From: Laurent Bigonville
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH 1/2] Allow udevadm to read files in /run/udev/data
Date: Mon, 9 Sep 2019 11:27:00 +0200
Message-Id: <20190909092701.8508-1-bigon@debian.org>
X-Mailer: git-send-email 2.23.0
X-Mailing-List: selinux-refpolicy@vger.kernel.org
From: Laurent Bigonville

With this commit, my basic Debian buster installation is booting:

type=PROCTITLE msg=audit(09/09/19 08:23:24.011:69) : proctitle=/bin/udevadm trigger --type=devices --action=add
type=PATH msg=audit(09/09/19 08:23:24.011:69) : item=0 name=/run/udev/data/+platform:QEMU0002:00 inode=12584 dev=00:15 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:udev_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(09/09/19 08:23:24.011:69) : cwd=/
type=SYSCALL msg=audit(09/09/19 08:23:24.011:69) : arch=x86_64 syscall=openat success=yes exit=5 a0=0xffffff9c a1=0x7fff993f0cb0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=486 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udevadm exe=/usr/bin/udevadm subj=system_u:system_r:udevadm_t:s0 key=(null)
type=AVC msg=audit(09/09/19 08:23:24.011:69) : avc: denied { open } for pid=486 comm=udevadm path=/run/udev/data/+platform:QEMU0002:00 dev="tmpfs" ino=12584 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/09/19 08:23:24.011:69) : avc: denied { read } for pid=486 comm=udevadm name=+platform:QEMU0002:00 dev="tmpfs" ino=12584 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

Signed-off-by: Laurent Bigonville
---
 policy/modules/system/udev.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d02dff71..399e9157 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -394,6 +394,7 @@ delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) +read_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t) dev_rw_sysfs(udevadm_t) dev_read_urand(udevadm_t) -- 2.23.0
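Review bot: the added `read_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)` covers both denials in the trace ({ read } and { open } on a udev_var_run_t file), and the surrounding delete_*_pattern and list_dirs_pattern lines already give udevadm_t stronger access to the same type, so read is consistent with what the domain already holds rather than a new exposure. Two things are worth tightening before merge: the trace was taken with permissive=1, so please confirm that `udevadm trigger --type=devices --action=add` completes in enforcing mode with no further denials on udev_var_run_t, and the commit message should state what udevadm is reading (the per-device files under /run/udev/data, as the subject says) instead of leaving the audit lines to explain the rule on their own.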