SELinux-Refpolicy Archive on lore.kernel.org
 help / Atom feed
* [PATCH v2] Add interface udev_run
@ 2019-03-06 19:07 Sugar, David
  2019-03-06 19:07 ` [PATCH] Allow map permission when reading hwdb Sugar, David
  2019-03-07 23:55 ` [PATCH v2] Add interface udev_run Chris PeBenito
  0 siblings, 2 replies; 6+ messages in thread
From: Sugar, David @ 2019-03-06 19:07 UTC (permalink / raw)
  To: selinux-refpolicy

Altered to use roleattribute based on suggestion

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/udev.if | 26 ++++++++++++++++++++++++++
 policy/modules/system/udev.te |  2 ++
 2 files changed, 28 insertions(+)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index fee55852..90dfb17d 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -36,6 +36,32 @@ interface(`udev_domtrans',`
 	domtrans_pattern($1, udev_exec_t, udev_t)
 ')
 
+########################################
+## <summary>
+##	Execute udev in the udev domain, and
+##	allow the specified role the udev domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`udev_run',`
+	gen_require(`
+		attribute_role udev_roles;
+	')
+
+	udev_domtrans($1)
+	roleattribute $2 udev_roles;
+')
+
 ########################################
 ## <summary>
 ##	Allow udev to execute the specified program in
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 3cbf7eff..88bff272 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -4,6 +4,7 @@ policy_module(udev, 1.25.0)
 #
 # Declarations
 #
+attribute_role udev_roles;
 
 type udev_t;
 type udev_exec_t;
@@ -14,6 +15,7 @@ domain_entry_file(udev_t, udev_helper_exec_t)
 domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
 init_named_socket_activation(udev_t, udev_var_run_t)
+role udev_roles types udev_t;
 
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
-- 
2.20.1


^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH] Allow map permission when reading hwdb
  2019-03-06 19:07 [PATCH v2] Add interface udev_run Sugar, David
@ 2019-03-06 19:07 ` Sugar, David
  2019-03-07 23:56   ` Chris PeBenito
  2019-03-07 23:55 ` [PATCH v2] Add interface udev_run Chris PeBenito
  1 sibling, 1 reply; 6+ messages in thread
From: Sugar, David @ 2019-03-06 19:07 UTC (permalink / raw)
  To: selinux-refpolicy

I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
This updates the existing interface to include allowing
to map the file.

type=AVC msg=audit(1551886176.948:642): avc:  denied  { map } for  pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/systemd.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8d2bb8da..03d83dc7 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -34,7 +34,7 @@ interface(`systemd_read_hwdb',`
 		type systemd_hwdb_t;
 	')
 
-	read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
+	mmap_read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
 ')
 
 ######################################
-- 
2.20.1


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] Add interface udev_run
  2019-03-06 19:07 [PATCH v2] Add interface udev_run Sugar, David
  2019-03-06 19:07 ` [PATCH] Allow map permission when reading hwdb Sugar, David
@ 2019-03-07 23:55 ` Chris PeBenito
  2019-03-08  3:01   ` Sugar, David
  1 sibling, 1 reply; 6+ messages in thread
From: Chris PeBenito @ 2019-03-07 23:55 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 3/6/19 2:07 PM, Sugar, David wrote:
> Altered to use roleattribute based on suggestion
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/udev.if | 26 ++++++++++++++++++++++++++
>   policy/modules/system/udev.te |  2 ++
>   2 files changed, 28 insertions(+)
> 
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index fee55852..90dfb17d 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -36,6 +36,32 @@ interface(`udev_domtrans',`
>   	domtrans_pattern($1, udev_exec_t, udev_t)
>   ')
>   
> +########################################
> +## <summary>
> +##	Execute udev in the udev domain, and
> +##	allow the specified role the udev domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`udev_run',`
> +	gen_require(`
> +		attribute_role udev_roles;
> +	')
> +
> +	udev_domtrans($1)
> +	roleattribute $2 udev_roles;
> +')

Why is a user be starting this?


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] Allow map permission when reading hwdb
  2019-03-06 19:07 ` [PATCH] Allow map permission when reading hwdb Sugar, David
@ 2019-03-07 23:56   ` Chris PeBenito
  0 siblings, 0 replies; 6+ messages in thread
From: Chris PeBenito @ 2019-03-07 23:56 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 3/6/19 2:07 PM, Sugar, David wrote:
> I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
> This updates the existing interface to include allowing
> to map the file.
> 
> type=AVC msg=audit(1551886176.948:642): avc:  denied  { map } for  pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/systemd.if | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 8d2bb8da..03d83dc7 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -34,7 +34,7 @@ interface(`systemd_read_hwdb',`
>   		type systemd_hwdb_t;
>   	')
>   
> -	read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
> +	mmap_read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
>   ')
>   
>   ######################################

