authorDominick Grift <dominick.grift@defensec.nl>2023-08-20 15:44:41 +0200
committerDominick Grift <dominick.grift@defensec.nl>2023-08-20 15:46:23 +0200
commit0c187b6ff97f91c41dab65a6426dc61f77305cdf (patch)
tree1e35f5851154500a8a39428a45a5671f9488e1da /src/dev
Import dssp5
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Diffstat (limited to 'src/dev')
-rw-r--r--src/dev/nodedev.cil116
-rw-r--r--src/dev/nodedev/apmnodedev.cil8
-rw-r--r--src/dev/nodedev/autofsnodedev.cil8
-rw-r--r--src/dev/nodedev/btrfscontrolnodedev.cil8
-rw-r--r--src/dev/nodedev/cachefilesnodedev.cil8
-rw-r--r--src/dev/nodedev/cdcwdmnodedev.cil8
-rw-r--r--src/dev/nodedev/clocknodedev.cil10
-rw-r--r--src/dev/nodedev/cpunodedev.cil8
-rw-r--r--src/dev/nodedev/crashnodedev.cil8
-rw-r--r--src/dev/nodedev/cusenodedev.cil8
-rw-r--r--src/dev/nodedev/dmaheapnodedev.cil8
-rw-r--r--src/dev/nodedev/dmcontrolnodedev.cil8
-rw-r--r--src/dev/nodedev/drinodedev.cil10
-rw-r--r--src/dev/nodedev/drmdpauxnodedev.cil8
-rw-r--r--src/dev/nodedev/eventnodedev.cil10
-rw-r--r--src/dev/nodedev/fbnodedev.cil8
-rw-r--r--src/dev/nodedev/gpionodedev.cil8
-rw-r--r--src/dev/nodedev/hiddevnodedev.cil8
-rw-r--r--src/dev/nodedev/hidrawnodedev.cil8
-rw-r--r--src/dev/nodedev/hwrngnodedev.cil8
-rw-r--r--src/dev/nodedev/i2cnodedev.cil8
-rw-r--r--src/dev/nodedev/iionodedev.cil8
-rw-r--r--src/dev/nodedev/infinibandnodedev.cil8
-rw-r--r--src/dev/nodedev/inputnodedev.cil10
-rw-r--r--src/dev/nodedev/ipminodedev.cil8
-rw-r--r--src/dev/nodedev/kfdnodedev.cil8
-rw-r--r--src/dev/nodedev/kmsgnodedev.cil8
-rw-r--r--src/dev/nodedev/ksmnodedev.cil8
-rw-r--r--src/dev/nodedev/kvmnodedev.cil10
-rw-r--r--src/dev/nodedev/lircnodedev.cil8
-rw-r--r--src/dev/nodedev/loopcontrolnodedev.cil8
-rw-r--r--src/dev/nodedev/mcelognodedev.cil8
-rw-r--r--src/dev/nodedev/meinodedev.cil8
-rw-r--r--src/dev/nodedev/memnodedev.cil53
-rw-r--r--src/dev/nodedev/modemnodedev.cil8
-rw-r--r--src/dev/nodedev/ndctlnodedev.cil8
-rw-r--r--src/dev/nodedev/nullnodedev.cil13
-rw-r--r--src/dev/nodedev/nvramnodedev.cil8
-rw-r--r--src/dev/nodedev/pmunodedev.cil9
-rw-r--r--src/dev/nodedev/pppnodedev.cil8
-rw-r--r--src/dev/nodedev/printernodedev.cil9
-rw-r--r--src/dev/nodedev/ptmxnodedev.cil10
-rw-r--r--src/dev/nodedev/qosnodedev.cil11
-rw-r--r--src/dev/nodedev/randomnodedev.cil11
-rw-r--r--src/dev/nodedev/rfkillnodedev.cil8
-rw-r--r--src/dev/nodedev/sndnodedev.cil10
-rw-r--r--src/dev/nodedev/tpmnodedev.cil9
-rw-r--r--src/dev/nodedev/ttynodedev.cil10
-rw-r--r--src/dev/nodedev/tuntapnodedev.cil11
-rw-r--r--src/dev/nodedev/udmabufnodedev.cil8
-rw-r--r--src/dev/nodedev/uffdnodedev.cil8
-rw-r--r--src/dev/nodedev/uhidnodedev.cil8
-rw-r--r--src/dev/nodedev/uinputnodedev.cil8
-rw-r--r--src/dev/nodedev/uionodedev.cil8
-rw-r--r--src/dev/nodedev/usbmonnodedev.cil8
-rw-r--r--src/dev/nodedev/usbnodedev.cil8
-rw-r--r--src/dev/nodedev/v4lnodedev.cil11
-rw-r--r--src/dev/nodedev/vfionodedev.cil10
-rw-r--r--src/dev/nodedev/vgaarbiternodedev.cil8
-rw-r--r--src/dev/nodedev/vhostnodedev.cil11
-rw-r--r--src/dev/nodedev/vmcinodedev.cil9
-rw-r--r--src/dev/nodedev/watchdognodedev.cil8
-rw-r--r--src/dev/nodedev/zeronodedev.cil10
-rw-r--r--src/dev/stordev.cil188
-rw-r--r--src/dev/stordev/dmstordev.cil9
-rw-r--r--src/dev/stordev/fusestordev.cil11
-rw-r--r--src/dev/stordev/hdstordev.cil9
-rw-r--r--src/dev/stordev/loopstordev.cil9
-rw-r--r--src/dev/stordev/mdstordev.cil9
-rw-r--r--src/dev/stordev/mtdstordev.cil14
-rw-r--r--src/dev/stordev/nvmestordev.cil10
-rw-r--r--src/dev/stordev/rawstordev.cil9
-rw-r--r--src/dev/stordev/removablestordev.cil17
-rw-r--r--src/dev/stordev/sdstordev.cil9
-rw-r--r--src/dev/stordev/sgstordev.cil10
-rw-r--r--src/dev/stordev/vdstordev.cil9
-rw-r--r--src/dev/stordev/xdstordev.cil9
-rw-r--r--src/dev/stordev/zramstordev.cil9
-rw-r--r--src/dev/termdev.cil43
-rw-r--r--src/dev/termdev/ptytermdev.cil125
-rw-r--r--src/dev/termdev/ptytermdev/loginptytermdev.cil55
-rw-r--r--src/dev/termdev/ptytermdev/loginptytermdev/sysloginptytermdev.cil29
-rw-r--r--src/dev/termdev/serialtermdev.cil124
-rw-r--r--src/dev/termdev/serialtermdev/acmserialtermdev.cil8
-rw-r--r--src/dev/termdev/serialtermdev/consoleserialtermdev.cil8
-rw-r--r--src/dev/termdev/serialtermdev/loginserialtermdev.cil55
-rw-r--r--src/dev/termdev/serialtermdev/loginserialtermdev/ttyloginserialtermdev.cil8
-rw-r--r--src/dev/termdev/serialtermdev/msmserialtermdev.cil8
-rw-r--r--src/dev/termdev/serialtermdev/sysserialtermdev.cil22
-rw-r--r--src/dev/termdev/serialtermdev/usbserialtermdev.cil8
-rw-r--r--src/dev/termdev/serialtermdev/vcsserialtermdev.cil8
-rw-r--r--src/dev/termdev/serialtermdev/vportserialtermdev.cil8
92 files changed, 1541 insertions, 0 deletions
diff --git a/src/dev/nodedev.cil b/src/dev/nodedev.cil
new file mode 100644
index 0000000..b681759
--- /dev/null
+++ b/src/dev/nodedev.cil
@@ -0,0 +1,116 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block nodedev
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (macro mounton_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr mounton_chr_file))
+
+ (blockinherit .file.all_macro_template_chr_files)
+
+ (call .dev.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context nodedev_context (.sys.id .sys.role nodedev lowlevelrange))
+
+ (type nodedev)
+ (call .nodedev.type (nodedev)))
+
+ (block except
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (blockinherit file.all_macro_template_chr_files)
+
+ (typeattribute typeattr)
+
+ (typeattributeset typeattr
+ (and nodedev.typeattr (not (exception.typeattr)))))
+
+ (block exception
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (call nodedev.type (typeattr))
+
+ (call .dev.exception.type (typeattr)))
+
+ (block macro_template_chr_files
+
+ (blockabstract macro_template_chr_files)
+
+ (macro append_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev append_chr_file))
+
+ (macro appendinherited_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev appendinherited_chr_file))
+
+ (macro create_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev create_chr_file))
+
+ (macro delete_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev delete_chr_file))
+
+ (macro manage_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev manage_chr_file))
+
+ (macro mapexecute_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev mapexecute_chr_file))
+
+ (macro read_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev read_chr_file))
+
+ (macro readinherited_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev readinherited_chr_file))
+
+ (macro readwrite_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev readwrite_chr_file))
+
+ (macro readwriteinherited_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev readwriteinherited_chr_file))
+
+ (macro relabel_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev relabel_chr_file))
+
+ (macro relabelfrom_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev relabelfrom_chr_file))
+
+ (macro relabelto_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev relabelto_chr_file))
+
+ (macro rename_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev rename_chr_file))
+
+ (macro write_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev write_chr_file))
+
+ (macro writeinherited_nodedev_chr_files ((type ARG1))
+ (allow ARG1 nodedev writeinherited_chr_file)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .nodedev.base_template)
+ (blockinherit .nodedev.macro_template_chr_files))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr nodedev.typeattr (chr_file (not (audit_access execmod))))))
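Review bot: Namespace qualification is inconsistent inside the `except` and `exception` blocks: `(blockinherit file.all_macro_template_chr_files)` and `(call nodedev.type (typeattr))` are written relative, while the same targets are written absolute elsewhere in this file (`.file.all_macro_template_chr_files`, `.nodedev.type`, `.dev.exception.type`). Relative names resolve by walking up the enclosing namespaces, so they work today but would silently rebind if a `file` or `nodedev` child block were ever added under `nodedev.except`/`nodedev.exception`; I would write `(blockinherit .file.all_macro_template_chr_files)` and `(call .nodedev.type (typeattr))` to match the rest of the file. The `typeattr`/`except`/`exception`/`unconfined` quartet also has no explanatory comment; a short header such as `;; except.typeattr = every nodedev type minus those enrolled via exception.type; unconfined.typeattr gets all chr_file access to all nodedev types except audit_access and execmod` would save the next reader from reconstructing it from the typeattributeset expressions.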
diff --git a/src/dev/nodedev/apmnodedev.cil b/src/dev/nodedev/apmnodedev.cil
new file mode 100644
index 0000000..d13ee45
--- /dev/null
+++ b/src/dev/nodedev/apmnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block apm
+
+ (filecon "/dev/snapshot" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/autofsnodedev.cil b/src/dev/nodedev/autofsnodedev.cil
new file mode 100644
index 0000000..1aea912
--- /dev/null
+++ b/src/dev/nodedev/autofsnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block autofs
+
+ (filecon "/dev/autofs" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/btrfscontrolnodedev.cil b/src/dev/nodedev/btrfscontrolnodedev.cil
new file mode 100644
index 0000000..e390955
--- /dev/null
+++ b/src/dev/nodedev/btrfscontrolnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block btrfscontrol
+
+ (filecon "/dev/btrfs-control" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/cachefilesnodedev.cil b/src/dev/nodedev/cachefilesnodedev.cil
new file mode 100644
index 0000000..8b3aba2
--- /dev/null
+++ b/src/dev/nodedev/cachefilesnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cachefiles
+
+ (filecon "/dev/cachefiles" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/cdcwdmnodedev.cil b/src/dev/nodedev/cdcwdmnodedev.cil
new file mode 100644
index 0000000..1c03f7f
--- /dev/null
+++ b/src/dev/nodedev/cdcwdmnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cdcwdm
+
+ (filecon "/dev/cdc-wdm([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/clocknodedev.cil b/src/dev/nodedev/clocknodedev.cil
new file mode 100644
index 0000000..97a67f7
--- /dev/null
+++ b/src/dev/nodedev/clocknodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block clock
+
+ (filecon "/dev/hpet" char nodedev_context)
+ (filecon "/dev/ptp([0-9]+)?" char nodedev_context)
+ (filecon "/dev/rtc([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/cpunodedev.cil b/src/dev/nodedev/cpunodedev.cil
new file mode 100644
index 0000000..07fc918
--- /dev/null
+++ b/src/dev/nodedev/cpunodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cpu
+
+ (filecon "/dev/cpu/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/crashnodedev.cil b/src/dev/nodedev/crashnodedev.cil
new file mode 100644
index 0000000..db1abe9
--- /dev/null
+++ b/src/dev/nodedev/crashnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block crash
+
+ (filecon "/dev/crash" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/cusenodedev.cil b/src/dev/nodedev/cusenodedev.cil
new file mode 100644
index 0000000..ab303b0
--- /dev/null
+++ b/src/dev/nodedev/cusenodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block cuse
+
+ (filecon "/dev/cuse" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/dmaheapnodedev.cil b/src/dev/nodedev/dmaheapnodedev.cil
new file mode 100644
index 0000000..acaa5e8
--- /dev/null
+++ b/src/dev/nodedev/dmaheapnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block dmaheap
+
+ (filecon "/dev/dma_heap/.*" char nodedev_context)
+
+ (blockinherit .nodedev.template))
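Review bot: The pattern `"/dev/dma_heap/.*"` is the only directory-style filecon in this series that uses `.*`; cpu, dri, infiniband, snd, usb and vfio all use `.+`. Because the class is `char`, both forms label the same set of device nodes, but `(filecon "/dev/dma_heap/.+" char nodedev_context)` would keep the regexes uniform and avoids the appearance that the directory itself is meant to match.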
diff --git a/src/dev/nodedev/dmcontrolnodedev.cil b/src/dev/nodedev/dmcontrolnodedev.cil
new file mode 100644
index 0000000..687e1e4
--- /dev/null
+++ b/src/dev/nodedev/dmcontrolnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block dmcontrol
+
+ (filecon "/dev/mapper/control" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/drinodedev.cil b/src/dev/nodedev/drinodedev.cil
new file mode 100644
index 0000000..d215a46
--- /dev/null
+++ b/src/dev/nodedev/drinodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block dri
+
+ (filecon "/dev/dri/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/drmdpauxnodedev.cil b/src/dev/nodedev/drmdpauxnodedev.cil
new file mode 100644
index 0000000..59c5257
--- /dev/null
+++ b/src/dev/nodedev/drmdpauxnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block drmdpaux
+
+ (filecon "/dev/drm_dp_aux[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/eventnodedev.cil b/src/dev/nodedev/eventnodedev.cil
new file mode 100644
index 0000000..a8e3ee5
--- /dev/null
+++ b/src/dev/nodedev/eventnodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block event
+
+ (filecon "/dev/input/event([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/fbnodedev.cil b/src/dev/nodedev/fbnodedev.cil
new file mode 100644
index 0000000..47d670c
--- /dev/null
+++ b/src/dev/nodedev/fbnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block fb
+
+ (filecon "/dev/fb([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/gpionodedev.cil b/src/dev/nodedev/gpionodedev.cil
new file mode 100644
index 0000000..466fbdb
--- /dev/null
+++ b/src/dev/nodedev/gpionodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block gpio
+
+ (filecon "/dev/gpiochip([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/hiddevnodedev.cil b/src/dev/nodedev/hiddevnodedev.cil
new file mode 100644
index 0000000..202a000
--- /dev/null
+++ b/src/dev/nodedev/hiddevnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block hiddev
+
+ (filecon "/dev/hiddev[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/hidrawnodedev.cil b/src/dev/nodedev/hidrawnodedev.cil
new file mode 100644
index 0000000..3ca398f
--- /dev/null
+++ b/src/dev/nodedev/hidrawnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block hidraw
+
+ (filecon "/dev/hidraw[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/hwrngnodedev.cil b/src/dev/nodedev/hwrngnodedev.cil
new file mode 100644
index 0000000..76a14bf
--- /dev/null
+++ b/src/dev/nodedev/hwrngnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block hwrng
+
+ (filecon "/dev/hwrng" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/i2cnodedev.cil b/src/dev/nodedev/i2cnodedev.cil
new file mode 100644
index 0000000..e6bd3d0
--- /dev/null
+++ b/src/dev/nodedev/i2cnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block i2c
+
+ (filecon "/dev/i2c([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/iionodedev.cil b/src/dev/nodedev/iionodedev.cil
new file mode 100644
index 0000000..40e9d4b
--- /dev/null
+++ b/src/dev/nodedev/iionodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block iio
+
+ (filecon "/dev/iio:device([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/infinibandnodedev.cil b/src/dev/nodedev/infinibandnodedev.cil
new file mode 100644
index 0000000..4b15207
--- /dev/null
+++ b/src/dev/nodedev/infinibandnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block infiniband
+
+ (filecon "/dev/infiniband/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/inputnodedev.cil b/src/dev/nodedev/inputnodedev.cil
new file mode 100644
index 0000000..c68115a
--- /dev/null
+++ b/src/dev/nodedev/inputnodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block input
+
+ (filecon "/dev/input/js([0-9]+)?" char nodedev_context)
+ (filecon "/dev/input/mice" char nodedev_context)
+ (filecon "/dev/input/mouse([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ipminodedev.cil b/src/dev/nodedev/ipminodedev.cil
new file mode 100644
index 0000000..21b4c66
--- /dev/null
+++ b/src/dev/nodedev/ipminodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ipmi
+
+ (filecon "/dev/ipmi[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/kfdnodedev.cil b/src/dev/nodedev/kfdnodedev.cil
new file mode 100644
index 0000000..1b90a69
--- /dev/null
+++ b/src/dev/nodedev/kfdnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block kfd
+
+ (filecon "/dev/kfd" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/kmsgnodedev.cil b/src/dev/nodedev/kmsgnodedev.cil
new file mode 100644
index 0000000..3417a9e
--- /dev/null
+++ b/src/dev/nodedev/kmsgnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block kmsg
+
+ (filecon "/dev/kmsg" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ksmnodedev.cil b/src/dev/nodedev/ksmnodedev.cil
new file mode 100644
index 0000000..b979ca9
--- /dev/null
+++ b/src/dev/nodedev/ksmnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ksm
+
+ (filecon "/dev/ksm" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/kvmnodedev.cil b/src/dev/nodedev/kvmnodedev.cil
new file mode 100644
index 0000000..8b13d49
--- /dev/null
+++ b/src/dev/nodedev/kvmnodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block kvm
+
+ (filecon "/dev/kvm" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/lircnodedev.cil b/src/dev/nodedev/lircnodedev.cil
new file mode 100644
index 0000000..4a96ea0
--- /dev/null
+++ b/src/dev/nodedev/lircnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block lirc
+
+ (filecon "/dev/lirc[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/loopcontrolnodedev.cil b/src/dev/nodedev/loopcontrolnodedev.cil
new file mode 100644
index 0000000..e594763
--- /dev/null
+++ b/src/dev/nodedev/loopcontrolnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block loopcontrol
+
+ (filecon "/dev/loop-control" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/mcelognodedev.cil b/src/dev/nodedev/mcelognodedev.cil
new file mode 100644
index 0000000..98ddaf7
--- /dev/null
+++ b/src/dev/nodedev/mcelognodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mcelog
+
+ (filecon "/dev/mcelog" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/meinodedev.cil b/src/dev/nodedev/meinodedev.cil
new file mode 100644
index 0000000..41f9f8d
--- /dev/null
+++ b/src/dev/nodedev/meinodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mei
+
+ (filecon "/dev/mei([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/memnodedev.cil b/src/dev/nodedev/memnodedev.cil
new file mode 100644
index 0000000..cfef06e
--- /dev/null
+++ b/src/dev/nodedev/memnodedev.cil
@@ -0,0 +1,53 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mem
+
+ (filecon "/dev/mem" char nodedev_context)
+ (filecon "/dev/port" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .nodedev.exception.type (nodedev))
+
+ (block read
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
+
+ (typeattributeset not_typeattr (not typeattr))
+
+ (neverallow not_typeattr mem.nodedev (chr_file (read))))
+
+ (block readwrite
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (call read.type (typeattr))
+ (call write.type (typeattr)))
+
+ (block write
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
+
+ (typeattributeset not_typeattr (not typeattr))
+
+ (neverallow not_typeattr mem.nodedev (chr_file (append write)))))
+
+(in dev.unconfined
+
+ (call .mem.readwrite.type (typeattr)))
+
+(in nodedev.unconfined
+
+ (call .mem.readwrite.type (typeattr)))
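Review bot: The two `neverallow` rules are the security-relevant part of this file and carry no comment explaining why `mem` is registered as an exception and gated by `not_typeattr`. I would add a comment above the `read` block along the lines of `;; /dev/mem and /dev/port give raw physical-memory and I/O-port access; read and append/write are neverallowed for every type not enrolled through mem.read.type, mem.write.type or mem.readwrite.type, and the exception registration keeps mem.nodedev out of nodedev.except.typeattr so the generic chr_file macros cannot reach it`. It may also be worth stating in that comment that the `in dev.unconfined` / `in nodedev.unconfined` stanzas at the bottom are what keep the broad `nodedev.unconfined` allow from tripping the neverallow, since that relationship is only visible by reading nodedev.cil alongside this file.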
diff --git a/src/dev/nodedev/modemnodedev.cil b/src/dev/nodedev/modemnodedev.cil
new file mode 100644
index 0000000..8fce849
--- /dev/null
+++ b/src/dev/nodedev/modemnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block modem
+
+ (filecon "/dev/modem" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ndctlnodedev.cil b/src/dev/nodedev/ndctlnodedev.cil
new file mode 100644
index 0000000..b55df2c
--- /dev/null
+++ b/src/dev/nodedev/ndctlnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ndctl
+
+ (filecon "/dev/ndctl([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/nullnodedev.cil b/src/dev/nodedev/nullnodedev.cil
new file mode 100644
index 0000000..e6340a3
--- /dev/null
+++ b/src/dev/nodedev/nullnodedev.cil
@@ -0,0 +1,13 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(sidcontext devnull (sys.id sys.role null.nodedev lowlevelrange))
+
+(block null
+
+ (filecon "/dev/full" char nodedev_context)
+ (filecon "/dev/null" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
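Review bot: The `sidcontext` line names `sys.id sys.role null.nodedev` without the leading dot, whereas `nodedev_context` in nodedev.cil spells the same identifiers `.sys.id .sys.role`. At file top level both forms resolve identically, but the rest of this series consistently uses absolute names for cross-block references, so `(sidcontext devnull (.sys.id .sys.role .null.nodedev lowlevelrange))` would be the consistent spelling. A one-line comment noting that this is the initial SID for the kernel's devnull object would also help, since it is the only sidcontext in the directory.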
diff --git a/src/dev/nodedev/nvramnodedev.cil b/src/dev/nodedev/nvramnodedev.cil
new file mode 100644
index 0000000..5a1b581
--- /dev/null
+++ b/src/dev/nodedev/nvramnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block nvram
+
+ (filecon "/dev/nvram" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/pmunodedev.cil b/src/dev/nodedev/pmunodedev.cil
new file mode 100644
index 0000000..d27d04d
--- /dev/null
+++ b/src/dev/nodedev/pmunodedev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block pmu
+
+ (filecon "/dev/pmu" char nodedev_context)
+ (filecon "/dev/smu" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/pppnodedev.cil b/src/dev/nodedev/pppnodedev.cil
new file mode 100644
index 0000000..2a551c2
--- /dev/null
+++ b/src/dev/nodedev/pppnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ppp
+
+ (filecon "/dev/ppp" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/printernodedev.cil b/src/dev/nodedev/printernodedev.cil
new file mode 100644
index 0000000..2766e4a
--- /dev/null
+++ b/src/dev/nodedev/printernodedev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block printer
+
+ (filecon "/dev/lp([0-9]+)?" char nodedev_context)
+ (filecon "/dev/parport([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/ptmxnodedev.cil b/src/dev/nodedev/ptmxnodedev.cil
new file mode 100644
index 0000000..8d26226
--- /dev/null
+++ b/src/dev/nodedev/ptmxnodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ptmx
+
+ (filecon "/dev/ptmx" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/qosnodedev.cil b/src/dev/nodedev/qosnodedev.cil
new file mode 100644
index 0000000..b64d46d
--- /dev/null
+++ b/src/dev/nodedev/qosnodedev.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block qos
+
+ (filecon "/dev/cpu_dma_latency" char nodedev_context)
+ (filecon "/dev/memory_bandwidth" char nodedev_context)
+ (filecon "/dev/network_latency" char nodedev_context)
+ (filecon "/dev/network_throughput" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/randomnodedev.cil b/src/dev/nodedev/randomnodedev.cil
new file mode 100644
index 0000000..c3b1cd6
--- /dev/null
+++ b/src/dev/nodedev/randomnodedev.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block random
+
+ (filecon "/dev/random" char nodedev_context)
+ (filecon "/dev/urandom" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/rfkillnodedev.cil b/src/dev/nodedev/rfkillnodedev.cil
new file mode 100644
index 0000000..712cb21
--- /dev/null
+++ b/src/dev/nodedev/rfkillnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block rfkill
+
+ (filecon "/dev/rfkill" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/sndnodedev.cil b/src/dev/nodedev/sndnodedev.cil
new file mode 100644
index 0000000..85569c3
--- /dev/null
+++ b/src/dev/nodedev/sndnodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block snd
+
+ (filecon "/dev/snd/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/tpmnodedev.cil b/src/dev/nodedev/tpmnodedev.cil
new file mode 100644
index 0000000..98b44a3
--- /dev/null
+++ b/src/dev/nodedev/tpmnodedev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block tpm
+
+ (filecon "/dev/tpm([0-9]+)?" char nodedev_context)
+ (filecon "/dev/tpmrm([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
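Review bot: `/dev/tpm([0-9]+)?` and `/dev/tpmrm([0-9]+)?` share the single `tpm.nodedev` label, so any domain granted access to the resource-managed interface also gets the raw device. If that is the intended granularity it deserves a comment; otherwise splitting the raw node into its own block, or registering it through `.nodedev.exception.type` the way memnodedev.cil does for /dev/mem, would let the resource-managed path be granted without the raw one. This is a design question rather than a compile issue, so I am only flagging it.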
diff --git a/src/dev/nodedev/ttynodedev.cil b/src/dev/nodedev/ttynodedev.cil
new file mode 100644
index 0000000..0380fde
--- /dev/null
+++ b/src/dev/nodedev/ttynodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block tty
+
+ (filecon "/dev/tty" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/tuntapnodedev.cil b/src/dev/nodedev/tuntapnodedev.cil
new file mode 100644
index 0000000..8e4d249
--- /dev/null
+++ b/src/dev/nodedev/tuntapnodedev.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block tuntap
+
+ (filecon "/dev/net/tun" char nodedev_context)
+ (filecon "/dev/tap([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/udmabufnodedev.cil b/src/dev/nodedev/udmabufnodedev.cil
new file mode 100644
index 0000000..0404a83
--- /dev/null
+++ b/src/dev/nodedev/udmabufnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block udmabuf
+
+ (filecon "/dev/udmabuf" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/uffdnodedev.cil b/src/dev/nodedev/uffdnodedev.cil
new file mode 100644
index 0000000..c5ec44b
--- /dev/null
+++ b/src/dev/nodedev/uffdnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in uffd
+
+ (filecon "/dev/userfaultfd" char nodedev_context)
+
+ (blockinherit .nodedev.template))
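Review bot: This file opens with `(in uffd` while every sibling in src/dev/nodedev uses `(block <name>`; `in` extends an existing block, so it only compiles if a `uffd` block is declared somewhere else in the policy, and the `blockinherit .nodedev.template` then adds `nodedev`/`nodedev_context` into that foreign block. If that is deliberate (presumably the userfaultfd syscall policy already defines `uffd`), a comment such as `;; extends the uffd block declared elsewhere; the /dev/userfaultfd node shares that namespace` would explain the divergence; if not, `(block uffd` is the form the rest of the series uses.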
diff --git a/src/dev/nodedev/uhidnodedev.cil b/src/dev/nodedev/uhidnodedev.cil
new file mode 100644
index 0000000..d92b7d4
--- /dev/null
+++ b/src/dev/nodedev/uhidnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block uhid
+
+ (filecon "/dev/uhid" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/uinputnodedev.cil b/src/dev/nodedev/uinputnodedev.cil
new file mode 100644
index 0000000..194b632
--- /dev/null
+++ b/src/dev/nodedev/uinputnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block uinput
+
+ (filecon "/dev/uinput" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/uionodedev.cil b/src/dev/nodedev/uionodedev.cil
new file mode 100644
index 0000000..533bb05
--- /dev/null
+++ b/src/dev/nodedev/uionodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block uio
+
+ (filecon "/dev/uio[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/usbmonnodedev.cil b/src/dev/nodedev/usbmonnodedev.cil
new file mode 100644
index 0000000..b11881c
--- /dev/null
+++ b/src/dev/nodedev/usbmonnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block usbmon
+
+ (filecon "/dev/usbmon[0-9]+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/usbnodedev.cil b/src/dev/nodedev/usbnodedev.cil
new file mode 100644
index 0000000..2432b6a
--- /dev/null
+++ b/src/dev/nodedev/usbnodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block usb
+
+ (filecon "/dev/bus/usb/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/v4lnodedev.cil b/src/dev/nodedev/v4lnodedev.cil
new file mode 100644
index 0000000..b2fe91f
--- /dev/null
+++ b/src/dev/nodedev/v4lnodedev.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block v4l
+
+ (filecon "/dev/media([0-9]+)?" char nodedev_context)
+ (filecon "/dev/video([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/vfionodedev.cil b/src/dev/nodedev/vfionodedev.cil
new file mode 100644
index 0000000..8644d8e
--- /dev/null
+++ b/src/dev/nodedev/vfionodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vfio
+
+ (filecon "/dev/vfio/.+" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/nodedev/vgaarbiternodedev.cil b/src/dev/nodedev/vgaarbiternodedev.cil
new file mode 100644
index 0000000..bbe5fe6
--- /dev/null
+++ b/src/dev/nodedev/vgaarbiternodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vgaarbiter
+
+ (filecon "/dev/vga_arbiter" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/vhostnodedev.cil b/src/dev/nodedev/vhostnodedev.cil
new file mode 100644
index 0000000..305e2be
--- /dev/null
+++ b/src/dev/nodedev/vhostnodedev.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vhost
+
+ (filecon "/dev/vhci" char nodedev_context)
+ (filecon "/dev/vhost-net" char nodedev_context)
+ (filecon "/dev/vhost-scsi" char nodedev_context)
+ (filecon "/dev/vhost-vsock" char nodedev_context)
+
+ (blockinherit .nodedev.template))
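Review bot: `/dev/vhci` in the vhost block looks like a mis-grouping: that node is created by the Bluetooth virtual HCI driver (hci_vhci), not by the vhost subsystem, so with this file it shares a type with vhost-net, vhost-scsi and vhost-vsock and any domain granted the vhost node type also receives the virtual HCI device. If it was meant to be separate, give it its own block, e.g. `(block vhci` with `(filecon "/dev/vhci" char nodedev_context)` and the same `blockinherit`; if the grouping is intentional, a comment saying why would stop the next reader from raising the same question.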
diff --git a/src/dev/nodedev/vmcinodedev.cil b/src/dev/nodedev/vmcinodedev.cil
new file mode 100644
index 0000000..d19746b
--- /dev/null
+++ b/src/dev/nodedev/vmcinodedev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vmci
+
+ (filecon "/dev/vmci" char nodedev_context)
+ (filecon "/dev/vsock" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/watchdognodedev.cil b/src/dev/nodedev/watchdognodedev.cil
new file mode 100644
index 0000000..120da11
--- /dev/null
+++ b/src/dev/nodedev/watchdognodedev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block watchdog
+
+ (filecon "/dev/watchdog([0-9]+)?" char nodedev_context)
+
+ (blockinherit .nodedev.template))
diff --git a/src/dev/nodedev/zeronodedev.cil b/src/dev/nodedev/zeronodedev.cil
new file mode 100644
index 0000000..386966a
--- /dev/null
+++ b/src/dev/nodedev/zeronodedev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block zero
+
+ (filecon "/dev/zero" char nodedev_context)
+
+ (blockinherit .nodedev.template)
+
+ (call .rbacsep.exempt.obj.type (nodedev)))
diff --git a/src/dev/stordev.cil b/src/dev/stordev.cil
new file mode 100644
index 0000000..8611ec6
--- /dev/null
+++ b/src/dev/stordev.cil
@@ -0,0 +1,188 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block stordev
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (macro mounton_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr mounton_chr_file))
+
+ (blockinherit .file.all_macro_template_blk_files)
+ (blockinherit .file.all_macro_template_chr_files)
+
+ (call .dev.exception.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context stordev_context (.sys.id .sys.role stordev lowlevelrange))
+
+ (type stordev)
+ (call .stordev.type (stordev)))
+
+ (block macro_template_blk_files
+
+ (blockabstract macro_template_blk_files)
+
+ (macro append_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev append_blk_file))
+
+ (macro appendinherited_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev appendinherited_blk_file))
+
+ (macro create_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev create_blk_file))
+
+ (macro delete_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev delete_blk_file))
+
+ (macro manage_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev manage_blk_file))
+
+ (macro read_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev read_blk_file))
+
+ (macro readinherited_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev readinherited_blk_file))
+
+ (macro readwrite_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev readwrite_blk_file))
+
+ (macro readwriteinherited_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev readwriteinherited_blk_file))
+
+ (macro relabel_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev relabel_blk_file))
+
+ (macro relabelfrom_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev relabelfrom_blk_file))
+
+ (macro relabelto_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev relabelto_blk_file))
+
+ (macro rename_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev rename_blk_file))
+
+ (macro write_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev write_blk_file))
+
+ (macro writeinherited_stordev_blk_files ((type ARG1))
+ (allow ARG1 stordev writeinherited_blk_file)))
+
+ (block macro_template_chr_files
+
+ (blockabstract macro_template_chr_files)
+
+ (macro append_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev append_chr_file))
+
+ (macro appendinherited_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev appendinherited_chr_file))
+
+ (macro create_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev create_chr_file))
+
+ (macro delete_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev delete_chr_file))
+
+ (macro manage_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev manage_chr_file))
+
+ (macro mapexecute_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev mapexecute_chr_file))
+
+ (macro read_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev read_chr_file))
+
+ (macro readinherited_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev readinherited_chr_file))
+
+ (macro readwrite_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev readwrite_chr_file))
+
+ (macro readwriteinherited_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev readwriteinherited_chr_file))
+
+ (macro relabel_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev relabel_chr_file))
+
+ (macro relabelfrom_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev relabelfrom_chr_file))
+
+ (macro relabelto_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev relabelto_chr_file))
+
+ (macro rename_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev rename_chr_file))
+
+ (macro write_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev write_chr_file))
+
+ (macro writeinherited_stordev_chr_files ((type ARG1))
+ (allow ARG1 stordev writeinherited_chr_file)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files)
+ (blockinherit .stordev.macro_template_chr_files))
+
+ (block read
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
+
+ (typeattributeset not_typeattr (not typeattr))
+
+ (neverallow not_typeattr stordev.typeattr (blk_file (read)))
+ (neverallow not_typeattr stordev.typeattr (chr_file (read))))
+
+ (block readwrite
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (call read.type (typeattr))
+ (call write.type (typeattr)))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr stordev.typeattr
+ (blk_file (not (audit_access execmod map))))
+ (allow typeattr stordev.typeattr (chr_file (not (audit_access execmod))))
+
+ (call readwrite.type (typeattr)))
+
+ (block write
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute not_typeattr)
+ (typeattribute typeattr)
+
+ (typeattributeset not_typeattr (not typeattr))
+
+ (neverallow not_typeattr stordev.typeattr (blk_file (append write)))
+ (neverallow not_typeattr stordev.typeattr (chr_file (append write)))))
+
+(in dev.unconfined
+
+ (call .stordev.readwrite.type (typeattr)))
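Review bot: The neverallow in the `write` block only names `append` and `write` on blk_file and chr_file, so a type outside `write.typeattr` may still hold `ioctl` on storage device types, and block-device ioctls (discard and zero-range, for instance) can alter the media without the write permission; the `read` block likewise leaves `map` and `ioctl` unconstrained. Whether an allowx elsewhere in the policy narrows ioctl on these types is not visible in this diff. If the guarantee is meant to be "only approved types can alter storage devices", extend the rule to `(neverallow not_typeattr stordev.typeattr (blk_file (append ioctl write)))` at the cost of routing every ioctl user through `write.type`; otherwise a comment above the block stating that ioctl is not covered would document the weaker guarantee. Separately, `unconfined` excludes `map` for blk_file but not for chr_file on the following line, which may be deliberate but is unexplained.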
diff --git a/src/dev/stordev/dmstordev.cil b/src/dev/stordev/dmstordev.cil
new file mode 100644
index 0000000..4a0d4d9
--- /dev/null
+++ b/src/dev/stordev/dmstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block dm
+
+ (filecon "/dev/dm-[0-9]+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/stordev/fusestordev.cil b/src/dev/stordev/fusestordev.cil
new file mode 100644
index 0000000..da05a57
--- /dev/null
+++ b/src/dev/stordev/fusestordev.cil
@@ -0,0 +1,11 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block fuse
+
+ (filecon "/dev/fuse" char stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_chr_files)
+
+ (call .rbacsep.exempt.obj.type (stordev)))
diff --git a/src/dev/stordev/hdstordev.cil b/src/dev/stordev/hdstordev.cil
new file mode 100644
index 0000000..c912513
--- /dev/null
+++ b/src/dev/stordev/hdstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block hd
+
+ (filecon "/dev/hd[^/]+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/stordev/loopstordev.cil b/src/dev/stordev/loopstordev.cil
new file mode 100644
index 0000000..d683738
--- /dev/null
+++ b/src/dev/stordev/loopstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block loop
+
+ (filecon "/dev/loop.+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/stordev/mdstordev.cil b/src/dev/stordev/mdstordev.cil
new file mode 100644
index 0000000..1aa7d84
--- /dev/null
+++ b/src/dev/stordev/mdstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block md
+
+ (filecon "/dev/md[^/]+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/stordev/mtdstordev.cil b/src/dev/stordev/mtdstordev.cil
new file mode 100644
index 0000000..f8338b8
--- /dev/null
+++ b/src/dev/stordev/mtdstordev.cil
@@ -0,0 +1,14 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block mtd
+
+ (filecon "/dev/mtd[0-9]+" char stordev_context)
+ (filecon "/dev/mtd[0-9]+ro" char stordev_context)
+ (filecon "/dev/mtdblock[0-9]+" block stordev_context)
+
+ (filecon "/dev/ubi[0-9]+_[0-9]+" char stordev_context)
+ (filecon "/dev/ubi_ctrl" char stordev_context)
+ (filecon "/dev/ubiblock[0-9]+_[0-9]+" block stordev_context)
+
+ (blockinherit .stordev.template))
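Review bot: There appears to be no pattern for the UBI device node itself, i.e. /dev/ubi0 as opposed to the volume nodes matched by `/dev/ubi[0-9]+_[0-9]+`, so that node would fall through to whatever the generic /dev rule assigns; confirm whether that is intended. If not, `(filecon "/dev/ubi[0-9]+" char stordev_context)` alongside the existing ubi lines would cover it.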
diff --git a/src/dev/stordev/nvmestordev.cil b/src/dev/stordev/nvmestordev.cil
new file mode 100644
index 0000000..ce30812
--- /dev/null
+++ b/src/dev/stordev/nvmestordev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block nvme
+
+ (filecon "/dev/ng[0-9]n[^/]+" char stordev_context)
+ (filecon "/dev/nvme[0-9]+" char stordev_context)
+ (filecon "/dev/nvme[0-9]n[^/]+" block stordev_context)
+
+ (blockinherit .stordev.template))
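Review bot: The controller index is a single digit in `/dev/ng[0-9]n[^/]+` and `/dev/nvme[0-9]n[^/]+` but multi-digit in `/dev/nvme[0-9]+`, so on a host with more than ten controllers the namespace and generic nodes (e.g. /dev/nvme10n1) match nothing in this file while the controller node does; file_contexts regexes are anchored, so a partial match does not help. Use `[0-9]+` in all three: `(filecon "/dev/ng[0-9]+n[^/]+" char stordev_context)` and `(filecon "/dev/nvme[0-9]+n[^/]+" block stordev_context)`. The same single-digit index appears in removablestordev.cil for the mmcblk and mspblk boot, partition and rpmb patterns next to a `[0-9]+` base pattern.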
diff --git a/src/dev/stordev/rawstordev.cil b/src/dev/stordev/rawstordev.cil
new file mode 100644
index 0000000..f04b019
--- /dev/null
+++ b/src/dev/stordev/rawstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block raw
+
+ (filecon "/dev/raw/.+" char stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_chr_files))
diff --git a/src/dev/stordev/removablestordev.cil b/src/dev/stordev/removablestordev.cil
new file mode 100644
index 0000000..36e8a93
--- /dev/null
+++ b/src/dev/stordev/removablestordev.cil
@@ -0,0 +1,17 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block removable
+
+ (filecon "/dev/fd[^/]+" block stordev_context)
+ (filecon "/dev/mmcblk[0-9]+" block stordev_context)
+ (filecon "/dev/mmcblk[0-9]boot[^/]+" block stordev_context)
+ (filecon "/dev/mmcblk[0-9]p[^/]+" block stordev_context)
+ (filecon "/dev/mmcblk[0-9]rpmb" char stordev_context)
+ (filecon "/dev/mspblk[0-9]+" block stordev_context)
+ (filecon "/dev/mspblk[0-9]boot[^/]+" block stordev_context)
+ (filecon "/dev/mspblk[0-9]p[^/]+" block stordev_context)
+ (filecon "/dev/mspblk[0-9]rpmb" char stordev_context)
+ (filecon "/dev/sr[0-9]+" block stordev_context)
+
+ (blockinherit .stordev.template))
diff --git a/src/dev/stordev/sdstordev.cil b/src/dev/stordev/sdstordev.cil
new file mode 100644
index 0000000..822d45e
--- /dev/null
+++ b/src/dev/stordev/sdstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block sd
+
+ (filecon "/dev/sd[^/]+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/stordev/sgstordev.cil b/src/dev/stordev/sgstordev.cil
new file mode 100644
index 0000000..3592bc3
--- /dev/null
+++ b/src/dev/stordev/sgstordev.cil
@@ -0,0 +1,10 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block sg
+
+ (filecon "/dev/bsg/.+" char stordev_context)
+ (filecon "/dev/sg[0-9]+" char stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_chr_files))
diff --git a/src/dev/stordev/vdstordev.cil b/src/dev/stordev/vdstordev.cil
new file mode 100644
index 0000000..6dd0904
--- /dev/null
+++ b/src/dev/stordev/vdstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vd
+
+ (filecon "/dev/vd[^/]+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/stordev/xdstordev.cil b/src/dev/stordev/xdstordev.cil
new file mode 100644
index 0000000..43edd14
--- /dev/null
+++ b/src/dev/stordev/xdstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block xd
+
+ (filecon "/dev/xd[^/]+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/stordev/zramstordev.cil b/src/dev/stordev/zramstordev.cil
new file mode 100644
index 0000000..6478289
--- /dev/null
+++ b/src/dev/stordev/zramstordev.cil
@@ -0,0 +1,9 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block zram
+
+ (filecon "/dev/zram[0-9]+" block stordev_context)
+
+ (blockinherit .stordev.base_template)
+ (blockinherit .stordev.macro_template_blk_files))
diff --git a/src/dev/termdev.cil b/src/dev/termdev.cil
new file mode 100644
index 0000000..93655b3
--- /dev/null
+++ b/src/dev/termdev.cil
@@ -0,0 +1,43 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block termdev
+
+ (macro appendinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr appendinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro readwriteinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr readwriteinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (macro writeinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr writeinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_chr_files)
+
+ (call .dev.type (typeattr))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr termdev.typeattr (chr_file (not (audit_access execmod))))))
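Review bot: The `unconfined` allow at the end grants the whole chr_file permission set minus audit_access and execmod, which includes unrestricted `ioctl`, while the three `*inherited_all_chr_files` macros above deliberately use `IOCTLTTY_NOT_TIOCSTI`; unless another allowx for the same source/target pair narrows it, the TIOCSTI carve-out therefore does not hold for unconfined types. The same shape appears in ptytermdev.unconfined and serialtermdev.unconfined later in this commit. If that is intended, a comment such as `;; unconfined types are not subject to the TIOCSTI exclusion` would make it explicit; if not, the ioctl part of the allow should go through an allowx with IOCTLTTY_NOT_TIOCSTI. Separately, the four allowx lines are repeated verbatim in each of those macros here and again in ptytermdev, loginptytermdev, serialtermdev and loginserialtermdev; a shared two-argument macro taking the subject and the target attribute would remove the copies.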
diff --git a/src/dev/termdev/ptytermdev.cil b/src/dev/termdev/ptytermdev.cil
new file mode 100644
index 0000000..4349a93
--- /dev/null
+++ b/src/dev/termdev/ptytermdev.cil
@@ -0,0 +1,125 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ptytermdev
+
+ (macro appendinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr appendinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro readwriteinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr readwriteinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (macro writeinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr writeinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_chr_files)
+
+ (call .devpts.associate_fs (typeattr))
+
+ (call .termdev.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context ptytermdev_context (.sys.id .sys.role ptytermdev lowlevelrange))
+
+ (type ptytermdev)
+ (call .ptytermdev.type (ptytermdev)))
+
+ (block macro_template_chr_files
+
+ (blockabstract macro_template_chr_files)
+
+ (macro append_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev append_chr_file))
+
+ (macro appendinherited_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev appendinherited_chr_file)
+ (allowx ARG1 ptytermdev FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 ptytermdev IOCTLCONSOLE)
+ (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 ptytermdev IOCTLVT))
+
+ (macro create_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev create_chr_file))
+
+ (macro delete_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev delete_chr_file))
+
+ (macro manage_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev manage_chr_file))
+
+ (macro mapexecute_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev mapexecute_chr_file))
+
+ (macro read_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev read_chr_file))
+
+ (macro readinherited_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev readinherited_chr_file))
+
+ (macro readwrite_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev readwrite_chr_file))
+
+ (macro readwriteinherited_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev readwriteinherited_chr_file)
+ (allowx ARG1 ptytermdev FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 ptytermdev IOCTLCONSOLE)
+ (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 ptytermdev IOCTLVT))
+
+ (macro relabel_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev relabel_chr_file))
+
+ (macro relabelfrom_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev relabelfrom_chr_file))
+
+ (macro relabelto_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev relabelto_chr_file))
+
+ (macro rename_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev rename_chr_file))
+
+ (macro write_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev write_chr_file))
+
+ (macro writeinherited_ptytermdev_chr_files ((type ARG1))
+ (allow ARG1 ptytermdev writeinherited_chr_file)
+ (allowx ARG1 ptytermdev FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 ptytermdev IOCTLCONSOLE)
+ (allowx ARG1 ptytermdev IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 ptytermdev IOCTLVT)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .ptytermdev.base_template)
+ (blockinherit .ptytermdev.macro_template_chr_files))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr ptytermdev.typeattr (chr_file (not (execmod mounton))))))
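Review bot: The exclusion list in `ptytermdev.unconfined` (`execmod mounton`) differs from `termdev.unconfined` (`audit_access execmod`): here audit_access is granted and mounton withheld, there the reverse, and serialtermdev.unconfined follows this file. Because ptytermdev types are also members of termdev.typeattr via `(call .termdev.type (typeattr))`, a type that is termdev-unconfined already receives mounton on these nodes through the parent rule as far as this diff shows, so the narrower list only affects types that are ptytermdev-unconfined alone. Either align the two lists or add a comment above the allow stating why pty and serial terminals withhold mounton.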
diff --git a/src/dev/termdev/ptytermdev/loginptytermdev.cil b/src/dev/termdev/ptytermdev/loginptytermdev.cil
new file mode 100644
index 0000000..b9019d4
--- /dev/null
+++ b/src/dev/termdev/ptytermdev/loginptytermdev.cil
@@ -0,0 +1,55 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block loginptytermdev
+
+ (macro all_type_change ((type ARG1)(type ARG2))
+ (typechange ARG1 typeattr chr_file ARG2))
+
+ (macro appendinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr appendinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro readwriteinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr readwriteinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (macro writeinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr writeinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_chr_files)
+
+ (call .ptytermdev.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .ptytermdev.base_template)
+
+ (call .loginptytermdev.type (ptytermdev)))
+
+ (block template
+
+ (blockabstract template)
+
+ (macro ptytermdev_type_change ((type ARG1)(type ARG2))
+ (typechange ARG1 ptytermdev chr_file ARG2))
+
+ (blockinherit .loginptytermdev.base_template)
+ (blockinherit .ptytermdev.macro_template_chr_files)))
diff --git a/src/dev/termdev/ptytermdev/loginptytermdev/sysloginptytermdev.cil b/src/dev/termdev/ptytermdev/loginptytermdev/sysloginptytermdev.cil
new file mode 100644
index 0000000..598a925
--- /dev/null
+++ b/src/dev/termdev/ptytermdev/loginptytermdev/sysloginptytermdev.cil
@@ -0,0 +1,29 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in dev.unconfined
+
+ (call .sys.loginptytermdev_all_type_change_ptytermdev (typeattr)))
+
+(in ptytermdev.unconfined
+
+ (call .sys.loginptytermdev_all_type_change_ptytermdev (typeattr)))
+
+(in sys
+
+ (macro devpts_fs_type_transition_ptytermdev ((type ARG1))
+ (call .devpts.fs_type_transition
+ (ARG1 ptytermdev chr_file "*")))
+
+ (macro loginptytermdev_all_type_change_ptytermdev ((type ARG1))
+ (call .loginptytermdev.all_type_change
+ (ARG1 ptytermdev)))
+
+ ;; support for unknown login services
+ (blockinherit .loginptytermdev.template)
+
+ (call devpts_fs_type_transition_ptytermdev (subj)))
+
+(in termdev.unconfined
+
+ (call .sys.loginptytermdev_all_type_change_ptytermdev (typeattr)))
diff --git a/src/dev/termdev/serialtermdev.cil b/src/dev/termdev/serialtermdev.cil
new file mode 100644
index 0000000..7400737
--- /dev/null
+++ b/src/dev/termdev/serialtermdev.cil
@@ -0,0 +1,124 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block serialtermdev
+
+ (macro appendinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr appendinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro readwriteinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr readwriteinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (macro writeinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr writeinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_chr_files)
+
+ (call .termdev.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context serialtermdev_context
+ (.sys.id .sys.role serialtermdev lowlevelrange))
+
+ (type serialtermdev)
+ (call .serialtermdev.type (serialtermdev)))
+
+ (block macro_template_chr_files
+
+ (blockabstract macro_template_chr_files)
+
+ (macro append_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev append_chr_file))
+
+ (macro appendinherited_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev appendinherited_chr_file)
+ (allowx ARG1 serialtermdev FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 serialtermdev IOCTLCONSOLE)
+ (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 serialtermdev IOCTLVT))
+
+ (macro create_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev create_chr_file))
+
+ (macro delete_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev delete_chr_file))
+
+ (macro manage_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev manage_chr_file))
+
+ (macro mapexecute_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev mapexecute_chr_file))
+
+ (macro read_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev read_chr_file))
+
+ (macro readinherited_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev readinherited_chr_file))
+
+ (macro readwrite_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev readwrite_chr_file))
+
+ (macro readwriteinherited_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev readwriteinherited_chr_file)
+ (allowx ARG1 serialtermdev FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 serialtermdev IOCTLCONSOLE)
+ (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 serialtermdev IOCTLVT))
+
+ (macro relabel_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev relabel_chr_file))
+
+ (macro relabelfrom_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev relabelfrom_chr_file))
+
+ (macro relabelto_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev relabelto_chr_file))
+
+ (macro rename_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev rename_chr_file))
+
+ (macro write_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev write_chr_file))
+
+ (macro writeinherited_serialtermdev_chr_files ((type ARG1))
+ (allow ARG1 serialtermdev writeinherited_chr_file)
+ (allowx ARG1 serialtermdev FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 serialtermdev IOCTLCONSOLE)
+ (allowx ARG1 serialtermdev IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 serialtermdev IOCTLVT)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .serialtermdev.base_template)
+ (blockinherit .serialtermdev.macro_template_chr_files))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr serialtermdev.typeattr (chr_file (not (execmod mounton))))))
diff --git a/src/dev/termdev/serialtermdev/acmserialtermdev.cil b/src/dev/termdev/serialtermdev/acmserialtermdev.cil
new file mode 100644
index 0000000..ca8a1cb
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/acmserialtermdev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block acm
+
+ (filecon "/dev/ttyACM[0-9]+" char serialtermdev_context)
+
+ (blockinherit .serialtermdev.template))
diff --git a/src/dev/termdev/serialtermdev/consoleserialtermdev.cil b/src/dev/termdev/serialtermdev/consoleserialtermdev.cil
new file mode 100644
index 0000000..08b2736
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/consoleserialtermdev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block console
+
+ (filecon "/dev/console" char serialtermdev_context)
+
+ (blockinherit .serialtermdev.template))
diff --git a/src/dev/termdev/serialtermdev/loginserialtermdev.cil b/src/dev/termdev/serialtermdev/loginserialtermdev.cil
new file mode 100644
index 0000000..2580dbe
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/loginserialtermdev.cil
@@ -0,0 +1,55 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block loginserialtermdev
+
+ (macro all_type_change ((type ARG1)(type ARG2))
+ (typechange ARG1 typeattr chr_file ARG2))
+
+ (macro appendinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr appendinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro readwriteinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr readwriteinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (macro writeinherited_all_chr_files ((type ARG1))
+ (allow ARG1 typeattr writeinherited_chr_file)
+ (allowx ARG1 typeattr FIOCLEX_FIONCLEX_CHRFILE)
+ (allowx ARG1 typeattr IOCTLCONSOLE)
+ (allowx ARG1 typeattr IOCTLTTY_NOT_TIOCSTI)
+ (allowx ARG1 typeattr IOCTLVT))
+
+ (typeattribute typeattr)
+
+ (blockinherit .file.all_macro_template_chr_files)
+
+ (call .serialtermdev.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .serialtermdev.base_template)
+
+ (call .loginserialtermdev.type (serialtermdev)))
+
+ (block template
+
+ (blockabstract template)
+
+ (macro serialtermdev_type_change ((type ARG1)(type ARG2))
+ (typechange ARG1 serialtermdev chr_file ARG2))
+
+ (blockinherit .loginserialtermdev.base_template)
+ (blockinherit .serialtermdev.macro_template_chr_files)))
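Review bot: The three `*inherited_all_chr_files` macros in this hunk (`appendinherited_`, `readwriteinherited_`, `writeinherited_`) repeat the same four `allowx` rules verbatim (`FIOCLEX_FIONCLEX_CHRFILE`, `IOCTLCONSOLE`, `IOCTLTTY_NOT_TIOCSTI`, `IOCTLVT`), and the same four are repeated again in `writeinherited_serialtermdev_chr_files` in the preceding hunk; one private macro holding the ioctl set, called from each, would keep the set from drifting between copies. The choice of `IOCTLTTY_NOT_TIOCSTI` is the security-relevant decision here and is not commented; a header comment at the top of the `loginserialtermdev` block along the lines of `;; Login ttys: inherited-fd append/write/read-write plus tty, console and vt ioctls; the TIOCSTI ioctl is intentionally left out of the set` would record the intent, with the caveat that what that extended-permission set actually contains is defined outside this diff and is inferred from its name only. `all_type_change` would likewise benefit from a one-line comment saying that `typechange` here names the type a login tty is relabelled to, since that is not obvious from the macro name.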
diff --git a/src/dev/termdev/serialtermdev/loginserialtermdev/ttyloginserialtermdev.cil b/src/dev/termdev/serialtermdev/loginserialtermdev/ttyloginserialtermdev.cil
new file mode 100644
index 0000000..5919dbe
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/loginserialtermdev/ttyloginserialtermdev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in tty
+
+ (filecon "/dev/tty.+" char serialtermdev_context)
+
+ (blockinherit .loginserialtermdev.template))
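Review bot: The `filecon` pattern `/dev/tty.+` overlaps the narrower `/dev/ttyACM[0-9]+`, `/dev/ttyMSM[0-9]+` and `/dev/ttyUSB[0-9]+` entries added in sibling files of this commit, which label those nodes with the non-login `serialtermdev` template rather than the login one. Nothing in this file says the overlap is intended or that the more specific patterns are expected to take precedence when file_contexts is generated; a comment such as `;; Catch-all for login ttys (ttyS*, tty[0-9]*); ttyACM/ttyMSM/ttyUSB are labelled by more specific filecons in sibling files` would make the assumption explicit. Which entry actually wins for a node like /dev/ttyUSB0 depends on how the CIL compiler orders filecon entries, which cannot be confirmed from this diff. The `tty` block is opened with `in`, so its declaration is outside this hunk.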
diff --git a/src/dev/termdev/serialtermdev/msmserialtermdev.cil b/src/dev/termdev/serialtermdev/msmserialtermdev.cil
new file mode 100644
index 0000000..1f97fbf
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/msmserialtermdev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block msm
+
+ (filecon "/dev/ttyMSM[0-9]+" char serialtermdev_context)
+
+ (blockinherit .serialtermdev.template))
diff --git a/src/dev/termdev/serialtermdev/sysserialtermdev.cil b/src/dev/termdev/serialtermdev/sysserialtermdev.cil
new file mode 100644
index 0000000..751f057
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/sysserialtermdev.cil
@@ -0,0 +1,22 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in dev.unconfined
+
+ (call .sys.loginserialtermdev_all_type_change_serialtermdev (typeattr)))
+
+(in serialtermdev.unconfined
+
+ (call .sys.loginserialtermdev_all_type_change_serialtermdev (typeattr)))
+
+(in sys
+
+ (macro loginserialtermdev_all_type_change_serialtermdev ((type ARG1))
+ (call .loginserialtermdev.all_type_change
+ (ARG1 serialtermdev)))
+
+ (blockinherit .serialtermdev.template))
+
+(in termdev.unconfined
+
+ (call .sys.loginserialtermdev_all_type_change_serialtermdev (typeattr)))
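Review bot: The call `(call .sys.loginserialtermdev_all_type_change_serialtermdev (typeattr))` is repeated in three `in` blocks (`dev.unconfined`, `serialtermdev.unconfined`, `termdev.unconfined`) with no comment on why each of the three unconfined attributes needs it; if those attributes nest (one including the others, which this diff does not show) two of the calls are redundant, and if they do not, a one-line comment per call stating which domains it covers would help. The macro itself grants `typechange` from every type in `loginserialtermdev.typeattr` to `sys.serialtermdev`, i.e. the relabel target a caller obtains for any login tty; a comment on the macro, e.g. `;; Let ARG1 relabel any login tty back to the sys serial tty type (typechange result), presumably when a session ends`, would document that this is the tty hand-back path. The `sys` block is opened with `in`, so its declaration lives outside this hunk.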
diff --git a/src/dev/termdev/serialtermdev/usbserialtermdev.cil b/src/dev/termdev/serialtermdev/usbserialtermdev.cil
new file mode 100644
index 0000000..e11591e
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/usbserialtermdev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in usb
+
+ (filecon "/dev/ttyUSB[0-9]+" char serialtermdev_context)
+
+ (blockinherit .serialtermdev.template))
diff --git a/src/dev/termdev/serialtermdev/vcsserialtermdev.cil b/src/dev/termdev/serialtermdev/vcsserialtermdev.cil
new file mode 100644
index 0000000..5534907
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/vcsserialtermdev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vcs
+
+ (filecon "/dev/vcs[^/]*" char serialtermdev_context)
+
+ (blockinherit .serialtermdev.template))
diff --git a/src/dev/termdev/serialtermdev/vportserialtermdev.cil b/src/dev/termdev/serialtermdev/vportserialtermdev.cil
new file mode 100644
index 0000000..c998b56
--- /dev/null
+++ b/src/dev/termdev/serialtermdev/vportserialtermdev.cil
@@ -0,0 +1,8 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block vport
+
+ (filecon "/dev/vport[0-9]p[0-9]+" char serialtermdev_context)
+
+ (blockinherit .serialtermdev.template))