Subject: Re: [PATCH v3] Separate out udevadm into a new domain
To: "Sugar, David", "selinux-refpolicy@vger.kernel.org"
References: <20190313181804.10224-1-dsugar@tresys.com>
From: Chris PeBenito
Date: Thu, 14 Mar 2019 18:05:23 -0400
In-Reply-To: <20190313181804.10224-1-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 3/13/19 2:18 PM, Sugar, David wrote:
> This is the update I have made based on suggestions for the previous
> patch to add a udev_run interface. This adds the new domain udevadm_t
> which is entered from /usr/bin/udevadm.
>
> It seems to meet the needs that I have, but there are some things to
> note that are probably important.
> 1) There are a few systemd services that use udevadm during startup.
> I have granted the permissions that I need based on denials I was
> seeing during startup (the machine would fail to start without the
> permissions).
> 2) In the udev.fc file there are other binaries that I don't have on a
> RHEL7 box that maybe should also be labeled udevadm_exec_t.
> e.g. /usr/bin/udevinfo
> But as I don't have those binaries to test, I have not updated the
> type of that binary.
> 3) There are some places that call udev_domtrans that maybe should now
> be using udevadm_domtrans - rpm.te, hal.te, hotplug.te. Again,
> these are not things that I am using in my current situation and am
> unable to test the interactions to know if the change is correct.
>
> Other than that, I think it is good to split out udevadm into a
> different domain to make it separate.
>
> Signed-off-by: Dave Sugar
> ---
> policy/modules/roles/sysadm.te | 4 +++
> policy/modules/system/udev.fc | 4 +--
> policy/modules/system/udev.if | 62 ++++++++++++++++++++++++++++++++++
> policy/modules/system/udev.te | 42 ++++++++++++++++++++++-
> 4 files changed, 109 insertions(+), 3 deletions(-)
> > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 043e54bf..2cc60643 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -1140,6 +1140,10 @@ optional_policy(` > tzdata_domtrans(sysadm_t) > ') > > +optional_policy(` > + udevadm_run(sysadm_t, sysadm_r) > +') > + > optional_policy(` > ulogd_admin(sysadm_t, sysadm_r) > ') > diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc > index 009d821a..606ad517 100644 > --- a/policy/modules/system/udev.fc > +++ b/policy/modules/system/udev.fc > @@ -10,7 +10,7 @@ > /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) > > /usr/bin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) > -/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) > +/usr/bin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) > /usr/bin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/bin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) > @@ -22,7 +22,7 @@ ifdef(`distro_debian',` > ') > > /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) > -/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) > +/usr/sbin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) > /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) > diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if > index fee55852..3028d6b8 100644 > --- a/policy/modules/system/udev.if > +++ b/policy/modules/system/udev.if 
> @@ -447,3 +447,65 @@ interface(`udev_generic_pid_filetrans_run_dirs',` > > files_pid_filetrans($1, udev_var_run_t, dir, $2) > ') > + > +######################################## > +## > +## Execute udev admin in the udevadm domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`udevadm_domtrans',` > + gen_require(` > + type udevadm_t, udevadm_exec_t; > + ') > + > + domtrans_pattern($1, udevadm_exec_t, udevadm_t) > +') > + > +######################################## > +## > +## Execute udevadm in the udevadm domain, and > +## allow the specified role the udevadm domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +## > +## > +## Role allowed access. > +## > +## > +## > +# > +interface(`udevadm_run',` > + gen_require(` > + attribute_role udevadm_roles; > + ') > + > + udevadm_domtrans($1) > + roleattribute $2 udevadm_roles; > +') > + > +######################################## > +## > +## Execute udevadm in the caller domain. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`udevadm_exec',` > + gen_require(` > + type udevadm_exec_t; > + ') > + > + can_exec($1, udevadm_exec_t) > +') > diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te > index 9d5cf3b2..becb54d9 100644 > --- a/policy/modules/system/udev.te > +++ b/policy/modules/system/udev.te > @@ -4,6 +4,7 @@ policy_module(udev, 1.25.1) > # > # Declarations > # > +attribute_role udevadm_roles; > > type udev_t; > type udev_exec_t; > @@ -15,6 +16,12 @@ domain_interactive_fd(udev_t) > init_daemon_domain(udev_t, udev_exec_t) > init_named_socket_activation(udev_t, udev_var_run_t) > > +type udevadm_t; > +type udevadm_exec_t; > +init_system_domain(udevadm_t, udevadm_exec_t) > +application_domain(udevadm_t, udevadm_exec_t) > +role udevadm_roles types udevadm_t; > + > type udev_etc_t alias etc_udev_t; > files_config_file(udev_etc_t) 
> > @@ -35,7 +42,7 @@ ifdef(`enable_mcs',` > > ######################################## > # > -# Local policy > +# udev Local policy > # > > allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource }; > @@ -374,3 +381,36 @@ optional_policy(` > optional_policy(` > xserver_read_xdm_pid(udev_t) > ') > + > + > +######################################## > +# > +# udevadm Local policy > +# > + > +allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms; > +allow udevadm_t self:unix_stream_socket create_socket_perms; > + > +allow udevadm_t udev_t:unix_stream_socket connectto; > + > +delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) > +delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) > +delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) > +list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) > +write_sock_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) This write_sock_files_pattern allong with the above unix socket connectto is stream_connect_pattern. > + > +dev_rw_sysfs(udevadm_t) > +dev_read_urand(udevadm_t) > + > +files_read_etc_files(udevadm_t) > +files_read_usr_files(udevadm_t) > + > +init_list_pids(udevadm_t) > +init_read_state(udevadm_t) > + > +kernel_read_system_state(udevadm_t) > + > +libs_use_ld_so(udevadm_t) > + > +seutil_read_file_contexts(udevadm_t) > + > -- Chris PeBenito
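Review bot: in the udev.fc hunks, relabeling /usr/bin/udevadm and /usr/sbin/udevadm from udev_exec_t to udevadm_exec_t removes udevadm from every caller that reaches it through udev_domtrans today; the cover letter names rpm.te, hal.te and hotplug.te as such callers but no hunk touches them, so either convert those callers to udevadm_domtrans in this patch or say in the commit message that they intentionally keep only udev_exec_t access. The other udev binaries listed beside them (udevinfo, udevsend, udevstart, udevd) stay udev_exec_t, and existing systems need a relabel of the two udevadm paths before the new transition takes effect.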
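Review bot: in the udev.if hunk, the summary for udevadm_domtrans reads "Execute udev admin in the udevadm domain" while udevadm_run and udevadm_exec say "udevadm"; use the binary name consistently. udevadm_exec is declared but nothing in this patch calls it (sysadm.te uses udevadm_run and udev.te relies on init_system_domain for the init transition), which is fine for a public interface but deserves a sentence in the commit message so it is not taken for dead code.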
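Review bot: in the udev.te local policy hunk, `allow udevadm_t udev_t:unix_stream_socket connectto;` together with `write_sock_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)` is what stream_connect_pattern expands to, so replace the pair with `stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t)`. The three delete_*_pattern rules let udevadm remove udev's runtime state under udev_var_run_t; the cover letter says the rules came from startup denials but not which udevadm invocation needed them, so add a comment above them naming that operation, since removal rights are broader than the connect-and-query access the rest of the block grants. Unrelated but visible in the context line: sys_nice appears twice in the udev_t capability allow and could be deduplicated in a separate cleanup.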