From:   "Sugar, David" <dsugar@tresys.com>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH] Setup attribute for fixed_disk_device and removable_device
Thread-Topic: [PATCH] Setup attribute for fixed_disk_device and
 removable_device
Thread-Index: AQHU06OdC5r+KkH6VEygMu5QU2ZaRw==
Date:   Tue, 5 Mar 2019 22:34:37 +0000
Message-ID: <20190305223402.19263-1-dsugar@tresys.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: git-send-email 2.20.1
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5266962c-60af-404e-e2f9-08d6a1babf8f
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020);SRVR:BN6PR15MB1444;
x-ms-traffictypediagnostic: BN6PR15MB1444:
x-microsoft-exchange-diagnostics: =?iso-8859-1?Q?1;BN6PR15MB1444;23:WgTU49aXvIhEnvaF2MH+z9nGPn9SrHPhQ1rPeTr?=
 =?iso-8859-1?Q?ngxPiyhymsR0A9p0+p9i3/3Eyh9LhYXlQBUdhuejFE0V9niihGf+NQxBb8?=
 =?iso-8859-1?Q?RyzP9ueIBuZrgXSqc0eRofaO7pLJdbRaIVN6HTxgyEPpRP9FMQ13ZXL4ar?=
 =?iso-8859-1?Q?Gwi4zU3nyXE/sU6saF7eDVSTMaqu0DRXa/k1FIfeb8uwNUzZxBdL/BkqOI?=
 =?iso-8859-1?Q?k3NDn05wFjm4/mGWfS8h/EVpNOB2IwRepzmWKSM1qrP3wSKrtK2yRxucL8?=
 =?iso-8859-1?Q?KnajPcHrkLhjlP5LPI1i8FhjlygnwS6kTdoVMktCuuWlEgTq76rnglDIgS?=
 =?iso-8859-1?Q?cAmjis8yjy2k3Y4SA4pd9ASPaq4GxsdoN5L9yQ8kMiY4NDvOH5baXUEk9w?=
 =?iso-8859-1?Q?JonlK6tR9DTq0NERxdmswndNyhrMT0HFBpF8oBMuLZWbdXDbyWbl3Hgpsp?=
 =?iso-8859-1?Q?TeOf894IT2EEeDbZulvj7nKnIE76De66GvgsJ8yHKwXanvQNmiFASGVDZy?=
 =?iso-8859-1?Q?pLWoHgJ87AdUtbaEX+8umkhbpr8CWE6ZXVO2Gl2xc5DLQIxaYqF0nYz5ZW?=
 =?iso-8859-1?Q?H63L7/8CzOcLUcXmrBpt4KPavG+ZnLSklwxSALbhIUTI5WYDT9op+ad5iH?=
 =?iso-8859-1?Q?m0us4RkCbKMESL47sXvW98ZlHi+BW+Lsh3zXHQL/ALBRt2+1gBFoCKFxUo?=
 =?iso-8859-1?Q?D6stOiSDBsDnONWz5vKwlmMTfcEu603JtPYgJt8DHuNJqzGK4lyRT0g9N3?=
 =?iso-8859-1?Q?LtJ3YjIGGY/W/Lrep5Sdb7VE0JAp93KS52mwMzpJfXNsgGTPPN1kDLhfbI?=
 =?iso-8859-1?Q?CogYVc5FjpnwvL/DrWym6Viwbi1jFoRkzdIkp6zOY8ovIZl11Mvkw2fY3+?=
 =?iso-8859-1?Q?sirKtFAG+/NZvc+h0VQjws5xg1Mn0lJKy3RuMHoO8Qraz8TOef4L64IVD2?=
 =?iso-8859-1?Q?zOAMYDQSV2bnY1fwlONQpX0fqauzWdHddvhhlgWp7b7/f2TTBJUixpec8p?=
 =?iso-8859-1?Q?3liGEAJfaWBfyh+079j7aWs4ac564TCqFlzWVVDjUH8kgfBpePEkcuPqyr?=
 =?iso-8859-1?Q?pBggelUhqme8P0OgMXkJzPDVgTo4rbXQcrt9VWDEP3qXzalWkZkqp0FoYJ?=
 =?iso-8859-1?Q?r7RcZBkLSlTR5FObY7koU30VP0cxnehpU058n08Q4zHYs7pvKdnkvxeVbK?=
