to set the attributes of
## the autofs device node.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_setattr_autofs_dev',`
gen_require(`
type autofs_device_t;
')
dontaudit $1 autofs_device_t:chr_file setattr;
')
########################################
## <summary>
## Read and write the autofs device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_autofs',`
gen_require(`
type device_t, autofs_device_t;
')
rw_chr_files_pattern($1, device_t, autofs_device_t)
')
########################################
## <summary>
## Relabel the autofs device node.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabel_autofs_dev',`
gen_require(`
type autofs_device_t;
')
allow $1 autofs_device_t:chr_file relabel_chr_file_perms;
')
########################################
## <summary>
## Read and write the PCMCIA card manager device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_cardmgr',`
gen_require(`
type cardmgr_dev_t;
')
rw_chr_files_pattern($1, device_t, cardmgr_dev_t)
')
########################################
## <summary>
## Do not audit attempts to read and
## write the PCMCIA card manager device.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_rw_cardmgr',`
gen_require(`
type cardmgr_dev_t;
')
dontaudit $1 cardmgr_dev_t:chr_file { read write };
')
########################################
## <summary>
## Create, read, write, and delete
## the PCMCIA card manager device
## with the correct type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_cardmgr_dev',`
gen_require(`
type device_t, cardmgr_dev_t;
')
create_chr_files_pattern($1, device_t, cardmgr_dev_t)
create_blk_files_pattern($1, device_t, cardmgr_dev_t)
')
########################################
## <summary>
## Create, read, write, and delete
## the PCMCIA card manager device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_cardmgr_dev',`
gen_require(`
type device_t, cardmgr_dev_t;
')
manage_chr_files_pattern($1, device_t, cardmgr_dev_t)
manage_blk_files_pattern($1, device_t, cardmgr_dev_t)
')
########################################
## <summary>
## Automatic type transition to the type
## for PCMCIA card manager device nodes when
## created in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`dev_filetrans_cardmgr',`
gen_require(`
type device_t, cardmgr_dev_t;
')
filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file }, $2)
')
########################################
## <summary>
## Automatic type transition to the type
## for xserver misc device nodes when
## created in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_filetrans_xserver_misc',`
gen_require(`
type device_t, xserver_misc_device_t;
')
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file )
')
########################################
## <summary>
## Get the attributes of the CPU
## microcode and id interfaces.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_cpu_dev',`
gen_require(`
type device_t, cpu_device_t;
')
getattr_chr_files_pattern($1, device_t, cpu_device_t)
')
########################################
## <summary>
## Set the attributes of the CPU
## microcode and id interfaces.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_cpu_dev',`
gen_require(`
type device_t, cpu_device_t;
')
setattr_chr_files_pattern($1, device_t, cpu_device_t)
')
########################################
## <summary>
## Read the CPU identity.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_cpuid',`
gen_require(`
type device_t, cpu_device_t;
')
read_chr_files_pattern($1, device_t, cpu_device_t)
')
########################################
## <summary>
## Read and write the the CPU microcode device. This
## is required to load CPU microcode.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_cpu_microcode',`
gen_require(`
type device_t, cpu_device_t;
')
rw_chr_files_pattern($1, device_t, cpu_device_t)
')
########################################
## <summary>
## Read the kernel crash device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_crash',`
gen_require(`
type device_t, crash_device_t;
')
read_chr_files_pattern($1, device_t, crash_device_t)
')
########################################
## <summary>
## Read and write to the cachefilesd device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_cachefiles',`
gen_require(`
type device_t, cachefiles_device_t;
')
rw_chr_files_pattern($1, device_t, cachefiles_device_t)
')
########################################
## <summary>
## Read and write the the hardware SSL accelerator.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_crypto',`
gen_require(`
type device_t, crypt_device_t;
')
rw_chr_files_pattern($1, device_t, crypt_device_t)
')
########################################
## <summary>
## Read and write the the ecrypt filesystem device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_ecryptfs',`
gen_require(`
type device_t, ecryptfs_device_t;
')
rw_chr_files_pattern($1, device_t, ecryptfs_device_t)
')
#######################################
## <summary>
## Set the attributes of the dlm control devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_dlm_control',`
gen_require(`
type device_t, kvm_device_t;
')
setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
')
#######################################
## <summary>
## Read and write the the dlm control device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_dlm_control',`
gen_require(`
type device_t, dlm_control_device_t;
')
rw_chr_files_pattern($1, device_t, dlm_control_device_t)
')
########################################
## <summary>
## getattr the dri devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_dri_dev',`
gen_require(`
type device_t, dri_device_t;
')
getattr_chr_files_pattern($1, device_t, dri_device_t)
')
########################################
## <summary>
## Setattr the dri devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_dri_dev',`
gen_require(`
type device_t, dri_device_t;
')
setattr_chr_files_pattern($1, device_t, dri_device_t)
')
########################################
## <summary>
## Mmap the dri devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_map_dri',`
gen_require(`
type device_t, dri_device_t;
')
allow $1 dri_device_t:chr_file map;
')
########################################
## <summary>
## Read and write the dri devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_dri',`
gen_require(`
type device_t, dri_device_t;
')
rw_chr_files_pattern($1, device_t, dri_device_t)
allow $1 dri_device_t:chr_file map;
')
########################################
## <summary>
## Read and write the dri devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_inherited_dri',`
gen_require(`
type device_t, dri_device_t;
')
allow $1 device_t:dir search_dir_perms;
allow $1 dri_device_t:chr_file rw_inherited_chr_file_perms;
')
########################################
## <summary>
## Dontaudit read and write on the dri devices.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_rw_dri',`
gen_require(`
type dri_device_t;
')
dontaudit $1 dri_device_t:chr_file rw_chr_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete the dri devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_dri_dev',`
gen_require(`
type device_t, dri_device_t;
')
manage_chr_files_pattern($1, device_t, dri_device_t)
')
########################################
## <summary>
## Automatic type transition to the type
## for DRI device nodes when created in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`dev_filetrans_dri',`
gen_require(`
type device_t, dri_device_t;
')
filetrans_pattern($1, device_t, dri_device_t, chr_file, $2)
')
########################################
## <summary>
## Get the attributes of the event devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_input_dev',`
gen_require(`
type device_t, event_device_t;
')
allow $1 device_t:dir list_dir_perms;
allow $1 event_device_t:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of the event devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_input_dev',`
gen_require(`
type device_t, event_device_t;
')
allow $1 device_t:dir list_dir_perms;
allow $1 event_device_t:chr_file setattr;
')
########################################
## <summary>
## Read input event devices (/dev/input).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_input',`
gen_require(`
type device_t, event_device_t;
')
read_chr_files_pattern($1, device_t, event_device_t)
')
########################################
## <summary>
## Read input event devices (/dev/input).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_input_dev',`
gen_require(`
type device_t, event_device_t;
')
rw_chr_files_pattern($1, device_t, event_device_t)
')
########################################
## <summary>
## Read input event devices (/dev/input).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_inherited_input_dev',`
gen_require(`
type device_t, event_device_t;
')
allow $1 device_t:dir search_dir_perms;
allow $1 event_device_t:chr_file rw_inherited_chr_file_perms;
')
########################################
## <summary>
## Read ipmi devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_ipmi_dev',`
gen_require(`
type device_t, ipmi_device_t;
')
read_chr_files_pattern($1, device_t, ipmi_device_t)
')
########################################
## <summary>
## Read and write ipmi devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_ipmi_dev',`
gen_require(`
type device_t, ipmi_device_t;
')
rw_chr_files_pattern($1, device_t, ipmi_device_t)
')
########################################
## <summary>
## Manage ipmi devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_ipmi_dev',`
gen_require(`
type device_t, ipmi_device_t;
')
manage_chr_files_pattern($1, device_t, ipmi_device_t)
')
########################################
## <summary>
## Automatic type transition to the type
## for PCMCIA card manager device nodes when
## created in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`dev_filetrans_ipmi',`
gen_require(`
type device_t, ipmi_device_t;
')
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, $2)
')
########################################
## <summary>
## Get attributes of infiniband devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_infiniband_dev',`
gen_require(`
type device_t, infiniband_device_t;
')
getattr_chr_files_pattern($1, device_t, infiniband_device_t)
')
########################################
## <summary>
## Read infiniband devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_infiniband_dev',`
gen_require(`
type device_t, infiniband_device_t;
')
read_chr_files_pattern($1, device_t, infiniband_device_t)
read_blk_files_pattern($1, device_t, infiniband_device_t)
')
########################################
## <summary>
## Read and write ipmi devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_infiniband_dev',`
gen_require(`
type device_t, infiniband_device_t;
')
rw_chr_files_pattern($1, device_t, infiniband_device_t)
