Re: [PATCH] udevadm patch

From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] udevadm patch
Date: Wed, 13 Jan 2021 08:31:12 -0500	[thread overview]
Message-ID: <787a07f6-b36f-3a73-e515-231d03502874@ieee.org> (raw)
In-Reply-To: <X/1zIlzuNbchBU1w@xev>

On 1/12/21 5:00 AM, Russell Coker wrote:
> As Chris noted in a previous message the udevadm_t domain could be used from
> other places.  This patch allows for that possibility in the near future but
> for the moment just makes a system bootable in enforcing mode right now.
> 
> Also I didn't remove the context entries for udevadm even though on systems
> with a recent systemd they won't exist.  At this time leaving them there
> may provide the best compatability options.
> 
> Finally I added a udev_runtime_t watch because the need for that appeared
> when I was working on this.
> 
> Sent again for a better sign-off.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>

Since your last patch I ended up working some of this on my own and went 
further, including removing some old /dev/.udev support:

https://github.com/SELinuxProject/refpolicy/pull/331

> 
> Index: refpolicy-2.20201210/policy/modules/system/udev.fc
> ===================================================================
> --- refpolicy-2.20201210.orig/policy/modules/system/udev.fc
> +++ refpolicy-2.20201210/policy/modules/system/udev.fc
> @@ -10,7 +10,7 @@
>   /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
>   
>   /usr/bin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
> -/usr/bin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
> +/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/bin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/bin/udevinfo	--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/bin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
> @@ -22,7 +22,7 @@ ifdef(`distro_debian',`
>   ')
>   
>   /usr/sbin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
> -/usr/sbin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
> +/usr/sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/sbin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/sbin/udevstart	--	gen_context(system_u:object_r:udev_exec_t,s0)
> @@ -32,7 +32,6 @@ ifdef(`distro_redhat',`
>   /usr/sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
>   ')
>   
> -/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
>   
>   /usr/share/virtualbox/VBoxCreateUSBNode\.sh	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
> Index: refpolicy-2.20201210/policy/modules/system/udev.if
> ===================================================================
> --- refpolicy-2.20201210.orig/policy/modules/system/udev.if
> +++ refpolicy-2.20201210/policy/modules/system/udev.if
> @@ -548,10 +548,10 @@ interface(`udev_manage_runtime_files',`
>   #
>   interface(`udevadm_domtrans',`
>   	gen_require(`
> -		type udevadm_t, udevadm_exec_t;
> +		type udevadm_t, udev_exec_t;
>   	')
>   
> -	domtrans_pattern($1, udevadm_exec_t, udevadm_t)
> +	domtrans_pattern($1, udev_exec_t, udevadm_t)
>   ')
>   
>   ########################################
> @@ -579,21 +579,3 @@ interface(`udevadm_run',`
>   	udevadm_domtrans($1)
>   	roleattribute $2 udevadm_roles;
>   ')
> -
> -########################################
> -## <summary>
> -##	Execute udevadm in the caller domain.
> -## </summary>
> -## <param name="domain">
> -##	<summary>
> -##	Domain allowed access.
> -##	</summary>
> -## </param>
> -#
> -interface(`udevadm_exec',`
> -	gen_require(`
> -		type udevadm_exec_t;
> -	')
> -
> -	can_exec($1, udevadm_exec_t)
> -')
> Index: refpolicy-2.20201210/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20201210.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20201210/policy/modules/system/udev.te
> @@ -8,6 +8,7 @@ attribute_role udevadm_roles;
>   
>   type udev_t;
>   type udev_exec_t;
> +typealias udev_exec_t alias udevadm_exec_t;
>   type udev_helper_exec_t;
>   kernel_domtrans_to(udev_t, udev_exec_t)
>   domain_obj_id_change_exemption(udev_t)
> @@ -17,9 +18,7 @@ init_daemon_domain(udev_t, udev_exec_t)
>   init_named_socket_activation(udev_t, udev_runtime_t)
>   
>   type udevadm_t;
> -type udevadm_exec_t;
> -init_system_domain(udevadm_t, udevadm_exec_t)
> -application_domain(udevadm_t, udevadm_exec_t)
> +application_domain(udevadm_t, udev_exec_t)
>   role udevadm_roles types udevadm_t;
>   
>   type udev_etc_t alias etc_udev_t;
> @@ -86,6 +85,7 @@ manage_files_pattern(udev_t, udev_runtim
>   manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
>   manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
>   files_runtime_filetrans(udev_t, udev_runtime_t, dir, "udev")
> +allow udev_t udev_runtime_t:dir watch;
>   
>   kernel_load_module(udev_t)
>   kernel_read_system_state(udev_t)
> 

-- 
Chris PeBenito