Altered to use roleattribute based on suggestion
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/udev.if | 26 ++++++++++++++++++++++++++
policy/modules/system/udev.te | 2 ++
2 files changed, 28 insertions(+)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index fee55852..90dfb17d 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -36,6 +36,32 @@ interface(`udev_domtrans',`
domtrans_pattern($1, udev_exec_t, udev_t)
')
+########################################
+## <summary>
+## Execute udev in the udev domain, and
+## allow the specified role the udev domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`udev_run',`
+ gen_require(`
+ attribute_role udev_roles;
+ ')
+
+ udev_domtrans($1)
+ roleattribute $2 udev_roles;
+')
+
########################################
## <summary>
## Allow udev to execute the specified program in
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 3cbf7eff..88bff272 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -4,6 +4,7 @@ policy_module(udev, 1.25.0)
#
# Declarations
#
+attribute_role udev_roles;
type udev_t;
type udev_exec_t;
@@ -14,6 +15,7 @@ domain_entry_file(udev_t, udev_helper_exec_t)
domain_interactive_fd(udev_t)
init_daemon_domain(udev_t, udev_exec_t)
init_named_socket_activation(udev_t, udev_var_run_t)
+role udev_roles types udev_t;
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
--
2.20.1
I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
This updates the existing interface to include allowing
to map the file.
type=AVC msg=audit(1551886176.948:642): avc: denied { map } for pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/systemd.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8d2bb8da..03d83dc7 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -34,7 +34,7 @@ interface(`systemd_read_hwdb',`
type systemd_hwdb_t;
')
- read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
+ mmap_read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
')
######################################
--
2.20.1
On 3/6/19 2:07 PM, Sugar, David wrote:
> Altered to use roleattribute based on suggestion
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/udev.if | 26 ++++++++++++++++++++++++++
> policy/modules/system/udev.te | 2 ++
> 2 files changed, 28 insertions(+)
>
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index fee55852..90dfb17d 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -36,6 +36,32 @@ interface(`udev_domtrans',`
> domtrans_pattern($1, udev_exec_t, udev_t)
> ')
>
> +########################################
> +## <summary>
> +## Execute udev in the udev domain, and
> +## allow the specified role the udev domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`udev_run',`
> + gen_require(`
> + attribute_role udev_roles;
> + ')
> +
> + udev_domtrans($1)
> + roleattribute $2 udev_roles;
> +')
Why is a user be starting this?
--
Chris PeBenito
On 3/6/19 2:07 PM, Sugar, David wrote:
> I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
> This updates the existing interface to include allowing
> to map the file.
>
> type=AVC msg=audit(1551886176.948:642): avc: denied { map } for pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/systemd.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 8d2bb8da..03d83dc7 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -34,7 +34,7 @@ interface(`systemd_read_hwdb',`
> type systemd_hwdb_t;
> ')
>
> - read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
> + mmap_read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
> ')
>
> ######################################
This should be a new interface.
--
Chris PeBenito
On 3/7/19 6:55 PM, Chris PeBenito wrote:
> On 3/6/19 2:07 PM, Sugar, David wrote:
>> Altered to use roleattribute based on suggestion
>>
>> Signed-off-by: Dave Sugar <[email protected]>
>> ---
>> policy/modules/system/udev.if | 26 ++++++++++++++++++++++++++
>> policy/modules/system/udev.te | 2 ++
>> 2 files changed, 28 insertions(+)
>>
>> diff --git a/policy/modules/system/udev.if
>> b/policy/modules/system/udev.if
>> index fee55852..90dfb17d 100644
>> --- a/policy/modules/system/udev.if
>> +++ b/policy/modules/system/udev.if
>> @@ -36,6 +36,32 @@ interface(`udev_domtrans',`
>> domtrans_pattern($1, udev_exec_t, udev_t)
>> ')
>> +########################################
>> +## <summary>
>> +## Execute udev in the udev domain, and
>> +## allow the specified role the udev domain.
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed to transition.
>> +## </summary>
>> +## </param>
>> +## <param name="role">
>> +## <summary>
>> +## Role allowed access.
>> +## </summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`udev_run',`
>> + gen_require(`
>> + attribute_role udev_roles;
>> + ')
>> +
>> + udev_domtrans($1)
>> + roleattribute $2 udev_roles;
>> +')
>
> Why is a user be starting this?
>
In this case it isn't a user starting udev, rather calling
"/usr/bin/udevadm info" to gather all the specific information about a
USB device. udevadm is labeled udev_exec_t.
On 3/7/19 10:01 PM, Sugar, David wrote:
>
>
> On 3/7/19 6:55 PM, Chris PeBenito wrote:
>> On 3/6/19 2:07 PM, Sugar, David wrote:
>>> Altered to use roleattribute based on suggestion
>>>
>>> Signed-off-by: Dave Sugar <[email protected]>
>>> ---
>>> policy/modules/system/udev.if | 26 ++++++++++++++++++++++++++
>>> policy/modules/system/udev.te | 2 ++
>>> 2 files changed, 28 insertions(+)
>>>
>>> diff --git a/policy/modules/system/udev.if
>>> b/policy/modules/system/udev.if
>>> index fee55852..90dfb17d 100644
>>> --- a/policy/modules/system/udev.if
>>> +++ b/policy/modules/system/udev.if
>>> @@ -36,6 +36,32 @@ interface(`udev_domtrans',`
>>> domtrans_pattern($1, udev_exec_t, udev_t)
>>> ')
>>> +########################################
>>> +## <summary>
>>> +## Execute udev in the udev domain, and
>>> +## allow the specified role the udev domain.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed to transition.
>>> +## </summary>
>>> +## </param>
>>> +## <param name="role">
>>> +## <summary>
>>> +## Role allowed access.
>>> +## </summary>
>>> +## </param>
>>> +## <rolecap/>
>>> +#
>>> +interface(`udev_run',`
>>> + gen_require(`
>>> + attribute_role udev_roles;
>>> + ')
>>> +
>>> + udev_domtrans($1)
>>> + roleattribute $2 udev_roles;
>>> +')
>>
>> Why is a user be starting this?
>>
> In this case it isn't a user starting udev, rather calling
> "/usr/bin/udevadm info" to gather all the specific information about a
> USB device. udevadm is labeled udev_exec_t.
In that case I'd be more interested in seeing what it would take for a
separate udevadm domain. If that proves to be too much like udev_t,
then I'd accept the above patch.
--
Chris PeBenito