Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp3028124pxb;
        Tue, 12 Jan 2021 04:43:40 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzCBOzTYiMzwW4lMUuqa6QAVgkmLQN4l7mPeHtJTKaMiBXNRBTEELltDpqGaRBN6iNL8Y8W
X-Received: by 2002:a05:6402:1386:: with SMTP id b6mr3292871edv.42.1610455420431;
        Tue, 12 Jan 2021 04:43:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1610455420; cv=none;
        d=google.com; s=arc-20160816;
        b=BAI7t9OdIRZ3KNPHDQSvQS0vtYziGa4+5adfZGH5PhHYU+f3F+w3YoHGx3ayRnZOaT
         A8E00iLuLcLTF1aVwSwyaUTekbzzIJC63DuXGNcOADQvs5mKiwC9f5TnwSRmIRnZmvG0
         +1pJ9CodBQ+kBOYSX5M3xZ4MsPOCKuFEYD8Ydrr9rNGNNXPjy2wdofjQIspOgXu0A+36
         wlSsVsftGlxMXlQ62gZ+pyuqtXFziYpwU2Zi4ATFDIq9F9NgW5mqOkkk9RDoJQqG1buH
         oVctvDIYfqd9bKsR79tLUPKD7KboqXY0n/V4xB4jiu8PuEa3VKdBdOaBly82SdQB8nLp
         HJpg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-disposition:mime-version:message-id
         :subject:to:from:date:dkim-signature;
        bh=R+ptdp0KMhZxpCDdhera7+5aUKIbqqvj49aaUokdKuk=;
        b=yzwau8C+GgRUq0+/N8orHXHNQ3BlqWMexkeeocKI6bay1GisU95KknBkYdLmfJugt5
         wQyiS4oS07dWDpvxb+rD3AVkn/3TGhVish0C+JowOZquQ/0u0/ejelHl83q78dmHt3AF
         796+X+4plKEXFSE/rf1QfzDzCHXSf7UnPthogmFaXeHUOGY0s96AhDb9OdWnQo9Q438J
         1P6Kdc79w4GsavSUq/T/KT8HY2avuLmHbUxL5tNIoFyCKaWwrZ3gKJ/p6gS7tK8HfEm9
         xm85TH3BNRVykqKULiX1JnMtt++PnWSA3jbo8xpiVqQ2/Db4DY1C0kuSdzathkHxP6Ky
         KwoQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=uALf01ML;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id u25si1280104edv.571.2021.01.12.04.43.33;
        Tue, 12 Jan 2021 04:43:40 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=uALf01ML;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2392987AbhALKJS (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 18 others); Tue, 12 Jan 2021 05:09:18 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37308 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2391410AbhALKJS (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Tue, 12 Jan 2021 05:09:18 -0500
Received: from smtp.sws.net.au (smtp.sws.net.au [IPv6:2a01:4f8:140:71f5::dada:cafe])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 346B3C061786
        for <selinux-refpolicy@vger.kernel.org>; Tue, 12 Jan 2021 02:08:38 -0800 (PST)
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id A0A0F16A71
        for <selinux-refpolicy@vger.kernel.org>; Tue, 12 Jan 2021 21:08:31 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1610446111;
        bh=R+ptdp0KMhZxpCDdhera7+5aUKIbqqvj49aaUokdKuk=; l=4488;
        h=Date:From:To:Subject:From;
        b=uALf01MLJty+bJKmqZXdVTMuHhNBG/uLpv6r4pI3qesp41k8jMfSGCY/E1xmgda00
         ovaYwtSJnyrJGAlo+2j2784JqfdKw/nTEm4fIoM0oeC3U10PjGj8/TwB9i05oHzg1s
         Y8em3YIm7iD1pRY5DIFx++QmcHWZoQi7Z8W1YDvA=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id 6A98512ECF17; Tue, 12 Jan 2021 21:00:02 +1100 (AEDT)
Date:   Tue, 12 Jan 2021 21:00:02 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] udevadm patch
Message-ID: <X/1zIlzuNbchBU1w@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

As Chris noted in a previous message the udevadm_t domain could be used from
other places.  This patch allows for that possibility in the near future but
for the moment just makes a system bootable in enforcing mode right now.

Also I didn't remove the context entries for udevadm even though on systems
with a recent systemd they won't exist.  At this time leaving them there
may provide the best compatability options.

Finally I added a udev_runtime_t watch because the need for that appeared
when I was working on this.

Sent again for a better sign-off.

Signed-off-by: Russell Coker <russell@coker.com.au>



Index: refpolicy-2.20201210/policy/modules/system/udev.fc
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/system/udev.fc
+++ refpolicy-2.20201210/policy/modules/system/udev.fc
@@ -10,7 +10,7 @@
 /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
 /usr/bin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/bin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
+/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevinfo	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
@@ -22,7 +22,7 @@ ifdef(`distro_debian',`
 ')
 
 /usr/sbin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
+/usr/sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevstart	--	gen_context(system_u:object_r:udev_exec_t,s0)
@@ -32,7 +32,6 @@ ifdef(`distro_redhat',`
 /usr/sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
 ')
 
-/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
 
 /usr/share/virtualbox/VBoxCreateUSBNode\.sh	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
Index: refpolicy-2.20201210/policy/modules/system/udev.if
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/system/udev.if
+++ refpolicy-2.20201210/policy/modules/system/udev.if
@@ -548,10 +548,10 @@ interface(`udev_manage_runtime_files',`
 #
 interface(`udevadm_domtrans',`
 	gen_require(`
-		type udevadm_t, udevadm_exec_t;
+		type udevadm_t, udev_exec_t;
 	')
 
-	domtrans_pattern($1, udevadm_exec_t, udevadm_t)
+	domtrans_pattern($1, udev_exec_t, udevadm_t)
 ')
 
 ########################################
@@ -579,21 +579,3 @@ interface(`udevadm_run',`
 	udevadm_domtrans($1)
 	roleattribute $2 udevadm_roles;
 ')
-
-########################################
-## <summary>
-##	Execute udevadm in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`udevadm_exec',`
-	gen_require(`
-		type udevadm_exec_t;
-	')
-
-	can_exec($1, udevadm_exec_t)
-')
Index: refpolicy-2.20201210/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/system/udev.te
+++ refpolicy-2.20201210/policy/modules/system/udev.te
@@ -8,6 +8,7 @@ attribute_role udevadm_roles;
 
 type udev_t;
 type udev_exec_t;
+typealias udev_exec_t alias udevadm_exec_t;
 type udev_helper_exec_t;
 kernel_domtrans_to(udev_t, udev_exec_t)
 domain_obj_id_change_exemption(udev_t)
@@ -17,9 +18,7 @@ init_daemon_domain(udev_t, udev_exec_t)
 init_named_socket_activation(udev_t, udev_runtime_t)
 
 type udevadm_t;
-type udevadm_exec_t;
-init_system_domain(udevadm_t, udevadm_exec_t)
-application_domain(udevadm_t, udevadm_exec_t)
+application_domain(udevadm_t, udev_exec_t)
 role udevadm_roles types udevadm_t;
 
 type udev_etc_t alias etc_udev_t;
@@ -86,6 +85,7 @@ manage_files_pattern(udev_t, udev_runtim
 manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 files_runtime_filetrans(udev_t, udev_runtime_t, dir, "udev")
+allow udev_t udev_runtime_t:dir watch;
 
 kernel_load_module(udev_t)
 kernel_read_system_state(udev_t)