SELinux-Refpolicy Archive on
From: Chris PeBenito <>
To: "Sugar, David" <>,
Subject: Re: [PATCH v2] Setup attribute for fixed_disk_device and removable_device
Date: Sun, 17 Mar 2019 16:14:10 -0400

On 3/14/19 10:22 PM, Sugar, David wrote:
> On 3/14/19 6:06 PM, Chris PeBenito wrote:
>> On 3/13/19 2:18 PM, Sugar, David wrote:
>>> I am having trouble with some denials due to the fact I am setting
>>> up specific private types for media attached to my system.  This
>>> changes to use an attribute for media and interfaces to add types
>>> to the newly created attribute.
>> What you implemented doesn't seem consistent with what you have in the
>> commit message.  sr0 is in your example denials, so these aren't all
>> fixed disk devices, so the interface names and the attribute names
>> should be related to all storage devices, it would seem.
> No, they are not all fixed disk denials.  And maybe I should have split
> this into 2 (or 3) patches.  As I was making changes they all seemed
> related from my use case, but from your point of view I can see why they
> are probably different.  And I may not be explaining what I'm trying to
> accomplish clearly.
> Basically I have two (or three) cases:
> 1) I want to provide distinct types for USB devices so that only certain
> domains are able to mount/umount/format/etc...  The attribute provides a
> way to grant access to things like lvm_t and kernel_t which still need
> to do stuff with the device nodes.  The USB devices /dev/sd* by default
> are labeled fixed_disk_device_t.
> 2) I want to provide distinct types for certain hard disk/LVM
> partitions.  This will provide a way to restrict access to certain
> domains to alter those hard disk partitions (i.e. mount and umount and
> cryptsetup (to change LUKS password)).  At the same time this restricts
> those domains that need this specific hard disk access to still not have
> access to other partitions labeled fixed_disk_device_t.  i.e. so if this
> domain is compromised, it can only alter the single partition it has
> access to, not others.
> 3) The last case may be overkill (maybe not) where I am labeling /dev/sr0
> and /dev/sg1 with a separate type to better control access to write to
> the generic scsi device node to only the process who is writing optical
> media.  Again this provides a way to restrict access to the other
> /dev/sg* devices this process should not be accessing.  /dev/sr0 is
> removable_device_t by default, but I also have some USB devices that
> present as cdrom devices; these get /dev/sr1 as the device node and by
> default are also labeled removable_device_t.
> I am able to use specific udev rules to correctly set up the SELinux
> labels for these specific hard disk partitions, USB devices and optical
> drive.
> I am also open to other recommendations for a better way to solve these
> denials without giving domains that only need to access a single device
> or partition access to all devices.

These do not seem upstreamable.  They sound very system-specific.

Chris PeBenito
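The layout David describes in the quoted mail, as an added sketch that is neither the v2 patch nor refpolicy's own code: the attribute keeps broad consumers such as lvm_t and kernel_t working across every storage device node, while a narrow domain is granted only its private type, and udev applies that label. Every attribute, interface, type and domain name below is an assumption, as is the udev rule.

```selinux
# Added sketch, not from the patch or from refpolicy; all names are assumptions.

# --- kernel/storage.te: one attribute grouping every storage device node type ---
attribute storage_device_type;                  # hypothetical attribute name
typeattribute fixed_disk_device_t storage_device_type;
typeattribute removable_device_t storage_device_type;

# --- kernel/storage.if: interfaces so other modules can join and use the attribute ---
## <summary>Mark the given type as a storage device node type.</summary>
interface(`storage_device_type',`
	gen_require(`
		attribute storage_device_type;
	')
	typeattribute $1 storage_device_type;
')

## <summary>Raw read/write on all storage device node types (for lvm_t, kernel_t).</summary>
interface(`storage_raw_rw_all_devices',`
	gen_require(`
		attribute storage_device_type;
	')
	dev_list_all_dev_nodes($1)
	allow $1 storage_device_type:blk_file rw_blk_file_perms;
	allow $1 storage_device_type:chr_file rw_chr_file_perms;   # /dev/sg* nodes
')

# --- local module usbmedia.te: private type for the USB media nodes ---
policy_module(usbmedia, 1.0.0)

type usb_media_device_t;
dev_node(usb_media_device_t)
storage_device_type(usb_media_device_t)         # lvm_t/kernel_t keep working via the attribute

type media_mgr_t;                               # hypothetical domain that mounts/formats the media
domain_type(media_mgr_t)

# Only the media manager touches the private type; it is deliberately not
# given fixed_disk_device_t or the attribute, so a compromise of media_mgr_t
# cannot reach the other partitions.
allow media_mgr_t usb_media_device_t:blk_file rw_blk_file_perms;

# Broad consumers are switched from individual types to the attribute, e.g.
# in lvm.te:  storage_raw_rw_all_devices(lvm_t)

# --- hypothetical udev rule (e.g. /etc/udev/rules.d/90-usbmedia.rules) ---
# SUBSYSTEM=="block", ENV{ID_BUS}=="usb", SECLABEL{selinux}="system_u:object_r:usb_media_device_t:s0"
```

After loading the module, `sesearch -A -s lvm_t -t usb_media_device_t -c blk_file` should report the allow rule coming from the attribute, and the same query with `-s media_mgr_t -t fixed_disk_device_t` should return nothing.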