 =?iso-8859-1?Q?guNDS0gHnMV4+FmJVpFP0n9pXol6Ztu7RPNTxJbT6jVHa161QHZVCjl8O3?=
 =?iso-8859-1?Q?kHIparN1YwiZ8SrDTM/4R5n5YHmcuVyTkxZyIbg=3D=3D?=
x-microsoft-antispam-prvs: <BN6PR15MB14442F6574051CFD1FF0459EB9720@BN6PR15MB1444.namprd15.prod.outlook.com>
x-forefront-prvs: 0967749BC1
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(39840400004)(346002)(396003)(366004)(376002)(136003)(189003)(199004)(68736007)(1076003)(50226002)(8936002)(105586002)(2906002)(106356001)(66066001)(36756003)(6916009)(97736004)(2351001)(102836004)(316002)(476003)(52116002)(486006)(386003)(6506007)(2616005)(305945005)(8676002)(7736002)(81166006)(26005)(81156014)(99286004)(186003)(86362001)(6486002)(256004)(6436002)(6116002)(53936002)(14454004)(5640700003)(6512007)(3846002)(508600001)(25786009)(71190400001)(71200400001)(30864003)(5024004)(14444005)(5660300002)(2501003);DIR:OUT;SFP:1102;SCL:1;SRVR:BN6PR15MB1444;H:BN6PR15MB1507.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: tresys.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 4ZQ7lCffLVxMgCggW7YbW9qbybo8KMVkQztoOTjbCJSgnvy6unOtkaUIXCCrpijmtaxyWg3QfmB0t9A9XmytVsJFji6J0PPZmN1wD9RAqFv/i69s/hioG9SRXuEMeyl/Z9YVqCv5HzjwS1kyI0j6TLxqDVkPUklruja8b8cqf7rSs2SU8FJJj3jBJ4DBp2EmFB32D+KQg1z/zWpik02GzvY/yyn5oCBckucdaLRfIsG+Tt3P0/Rn/6/NHeQ1UR6DN2OacdZn2aDQjbDH20joNIMgcku/tePI/FglyPP6qXswo5lqY7XyoS/LYlq3FSNb2BbP8ZC9IEzVkEASpN+aC03fuhXHE/maww9ybZt7TTEfdIa2XU9kmigWlV5KMhVDnu8laC9ykLUx52hSSQp5KfDNNDgBmku2Szfu/e6Pec4=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tresys.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5266962c-60af-404e-e2f9-08d6a1babf8f
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Mar 2019 22:34:37.1652
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR15MB1444
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

I am having trouble with some denials due to the fact I am setting
up specific private types for media attached to my system.  This
changes to use an attribute for media and interfaces to add types
to the newly created attribute. I'm seeing denials from lvm_t which
this helps to resolve.

If the names of the new attributes are not OK, please suggest others.
