Return-Path: <SRS0=ecPC=RJ=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-9.0 required=3.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,
	SIGNED_OFF_BY,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id ED02AC43381
	for <selinux-refpolicy@archiver.kernel.org>; Wed,  6 Mar 2019 19:07:03 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id A88382064A
	for <selinux-refpolicy@archiver.kernel.org>; Wed,  6 Mar 2019 19:07:03 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=tresys.onmicrosoft.com header.i=@tresys.onmicrosoft.com header.b="RNK8fQr0"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730609AbfCFTHD (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Wed, 6 Mar 2019 14:07:03 -0500
Received: from mail-eopbgr820137.outbound.protection.outlook.com ([40.107.82.137]:27278
        "EHLO NAM01-SN1-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1727302AbfCFTHD (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Wed, 6 Mar 2019 14:07:03 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=tresys.onmicrosoft.com; s=selector1-tresys-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=19p1xzOyq7dmgcAo4bo6mi4hgv1xg78r44XgLU6FkSg=;
 b=RNK8fQr0MwL0yIDzwY+A9qHkSMT9IAFhAzTD36b511S+ZdKVDCBcePqWYkISFvOl0B6QTOGAu6VE1cHVjhOj43TtR5N5QVPQnikjZ9bWjhu+KbJ+jPKLCN71WUAqdw4LsrU3EeHy58MJoCReFp8Os9/hW7YTabD5KHkRvUU2wHE=
Received: from BN6PR15MB1507.namprd15.prod.outlook.com (10.172.151.147) by
 BN6PR15MB1683.namprd15.prod.outlook.com (10.175.127.15) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.1665.16; Wed, 6 Mar 2019 19:07:00 +0000
Received: from BN6PR15MB1507.namprd15.prod.outlook.com
 ([fe80::ec41:1dc7:5fd4:a07a]) by BN6PR15MB1507.namprd15.prod.outlook.com
 ([fe80::ec41:1dc7:5fd4:a07a%7]) with mapi id 15.20.1665.020; Wed, 6 Mar 2019
 19:07:00 +0000
From:   "Sugar, David" <dsugar@tresys.com>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH v2] Add interface udev_run
Thread-Topic: [PATCH v2] Add interface udev_run
Thread-Index: AQHU1E/GPM7Ozj9lTEiEk6ubIu4p/Q==
Date:   Wed, 6 Mar 2019 19:07:00 +0000
Message-ID: <20190306190618.9089-1-dsugar@tresys.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [96.244.17.66]
x-clientproxiedby: BN6PR2201CA0020.namprd22.prod.outlook.com
 (2603:10b6:405:5e::33) To BN6PR15MB1507.namprd15.prod.outlook.com
 (2603:10b6:404:c6::19)
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=dsugar@tresys.com; 
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: git-send-email 2.20.1
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: dca8d08a-f2c9-4c34-df2c-08d6a266e90e
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020);SRVR:BN6PR15MB1683;
x-ms-traffictypediagnostic: BN6PR15MB1683:
x-microsoft-exchange-diagnostics: =?iso-8859-1?Q?1;BN6PR15MB1683;23:H6OBmV5te/zVHD/6uVatdrHmi+yR7RHiBP27U4o?=
 =?iso-8859-1?Q?dGm9YWgYZlFpbkTTgkHMudqabMcT3wV8fUSfsx2+srDLUQZX0D6cK3ac7V?=
 =?iso-8859-1?Q?AlyqZB73yq4aIPb6GlURdZFnVXtSSYAU1kjRVFODj2c2ol7fR0wsqshuSq?=
 =?iso-8859-1?Q?2Cdx+/6dnEbYrrfbC0CDa1YL2Kd62FXZbYzSlKkxt5jt0lFXZt0GfEtY94?=
 =?iso-8859-1?Q?sMlaL9egLiKO8Q3Y+6NxrhlZXm5fpUKXGy3QVTKiqUaOhuy+xTlwBVRryx?=
 =?iso-8859-1?Q?WnFFxLsx3PED3c2wxAiayXRNVcWfpX3yfhBZYFG2vdMI3INc8jI4ghySHP?=
 =?iso-8859-1?Q?A9SBog9UVb3zeWzzQqe9uJyp5MRGi4BeU5d5BCfha3V2LrE1dENNkZGezh?=
 =?iso-8859-1?Q?V0/q5HIWQiRagu12lM5wCndKlx/+U8aYOsh+Fp0mdtoXmpGKrv6DWzyMPp?=
 =?iso-8859-1?Q?7IexQKff91CooocfNdz73C+RRx8uMBxyyJs+gGTkJ/eu8wwdqKAz7scKf8?=
 =?iso-8859-1?Q?3Cr8v7Yk+aBHXrnAI/xsiHzDRlPL8W4CUFivMqSIaif+8TUeeAjW3NIMP/?=
 =?iso-8859-1?Q?Dv88znSP3qFrsw1hPgRP91DzOXdj6RfHBEPDtwHJnvufksNQiQ2dUjrxs7?=
 =?iso-8859-1?Q?oYlaNci37iPmED+CVevzDy9NlJfWMFNii8kMPZIHUstjLt7TBpS5abE0Zj?=
 =?iso-8859-1?Q?jtCx4KI8AZ75Q//L/Kh0svRbVK+4SXzKOFMSqOczGjLIyUgwhsk7GnVNqf?=
