I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
This creates and uses a new interface to allow the needed
permission for udev.
type=AVC msg=audit(1551886176.948:642): avc: denied { map } for pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Updated from previous to create a new interface.
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/systemd.if | 18 ++++++++++++++++++
policy/modules/system/udev.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8d2bb8da..6353ca69 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -37,6 +37,24 @@ interface(`systemd_read_hwdb',`
read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
')
+#######################################
+## <summary>
+## Allow domain to map udev hwdb file
+## </summary>
+## <param name="domain">
+## <summary>
+## domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_map_hwdb',`
+ gen_require(`
+ type systemd_hwdb_t;
+ ')
+
+ allow $1 systemd_hwdb_t:file map;
+')
+
######################################
## <summary>
## Read systemd_login PID files.
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 88bff272..d0496258 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -250,6 +250,7 @@ ifdef(`init_systemd',`
init_get_generic_units_status(udev_t)
init_stream_connect(udev_t)
+ systemd_map_hwdb(udev_t)
systemd_read_hwdb(udev_t)
systemd_read_logind_sessions_files(udev_t)
systemd_read_logind_pids(udev_t)
--
2.20.1
On 3/8/19 10:58 PM, Sugar, David wrote:
> I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
> This creates and uses a new interface to allow the needed
> permission for udev.
>
> type=AVC msg=audit(1551886176.948:642): avc: denied { map } for pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
>
> Updated from previous to create a new interface.
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/systemd.if | 18 ++++++++++++++++++
> policy/modules/system/udev.te | 1 +
> 2 files changed, 19 insertions(+)
>
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 8d2bb8da..6353ca69 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -37,6 +37,24 @@ interface(`systemd_read_hwdb',`
> read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
> ')
>
> +#######################################
> +## <summary>
> +## Allow domain to map udev hwdb file
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## domain allowed access
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_map_hwdb',`
> + gen_require(`
> + type systemd_hwdb_t;
> + ')
> +
> + allow $1 systemd_hwdb_t:file map;
> +')
> +
> ######################################
> ## <summary>
> ## Read systemd_login PID files.
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 88bff272..d0496258 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -250,6 +250,7 @@ ifdef(`init_systemd',`
> init_get_generic_units_status(udev_t)
> init_stream_connect(udev_t)
>
> + systemd_map_hwdb(udev_t)
> systemd_read_hwdb(udev_t)
> systemd_read_logind_sessions_files(udev_t)
> systemd_read_logind_pids(udev_t)
Merged.
--
Chris PeBenito