I will update as needed.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/kernel/storage.if | 139 +++++++++++++++++++------------
 policy/modules/kernel/storage.te |  11 ++-
 2 files changed, 96 insertions(+), 54 deletions(-)

diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/stora=
ge.if
index 0292eee4..c8d9bfcc 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -13,11 +13,11 @@
 #
 interface(`storage_getattr_fixed_disk_dev',`
 	gen_require(`
-		type fixed_disk_device_t;
+		attribute fixed_disk_device;
 	')
=20
 	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file getattr;
+	allow $1 fixed_disk_device:blk_file getattr;
 ')
=20
 ########################################
@@ -33,11 +33,11 @@ interface(`storage_getattr_fixed_disk_dev',`
 #
 interface(`storage_dontaudit_getattr_fixed_disk_dev',`
 	gen_require(`
-		type fixed_disk_device_t;
+		attribute fixed_disk_device;
 	')
=20
-	dontaudit $1 fixed_disk_device_t:blk_file getattr;
-	dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl
+	dontaudit $1 fixed_disk_device:blk_file getattr;
+	dontaudit $1 fixed_disk_device:chr_file getattr; # /dev/rawctl
 ')
=20
 ########################################
@@ -53,11 +53,11 @@ interface(`storage_dontaudit_getattr_fixed_disk_dev',`
 #
 interface(`storage_setattr_fixed_disk_dev',`
 	gen_require(`
-		type fixed_disk_device_t;
+		attribute fixed_disk_device;
 	')
=20
 	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file setattr;
+	allow $1 fixed_disk_device:blk_file setattr;
 ')
=20
 ########################################
@@ -73,10 +73,10 @@ interface(`storage_setattr_fixed_disk_dev',`
 #
 interface(`storage_dontaudit_setattr_fixed_disk_dev',`
 	gen_require(`
-		type fixed_disk_device_t;
+		attribute fixed_disk_device;
 	')
=20
-	dontaudit $1 fixed_disk_device_t:blk_file setattr;
+	dontaudit $1 fixed_disk_device:blk_file setattr;
 ')
=20
 ########################################
@@ -95,12 +95,12 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',`
 interface(`storage_raw_read_fixed_disk',`
 	gen_require(`
 		attribute fixed_disk_raw_read;
-		type fixed_disk_device_t;
+		attribute fixed_disk_device;
 	')
=20
 	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
-	allow $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+	allow $1 fixed_disk_device:blk_file read_blk_file_perms;
+	allow $1 fixed_disk_device:chr_file read_chr_file_perms;
 	typeattribute $1 fixed_disk_raw_read;
 ')
=20
@@ -117,12 +117,12 @@ interface(`storage_raw_read_fixed_disk',`
 #
 interface(`storage_dontaudit_read_fixed_disk',`
 	gen_require(`
-		type fixed_disk_device_t;
+		attribute fixed_disk_device;
=20
 	')
=20
-	dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms;
-	dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms;
+	dontaudit $1 fixed_disk_device:blk_file read_blk_file_perms;
+	dontaudit $1 fixed_disk_device:chr_file read_chr_file_perms;
 ')
=20
 ########################################
@@ -141,12 +141,12 @@ interface(`storage_dontaudit_read_fixed_disk',`
 interface(`storage_raw_write_fixed_disk',`
 	gen_require(`
 		attribute fixed_disk_raw_write;
-		type fixed_disk_device_t;
+		attribute fixed_disk_device;
 	')
=20
 	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file write_blk_file_perms;
-	allow $1 fixed_disk_device_t:chr_file write_chr_file_perms;
+	allow $1 fixed_disk_device:blk_file write_blk_file_perms;
+	allow $1 fixed_disk_device:chr_file write_chr_file_perms;
 	typeattribute $1 fixed_disk_raw_write;
 ')
=20
@@ -163,11 +163,11 @@ interface(`storage_raw_write_fixed_disk',`
 #
 interface(`storage_dontaudit_write_fixed_disk',`
 	gen_require(`
-		type fixed_disk_device_t;
+		attribute fixed_disk_device;
=20
 	')
=20
-	dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms;
+	dontaudit $1 fixed_disk_device:blk_file write_blk_file_perms;
 ')
=20
 ########################################
@@ -200,11 +200,11 @@ interface(`storage_raw_rw_fixed_disk',`
 #
 interface(`storage_create_fixed_disk_dev',`
 	gen_require(`
-		type fixed_disk_device_t;
+		attribute fixed_disk_device;
 	')
=20
 	allow $1 self:capability mknod;
-	allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