rw_blk_files_pattern($1, device_t, infiniband_device_t)
allow $1 infiniband_device_t:chr_file map;
')
########################################
## <summary>
## Read infiniband mgmt devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_infiniband_mgmt_dev',`
gen_require(`
type device_t, infiniband_mgmt_device_t;
')
read_chr_files_pattern($1, device_t, infiniband_mgmt_device_t)
read_blk_files_pattern($1, device_t, infiniband_mgmt_device_t)
')
########################################
## <summary>
## Read and write ipmi devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_infiniband_mgmt_dev',`
gen_require(`
type device_t, infiniband_mgmt_device_t;
')
rw_chr_files_pattern($1, device_t, infiniband_mgmt_device_t)
rw_blk_files_pattern($1, device_t, infiniband_mgmt_device_t)
')
########################################
## <summary>
## Get the attributes of the framebuffer device node.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_framebuffer_dev',`
gen_require(`
type device_t, framebuf_device_t;
')
getattr_chr_files_pattern($1, device_t, framebuf_device_t)
')
########################################
## <summary>
## Set the attributes of the framebuffer device node.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_framebuffer_dev',`
gen_require(`
type device_t, framebuf_device_t;
')
setattr_chr_files_pattern($1, device_t, framebuf_device_t)
')
########################################
## <summary>
## Dot not audit attempts to set the attributes
## of the framebuffer device node.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_setattr_framebuffer_dev',`
gen_require(`
type framebuf_device_t;
')
dontaudit $1 framebuf_device_t:chr_file setattr;
')
########################################
## <summary>
## Read the framebuffer.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_framebuffer',`
gen_require(`
type framebuf_device_t;
')
read_chr_files_pattern($1, device_t, framebuf_device_t)
')
########################################
## <summary>
## Do not audit attempts to read the framebuffer.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_read_framebuffer',`
gen_require(`
type framebuf_device_t;
')
dontaudit $1 framebuf_device_t:chr_file { getattr read };
')
########################################
## <summary>
## Write the framebuffer.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_framebuffer',`
gen_require(`
type device_t, framebuf_device_t;
')
write_chr_files_pattern($1, device_t, framebuf_device_t)
')
########################################
## <summary>
## Mmap the framebuffer.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_map_framebuffer',`
gen_require(`
type framebuf_device_t;
')
allow $1 framebuf_device_t:chr_file map;
')
########################################
## <summary>
## Read and write the framebuffer.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_framebuffer',`
gen_require(`
type device_t, framebuf_device_t;
')
rw_chr_files_pattern($1, device_t, framebuf_device_t)
')
########################################
## <summary>
## Read the kernel messages
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_kmsg',`
gen_require(`
type device_t, kmsg_device_t;
')
read_chr_files_pattern($1, device_t, kmsg_device_t)
')
########################################
## <summary>
## Do not audit attempts to read the kernel messages
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_read_kmsg',`
gen_require(`
type kmsg_device_t;
')
dontaudit $1 kmsg_device_t:chr_file read;
')
########################################
## <summary>
## Write to the kernel messages device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_kmsg',`
gen_require(`
type device_t, kmsg_device_t;
')
write_chr_files_pattern($1, device_t, kmsg_device_t)
')
########################################
## <summary>
## Mounton the kernel messages device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_mounton_kmsg',`
gen_require(`
type kmsg_device_t;
')
allow $1 kmsg_device_t:chr_file mounton;
')
########################################
## <summary>
## Get the attributes of the ksm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_ksm_dev',`
gen_require(`
type device_t, ksm_device_t;
')
getattr_chr_files_pattern($1, device_t, ksm_device_t)
')
########################################
## <summary>
## Set the attributes of the ksm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_ksm_dev',`
gen_require(`
type device_t, ksm_device_t;
')
setattr_chr_files_pattern($1, device_t, ksm_device_t)
')
########################################
## <summary>
## Read the ksm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_ksm',`
gen_require(`
type device_t, ksm_device_t;
')
read_chr_files_pattern($1, device_t, ksm_device_t)
')
########################################
## <summary>
## Read and write to ksm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_ksm',`
gen_require(`
type device_t, ksm_device_t;
')
rw_chr_files_pattern($1, device_t, ksm_device_t)
')
########################################
## <summary>
## Get the attributes of the kvm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_kvm_dev',`
gen_require(`
type device_t, kvm_device_t;
')
getattr_chr_files_pattern($1, device_t, kvm_device_t)
')
########################################
## <summary>
## Set the attributes of the kvm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_kvm_dev',`
gen_require(`
type device_t, kvm_device_t;
')
setattr_chr_files_pattern($1, device_t, kvm_device_t)
')
########################################
## <summary>
## Read the kvm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_kvm',`
gen_require(`
type device_t, kvm_device_t;
')
read_chr_files_pattern($1, device_t, kvm_device_t)
')
########################################
## <summary>
## Read and write to kvm devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_kvm',`
gen_require(`
type device_t, kvm_device_t;
')
rw_chr_files_pattern($1, device_t, kvm_device_t)
')
########################################
## <summary>
## Read and write to sev devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_sev',`
gen_require(`
type device_t, sev_device_t;
')
rw_chr_files_pattern($1, device_t, sev_device_t)
')
######################################
## <summary>
## Read the lirc device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_lirc',`
gen_require(`
type device_t, lirc_device_t;
')
read_chr_files_pattern($1, device_t, lirc_device_t)
')
######################################
## <summary>
## Read and write the lirc device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_lirc',`
gen_require(`
type device_t, lirc_device_t;
')
rw_chr_files_pattern($1, device_t, lirc_device_t)
')
######################################
## <summary>
## Automatic type transition to the type
## for lirc device nodes when created in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`dev_filetrans_lirc',`
gen_require(`
type device_t, lirc_device_t;
')
filetrans_pattern($1, device_t, lirc_device_t, chr_file, $2)
')
########################################
## <summary>
## Get the attributes of the loop comtrol device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_loop_control',`
gen_require(`
type device_t, loop_control_device_t;
')
getattr_chr_files_pattern($1, device_t, loop_control_device_t)
')
########################################
## <summary>
## Read the loop comtrol device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_loop_control',`
gen_require(`
type device_t, loop_control_device_t;
')
read_chr_files_pattern($1, device_t, loop_control_device_t)
')
########################################
## <summary>
## Read and write the loop control device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_loop_control',`
gen_require(`
type device_t, loop_control_device_t;
')
rw_chr_files_pattern($1, device_t, loop_control_device_t)
')
########################################
## <summary>
## Do not audit attempts to read and write loop control device.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_rw_loop_control',`
gen_require(`
type loop_control_device_t;
')
dontaudit $1 loop_control_device_t:chr_file rw_file_perms;
')
########################################
## <summary>
## Delete the loop control device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_loop_control_dev',`
gen_require(`
type device_t, loop_control_device_t;
')
delete_chr_files_pattern($1, device_t, loop_control_device_t)
')
########################################
## <summary>
## Get the attributes of the loop comtrol device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_lvm_control',`
gen_require(`
type device_t, lvm_control_t;
')
getattr_chr_files_pattern($1, device_t, lvm_control_t)
')
########################################
## <summary>
## Read the lvm comtrol device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_lvm_control',`
gen_require(`
type device_t, lvm_control_t;
')
read_chr_files_pattern($1, device_t, lvm_control_t)
')
########################################
## <summary>
## Read and write the lvm control device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_lvm_control',`
gen_require(`
type device_t, lvm_control_t;
')
rw_chr_files_pattern($1, device_t, lvm_control_t)
')
########################################
## <summary>
## Do not audit attempts to read and write lvm control device.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_rw_lvm_control',`
gen_require(`
type lvm_control_t;
')
dontaudit $1 lvm_control_t:chr_file rw_file_perms;
')
########################################
## <summary>
## Delete the lvm control device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_lvm_control_dev',`
gen_require(`
type device_t, lvm_control_t;
')
delete_chr_files_pattern($1, device_t, lvm_control_t)
')
########################################
## <summary>
## dontaudit getattr raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_memory_dev',`
gen_require(`
type memory_device_t;
')
dontaudit $1 memory_device_t:chr_file getattr;
')
########################################
## <summary>
## Read raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_raw_memory',`
gen_require(`
type device_t, memory_device_t;
attribute memory_raw_read;
')
read_chr_files_pattern($1, device_t, memory_device_t)
allow $1 memory_device_t:chr_file map;
allow $1 self:lockdown integrity;
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_read;
')
########################################
## <summary>
## Allow to be reader of raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_raw_memory_reader',`
gen_require(`
attribute memory_raw_read;
')
typeattribute $1 memory_raw_read;
')
########################################
## <summary>
## Do not audit attempts to read raw memory devices
## (e.g. /dev/mem).
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_read_raw_memory',`
gen_require(`
type memory_device_t;
')
dontaudit $1 memory_device_t:chr_file read_chr_file_perms;
')
