SELinux-Refpolicy Archive on lore.kernel.org
 help / Atom feed
* [PATCH v2] Allow additional map permission when reading hwdb
@ 2019-03-09  3:58 Sugar, David
  2019-03-12  0:53 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Sugar, David @ 2019-03-09  3:58 UTC (permalink / raw)
  To: selinux-refpolicy

I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
This creates and uses a new interface to allow the needed
permission for udev.

type=AVC msg=audit(1551886176.948:642): avc:  denied  { map } for  pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1

Updated from previous to create a new interface.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/systemd.if | 18 ++++++++++++++++++
 policy/modules/system/udev.te    |  1 +
 2 files changed, 19 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8d2bb8da..6353ca69 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -37,6 +37,24 @@ interface(`systemd_read_hwdb',`
 	read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
 ')
 
+#######################################
+## <summary>
+##  Allow domain to map udev hwdb file
+## </summary>
+## <param name="domain">
+## <summary>
+##  domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_map_hwdb',`
+	gen_require(`
+		type systemd_hwdb_t;
+	')
+
+	allow $1 systemd_hwdb_t:file map;
+')
+
 ######################################
 ## <summary>
 ##   Read systemd_login PID files.
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 88bff272..d0496258 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -250,6 +250,7 @@ ifdef(`init_systemd',`
 	init_get_generic_units_status(udev_t)
 	init_stream_connect(udev_t)
 
+	systemd_map_hwdb(udev_t)
 	systemd_read_hwdb(udev_t)
 	systemd_read_logind_sessions_files(udev_t)
 	systemd_read_logind_pids(udev_t)
-- 
2.20.1


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH v2] Allow additional map permission when reading hwdb
  2019-03-09  3:58 [PATCH v2] Allow additional map permission when reading hwdb Sugar, David
@ 2019-03-12  0:53 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2019-03-12  0:53 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 3/8/19 10:58 PM, Sugar, David wrote:
> I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
> This creates and uses a new interface to allow the needed
> permission for udev.
> 
> type=AVC msg=audit(1551886176.948:642): avc:  denied  { map } for  pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
> 
> Updated from previous to create a new interface.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/systemd.if | 18 ++++++++++++++++++
>   policy/modules/system/udev.te    |  1 +
>   2 files changed, 19 insertions(+)
> 
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 8d2bb8da..6353ca69 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -37,6 +37,24 @@ interface(`systemd_read_hwdb',`
>   	read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
>   ')
>   
> +#######################################
> +## <summary>
> +##  Allow domain to map udev hwdb file
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##  domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_map_hwdb',`
> +	gen_require(`
> +		type systemd_hwdb_t;
> +	')
> +
> +	allow $1 systemd_hwdb_t:file map;
> +')
> +
>   ######################################
>   ## <summary>
>   ##   Read systemd_login PID files.
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 88bff272..d0496258 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -250,6 +250,7 @@ ifdef(`init_systemd',`
>   	init_get_generic_units_status(udev_t)
>   	init_stream_connect(udev_t)
>   
> +	systemd_map_hwdb(udev_t)
>   	systemd_read_hwdb(udev_t)
>   	systemd_read_logind_sessions_files(udev_t)
>   	systemd_read_logind_pids(udev_t)

Merged.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-09  3:58 [PATCH v2] Allow additional map permission when reading hwdb Sugar, David
2019-03-12  0:53 ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox