[PATCH] udevadm patch

[PATCH] udevadm patch

[Russell Coker]

As Chris noted in a previous message the udevadm_t domain could be used from
other places.  This patch allows for that possibility in the near future but
for the moment just makes a system bootable in enforcing mode right now.

Also I didn't remove the context entries for udevadm even though on systems
with a recent systemd they won't exist.  At this time leaving them there
may provide the best compatability options.

Finally I added a udev_runtime_t watch because the need for that appeared
when I was working on this.

Sent again for a better sign-off.

Signed-off-by: Russell Coker <russell@coker.com.au>



Index: refpolicy-2.20201210/policy/modules/system/udev.fc
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/system/udev.fc
+++ refpolicy-2.20201210/policy/modules/system/udev.fc
@@ -10,7 +10,7 @@
 /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
 /usr/bin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/bin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
+/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevinfo	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
@@ -22,7 +22,7 @@ ifdef(`distro_debian',`
 ')
 
 /usr/sbin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
+/usr/sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevstart	--	gen_context(system_u:object_r:udev_exec_t,s0)
@@ -32,7 +32,6 @@ ifdef(`distro_redhat',`
 /usr/sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
 ')
 
-/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
 
 /usr/share/virtualbox/VBoxCreateUSBNode\.sh	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
Index: refpolicy-2.20201210/policy/modules/system/udev.if
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/system/udev.if
+++ refpolicy-2.20201210/policy/modules/system/udev.if
@@ -548,10 +548,10 @@ interface(`udev_manage_runtime_files',`
 #
 interface(`udevadm_domtrans',`
 	gen_require(`
-		type udevadm_t, udevadm_exec_t;
+		type udevadm_t, udev_exec_t;
 	')
 
-	domtrans_pattern($1, udevadm_exec_t, udevadm_t)
+	domtrans_pattern($1, udev_exec_t, udevadm_t)
 ')
 
 ########################################
@@ -579,21 +579,3 @@ interface(`udevadm_run',`
 	udevadm_domtrans($1)
 	roleattribute $2 udevadm_roles;
 ')
-
-########################################
-## <summary>
-##	Execute udevadm in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`udevadm_exec',`
-	gen_require(`
-		type udevadm_exec_t;
-	')
-
-	can_exec($1, udevadm_exec_t)
-')
Index: refpolicy-2.20201210/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/system/udev.te
+++ refpolicy-2.20201210/policy/modules/system/udev.te
@@ -8,6 +8,7 @@ attribute_role udevadm_roles;
 
 type udev_t;
 type udev_exec_t;
+typealias udev_exec_t alias udevadm_exec_t;
 type udev_helper_exec_t;
 kernel_domtrans_to(udev_t, udev_exec_t)
 domain_obj_id_change_exemption(udev_t)
@@ -17,9 +18,7 @@ init_daemon_domain(udev_t, udev_exec_t)
 init_named_socket_activation(udev_t, udev_runtime_t)
 
 type udevadm_t;
-type udevadm_exec_t;
-init_system_domain(udevadm_t, udevadm_exec_t)
-application_domain(udevadm_t, udevadm_exec_t)
+application_domain(udevadm_t, udev_exec_t)
 role udevadm_roles types udevadm_t;
 
 type udev_etc_t alias etc_udev_t;
@@ -86,6 +85,7 @@ manage_files_pattern(udev_t, udev_runtim
 manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 files_runtime_filetrans(udev_t, udev_runtime_t, dir, "udev")
+allow udev_t udev_runtime_t:dir watch;
 
 kernel_load_module(udev_t)
 kernel_read_system_state(udev_t)

Re: [PATCH] udevadm patch

[Chris PeBenito]

On 1/12/21 5:00 AM, Russell Coker wrote:
> As Chris noted in a previous message the udevadm_t domain could be used from
> other places.  This patch allows for that possibility in the near future but
> for the moment just makes a system bootable in enforcing mode right now.
> 
> Also I didn't remove the context entries for udevadm even though on systems
> with a recent systemd they won't exist.  At this time leaving them there
> may provide the best compatability options.
> 
> Finally I added a udev_runtime_t watch because the need for that appeared
> when I was working on this.
> 
> Sent again for a better sign-off.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>