########################################
## <summary>
## Do not audit attempts to write to raw memory devices
## (e.g. /dev/mem).
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_write_raw_memory',`
gen_require(`
type memory_device_t;
')
dontaudit $1 memory_device_t:chr_file write_chr_file_perms;
')
########################################
## <summary>
## Write raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_raw_memory',`
gen_require(`
type device_t, memory_device_t;
attribute memory_raw_write;
')
write_chr_files_pattern($1, device_t, memory_device_t)
allow $1 self:capability sys_rawio;
typeattribute $1 memory_raw_write;
')
########################################
## <summary>
## Allow to be writer of raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_raw_memory_writer',`
gen_require(`
attribute memory_raw_write;
')
typeattribute $1 memory_raw_write;
')
########################################
## <summary>
## Read and execute raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rx_raw_memory',`
gen_require(`
type device_t, memory_device_t;
')
dev_read_raw_memory($1)
allow $1 memory_device_t:chr_file { map execute };
')
########################################
## <summary>
## Write and execute raw memory devices (e.g. /dev/mem).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_wx_raw_memory',`
gen_require(`
type device_t, memory_device_t;
')
dev_write_raw_memory($1)
allow $1 memory_device_t:chr_file { map execute };
')
########################################
## <summary>
## Get the attributes of miscellaneous devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_misc_dev',`
gen_require(`
type device_t, misc_device_t;
')
getattr_chr_files_pattern($1, device_t, misc_device_t)
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of miscellaneous devices.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_misc_dev',`
gen_require(`
type misc_device_t;
')
dontaudit $1 misc_device_t:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of miscellaneous devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_misc_dev',`
gen_require(`
type device_t, misc_device_t;
')
setattr_chr_files_pattern($1, device_t, misc_device_t)
')
########################################
## <summary>
## Do not audit attempts to set the attributes
## of miscellaneous devices.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_setattr_misc_dev',`
gen_require(`
type misc_device_t;
')
dontaudit $1 misc_device_t:chr_file setattr;
')
########################################
## <summary>
## Read miscellaneous devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_misc',`
gen_require(`
type device_t, misc_device_t;
')
read_chr_files_pattern($1, device_t, misc_device_t)
')
########################################
## <summary>
## Write miscellaneous devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_misc',`
gen_require(`
type device_t, misc_device_t;
')
write_chr_files_pattern($1, device_t, misc_device_t)
')
########################################
## <summary>
## Do not audit attempts to read and write miscellaneous devices.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_rw_misc',`
gen_require(`
type misc_device_t;
')
dontaudit $1 misc_device_t:chr_file rw_file_perms;
')
########################################
## <summary>
## Get the attributes of the modem devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_modem_dev',`
gen_require(`
type device_t, modem_device_t;
')
getattr_chr_files_pattern($1, device_t, modem_device_t)
')
########################################
## <summary>
## Set the attributes of the modem devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_modem_dev',`
gen_require(`
type device_t, modem_device_t;
')
setattr_chr_files_pattern($1, device_t, modem_device_t)
')
########################################
## <summary>
## Read the modem devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_modem',`
gen_require(`
type device_t, modem_device_t;
')
read_chr_files_pattern($1, device_t, modem_device_t)
')
########################################
## <summary>
## Read and write to modem devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_modem',`
gen_require(`
type device_t, modem_device_t;
')
rw_chr_files_pattern($1, device_t, modem_device_t)
')
########################################
## <summary>
## Get the attributes of the monitor devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_monitor_dev',`
gen_require(`
type device_t, monitor_device_t;
')
getattr_chr_files_pattern($1, device_t, monitor_device_t)
')
########################################
## <summary>
## Set the attributes of the monitor devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_monitor_dev',`
gen_require(`
type device_t, monitor_device_t;
')
setattr_chr_files_pattern($1, device_t, monitor_device_t)
')
########################################
## <summary>
## Read the monitor devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_monitor_dev',`
gen_require(`
type device_t, monitor_device_t;
')
read_chr_files_pattern($1, device_t, monitor_device_t)
')
########################################
## <summary>
## Read and write to monitor devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_monitor_dev',`
gen_require(`
type device_t, monitor_device_t;
')
rw_chr_files_pattern($1, device_t, monitor_device_t)
')
########################################
## <summary>
## Get the attributes of the mouse devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_mouse_dev',`
gen_require(`
type device_t, mouse_device_t;
')
getattr_chr_files_pattern($1, device_t, mouse_device_t)
')
########################################
## <summary>
## Set the attributes of the mouse devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_mouse_dev',`
gen_require(`
type device_t, mouse_device_t;
')
setattr_chr_files_pattern($1, device_t, mouse_device_t)
')
########################################
## <summary>
## Read the mouse devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_mouse',`
gen_require(`
type device_t, mouse_device_t;
')
read_chr_files_pattern($1, device_t, mouse_device_t)
')
########################################
## <summary>
## Read and write to mouse devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_mouse',`
gen_require(`
type device_t, mouse_device_t;
')
rw_chr_files_pattern($1, device_t, mouse_device_t)
')
########################################
## <summary>
## Get the attributes of the memory type range
## registers (MTRR) device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_mtrr_dev',`
gen_require(`
type device_t, mtrr_device_t;
')
getattr_files_pattern($1, device_t, mtrr_device_t)
getattr_chr_files_pattern($1, device_t, mtrr_device_t)
')
########################################
## <summary>
## Write the memory type range
## registers (MTRR). (Deprecated)
## </summary>
## <desc>
## <p>
## Write the memory type range
## registers (MTRR). This interface has
## been deprecated, dev_rw_mtrr() should be
## used instead.
## </p>
## <p>
## The MTRR device ioctls can be used for
## reading and writing; thus, write access to the
## device cannot be separated from read access.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_mtrr',`
refpolicywarn(`$0($*) has been replaced with dev_rw_mtrr().')
dev_rw_mtrr($1)
')
########################################
## <summary>
## Do not audit attempts to write the memory type
## range registers (MTRR).
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_write_mtrr',`
gen_require(`
type mtrr_device_t;
')
dontaudit $1 mtrr_device_t:file write_file_perms;
dontaudit $1 mtrr_device_t:chr_file write_chr_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read the memory type
## range registers (MTRR).
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_read_mtrr',`
gen_require(`
type mtrr_device_t;
')
dontaudit $1 mtrr_device_t:file { open read };
dontaudit $1 mtrr_device_t:chr_file { open read };
')
########################################
## <summary>
## Read the memory type range registers (MTRR).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_mtrr',`
gen_require(`
type device_t, mtrr_device_t;
')
read_files_pattern($1, device_t, mtrr_device_t)
read_chr_files_pattern($1, device_t, mtrr_device_t)
')
########################################
## <summary>
## Read and write the memory type range registers (MTRR).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_mtrr',`
gen_require(`
type device_t, mtrr_device_t;
')
rw_files_pattern($1, device_t, mtrr_device_t)
rw_chr_files_pattern($1, device_t, mtrr_device_t)
')
########################################
## <summary>
## Get the attributes of the network control device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_netcontrol_dev',`
gen_require(`
type device_t, netcontrol_device_t;
')
getattr_chr_files_pattern($1, device_t, netcontrol_device_t)
')
########################################
## <summary>
## Read the network control identity.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_netcontrol',`
gen_require(`
type device_t, netcontrol_device_t;
')
read_chr_files_pattern($1, device_t, netcontrol_device_t)
')
########################################
## <summary>
## Read and write the the network control device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_netcontrol',`
gen_require(`
type device_t, netcontrol_device_t;
')
rw_chr_files_pattern($1, device_t, netcontrol_device_t)
')
########################################
## <summary>
## Get the attributes of the null device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_null_dev',`
gen_require(`
type device_t, null_device_t;
')
getattr_chr_files_pattern($1, device_t, null_device_t)
')
########################################
## <summary>
## Set the attributes of the null device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_null_dev',`
gen_require(`
type device_t, null_device_t;
')
setattr_chr_files_pattern($1, device_t, null_device_t)
')
########################################
## <summary>
## Delete the null device (/dev/null).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_delete_null',`
gen_require(`
type device_t, null_device_t;
')
delete_chr_files_pattern($1, device_t, null_device_t)
')
########################################
## <summary>
## Read and write to the null device (/dev/null).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_null',`
gen_require(`
type device_t, null_device_t;
')
rw_chr_files_pattern($1, device_t, null_device_t)
')
########################################
## <summary>
## Create the null device (/dev/null).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_null_dev',`
gen_require(`
type device_t, null_device_t;
')
create_chr_files_pattern($1, device_t, null_device_t)
')
########################################
## <summary>
## Get the status of a null device service.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_service_status_null_dev',`
gen_require(`
type null_device_t;
')
allow $1 null_device_t:service status;
')
########################################
## <summary>
## Configure null_device as a unit files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`dev_config_null_dev_service',`
gen_require(`
type null_device_t;
')
allow $1 null_device_t:service manage_service_perms;
')
########################################
## <summary>
## Read Non-Volatile Memory Host Controller Interface. (Deprecated)
## </summary>
## <desc>
## Use storage_raw_read_fixed_disk() instead.
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_nvme',`
refpolicywarn(`$0($*) has been replaced with storage_raw_read_fixed_disk().')
storage_raw_read_fixed_disk($1)
')
########################################
## <summary>
## Read/Write Non-Volatile Memory Host Controller Interface. (Deprecated)
## </summary>
## <desc>
## Use storage_raw_read_fixed_disk() and
## storage_raw_write_fixed_disk() instead.
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_nvme',`
refpolicywarn(`$0($*) has been replaced with storage_raw_read_fixed_disk() and storage_raw_write_fixed_disk().')
