From: Laurent Bigonville
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH 1/2] Allow udevadm to read files in /run/udev/data
Date: Mon, 9 Sep 2019 11:27:00 +0200
Message-Id: <20190909092701.8508-1-bigon@debian.org>
With this commit, my basic Debian buster installation is booting.

type=PROCTITLE msg=audit(09/09/19 08:23:24.011:69) : proctitle=/bin/udevadm trigger --type=devices --action=add
type=PATH msg=audit(09/09/19 08:23:24.011:69) : item=0 name=/run/udev/data/+platform:QEMU0002:00 inode=12584 dev=00:15 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:udev_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(09/09/19 08:23:24.011:69) : cwd=/
type=SYSCALL msg=audit(09/09/19 08:23:24.011:69) : arch=x86_64 syscall=openat success=yes exit=5 a0=0xffffff9c a1=0x7fff993f0cb0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=486 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udevadm exe=/usr/bin/udevadm subj=system_u:system_r:udevadm_t:s0 key=(null)
type=AVC msg=audit(09/09/19 08:23:24.011:69) : avc: denied { open } for pid=486 comm=udevadm path=/run/udev/data/+platform:QEMU0002:00 dev="tmpfs" ino=12584 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/09/19 08:23:24.011:69) : avc: denied { read } for pid=486 comm=udevadm name=+platform:QEMU0002:00 dev="tmpfs" ino=12584 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

Signed-off-by: Laurent Bigonville
---
 policy/modules/system/udev.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d02dff71..399e9157 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -394,6 +394,7 @@ delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) +read_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) dev_rw_sysfs(udevadm_t) dev_read_urand(udevadm_t) -- 2.23.0
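Review bot: the added `read_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)` matches the denials exactly: read_files_pattern() grants read_file_perms on files of the target type, which covers both the `{ read }` and the `{ open }` AVC on /run/udev/data/+platform:QEMU0002:00, and it is strictly narrower than the `delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)` already present two lines above in the same block, so the new rule widens nothing beyond what udevadm_t could already do to that type; placement after `list_dirs_pattern(...)` also keeps the block's existing ordering. The one thing I would ask for is a more informative commit message: "my basic debian buster installation is booting" does not say what udevadm is reading, so please state that the files under /run/udev/data are udev's per-device database entries consulted by `udevadm trigger`, and mention that the quoted AVCs were captured with `permissive=1` (visible in both AVC lines), i.e. the access was logged rather than blocked on the reporter's system.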