+	allow $1 fixed_disk_device:blk_file create_blk_file_perms;
 	dev_add_entry_generic_dirs($1)
 ')
=20
@@ -220,10 +220,10 @@ interface(`storage_create_fixed_disk_dev',`
 #
 interface(`storage_delete_fixed_disk_dev',`
 	gen_require(`
-		type fixed_disk_device_t;
+		attribute fixed_disk_device;
 	')
=20
-	allow $1 fixed_disk_device_t:blk_file delete_blk_file_perms;
+	allow $1 fixed_disk_device:blk_file delete_blk_file_perms;
 	dev_remove_entry_generic_dirs($1)
 ')
=20
@@ -240,13 +240,13 @@ interface(`storage_delete_fixed_disk_dev',`
 interface(`storage_manage_fixed_disk',`
 	gen_require(`
 		attribute fixed_disk_raw_read, fixed_disk_raw_write;
-		type fixed_disk_device_t;
+		attribute fixed_disk_device;
 	')
=20
 	dev_list_all_dev_nodes($1)
 	allow $1 self:capability mknod;
-	allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms;
-	allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms;
+	allow $1 fixed_disk_device:blk_file manage_blk_file_perms;
+	allow $1 fixed_disk_device:chr_file manage_chr_file_perms;
 	typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write;
 ')
=20
@@ -305,11 +305,11 @@ interface(`storage_tmpfs_filetrans_fixed_disk',`
 #
 interface(`storage_relabel_fixed_disk',`
 	gen_require(`
-		type fixed_disk_device_t;
+		attribute fixed_disk_device;
 	')
=20
 	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
+	allow $1 fixed_disk_device:blk_file relabel_blk_file_perms;
 ')
=20
 ########################################
@@ -324,11 +324,11 @@ interface(`storage_relabel_fixed_disk',`
 #
 interface(`storage_swapon_fixed_disk',`
 	gen_require(`
-		type fixed_disk_device_t;
+		attribute fixed_disk_device;
 	')
=20
 	dev_list_all_dev_nodes($1)
-	allow $1 fixed_disk_device_t:blk_file { getattr swapon };
+	allow $1 fixed_disk_device:blk_file { getattr swapon };
 ')
=20
 ########################################
@@ -530,11 +530,11 @@ interface(`storage_dontaudit_rw_scsi_generic',`
 #
 interface(`storage_getattr_removable_dev',`
 	gen_require(`
-		type removable_device_t;
+		attribute removable_device;
 	')
=20
 	dev_list_all_dev_nodes($1)
-	allow $1 removable_device_t:blk_file getattr;
+	allow $1 removable_device:blk_file getattr;
 ')
=20
 ########################################
@@ -550,10 +550,10 @@ interface(`storage_getattr_removable_dev',`
 #
 interface(`storage_dontaudit_getattr_removable_dev',`
 	gen_require(`
-		type removable_device_t;
+		attribute removable_device;
 	')
=20
-	dontaudit $1 removable_device_t:blk_file getattr;
+	dontaudit $1 removable_device:blk_file getattr;
 ')
=20
 ########################################
@@ -569,11 +569,11 @@ interface(`storage_dontaudit_getattr_removable_dev',`
 #
 interface(`storage_dontaudit_read_removable_device',`
 	gen_require(`
-		type removable_device_t;
+		attribute removable_device;
=20
 	')
=20
-	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
+	dontaudit $1 removable_device:blk_file read_blk_file_perms;
 ')
=20
 ########################################
@@ -589,10 +589,10 @@ interface(`storage_dontaudit_read_removable_device',`
 #
 interface(`storage_dontaudit_write_removable_device',`
 	gen_require(`
-		type removable_device_t;
+		attribute removable_device;
 	')
=20
-	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
+	dontaudit $1 removable_device:blk_file write_blk_file_perms;
 ')
=20
 ########################################
@@ -608,11 +608,11 @@ interface(`storage_dontaudit_write_removable_device',=
`
 #
 interface(`storage_setattr_removable_dev',`
 	gen_require(`
-		type removable_device_t;
+		attribute removable_device;
 	')
=20
 	dev_list_all_dev_nodes($1)
-	allow $1 removable_device_t:blk_file setattr;
+	allow $1 removable_device:blk_file setattr;
 ')
=20
 ########################################
@@ -628,10 +628,10 @@ interface(`storage_setattr_removable_dev',`
 #
 interface(`storage_dontaudit_setattr_removable_dev',`
 	gen_require(`
-		type removable_device_t;
+		attribute removable_device;
 	')
=20
-	dontaudit $1 removable_device_t:blk_file setattr;
+	dontaudit $1 removable_device:blk_file setattr;
 ')
=20
 ########################################
@@ -650,11 +650,11 @@ interface(`storage_dontaudit_setattr_removable_dev',`