Since your last patch I ended up working some of this on my own and went 
further, including removing some old /dev/.udev support:

https://github.com/SELinuxProject/refpolicy/pull/331

> 
> Index: refpolicy-2.20201210/policy/modules/system/udev.fc
> ===================================================================
> --- refpolicy-2.20201210.orig/policy/modules/system/udev.fc
> +++ refpolicy-2.20201210/policy/modules/system/udev.fc
> @@ -10,7 +10,7 @@
>   /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
>   
>   /usr/bin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
> -/usr/bin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
> +/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/bin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/bin/udevinfo	--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/bin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
> @@ -22,7 +22,7 @@ ifdef(`distro_debian',`
>   ')
>   
>   /usr/sbin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
> -/usr/sbin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
> +/usr/sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/sbin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/sbin/udevstart	--	gen_context(system_u:object_r:udev_exec_t,s0)
> @@ -32,7 +32,6 @@ ifdef(`distro_redhat',`
>   /usr/sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
>   ')
>   
> -/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
>   
>   /usr/share/virtualbox/VBoxCreateUSBNode\.sh	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
> Index: refpolicy-2.20201210/policy/modules/system/udev.if
> ===================================================================
> --- refpolicy-2.20201210.orig/policy/modules/system/udev.if
> +++ refpolicy-2.20201210/policy/modules/system/udev.if
> @@ -548,10 +548,10 @@ interface(`udev_manage_runtime_files',`
>   #
>   interface(`udevadm_domtrans',`
>   	gen_require(`
> -		type udevadm_t, udevadm_exec_t;
> +		type udevadm_t, udev_exec_t;
>   	')
>   
> -	domtrans_pattern($1, udevadm_exec_t, udevadm_t)
> +	domtrans_pattern($1, udev_exec_t, udevadm_t)
>   ')
>   
>   ########################################
> @@ -579,21 +579,3 @@ interface(`udevadm_run',`
>   	udevadm_domtrans($1)
>   	roleattribute $2 udevadm_roles;
>   ')
> -
> -########################################
> -## <summary>
> -##	Execute udevadm in the caller domain.
> -## </summary>
> -## <param name="domain">
> -##	<summary>
> -##	Domain allowed access.
> -##	</summary>
> -## </param>
> -#
> -interface(`udevadm_exec',`
> -	gen_require(`
> -		type udevadm_exec_t;
> -	')
> -
> -	can_exec($1, udevadm_exec_t)
> -')
> Index: refpolicy-2.20201210/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20201210.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20201210/policy/modules/system/udev.te
> @@ -8,6 +8,7 @@ attribute_role udevadm_roles;
>   
>   type udev_t;
>   type udev_exec_t;
> +typealias udev_exec_t alias udevadm_exec_t;
>   type udev_helper_exec_t;
>   kernel_domtrans_to(udev_t, udev_exec_t)
>   domain_obj_id_change_exemption(udev_t)
> @@ -17,9 +18,7 @@ init_daemon_domain(udev_t, udev_exec_t)
>   init_named_socket_activation(udev_t, udev_runtime_t)
>   
>   type udevadm_t;
> -type udevadm_exec_t;
> -init_system_domain(udevadm_t, udevadm_exec_t)
> -application_domain(udevadm_t, udevadm_exec_t)
> +application_domain(udevadm_t, udev_exec_t)
>   role udevadm_roles types udevadm_t;
>   
>   type udev_etc_t alias etc_udev_t;
> @@ -86,6 +85,7 @@ manage_files_pattern(udev_t, udev_runtim
>   manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
>   manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
>   files_runtime_filetrans(udev_t, udev_runtime_t, dir, "udev")
> +allow udev_t udev_runtime_t:dir watch;
>   
>   kernel_load_module(udev_t)
>   kernel_read_system_state(udev_t)
> 


-- 
Chris PeBenito