storage_raw_read_fixed_disk($1)
storage_raw_write_fixed_disk($1)
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of the BIOS non-volatile RAM device.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_nvram_dev',`
gen_require(`
type nvram_device_t;
')
dontaudit $1 nvram_device_t:chr_file getattr;
')
########################################
## <summary>
## Read BIOS non-volatile RAM.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_nvram',`
gen_require(`
type nvram_device_t;
')
read_chr_files_pattern($1, device_t, nvram_device_t)
')
########################################
## <summary>
## Read and write BIOS non-volatile RAM.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_nvram',`
gen_require(`
type nvram_device_t;
')
rw_chr_files_pattern($1, device_t, nvram_device_t)
')
########################################
## <summary>
## Get the attributes of the printer device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_printer_dev',`
gen_require(`
type device_t, printer_device_t;
')
getattr_chr_files_pattern($1, device_t, printer_device_t)
')
########################################
## <summary>
## Set the attributes of the printer device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_printer_dev',`
gen_require(`
type device_t, printer_device_t;
')
setattr_chr_files_pattern($1, device_t, printer_device_t)
')
########################################
## <summary>
## Append the printer device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: added for lpd/checkpc_t
interface(`dev_append_printer',`
gen_require(`
type device_t, printer_device_t;
')
append_chr_files_pattern($1, device_t, printer_device_t)
')
########################################
## <summary>
## Read and write the printer device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_printer',`
gen_require(`
type device_t, printer_device_t;
')
rw_chr_files_pattern($1, device_t, printer_device_t)
')
########################################
## <summary>
## Relabel the printer device node.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabel_printer',`
gen_require(`
type printer_device_t;
')
allow $1 printer_device_t:chr_file relabel_chr_file_perms;
')
########################################
## <summary>
## Read and write the printer device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_printer',`
gen_require(`
type device_t, printer_device_t;
')
manage_chr_files_pattern($1, device_t, printer_device_t)
dev_filetrans_printer_named_dev($1)
')
########################################
## <summary>
## Get the attributes of the QEMU
## microcode and id interfaces.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_qemu_dev',`
gen_require(`
type device_t, qemu_device_t;
')
getattr_chr_files_pattern($1, device_t, qemu_device_t)
')
########################################
## <summary>
## Set the attributes of the QEMU
## microcode and id interfaces.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_qemu_dev',`
gen_require(`
type device_t, qemu_device_t;
')
setattr_chr_files_pattern($1, device_t, qemu_device_t)
')
########################################
## <summary>
## Read the QEMU device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_qemu',`
gen_require(`
type device_t, qemu_device_t;
')
read_chr_files_pattern($1, device_t, qemu_device_t)
')
########################################
## <summary>
## Read and write the the QEMU device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_qemu',`
gen_require(`
type device_t, qemu_device_t;
')
rw_chr_files_pattern($1, device_t, qemu_device_t)
')
########################################
## <summary>
## Read from random number generator
## devices (e.g., /dev/random).
## </summary>
## <desc>
## <p>
## Allow the specified domain to read from random number
## generator devices (e.g., /dev/random). Typically this is
## used in situations when a cryptographically secure random
## number is needed.
## </p>
## <p>
## Related interface:
## </p>
## <ul>
## <li>dev_read_urand()</li>
## </ul>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`dev_read_rand',`
gen_require(`
type device_t, random_device_t;
')
read_chr_files_pattern($1, device_t, random_device_t)
')
########################################
## <summary>
## Do not audit attempts to read from random
## number generator devices (e.g., /dev/random)
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_read_rand',`
gen_require(`
type random_device_t;
')
dontaudit $1 random_device_t:chr_file { getattr read };
')
########################################
## <summary>
## Do not audit attempts to append to the random
## number generator devices (e.g., /dev/random)
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_append_rand',`
gen_require(`
type random_device_t;
')
dontaudit $1 random_device_t:chr_file { append };
')
########################################
## <summary>
## Write to the random device (e.g., /dev/random). This adds
## entropy used to generate the random data read from the
## random device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_rand',`
gen_require(`
type device_t, random_device_t;
')
write_chr_files_pattern($1, device_t, random_device_t)
')
########################################
## <summary>
## Read the realtime clock (/dev/rtc).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_realtime_clock',`
gen_require(`
type device_t, clock_device_t;
')
read_chr_files_pattern($1, device_t, clock_device_t)
')
########################################
## <summary>
## Set the realtime clock (/dev/rtc).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_realtime_clock',`
gen_require(`
type device_t, clock_device_t;
')
write_chr_files_pattern($1, device_t, clock_device_t)
allow $1 clock_device_t:chr_file setattr;
')
########################################
## <summary>
## Read and set the realtime clock (/dev/rtc).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_realtime_clock',`
dev_read_realtime_clock($1)
dev_write_realtime_clock($1)
')
########################################
## <summary>
## Get the attributes of the scanner device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_scanner_dev',`
gen_require(`
type device_t, scanner_device_t;
')
getattr_chr_files_pattern($1, device_t, scanner_device_t)
')
########################################
## <summary>
## Do not audit attempts to get the attributes of
## the scanner device.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_scanner_dev',`
gen_require(`
type scanner_device_t;
')
dontaudit $1 scanner_device_t:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of the scanner device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_scanner_dev',`
gen_require(`
type device_t, scanner_device_t;
')
setattr_chr_files_pattern($1, device_t, scanner_device_t)
')
########################################
## <summary>
## Do not audit attempts to set the attributes of
## the scanner device.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_setattr_scanner_dev',`
gen_require(`
type scanner_device_t;
')
dontaudit $1 scanner_device_t:chr_file setattr;
')
########################################
## <summary>
## Read and write the scanner device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_scanner',`
gen_require(`
type device_t, scanner_device_t;
')
rw_chr_files_pattern($1, device_t, scanner_device_t)
')
########################################
## <summary>
## Get the attributes of the sound devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_sound_dev',`
gen_require(`
type device_t, sound_device_t;
')
getattr_chr_files_pattern($1, device_t, sound_device_t)
')
########################################
## <summary>
## Set the attributes of the sound devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_sound_dev',`
gen_require(`
type device_t, sound_device_t;
')
setattr_chr_files_pattern($1, device_t, sound_device_t)
')
########################################
## <summary>
## Read the sound devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_sound',`
gen_require(`
type device_t, sound_device_t;
')
read_chr_files_pattern($1, device_t, sound_device_t)
allow $1 sound_device_t:chr_file map;
')
########################################
## <summary>
## Write the sound devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_sound',`
gen_require(`
type device_t, sound_device_t;
')
write_chr_files_pattern($1, device_t, sound_device_t)
')
########################################
## <summary>
## Read the sound mixer devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_sound_mixer',`
gen_require(`
type device_t, sound_device_t;
')
read_chr_files_pattern($1, device_t, sound_device_t)
allow $1 sound_device_t:chr_file map;
')
########################################
## <summary>
## Write the sound mixer devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_sound_mixer',`
gen_require(`
type device_t, sound_device_t;
')
write_chr_files_pattern($1, device_t, sound_device_t)
')
########################################
## <summary>
## Get the attributes of the the power management device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_power_mgmt_dev',`
gen_require(`
type device_t, power_device_t;
')
getattr_chr_files_pattern($1, device_t, power_device_t)
')
########################################
## <summary>
## Set the attributes of the the power management device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_power_mgmt_dev',`
gen_require(`
type device_t, power_device_t;
')
setattr_chr_files_pattern($1, device_t, power_device_t)
')
########################################
## <summary>
## Read and write the the power management device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_power_management',`
gen_require(`
type device_t, power_device_t;
')
rw_chr_files_pattern($1, device_t, power_device_t)
')
########################################
## <summary>
## Getattr on smartcard devices
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_smartcard_dev',`
gen_require(`
type smartcard_device_t;
')
allow $1 smartcard_device_t:chr_file getattr;
')
########################################
## <summary>
## dontaudit getattr on smartcard devices
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_smartcard_dev',`
gen_require(`
type smartcard_device_t;
')
dontaudit $1 smartcard_device_t:chr_file getattr;
')
########################################
## <summary>
## Read and write smartcard devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_smartcard',`
gen_require(`
type device_t, smartcard_device_t;
')
rw_chr_files_pattern($1, device_t, smartcard_device_t)
')
########################################
## <summary>
## Create, read, write, and delete smartcard devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_smartcard',`
gen_require(`
type device_t, smartcard_device_t;
')
manage_chr_files_pattern($1, device_t, smartcard_device_t)
')
########################################
## <summary>
## Associate a file to a sysfs filesystem.
## </summary>
## <param name="file_type">
## <summary>
## The type of the file to be associated to sysfs.
## </summary>
## </param>
#
interface(`dev_associate_sysfs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:filesystem associate;
')
########################################
## <summary>
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_sysfs_dirs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir getattr_dir_perms;
')
########################################
## <summary>
## Set the attributes of sysfs directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_sysfs_dirs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir setattr_dir_perms;
')
########################################
## <summary>
## Get attributes of sysfs filesystems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_sysfs_fs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:filesystem getattr;
')
