Subject: Re: [PATCH] first udevadm patch
From: Chris PeBenito
To: Russell Coker, selinux-refpolicy@vger.kernel.org
Date: Mon, 14 Dec 2020 09:46:23 -0500
Message-ID: <2b5b0f1e-2576-23f4-4ab4-26f8fcfb2c30@ieee.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 12/10/20 9:27 PM, Russell Coker wrote:
> As Chris noted in a previous message the udevadm_t domain could be used from
> other places. This patch allows for that possibility in the near future but
> for the moment just makes a system bootable in enforcing mode right now.
>
> Also I didn't remove the context entries for udevadm even though on systems
> with a recent systemd they won't exist. At this time leaving them there
> may provide the best compatibility options.
>
> Finally I added a udev_runtime_t watch because the need for that appeared
> when I was working on this.
>
>
> Signed off by Russell Coker

The patch seems ok, please resubmit with a standard DCO signoff (e.g. git commit -s).

> Index: refpolicy-2.20201210/policy/modules/system/udev.fc > =================================================================== > --- refpolicy-2.20201210.orig/policy/modules/system/udev.fc > +++ refpolicy-2.20201210/policy/modules/system/udev.fc > @@ -10,7 +10,7 @@ > /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) > > /usr/bin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) > -/usr/bin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) > +/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/bin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/bin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) 
> @@ -22,7 +22,7 @@ ifdef(`distro_debian',` > ') > > /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) > -/usr/sbin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) > +/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) > @@ -32,7 +32,6 @@ ifdef(`distro_redhat',` > /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) > ') > > -/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) > > /usr/share/virtualbox/VBoxCreateUSBNode\.sh -- gen_context(system_u:object_r:udev_helper_exec_t,s0) > Index: refpolicy-2.20201210/policy/modules/system/udev.if > =================================================================== > --- refpolicy-2.20201210.orig/policy/modules/system/udev.if > +++ refpolicy-2.20201210/policy/modules/system/udev.if > @@ -548,10 +548,10 @@ interface(`udev_manage_runtime_files',` > # > interface(`udevadm_domtrans',` > gen_require(` > - type udevadm_t, udevadm_exec_t; > + type udevadm_t, udev_exec_t; > ') > > - domtrans_pattern($1, udevadm_exec_t, udevadm_t) > + domtrans_pattern($1, udev_exec_t, udevadm_t) > ') > > ######################################## 
> @@ -579,21 +579,3 @@ interface(`udevadm_run',` > udevadm_domtrans($1) > roleattribute $2 udevadm_roles; > ') > - > -######################################## > -## > -## Execute udevadm in the caller domain. > -## > -## > -## > -## Domain allowed access. > -## > -## > -# > -interface(`udevadm_exec',` > - gen_require(` > - type udevadm_exec_t; > - ') > - > - can_exec($1, udevadm_exec_t) > -') > Index: refpolicy-2.20201210/policy/modules/system/udev.te > =================================================================== > --- refpolicy-2.20201210.orig/policy/modules/system/udev.te > +++ refpolicy-2.20201210/policy/modules/system/udev.te > @@ -8,6 +8,7 @@ attribute_role udevadm_roles; > > type udev_t; > type udev_exec_t; > +typealias udev_exec_t alias udevadm_exec_t; > type udev_helper_exec_t; > kernel_domtrans_to(udev_t, udev_exec_t) > domain_obj_id_change_exemption(udev_t) > @@ -17,9 +18,7 @@ init_daemon_domain(udev_t, udev_exec_t) > init_named_socket_activation(udev_t, udev_runtime_t) > > type udevadm_t; > -type udevadm_exec_t; > -init_system_domain(udevadm_t, udevadm_exec_t) > -application_domain(udevadm_t, udevadm_exec_t) > +application_domain(udevadm_t, udev_exec_t) > role udevadm_roles types udevadm_t; > > type udev_etc_t alias etc_udev_t; > @@ -86,6 +85,7 @@ manage_files_pattern(udev_t, udev_runtim > manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t) > manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t) > files_runtime_filetrans(udev_t, udev_runtime_t, dir, "udev") > +allow udev_t udev_runtime_t:dir watch; > > kernel_load_module(udev_t) > kernel_read_system_state(udev_t) > -- Chris PeBenito
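Review bot: the third udev.fc hunk (`@@ -32,7 +32,6 @@`) deletes the `/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)` entry, but the commit message only discusses the udevadm entries and the watch rule, so the reason for this removal is undocumented. If that path still exists as a regular file on some systems, it would fall back to the generic /usr/lib label and the existing `init_daemon_domain(udev_t, udev_exec_t)` transition into udev_t would no longer fire for it; either restore the line or state in the commit message why it is no longer needed.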
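Review bot: in the `udevadm_domtrans` hunk of udev.if, `domtrans_pattern($1, udev_exec_t, udevadm_t)` now installs a type_transition on the same entrypoint type that `kernel_domtrans_to(udev_t, udev_exec_t)` and `init_daemon_domain(udev_t, udev_exec_t)` (both visible in the udev.te context) already use for udev_t. A caller that already has a transition on udev_exec_t (init_t being the obvious case) therefore cannot also be granted `udevadm_domtrans()`/`udevadm_run()` without producing a conflicting type_transition at policy build time, and because udevd and udevadm now share one label, a domain given this interface transitions into udevadm_t when executing either binary. Both limitations deserve a sentence in the interface's doc comment.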
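Review bot: the `@@ -579,21 +579,3 @@` hunk removes the public `udevadm_exec` interface outright, which breaks any in-tree or third-party module that calls it, and it sits oddly beside the `typealias udev_exec_t alias udevadm_exec_t` added in udev.te, whose whole purpose is to keep old references compiling. Suggest keeping the interface as a deprecated wrapper, e.g. `refpolicywarn(`$0($*) has been deprecated.')` followed by `can_exec($1, udev_exec_t)`, and dropping it in a later release.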
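Review bot: in the `@@ -17,9 +18,7 @@` hunk of udev.te, replacing `init_system_domain(udevadm_t, udevadm_exec_t)` with `application_domain(udevadm_t, udev_exec_t)` means udevadm_t is reachable only through `udevadm_domtrans()`; udevadm started by init (for example from a unit file) now follows the existing `init_daemon_domain(udev_t, udev_exec_t)` transition shown in the hunk header and runs as udev_t rather than udevadm_t. That matches the stated goal of just making the system bootable, but it is a behaviour change that the commit message should spell out explicitly.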