 =?iso-8859-1?Q?UU73dl5bS3uezisKS29McZofisOSmZFIjggm3yUEsLiBz6D199XLIDIl7O?=
 =?iso-8859-1?Q?tY8lzJQBvVqMktEDTZtlrjdkRnm2QSO5rKsA7zxiqvc/pPWs0uokaiNExm?=
 =?iso-8859-1?Q?kSA5xBHrOfo7dpiyi4HqyDOmNh90RUdQx6e6ytq/DiZihokQ75g5J+W+u2?=
 =?iso-8859-1?Q?oWyoGA6T4b6uJmG4NzSBkR+hKYRu0KtG1zWQIr4fvSQAEMKrM0tN8EUzLG?=
 =?iso-8859-1?Q?aOFNnDEZ63B1LfixpetRlmwq3T2zJgnLTKaIX/TZ4gxiSm7mQiEm2Z7HW0?=
 =?iso-8859-1?Q?JEwxqPhlU6zbvzOr6ABdGH+lU/4W+xbut5ZzA0Y+gq+CWeaoI27jrcpg+3?=
 =?iso-8859-1?Q?RczblB3cY6oViRFvGOSCPwykPYj/XGUmPH+EPkidAAA36IT1Q/Zl1V3DN4?=
 =?iso-8859-1?Q?7HZ9cxR5DfyM38z1nNhNuIEfPZZzW3w7F0FbIS3Kcjzba8rEIYNA/w=3D?=
x-microsoft-antispam-prvs: <BN6PR15MB168374A905EB7190CC3E2D86B9730@BN6PR15MB1683.namprd15.prod.outlook.com>
x-forefront-prvs: 0968D37274
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(366004)(376002)(346002)(396003)(39840400004)(136003)(189003)(199004)(86362001)(26005)(99286004)(68736007)(2351001)(14454004)(386003)(6506007)(5660300002)(14444005)(53936002)(71190400001)(3846002)(102836004)(186003)(6116002)(1076003)(97736004)(71200400001)(66066001)(256004)(52116002)(36756003)(2501003)(2616005)(316002)(2906002)(6916009)(6436002)(25786009)(81156014)(50226002)(8676002)(81166006)(305945005)(106356001)(7736002)(6512007)(6486002)(8936002)(105586002)(476003)(486006)(508600001)(5640700003);DIR:OUT;SFP:1102;SCL:1;SRVR:BN6PR15MB1683;H:BN6PR15MB1507.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: tresys.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: mCzWDia1Y5GP9/1FMQKw0vR1AeAyGvLkWJ4roNpjqKGLzxwtvN3ZGW/lmwgjtoNb98wGmtJE+66Q7o7EcnfO2xcBXZBNJ/Da/qoISXngACv369uFYljQ+/pe6HgHZaBvJZPePaO98DFSHE1LY0XUoKkm38m+NK16p4TpOiP2fVzdfvm+DlZBuT35RvGQj1Th39PgIVqzEfW2H1NxEGI2LFCOkBM5lykUrXbmkvpkkINpWYtQkBshku8IQqpTq6FQEucSEIQ8kSX6ysfv8M0lub7o3Vpr0/iOrzaTfbWsUK45Fadnt95VjHgyy+OCKqapsEwxHpn/v0rAdo+m6Q+WTNEB9iehtcLxMYP9u9X+RyoCo1dcPBtgXSXVPJVqCzMfSz4DmkW+g2OjxzMqfsUbQgQp5OHponhwOfgkF4269vk=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tresys.com
X-MS-Exchange-CrossTenant-Network-Message-Id: dca8d08a-f2c9-4c34-df2c-08d6a266e90e
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Mar 2019 19:07:00.5218
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR15MB1683
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Altered to use roleattribute based on suggestion

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/udev.if | 26 ++++++++++++++++++++++++++
 policy/modules/system/udev.te |  2 ++
 2 files changed, 28 insertions(+)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index fee55852..90dfb17d 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -36,6 +36,32 @@ interface(`udev_domtrans',`
 	domtrans_pattern($1, udev_exec_t, udev_t)
 ')
=20
+########################################
+## <summary>
+##	Execute udev in the udev domain, and
+##	allow the specified role the udev domain.
+## </summary>
+## <param name=3D"domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name=3D"role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`udev_run',`
+	gen_require(`
+		attribute_role udev_roles;
+	')
+
+	udev_domtrans($1)
+	roleattribute $2 udev_roles;
+')
+
 ########################################
 ## <summary>
 ##	Allow udev to execute the specified program in
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 3cbf7eff..88bff272 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -4,6 +4,7 @@ policy_module(udev, 1.25.0)
 #
 # Declarations
 #
+attribute_role udev_roles;
=20
 type udev_t;
 type udev_exec_t;
@@ -14,6 +15,7 @@ domain_entry_file(udev_t, udev_helper_exec_t)
 domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
 init_named_socket_activation(udev_t, udev_var_run_t)
+role udev_roles types udev_t;
=20
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
--=20
2.20.1