Subject: Re: [PATCH 02/10] udev: Add watch perms
To: Jason Zaman, selinux-refpolicy@vger.kernel.org
References: <20200216200319.39337-1-jason@perfinion.com> <20200216200319.39337-2-jason@perfinion.com>
From: Chris PeBenito
Date: Mon, 17 Feb 2020 13:27:06 -0500
In-Reply-To: <20200216200319.39337-2-jason@perfinion.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/16/20 3:03 PM, Jason Zaman wrote:
> Udev watches all the fixed_disks and udevadm watches the runtime dir.
>
> udevd[3010]: inotify_add_watch(6, /dev/sde, 10) failed: Permission denied
>
> avc: denied { watch } for pid=4669 comm="udevadm" path="/run/udev" dev="tmpfs" ino=19464 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0
> avc: denied { watch } for pid=3022 comm="udevd" path="/dev/loop3" dev="devtmpfs" ino=10247 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
> Signed-off-by: Jason Zaman > --- > policy/modules/kernel/storage.if | 20 ++++++++++++++++++++ > policy/modules/system/udev.te | 3 +++ > 2 files changed, 23 insertions(+) > > diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if > index c14bb13b..f9dcbaf5 100644 > --- a/policy/modules/kernel/storage.if > +++ b/policy/modules/kernel/storage.if > @@ -364,6 +364,26 @@ interface(`storage_swapon_fixed_disk',` > allow $1 fixed_disk_device_t:blk_file getattr; > ') > > +######################################## > +## > +## Watch fixed disk device nodes. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`storage_watch_fixed_disk',` > + gen_require(` > + type fixed_disk_device_t; > + ') > + > + dev_list_all_dev_nodes($1) > + allow $1 fixed_disk_device_t:blk_file watch; > + allow $1 fixed_disk_device_t:chr_file watch; > +') > + > ######################################## > ## > ## Allow the caller to get the attributes > diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te > index 0ccbcb51..e0e27a9d 100644 > --- a/policy/modules/system/udev.te > +++ b/policy/modules/system/udev.te > @@ -154,6 +154,8 @@ selinux_compute_create_context(udev_t) > selinux_compute_relabel_context(udev_t) > selinux_compute_user_contexts(udev_t) > > +storage_watch_fixed_disk(udev_t) > + > auth_read_pam_console_data(udev_t) > auth_domtrans_pam_console(udev_t) > auth_use_nsswitch(udev_t) > @@ -401,6 +403,7 @@ delete_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t) > delete_lnk_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t) > list_dirs_pattern(udevadm_t, udev_runtime_t, udev_runtime_t) > read_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t) > +allow udevadm_t udev_runtime_t:dir watch; > > list_dirs_pattern(udevadm_t, udev_tbl_t, udev_tbl_t) > read_files_pattern(udevadm_t, udev_tbl_t, udev_tbl_t)

Merged.

-- 
Chris PeBenito
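Review bot: in the storage.if hunk, `watch` (rather than `watch_reads`) is the correct permission for the denial quoted in the description: the udevd error shows `inotify_add_watch(6, /dev/sde, 10)`, and mask 10 (0xa) is IN_MODIFY|IN_CLOSE_WRITE, neither of which is a read-like event, so only `watch` is checked. The new interface additionally grants `fixed_disk_device_t:chr_file watch` although only the blk_file denial is shown; that mirrors how the other fixed-disk interfaces in this file treat both classes, but a sentence in the commit message saying the chr_file rule is for symmetry rather than an observed denial would help the next reader. Also, the interface documentation block appears here as bare `## ` lines with no summary or parameter markup; if the mail rendering dropped the tags this is moot, otherwise the doc generator will need them.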
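Review bot: in the second udev.te hunk, the new `allow udevadm_t udev_runtime_t:dir watch;` is scoped exactly to the denial (dir class on udev_runtime_t only), which is the right granularity. Minor style point: it is placed after the `read_files_pattern(...)` macro call; a raw allow rule on the module's own type usually reads more consistently ahead of the `*_pattern()` group, so consider moving it above `delete_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)`.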
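As an added example (not code from the patch, from Jason Zaman or from the refpolicy project), the following Python script does the checks a reviewer of this patch would want to do by hand: it parses the two AVC denials quoted above into the minimal allow rules that would silence them, decodes the inotify mask from the udevd error to decide whether `watch` or `watch_reads` is required, and confirms the rules the patch adds cover every denial. The `PATCH_RULES` map is my transcription of the patch's three allow rules, the denial strings are copied from the message as constructed input, and the set of read-like inotify events (IN_ACCESS and IN_CLOSE_NOWRITE) is my reading of the kernel's SELinux `watch_reads` check, stated as an assumption.

```python
import re

# Constructed input: the two AVC denials from the patch description, embedded
# here as data so the script runs offline (no audit log is read).
DENIALS = [
    'avc: denied { watch } for pid=4669 comm="udevadm" path="/run/udev" dev="tmpfs" '
    'ino=19464 scontext=system_u:system_r:udevadm_t:s0 '
    'tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0',
    'avc: denied { watch } for pid=3022 comm="udevd" path="/dev/loop3" dev="devtmpfs" '
    'ino=10247 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0',
]

# Fields we need from an AVC line: the permission set, both contexts, the class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return {'perms', 'stype', 'ttype', 'tclass'} for one denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # user:role:type[:range] -> the type is the third field, MLS range is ignored.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return {'perms': set(m.group('perms').split()), 'stype': stype,
            'ttype': ttype, 'tclass': m.group('tclass')}


def required_rules(lines):
    """Collapse denials into (stype, ttype, tclass) -> perms, i.e. the minimal
    allow rules that would silence them (what audit2allow would print)."""
    rules = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        rules.setdefault((d['stype'], d['ttype'], d['tclass']), set()).update(d['perms'])
    return rules


def format_rule(key, perms):
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {' '.join(sorted(perms))};"


# inotify event bits from <linux/inotify.h>; the udevd error shows mask 10 (0xa).
IN_ACCESS, IN_MODIFY, IN_ATTRIB = 0x1, 0x2, 0x4
IN_CLOSE_WRITE, IN_CLOSE_NOWRITE, IN_OPEN = 0x8, 0x10, 0x20
# Assumption: SELinux requires watch_reads only for read-like events (access,
# close-nowrite); every other inotify event needs just watch.
READ_LIKE = IN_ACCESS | IN_CLOSE_NOWRITE


def watch_perm_for_mask(mask):
    """SELinux permissions an inotify watch with this event mask is checked for."""
    perms = {'watch'}
    if mask & READ_LIKE:
        perms.add('watch_reads')
    return perms


# The rules the patch adds, transcribed into the same key -> perms shape so the
# denials can be checked against them. storage_watch_fixed_disk(udev_t) also
# grants chr_file watch, which no quoted denial needed.
PATCH_RULES = {
    ('udev_t', 'fixed_disk_device_t', 'blk_file'): {'watch'},
    ('udev_t', 'fixed_disk_device_t', 'chr_file'): {'watch'},
    ('udevadm_t', 'udev_runtime_t', 'dir'): {'watch'},
}


def uncovered(denials, patch_rules):
    """Denial-derived rules (or parts of them) that patch_rules does not grant."""
    missing = {}
    for key, perms in required_rules(denials).items():
        gap = perms - patch_rules.get(key, set())
        if gap:
            missing[key] = gap
    return missing


if __name__ == '__main__':
    for key, perms in required_rules(DENIALS).items():
        print(format_rule(key, perms))
    print('inotify mask 10 needs:', sorted(watch_perm_for_mask(10)))
    print('denials not covered by the patch:', uncovered(DENIALS, PATCH_RULES))
```

Running it prints the two audit2allow-style rules, shows that mask 10 needs only `watch`, and reports an empty uncovered map; feeding it a real `ausearch -m avc` dump and a transcription of a proposed patch gives the same coverage check for any refpolicy change of this kind.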