From: "Sugar, David" <dsugar@tresys.com>
To: "selinux-refpolicy@vger.kernel.org" <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH v3] Separate out udevadm into a new domain
Date: Wed, 13 Mar 2019 18:18:55 +0000 [thread overview]
Message-ID: <20190313181804.10224-1-dsugar@tresys.com> (raw)
This is the update I have made based on suggestions for the previous
patch to add a udev_run interface. This adds the new domain udevadm_t
which is entered from /usr/bin/udevadm.
It seems to meet the needs that I have, but there are some things to
note that are probably important.
1) There are a few systemd services that use udevadm during startup.
I have granted the permisssions that I need based on denials I was
seeing during startup (the machine would fail to start without the
permisions).
2) In the udev.fc file there are other binaries that I don't have on a
RHEL7 box that maybe should also be labeled udevadm_exec_t.
e.g. /usr/bin/udevinfo
But as I don't have those binaries to test, I have not updated the
type of that binary.
3) There are some places that call udev_domtrans that maybe should now
be using udevadm_domtrans - rpm.te, hal.te, hotplug.te. Again,
these are not things that I am using in my current situation and am
unable to test the interactions to know if the change is correct.
Other than that, I think it is good to split out udevadm into a
different domain to make it separate.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/roles/sysadm.te | 4 +++
policy/modules/system/udev.fc | 4 +--
policy/modules/system/udev.if | 62 ++++++++++++++++++++++++++++++++++
policy/modules/system/udev.te | 42 ++++++++++++++++++++++-
4 files changed, 109 insertions(+), 3 deletions(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 043e54bf..2cc60643 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1140,6 +1140,10 @@ optional_policy(`
tzdata_domtrans(sysadm_t)
')
+optional_policy(`
+ udevadm_run(sysadm_t, sysadm_r)
+')
+
optional_policy(`
ulogd_admin(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 009d821a..606ad517 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -10,7 +10,7 @@
/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
/usr/bin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
/usr/bin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
/usr/bin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -22,7 +22,7 @@ ifdef(`distro_debian',`
')
/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/sbin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
/usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
/usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index fee55852..3028d6b8 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -447,3 +447,65 @@ interface(`udev_generic_pid_filetrans_run_dirs',`
files_pid_filetrans($1, udev_var_run_t, dir, $2)
')
+
+########################################
+## <summary>
+## Execute udev admin in the udevadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`udevadm_domtrans',`
+ gen_require(`
+ type udevadm_t, udevadm_exec_t;
+ ')
+
+ domtrans_pattern($1, udevadm_exec_t, udevadm_t)
+')
+
+########################################
+## <summary>
+## Execute udevadm in the udevadm domain, and
+## allow the specified role the udevadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`udevadm_run',`
+ gen_require(`
+ attribute_role udevadm_roles;
+ ')
+
+ udevadm_domtrans($1)
+ roleattribute $2 udevadm_roles;
+')
+
+########################################
+## <summary>
+## Execute udevadm in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udevadm_exec',`
+ gen_require(`
+ type udevadm_exec_t;
+ ')
+
+ can_exec($1, udevadm_exec_t)
+')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 9d5cf3b2..becb54d9 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -4,6 +4,7 @@ policy_module(udev, 1.25.1)
#
# Declarations
#
+attribute_role udevadm_roles;
type udev_t;
type udev_exec_t;
@@ -15,6 +16,12 @@ domain_interactive_fd(udev_t)
init_daemon_domain(udev_t, udev_exec_t)
init_named_socket_activation(udev_t, udev_var_run_t)
+type udevadm_t;
+type udevadm_exec_t;
+init_system_domain(udevadm_t, udevadm_exec_t)
+application_domain(udevadm_t, udevadm_exec_t)
+role udevadm_roles types udevadm_t;
+
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
@@ -35,7 +42,7 @@ ifdef(`enable_mcs',`
########################################
#
-# Local policy
+# udev Local policy
#
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
@@ -374,3 +381,36 @@ optional_policy(`
optional_policy(`
xserver_read_xdm_pid(udev_t)
')
+
+
+########################################
+#
+# udevadm Local policy
+#
+
+allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow udevadm_t self:unix_stream_socket create_socket_perms;
+
+allow udevadm_t udev_t:unix_stream_socket connectto;
+
+delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+write_sock_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+
+dev_rw_sysfs(udevadm_t)
+dev_read_urand(udevadm_t)
+
+files_read_etc_files(udevadm_t)
+files_read_usr_files(udevadm_t)
+
+init_list_pids(udevadm_t)
+init_read_state(udevadm_t)
+
+kernel_read_system_state(udevadm_t)
+
+libs_use_ld_so(udevadm_t)
+
+seutil_read_file_contexts(udevadm_t)
+
--
2.20.1
next reply other threads:[~2019-03-13 18:19 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-13 18:18 Sugar, David [this message]
2019-03-13 18:18 ` [PATCH v2] Setup attribute for fixed_disk_device and removable_device Sugar, David
2019-03-14 22:06 ` Chris PeBenito
2019-03-15 2:22 ` Sugar, David
2019-03-17 20:14 ` Chris PeBenito
2019-03-14 22:05 ` [PATCH v3] Separate out udevadm into a new domain Chris PeBenito
2019-03-15 2:27 ` [PATCH v4] " Sugar, David
2019-03-17 20:15 ` Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190313181804.10224-1-dsugar@tresys.com \
--to=dsugar@tresys.com \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).