2019-09-09 15:17:51

by Laurent Bigonville

[permalink] [raw]
Subject: [PATCH 2/2] Allow udevadm_t to use dac_read_search capability

From: Laurent Bigonville <[email protected]>

udevadm trigger tries to read files under /sys/module/ that might not be
readable by root, for example:

--w------- 1 root root 4096 sep 5 17:06 /sys/module/snd_hda_codec_generic/uevent

We choose to allow it here because, according to Grift,
"the cap_dac_read_search could maybe be dontaudited, but then
cap_dac_override would have to be dontaudited as well.
cap_dac_read_search would also be triggered when you run `sudo udevadm
...` where pwd or/and oldpwd is ~"

type=PROCTITLE msg=audit(29/08/19 15:37:14.505:417) : proctitle=/bin/udevadm trigger --type=subsystems --action=add
type=PATH msg=audit(29/08/19 15:37:14.505:417) : item=0 name=/sys/module/snd_hda_codec_generic/uevent inode=17769 dev=00:13 mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(29/08/19 15:37:14.505:417) : cwd=/
type=SYSCALL msg=audit(29/08/19 15:37:14.505:417) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission non accordée) a0=0xffffff9c a1=0x7fff23710260 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=481 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udevadm exe=/usr/bin/udevadm subj=system_u:system_r:udevadm_t:s0 key=(null)
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc: denied { dac_override } for pid=481 comm=udevadm capability=dac_override scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc: denied { dac_read_search } for pid=481 comm=udevadm capability=dac_read_search scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0

Signed-off-by: Laurent Bigonville <[email protected]>
---
policy/modules/system/udev.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 399e9157..ae56a764 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -385,6 +385,7 @@ optional_policy(`
# udevadm Local policy
#

+allow udevadm_t self:capability dac_read_search;
allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
allow udevadm_t self:unix_stream_socket create_socket_perms;

--
2.23.0