From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH v4] Separate out udevadm into a new domain
Date: Fri, 15 Mar 2019 02:27:10 +0000
Message-ID: <20190315022658.24006-1-dsugar@tresys.com>
This is the update I have made based on suggestions for the previous patches to add a udev_run interface. This adds the new domain udevadm_t which is entered from /usr/bin/udevadm.

It seems to meet the needs that I have, but there are some things to note that are probably important.

1) There are a few systemd services that use udevadm during startup. I have granted the permissions that I need based on denials I was seeing during startup (the machine would fail to start without the permissions).

2) In the udev.fc file there are other binaries that I don't have on a RHEL7 box that maybe should also be labeled udevadm_exec_t, e.g. /usr/bin/udevinfo and /usr/bin/udevsend. But as I don't have those binaries to test, I have not updated the type of those binaries.
3) There are some places that call udev_domtrans that maybe should now be using udevadm_domtrans - rpm.te, hal.te, hotplug.te. Again, these are not things that I am using in my current situation and I am unable to test the interactions to know if the change is correct.

Other than that, I think this was a good suggestion to split udevadm into a different domain.

Only change for v4 is to use stream_connect_pattern as suggested.

Signed-off-by: Dave Sugar
---
 policy/modules/roles/sysadm.te |  4 +++
 policy/modules/system/udev.fc  |  4 +--
 policy/modules/system/udev.if  | 62 ++++++++++++++++++++++++++++++++++
 policy/modules/system/udev.te  | 40 +++++++++++++++++++++-
 4 files changed, 107 insertions(+), 3 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.t= e index 043e54bf..2cc60643 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1140,6 +1140,10 @@ optional_policy(` tzdata_domtrans(sysadm_t) ') =20 +optional_policy(` + udevadm_run(sysadm_t, sysadm_r) +') + optional_policy(` ulogd_admin(sysadm_t, sysadm_r) ') diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc index 009d821a..606ad517 100644 --- a/policy/modules/system/udev.fc +++ b/policy/modules/system/udev.fc @@ -10,7 +10,7 @@ /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s= 0) =20 /usr/bin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) -/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) +/usr/bin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) /usr/bin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/bin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) 
@@ -22,7 +22,7 @@ ifdef(`distro_debian',` ') =20 /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) -/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) +/usr/sbin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if index fee55852..3028d6b8 100644 --- a/policy/modules/system/udev.if +++ b/policy/modules/system/udev.if @@ -447,3 +447,65 @@ interface(`udev_generic_pid_filetrans_run_dirs',` =20 files_pid_filetrans($1, udev_var_run_t, dir, $2) ') + +######################################## +## +## Execute udev admin in the udevadm domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`udevadm_domtrans',` + gen_require(` + type udevadm_t, udevadm_exec_t; + ') + + domtrans_pattern($1, udevadm_exec_t, udevadm_t) +') + +######################################## +## +## Execute udevadm in the udevadm domain, and +## allow the specified role the udevadm domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`udevadm_run',` + gen_require(` + attribute_role udevadm_roles; + ') + + udevadm_domtrans($1) + roleattribute $2 udevadm_roles; +') + +######################################## +## +## Execute udevadm in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`udevadm_exec',` + gen_require(` + type udevadm_exec_t; + ') + + can_exec($1, udevadm_exec_t) +') diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 9d5cf3b2..1e2c6cea 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -4,6 +4,7 @@ policy_module(udev, 1.25.1) # # Declarations # +attribute_role udevadm_roles; =20 type udev_t; type udev_exec_t; 
@@ -15,6 +16,12 @@ domain_interactive_fd(udev_t) init_daemon_domain(udev_t, udev_exec_t) init_named_socket_activation(udev_t, udev_var_run_t) =20 +type udevadm_t; +type udevadm_exec_t; +init_system_domain(udevadm_t, udevadm_exec_t) +application_domain(udevadm_t, udevadm_exec_t) +role udevadm_roles types udevadm_t; + type udev_etc_t alias etc_udev_t; files_config_file(udev_etc_t) =20 @@ -35,7 +42,7 @@ ifdef(`enable_mcs',` =20 ######################################## # -# Local policy +# udev Local policy # =20 allow udev_t self:capability { chown dac_override dac_read_search fowner f= setid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys= _ptrace sys_rawio sys_resource }; @@ -374,3 +381,34 @@ optional_policy(` optional_policy(` xserver_read_xdm_pid(udev_t) ') + + +######################################## +# +# udevadm Local policy +# + +allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms; +allow udevadm_t self:unix_stream_socket create_socket_perms; + +delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) +delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) +delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) +list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) +stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t) + +dev_rw_sysfs(udevadm_t) +dev_read_urand(udevadm_t) + +files_read_etc_files(udevadm_t) +files_read_usr_files(udevadm_t) + +init_list_pids(udevadm_t) +init_read_state(udevadm_t) + +kernel_read_system_state(udevadm_t) + +libs_use_ld_so(udevadm_t) + +seutil_read_file_contexts(udevadm_t) + --=20 2.20.1
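Review bot: the udev.fc hunks relabel only /usr/bin/udevadm and /usr/sbin/udevadm; the /usr/bin/udevinfo and /usr/bin/udevsend entries visible in the context lines keep udev_exec_t, so those tools still enter udev_t rather than the new, narrower udevadm_t. The cover note explains they could not be tested, so record that deliberately in the commit message (or a short comment in udev.fc) so the next reader does not take it for an oversight.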
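Review bot: in the udev.if hunk the summary of udevadm_domtrans says "Execute udev admin in the udevadm domain" while udevadm_run and udevadm_exec say "udevadm"; use the program name consistently. Also, udevadm_exec has no caller anywhere in this series; either name its intended consumer in the commit message or leave it out until one exists, since unused interfaces tend to be removed as dead code.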
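Review bot: the udev.te declaration hunk applies both init_system_domain and application_domain to udevadm_t. That matches the cover note (systemd units run it at boot, and udevadm_run lets sysadm_r run it interactively), but the combination is unusual enough to deserve a one-line comment above the declarations explaining why both are needed.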
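Review bot: unrelated to this change, but visible in the context of the "udev Local policy" banner rename: the `allow udev_t self:capability { ... }` rule lists sys_nice twice. Worth a separate one-line cleanup patch.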
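Review bot: two points on the "udevadm Local policy" hunk. First, there are two consecutive added blank lines between the closing `')` of the preceding optional_policy block and the new banner; refpolicy uses a single blank line there. Second, the rules were derived from boot-time denials, so interactive use is likely under-covered: udevadm_run(sysadm_t, sysadm_r) lets an administrator run the tool from a shell, yet nothing in the block grants use of the caller's terminal or inherited descriptors (for example userdom_use_user_terminals(udevadm_t) or domain_use_interactive_fds(udevadm_t)), so please test that `udevadm info` output to a pty does not produce denials before this is merged. Also confirm that libs_use_ld_so(udevadm_t) is still required on the target refpolicy release rather than a deprecated call that only emits a build warning.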