Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp3028124pxb; Tue, 12 Jan 2021 04:43:40 -0800 (PST) X-Google-Smtp-Source: ABdhPJzCBOzTYiMzwW4lMUuqa6QAVgkmLQN4l7mPeHtJTKaMiBXNRBTEELltDpqGaRBN6iNL8Y8W X-Received: by 2002:a05:6402:1386:: with SMTP id b6mr3292871edv.42.1610455420431; Tue, 12 Jan 2021 04:43:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610455420; cv=none; d=google.com; s=arc-20160816; b=BAI7t9OdIRZ3KNPHDQSvQS0vtYziGa4+5adfZGH5PhHYU+f3F+w3YoHGx3ayRnZOaT A8E00iLuLcLTF1aVwSwyaUTekbzzIJC63DuXGNcOADQvs5mKiwC9f5TnwSRmIRnZmvG0 +1pJ9CodBQ+kBOYSX5M3xZ4MsPOCKuFEYD8Ydrr9rNGNNXPjy2wdofjQIspOgXu0A+36 wlSsVsftGlxMXlQ62gZ+pyuqtXFziYpwU2Zi4ATFDIq9F9NgW5mqOkkk9RDoJQqG1buH oVctvDIYfqd9bKsR79tLUPKD7KboqXY0n/V4xB4jiu8PuEa3VKdBdOaBly82SdQB8nLp HJpg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:to:from:date:dkim-signature; bh=R+ptdp0KMhZxpCDdhera7+5aUKIbqqvj49aaUokdKuk=; b=yzwau8C+GgRUq0+/N8orHXHNQ3BlqWMexkeeocKI6bay1GisU95KknBkYdLmfJugt5 wQyiS4oS07dWDpvxb+rD3AVkn/3TGhVish0C+JowOZquQ/0u0/ejelHl83q78dmHt3AF 796+X+4plKEXFSE/rf1QfzDzCHXSf7UnPthogmFaXeHUOGY0s96AhDb9OdWnQo9Q438J 1P6Kdc79w4GsavSUq/T/KT8HY2avuLmHbUxL5tNIoFyCKaWwrZ3gKJ/p6gS7tK8HfEm9 xm85TH3BNRVykqKULiX1JnMtt++PnWSA3jbo8xpiVqQ2/Db4DY1C0kuSdzathkHxP6Ky KwoQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=uALf01ML; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id u25si1280104edv.571.2021.01.12.04.43.33; Tue, 12 Jan 2021 04:43:40 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=uALf01ML; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2392987AbhALKJS (ORCPT + 18 others); Tue, 12 Jan 2021 05:09:18 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37308 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391410AbhALKJS (ORCPT ); Tue, 12 Jan 2021 05:09:18 -0500 Received: from smtp.sws.net.au (smtp.sws.net.au [IPv6:2a01:4f8:140:71f5::dada:cafe]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 346B3C061786 for ; Tue, 12 Jan 2021 02:08:38 -0800 (PST) Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id A0A0F16A71 for ; Tue, 12 Jan 2021 21:08:31 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1610446111; bh=R+ptdp0KMhZxpCDdhera7+5aUKIbqqvj49aaUokdKuk=; l=4488; h=Date:From:To:Subject:From; b=uALf01MLJty+bJKmqZXdVTMuHhNBG/uLpv6r4pI3qesp41k8jMfSGCY/E1xmgda00 ovaYwtSJnyrJGAlo+2j2784JqfdKw/nTEm4fIoM0oeC3U10PjGj8/TwB9i05oHzg1s Y8em3YIm7iD1pRY5DIFx++QmcHWZoQi7Z8W1YDvA= Received: by xev.coker.com.au (Postfix, from userid 1001) id 6A98512ECF17; Tue, 12 Jan 2021 21:00:02 +1100 (AEDT) Date: Tue, 12 Jan 2021 21:00:02 +1100 From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] udevadm patch Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org As Chris noted in a previous message the udevadm_t domain could be used from other places. This patch allows for that possibility in the near future but for the moment just makes a system bootable in enforcing mode right now. Also I didn't remove the context entries for udevadm even though on systems with a recent systemd they won't exist. At this time leaving them there may provide the best compatability options. Finally I added a udev_runtime_t watch because the need for that appeared when I was working on this. Sent again for a better sign-off. Signed-off-by: Russell Coker Index: refpolicy-2.20201210/policy/modules/system/udev.fc =================================================================== --- refpolicy-2.20201210.orig/policy/modules/system/udev.fc +++ refpolicy-2.20201210/policy/modules/system/udev.fc @@ -10,7 +10,7 @@ /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) /usr/bin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) -/usr/bin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) +/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/bin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/bin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) @@ -22,7 +22,7 @@ ifdef(`distro_debian',` ') /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) -/usr/sbin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) +/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) @@ -32,7 +32,6 @@ ifdef(`distro_redhat',` /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) ') -/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) /usr/share/virtualbox/VBoxCreateUSBNode\.sh -- gen_context(system_u:object_r:udev_helper_exec_t,s0) Index: refpolicy-2.20201210/policy/modules/system/udev.if =================================================================== --- refpolicy-2.20201210.orig/policy/modules/system/udev.if +++ refpolicy-2.20201210/policy/modules/system/udev.if @@ -548,10 +548,10 @@ interface(`udev_manage_runtime_files',` # interface(`udevadm_domtrans',` gen_require(` - type udevadm_t, udevadm_exec_t; + type udevadm_t, udev_exec_t; ') - domtrans_pattern($1, udevadm_exec_t, udevadm_t) + domtrans_pattern($1, udev_exec_t, udevadm_t) ') ######################################## @@ -579,21 +579,3 @@ interface(`udevadm_run',` udevadm_domtrans($1) roleattribute $2 udevadm_roles; ') - -######################################## -## -## Execute udevadm in the caller domain. -## -## -## -## Domain allowed access. -## -## -# -interface(`udevadm_exec',` - gen_require(` - type udevadm_exec_t; - ') - - can_exec($1, udevadm_exec_t) -') Index: refpolicy-2.20201210/policy/modules/system/udev.te =================================================================== --- refpolicy-2.20201210.orig/policy/modules/system/udev.te +++ refpolicy-2.20201210/policy/modules/system/udev.te @@ -8,6 +8,7 @@ attribute_role udevadm_roles; type udev_t; type udev_exec_t; +typealias udev_exec_t alias udevadm_exec_t; type udev_helper_exec_t; kernel_domtrans_to(udev_t, udev_exec_t) domain_obj_id_change_exemption(udev_t) @@ -17,9 +18,7 @@ init_daemon_domain(udev_t, udev_exec_t) init_named_socket_activation(udev_t, udev_runtime_t) type udevadm_t; -type udevadm_exec_t; -init_system_domain(udevadm_t, udevadm_exec_t) -application_domain(udevadm_t, udevadm_exec_t) +application_domain(udevadm_t, udev_exec_t) role udevadm_roles types udevadm_t; type udev_etc_t alias etc_udev_t; @@ -86,6 +85,7 @@ manage_files_pattern(udev_t, udev_runtim manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t) manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t) files_runtime_filetrans(udev_t, udev_runtime_t, dir, "udev") +allow udev_t udev_runtime_t:dir watch; kernel_load_module(udev_t) kernel_read_system_state(udev_t)