From: "Sugar, David" <dsugar@tresys.com>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH v3] Separate out udevadm into a new domain
Date: Wed, 13 Mar 2019 18:18:55 +0000
Message-ID: <20190313181804.10224-1-dsugar@tresys.com>
This is the update I have made based on suggestions for the previous patch to add a udev_run interface. This adds the new domain udevadm_t which is entered from /usr/bin/udevadm.

It seems to meet the needs that I have, but there are some things to note that are probably important.

1) There are a few systemd services that use udevadm during startup. I have granted the permissions that I need based on denials I was seeing during startup (the machine would fail to start without the permissions).

2) In the udev.fc file there are other binaries that I don't have on a RHEL7 box that maybe should also be labeled udevadm_exec_t, e.g. /usr/bin/udevinfo. But as I don't have those binaries to test, I have not updated the type of that binary.
3) There are some places that call udev_domtrans that maybe should now be using udevadm_domtrans - rpm.te, hal.te, hotplug.te. Again, these are not things that I am using in my current situation and am unable to test the interactions to know if the change is correct.

Other than that, I think it is good to split out udevadm into a different domain to make it separate.

Signed-off-by: Dave Sugar
---
policy/modules/roles/sysadm.te | 4 +++
policy/modules/system/udev.fc | 4 +--
policy/modules/system/udev.if | 62 ++++++++++++++++++++++++++++++++++
policy/modules/system/udev.te | 42 ++++++++++++++++++++++-
4 files changed, 109 insertions(+), 3 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.t= e index 043e54bf..2cc60643 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1140,6 +1140,10 @@ optional_policy(` tzdata_domtrans(sysadm_t) ') =20 +optional_policy(` + udevadm_run(sysadm_t, sysadm_r) +') + optional_policy(` ulogd_admin(sysadm_t, sysadm_r) ') diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 009d821a..606ad517 100644 --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc @@ -10,7 +10,7 @@ /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s= 0) =20 /usr/bin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) -/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) +/usr/bin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) /usr/bin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/bin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) 
@@ -22,7 +22,7 @@ ifdef(`distro_debian',` ') =20 /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) -/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) +/usr/sbin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if index fee55852..3028d6b8 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -447,3 +447,65 @@ interface(`udev_generic_pid_filetrans_run_dirs',` =20 files_pid_filetrans($1, udev_var_run_t, dir, $2) ') + +######################################## +## +## Execute udev admin in the udevadm domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`udevadm_domtrans',` + gen_require(` + type udevadm_t, udevadm_exec_t; + ') + + domtrans_pattern($1, udevadm_exec_t, udevadm_t) +') + +######################################## +## +## Execute udevadm in the udevadm domain, and +## allow the specified role the udevadm domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`udevadm_run',` + gen_require(` + attribute_role udevadm_roles; + ') + + udevadm_domtrans($1) + roleattribute $2 udevadm_roles; +') + +######################################## +## +## Execute udevadm in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`udevadm_exec',` + gen_require(` + type udevadm_exec_t; + ') + + can_exec($1, udevadm_exec_t) +') diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 9d5cf3b2..becb54d9 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -4,6 +4,7 @@ policy_module(udev, 1.25.1) # # Declarations # +attribute_role udevadm_roles; =20 type udev_t; type udev_exec_t; 
@@ -15,6 +16,12 @@ domain_interactive_fd(udev_t) init_daemon_domain(udev_t, udev_exec_t) init_named_socket_activation(udev_t, udev_var_run_t) =20 +type udevadm_t; +type udevadm_exec_t; +init_system_domain(udevadm_t, udevadm_exec_t) +application_domain(udevadm_t, udevadm_exec_t) +role udevadm_roles types udevadm_t; + type udev_etc_t alias etc_udev_t; files_config_file(udev_etc_t) =20 @@ -35,7 +42,7 @@ ifdef(`enable_mcs',` =20 ######################################## # -# Local policy +# udev Local policy # =20 allow udev_t self:capability { chown dac_override dac_read_search fowner f= setid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys= _ptrace sys_rawio sys_resource }; @@ -374,3 +381,36 @@ optional_policy(` optional_policy(` xserver_read_xdm_pid(udev_t) ') + + +######################################## +# +# udevadm Local policy +# + +allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms; +allow udevadm_t self:unix_stream_socket create_socket_perms; + +allow udevadm_t udev_t:unix_stream_socket connectto; + +delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) +delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) +delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) +list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) +write_sock_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) + +dev_rw_sysfs(udevadm_t) +dev_read_urand(udevadm_t) + +files_read_etc_files(udevadm_t) +files_read_usr_files(udevadm_t) + +init_list_pids(udevadm_t) +init_read_state(udevadm_t) + +kernel_read_system_state(udevadm_t) + +libs_use_ld_so(udevadm_t) + +seutil_read_file_contexts(udevadm_t) + --=20 2.20.1
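Review bot: In the udev.fc hunk for /usr/bin, /usr/bin/udevinfo keeps udev_exec_t while /usr/bin/udevadm moves to udevadm_exec_t. udevinfo is the pre-udevadm name of what is now `udevadm info`, a query tool rather than the daemon, so the same split applies to it on systems that still ship it; either relabel it udevadm_exec_t for consistency or say in the commit message that the legacy entries (udevinfo, udevsend, udevstart) were deliberately left alone because they could not be tested, as the cover text already hints.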
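Review bot: In the udev.if hunk the summary for udevadm_domtrans reads "Execute udev admin in the udevadm domain" while udevadm_run and udevadm_exec both say "udevadm"; use the program name in all three. As rendered in this mail the doc comments are bare "##" lines with no <summary>/<param name=...> markup; if that is not just how the message was rendered, segenxml will not pick these interfaces up for the policy documentation, so it is worth checking the file before merge. The interface bodies themselves follow the usual domtrans_pattern, roleattribute and can_exec shapes and look fine.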
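Review bot: The "# udev Local policy" rename in the third udev.te hunk is fine; the unchanged context line right below it shows a pre-existing duplicated sys_nice in udev_t's self:capability set, which deserves a separate cleanup patch rather than being folded into this one.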
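Review bot: The udevadm local policy hunk lets udevadm_t list and delete under udev_var_run_t and write its sock files, but grants no read access to the files there, so `udevadm info`, which reads the device database kept under /run/udev, will be denied in this domain; add read_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) next to the delete rules. Second, because the sysadm.te hunk lets sysadm_t transition into udevadm_t, the domain also needs to use the inherited terminal to print anything at all, e.g. userdom_use_inherited_user_terminals(udevadm_t); nothing in the hunk covers that, which matches the rules having been derived only from boot-time denials, so a quick run of `udevadm info` and `udevadm trigger` from a sysadm_r shell in permissive mode would show what is still missing. Minor style: there are two blank lines before the "# udevadm Local policy" header where the rest of the file uses one.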