Subject: Re: [PATCH v4] Separate out udevadm into a new domain
From: Chris PeBenito
To: "Sugar, David", selinux-refpolicy@vger.kernel.org
Date: Sun, 17 Mar 2019 16:15:45 -0400
Message-ID: <0c4dad01-c8b9-fea9-3dcb-32d9b21ab665@ieee.org>
In-Reply-To: <20190315022658.24006-1-dsugar@tresys.com>
List-ID: selinux-refpolicy@vger.kernel.org

On 3/14/19 10:27 PM, Sugar, David wrote:
> This is the update I have made based on suggestions for the previous
> patches to add a udev_run interface. This adds the new domain udevadm_t
> which is entered from /usr/bin/udevadm.
>
> It seems to meet the needs that I have, but there are some things to
> note that are probably important.
> 1) There are a few systemd services that use udevadm during startup.
>    I have granted the permissions that I need based on denials I was
>    seeing during startup (the machine would fail to start without the
>    permissions).
> 2) In the udev.fc file there are other binaries that I don't have on a
>    RHEL7 box that maybe should also be labeled udevadm_exec_t.
>    e.g. /usr/bin/udevinfo and /usr/bin/udevsend
>    But as I don't have those binaries to test, I have not updated the
>    type of that binary.
> 3) There are some places that call udev_domtrans that maybe should now
>    be using udevadm_domtrans - rpm.te, hal.te, hotplug.te. Again,
>    these are not things that I am using in my current situation and am
>    unable to test the interactions to know if the change is correct.
>
> Other than that, I think this was a good suggestion to split udevadm
> into a different domain.
>
> Only change for v4 is to use stream_connect_pattern as suggested.
> > Signed-off-by: Dave Sugar > --- > policy/modules/roles/sysadm.te | 4 +++ > policy/modules/system/udev.fc | 4 +-- > policy/modules/system/udev.if | 62 ++++++++++++++++++++++++++++++++++ > policy/modules/system/udev.te | 40 +++++++++++++++++++++- > 4 files changed, 107 insertions(+), 3 deletions(-) > > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > index 043e54bf..2cc60643 100644 > --- a/policy/modules/roles/sysadm.te > +++ b/policy/modules/roles/sysadm.te > @@ -1140,6 +1140,10 @@ optional_policy(` > tzdata_domtrans(sysadm_t) > ') > > +optional_policy(` > + udevadm_run(sysadm_t, sysadm_r) > +') > + > optional_policy(` > ulogd_admin(sysadm_t, sysadm_r) > ') > diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc > index 009d821a..606ad517 100644 > --- a/policy/modules/system/udev.fc > +++ b/policy/modules/system/udev.fc > @@ -10,7 +10,7 @@ > /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) > > /usr/bin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) > -/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) > +/usr/bin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) > /usr/bin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/bin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) > @@ -22,7 +22,7 @@ ifdef(`distro_debian',` > ') > > /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) > -/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) > +/usr/sbin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) > /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) > diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if > index fee55852..3028d6b8 100644 
> --- a/policy/modules/system/udev.if > +++ b/policy/modules/system/udev.if > @@ -447,3 +447,65 @@ interface(`udev_generic_pid_filetrans_run_dirs',` > > files_pid_filetrans($1, udev_var_run_t, dir, $2) > ') > + > +######################################## > +## > +## Execute udev admin in the udevadm domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`udevadm_domtrans',` > + gen_require(` > + type udevadm_t, udevadm_exec_t; > + ') > + > + domtrans_pattern($1, udevadm_exec_t, udevadm_t) > +') > + > +######################################## > +## > +## Execute udevadm in the udevadm domain, and > +## allow the specified role the udevadm domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +## > +## > +## Role allowed access. > +## > +## > +## > +# > +interface(`udevadm_run',` > + gen_require(` > + attribute_role udevadm_roles; > + ') > + > + udevadm_domtrans($1) > + roleattribute $2 udevadm_roles; > +') > + > +######################################## > +## > +## Execute udevadm in the caller domain. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`udevadm_exec',` > + gen_require(` > + type udevadm_exec_t; > + ') > + > + can_exec($1, udevadm_exec_t) > +') > diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te > index 9d5cf3b2..1e2c6cea 100644 > --- a/policy/modules/system/udev.te > +++ b/policy/modules/system/udev.te > @@ -4,6 +4,7 @@ policy_module(udev, 1.25.1) > # > # Declarations > # > +attribute_role udevadm_roles; > > type udev_t; > type udev_exec_t; > @@ -15,6 +16,12 @@ domain_interactive_fd(udev_t) > init_daemon_domain(udev_t, udev_exec_t) > init_named_socket_activation(udev_t, udev_var_run_t) > > +type udevadm_t; > +type udevadm_exec_t; > +init_system_domain(udevadm_t, udevadm_exec_t) > +application_domain(udevadm_t, udevadm_exec_t) > +role udevadm_roles types udevadm_t; > + > type udev_etc_t alias etc_udev_t; > files_config_file(udev_etc_t) 
> > @@ -35,7 +42,7 @@ ifdef(`enable_mcs',` > > ######################################## > # > -# Local policy > +# udev Local policy > # > > allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource }; > @@ -374,3 +381,34 @@ optional_policy(` > optional_policy(` > xserver_read_xdm_pid(udev_t) > ') > + > + > +######################################## > +# > +# udevadm Local policy > +# > + > +allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms; > +allow udevadm_t self:unix_stream_socket create_socket_perms; > + > +delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) > +delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) > +delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) > +list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) > +stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t) > + > +dev_rw_sysfs(udevadm_t) > +dev_read_urand(udevadm_t) > + > +files_read_etc_files(udevadm_t) > +files_read_usr_files(udevadm_t) > + > +init_list_pids(udevadm_t) > +init_read_state(udevadm_t) > + > +kernel_read_system_state(udevadm_t) > + > +libs_use_ld_so(udevadm_t) > + > +seutil_read_file_contexts(udevadm_t) Merged. -- Chris PeBenito
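Review bot: in the udev.fc hunks, relabeling /usr/bin/udevadm and /usr/sbin/udevadm from udev_exec_t to udevadm_exec_t removes execute access from every domain that currently reaches udevadm through udev_domtrans or can_exec on udev_exec_t (the cover letter names rpm.te, hal.te and hotplug.te); after this change those callers get a plain execute denial on udevadm_exec_t rather than ending up in the wrong domain. Either switch those callers to udevadm_domtrans in the same series or record the follow-up so the breakage is expected. The /usr/bin/udevinfo and /usr/bin/udevsend entries stay udev_exec_t, so on a system that still ships them the admin-side tools run in two different domains depending on which binary is invoked; labeling all of them udevadm_exec_t would keep the split consistent.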
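Review bot: in the udev.if hunk, the new udevadm_exec interface is declared but nothing in this patch calls it. If any of the startup services mentioned in the cover letter run udevadm without a domain transition, this is the interface they now need (the binary is no longer udev_exec_t, so a bare can_exec on udev_exec_t no longer covers it); otherwise it can be dropped until a caller exists. The gen_require in udevadm_run only lists `attribute_role udevadm_roles;`, which is fine because udevadm_domtrans carries its own gen_require for the types.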
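Review bot: in the udev.te hunks, udevadm_t is set up with init_system_domain and application_domain but is granted no terminal access, so when sysadm_t transitions into it via udevadm_run (sysadm.te hunk) the pty inherited from the admin shell will be denied unless one of those attributes already supplies it; the usual fix in reference policy is userdom_use_inherited_user_terminals(udevadm_t), and interactive runs should be checked for tty/pty denials. The policy_module(udev, 1.25.1) line in the first hunk's context is not bumped even though new types, a role attribute and three interfaces are added. Minor drive-by in the unchanged context of the third hunk: the `allow udev_t self:capability { ... sys_nice sys_nice ... }` line lists sys_nice twice.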