This should be a new interface.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] Add interface udev_run
  2019-03-07 23:55 ` [PATCH v2] Add interface udev_run Chris PeBenito
@ 2019-03-08  3:01   ` Sugar, David
  2019-03-12  0:51     ` Chris PeBenito
  0 siblings, 1 reply; 6+ messages in thread
From: Sugar, David @ 2019-03-08  3:01 UTC (permalink / raw)
  To: Chris PeBenito, selinux-refpolicy



On 3/7/19 6:55 PM, Chris PeBenito wrote:
> On 3/6/19 2:07 PM, Sugar, David wrote:
>> Altered to use roleattribute based on suggestion
>>
>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>>   policy/modules/system/udev.if | 26 ++++++++++++++++++++++++++
>>   policy/modules/system/udev.te |  2 ++
>>   2 files changed, 28 insertions(+)
>>
>> diff --git a/policy/modules/system/udev.if 
>> b/policy/modules/system/udev.if
>> index fee55852..90dfb17d 100644
>> --- a/policy/modules/system/udev.if
>> +++ b/policy/modules/system/udev.if
>> @@ -36,6 +36,32 @@ interface(`udev_domtrans',`
>>       domtrans_pattern($1, udev_exec_t, udev_t)
>>   ')
>> +########################################
>> +## <summary>
>> +##    Execute udev in the udev domain, and
>> +##    allow the specified role the udev domain.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed to transition.
>> +##    </summary>
>> +## </param>
>> +## <param name="role">
>> +##    <summary>
>> +##    Role allowed access.
>> +##    </summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`udev_run',`
>> +    gen_require(`
>> +        attribute_role udev_roles;
>> +    ')
>> +
>> +    udev_domtrans($1)
>> +    roleattribute $2 udev_roles;
>> +')
> 
> Why is a user be starting this?
> 
In this case it isn't a user starting udev, rather calling
"/usr/bin/udevadm info" to gather all the specific information about a 
USB device.  udevadm is labeled udev_exec_t.


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH v2] Add interface udev_run
  2019-03-08  3:01   ` Sugar, David
@ 2019-03-12  0:51     ` Chris PeBenito
  0 siblings, 0 replies; 6+ messages in thread
From: Chris PeBenito @ 2019-03-12  0:51 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 3/7/19 10:01 PM, Sugar, David wrote:
> 
> 
> On 3/7/19 6:55 PM, Chris PeBenito wrote:
>> On 3/6/19 2:07 PM, Sugar, David wrote:
>>> Altered to use roleattribute based on suggestion
>>>
>>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>>> ---
>>>    policy/modules/system/udev.if | 26 ++++++++++++++++++++++++++
>>>    policy/modules/system/udev.te |  2 ++
>>>    2 files changed, 28 insertions(+)
>>>
>>> diff --git a/policy/modules/system/udev.if
>>> b/policy/modules/system/udev.if
>>> index fee55852..90dfb17d 100644
>>> --- a/policy/modules/system/udev.if
>>> +++ b/policy/modules/system/udev.if
>>> @@ -36,6 +36,32 @@ interface(`udev_domtrans',`
>>>        domtrans_pattern($1, udev_exec_t, udev_t)
>>>    ')
>>> +########################################
>>> +## <summary>
>>> +##    Execute udev in the udev domain, and
>>> +##    allow the specified role the udev domain.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##    <summary>
>>> +##    Domain allowed to transition.
>>> +##    </summary>
>>> +## </param>
>>> +## <param name="role">
>>> +##    <summary>
>>> +##    Role allowed access.
>>> +##    </summary>
>>> +## </param>
>>> +## <rolecap/>
>>> +#
>>> +interface(`udev_run',`
>>> +    gen_require(`
>>> +        attribute_role udev_roles;
>>> +    ')
>>> +
>>> +    udev_domtrans($1)
>>> +    roleattribute $2 udev_roles;
>>> +')
>>
>> Why is a user be starting this?
>>
> In this case it isn't a user starting udev, rather calling
> "/usr/bin/udevadm info" to gather all the specific information about a
> USB device.  udevadm is labeled udev_exec_t.

In that case I'd be more interested in seeing what it would take for a 
separate udevadm domain.  If that proves to be too much like udev_t, 
then I'd accept the above patch.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, back to index

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-06 19:07 [PATCH v2] Add interface udev_run Sugar, David
2019-03-06 19:07 ` [PATCH] Allow map permission when reading hwdb Sugar, David
2019-03-07 23:56   ` Chris PeBenito
2019-03-07 23:55 ` [PATCH v2] Add interface udev_run Chris PeBenito
2019-03-08  3:01   ` Sugar, David
2019-03-12  0:51     ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox