SELinux-Refpolicy Archive on lore.kernel.org
* [PATCH v3] Separate out udevadm into a new domain
@ 2019-03-13 18:18 Sugar, David
  2019-03-13 18:18 ` [PATCH v2] Setup attribute for fixed_disk_device and removable_device Sugar, David
  2019-03-14 22:05 ` [PATCH v3] Separate out udevadm into a new domain Chris PeBenito
  0 siblings, 2 replies; 8+ messages in thread
From: Sugar, David @ 2019-03-13 18:18 UTC (permalink / raw)
  To: selinux-refpolicy

This is the update I have made based on suggestions for the previous
patch to add a udev_run interface.  This adds the new domain udevadm_t
which is entered from /usr/bin/udevadm.

It seems to meet the needs that I have, but there are some things to
note that are probably important.
1) There are a few systemd services that use udevadm during startup.
   I have granted the permissions that I need based on denials I was
   seeing during startup (the machine would fail to start without the
   permissions).
2) In the udev.fc file there are other binaries that I don't have on a
   RHEL7 box that maybe should also be labeled udevadm_exec_t.
   e.g. /usr/bin/udevinfo
   But as I don't have those binaries to test, I have not updated the
   type of that binary.
3) There are some places that call udev_domtrans that maybe should now
   be using udevadm_domtrans - rpm.te, hal.te, hotplug.te.  Again,
   these are not things that I am using in my current situation and am
   unable to test the interactions to know if the change is correct.

Other than that, I think it is good to split out udevadm into a
different domain to make it separate.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/roles/sysadm.te |  4 +++
 policy/modules/system/udev.fc  |  4 +--
 policy/modules/system/udev.if  | 62 ++++++++++++++++++++++++++++++++++
 policy/modules/system/udev.te  | 42 ++++++++++++++++++++++-
 4 files changed, 109 insertions(+), 3 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 043e54bf..2cc60643 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1140,6 +1140,10 @@ optional_policy(`
 	tzdata_domtrans(sysadm_t)
 ')
 
+optional_policy(`
+	udevadm_run(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	ulogd_admin(sysadm_t, sysadm_r)
 ')
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 009d821a..606ad517 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -10,7 +10,7 @@
 /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
 /usr/bin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
 /usr/bin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevinfo	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
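Review bot: with /usr/bin/udevadm moved to udevadm_exec_t, the neighbouring /usr/bin/udevinfo entry stays on udev_exec_t even though it is a query tool of the same kind as udevadm, not the daemon; either relabel it here together with udevadm or add a comment on that line saying it is deliberately left on udev_exec_t pending testing, as the cover text explains, so the next reader does not take the inconsistency for an oversight.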
@@ -22,7 +22,7 @@ ifdef(`distro_debian',`
 ')
 
 /usr/sbin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/sbin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
 /usr/sbin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevstart	--	gen_context(system_u:object_r:udev_exec_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index fee55852..3028d6b8 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -447,3 +447,65 @@ interface(`udev_generic_pid_filetrans_run_dirs',`
 
 	files_pid_filetrans($1, udev_var_run_t, dir, $2)
 ')
+
+########################################
+## <summary>
+##	Execute udev admin in the udevadm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`udevadm_domtrans',`
+	gen_require(`
+		type udevadm_t, udevadm_exec_t;
+	')
+
+	domtrans_pattern($1, udevadm_exec_t, udevadm_t)
+')
+
+########################################
+## <summary>
+##	Execute udevadm in the udevadm domain, and
+##	allow the specified role the udevadm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`udevadm_run',`
+	gen_require(`
+		attribute_role udevadm_roles;
+	')
+
+	udevadm_domtrans($1)
+	roleattribute $2 udevadm_roles;
+')
+
+########################################
+## <summary>
+##	Execute udevadm in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udevadm_exec',`
+	gen_require(`
+		type udevadm_exec_t;
+	')
+
+	can_exec($1, udevadm_exec_t)
+')
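Review bot: the summary of udevadm_domtrans says "Execute udev admin in the udevadm domain" while the other two interfaces in this hunk use the binary name; write "udevadm" in all three so the generated interface documentation is searchable by the same term. udevadm_run correctly carries `<rolecap/>` for the role parameter and is what sysadm.te calls. For udevadm_exec, which grants `can_exec($1, udevadm_exec_t)` with no transition, the summary should state that the caller keeps running in its own domain and therefore gets none of the udevadm_t rules (for example the netlink uevent socket access granted in udev.te), since that is the difference a policy writer choosing between the two interfaces needs to know.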
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 9d5cf3b2..becb54d9 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -4,6 +4,7 @@ policy_module(udev, 1.25.1)
 #
 # Declarations
 #
+attribute_role udevadm_roles;
 
 type udev_t;
 type udev_exec_t;
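Review bot: `attribute_role udevadm_roles;` is placed directly under the "# Declarations" comment block with no separating blank line, whereas every other declaration in this file is separated by one; add the blank line. It would also read better declared next to the udevadm_t type it is bound to in the following hunk rather than ahead of the udev_t declarations.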
@@ -15,6 +16,12 @@ domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
 init_named_socket_activation(udev_t, udev_var_run_t)
 
+type udevadm_t;
+type udevadm_exec_t;
+init_system_domain(udevadm_t, udevadm_exec_t)
+application_domain(udevadm_t, udevadm_exec_t)
+role udevadm_roles types udevadm_t;
+
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
 
@@ -35,7 +42,7 @@ ifdef(`enable_mcs',`
 
 ########################################
 #
-# Local policy
+# udev Local policy
 #
 
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
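Review bot: unrelated to the comment rename in this hunk, the context line shows `sys_nice` listed twice in the udev_t self:capability rule; that duplicate pre-dates this patch and is worth a separate one-line cleanup rather than being folded in here.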
@@ -374,3 +381,36 @@ optional_policy(`
 optional_policy(`
 	xserver_read_xdm_pid(udev_t)
 ')
+
+
+########################################
+#
+# udevadm Local policy
+#
+
+allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow udevadm_t self:unix_stream_socket create_socket_perms;
+
+allow udevadm_t udev_t:unix_stream_socket connectto;
+
+delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+write_sock_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+
+dev_rw_sysfs(udevadm_t)
+dev_read_urand(udevadm_t)
+
+files_read_etc_files(udevadm_t)
+files_read_usr_files(udevadm_t)
+
+init_list_pids(udevadm_t)
+init_read_state(udevadm_t)
+
+kernel_read_system_state(udevadm_t)
+
+libs_use_ld_so(udevadm_t)
+
+seutil_read_file_contexts(udevadm_t)
+
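Review bot: `allow udevadm_t udev_t:unix_stream_socket connectto;` together with `write_sock_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)` is exactly what `stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t)` expands to, so use the pattern, as the list reviewer also asks. Two smaller points in the same block: it opens with two blank lines where the rest of the file uses one, and it ends with an added empty line at end of file. Finally, the three delete_*_pattern lines give udevadm_t removal rights over the daemon's runtime directory; a comment naming the udevadm subcommand or unit that produced those denials would let a later audit decide whether they are still needed.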
-- 
2.20.1



* [PATCH v2] Setup attribute for fixed_disk_device and removable_device
  2019-03-13 18:18 [PATCH v3] Separate out udevadm into a new domain Sugar, David
@ 2019-03-13 18:18 ` Sugar, David
  2019-03-14 22:06   ` Chris PeBenito
  2019-03-14 22:05 ` [PATCH v3] Separate out udevadm into a new domain Chris PeBenito
  1 sibling, 1 reply; 8+ messages in thread
From: Sugar, David @ 2019-03-13 18:18 UTC (permalink / raw)
  To: selinux-refpolicy

I am having trouble with some denials due to the fact I am setting
up specific private types for media attached to my system.  This
changes to use an attribute for media and interfaces to add types
to the newly created attribute.

Updates based on feedback to create 'all' interfaces rather than
updating existing interfaces.

I'm trying to resolve issues with denials like the following:
type=AVC msg=audit(1551461957.121:9050): avc:  denied  { open } for  pid=30877 comm="cryptsetup" path="/dev/sdb" dev="devtmpfs" ino=110450 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1551461957.121:9051): avc:  denied  { ioctl } for  pid=30877 comm="cryptsetup" path="/dev/sdb" dev="devtmpfs" ino=110450 ioctlcmd=1268 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1551461973.149:9101): avc:  denied  { getattr } for  pid=28 comm="kdevtmpfs" path="/sdb1" dev="devtmpfs" ino=110461 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1551461973.149:9102): avc:  denied  { setattr } for  pid=28 comm="kdevtmpfs" name="sdb1" dev="devtmpfs" ino=110461 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1551461973.149:9103): avc:  denied  { unlink } for  pid=28 comm="kdevtmpfs" name="sdb1" dev="devtmpfs" ino=110461 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1

type=AVC msg=audit(1552228893.128:472): avc:  denied  { getattr } for  pid=8141 comm="systemd-logind" name="sg1" dev="devtmpfs" ino=31873 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1552228893.128:473): avc:  denied  { setattr } for  pid=8141 comm="systemd-logind" name="sg1" dev="devtmpfs" ino=31873 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1552228893.128:474): avc:  denied  { getattr } for  pid=8141 comm="systemd-logind" name="sr0" dev="devtmpfs" ino=14570 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1552228893.128:475): avc:  denied  { setattr } for  pid=8141 comm="systemd-logind" name="sr0" dev="devtmpfs" ino=14570 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/kernel/kernel.te  |   7 +-
 policy/modules/kernel/storage.if | 320 +++++++++++++++++++++++++++++++
 policy/modules/kernel/storage.te |   7 +
 policy/modules/system/lvm.te     |   2 +-
 policy/modules/system/systemd.te |   8 +-
 5 files changed, 336 insertions(+), 8 deletions(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index e971c533..acc8a88c 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -352,9 +352,10 @@ ifdef(`init_systemd',`
 
 	optional_policy(`
 		storage_dev_filetrans_fixed_disk(kernel_t)
-		storage_setattr_fixed_disk_dev(kernel_t)
-		storage_create_fixed_disk_dev(kernel_t)
-		storage_delete_fixed_disk_dev(kernel_t)
+		storage_getattr_all_scsi_generic_dev(kernel_t)
+		storage_setattr_all_fixed_disk_dev(kernel_t)
+		storage_create_all_fixed_disk_dev(kernel_t)
+		storage_delete_all_fixed_disk_dev(kernel_t)
 	')
 ')
 
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 0292eee4..93208835 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -1,5 +1,25 @@
 ## <summary>Policy controlling access to storage devices</summary>
 
+########################################
+## <summary>
+##	Allow the caller to get the attributes of 
+##	all fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_getattr_all_fixed_disk_dev',`
+	gen_require(`
+		attribute fixed_disk_device;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device:blk_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to get the attributes of fixed disk
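Review bot: the summary line "Allow the caller to get the attributes of " in this hunk carries trailing whitespace; strip it, since the refpolicy tree is kept free of trailing blanks and it will show up in `git diff --check`.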
@@ -20,6 +40,26 @@ interface(`storage_getattr_fixed_disk_dev',`
 	allow $1 fixed_disk_device_t:blk_file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts made by the caller to get
+##	the attributes of all fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_all_getattr_fixed_disk_dev',`
+	gen_require(`
+		attribute fixed_disk_device;
+	')
+
+	dontaudit $1 fixed_disk_device:blk_file getattr;
+	dontaudit $1 fixed_disk_device:chr_file getattr; # /dev/rawctl
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts made by the caller to get
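Review bot: the name storage_dontaudit_all_getattr_fixed_disk_dev puts "all" between the verb and the permission, while every other interface added by this patch uses the pattern <verb>_all_<object> (storage_getattr_all_fixed_disk_dev, storage_setattr_all_fixed_disk_dev, and notably storage_dontaudit_getattr_all_removable_dev further down); rename it to storage_dontaudit_getattr_all_fixed_disk_dev so the two dontaudit variants are named the same way.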
@@ -40,6 +80,26 @@ interface(`storage_dontaudit_getattr_fixed_disk_dev',`
 	dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl
 ')
 
+########################################
+## <summary>
+##	Allow the caller to set the attributes of all
+##	fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_setattr_all_fixed_disk_dev',`
+	gen_require(`
+		attribute fixed_disk_device;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device:blk_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to set the attributes of fixed disk
@@ -79,6 +139,31 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',`
 	dontaudit $1 fixed_disk_device_t:blk_file setattr;
 ')
 
+########################################
+## <summary>
+##	Allow the caller to directly read from all fixed disks.
+##	This is extremely dangerous as it can bypass the
+##	SELinux protections for filesystem objects, and
+##	should only be used by trusted domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_raw_read_all_fixed_disk',`
+	gen_require(`
+		attribute fixed_disk_raw_read;
+		attribute fixed_disk_device;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device:blk_file read_blk_file_perms;
+	allow $1 fixed_disk_device:chr_file read_chr_file_perms;
+	typeattribute $1 fixed_disk_raw_read;
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to directly read from a fixed disk.
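Review bot: this interface grants raw read on every type that carries fixed_disk_device, including any private type a module adds later through storage_fixed_disk_device_type(), so the "extremely dangerous" warning in the summary applies with more force than for the single-type version and should say that the grant covers all current and future member types. Also consider adding a storage_raw_write_all_fixed_disk counterpart: storage_manage_all_fixed_disk below already requires and assigns fixed_disk_raw_write, but nothing in the patch offers the write side on its own, so a domain that needs raw write without full manage rights would have to take the wider interface.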
@@ -188,6 +273,26 @@ interface(`storage_raw_rw_fixed_disk',`
 	storage_raw_write_fixed_disk($1)
 ')
 
+########################################
+## <summary>
+##	Allow the caller to create all fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_create_all_fixed_disk_dev',`
+	gen_require(`
+		attribute fixed_disk_device;
+	')
+
+	allow $1 self:capability mknod;
+	allow $1 fixed_disk_device:blk_file create_blk_file_perms;
+	dev_add_entry_generic_dirs($1)
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to create fixed disk device nodes.
@@ -208,6 +313,25 @@ interface(`storage_create_fixed_disk_dev',`
 	dev_add_entry_generic_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Allow the caller to delete all fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_delete_all_fixed_disk_dev',`
+	gen_require(`
+		attribute fixed_disk_device;
+	')
+
+	allow $1 fixed_disk_device:blk_file delete_blk_file_perms;
+	dev_remove_entry_generic_dirs($1)
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to delete fixed disk device nodes.
@@ -227,6 +351,29 @@ interface(`storage_delete_fixed_disk_dev',`
 	dev_remove_entry_generic_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_manage_all_fixed_disk',`
+	gen_require(`
+		attribute fixed_disk_raw_read, fixed_disk_raw_write;
+		attribute fixed_disk_device;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 self:capability mknod;
+	allow $1 fixed_disk_device:blk_file manage_blk_file_perms;
+	allow $1 fixed_disk_device:chr_file manage_chr_file_perms;
+	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete fixed disk device nodes.
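Review bot: the summary of storage_manage_all_fixed_disk is copied verbatim from the single-type interface that follows ("Create, read, write, and delete fixed disk device nodes."); say "all fixed disk device nodes" so the two entries are distinguishable in the generated documentation. This is also the interface lvm.te is switched to, so the summary should mention that it assigns both fixed_disk_raw_read and fixed_disk_raw_write to the caller.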
@@ -293,6 +440,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
 	fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file)
 ')
 
+########################################
+## <summary>
+##	Relabel all fixed disk device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_relabel_all_fixed_disk',`
+	gen_require(`
+		attribute fixed_disk_device;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 fixed_disk_device:blk_file relabel_blk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Relabel fixed disk device nodes.
@@ -388,6 +554,26 @@ interface(`storage_dontaudit_rw_fuse',`
 	dontaudit $1 fuse_device_t:chr_file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Allow the caller to get the attributes of
+##	all generic SCSI interface device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_getattr_all_scsi_generic_dev',`
+	gen_require(`
+		attribute scsi_generic_device;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 scsi_generic_device:chr_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to get the attributes of
@@ -408,6 +594,26 @@ interface(`storage_getattr_scsi_generic_dev',`
 	allow $1 scsi_generic_device_t:chr_file getattr;
 ')
 
+########################################
+## <summary>
+##	Allow the caller to set the attributes of
+##	all generic SCSI interface device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_setattr_all_scsi_generic_dev',`
+	gen_require(`
+		attribute scsi_generic_device;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 scsi_generic_device:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to set the attributes of
@@ -517,6 +723,26 @@ interface(`storage_dontaudit_rw_scsi_generic',`
 	dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##	Allow the caller to get the attributes of all removable
+##	devices device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_getattr_all_removable_dev',`
+	gen_require(`
+		attribute removable_device;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 removable_device:blk_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to get the attributes of removable
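Review bot: "all removable devices device nodes" in the summary should read "all removable device nodes"; the same doubled phrase appears in the storage_dontaudit_getattr_all_removable_dev and storage_setattr_all_removable_dev summaries later in this file, so fix all three together.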
@@ -556,6 +782,25 @@ interface(`storage_dontaudit_getattr_removable_dev',`
 	dontaudit $1 removable_device_t:blk_file getattr;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts made by the caller to get
+##	the attributes of all removable devices device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`storage_dontaudit_getattr_all_removable_dev',`
+	gen_require(`
+		attribute removable_device;
+	')
+
+	dontaudit $1 removable_device:blk_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts made by the caller to read
@@ -595,6 +840,26 @@ interface(`storage_dontaudit_write_removable_device',`
 	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
 ')
 
+########################################
+## <summary>
+##	Allow the caller to set the attributes of all removable
+##	devices device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_setattr_all_removable_dev',`
+	gen_require(`
+		attribute removable_device;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 removable_device:blk_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Allow the caller to set the attributes of removable
@@ -796,6 +1061,61 @@ interface(`storage_setattr_tape_dev',`
 	allow $1 tape_device_t:chr_file setattr;
 ')
 
+########################################
+## <summary>
+##	Mark a type as a fixed disk device type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to associate
+##	</summary>
+## </param>
+#
+interface(`storage_fixed_disk_device_type',`
+	gen_require(`
+		attribute fixed_disk_device;
+	')
+
+	typeattribute $1 fixed_disk_device;
+')
+
+########################################
+## <summary>
+##	Mark a type as a removable device type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to associate.
+##	</summary>
+## </param>
+#
+interface(`storage_removable_device_type',`
+	gen_require(`
+		attribute removable_device;
+	')
+
+	typeattribute $1 removable_device;
+')
+
+
+########################################
+## <summary>
+##	Mark a type as a scsi generic device type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to associate.
+##	</summary>
+## </param>
+#
+interface(`storage_scsi_generic_device_type',`
+	gen_require(`
+		attribute scsi_generic_device;
+	')
+
+	typeattribute $1 scsi_generic_device;
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to storage devices.
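Review bot: the three *_device_type interfaces take a type, not a domain (their own summaries say "Type to associate"), so the `<param name="domain">` element should use a name that says so, such as "type", consistent with how refpolicy documents other type-marking interfaces. Minor: "Type to associate" in storage_fixed_disk_device_type lacks the full stop the other two have, and there are two blank lines before storage_scsi_generic_device_type where the file uses one.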
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index c10290c0..cc59380d 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -11,12 +11,17 @@ attribute scsi_generic_read;
 attribute scsi_generic_write;
 attribute storage_unconfined_type;
 
+attribute fixed_disk_device;
+attribute removable_device;
+attribute scsi_generic_device;
+
 #
 # fixed_disk_device_t is the type of
 # /dev/hd* and /dev/sd*.
 #
 type fixed_disk_device_t;
 dev_node(fixed_disk_device_t)
+storage_fixed_disk_device_type(fixed_disk_device_t)
 
 neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
 neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
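Review bot: the two neverallow rules in this hunk still name fixed_disk_device_t, so a private type marked with storage_fixed_disk_device_type() is not covered by them: a domain could be granted read or write on that private type through a plain allow rule without carrying fixed_disk_raw_read or fixed_disk_raw_write, which is the invariant these rules exist to enforce. Now that the attribute exists, write the rules against `fixed_disk_device:{ chr_file blk_file }` so every member type inherits the constraint; the scsi_generic_device_t rules in the next hunk need the same change.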
@@ -33,6 +38,7 @@ dev_node(fuse_device_t)
 #
 type scsi_generic_device_t;
 dev_node(scsi_generic_device_t)
+storage_scsi_generic_device_type(scsi_generic_device_t)
 
 neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read;
 neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write };
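Review bot: same point as for the fixed disk rules: the two scsi neverallow rules still name scsi_generic_device_t, so a type added through storage_scsi_generic_device_type() is not protected by them; restate them on the scsi_generic_device attribute so the raw read/write invariant also covers the private types this patch is introduced for.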
@@ -43,6 +49,7 @@ neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t
 #
 type removable_device_t;
 dev_node(removable_device_t)
+storage_removable_device_type(removable_device_t)
 
 #
 # tape_device_t is the type of
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index ba64c39d..0bb7177c 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -300,7 +300,7 @@ storage_dontaudit_read_removable_device(lvm_t)
 # cjp: needs to create an interface here for fixed disk create
 storage_dev_filetrans_fixed_disk(lvm_t)
 # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
-storage_manage_fixed_disk(lvm_t)
+storage_manage_all_fixed_disk(lvm_t)
 
 term_use_all_terms(lvm_t)
 
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 07529a5d..83f85a9d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -472,10 +472,10 @@ fs_unmount_tmpfs(systemd_logind_t)
 
 selinux_get_enforce_mode(systemd_logind_t)
 
-storage_getattr_removable_dev(systemd_logind_t)
-storage_getattr_scsi_generic_dev(systemd_logind_t)
-storage_setattr_removable_dev(systemd_logind_t)
-storage_setattr_scsi_generic_dev(systemd_logind_t)
+storage_getattr_all_removable_dev(systemd_logind_t)
+storage_getattr_all_scsi_generic_dev(systemd_logind_t)
+storage_setattr_all_removable_dev(systemd_logind_t)
+storage_setattr_all_scsi_generic_dev(systemd_logind_t)
 
 term_setattr_unallocated_ttys(systemd_logind_t)
 term_use_unallocated_ttys(systemd_logind_t)
-- 
2.20.1


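The AVC records quoted in this patch description are the input a policy writer works from when deciding which storage interface to call. The following is an added example, not part of the patch or of refpolicy: it parses audit lines of that format, groups the denied permissions by (source type, target type, object class), and renders the result as the raw allow rules audit2allow would print, which is the view needed to pick the matching interface. The sample log embeds the records from the description plus one constructed non-AVC line to show that unrelated audit records are skipped.

```python
"""Summarize SELinux AVC denial records by (source type, target type, class).

Added example; it is not code from the refpolicy patch. The AVC records are
the ones quoted in the patch description; the trailing SYSCALL line is
constructed to show that non-AVC records are ignored.
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1551461957.121:9050): avc:  denied  { open } for  pid=30877 comm="cryptsetup" path="/dev/sdb" dev="devtmpfs" ino=110450 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1551461957.121:9051): avc:  denied  { ioctl } for  pid=30877 comm="cryptsetup" path="/dev/sdb" dev="devtmpfs" ino=110450 ioctlcmd=1268 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1551461973.149:9101): avc:  denied  { getattr } for  pid=28 comm="kdevtmpfs" path="/sdb1" dev="devtmpfs" ino=110461 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1551461973.149:9102): avc:  denied  { setattr } for  pid=28 comm="kdevtmpfs" name="sdb1" dev="devtmpfs" ino=110461 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1551461973.149:9103): avc:  denied  { unlink } for  pid=28 comm="kdevtmpfs" name="sdb1" dev="devtmpfs" ino=110461 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1552228893.128:472): avc:  denied  { getattr } for  pid=8141 comm="systemd-logind" name="sg1" dev="devtmpfs" ino=31873 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1552228893.128:473): avc:  denied  { setattr } for  pid=8141 comm="systemd-logind" name="sg1" dev="devtmpfs" ino=31873 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1552228893.128:474): avc:  denied  { getattr } for  pid=8141 comm="systemd-logind" name="sr0" dev="devtmpfs" ino=14570 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(1552228893.128:475): avc:  denied  { setattr } for  pid=8141 comm="systemd-logind" name="sr0" dev="devtmpfs" ino=14570 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
type=SYSCALL msg=audit(1551461957.121:9050): arch=c000003e syscall=2 success=yes exit=3 comm="cryptsetup"
"""

# Header of an AVC record: timestamp, serial, verdict, permission set, then
# the free-form key=value fields.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>[0-9]+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either double-quoted (paths, comm) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    # A security context is user:role:type[:range]; the type is the third field.
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "permissive": fields.get("permissive") == "1",
        "fields": fields,
    }


def summarize_denials(log_text):
    """Map (source type, target type, class) -> sorted list of denied perms."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        summary[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in summary.items()}


def format_allow_rules(summary):
    """Render the summary as raw allow rules (what audit2allow would print).

    In refpolicy these are not pasted into a .te file; they are the evidence
    for choosing an existing interface (e.g. a storage_*_all_* interface).
    """
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def all_permissive(log_text):
    """True when every denial carries permissive=1, i.e. the accesses were
    logged but actually allowed, so the log reflects a complete run."""
    recs = [r for r in map(parse_avc, log_text.splitlines())
            if r is not None and r["result"] == "denied"]
    return bool(recs) and all(r["permissive"] for r in recs)


if __name__ == "__main__":
    for rule in format_allow_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
    print("all denials from permissive mode:", all_permissive(SAMPLE_AUDIT_LOG))
```

Grouping by type rather than by path is deliberate: the `private_device_t` label on /dev/sdb, /sdb1, sg1 and sr0 is what all nine records have in common, and the per-class split (blk_file versus chr_file) is what separates the fixed disk and removable interfaces from the SCSI generic ones in this patch.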

* Re: [PATCH v3] Separate out udevadm into a new domain
  2019-03-13 18:18 [PATCH v3] Separate out udevadm into a new domain Sugar, David
  2019-03-13 18:18 ` [PATCH v2] Setup attribute for fixed_disk_device and removable_device Sugar, David
@ 2019-03-14 22:05 ` Chris PeBenito
  2019-03-15  2:27   ` [PATCH v4] " Sugar, David
  1 sibling, 1 reply; 8+ messages in thread
From: Chris PeBenito @ 2019-03-14 22:05 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 3/13/19 2:18 PM, Sugar, David wrote:
> This is the update I have made based on suggestions for the previous
> patch to add a udev_run interface.  This adds the new domain udevadm_t
> which is entered from /usr/bin/udevadm.
> 
> It seems to meet the needs that I have, but there are some things to
> note that are probably important.
> 1) There are a few systemd services that use udevadm during startup.
>     I have granted the permissions that I need based on denials I was
>     seeing during startup (the machine would fail to start without the
>     permissions).
> 2) In the udev.fc file there are other binaries that I don't have on a
>     RHEL7 box that maybe should also be labeled udevadm_exec_t.
>     e.g. /usr/bin/udevinfo
>     But as I don't have those binaries to test, I have not updated the
>     type of that binary.
> 3) There are some places that call udev_domtrans that maybe should now
>     be using udevadm_domtrans - rpm.te, hal.te, hotplug.te.  Again,
>     these are not things that I am using in my current situation and am
>     unable to test the interactions to know if the change is correct.
> 
> Other than that, I think it is good to split out udevadm into a
> different domain to make it separate.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/roles/sysadm.te |  4 +++
>   policy/modules/system/udev.fc  |  4 +--
>   policy/modules/system/udev.if  | 62 ++++++++++++++++++++++++++++++++++
>   policy/modules/system/udev.te  | 42 ++++++++++++++++++++++-
>   4 files changed, 109 insertions(+), 3 deletions(-)
> 
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 043e54bf..2cc60643 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -1140,6 +1140,10 @@ optional_policy(`
>   	tzdata_domtrans(sysadm_t)
>   ')
>   
> +optional_policy(`
> +	udevadm_run(sysadm_t, sysadm_r)
> +')
> +
>   optional_policy(`
>   	ulogd_admin(sysadm_t, sysadm_r)
>   ')
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index 009d821a..606ad517 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -10,7 +10,7 @@
>   /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
>   
>   /usr/bin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
> -/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
> +/usr/bin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
>   /usr/bin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/bin/udevinfo	--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/bin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
> @@ -22,7 +22,7 @@ ifdef(`distro_debian',`
>   ')
>   
>   /usr/sbin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
> -/usr/sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
> +/usr/sbin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
>   /usr/sbin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
>   /usr/sbin/udevstart	--	gen_context(system_u:object_r:udev_exec_t,s0)
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index fee55852..3028d6b8 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -447,3 +447,65 @@ interface(`udev_generic_pid_filetrans_run_dirs',`
>   
>   	files_pid_filetrans($1, udev_var_run_t, dir, $2)
>   ')
> +
> +########################################
> +## <summary>
> +##	Execute udev admin in the udevadm domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`udevadm_domtrans',`
> +	gen_require(`
> +		type udevadm_t, udevadm_exec_t;
> +	')
> +
> +	domtrans_pattern($1, udevadm_exec_t, udevadm_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute udevadm in the udevadm domain, and
> +##	allow the specified role the udevadm domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`udevadm_run',`
> +	gen_require(`
> +		attribute_role udevadm_roles;
> +	')
> +
> +	udevadm_domtrans($1)
> +	roleattribute $2 udevadm_roles;
> +')
> +
> +########################################
> +## <summary>
> +##	Execute udevadm in the caller domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`udevadm_exec',`
> +	gen_require(`
> +		type udevadm_exec_t;
> +	')
> +
> +	can_exec($1, udevadm_exec_t)
> +')
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 9d5cf3b2..becb54d9 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -4,6 +4,7 @@ policy_module(udev, 1.25.1)
>   #
>   # Declarations
>   #
> +attribute_role udevadm_roles;
>   
>   type udev_t;
>   type udev_exec_t;
> @@ -15,6 +16,12 @@ domain_interactive_fd(udev_t)
>   init_daemon_domain(udev_t, udev_exec_t)
>   init_named_socket_activation(udev_t, udev_var_run_t)
>   
> +type udevadm_t;
> +type udevadm_exec_t;
> +init_system_domain(udevadm_t, udevadm_exec_t)
> +application_domain(udevadm_t, udevadm_exec_t)
> +role udevadm_roles types udevadm_t;
> +
>   type udev_etc_t alias etc_udev_t;
>   files_config_file(udev_etc_t)
>   
> @@ -35,7 +42,7 @@ ifdef(`enable_mcs',`
>   
>   ########################################
>   #
> -# Local policy
> +# udev Local policy
>   #
>   
>   allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
> @@ -374,3 +381,36 @@ optional_policy(`
>   optional_policy(`
>   	xserver_read_xdm_pid(udev_t)
>   ')
> +
> +
> +########################################
> +#
> +# udevadm Local policy
> +#
> +
> +allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow udevadm_t self:unix_stream_socket create_socket_perms;
> +
> +allow udevadm_t udev_t:unix_stream_socket connectto;
> +
> +delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
> +delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
> +delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
> +list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
> +write_sock_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)

This write_sock_files_pattern along with the above unix socket
connectto is stream_connect_pattern.

> +
> +dev_rw_sysfs(udevadm_t)
> +dev_read_urand(udevadm_t)
> +
> +files_read_etc_files(udevadm_t)
> +files_read_usr_files(udevadm_t)
> +
> +init_list_pids(udevadm_t)
> +init_read_state(udevadm_t)
> +
> +kernel_read_system_state(udevadm_t)
> +
> +libs_use_ld_so(udevadm_t)
> +
> +seutil_read_file_contexts(udevadm_t)
> +
> 
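Review bot: dev_rw_sysfs(udevadm_t) grants read and write on all of sysfs, which is broader than what the startup denials in the cover letter describe; if a narrower dev_ interface covers the denials actually seen, prefer it, otherwise a comment naming the udevadm operation that writes sysfs would help the next reader. The delete_dirs/files/lnk_files_pattern lines on udev_var_run_t also stand out: they let udevadm_t remove entries from udev's runtime database with no matching create or write grant, so the denial they resolve should be called out. Minor: two consecutive blank lines precede the new section header, and the final `+` line adds an empty line at end of file.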


-- 
Chris PeBenito


* Re: [PATCH v2] Setup attribute for fixed_disk_device and removable_device
  2019-03-13 18:18 ` [PATCH v2] Setup attribute for fixed_disk_device and removable_device Sugar, David
@ 2019-03-14 22:06   ` Chris PeBenito
  2019-03-15  2:22     ` Sugar, David
  0 siblings, 1 reply; 8+ messages in thread
From: Chris PeBenito @ 2019-03-14 22:06 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 3/13/19 2:18 PM, Sugar, David wrote:
> I am having trouble with some denials due to the fact I am setting
> up specific private types for media attached to my system.  This
> changes to use an attribute for media and interfaces to add types
> to the newly created attribute

What you implemented doesn't seem consistent with what you have in the 
commit message.  sr0 is in your example denials, so these aren't all 
fixed disk devices, so the interface names and the attribute names 
should be related to all storage devices, it would seem.


> Updates based on feedback to create 'all' interfaces rather than
> updating existing interfaces.
> 
> I'm trying to resolve issues with denials like the following:
> type=AVC msg=audit(1551461957.121:9050): avc:  denied  { open } for  pid=30877 comm="cryptsetup" path="/dev/sdb" dev="devtmpfs" ino=110450 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
> type=AVC msg=audit(1551461957.121:9051): avc:  denied  { ioctl } for  pid=30877 comm="cryptsetup" path="/dev/sdb" dev="devtmpfs" ino=110450 ioctlcmd=1268 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
> type=AVC msg=audit(1551461973.149:9101): avc:  denied  { getattr } for  pid=28 comm="kdevtmpfs" path="/sdb1" dev="devtmpfs" ino=110461 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
> type=AVC msg=audit(1551461973.149:9102): avc:  denied  { setattr } for  pid=28 comm="kdevtmpfs" name="sdb1" dev="devtmpfs" ino=110461 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
> type=AVC msg=audit(1551461973.149:9103): avc:  denied  { unlink } for  pid=28 comm="kdevtmpfs" name="sdb1" dev="devtmpfs" ino=110461 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
> 
> type=AVC msg=audit(1552228893.128:472): avc:  denied  { getattr } for  pid=8141 comm="systemd-logind" name="sg1" dev="devtmpfs" ino=31873 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=chr_file permissive=1
> type=AVC msg=audit(1552228893.128:473): avc:  denied  { setattr } for  pid=8141 comm="systemd-logind" name="sg1" dev="devtmpfs" ino=31873 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=chr_file permissive=1
> type=AVC msg=audit(1552228893.128:474): avc:  denied  { getattr } for  pid=8141 comm="systemd-logind" name="sr0" dev="devtmpfs" ino=14570 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
> type=AVC msg=audit(1552228893.128:475): avc:  denied  { setattr } for  pid=8141 comm="systemd-logind" name="sr0" dev="devtmpfs" ino=14570 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file permissive=1
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/kernel/kernel.te  |   7 +-
>   policy/modules/kernel/storage.if | 320 +++++++++++++++++++++++++++++++
>   policy/modules/kernel/storage.te |   7 +
>   policy/modules/system/lvm.te     |   2 +-
>   policy/modules/system/systemd.te |   8 +-
>   5 files changed, 336 insertions(+), 8 deletions(-)
> 
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index e971c533..acc8a88c 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -352,9 +352,10 @@ ifdef(`init_systemd',`
>   
>   	optional_policy(`
>   		storage_dev_filetrans_fixed_disk(kernel_t)
> -		storage_setattr_fixed_disk_dev(kernel_t)
> -		storage_create_fixed_disk_dev(kernel_t)
> -		storage_delete_fixed_disk_dev(kernel_t)
> +		storage_getattr_all_scsi_generic_dev(kernel_t)
> +		storage_setattr_all_fixed_disk_dev(kernel_t)
> +		storage_create_all_fixed_disk_dev(kernel_t)
> +		storage_delete_all_fixed_disk_dev(kernel_t)
>   	')
>   ')
>   
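Review bot: storage_getattr_all_scsi_generic_dev(kernel_t) is not backed by any denial in the commit message: the sg1 getattr/setattr denials are from systemd_logind_t, and every kernel_t denial listed is a blk_file one on sdb1. Either drop that line or include the kernel_t chr_file denial it addresses.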
> diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
> index 0292eee4..93208835 100644
> --- a/policy/modules/kernel/storage.if
> +++ b/policy/modules/kernel/storage.if
> @@ -1,5 +1,25 @@
>   ## <summary>Policy controlling access to storage devices</summary>
>   
> +########################################
> +## <summary>
> +##	Allow the caller to get the attributes of
> +##	all fixed disk device nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_getattr_all_fixed_disk_dev',`
> +	gen_require(`
> +		attribute fixed_disk_device;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 fixed_disk_device:blk_file getattr;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Allow the caller to get the attributes of fixed disk
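Review bot: storage_getattr_all_fixed_disk_dev has no caller anywhere in this patch, and the same holds for storage_dontaudit_all_getattr_fixed_disk_dev, storage_raw_read_all_fixed_disk, storage_relabel_all_fixed_disk and storage_dontaudit_getattr_all_removable_dev added further down. Limiting the change to the interfaces that kernel.te, lvm.te and systemd.te actually exercise keeps it reviewable; the others can arrive with the patches that need them.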
> @@ -20,6 +40,26 @@ interface(`storage_getattr_fixed_disk_dev',`
>   	allow $1 fixed_disk_device_t:blk_file getattr;
>   ')
>   
> +########################################
> +## <summary>
> +##	Do not audit attempts made by the caller to get
> +##	the attributes of all fixed disk device nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_dontaudit_all_getattr_fixed_disk_dev',`
> +	gen_require(`
> +		attribute fixed_disk_device;
> +	')
> +
> +	dontaudit $1 fixed_disk_device:blk_file getattr;
> +	dontaudit $1 fixed_disk_device:chr_file getattr; # /dev/rawctl
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Do not audit attempts made by the caller to get
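Review bot: the name storage_dontaudit_all_getattr_fixed_disk_dev breaks the pattern used by every other new interface here (verb first, then `all`, as in storage_getattr_all_fixed_disk_dev above and storage_dontaudit_getattr_all_removable_dev later in this file); rename it to storage_dontaudit_getattr_all_fixed_disk_dev.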
> @@ -40,6 +80,26 @@ interface(`storage_dontaudit_getattr_fixed_disk_dev',`
>   	dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl
>   ')
>   
> +########################################
> +## <summary>
> +##	Allow the caller to set the attributes of all
> +##	fixed disk device nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_setattr_all_fixed_disk_dev',`
> +	gen_require(`
> +		attribute fixed_disk_device;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 fixed_disk_device:blk_file setattr;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Allow the caller to set the attributes of fixed disk
> @@ -79,6 +139,31 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',`
>   	dontaudit $1 fixed_disk_device_t:blk_file setattr;
>   ')
>   
> +########################################
> +## <summary>
> +##	Allow the caller to directly read from all fixed disks.
> +##	This is extremely dangerous as it can bypass the
> +##	SELinux protections for filesystem objects, and
> +##	should only be used by trusted domains.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_raw_read_all_fixed_disk',`
> +	gen_require(`
> +		attribute fixed_disk_raw_read;
> +		attribute fixed_disk_device;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 fixed_disk_device:blk_file read_blk_file_perms;
> +	allow $1 fixed_disk_device:chr_file read_chr_file_perms;
> +	typeattribute $1 fixed_disk_raw_read;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Allow the caller to directly read from a fixed disk.
> @@ -188,6 +273,26 @@ interface(`storage_raw_rw_fixed_disk',`
>   	storage_raw_write_fixed_disk($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Allow the caller to create all fixed disk device nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_create_all_fixed_disk_dev',`
> +	gen_require(`
> +		attribute fixed_disk_device;
> +	')
> +
> +	allow $1 self:capability mknod;
> +	allow $1 fixed_disk_device:blk_file create_blk_file_perms;
> +	dev_add_entry_generic_dirs($1)
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Allow the caller to create fixed disk device nodes.
> @@ -208,6 +313,25 @@ interface(`storage_create_fixed_disk_dev',`
>   	dev_add_entry_generic_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Allow the caller to delete all fixed disk device nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_delete_all_fixed_disk_dev',`
> +	gen_require(`
> +		attribute fixed_disk_device;
> +	')
> +
> +	allow $1 fixed_disk_device:blk_file delete_blk_file_perms;
> +	dev_remove_entry_generic_dirs($1)
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Allow the caller to delete fixed disk device nodes.
> @@ -227,6 +351,29 @@ interface(`storage_delete_fixed_disk_dev',`
>   	dev_remove_entry_generic_dirs($1)
>   ')
>   
> +########################################
> +## <summary>
> +##	Create, read, write, and delete fixed disk device nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_manage_all_fixed_disk',`
> +	gen_require(`
> +		attribute fixed_disk_raw_read, fixed_disk_raw_write;
> +		attribute fixed_disk_device;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 self:capability mknod;
> +	allow $1 fixed_disk_device:blk_file manage_blk_file_perms;
> +	allow $1 fixed_disk_device:chr_file manage_chr_file_perms;
> +	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Create, read, write, and delete fixed disk device nodes.
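Review bot: the summary for storage_manage_all_fixed_disk is copied verbatim from the per-type storage_manage_fixed_disk that follows it, so the two are indistinguishable in generated docs; say "all fixed disk device nodes", and since this interface also adds the caller to fixed_disk_raw_read and fixed_disk_raw_write, carry the raw-access warning that storage_raw_read_all_fixed_disk's summary has.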
> @@ -293,6 +440,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
>   	fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file)
>   ')
>   
> +########################################
> +## <summary>
> +##	Relabel all fixed disk device nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_relabel_all_fixed_disk',`
> +	gen_require(`
> +		attribute fixed_disk_device;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 fixed_disk_device:blk_file relabel_blk_file_perms;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Relabel fixed disk device nodes.
> @@ -388,6 +554,26 @@ interface(`storage_dontaudit_rw_fuse',`
>   	dontaudit $1 fuse_device_t:chr_file rw_file_perms;
>   ')
>   
> +########################################
> +## <summary>
> +##	Allow the caller to get the attributes of
> +##	all generic SCSI interface device nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_getattr_all_scsi_generic_dev',`
> +	gen_require(`
> +		attribute scsi_generic_device;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 scsi_generic_device:chr_file getattr;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Allow the caller to get the attributes of
> @@ -408,6 +594,26 @@ interface(`storage_getattr_scsi_generic_dev',`
>   	allow $1 scsi_generic_device_t:chr_file getattr;
>   ')
>   
> +########################################
> +## <summary>
> +##	Allow the caller to set the attributes of
> +##	all generic SCSI interface device nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_setattr_all_scsi_generic_dev',`
> +	gen_require(`
> +		attribute scsi_generic_device;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 scsi_generic_device:chr_file setattr;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Allow the caller to set the attributes of
> @@ -517,6 +723,26 @@ interface(`storage_dontaudit_rw_scsi_generic',`
>   	dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
>   ')
>   
> +########################################
> +## <summary>
> +##	Allow the caller to get the attributes of all removable
> +##	devices device nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_getattr_all_removable_dev',`
> +	gen_require(`
> +		attribute removable_device;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 removable_device:blk_file getattr;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Allow the caller to get the attributes of removable
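Review bot: the summary reads "all removable devices device nodes"; "all removable device nodes" is what is meant, and the same wording is repeated in storage_dontaudit_getattr_all_removable_dev and storage_setattr_all_removable_dev below.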
> @@ -556,6 +782,25 @@ interface(`storage_dontaudit_getattr_removable_dev',`
>   	dontaudit $1 removable_device_t:blk_file getattr;
>   ')
>   
> +########################################
> +## <summary>
> +##	Do not audit attempts made by the caller to get
> +##	the attributes of all removable devices device nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_dontaudit_getattr_all_removable_dev',`
> +	gen_require(`
> +		attribute removable_device;
> +	')
> +
> +	dontaudit $1 removable_device:blk_file getattr;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Do not audit attempts made by the caller to read
> @@ -595,6 +840,26 @@ interface(`storage_dontaudit_write_removable_device',`
>   	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
>   ')
>   
> +########################################
> +## <summary>
> +##	Allow the caller to set the attributes of all removable
> +##	devices device nodes.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_setattr_all_removable_dev',`
> +	gen_require(`
> +		attribute removable_device;
> +	')
> +
> +	dev_list_all_dev_nodes($1)
> +	allow $1 removable_device:blk_file setattr;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Allow the caller to set the attributes of removable
> @@ -796,6 +1061,61 @@ interface(`storage_setattr_tape_dev',`
>   	allow $1 tape_device_t:chr_file setattr;
>   ')
>   
> +########################################
> +## <summary>
> +##	Mark a type as a fixed disk device type.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Type to associate
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_fixed_disk_device_type',`
> +	gen_require(`
> +		attribute fixed_disk_device;
> +	')
> +
> +	typeattribute $1 fixed_disk_device;
> +')
> +
> +########################################
> +## <summary>
> +##	Mark a type as a removable device type.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Type to associate.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_removable_device_type',`
> +	gen_require(`
> +		attribute removable_device;
> +	')
> +
> +	typeattribute $1 removable_device;
> +')
> +
> +
> +########################################
> +## <summary>
> +##	Mark a type as a scsi generic device type.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Type to associate.
> +##	</summary>
> +## </param>
> +#
> +interface(`storage_scsi_generic_device_type',`
> +	gen_require(`
> +		attribute scsi_generic_device;
> +	')
> +
> +	typeattribute $1 scsi_generic_device;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Unconfined access to storage devices.
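Review bot: the three *_device_type interfaces take a type, not a domain, so their `<param name="domain">` tags should be `<param name="type">` (the summaries already say "Type to associate"); the first one also lacks the trailing period the other two have, and there is an extra blank line before the storage_scsi_generic_device_type block.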
> diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
> index c10290c0..cc59380d 100644
> --- a/policy/modules/kernel/storage.te
> +++ b/policy/modules/kernel/storage.te
> @@ -11,12 +11,17 @@ attribute scsi_generic_read;
>   attribute scsi_generic_write;
>   attribute storage_unconfined_type;
>   
> +attribute fixed_disk_device;
> +attribute removable_device;
> +attribute scsi_generic_device;
> +
>   #
>   # fixed_disk_device_t is the type of
>   # /dev/hd* and /dev/sd*.
>   #
>   type fixed_disk_device_t;
>   dev_node(fixed_disk_device_t)
> +storage_fixed_disk_device_type(fixed_disk_device_t)
>   
>   neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read;
>   neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
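Review bot: the two neverallow rules in the trailing context lines still name fixed_disk_device_t only, so a type attached to the new attribute by another module (the private_device_t in the commit message's denials) receives raw read/write through storage_raw_read_all_fixed_disk and storage_manage_all_fixed_disk with no neverallow guarding it. Retarget them to the attribute, e.g. `neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device:{ chr_file blk_file } read;`, so the assertion covers every fixed disk type.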
> @@ -33,6 +38,7 @@ dev_node(fuse_device_t)
>   #
>   type scsi_generic_device_t;
>   dev_node(scsi_generic_device_t)
> +storage_scsi_generic_device_type(scsi_generic_device_t)
>   
>   neverallow ~{ scsi_generic_read storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } read;
>   neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t:{ chr_file blk_file } { append write };
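Review bot: the two neverallow rules in the trailing context lines still target scsi_generic_device_t rather than the new scsi_generic_device attribute, so a private type marked with storage_scsi_generic_device_type sits outside the read/write assertion; retarget them to the attribute as well.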
> @@ -43,6 +49,7 @@ neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t
>   #
>   type removable_device_t;
>   dev_node(removable_device_t)
> +storage_removable_device_type(removable_device_t)
>   
>   #
>   # tape_device_t is the type of
> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
> index ba64c39d..0bb7177c 100644
> --- a/policy/modules/system/lvm.te
> +++ b/policy/modules/system/lvm.te
> @@ -300,7 +300,7 @@ storage_dontaudit_read_removable_device(lvm_t)
>   # cjp: needs to create an interface here for fixed disk create
>   storage_dev_filetrans_fixed_disk(lvm_t)
>   # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
> -storage_manage_fixed_disk(lvm_t)
> +storage_manage_all_fixed_disk(lvm_t)
>   
>   term_use_all_terms(lvm_t)
>   
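Review bot: switching lvm_t to storage_manage_all_fixed_disk gives it create/read/write/delete plus the raw read and raw write attributes on every type marked fixed_disk_device, including the private partition types the commit message wants confined to specific domains. That matches the cryptsetup-in-lvm_t denials shown, but the commit message should state that lvm_t is deliberately trusted with all of them, since it removes the isolation benefit for anything running as lvm_t.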
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 07529a5d..83f85a9d 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -472,10 +472,10 @@ fs_unmount_tmpfs(systemd_logind_t)
>   
>   selinux_get_enforce_mode(systemd_logind_t)
>   
> -storage_getattr_removable_dev(systemd_logind_t)
> -storage_getattr_scsi_generic_dev(systemd_logind_t)
> -storage_setattr_removable_dev(systemd_logind_t)
> -storage_setattr_scsi_generic_dev(systemd_logind_t)
> +storage_getattr_all_removable_dev(systemd_logind_t)
> +storage_getattr_all_scsi_generic_dev(systemd_logind_t)
> +storage_setattr_all_removable_dev(systemd_logind_t)
> +storage_setattr_all_scsi_generic_dev(systemd_logind_t)
>   
>   term_setattr_unallocated_ttys(systemd_logind_t)
>   term_use_unallocated_ttys(systemd_logind_t)
> 


-- 
Chris PeBenito


* Re: [PATCH v2] Setup attribute for fixed_disk_device and removable_device
  2019-03-14 22:06   ` Chris PeBenito
@ 2019-03-15  2:22     ` Sugar, David
  2019-03-17 20:14       ` Chris PeBenito
  0 siblings, 1 reply; 8+ messages in thread
From: Sugar, David @ 2019-03-15  2:22 UTC (permalink / raw)
  To: selinux-refpolicy



On 3/14/19 6:06 PM, Chris PeBenito wrote:
> On 3/13/19 2:18 PM, Sugar, David wrote:
>> I am having trouble with some denials due to the fact I am setting
>> up specific private types for media attached to my system.  This
>> changes to use an attribute for media and interfaces to add types
>> to the newly created attribute
> 
> What you implemented doesn't seem consistent with what you have in the 
> commit message.  sr0 is in your example denials, so these aren't all 
> fixed disk devices, so the interface names and the attribute names 
> should be related to all storage devices, it would seem.
> 
> 

No, they are not all fixed disk denials.  And maybe I should have split 
this into 2 (or 3) patches.  As I was making changes they all seemed 
related from my use case, but from your point of view I can see why they 
are probably different.  And I may not be explaining what I'm trying to 
accomplish clearly.

Basically I have two (or three) cases:
1) I want to provide distinct types for USB devices so that only certain 
domains are able to mount/umount/format/etc...  The attribute provides a 
way to grant access to things like lvm_t and kernel_t which still need 
to do stuff with the device nodes.  The USB devices /dev/sd* by default 
are labeled fixed_disk_device_t.

2) I want to provide distinct types for certain hard disk/LVM 
partitions.  This will provide a way to restrict access to certain 
domains to alter those hard disk partitions (i.e. mount and umount and 
cryptsetup (to change LUKS password)).  At the same time this restricts 
those domains that need this specific hard disk access to still not have 
access to other partitions labeled fixed_disk_device_t.  i.e. so if this 
domain is compromised, it can only alter the single partition it has 
access to, not others.

3) The last case may be overkill (maybe not) where I am labeling /dev/sr0 
and /dev/sg1 with a separate type to better control access to write to 
the generic scsi device node to only the process who is writing optical 
media.  Again this provides a way to restrict access to the other 
/dev/sg* devices this process should not be accessing.  /dev/sr0 is 
removable_device_t by default but I also have some USB devices that 
present as cdrom devices get /dev/sr1 as the device node and by default 
are also labeled removable_device_t.

I am able to use specific udev rules to correctly set up the SELinux 
labels for these specific hard disk partitions, USB devices and optical 
drive.

I am also open to other recommendations for a better way to solve these 
denials without giving domains that only need to access a single device 
or partition access to all devices.

While I wait for any thoughts I will split this into three separate 
patches and try to get better examples of the kinds of denials I'm 
seeing for each.

>> Updates based on feedback to create 'all' interfaces rather than
>> updating existing interfaces.
>>
>> I'm trying to resolve issues with denials like the following:
>> type=AVC msg=audit(1551461957.121:9050): avc:  denied  { open } for  
>> pid=30877 comm="cryptsetup" path="/dev/sdb" dev="devtmpfs" ino=110450 
>> scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 
>> tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file 
>> permissive=1
>> type=AVC msg=audit(1551461957.121:9051): avc:  denied  { ioctl } for  
>> pid=30877 comm="cryptsetup" path="/dev/sdb" dev="devtmpfs" ino=110450 
>> ioctlcmd=1268 scontext=system_u:system_r:lvm_t:s0-s0:c0.c1023 
>> tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file 
>> permissive=1
>> type=AVC msg=audit(1551461973.149:9101): avc:  denied  { getattr } 
>> for  pid=28 comm="kdevtmpfs" path="/sdb1" dev="devtmpfs" ino=110461 
>> scontext=system_u:system_r:kernel_t:s0 
>> tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file 
>> permissive=1
>> type=AVC msg=audit(1551461973.149:9102): avc:  denied  { setattr } 
>> for  pid=28 comm="kdevtmpfs" name="sdb1" dev="devtmpfs" ino=110461 
>> scontext=system_u:system_r:kernel_t:s0 
>> tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file 
>> permissive=1
>> type=AVC msg=audit(1551461973.149:9103): avc:  denied  { unlink } for  
>> pid=28 comm="kdevtmpfs" name="sdb1" dev="devtmpfs" ino=110461 
>> scontext=system_u:system_r:kernel_t:s0 
>> tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file 
>> permissive=1
>>
>> type=AVC msg=audit(1552228893.128:472): avc:  denied  { getattr } for  
>> pid=8141 comm="systemd-logind" name="sg1" dev="devtmpfs" ino=31873 
>> scontext=system_u:system_r:systemd_logind_t:s0 
>> tcontext=system_u:object_r:private_device_t:s0 tclass=chr_file 
>> permissive=1
>> type=AVC msg=audit(1552228893.128:473): avc:  denied  { setattr } for  
>> pid=8141 comm="systemd-logind" name="sg1" dev="devtmpfs" ino=31873 
>> scontext=system_u:system_r:systemd_logind_t:s0 
>> tcontext=system_u:object_r:private_device_t:s0 tclass=chr_file 
>> permissive=1
>> type=AVC msg=audit(1552228893.128:474): avc:  denied  { getattr } for  
>> pid=8141 comm="systemd-logind" name="sr0" dev="devtmpfs" ino=14570 
>> scontext=system_u:system_r:systemd_logind_t:s0 
>> tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file 
>> permissive=1
>> type=AVC msg=audit(1552228893.128:475): avc:  denied  { setattr } for  
>> pid=8141 comm="systemd-logind" name="sr0" dev="devtmpfs" ino=14570 
>> scontext=system_u:system_r:systemd_logind_t:s0 
>> tcontext=system_u:object_r:private_device_t:s0 tclass=blk_file 
>> permissive=1
>>
>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>>   policy/modules/kernel/kernel.te  |   7 +-
>>   policy/modules/kernel/storage.if | 320 +++++++++++++++++++++++++++++++
>>   policy/modules/kernel/storage.te |   7 +
>>   policy/modules/system/lvm.te     |   2 +-
>>   policy/modules/system/systemd.te |   8 +-
>>   5 files changed, 336 insertions(+), 8 deletions(-)
>>
>> diff --git a/policy/modules/kernel/kernel.te 
>> b/policy/modules/kernel/kernel.te
>> index e971c533..acc8a88c 100644
>> --- a/policy/modules/kernel/kernel.te
>> +++ b/policy/modules/kernel/kernel.te
>> @@ -352,9 +352,10 @@ ifdef(`init_systemd',`
>>       optional_policy(`
>>           storage_dev_filetrans_fixed_disk(kernel_t)
>> -        storage_setattr_fixed_disk_dev(kernel_t)
>> -        storage_create_fixed_disk_dev(kernel_t)
>> -        storage_delete_fixed_disk_dev(kernel_t)
>> +        storage_getattr_all_scsi_generic_dev(kernel_t)
>> +        storage_setattr_all_fixed_disk_dev(kernel_t)
>> +        storage_create_all_fixed_disk_dev(kernel_t)
>> +        storage_delete_all_fixed_disk_dev(kernel_t)
>>       ')
>>   ')
>> diff --git a/policy/modules/kernel/storage.if 
>> b/policy/modules/kernel/storage.if
>> index 0292eee4..93208835 100644
>> --- a/policy/modules/kernel/storage.if
>> +++ b/policy/modules/kernel/storage.if
>> @@ -1,5 +1,25 @@
>>   ## <summary>Policy controlling access to storage devices</summary>
>> +########################################
>> +## <summary>
>> +##    Allow the caller to get the attributes of
>> +##    all fixed disk device nodes.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_getattr_all_fixed_disk_dev',`
>> +    gen_require(`
>> +        attribute fixed_disk_device;
>> +    ')
>> +
>> +    dev_list_all_dev_nodes($1)
>> +    allow $1 fixed_disk_device:blk_file getattr;
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Allow the caller to get the attributes of fixed disk
>> @@ -20,6 +40,26 @@ interface(`storage_getattr_fixed_disk_dev',`
>>       allow $1 fixed_disk_device_t:blk_file getattr;
>>   ')
>> +########################################
>> +## <summary>
>> +##    Do not audit attempts made by the caller to get
>> +##    the attributes of all fixed disk device nodes.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain to not audit.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_dontaudit_all_getattr_fixed_disk_dev',`
>> +    gen_require(`
>> +        attribute fixed_disk_device;
>> +    ')
>> +
>> +    dontaudit $1 fixed_disk_device:blk_file getattr;
>> +    dontaudit $1 fixed_disk_device:chr_file getattr; # /dev/rawctl
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Do not audit attempts made by the caller to get
>> @@ -40,6 +80,26 @@ interface(`storage_dontaudit_getattr_fixed_disk_dev',`
>>       dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl
>>   ')
>> +########################################
>> +## <summary>
>> +##    Allow the caller to set the attributes of all
>> +##    fixed disk device nodes.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_setattr_all_fixed_disk_dev',`
>> +    gen_require(`
>> +        attribute fixed_disk_device;
>> +    ')
>> +
>> +    dev_list_all_dev_nodes($1)
>> +    allow $1 fixed_disk_device:blk_file setattr;
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Allow the caller to set the attributes of fixed disk
>> @@ -79,6 +139,31 @@ 
>> interface(`storage_dontaudit_setattr_fixed_disk_dev',`
>>       dontaudit $1 fixed_disk_device_t:blk_file setattr;
>>   ')
>> +########################################
>> +## <summary>
>> +##    Allow the caller to directly read from all fixed disks.
>> +##    This is extremely dangerous as it can bypass the
>> +##    SELinux protections for filesystem objects, and
>> +##    should only be used by trusted domains.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_raw_read_all_fixed_disk',`
>> +    gen_require(`
>> +        attribute fixed_disk_raw_read;
>> +        attribute fixed_disk_device;
>> +    ')
>> +
>> +    dev_list_all_dev_nodes($1)
>> +    allow $1 fixed_disk_device:blk_file read_blk_file_perms;
>> +    allow $1 fixed_disk_device:chr_file read_chr_file_perms;
>> +    typeattribute $1 fixed_disk_raw_read;
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Allow the caller to directly read from a fixed disk.
>> @@ -188,6 +273,26 @@ interface(`storage_raw_rw_fixed_disk',`
>>       storage_raw_write_fixed_disk($1)
>>   ')
>> +########################################
>> +## <summary>
>> +##    Allow the caller to create all fixed disk device nodes.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_create_all_fixed_disk_dev',`
>> +    gen_require(`
>> +        attribute fixed_disk_device;
>> +    ')
>> +
>> +    allow $1 self:capability mknod;
>> +    allow $1 fixed_disk_device:blk_file create_blk_file_perms;
>> +    dev_add_entry_generic_dirs($1)
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Allow the caller to create fixed disk device nodes.
>> @@ -208,6 +313,25 @@ interface(`storage_create_fixed_disk_dev',`
>>       dev_add_entry_generic_dirs($1)
>>   ')
>> +########################################
>> +## <summary>
>> +##    Allow the caller to delete all fixed disk device nodes.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_delete_all_fixed_disk_dev',`
>> +    gen_require(`
>> +        attribute fixed_disk_device;
>> +    ')
>> +
>> +    allow $1 fixed_disk_device:blk_file delete_blk_file_perms;
>> +    dev_remove_entry_generic_dirs($1)
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Allow the caller to delete fixed disk device nodes.
>> @@ -227,6 +351,29 @@ interface(`storage_delete_fixed_disk_dev',`
>>       dev_remove_entry_generic_dirs($1)
>>   ')
>> +########################################
>> +## <summary>
>> +##    Create, read, write, and delete fixed disk device nodes.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_manage_all_fixed_disk',`
>> +    gen_require(`
>> +        attribute fixed_disk_raw_read, fixed_disk_raw_write;
>> +        attribute fixed_disk_device;
>> +    ')
>> +
>> +    dev_list_all_dev_nodes($1)
>> +    allow $1 self:capability mknod;
>> +    allow $1 fixed_disk_device:blk_file manage_blk_file_perms;
>> +    allow $1 fixed_disk_device:chr_file manage_chr_file_perms;
>> +    typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Create, read, write, and delete fixed disk device nodes.
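Review bot: the `<summary>` of storage_manage_all_fixed_disk reads "Create, read, write, and delete fixed disk device nodes.", word for word the same as storage_manage_fixed_disk immediately below it; since this variant grants manage access on every type carrying the fixed_disk_device attribute, say "all fixed disk device nodes" so the two are distinguishable in the generated interface documentation, as the other `_all_` interfaces in this patch already do.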
>> @@ -293,6 +440,25 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
>>       fs_tmpfs_filetrans($1, fixed_disk_device_t, blk_file)
>>   ')
>> +########################################
>> +## <summary>
>> +##    Relabel all fixed disk device nodes.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_relabel_all_fixed_disk',`
>> +    gen_require(`
>> +        attribute fixed_disk_device;
>> +    ')
>> +
>> +    dev_list_all_dev_nodes($1)
>> +    allow $1 fixed_disk_device:blk_file relabel_blk_file_perms;
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Relabel fixed disk device nodes.
>> @@ -388,6 +554,26 @@ interface(`storage_dontaudit_rw_fuse',`
>>       dontaudit $1 fuse_device_t:chr_file rw_file_perms;
>>   ')
>> +########################################
>> +## <summary>
>> +##    Allow the caller to get the attributes of
>> +##    all generic SCSI interface device nodes.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_getattr_all_scsi_generic_dev',`
>> +    gen_require(`
>> +        attribute scsi_generic_device;
>> +    ')
>> +
>> +    dev_list_all_dev_nodes($1)
>> +    allow $1 scsi_generic_device:chr_file getattr;
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Allow the caller to get the attributes of
>> @@ -408,6 +594,26 @@ interface(`storage_getattr_scsi_generic_dev',`
>>       allow $1 scsi_generic_device_t:chr_file getattr;
>>   ')
>> +########################################
>> +## <summary>
>> +##    Allow the caller to set the attributes of
>> +##    all generic SCSI interface device nodes.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_setattr_all_scsi_generic_dev',`
>> +    gen_require(`
>> +        attribute scsi_generic_device;
>> +    ')
>> +
>> +    dev_list_all_dev_nodes($1)
>> +    allow $1 scsi_generic_device:chr_file setattr;
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Allow the caller to set the attributes of
>> @@ -517,6 +723,26 @@ interface(`storage_dontaudit_rw_scsi_generic',`
>>       dontaudit $1 scsi_generic_device_t:chr_file rw_file_perms;
>>   ')
>> +########################################
>> +## <summary>
>> +##    Allow the caller to get the attributes of all removable
>> +##    devices device nodes.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_getattr_all_removable_dev',`
>> +    gen_require(`
>> +        attribute removable_device;
>> +    ')
>> +
>> +    dev_list_all_dev_nodes($1)
>> +    allow $1 removable_device:blk_file getattr;
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Allow the caller to get the attributes of removable
>> @@ -556,6 +782,25 @@ 
>> interface(`storage_dontaudit_getattr_removable_dev',`
>>       dontaudit $1 removable_device_t:blk_file getattr;
>>   ')
>> +########################################
>> +## <summary>
>> +##    Do not audit attempts made by the caller to get
>> +##    the attributes of all removable devices device nodes.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain to not audit.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_dontaudit_getattr_all_removable_dev',`
>> +    gen_require(`
>> +        attribute removable_device;
>> +    ')
>> +
>> +    dontaudit $1 removable_device:blk_file getattr;
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Do not audit attempts made by the caller to read
>> @@ -595,6 +840,26 @@ 
>> interface(`storage_dontaudit_write_removable_device',`
>>       dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
>>   ')
>> +########################################
>> +## <summary>
>> +##    Allow the caller to set the attributes of all removable
>> +##    devices device nodes.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_setattr_all_removable_dev',`
>> +    gen_require(`
>> +        attribute removable_device;
>> +    ')
>> +
>> +    dev_list_all_dev_nodes($1)
>> +    allow $1 removable_device:blk_file setattr;
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Allow the caller to set the attributes of removable
>> @@ -796,6 +1061,61 @@ interface(`storage_setattr_tape_dev',`
>>       allow $1 tape_device_t:chr_file setattr;
>>   ')
>> +########################################
>> +## <summary>
>> +##    Mark a type as a fixed disk device type.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Type to associate
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_fixed_disk_device_type',`
>> +    gen_require(`
>> +        attribute fixed_disk_device;
>> +    ')
>> +
>> +    typeattribute $1 fixed_disk_device;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##    Mark a type as a removable device type.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Type to associate.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_removable_device_type',`
>> +    gen_require(`
>> +        attribute removable_device;
>> +    ')
>> +
>> +    typeattribute $1 removable_device;
>> +')
>> +
>> +
>> +########################################
>> +## <summary>
>> +##    Mark a type as a scsi generic device type.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Type to associate.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`storage_scsi_generic_device_type',`
>> +    gen_require(`
>> +        attribute scsi_generic_device;
>> +    ')
>> +
>> +    typeattribute $1 scsi_generic_device;
>> +')
>> +
>>   ########################################
>>   ## <summary>
>>   ##    Unconfined access to storage devices.
>> diff --git a/policy/modules/kernel/storage.te 
>> b/policy/modules/kernel/storage.te
>> index c10290c0..cc59380d 100644
>> --- a/policy/modules/kernel/storage.te
>> +++ b/policy/modules/kernel/storage.te
>> @@ -11,12 +11,17 @@ attribute scsi_generic_read;
>>   attribute scsi_generic_write;
>>   attribute storage_unconfined_type;
>> +attribute fixed_disk_device;
>> +attribute removable_device;
>> +attribute scsi_generic_device;
>> +
>>   #
>>   # fixed_disk_device_t is the type of
>>   # /dev/hd* and /dev/sd*.
>>   #
>>   type fixed_disk_device_t;
>>   dev_node(fixed_disk_device_t)
>> +storage_fixed_disk_device_type(fixed_disk_device_t)
>>   neverallow ~{ fixed_disk_raw_read storage_unconfined_type } 
>> fixed_disk_device_t:{ chr_file blk_file } read;
>>   neverallow ~{ fixed_disk_raw_write storage_unconfined_type } 
>> fixed_disk_device_t:{ chr_file blk_file } { append write };
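Review bot: the two neverallow rules in this hunk still name fixed_disk_device_t as the target, so a type that is only marked with the new attribute through storage_fixed_disk_device_type() is not covered by the raw read/write restriction that fixed_disk_device_t has; since the new storage_raw_*_all_fixed_disk interfaces already add the caller to fixed_disk_raw_read / fixed_disk_raw_write, the targets can become `fixed_disk_device:{ chr_file blk_file }` without breaking the existing callers. The same applies to the scsi_generic_device neverallows in the next hunk.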
>> @@ -33,6 +38,7 @@ dev_node(fuse_device_t)
>>   #
>>   type scsi_generic_device_t;
>>   dev_node(scsi_generic_device_t)
>> +storage_scsi_generic_device_type(scsi_generic_device_t)
>>   neverallow ~{ scsi_generic_read storage_unconfined_type } 
>> scsi_generic_device_t:{ chr_file blk_file } read;
>>   neverallow ~{ scsi_generic_write storage_unconfined_type } 
>> scsi_generic_device_t:{ chr_file blk_file } { append write };
>> @@ -43,6 +49,7 @@ neverallow ~{ scsi_generic_write 
>> storage_unconfined_type } scsi_generic_device_t
>>   #
>>   type removable_device_t;
>>   dev_node(removable_device_t)
>> +storage_removable_device_type(removable_device_t)
>>   #
>>   # tape_device_t is the type of
>> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
>> index ba64c39d..0bb7177c 100644
>> --- a/policy/modules/system/lvm.te
>> +++ b/policy/modules/system/lvm.te
>> @@ -300,7 +300,7 @@ storage_dontaudit_read_removable_device(lvm_t)
>>   # cjp: needs to create an interface here for fixed disk create
>>   storage_dev_filetrans_fixed_disk(lvm_t)
>>   # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
>> -storage_manage_fixed_disk(lvm_t)
>> +storage_manage_all_fixed_disk(lvm_t)
>>   term_use_all_terms(lvm_t)
>> diff --git a/policy/modules/system/systemd.te 
>> b/policy/modules/system/systemd.te
>> index 07529a5d..83f85a9d 100644
>> --- a/policy/modules/system/systemd.te
>> +++ b/policy/modules/system/systemd.te
>> @@ -472,10 +472,10 @@ fs_unmount_tmpfs(systemd_logind_t)
>>   selinux_get_enforce_mode(systemd_logind_t)
>> -storage_getattr_removable_dev(systemd_logind_t)
>> -storage_getattr_scsi_generic_dev(systemd_logind_t)
>> -storage_setattr_removable_dev(systemd_logind_t)
>> -storage_setattr_scsi_generic_dev(systemd_logind_t)
>> +storage_getattr_all_removable_dev(systemd_logind_t)
>> +storage_getattr_all_scsi_generic_dev(systemd_logind_t)
>> +storage_setattr_all_removable_dev(systemd_logind_t)
>> +storage_setattr_all_scsi_generic_dev(systemd_logind_t)
>>   term_setattr_unallocated_ttys(systemd_logind_t)
>>   term_use_unallocated_ttys(systemd_logind_t)
>>
> 
> 


* [PATCH v4] Separate out udevadm into a new domain
From: Sugar, David @ 2019-03-15  2:27 UTC (permalink / raw)
  To: selinux-refpolicy

This is the update I have made based on suggestions for the previous
patches to add a udev_run interface.  This adds the new domain udevadm_t
which is entered from /usr/bin/udevadm.  

It seems to meet the needs that I have, but there are some things to 
note that are probably important.
1) There are a few systemd services that use udevadm during startup.
   I have granted the permissions that I need based on denials I was
   seeing during startup (the machine would fail to start without the
   permissions).
2) In the udev.fc file there are other binaries that I don't have on a
   RHEL7 box that maybe should also be labeled udevadm_exec_t.
   e.g. /usr/bin/udevinfo and /usr/bin/udevsend
   But as I don't have those binaries to test, I have not updated the
   type of those binaries.
3) There are some places that call udev_domtrans that maybe should now
   be using udevadm_domtrans - rpm.te, hal.te, hotplug.te.  Again, 
   these are not things that I am using in my current situation and am
   unable to test the interactions to know if the change is correct.

Other than that, I think this was a good suggestion to split udevadm
into a different domain.

Only change for v4 is to use stream_connect_pattern as suggested.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/roles/sysadm.te |  4 +++
 policy/modules/system/udev.fc  |  4 +--
 policy/modules/system/udev.if  | 62 ++++++++++++++++++++++++++++++++++
 policy/modules/system/udev.te  | 40 +++++++++++++++++++++-
 4 files changed, 107 insertions(+), 3 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 043e54bf..2cc60643 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1140,6 +1140,10 @@ optional_policy(`
 	tzdata_domtrans(sysadm_t)
 ')
 
+optional_policy(`
+	udevadm_run(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	ulogd_admin(sysadm_t, sysadm_r)
 ')
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 009d821a..606ad517 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -10,7 +10,7 @@
 /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
 /usr/bin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
 /usr/bin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevinfo	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
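Review bot: /usr/bin/udevinfo and /usr/bin/udevsend two lines below keep udev_exec_t while /usr/bin/udevadm moves to udevadm_exec_t; the cover letter says they were left alone only because they could not be tested, so record that in a short comment next to these entries (or in the commit message proper) so the split labeling does not look accidental to the next person editing udev.fc.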
@@ -22,7 +22,7 @@ ifdef(`distro_debian',`
 ')
 
 /usr/sbin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/sbin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
 /usr/sbin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevstart	--	gen_context(system_u:object_r:udev_exec_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index fee55852..3028d6b8 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -447,3 +447,65 @@ interface(`udev_generic_pid_filetrans_run_dirs',`
 
 	files_pid_filetrans($1, udev_var_run_t, dir, $2)
 ')
+
+########################################
+## <summary>
+##	Execute udev admin in the udevadm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`udevadm_domtrans',`
+	gen_require(`
+		type udevadm_t, udevadm_exec_t;
+	')
+
+	domtrans_pattern($1, udevadm_exec_t, udevadm_t)
+')
+
+########################################
+## <summary>
+##	Execute udevadm in the udevadm domain, and
+##	allow the specified role the udevadm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`udevadm_run',`
+	gen_require(`
+		attribute_role udevadm_roles;
+	')
+
+	udevadm_domtrans($1)
+	roleattribute $2 udevadm_roles;
+')
+
+########################################
+## <summary>
+##	Execute udevadm in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udevadm_exec',`
+	gen_require(`
+		type udevadm_exec_t;
+	')
+
+	can_exec($1, udevadm_exec_t)
+')
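Review bot: the summary of udevadm_domtrans says "Execute udev admin in the udevadm domain" while the other two new summaries use the program name "udevadm"; use it consistently. Also, the three new interfaces use a udevadm_ prefix in a file whose other interfaces use udev_ (compare udev_generic_pid_filetrans_run_dirs in the hunk header); if that is deliberate because udevadm_t is its own domain, a one-line comment above udevadm_domtrans saying so would help readers searching udev.if.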
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 9d5cf3b2..1e2c6cea 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -4,6 +4,7 @@ policy_module(udev, 1.25.1)
 #
 # Declarations
 #
+attribute_role udevadm_roles;
 
 type udev_t;
 type udev_exec_t;
@@ -15,6 +16,12 @@ domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
 init_named_socket_activation(udev_t, udev_var_run_t)
 
+type udevadm_t;
+type udevadm_exec_t;
+init_system_domain(udevadm_t, udevadm_exec_t)
+application_domain(udevadm_t, udevadm_exec_t)
+role udevadm_roles types udevadm_t;
+
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
 
@@ -35,7 +42,7 @@ ifdef(`enable_mcs',`
 
 ########################################
 #
-# Local policy
+# udev Local policy
 #
 
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
@@ -374,3 +381,34 @@ optional_policy(`
 optional_policy(`
 	xserver_read_xdm_pid(udev_t)
 ')
+
+
+########################################
+#
+# udevadm Local policy
+#
+
+allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow udevadm_t self:unix_stream_socket create_socket_perms;
+
+delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t)
+
+dev_rw_sysfs(udevadm_t)
+dev_read_urand(udevadm_t)
+
+files_read_etc_files(udevadm_t)
+files_read_usr_files(udevadm_t)
+
+init_list_pids(udevadm_t)
+init_read_state(udevadm_t)
+
+kernel_read_system_state(udevadm_t)
+
+libs_use_ld_so(udevadm_t)
+
+seutil_read_file_contexts(udevadm_t)
+
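Review bot: the delete_dirs_pattern / delete_files_pattern / delete_lnk_files_pattern rules on udev_var_run_t are not explained anywhere in the hunk; the socket access is covered by stream_connect_pattern, so add a comment naming the udevadm operation that has to remove entries under /run/udev (if it is `udevadm info --cleanup-db`, say so). Note also that no read permission on udev_var_run_t files is granted, so if `udevadm info` querying the udev database under /run/udev is expected on these systems it will still be denied. Minor: the two blank lines before the "# udevadm Local policy" banner should be one, matching the "# udev Local policy" section above.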
-- 
2.20.1
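Point 1 of the cover letter describes deriving the udevadm_t rules from AVC denials observed at boot. The script below is an added illustration of that workflow, not code from the patch or from refpolicy: it parses audit records in the shape auditd writes AVC denials (the sample lines are constructed for this example, they are not denials from the thread) and folds the denied permissions into candidate allow rules, one per source type, target type and object class. All function and variable names are my own.

```python
"""Group SELinux AVC denials into candidate allow rules (added illustration)."""
import re
from collections import defaultdict

# Constructed sample audit log, modelled on auditd's AVC record format.
# The values (pids, inodes, timestamps) are made up for this example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1552500000.123:101): avc:  denied  { read } for  pid=812 comm="udevadm" name="sda" dev="devtmpfs" ino=1234 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1552500000.124:102): avc:  denied  { write } for  pid=812 comm="udevadm" name="sda" dev="devtmpfs" ino=1234 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1552500000.200:103): avc:  denied  { connectto } for  pid=813 comm="udevadm" path="/run/udev/control" scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udev_t:s0 tclass=unix_stream_socket permissive=0
type=SYSCALL msg=audit(1552500000.200:103): arch=c000003e syscall=42 success=no exit=-13
"""

# One AVC record: the denied permission set, then the source and target
# security contexts and the object class.  Non-AVC records do not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context.

    Indexing by position keeps MLS ranges such as s0-s0:c0.c1023 (which
    contain further colons) from being mistaken for part of the type.
    """
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Extract (source type, target type, class, permissions) per AVC record."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types are skipped
        denials.append({
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def aggregate(denials):
    """Merge permissions that share (source, target, class) into one rule key."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(merged)


def to_allow_rules(merged):
    """Render merged denials as raw allow rules, sorted for stable output."""
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in to_allow_rules(aggregate(parse_denials(SAMPLE_AUDIT_LOG))):
        print(rule)
```

The generated rules are a starting point, not something to paste into a module. In refpolicy the raw `allow` lines are replaced by the owning module's interfaces, which is what the v4 patch does: the connectto denial on udev_t's unix_stream_socket becomes stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t). A raw allow on fixed_disk_device_t would also fail to build against the neverallow rules from storage.te quoted earlier in the thread, so that kind of access has to go through storage_raw_rw_fixed_disk() and its relatives, which add the caller to the fixed_disk_raw_read and fixed_disk_raw_write attributes the neverallow exempts.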



* Re: [PATCH v2] Setup attribute for fixed_disk_device and removable_device
From: Chris PeBenito @ 2019-03-17 20:14 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 3/14/19 10:22 PM, Sugar, David wrote:
> 
> 
> On 3/14/19 6:06 PM, Chris PeBenito wrote:
>> On 3/13/19 2:18 PM, Sugar, David wrote:
>>> I am having trouble with some denials due to the fact I am setting
>>> up specific private types for media attached to my system.  This
>>> changes to use an attribute for media and interfaces to add types
>>> to the newly created attribute
>>
>> What you implemented doesn't seem consistent with what you have in the
>> commit message.  sr0 is in your example denials, so these aren't all
>> fixed disk devices, so the interface names and the attribute names
>> should be related to all storage devices, it would seem.
>>
>>
> 
> No, they are not all fixed disk denials.  And maybe I should have split
> this into 2 (or 3) patches.  As I was making changes they all seemed
> related from my use case, but from your point of view I can see why they
> are probably different.  And I may not be explaining what I'm trying to
> accomplish clearly.
> 
> Basically I have two (or three) cases:
> 1) I want to provide distinct types for USB devices so that only certain
> domains are able to mount/umount/format/etc...  The attribute provides a
> way to grant access to things like lvm_t and kernel_t which still need
> to do stuff with the device nodes.  The USB devices /dev/sd* by default
> are labeled fixed_disk_device_t.
> 
> 2) I want to provide distinct types for certain hard disk/LVM
> partitions.  This will provide a way to restrict access to certain
> domains to alter those hard disk partitions (i.e. mount and umount and
> cryptsetup (to change LUKS password)).  At the same time this restricts
> those domains that need this specific hard disk access to still not have
> access to other partitions labeled fixed_disk_device_t.  i.e. so if this
> domain is compromised, it can only alter the single partition it has
> access to, not others.
> 
> 3) The last case may be overkill (maybe not) where I am labeling /dev/sr0
> and /dev/sg1 with a separate type to better control access to write to
> the generic scsi device node to only the process that is writing optical
> media.  Again this provides a way to restrict access to the other
> /dev/sg* devices this process should not be accessing.  /dev/sr0 is
> removable_device_t by default but I also have some USB devices that
> present as cdrom devices get /dev/sr1 as the device node and by default
> are also labeled removable_device_t.
> 
> I am able to use specific udev rules to correctly setup the SELinux
> labels for these specific hard disk partitions, USB devices and optical
> drive.
> 
> I am also open to other recommendations for a better way to solve these
> denials without giving domains that only need to access a single device
> or partition access to all devices.

These do not seem upstreamable.  They sound very system-specific.


-- 
Chris PeBenito


* Re: [PATCH v4] Separate out udevadm into a new domain
From: Chris PeBenito @ 2019-03-17 20:15 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 3/14/19 10:27 PM, Sugar, David wrote:
> This is the update I have made based on suggestions for the previous
> patches to add a udev_run interface.  This adds the new domain udevadm_t
> which is entered from /usr/bin/udevadm.
> 
> It seems to meet the needs that I have, but there are some things to
> note that are probably important.
> 1) There are a few systemd services that use udevadm during startup.
>     I have granted the permissions that I need based on denials I was
>     seeing during startup (the machine would fail to start without the
>     permissions).
> 2) In the udev.fc file there are other binaries that I don't have on a
>     RHEL7 box that maybe should also be labeled udevadm_exec_t.
>     e.g. /usr/bin/udevinfo and /usr/bin/udevsend
>     But as I don't have those binaries to test, I have not updated the
>     type of those binaries.
> 3) There are some places that call udev_domtrans that maybe should now
>     be using udevadm_domtrans - rpm.te, hal.te, hotplug.te.  Again,
>     these are not things that I am using in my current situation and am
>     unable to test the interactions to know if the change is correct.
> 
> Other than that, I think this was a good suggestion to split udevadm
> into a different domain.
> 
> Only change for v4 is to use stream_connect_pattern as suggested.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>

Merged.

-- 
Chris PeBenito
