From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] udevadm patch
Date: Wed, 13 Jan 2021 08:31:12 -0500 [thread overview]
Message-ID: <787a07f6-b36f-3a73-e515-231d03502874@ieee.org> (raw)
In-Reply-To: <X/1zIlzuNbchBU1w@xev>
On 1/12/21 5:00 AM, Russell Coker wrote:
> As Chris noted in a previous message the udevadm_t domain could be used from
> other places. This patch allows for that possibility in the near future but
> for the moment just makes a system bootable in enforcing mode right now.
>
> Also I didn't remove the context entries for udevadm even though on systems
> with a recent systemd they won't exist. At this time leaving them there
> may provide the best compatability options.
>
> Finally I added a udev_runtime_t watch because the need for that appeared
> when I was working on this.
>
> Sent again for a better sign-off.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
Since your last patch I ended up working some of this on my own and went
further, including removing some old /dev/.udev support:
https://github.com/SELinuxProject/refpolicy/pull/331
>
> Index: refpolicy-2.20201210/policy/modules/system/udev.fc
> ===================================================================
> --- refpolicy-2.20201210.orig/policy/modules/system/udev.fc
> +++ refpolicy-2.20201210/policy/modules/system/udev.fc
> @@ -10,7 +10,7 @@
> /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
>
> /usr/bin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
> -/usr/bin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
> +/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
> /usr/bin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
> /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
> /usr/bin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
> @@ -22,7 +22,7 @@ ifdef(`distro_debian',`
> ')
>
> /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
> -/usr/sbin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
> +/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
> /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
> /usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
> /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
> @@ -32,7 +32,6 @@ ifdef(`distro_redhat',`
> /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
> ')
>
> -/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
> /usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
>
> /usr/share/virtualbox/VBoxCreateUSBNode\.sh -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
> Index: refpolicy-2.20201210/policy/modules/system/udev.if
> ===================================================================
> --- refpolicy-2.20201210.orig/policy/modules/system/udev.if
> +++ refpolicy-2.20201210/policy/modules/system/udev.if
> @@ -548,10 +548,10 @@ interface(`udev_manage_runtime_files',`
> #
> interface(`udevadm_domtrans',`
> gen_require(`
> - type udevadm_t, udevadm_exec_t;
> + type udevadm_t, udev_exec_t;
> ')
>
> - domtrans_pattern($1, udevadm_exec_t, udevadm_t)
> + domtrans_pattern($1, udev_exec_t, udevadm_t)
> ')
>
> ########################################
> @@ -579,21 +579,3 @@ interface(`udevadm_run',`
> udevadm_domtrans($1)
> roleattribute $2 udevadm_roles;
> ')
> -
> -########################################
> -## <summary>
> -## Execute udevadm in the caller domain.
> -## </summary>
> -## <param name="domain">
> -## <summary>
> -## Domain allowed access.
> -## </summary>
> -## </param>
> -#
> -interface(`udevadm_exec',`
> - gen_require(`
> - type udevadm_exec_t;
> - ')
> -
> - can_exec($1, udevadm_exec_t)
> -')
> Index: refpolicy-2.20201210/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20201210.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20201210/policy/modules/system/udev.te
> @@ -8,6 +8,7 @@ attribute_role udevadm_roles;
>
> type udev_t;
> type udev_exec_t;
> +typealias udev_exec_t alias udevadm_exec_t;
> type udev_helper_exec_t;
> kernel_domtrans_to(udev_t, udev_exec_t)
> domain_obj_id_change_exemption(udev_t)
> @@ -17,9 +18,7 @@ init_daemon_domain(udev_t, udev_exec_t)
> init_named_socket_activation(udev_t, udev_runtime_t)
>
> type udevadm_t;
> -type udevadm_exec_t;
> -init_system_domain(udevadm_t, udevadm_exec_t)
> -application_domain(udevadm_t, udevadm_exec_t)
> +application_domain(udevadm_t, udev_exec_t)
> role udevadm_roles types udevadm_t;
>
> type udev_etc_t alias etc_udev_t;
> @@ -86,6 +85,7 @@ manage_files_pattern(udev_t, udev_runtim
> manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
> manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
> files_runtime_filetrans(udev_t, udev_runtime_t, dir, "udev")
> +allow udev_t udev_runtime_t:dir watch;
>
> kernel_load_module(udev_t)
> kernel_read_system_state(udev_t)
>
--
Chris PeBenito
prev parent reply other threads:[~2021-01-13 13:31 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-12 10:00 [PATCH] udevadm patch Russell Coker
2021-01-13 13:31 ` Chris PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=787a07f6-b36f-3a73-e515-231d03502874@ieee.org \
--to=pebenito@ieee.org \
--cc=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).