########################################
## <summary>
## Mount a filesystem on /sys
## </summary>
## <param name="domain">
## <summary>
## Domain allow access.
## </summary>
## </param>
#
interface(`dev_mounton_sysfs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir mounton;
')
########################################
## <summary>
## Dontaudit attempts to mount a filesystem on /sys
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_mounton_sysfs',`
gen_require(`
type sysfs_t;
')
dontaudit $1 sysfs_t:dir mounton;
')
########################################
## <summary>
## Mount sysfs filesystems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_mount_sysfs_fs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:filesystem mount;
')
########################################
## <summary>
## Unmount sysfs filesystems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_unmount_sysfs_fs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:filesystem unmount;
')
########################################
## <summary>
## Remount sysfs filesystems.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_remount_sysfs_fs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:filesystem remount;
')
########################################
## <summary>
## Search the sysfs directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_search_sysfs',`
gen_require(`
type sysfs_t;
')
search_dirs_pattern($1, sysfs_t, sysfs_t)
')
########################################
## <summary>
## Do not audit attempts to search sysfs.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_search_sysfs',`
gen_require(`
type sysfs_t;
')
dontaudit $1 sysfs_t:dir search_dir_perms;
')
########################################
## <summary>
## List the contents of the sysfs directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_list_sysfs',`
gen_require(`
type sysfs_t;
')
read_lnk_files_pattern($1, sysfs_t, sysfs_t)
list_dirs_pattern($1, sysfs_t, sysfs_t)
')
########################################
## <summary>
## Write in a sysfs directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
# cjp: added for cpuspeed
interface(`dev_write_sysfs_dirs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir write;
')
########################################
## <summary>
## Access check for a sysfs directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_access_check_sysfs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:dir audit_access;
')
########################################
## <summary>
## Do not audit attempts to write in a sysfs directory.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_write_sysfs_dirs',`
gen_require(`
type sysfs_t;
')
dontaudit $1 sysfs_t:dir write;
')
########################################
## <summary>
## Read cpu online hardware state information.
## </summary>
## <desc>
## <p>
## Allow the specified domain to read /sys/devices/system/cpu/online file.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_cpu_online',`
gen_require(`
type cpu_online_t;
')
dev_search_sysfs($1)
read_files_pattern($1, cpu_online_t, cpu_online_t)
')
########################################
## <summary>
## Relabel cpu online hardware state information.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabel_cpu_online',`
gen_require(`
type cpu_online_t;
type sysfs_t;
')
dev_search_sysfs($1)
allow $1 cpu_online_t:file relabel_file_perms;
')
########################################
## <summary>
## Read hardware state information.
## </summary>
## <desc>
## <p>
## Allow the specified domain to read the contents of
## the sysfs filesystem. This filesystem contains
## information, parameters, and other settings on the
## hardware installed on the system.
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`dev_read_sysfs',`
gen_require(`
type sysfs_t;
')
read_files_pattern($1, sysfs_t, sysfs_t)
read_lnk_files_pattern($1, sysfs_t, sysfs_t)
list_dirs_pattern($1, sysfs_t, sysfs_t)
')
########################################
## <summary>
## Allow caller to modify hardware state information.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_sysfs',`
gen_require(`
type sysfs_t;
')
rw_files_pattern($1, sysfs_t, sysfs_t)
read_lnk_files_pattern($1, sysfs_t, sysfs_t)
list_dirs_pattern($1, sysfs_t, sysfs_t)
')
########################################
## <summary>
## Allow caller create hardware state information files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_sysfs_files',`
gen_require(`
type sysfs_t;
')
create_files_pattern($1, sysfs_t, sysfs_t)
')
########################################
## <summary>
## Relabel hardware state directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabel_sysfs_dirs',`
gen_require(`
type sysfs_t;
')
relabel_dirs_pattern($1, sysfs_t, sysfs_t)
')
########################################
## <summary>
## Relabel hardware state files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabel_all_sysfs',`
gen_require(`
type sysfs_t;
')
relabel_dirs_pattern($1, sysfs_t, sysfs_t)
relabel_files_pattern($1, sysfs_t, sysfs_t)
relabel_lnk_files_pattern($1, sysfs_t, sysfs_t)
')
########################################
## <summary>
## Allow caller to modify hardware state information.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_sysfs_dirs',`
gen_require(`
type sysfs_t;
')
manage_dirs_pattern($1, sysfs_t, sysfs_t)
')
########################################
## <summary>
## Allow caller to modify hardware state information.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_sysfs',`
gen_require(`
type sysfs_t;
')
manage_dirs_pattern($1, sysfs_t, sysfs_t)
manage_files_pattern($1, sysfs_t, sysfs_t)
manage_lnk_files_pattern($1, sysfs_t, sysfs_t)
')
########################################
## <summary>
## Mmap the sysfs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_map_sysfs',`
gen_require(`
type sysfs_t;
')
allow $1 sysfs_t:file map;
')
########################################
## <summary>
## Read the TPM device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_tpm',`
gen_require(`
type device_t, tpm_device_t;
')
read_chr_files_pattern($1, device_t, tpm_device_t)
')
########################################
## <summary>
## Read and write the TPM device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_tpm',`
gen_require(`
type device_t, tpm_device_t;
')
rw_chr_files_pattern($1, device_t, tpm_device_t)
')
########################################
## <summary>
## Read from pseudo random number generator devices (e.g., /dev/urandom).
## </summary>
## <desc>
## <p>
## Allow the specified domain to read from pseudo random number
## generator devices (e.g., /dev/urandom). Typically this is
## used in situations when a cryptographically secure random
## number is not necessarily needed. One example is the Stack
## Smashing Protector (SSP, formerly known as ProPolice) support
## that may be compiled into programs.
## </p>
## <p>
## Related interface:
## </p>
## <ul>
## <li>dev_read_rand()</li>
## </ul>
## <p>
## Related tunable:
## </p>
## <ul>
## <li>global_ssp</li>
## </ul>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <infoflow type="read" weight="10"/>
#
interface(`dev_read_urand',`
gen_require(`
type device_t, urandom_device_t;
')
read_chr_files_pattern($1, device_t, urandom_device_t)
')
########################################
## <summary>
## Do not audit attempts to read from pseudo
## random devices (e.g., /dev/urandom)
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_read_urand',`
gen_require(`
type urandom_device_t;
')
dontaudit $1 urandom_device_t:chr_file { getattr read };
')
########################################
## <summary>
## Write to the pseudo random device (e.g., /dev/urandom). This
## sets the random number generator seed.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_urand',`
gen_require(`
type device_t, urandom_device_t;
')
write_chr_files_pattern($1, device_t, urandom_device_t)
')
########################################
## <summary>
## Do not audit attempts to write to pseudo
## random devices (e.g., /dev/urandom)
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_write_urand',`
gen_require(`
type urandom_device_t;
')
dontaudit $1 urandom_device_t:chr_file write;
')
########################################
## <summary>
## Getattr generic the USB devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_generic_usb_dev',`
gen_require(`
type usb_device_t,device_t;
')
getattr_chr_files_pattern($1, device_t, usb_device_t)
')
########################################
## <summary>
## Setattr generic the USB devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_generic_usb_dev',`
gen_require(`
type usb_device_t;
')
setattr_chr_files_pattern($1, device_t, usb_device_t)
')
########################################
## <summary>
## Read generic the USB devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_generic_usb_dev',`
gen_require(`
type usb_device_t;
')
read_chr_files_pattern($1, device_t, usb_device_t)
')
########################################
## <summary>
## Read and write generic the USB devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_generic_usb_dev',`
gen_require(`
type device_t, usb_device_t;
')
rw_chr_files_pattern($1, device_t, usb_device_t)
')
########################################
## <summary>
## Relabel generic the USB devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_relabel_generic_usb_dev',`
gen_require(`
type usb_device_t;
')
relabel_chr_files_pattern($1, device_t, usb_device_t)
')
########################################
## <summary>
## Read USB monitor devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_usbmon_dev',`
gen_require(`
type device_t, usbmon_device_t;
')
read_chr_files_pattern($1, device_t, usbmon_device_t)
')
########################################
## <summary>
## Mmap USB monitor devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_map_usbmon_dev',`
gen_require(`
type usbmon_device_t;
')
allow $1 usbmon_device_t:chr_file map;
')
########################################
## <summary>
## Write USB monitor devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_usbmon_dev',`
gen_require(`
type device_t, usbmon_device_t;
')
write_chr_files_pattern($1, device_t, usbmon_device_t)
')
########################################
## <summary>
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_mount_usbfs',`
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:filesystem mount;
')
