From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH v2] Add interface udev_run
Date: Wed, 6 Mar 2019 19:07:00 +0000
Message-ID: <20190306190618.9089-1-dsugar@tresys.com>
Altered to use roleattribute based on suggestion

Signed-off-by: Dave Sugar
---
 policy/modules/system/udev.if | 26 ++++++++++++++++++++++++++
 policy/modules/system/udev.te | 2 ++
 2 files changed, 28 insertions(+)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index fee55852..90dfb17d 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -36,6 +36,32 @@ interface(`udev_domtrans',` domtrans_pattern($1, udev_exec_t, udev_t) ') =20 +######################################## +## +## Execute udev in the udev domain, and +## allow the specified role the udev domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`udev_run',` + gen_require(` + attribute_role udev_roles; + ') + + udev_domtrans($1) + roleattribute $2 udev_roles; +') + ######################################## ## ## Allow udev to execute the specified program in diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 3cbf7eff..88bff272 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -4,6 +4,7 @@ policy_module(udev, 1.25.0) # # Declarations # +attribute_role udev_roles; =20 type udev_t; type udev_exec_t; @@ -14,6 +15,7 @@ domain_entry_file(udev_t, udev_helper_exec_t) domain_interactive_fd(udev_t) init_daemon_domain(udev_t, udev_exec_t) init_named_socket_activation(udev_t, udev_var_run_t) +role udev_roles types udev_t; =20 type udev_etc_t alias etc_udev_t; files_config_file(udev_etc_t) --=20 2.20.1
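Review bot: The interface documentation markup is missing from this copy of the udev.if hunk: the `##` lines around "Domain allowed to transition." and "Role allowed access." are empty, so the summary/param structure and the `<rolecap/>` marker that refpolicy's documentation tooling expects on a `_run` interface cannot be checked here; confirm they survive in the applied patch. The interface body itself is the standard roleattribute form: `gen_require` pulls in `attribute_role udev_roles;`, `udev_domtrans($1)` supplies the type transition, and `roleattribute $2 udev_roles;` adds the caller's role, so no `role $2 types udev_t;` is needed inside the interface.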
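Review bot: `role udev_roles types udev_t;` in the second udev.te hunk is what gives `roleattribute $2 udev_roles;` in `udev_run` any effect, so the udev.if and udev.te changes have to be applied together; a tree with only the interface would compile but grant the role nothing. Placing the statement after `init_daemon_domain(udev_t, udev_exec_t)` matches how other refpolicy modules bind their `_roles` attribute, and because `init_daemon_domain` already associates `system_r` with `udev_t`, no separate `roleattribute system_r udev_roles;` is required next to the `attribute_role udev_roles;` declaration in the first hunk.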