Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp4364040ybe;
        Mon, 9 Sep 2019 08:15:59 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzg9SQ62H87rSMr9XvIJw4Zff0aYFnnar4lRXXi/KmDbs4274UtKFmkVpCnEI/a/aqpHVZe
X-Received: by 2002:a50:de8f:: with SMTP id c15mr25266089edl.47.1568042158908;
        Mon, 09 Sep 2019 08:15:58 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1568042158; cv=none;
        d=google.com; s=arc-20160816;
        b=WZoPbAcxWxIbz79yH/LXbq7KI+P9RCJVRK2fcLJ4dI37O91VBkh1rFg+qtpA5nwFml
         mpGa2AI/wDxNW8I+QQ2hiSBkCgUW++B7Ldk6Chf1Ceyfpw8XipcEs5kqX/SxCrqLpz+F
         BIQ2DWMteF06Sf4DXZLYSJXQ9r1VZBctaDaKRqv0Kye3dh3xa/PoDuJ/NaCeuGSH1DP7
         0GMSOO6DRI/ZFXLc77TOLkRmHKbOt6Mnb7Y9K+KAo8pNoueOj+rtXO05LdrW0V8jS2sz
         YPFwrXI/IX34EEmAQRTZKLbEgzcHW9fZjrsSj429Zzm74tf7gyZU8+fbwMETJPttFQwa
         Ivjw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-language
         :content-transfer-encoding:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:to:subject;
        bh=tftU00KXPvN9+Q/0NhuvR1mFQVwpgz1NSXcU4Cmsy4c=;
        b=m9F5sy+lZQrivzb+nlGCqC/acKlzAROIkyOFdjg+brPqKRcuDJE/AHSHv3yrprhhMC
         JnrWltRW3R0wOls0/jWp2qZKpjsAFINfzUHywjHCkEJyifvRI60H7eTWJoRwmalwp05L
         HafeoaT/iC0YzA4udIN1P0FYuVfk7d81w1D8eq4x8/8L+c3HbYm3DybgWP0S6UX4GohA
         9T+Gv5CrTsVhcmiiOBU1UYTNF8H/LtTNePxomAMIMOs9lVWUTtRwJBtyFWUGGyjOaM4O
         pma2X/oZSjIKJks4mxnSzuCm9yyi02zAlFcpbLImbT2QKptzq6L/V/dbszpUZ/oB2+Fi
         xYdw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e14si8529960edd.417.2019.09.09.08.15.53;
        Mon, 09 Sep 2019 08:15:58 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728115AbfIIJ0F (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 11 others); Mon, 9 Sep 2019 05:26:05 -0400
Received: from ithil.bigon.be ([163.172.57.153]:55768 "EHLO ithil.bigon.be"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727664AbfIIJ0E (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Mon, 9 Sep 2019 05:26:04 -0400
X-Greylist: delayed 430 seconds by postgrey-1.27 at vger.kernel.org; Mon, 09 Sep 2019 05:26:04 EDT
Received: from localhost (localhost [IPv6:::1])
        by ithil.bigon.be (Postfix) with ESMTP id CAA3D20059;
        Mon,  9 Sep 2019 11:18:52 +0200 (CEST)
Received: from ithil.bigon.be ([IPv6:::1])
        by localhost (ithil.bigon.be [IPv6:::1]) (amavisd-new, port 10026)
        with ESMTP id OsM7qKN10Gut; Mon,  9 Sep 2019 11:18:52 +0200 (CEST)
Received: from [10.40.0.155] (unknown [193.53.238.198])
        (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
        (No client certificate requested)
        (Authenticated sender: bigon@bigon.be)
        by ithil.bigon.be (Postfix) with ESMTPSA;
        Mon,  9 Sep 2019 11:18:52 +0200 (CEST)
Subject: Re: Permissions in the udevadm_t domain
To:     Nicolas Iooss <nicolas.iooss@m4x.org>,
        selinux-refpolicy@vger.kernel.org
References: <6d208e36-cf81-7fde-2b57-fddf4a529f52@debian.org>
 <CAJfZ7=nTK1uO0j7wbevyitrNv_1RYyLpgzMPWjJkM3Mzpcg7ag@mail.gmail.com>
From:   Laurent Bigonville <bigon@debian.org>
Message-ID: <9906138d-4c2e-b300-755f-b65629841836@debian.org>
Date:   Mon, 9 Sep 2019 11:18:51 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.0
MIME-Version: 1.0
In-Reply-To: <CAJfZ7=nTK1uO0j7wbevyitrNv_1RYyLpgzMPWjJkM3Mzpcg7ag@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 7/09/19 15:14, Nicolas Iooss wrote:
> [Adding selinux-refpolicy@vger.kernel.org, which is better suited for
> questions related to refpolicy]
>
> On Sat, Sep 7, 2019 at 12:19 PM Laurent Bigonville <bigon@debian.org> wrote:
> [...]
>> But when
>> looking at the current policy code I'm seeing that udevadm is allowed to
>> delete files/directory/.. in /var/run and I'm wondering why. I've never
>> seen this happening during my (limited) test, an idea?
> Which policy? On my test system based on a lightly-patched refpolicy, I have:
>
> # sesearch -A -s udevadm_t -t var_run_t
> allow udevadm_t var_run_t:dir { getattr open search };
> allow udevadm_t var_run_t:lnk_file { getattr read };

It's the refpolicy, but I meant udev_var_run_t (/var/run/udev) rather 
than var_run_t

# sesearch -A -s udevadm_t -t udev_var_run_t
allow udevadm_t udev_var_run_t:dir { getattr ioctl lock open read 
remove_name rmdir search write };
allow udevadm_t udev_var_run_t:file { getattr unlink };
allow udevadm_t udev_var_run_t:lnk_file { getattr unlink };
allow udevadm_t udev_var_run_t:sock_file { append getattr open write };

>
>> For the later, it seems that the kernel the mode to 400 on some files in
>> /sys (ie. --w------- 1 root root 4096 sep  5 17:06
>> /sys/module/snd_hda_codec_generic/uevent) looking at the code it seems
>> that udev is ready to handle EACCES already, so I was wondering, should
>> we just allow dac_read_search or don't audit dac_read_search (and
>> dac_override as well then)?
> For the record, even with dac_read_search, opening this file fails
> with EACCES, because the kernel did not implement show() on this sysfs
> file (cf. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/kernel/module.c?h=v5.2#n1204
> and kernfs_fop_open() in fs/kernfs/file.c). More precisely, openat()
> returns EACCES because kernfs_fop_open() returns this error code when
> trying to open a write-only file for reading. Unfortunately this check
> happens after the capability checks, which is why you got the denials
> for dac_override and dac_read_search.
>
> I do not have an opinion about allowing dac_read_search vs.
> dontaudit-ing dac_read_search and dac_override.
Grift was saying that "the cap_dac_read_search could maybe be 
dontaudited, but then cap_dac_override would have to be dontaudited as 
well. cap_dac_read_search would also be triggered when you run `sudo 
udevadm ...` where pwd or/and oldpwd is ~"

So I guess I will just allow it