 #
 interface(`storage_raw_read_removable_device',`
 	gen_require(`
-		type removable_device_t;
+		attribute removable_device;
 	')
=20
 	dev_list_all_dev_nodes($1)
-	allow $1 removable_device_t:blk_file read_blk_file_perms;
+	allow $1 removable_device:blk_file read_blk_file_perms;
 ')
=20
 ########################################
@@ -669,10 +669,10 @@ interface(`storage_raw_read_removable_device',`
 #
 interface(`storage_dontaudit_raw_read_removable_device',`
 	gen_require(`
-		type removable_device_t;
+		attribute removable_device;
 	')
=20
-	dontaudit $1 removable_device_t:blk_file read_blk_file_perms;
+	dontaudit $1 removable_device:blk_file read_blk_file_perms;
 ')
=20
 ########################################
@@ -691,11 +691,11 @@ interface(`storage_dontaudit_raw_read_removable_devic=
e',`
 #
 interface(`storage_raw_write_removable_device',`
 	gen_require(`
-		type removable_device_t;
+		attribute removable_device;
 	')
=20
 	dev_list_all_dev_nodes($1)
-	allow $1 removable_device_t:blk_file write_blk_file_perms;
+	allow $1 removable_device:blk_file write_blk_file_perms;
 ')
=20
 ########################################
@@ -710,10 +710,10 @@ interface(`storage_raw_write_removable_device',`
 #
 interface(`storage_dontaudit_raw_write_removable_device',`
 	gen_require(`
-		type removable_device_t;
+		attribute removable_device;
 	')
=20
-	dontaudit $1 removable_device_t:blk_file write_blk_file_perms;
+	dontaudit $1 removable_device:blk_file write_blk_file_perms;
 ')
=20
 ########################################
@@ -813,3 +813,40 @@ interface(`storage_unconfined',`
=20
 	typeattribute $1 storage_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Mark a type as a removable device type.
+## </summary>
+## <param name=3D"domain">
+##	<summary>
+##	Type to associate.
+##	</summary>
+## </param>
+#
+interface(`storage_removable_device_type',`
+	gen_require(`
+		attribute removable_device;
+	')
+
+	typeattribute $1 removable_device;
+')
+
+########################################
+## <summary>
+##	Mark a type as a fixed disk device type.
+## </summary>
+## <param name=3D"domain">
+##	<summary>
+##	Type to associate
+##	</summary>
+## </param>
+#
+interface(`storage_fixed_disk_device_type',`
+	gen_require(`
+		attribute fixed_disk_device;
+	')
+
+	typeattribute $1 fixed_disk_device;
+')
+
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/stora=
ge.te
index c10290c0..7a358290 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -11,15 +11,19 @@ attribute scsi_generic_read;
 attribute scsi_generic_write;
 attribute storage_unconfined_type;
=20
+attribute removable_device;
+attribute fixed_disk_device;
+
 #
 # fixed_disk_device_t is the type of
 # /dev/hd* and /dev/sd*.
 #
 type fixed_disk_device_t;
 dev_node(fixed_disk_device_t)
+storage_fixed_disk_device_type(fixed_disk_device_t)
=20
-neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_dev=
ice_t:{ chr_file blk_file } read;
-neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_de=
vice_t:{ chr_file blk_file } { append write };
+neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_dev=
ice:{ chr_file blk_file } read;
+neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_de=
vice:{ chr_file blk_file } { append write };
=20
 #
 # fuse_device_t is the type of /dev/fuse
@@ -43,6 +47,7 @@ neverallow ~{ scsi_generic_write storage_unconfined_type =
} scsi_generic_device_t
 #
 type removable_device_t;
 dev_node(removable_device_t)
+storage_removable_device_type(removable_device_t)
=20
 #
 # tape_device_t is the type of
@@ -55,5 +60,5 @@ dev_node(tape_device_t)
 # Unconfined access to this module
 #
=20
-allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:b=
lk_file { manage_blk_file_perms relabelfrom relabelto map execute swapon qu=
otaon mounton audit_access execmod };
+allow storage_unconfined_type { fixed_disk_device removable_device }:blk_f=
ile { manage_blk_file_perms relabelfrom relabelto map execute swapon quotao=
n mounton audit_access execmod };
 allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_=
file { manage_chr_file_perms relabelfrom relabelto map execute swapon quota=
on mounton execute_no_trans entrypoint execmod audit_access };
--=20
2.20.1