From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH v2] Allow additional map permission when reading hwdb
Date: Sat, 9 Mar 2019 03:58:09 +0000
Message-ID: <20190309035757.5443-1-dsugar@tresys.com>
X-Mailer: git-send-email 2.20.1
X-Mailing-List: selinux-refpolicy@vger.kernel.org

I'm seeing a denial for udev to map /etc/udev/hwdb.bin. This creates and uses a new interface to allow the needed permission for udev.

type=AVC msg=audit(1551886176.948:642): avc: denied { map } for pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1

Updated from previous to create a new interface.

Signed-off-by: Dave Sugar

--- policy/modules/system/systemd.if | 18 ++++++++++++++++++ policy/modules/system/udev.te | 1 + 2 files changed, 19 insertions(+) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/syste= md.if index 8d2bb8da..6353ca69 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if 
@@ -37,6 +37,24 @@ interface(`systemd_read_hwdb',` read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t) ') =20 +####################################### +## +## Allow domain to map udev hwdb file +## +## +## +## domain allowed access +## +## +# +interface(`systemd_map_hwdb',` + gen_require(` + type systemd_hwdb_t; + ') + + allow $1 systemd_hwdb_t:file map; +') + ###################################### ## ## Read systemd_login PID files. diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 88bff272..d0496258 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -250,6 +250,7 @@ ifdef(`init_systemd',` init_get_generic_units_status(udev_t) init_stream_connect(udev_t) =20 + systemd_map_hwdb(udev_t) systemd_read_hwdb(udev_t) systemd_read_logind_sessions_files(udev_t) systemd_read_logind_pids(udev_t) --=20 2.20.1
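Review bot: in the systemd.if hunk the doc block for the new `systemd_map_hwdb` interface reads here only as `## Allow domain to map udev hwdb file` and `## domain allowed access`, without the `<summary>` and `<param name="domain">` wrappers that the neighbouring interfaces in this file carry; confirm they are present in the actual patch, and have the summary state that the interface grants only `map`, so a caller must also use `systemd_read_hwdb` for the read access it assumes. Limiting the rule to `allow $1 systemd_hwdb_t:file map;` is the right minimal scope: it adds no write or execute permission, so the caller can only mmap hwdb.bin read-only.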
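Review bot: in the udev.te hunk the new `systemd_map_hwdb(udev_t)` call sits correctly beside `systemd_read_hwdb(udev_t)` inside the `ifdef(`init_systemd'` block and keeps the alphabetical order of the surrounding systemd_* calls. Because the AVC in the commit message was captured with `permissive=1`, it would be worth re-testing udev in enforcing mode before merging to confirm that `map` was the only permission missing for hwdb.bin and that no further denials follow.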