########################################
## <summary>
## Associate a file to a usbfs filesystem.
## </summary>
## <param name="file_type">
## <summary>
## The type of the file to be associated to usbfs.
## </summary>
## </param>
#
interface(`dev_associate_usbfs',`
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:filesystem associate;
')
########################################
## <summary>
## Get the attributes of a directory in the usb filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_usbfs_dirs',`
gen_require(`
type usbfs_t;
')
allow $1 usbfs_t:dir getattr_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of a directory in the usb filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_usbfs_dirs',`
gen_require(`
type usbfs_t;
')
dontaudit $1 usbfs_t:dir getattr_dir_perms;
')
########################################
## <summary>
## Search the directory containing USB hardware information.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_search_usbfs',`
gen_require(`
type usbfs_t;
')
search_dirs_pattern($1, usbfs_t, usbfs_t)
')
########################################
## <summary>
## Allow caller to get a list of usb hardware.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_list_usbfs',`
gen_require(`
type usbfs_t;
')
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
getattr_files_pattern($1, usbfs_t, usbfs_t)
list_dirs_pattern($1, usbfs_t, usbfs_t)
')
########################################
## <summary>
## Set the attributes of usbfs filesystem.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_usbfs_files',`
gen_require(`
type usbfs_t;
')
setattr_files_pattern($1, usbfs_t, usbfs_t)
list_dirs_pattern($1, usbfs_t, usbfs_t)
')
########################################
## <summary>
## Read USB hardware information using
## the usbfs filesystem interface.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_usbfs',`
gen_require(`
type usbfs_t;
')
read_files_pattern($1, usbfs_t, usbfs_t)
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
list_dirs_pattern($1, usbfs_t, usbfs_t)
')
########################################
## <summary>
## Allow caller to modify usb hardware configuration files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_usbfs',`
gen_require(`
type usbfs_t;
')
list_dirs_pattern($1, usbfs_t, usbfs_t)
rw_files_pattern($1, usbfs_t, usbfs_t)
read_lnk_files_pattern($1, usbfs_t, usbfs_t)
')
######################################
## <summary>
## Read and write userio device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_userio_dev',`
gen_require(`
type device_t, userio_device_t;
')
rw_chr_files_pattern($1, device_t, userio_device_t)
')
########################################
## <summary>
## Mmap the userio devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_map_userio_dev',`
gen_require(`
type device_t, userio_device_t;
')
allow $1 userio_device_t:chr_file map;
allow $1 self:lockdown integrity;
')
########################################
## <summary>
## Get the attributes of video4linux devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_video_dev',`
gen_require(`
type device_t, v4l_device_t;
')
getattr_chr_files_pattern($1, device_t, v4l_device_t)
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of video4linux device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_video_dev',`
gen_require(`
type v4l_device_t;
')
dontaudit $1 v4l_device_t:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of video4linux device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_video_dev',`
gen_require(`
type device_t, v4l_device_t;
')
setattr_chr_files_pattern($1, device_t, v4l_device_t)
')
########################################
## <summary>
## Do not audit attempts to set the attributes
## of video4linux device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_setattr_video_dev',`
gen_require(`
type v4l_device_t;
')
dontaudit $1 v4l_device_t:chr_file setattr;
')
########################################
## <summary>
## Read the video4linux devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_video_dev',`
gen_require(`
type device_t, v4l_device_t;
')
read_chr_files_pattern($1, device_t, v4l_device_t)
')
########################################
## <summary>
## Mmap the video4linux devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_map_video_dev',`
gen_require(`
type device_t, v4l_device_t;
')
allow $1 v4l_device_t:chr_file map;
')
########################################
## <summary>
## Write the video4linux devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_video_dev',`
gen_require(`
type device_t, v4l_device_t;
')
write_chr_files_pattern($1, device_t, v4l_device_t)
')
########################################
## <summary>
## Get the attributes of vfio devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_vfio_dev',`
gen_require(`
type device_t, vfio_device_t;
')
getattr_chr_files_pattern($1, device_t, vfio_device_t)
')
########################################
## <summary>
## Do not audit attempts to get the attributes
## of vfio device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_vfio_dev',`
gen_require(`
type vfio_device_t;
')
dontaudit $1 vfio_device_t:chr_file getattr;
')
########################################
## <summary>
## Set the attributes of vfio device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_vfio_dev',`
gen_require(`
type device_t, vfio_device_t;
')
setattr_chr_files_pattern($1, device_t, vfio_device_t)
')
########################################
## <summary>
## Do not audit attempts to set the attributes
## of vfio device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_setattr_vfio_dev',`
gen_require(`
type vfio_device_t;
')
dontaudit $1 vfio_device_t:chr_file setattr;
')
########################################
## <summary>
## Read the vfio devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_vfio_dev',`
gen_require(`
type device_t, vfio_device_t;
')
read_chr_files_pattern($1, device_t, vfio_device_t)
')
########################################
## <summary>
## Write the vfio devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_vfio_dev',`
gen_require(`
type device_t, vfio_device_t;
')
write_chr_files_pattern($1, device_t, vfio_device_t)
')
########################################
## <summary>
## Read and write the VFIO devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_vfio_dev',`
gen_require(`
type device_t, vfio_device_t;
')
rw_chr_files_pattern($1, device_t, vfio_device_t)
')
########################################
## <summary>
## Allow read/write the vhost net device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_vhost',`
gen_require(`
type device_t, vhost_device_t;
')
rw_chr_files_pattern($1, device_t, vhost_device_t)
')
########################################
## <summary>
## Allow read/write inheretid the vhost net device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_inherited_vhost',`
gen_require(`
type device_t, vhost_device_t;
')
allow $1 vhost_device_t:chr_file rw_inherited_chr_file_perms;
')
########################################
## <summary>
## Allow map the vhost devices
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_map_vhost',`
gen_require(`
type device_t, vhost_device_t;
')
allow $1 vhost_device_t:chr_file map;
')
########################################
## <summary>
## Read and write VMWare devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_vmware',`
gen_require(`
type device_t, vmware_device_t;
')
rw_chr_files_pattern($1, device_t, vmware_device_t)
')
########################################
## <summary>
## Read, write, and mmap VMWare devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rwx_vmware',`
gen_require(`
type device_t, vmware_device_t;
')
dev_rw_vmware($1)
allow $1 vmware_device_t:chr_file { map execute };
')
########################################
## <summary>
## Read from watchdog devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_watchdog',`
gen_require(`
type device_t, watchdog_device_t;
')
read_chr_files_pattern($1, device_t, watchdog_device_t)
')
########################################
## <summary>
## Write to watchdog devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_write_watchdog',`
gen_require(`
type device_t, watchdog_device_t;
')
write_chr_files_pattern($1, device_t, watchdog_device_t)
')
########################################
## <summary>
## RW to watchdog devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_watchdog',`
gen_require(`
type device_t, watchdog_device_t;
')
rw_chr_files_pattern($1, device_t, watchdog_device_t)
')
########################################
## <summary>
## Read and write the the wireless device.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_wireless',`
gen_require(`
type device_t, wireless_device_t;
')
rw_chr_files_pattern($1, device_t, wireless_device_t)
')
########################################
## <summary>
## Read and write Xen devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_xen',`
gen_require(`
type device_t, xen_device_t;
')
rw_chr_files_pattern($1, device_t, xen_device_t)
allow $1 xen_device_t:chr_file map;
')
########################################
## <summary>
## Create, read, write, and delete Xen devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_xen',`
gen_require(`
type device_t, xen_device_t;
')
manage_chr_files_pattern($1, device_t, xen_device_t)
')
########################################
## <summary>
## Automatic type transition to the type
## for xen device nodes when created in /dev.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="name" optional="true">
