SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 1/2] Allow udevadm to read files in /run/udev/data
@ 2019-09-09  9:27 Laurent Bigonville
  2019-09-09  9:27 ` [PATCH 2/2] Allow udevadm_t to use dac_read_search capability Laurent Bigonville
  0 siblings, 1 reply; 2+ messages in thread
From: Laurent Bigonville @ 2019-09-09  9:27 UTC (permalink / raw)
  To: selinux-refpolicy

From: Laurent Bigonville <bigon@bigon.be>

With this commit, my basic debian buster installation is booting

type=PROCTITLE msg=audit(09/09/19 08:23:24.011:69) : proctitle=/bin/udevadm trigger --type=devices --action=add
type=PATH msg=audit(09/09/19 08:23:24.011:69) : item=0 name=/run/udev/data/+platform:QEMU0002:00 inode=12584 dev=00:15 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:udev_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(09/09/19 08:23:24.011:69) : cwd=/
type=SYSCALL msg=audit(09/09/19 08:23:24.011:69) : arch=x86_64 syscall=openat success=yes exit=5 a0=0xffffff9c a1=0x7fff993f0cb0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=486 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udevadm exe=/usr/bin/udevadm subj=system_u:system_r:udevadm_t:s0 key=(null)
type=AVC msg=audit(09/09/19 08:23:24.011:69) : avc:  denied  { open } for  pid=486 comm=udevadm path=/run/udev/data/+platform:QEMU0002:00 dev="tmpfs" ino=12584 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/09/19 08:23:24.011:69) : avc:  denied  { read } for  pid=486 comm=udevadm name=+platform:QEMU0002:00 dev="tmpfs" ino=12584 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
 policy/modules/system/udev.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d02dff71..399e9157 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -394,6 +394,7 @@ delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
 delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
 delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
 list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+read_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
 
 dev_rw_sysfs(udevadm_t)
 dev_read_urand(udevadm_t)
-- 
2.23.0


^ permalink raw reply	[flat|nested] 2+ messages in thread

* [PATCH 2/2] Allow udevadm_t to use dac_read_search capability
  2019-09-09  9:27 [PATCH 1/2] Allow udevadm to read files in /run/udev/data Laurent Bigonville
@ 2019-09-09  9:27 ` Laurent Bigonville
  0 siblings, 0 replies; 2+ messages in thread
From: Laurent Bigonville @ 2019-09-09  9:27 UTC (permalink / raw)
  To: selinux-refpolicy

From: Laurent Bigonville <bigon@bigon.be>

udevadm trigger tries to read files under /sys/module/ that might not be
readable by root, for example:

--w------- 1 root root 4096 sep  5 17:06 /sys/module/snd_hda_codec_generic/uevent

We choose to allow it here because, according to Grift,
"the cap_dac_read_search could maybe be dontaudited, but then
cap_dac_override would have to be dontaudited as well.
cap_dac_read_search would also be triggered when you run `sudo udevadm
...` where pwd or/and oldpwd is ~"

type=PROCTITLE msg=audit(29/08/19 15:37:14.505:417) : proctitle=/bin/udevadm trigger --type=subsystems --action=add
type=PATH msg=audit(29/08/19 15:37:14.505:417) : item=0 name=/sys/module/snd_hda_codec_generic/uevent inode=17769 dev=00:13 mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(29/08/19 15:37:14.505:417) : cwd=/
type=SYSCALL msg=audit(29/08/19 15:37:14.505:417) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission non accordée) a0=0xffffff9c a1=0x7fff23710260 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=481 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udevadm exe=/usr/bin/udevadm subj=system_u:system_r:udevadm_t:s0 key=(null)
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc:  denied  { dac_override } for  pid=481 comm=udevadm capability=dac_override  scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc:  denied  { dac_read_search } for  pid=481 comm=udevadm capability=dac_read_search  scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
 policy/modules/system/udev.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 399e9157..ae56a764 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -385,6 +385,7 @@ optional_policy(`
 # udevadm Local policy
 #
 
+allow udevadm_t self:capability dac_read_search;
 allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udevadm_t self:unix_stream_socket create_socket_perms;
 
-- 
2.23.0


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-09  9:27 [PATCH 1/2] Allow udevadm to read files in /run/udev/data Laurent Bigonville
2019-09-09  9:27 ` [PATCH 2/2] Allow udevadm_t to use dac_read_search capability Laurent Bigonville

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox