Re: [PATCH v3] Separate out udevadm into a new domain

From: Chris PeBenito <pebenito@ieee.org>
To: "Sugar, David" <dsugar@tresys.com>,
	"selinux-refpolicy@vger.kernel.org" 
	<selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH v3] Separate out udevadm into a new domain
Date: Thu, 14 Mar 2019 18:05:23 -0400	[thread overview]
Message-ID: <b0eb53fc-7314-34f8-5c81-3d90607348b9@ieee.org> (raw)
In-Reply-To: <20190313181804.10224-1-dsugar@tresys.com>

On 3/13/19 2:18 PM, Sugar, David wrote:
> This is the update I have made based on suggestions for the previous
> patch to add a udev_run interface.  This adds the new domain udevadm_t
> which is entered from /usr/bin/udevadm.
> 
> It seems to meet the needs that I have, but there are some things to
> note that are probably important.
> 1) There are a few systemd services that use udevadm during startup.
>     I have granted the permisssions that I need based on denials I was
>     seeing during startup (the machine would fail to start without the
>     permisions).
> 2) In the udev.fc file there are other binaries that I don't have on a
>     RHEL7 box that maybe should also be labeled udevadm_exec_t.
>     e.g. /usr/bin/udevinfo
>     But as I don't have those binaries to test, I have not updated the
>     type of that binary.
> 3) There are some places that call udev_domtrans that maybe should now
>     be using udevadm_domtrans - rpm.te, hal.te, hotplug.te.  Again,
>     these are not things that I am using in my current situation and am
>     unable to test the interactions to know if the change is correct.
> 
> Other than that, I think it is good to split out udevadm into a
> different domain to make it separate.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/roles/sysadm.te |  4 +++
>   policy/modules/system/udev.fc  |  4 +--
>   policy/modules/system/udev.if  | 62 ++++++++++++++++++++++++++++++++++
>   policy/modules/system/udev.te  | 42 ++++++++++++++++++++++-
>   4 files changed, 109 insertions(+), 3 deletions(-)
> 
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 043e54bf..2cc60643 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -1140,6 +1140,10 @@ optional_policy(`
>   	tzdata_domtrans(sysadm_t)
>   ')
>   
> +optional_policy(`
> +	udevadm_run(sysadm_t, sysadm_r)
> +')
> +
>   optional_policy(`
>   	ulogd_admin(sysadm_t, sysadm_r)
>   ')
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index 009d821a..606ad517 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -10,7 +10,7 @@
>   /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
>   
>   /usr/bin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
> -/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
> +/usr/bin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
>   /usr/bin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/bin/udevinfo	--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/bin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
> @@ -22,7 +22,7 @@ ifdef(`distro_debian',`
>   ')
>   
>   /usr/sbin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
> -/usr/sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
> +/usr/sbin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
>   /usr/sbin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/sbin/udevstart	--	gen_context(system_u:object_r:udev_exec_t,s0)
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index fee55852..3028d6b8 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -447,3 +447,65 @@ interface(`udev_generic_pid_filetrans_run_dirs',`
>   
>   	files_pid_filetrans($1, udev_var_run_t, dir, $2)
>   ')
> +
> +########################################
> +## <summary>
> +##	Execute udev admin in the udevadm domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`udevadm_domtrans',`
> +	gen_require(`
> +		type udevadm_t, udevadm_exec_t;
> +	')
> +
> +	domtrans_pattern($1, udevadm_exec_t, udevadm_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute udevadm in the udevadm domain, and
> +##	allow the specified role the udevadm domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`udevadm_run',`
> +	gen_require(`
> +		attribute_role udevadm_roles;
> +	')
> +
> +	udevadm_domtrans($1)
> +	roleattribute $2 udevadm_roles;
> +')
> +
> +########################################
> +## <summary>
> +##	Execute udevadm in the caller domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`udevadm_exec',`
> +	gen_require(`
> +		type udevadm_exec_t;
> +	')
> +
> +	can_exec($1, udevadm_exec_t)
> +')
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 9d5cf3b2..becb54d9 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -4,6 +4,7 @@ policy_module(udev, 1.25.1)
>   #
>   # Declarations
>   #
> +attribute_role udevadm_roles;
>   
>   type udev_t;
>   type udev_exec_t;
> @@ -15,6 +16,12 @@ domain_interactive_fd(udev_t)
>   init_daemon_domain(udev_t, udev_exec_t)
>   init_named_socket_activation(udev_t, udev_var_run_t)
>   
> +type udevadm_t;
> +type udevadm_exec_t;
> +init_system_domain(udevadm_t, udevadm_exec_t)
> +application_domain(udevadm_t, udevadm_exec_t)
> +role udevadm_roles types udevadm_t;
> +
>   type udev_etc_t alias etc_udev_t;
>   files_config_file(udev_etc_t)
>   
> @@ -35,7 +42,7 @@ ifdef(`enable_mcs',`
>   
>   ########################################
>   #
> -# Local policy
> +# udev Local policy
>   #
>   
>   allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
> @@ -374,3 +381,36 @@ optional_policy(`
>   optional_policy(`
>   	xserver_read_xdm_pid(udev_t)
>   ')
> +
> +
> +########################################
> +#
> +# udevadm Local policy
> +#
> +
> +allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow udevadm_t self:unix_stream_socket create_socket_perms;
> +
> +allow udevadm_t udev_t:unix_stream_socket connectto;
> +
> +delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
> +delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
> +delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
> +list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
> +write_sock_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)

This write_sock_files_pattern allong with the above unix socket 
connectto is stream_connect_pattern.

> +
> +dev_rw_sysfs(udevadm_t)
> +dev_read_urand(udevadm_t)
> +
> +files_read_etc_files(udevadm_t)
> +files_read_usr_files(udevadm_t)
> +
> +init_list_pids(udevadm_t)
> +init_read_state(udevadm_t)
> +
> +kernel_read_system_state(udevadm_t)
> +
> +libs_use_ld_so(udevadm_t)
> +
> +seutil_read_file_contexts(udevadm_t)
> +
> 

-- 
Chris PeBenito