## <summary>
## The name of the object being created.
## </summary>
## </param>
#
interface(`dev_filetrans_xen',`
gen_require(`
type device_t, xen_device_t;
')
filetrans_pattern($1, device_t, xen_device_t, chr_file, $2)
')
########################################
## <summary>
## Get the attributes of X server miscellaneous devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_xserver_misc_dev',`
gen_require(`
type device_t, xserver_misc_device_t;
')
getattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
')
########################################
## <summary>
## Set the attributes of X server miscellaneous devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_xserver_misc_dev',`
gen_require(`
type device_t, xserver_misc_device_t;
')
setattr_chr_files_pattern($1, device_t, xserver_misc_device_t)
')
########################################
## <summary>
## Read and write X server miscellaneous devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_xserver_misc',`
gen_require(`
type device_t, xserver_misc_device_t;
')
rw_chr_files_pattern($1, device_t, xserver_misc_device_t)
allow $1 xserver_misc_device_t:chr_file map;
')
########################################
## <summary>
## Dontaudit attempts to Read and write X server miscellaneous devices.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_leaked_xserver_misc',`
gen_require(`
type xserver_misc_device_t;
')
dontaudit $1 xserver_misc_device_t:chr_file { read write };
')
########################################
## <summary>
## Read and write X server miscellaneous devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_manage_xserver_misc',`
gen_require(`
type device_t, xserver_misc_device_t;
')
manage_chr_files_pattern($1, device_t, xserver_misc_device_t)
dev_filetrans_xserver_named_dev($1)
')
########################################
## <summary>
## mmap X server miscellaneous devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_map_xserver_misc',`
gen_require(`
type xserver_misc_device_t;
')
allow $1 xserver_misc_device_t:chr_file map;
')
########################################
## <summary>
## Read and write to the zero device (/dev/zero).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_zero',`
gen_require(`
type device_t, zero_device_t;
')
rw_chr_files_pattern($1, device_t, zero_device_t)
allow $1 zero_device_t:chr_file map;
')
########################################
## <summary>
## Read, write, and execute the zero device (/dev/zero).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rwx_zero',`
gen_require(`
type zero_device_t;
')
dev_rw_zero($1)
allow $1 zero_device_t:chr_file { map execute };
')
########################################
## <summary>
## Execmod the zero device (/dev/zero).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_execmod_zero',`
gen_require(`
type zero_device_t;
')
dev_rw_zero($1)
allow $1 zero_device_t:chr_file execmod;
')
########################################
## <summary>
## Create the zero device (/dev/zero).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_create_zero_dev',`
gen_require(`
type device_t, zero_device_t;
')
create_chr_files_pattern($1, device_t, zero_device_t)
')
########################################
## <summary>
## Unconfined access to devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_unconfined',`
gen_require(`
attribute devices_unconfined_type;
')
typeattribute $1 devices_unconfined_type;
')
########################################
## <summary>
## Dontaudit getattr on all device nodes.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dev_dontaudit_getattr_all',`
gen_require(`
attribute device_node;
type device_t;
')
dontaudit $1 { device_t device_node }:dir_file_class_set getattr;
')
########################################
## <summary>
## Get the attributes of the mei devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_getattr_mei',`
gen_require(`
type device_t, mei_device_t;
')
getattr_chr_files_pattern($1, device_t, mei_device_t)
')
########################################
## <summary>
## Read the mei devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_mei',`
gen_require(`
type device_t, mei_device_t;
')
read_chr_files_pattern($1, device_t, mei_device_t)
')
########################################
## <summary>
## Read and write to mei devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_mei',`
gen_require(`
type device_t, mei_device_t;
')
rw_chr_files_pattern($1, device_t, mei_device_t)
')
########################################
## <summary>
## Read and write uhid devices.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_uhid_dev',`
gen_require(`
type device_t, uhid_device_t;
')
rw_chr_files_pattern($1, device_t, uhid_device_t)
')
########################################
## <summary>
## Allow read/write the hypervkvp device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_hypervkvp',`
gen_require(`
type device_t, hypervkvp_device_t;
')
rw_chr_files_pattern($1, device_t, hypervkvp_device_t)
')
########################################
## <summary>
## Allow read/write the hypervkvp device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_gpfs',`
gen_require(`
type device_t, gpfs_device_t;
')
read_chr_files_pattern($1, device_t, gpfs_device_t)
')
########################################
## <summary>
## Allow read/write the gpiochip device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_gpio',`
gen_require(`
type device_t, gpio_device_t;
')
read_chr_files_pattern($1, device_t, gpio_device_t)
')
########################################
## <summary>
## Allow read/write the hypervvssd device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_rw_hypervvssd',`
gen_require(`
type device_t, hypervvssd_device_t;
')
rw_chr_files_pattern($1, device_t, hypervvssd_device_t)
')
########################################
## <summary>
## Allow read the vsock device
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_read_vsock',`
gen_require(`
type device_t, vsock_device_t;
')
read_chr_files_pattern($1, device_t, vsock_device_t)
')
########################################
## <summary>
## Create all named devices with the correct label
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_filetrans_printer_named_dev',`
gen_require(`
type printer_device_t;
')
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt0")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt1")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt2")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt3")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt4")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt5")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt6")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt7")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt8")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "irlpt9")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp0")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp1")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp2")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp3")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp4")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp5")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp6")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp7")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp8")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "lp9")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par0")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par1")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par2")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par3")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par4")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par5")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par6")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par7")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par8")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "par9")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp0")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp1")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp2")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp3")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp4")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp5")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp6")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp7")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp8")
filetrans_pattern($1, device_t, printer_device_t, chr_file, "usblp9")
')
########################################
## <summary>
## Create all named devices with the correct label
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_filetrans_all_named_dev',`
gen_require(`
type device_t;
type acpi_device_t;
type dma_device_t;
type usb_device_t;
type uhid_device_t;
type sound_device_t;
type apm_bios_t;
type mouse_device_t;
type autofs_device_t;
type lvm_control_t;
type crash_device_t;
type dlm_control_device_t;
type clock_device_t;
type v4l_device_t;
type vsock_device_t;
type vmci_device_t;
type vfio_device_t;
type event_device_t;
type xen_device_t;
type framebuf_device_t;
type null_device_t;
type random_device_t;
type dri_device_t;
type hsa_device_t;
type ipmi_device_t;
type memory_device_t;
type kmsg_device_t;
type qemu_device_t;
type ksm_device_t;
type kvm_device_t;
type sev_device_t;
type lirc_device_t;
type cpu_device_t;
type scanner_device_t;
type modem_device_t;
type monitor_device_t;
type vhost_device_t;
type netcontrol_device_t;
type nvram_device_t;
type power_device_t;
type opal_device_t;
type wireless_device_t;
type hwtracing_device_t;
type tpm_device_t;
type userio_device_t;
type urandom_device_t;
type usbmon_device_t;
type vmware_device_t;
type watchdog_device_t;
type crypt_device_t;
type zero_device_t;
type smartcard_device_t;
type mtrr_device_t;
type ecryptfs_device_t;
type mptctl_device_t;
type hypervkvp_device_t;
type hypervvssd_device_t;
type gpfs_device_t;
type gpio_device_t;
type cachefiles_device_t;
')
dev_filetrans_printer_named_dev($1)
filetrans_pattern($1, device_t, acpi_device_t, chr_file, "acpi_thermal_rel")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "admmidi9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "adsp9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "aload9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amidi9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "amixer9")
filetrans_pattern($1, device_t, apm_bios_t, chr_file, "apm_bios")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "atibm")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "audio9")
filetrans_pattern($1, device_t, ecryptfs_device_t, chr_file, "ecryptfs")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs0")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs1")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs2")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs3")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs4")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs5")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs6")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs7")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs8")
filetrans_pattern($1, device_t, autofs_device_t, chr_file, "autofs9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "beep")
filetrans_pattern($1, device_t, lvm_control_t, chr_file, "btrfs-control")
filetrans_pattern($1, device_t, cachefiles_device_t, chr_file, "cachefiles")
filetrans_pattern($1, device_t, crash_device_t, chr_file, "crash")
filetrans_pattern($1, device_t, acpi_device_t, chr_file, "dell-smbios")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm0")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm1")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm2")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm3")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm4")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm5")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm6")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm7")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm8")
filetrans_pattern($1, device_t, dlm_control_device_t, chr_file, "dlm9")
# Note this file path is /dev/dma_heap/system
filetrans_pattern($1, device_t, dma_device_t, chr_file, "system")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmfm")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dmmidi9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "dsp9")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "efirtc")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp0")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp1")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp2")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "ptp3")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "e2201")
filetrans_pattern($1, device_t, vfio_device_t, chr_file, "vfio")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83000")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83001")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83002")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83003")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83004")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83005")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83006")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83007")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83008")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "em83009")
filetrans_pattern($1, device_t, vsock_device_t, chr_file, "vsock")
filetrans_pattern($1, device_t, vmci_device_t, chr_file, "vmci")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event0")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event1")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event2")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event3")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event4")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event5")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event6")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event7")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event8")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event9")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event10")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event11")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event12")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event13")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event14")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event15")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event16")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event17")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event18")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event19")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event20")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event21")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event22")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event23")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event24")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event25")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event26")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event27")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event28")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event29")
filetrans_pattern($1, device_t, event_device_t, chr_file, "event30")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "evtchn")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb0")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb1")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb2")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb3")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb4")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb5")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb6")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb7")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb8")
filetrans_pattern($1, device_t, framebuf_device_t, chr_file, "fb9")
filetrans_pattern($1, device_t, null_device_t, chr_file, "full")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw0")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw1")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw2")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw3")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw4")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw5")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw6")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw7")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw8")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "fw9")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "000")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "001")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "002")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "003")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "004")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "005")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "006")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "007")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "008")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "009")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "010")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "011")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "012")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "013")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "014")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "015")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "016")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "017")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "018")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "019")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "020")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "021")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "022")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "023")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "024")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "025")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "026")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "027")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "028")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "029")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc0")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc1")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc2")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc3")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc4")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc5")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc6")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc7")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc8")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "gtrsc9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "hfmodem")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev0")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev1")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev2")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev3")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev4")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev5")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev6")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev7")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev8")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hiddev9")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw0")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw1")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw2")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw3")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw4")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw5")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw6")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw7")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw8")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "hidraw9")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "hpet")
filetrans_pattern($1, device_t, random_device_t, chr_file, "hw_random")
filetrans_pattern($1, device_t, random_device_t, chr_file, "hwrng")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "isst_interface")
filetrans_pattern($1, device_t, dri_device_t, chr_file, "i915")
filetrans_pattern($1, device_t, hsa_device_t, chr_file, "kfd")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "inportbm")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi0")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi1")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi2")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi3")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi4")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi5")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi6")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi7")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi8")
filetrans_pattern($1, device_t, ipmi_device_t, chr_file, "ipmi9")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "jbm")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js0")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js1")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js2")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js3")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js4")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js5")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js6")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js7")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js8")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "js9")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse0")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse1")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse2")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse3")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse4")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse5")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse6")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse7")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse8")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mouse9")
filetrans_pattern($1, device_t, memory_device_t, chr_file, "kmem")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mptctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt0ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt1ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt2ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt3ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt4ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt5ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt6ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt7ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt8ctl")
filetrans_pattern($1, device_t, mptctl_device_t, chr_file, "mpt9ctl")
filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "kmsg")
filetrans_pattern($1, device_t, qemu_device_t, chr_file, "kqemu")
filetrans_pattern($1, device_t, ksm_device_t, chr_file, "ksm")
filetrans_pattern($1, device_t, kvm_device_t, chr_file, "kvm")
filetrans_pattern($1, device_t, sev_device_t, chr_file, "sev")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik0")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik1")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik2")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik3")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik4")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik5")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik6")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik7")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik8")
filetrans_pattern($1, device_t, event_device_t, chr_file, "lik9")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc0")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc1")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc2")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc3")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc4")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc5")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc6")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc7")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc8")
filetrans_pattern($1, device_t, lirc_device_t, chr_file, "lirc9")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "lircm")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "logibm")
filetrans_pattern($1, device_t, kmsg_device_t, chr_file, "mcelog")
filetrans_pattern($1, device_t, memory_device_t, chr_file, "mem")
filetrans_pattern($1, device_t, memory_device_t, chr_file, "mergemem")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mice")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "microcode")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "midi9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mixer9")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mmetfgrab")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "modem")
