From: Dominick Grift
To: "Sugar, David"
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] Setup attribute for fixed_disk_device and removable_device
Date: Wed, 06 Mar 2019 09:18:12 +0100
In-Reply-To: <20190305223402.19263-1-dsugar@tresys.com> (David Sugar's message of "Tue, 5 Mar 2019 22:34:37 +0000")
Message-ID: <871s3kza9n.fsf@gmail.com>
List-ID: selinux-refpolicy@vger.kernel.org

"Sugar, David" writes:

> I am having trouble with some denials due to the fact I am setting
> up specific private types for media attached to my system. This
> changes to use an attribute for media and interfaces to add types
> to the newly created attribute. I'm seeing denials from lvm_t which
> this helps to resolve.
>
> If the names of the new attributes are not OK, please suggest others.
> I will update as needed.

You probably should create new interfaces for operations that apply to all fixed disk types instead of modifying the ones that apply to generic fixed disk.

Example: storage_getattr_all_fixed_disk_dev()

>
> Signed-off-by: Dave Sugar
> ---
> policy/modules/kernel/storage.if | 139 +++++++++++++++++++------
> policy/modules/kernel/storage.te | 11 ++-
> 2 files changed, 96 insertions(+), 54 deletions(-)
>
> diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
> index 0292eee4..c8d9bfcc 100644
> --- a/policy/modules/kernel/storage.if
> +++ b/policy/modules/kernel/storage.if
> @@ -13,11 +13,11 @@ > # > interface(`storage_getattr_fixed_disk_dev',` > gen_require(` > - type fixed_disk_device_t; > + attribute fixed_disk_device; > ') > > dev_list_all_dev_nodes($1) > - allow $1 fixed_disk_device_t:blk_file getattr; > + allow $1 fixed_disk_device:blk_file getattr; > ') > > ######################################## > @@ -33,11 +33,11 @@ interface(`storage_getattr_fixed_disk_dev',` > # > interface(`storage_dontaudit_getattr_fixed_disk_dev',` > gen_require(` > - type fixed_disk_device_t; > + attribute fixed_disk_device; > ') > > - dontaudit $1 fixed_disk_device_t:blk_file getattr; > - dontaudit $1 fixed_disk_device_t:chr_file getattr; # /dev/rawctl > + dontaudit $1 fixed_disk_device:blk_file getattr; > + dontaudit $1 fixed_disk_device:chr_file getattr; # /dev/rawctl > ') > > ######################################## > @@ -53,11 +53,11 @@ interface(`storage_dontaudit_getattr_fixed_disk_dev',` > # > interface(`storage_setattr_fixed_disk_dev',` > gen_require(` > - type fixed_disk_device_t; > + attribute fixed_disk_device; > ') > > dev_list_all_dev_nodes($1) > - allow $1 fixed_disk_device_t:blk_file setattr; > + allow $1 fixed_disk_device:blk_file setattr; > ') > > ######################################## > @@ -73,10 +73,10 @@ interface(`storage_setattr_fixed_disk_dev',` > # > interface(`storage_dontaudit_setattr_fixed_disk_dev',` > gen_require(` > - type fixed_disk_device_t; > + attribute fixed_disk_device; > ') > > - dontaudit $1 fixed_disk_device_t:blk_file setattr; > + dontaudit $1 fixed_disk_device:blk_file setattr; > ') > > ######################################## 
> @@ -95,12 +95,12 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',` > interface(`storage_raw_read_fixed_disk',` > gen_require(` > attribute fixed_disk_raw_read; > - type fixed_disk_device_t; > + attribute fixed_disk_device; > ') > > dev_list_all_dev_nodes($1) > - allow $1 fixed_disk_device_t:blk_file read_blk_file_perms; > - allow $1 fixed_disk_device_t:chr_file read_chr_file_perms; > + allow $1 fixed_disk_device:blk_file read_blk_file_perms; > + allow $1 fixed_disk_device:chr_file read_chr_file_perms; > typeattribute $1 fixed_disk_raw_read; > ') > > @@ -117,12 +117,12 @@ interface(`storage_raw_read_fixed_disk',` > # > interface(`storage_dontaudit_read_fixed_disk',` > gen_require(` > - type fixed_disk_device_t; > + attribute fixed_disk_device; > > ') > > - dontaudit $1 fixed_disk_device_t:blk_file read_blk_file_perms; > - dontaudit $1 fixed_disk_device_t:chr_file read_chr_file_perms; > + dontaudit $1 fixed_disk_device:blk_file read_blk_file_perms; > + dontaudit $1 fixed_disk_device:chr_file read_chr_file_perms; > ') > > ######################################## > @@ -141,12 +141,12 @@ interface(`storage_dontaudit_read_fixed_disk',` > interface(`storage_raw_write_fixed_disk',` > gen_require(` > attribute fixed_disk_raw_write; > - type fixed_disk_device_t; > + attribute fixed_disk_device; > ') > > dev_list_all_dev_nodes($1) > - allow $1 fixed_disk_device_t:blk_file write_blk_file_perms; > - allow $1 fixed_disk_device_t:chr_file write_chr_file_perms; > + allow $1 fixed_disk_device:blk_file write_blk_file_perms; > + allow $1 fixed_disk_device:chr_file write_chr_file_perms; > typeattribute $1 fixed_disk_raw_write; > ') 
> > @@ -163,11 +163,11 @@ interface(`storage_raw_write_fixed_disk',` > # > interface(`storage_dontaudit_write_fixed_disk',` > gen_require(` > - type fixed_disk_device_t; > + attribute fixed_disk_device; > > ') > > - dontaudit $1 fixed_disk_device_t:blk_file write_blk_file_perms; > + dontaudit $1 fixed_disk_device:blk_file write_blk_file_perms; > ') > > ######################################## > @@ -200,11 +200,11 @@ interface(`storage_raw_rw_fixed_disk',` > # > interface(`storage_create_fixed_disk_dev',` > gen_require(` > - type fixed_disk_device_t; > + attribute fixed_disk_device; > ') > > allow $1 self:capability mknod; > - allow $1 fixed_disk_device_t:blk_file create_blk_file_perms; > + allow $1 fixed_disk_device:blk_file create_blk_file_perms; > dev_add_entry_generic_dirs($1) > ') > > @@ -220,10 +220,10 @@ interface(`storage_create_fixed_disk_dev',` > # > interface(`storage_delete_fixed_disk_dev',` > gen_require(` > - type fixed_disk_device_t; > + attribute fixed_disk_device; > ') > > - allow $1 fixed_disk_device_t:blk_file delete_blk_file_perms; > + allow $1 fixed_disk_device:blk_file delete_blk_file_perms; > dev_remove_entry_generic_dirs($1) > ') > > @@ -240,13 +240,13 @@ interface(`storage_delete_fixed_disk_dev',` > interface(`storage_manage_fixed_disk',` > gen_require(` > attribute fixed_disk_raw_read, fixed_disk_raw_write; > - type fixed_disk_device_t; > + attribute fixed_disk_device; > ') > > dev_list_all_dev_nodes($1) > allow $1 self:capability mknod; > - allow $1 fixed_disk_device_t:blk_file manage_blk_file_perms; > - allow $1 fixed_disk_device_t:chr_file manage_chr_file_perms; > + allow $1 fixed_disk_device:blk_file manage_blk_file_perms; > + allow $1 fixed_disk_device:chr_file manage_chr_file_perms; > typeattribute $1 fixed_disk_raw_read, fixed_disk_raw_write; > ') 
> > @@ -305,11 +305,11 @@ interface(`storage_tmpfs_filetrans_fixed_disk',` > # > interface(`storage_relabel_fixed_disk',` > gen_require(` > - type fixed_disk_device_t; > + attribute fixed_disk_device; > ') > > dev_list_all_dev_nodes($1) > - allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms; > + allow $1 fixed_disk_device:blk_file relabel_blk_file_perms; > ') > > ######################################## > @@ -324,11 +324,11 @@ interface(`storage_relabel_fixed_disk',` > # > interface(`storage_swapon_fixed_disk',` > gen_require(` > - type fixed_disk_device_t; > + attribute fixed_disk_device; > ') > > dev_list_all_dev_nodes($1) > - allow $1 fixed_disk_device_t:blk_file { getattr swapon }; > + allow $1 fixed_disk_device:blk_file { getattr swapon }; > ') > > ######################################## > @@ -530,11 +530,11 @@ interface(`storage_dontaudit_rw_scsi_generic',` > # > interface(`storage_getattr_removable_dev',` > gen_require(` > - type removable_device_t; > + attribute removable_device; > ') > > dev_list_all_dev_nodes($1) > - allow $1 removable_device_t:blk_file getattr; > + allow $1 removable_device:blk_file getattr; > ') > > ######################################## > @@ -550,10 +550,10 @@ interface(`storage_getattr_removable_dev',` > # > interface(`storage_dontaudit_getattr_removable_dev',` > gen_require(` > - type removable_device_t; > + attribute removable_device; > ') > > - dontaudit $1 removable_device_t:blk_file getattr; > + dontaudit $1 removable_device:blk_file getattr; > ') > > ######################################## > @@ -569,11 +569,11 @@ interface(`storage_dontaudit_getattr_removable_dev',` > # > interface(`storage_dontaudit_read_removable_device',` > gen_require(` > - type removable_device_t; > + attribute removable_device; > > ') > > - dontaudit $1 removable_device_t:blk_file read_blk_file_perms; > + dontaudit $1 removable_device:blk_file read_blk_file_perms; > ') > > ######################################## 
> @@ -589,10 +589,10 @@ interface(`storage_dontaudit_read_removable_device',` > # > interface(`storage_dontaudit_write_removable_device',` > gen_require(` > - type removable_device_t; > + attribute removable_device; > ') > > - dontaudit $1 removable_device_t:blk_file write_blk_file_perms; > + dontaudit $1 removable_device:blk_file write_blk_file_perms; > ') > > ######################################## > @@ -608,11 +608,11 @@ interface(`storage_dontaudit_write_removable_device',` > # > interface(`storage_setattr_removable_dev',` > gen_require(` > - type removable_device_t; > + attribute removable_device; > ') > > dev_list_all_dev_nodes($1) > - allow $1 removable_device_t:blk_file setattr; > + allow $1 removable_device:blk_file setattr; > ') > > ######################################## > @@ -628,10 +628,10 @@ interface(`storage_setattr_removable_dev',` > # > interface(`storage_dontaudit_setattr_removable_dev',` > gen_require(` > - type removable_device_t; > + attribute removable_device; > ') > > - dontaudit $1 removable_device_t:blk_file setattr; > + dontaudit $1 removable_device:blk_file setattr; > ') > > ######################################## > @@ -650,11 +650,11 @@ interface(`storage_dontaudit_setattr_removable_dev',` > # > interface(`storage_raw_read_removable_device',` > gen_require(` > - type removable_device_t; > + attribute removable_device; > ') > > dev_list_all_dev_nodes($1) > - allow $1 removable_device_t:blk_file read_blk_file_perms; > + allow $1 removable_device:blk_file read_blk_file_perms; > ') > > ######################################## > @@ -669,10 +669,10 @@ interface(`storage_raw_read_removable_device',` > # > interface(`storage_dontaudit_raw_read_removable_device',` > gen_require(` > - type removable_device_t; > + attribute removable_device; > ') > > - dontaudit $1 removable_device_t:blk_file read_blk_file_perms; > + dontaudit $1 removable_device:blk_file read_blk_file_perms; > ') > > ######################################## 
> @@ -691,11 +691,11 @@ interface(`storage_dontaudit_raw_read_removable_device',` > # > interface(`storage_raw_write_removable_device',` > gen_require(` > - type removable_device_t; > + attribute removable_device; > ') > > dev_list_all_dev_nodes($1) > - allow $1 removable_device_t:blk_file write_blk_file_perms; > + allow $1 removable_device:blk_file write_blk_file_perms; > ') > > ######################################## > @@ -710,10 +710,10 @@ interface(`storage_raw_write_removable_device',` > # > interface(`storage_dontaudit_raw_write_removable_device',` > gen_require(` > - type removable_device_t; > + attribute removable_device; > ') > > - dontaudit $1 removable_device_t:blk_file write_blk_file_perms; > + dontaudit $1 removable_device:blk_file write_blk_file_perms; > ') > > ######################################## > @@ -813,3 +813,40 @@ interface(`storage_unconfined',` > > typeattribute $1 storage_unconfined_type; > ') > + > +######################################## > +## > +## Mark a type as a removable device type. > +## > +## > +## > +## Type to associate. > +## > +## > +# > +interface(`storage_removable_device_type',` > + gen_require(` > + attribute removable_device; > + ') > + > + typeattribute $1 removable_device; > +') > + > +######################################## > +## > +## Mark a type as a fixed disk device type. > +## > +## > +## > +## Type to associate > +## > +## > +# > +interface(`storage_fixed_disk_device_type',` > + gen_require(` > + attribute fixed_disk_device; > + ') > + > + typeattribute $1 fixed_disk_device; > +') > + > diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te > index c10290c0..7a358290 100644 > --- a/policy/modules/kernel/storage.te > +++ b/policy/modules/kernel/storage.te 
> @@ -11,15 +11,19 @@ attribute scsi_generic_read; > attribute scsi_generic_write; > attribute storage_unconfined_type; > > +attribute removable_device; > +attribute fixed_disk_device; > + > # > # fixed_disk_device_t is the type of > # /dev/hd* and /dev/sd*. > # > type fixed_disk_device_t; > dev_node(fixed_disk_device_t) > +storage_fixed_disk_device_type(fixed_disk_device_t) > > -neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } read; > -neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write }; > +neverallow ~{ fixed_disk_raw_read storage_unconfined_type } fixed_disk_device:{ chr_file blk_file } read; > +neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device:{ chr_file blk_file } { append write }; > > # > # fuse_device_t is the type of /dev/fuse > @@ -43,6 +47,7 @@ neverallow ~{ scsi_generic_write storage_unconfined_type } scsi_generic_device_t > # > type removable_device_t; > dev_node(removable_device_t) > +storage_removable_device_type(removable_device_t) > > # > # tape_device_t is the type of > @@ -55,5 +60,5 @@ dev_node(tape_device_t) > # Unconfined access to this module > # > > -allow storage_unconfined_type { fixed_disk_device_t removable_device_t }:blk_file { manage_blk_file_perms relabelfrom relabelto map execute swapon quotaon mounton audit_access execmod }; > +allow storage_unconfined_type { fixed_disk_device removable_device }:blk_file { manage_blk_file_perms relabelfrom relabelto map execute swapon quotaon mounton audit_access execmod }; > allow storage_unconfined_type { scsi_generic_device_t tape_device_t }:chr_file { manage_chr_file_perms relabelfrom relabelto map execute swapon quotaon mounton execute_no_trans entrypoint execmod audit_access };

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
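Review bot: Replacing `type fixed_disk_device_t` with `attribute fixed_disk_device` in the gen_require of every existing storage.if interface, from `storage_getattr_fixed_disk_dev` at `@@ -13,11 +13,11 @@` down to `storage_dontaudit_raw_write_removable_device` at `@@ -710,10 +710,10 @@`, silently widens every current caller of those interfaces to any type a later module marks with `storage_fixed_disk_device_type()` or `storage_removable_device_type()`. It does the same to the `dontaudit` variants, so denials against a freshly added private type are suppressed for every domain that was only meant to be quiet about `fixed_disk_device_t`, and those are exactly the denials the commit message says are being used to develop the private-type policy. Keep the existing interfaces on the concrete types and add attribute-wide variants that a caller opts into, e.g. `storage_getattr_all_fixed_disk_dev()` granting `allow $1 fixed_disk_device:blk_file getattr;`.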
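Review bot: The storage.if hunk at `@@ -813,3 +813,40 @@` ends with a bare `+` after the closing `')` of `storage_fixed_disk_device_type`, which adds a trailing blank line at end of file; drop it. In the same hunk the summary of `storage_fixed_disk_device_type` reads "Type to associate" without the period its twin in `storage_removable_device_type` has, and type-marking interfaces conventionally precede the access interfaces in a module's .if rather than being appended after `storage_unconfined()`, so both new interfaces belong at the top of storage.if. Both summaries should also state what marking a type implies: a `fixed_disk_device` type falls under the raw read/write neverallow in storage.te, so a domain can only be given read or write access to it through `storage_raw_read_fixed_disk()`, `storage_raw_write_fixed_disk()` or `storage_unconfined()`, while `removable_device` carries no such constraint.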
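Review bot: Rebinding both neverallow rules in the storage.te hunk at `@@ -11,15 +11,19 @@` from `fixed_disk_device_t` to the `fixed_disk_device` attribute is the right call (a private fixed-disk type that escaped the raw read/write constraint would defeat the purpose of the attribute), but it turns `storage_fixed_disk_device_type()` into a build-time contract that nothing in the patch documents: any module that marks a type with it and also grants some domain `blk_file` or `chr_file` read, write or append on that type outside `storage_raw_read_fixed_disk()` / `storage_raw_write_fixed_disk()` fails neverallow checking when the policy is linked, with an error that points at storage.te rather than at the offending module. State that in the interface summary, and note in the commit message that third-party policy which already labels its own disk types can stop building once it adopts the attribute.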
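The approach suggested in the reply, worked out as an added example (this is not code from the patch or from refpolicy): leave the existing type-specific interfaces alone, add attribute-wide `_all_` variants that a caller opts into, and consume them from a local module that labels its own disk. The interface names `storage_getattr_all_fixed_disk_dev` and `storage_raw_read_all_fixed_disk`, the module name `mydisk`, the type `mydisk_device_t` and the `/dev/mapper/array*` path are assumptions chosen for illustration; `fixed_disk_device`, `fixed_disk_raw_read`, `storage_fixed_disk_device_type()`, `dev_node()`, `dev_list_all_dev_nodes()` and `lvm_t` are the names the patch and refpolicy already use.

```m4
# ---- storage.if (added example; the assumed "_all_" variants) ----
########################################
## <summary>
##	Get the attributes of every fixed disk device node, including
##	private types marked with storage_fixed_disk_device_type().
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`storage_getattr_all_fixed_disk_dev',`
	gen_require(`
		attribute fixed_disk_device;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device:blk_file getattr;
')

########################################
## <summary>
##	Read raw data from every fixed disk device, including private
##	types marked with storage_fixed_disk_device_type(). The caller
##	is added to fixed_disk_raw_read, which the neverallow in
##	storage.te requires of any reader of a fixed_disk_device type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`storage_raw_read_all_fixed_disk',`
	gen_require(`
		attribute fixed_disk_device, fixed_disk_raw_read;
	')

	dev_list_all_dev_nodes($1)
	allow $1 fixed_disk_device:blk_file read_blk_file_perms;
	allow $1 fixed_disk_device:chr_file read_chr_file_perms;
	# Without this typeattribute the allow rules above would be
	# rejected by the neverallow in storage.te at link time.
	typeattribute $1 fixed_disk_raw_read;
')

# ---- mydisk.te (hypothetical local module) ----
policy_module(mydisk, 1.0.0)

gen_require(`
	type lvm_t;
')

# Private label for one array. Marking it with the attribute makes the
# existing neverallow cover it, so reads of it are only possible via
# fixed_disk_raw_read (or storage_unconfined_type).
type mydisk_device_t;
dev_node(mydisk_device_t)
storage_fixed_disk_device_type(mydisk_device_t)

# Grants lvm_t read on every fixed_disk_device type, mydisk_device_t
# included, and puts lvm_t in fixed_disk_raw_read.
storage_raw_read_all_fixed_disk(lvm_t)

# A direct "allow some_domain_t mydisk_device_t:blk_file read;" for a
# domain that is not in fixed_disk_raw_read would fail neverallow
# checking when this module is linked, which is the intended effect
# of the attribute-based neverallow.

# ---- mydisk.fc (hypothetical) ----
/dev/mapper/array[0-9]*	-b	gen_context(system_u:object_r:mydisk_device_t,s0)
```

After building and loading the module (on a Fedora-style install, `make -f /usr/share/selinux/devel/Makefile mydisk.pp && semodule -i mydisk.pp`), `seinfo -a fixed_disk_device -x` lists the types that now carry the attribute, and `sesearch -A -t mydisk_device_t -c blk_file -p read` shows that only domains in `fixed_disk_raw_read` (plus `storage_unconfined_type`) can read the private device. Keeping the old interfaces on `fixed_disk_device_t` means a domain that was only ever meant to touch the generic disks does not gain access to `mydisk_device_t` by accident.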