filetrans_pattern($1, device_t, monitor_device_t, chr_file, "monwriter")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4010")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4011")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4012")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4013")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4014")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4015")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4016")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4017")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4018")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "mpu4019")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr0")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr1")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr2")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr3")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr4")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr5")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr6")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr7")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr8")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "msr9")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost")
filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_latency")
filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "network_throughput")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz0")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz1")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz2")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz3")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz4")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz5")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz6")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz7")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz8")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "noz9")
filetrans_pattern($1, device_t, null_device_t, chr_file, "null")
filetrans_pattern($1, device_t, nvram_device_t, chr_file, "nvram")
filetrans_pattern($1, device_t, memory_device_t, chr_file, "oldmem")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "pc110pad")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock0")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock1")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock2")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock3")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock4")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock5")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock6")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock7")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock8")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pcfclock9")
filetrans_pattern($1, device_t, power_device_t, chr_file, "pmu")
filetrans_pattern($1, device_t, opal_device_t, chr_file, "op_panel")
filetrans_pattern($1, device_t, opal_device_t, chr_file, "opal-prd")
filetrans_pattern($1, device_t, memory_device_t, chr_file, "port")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps0")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps1")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps2")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps3")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps4")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps5")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps6")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps7")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps8")
filetrans_pattern($1, device_t, clock_device_t, chr_file, "pps9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "rmidi9")
filetrans_pattern($1, device_t, dri_device_t, chr_file, "radeon")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio0")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio1")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio2")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio3")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio4")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio5")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio6")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio7")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio8")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "radio9")
filetrans_pattern($1, device_t, random_device_t, chr_file, "random")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13940")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13941")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13942")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13943")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13944")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13945")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13946")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13947")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13948")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "raw13949")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm0")
filetrans_pattern($1, device_t, modem_device_t, chr_file, "cdc-wdm1")
filetrans_pattern($1, device_t, wireless_device_t, chr_file, "rfkill")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "sequencer2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "smpte9")
filetrans_pattern($1, device_t, power_device_t, chr_file, "smu")
filetrans_pattern($1, device_t, apm_bios_t, chr_file, "snapshot")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "sndstat")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "sonypi")
filetrans_pattern($1, device_t, hwtracing_device_t, chr_file, "tmc_etr0")
filetrans_pattern($1, device_t, hwtracing_device_t, chr_file, "tmc_etr1")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm0")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm1")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm2")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm3")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm4")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm5")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm6")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm7")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm8")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpm9")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm0")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm1")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm2")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm3")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm4")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm5")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm6")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm7")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm8")
filetrans_pattern($1, device_t, tpm_device_t, chr_file, "tpmrm9")
filetrans_pattern($1, device_t, random_device_t, chr_file, "trng")
filetrans_pattern($1, device_t, dma_device_t, chr_file, "udmabuf")
filetrans_pattern($1, device_t, event_device_t, chr_file, "uinput")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio0")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio1")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio2")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio3")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio4")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio5")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio6")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio7")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio8")
filetrans_pattern($1, device_t, userio_device_t, chr_file, "uio9")
filetrans_pattern($1, device_t, urandom_device_t, chr_file, "urandom")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb0")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb1")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb2")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb3")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb4")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb5")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb6")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb7")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "usb8")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon0")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon1")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon2")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon3")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon4")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon5")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon6")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon7")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon8")
filetrans_pattern($1, device_t, usbmon_device_t, chr_file, "usbmon9")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "usbscanner")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-net")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-0")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-1")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-2")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-3")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-4")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-5")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-6")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vdpa-7")
filetrans_pattern($1, device_t, vhost_device_t, chr_file, "vhost-vsock")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi0")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi1")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi2")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi3")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi4")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi5")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi6")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi7")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi8")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vbi9")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmmon")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet0")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet1")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet2")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet3")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet4")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet5")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet6")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet7")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet8")
filetrans_pattern($1, device_t, vmware_device_t, chr_file, "vmnet9")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media0")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media1")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media2")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media3")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media4")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media5")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media6")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media7")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media8")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "media9")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video0")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video1")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video2")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video3")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video4")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video5")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video6")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video7")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video8")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "video9")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "vrtpanel")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vttuner")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx0")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx1")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx2")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx3")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx4")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx5")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx6")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx7")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx8")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "vtx9")
filetrans_pattern($1, device_t, watchdog_device_t, chr_file, "watchdog")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio0")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio1")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio2")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio3")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio4")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio5")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio6")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio7")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio8")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "winradio9")
filetrans_pattern($1, device_t, crypt_device_t, chr_file, "z90crypt")
filetrans_pattern($1, device_t, crypt_device_t, chr_file, "pkey")
filetrans_pattern($1, device_t, zero_device_t, chr_file, "zero")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx0")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx1")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx2")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx3")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx4")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx5")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx6")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx7")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx8")
filetrans_pattern($1, device_t, smartcard_device_t, chr_file, "cmx9")
filetrans_pattern($1, device_t, netcontrol_device_t, chr_file, "cpu_dma_latency")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu0")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu1")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu2")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu3")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu4")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu5")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu6")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu7")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu8")
filetrans_pattern($1, device_t, cpu_device_t, chr_file, "cpu9")
filetrans_pattern($1, device_t, mtrr_device_t, chr_file, "mtrr")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor0")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor1")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor2")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor3")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor4")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor5")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor6")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor7")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor8")
filetrans_pattern($1, device_t, event_device_t, chr_file, "sensor9")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m0")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m1")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m2")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m3")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m4")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m5")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m6")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m7")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m8")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "m9")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard0")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard1")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard2")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard3")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard4")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard5")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard6")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard7")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard8")
filetrans_pattern($1, device_t, event_device_t, chr_file, "keyboard9")
filetrans_pattern($1, device_t, lvm_control_t, chr_file, "control")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "ucb1x00")
filetrans_pattern($1, device_t, mouse_device_t, chr_file, "mk712")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx0")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx1")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx2")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx3")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx4")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx5")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx6")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx7")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx8")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "dc2xx9")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8000")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8001")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8002")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8003")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8004")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8005")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8006")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8007")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8008")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "mdc8009")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner0")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner1")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner2")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner3")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner4")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner5")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner6")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner7")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner8")
filetrans_pattern($1, device_t, scanner_device_t, chr_file, "scanner9")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap0")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap1")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap2")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap3")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap4")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap5")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap6")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap7")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap8")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "blktap9")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntdev")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "gntalloc")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "privcmd")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "xenbus")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "xenbus_backend")
filetrans_pattern($1, device_t, xen_device_t, chr_file, "hypercall")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC7")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC8")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC9")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC10")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC11")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC12")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC13")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC14")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC15")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC16")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC17")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC18")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC19")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC20")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC21")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC22")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC23")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC24")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC25")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC26")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC27")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC28")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "controlC29")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "patmgr1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd0")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd1")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd2")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd3")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd4")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd5")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd6")
filetrans_pattern($1, device_t, sound_device_t, chr_file, "srnd7")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk0")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk1")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk2")
filetrans_pattern($1, device_t, v4l_device_t, chr_file, "tlk3")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "uba")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubb")
filetrans_pattern($1, device_t, usb_device_t, chr_file, "ubc")
filetrans_pattern($1, device_t, uhid_device_t, chr_file, "uhid")
filetrans_pattern($1, device_t, hypervkvp_device_t, chr_file, "hv_kvp")
filetrans_pattern($1, device_t, hypervvssd_device_t, chr_file, "hv_vss")
filetrans_pattern($1, device_t, gpfs_device_t, chr_file, "ss0")
filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip0")
filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip1")
filetrans_pattern($1, device_t, gpio_device_t, chr_file, "gpiochip2")
dev_filetrans_xserver_named_dev($1)
')
########################################
## <summary>
## Create all named devices with the correct label
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_filetrans_xserver_named_dev',`
gen_require(`
type xserver_misc_device_t;
')
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "3dfx")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "controlD64")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "gfx")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "graphics")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid0")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid1")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid2")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid3")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid4")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid5")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid6")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid7")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid8")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "mga_vid9")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia0")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia1")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia2")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia3")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia4")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia5")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia6")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia7")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia8")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia9")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidiactl")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "nvidia-uvm")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "opengl")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox0")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox1")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox2")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox3")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox4")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox5")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox6")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox7")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox8")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vbox9")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "vga_arbiter")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card0")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card1")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card2")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card3")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card4")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card5")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card6")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card7")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card8")
filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
')
Reference in a new issue View git blame Copy permalink