Subject: Re: [PATCH] udevadm patch
To: Russell Coker, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
Message-ID: <787a07f6-b36f-3a73-e515-231d03502874@ieee.org>
Date: Wed, 13 Jan 2021 08:31:12 -0500
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/12/21 5:00 AM, Russell Coker wrote:
> As Chris noted in a previous message the udevadm_t domain could be used from
> other places. This patch allows for that possibility in the near future but
> for the moment just makes a system bootable in enforcing mode right now.
>
> Also I didn't remove the context entries for udevadm even though on systems
> with a recent systemd they won't exist. At this time leaving them there
> may provide the best compatibility options.
>
> Finally I added a udev_runtime_t watch because the need for that appeared
> when I was working on this.
>
> Sent again for a better sign-off.
> > Signed-off-by: Russell Coker Since your last patch I ended up working some of this on my own and went further, including removing some old /dev/.udev support: https://github.com/SELinuxProject/refpolicy/pull/331 > > Index: refpolicy-2.20201210/policy/modules/system/udev.fc > =================================================================== > --- refpolicy-2.20201210.orig/policy/modules/system/udev.fc > +++ refpolicy-2.20201210/policy/modules/system/udev.fc > @@ -10,7 +10,7 @@ > /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) > > /usr/bin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) > -/usr/bin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) > +/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/bin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/bin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) > @@ -22,7 +22,7 @@ ifdef(`distro_debian',` > ') > > /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) > -/usr/sbin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0) > +/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0) 
> @@ -32,7 +32,6 @@ ifdef(`distro_redhat',` > /usr/sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) > ') > > -/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0) > /usr/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) > > /usr/share/virtualbox/VBoxCreateUSBNode\.sh -- gen_context(system_u:object_r:udev_helper_exec_t,s0) > Index: refpolicy-2.20201210/policy/modules/system/udev.if > =================================================================== > --- refpolicy-2.20201210.orig/policy/modules/system/udev.if > +++ refpolicy-2.20201210/policy/modules/system/udev.if > @@ -548,10 +548,10 @@ interface(`udev_manage_runtime_files',` > # > interface(`udevadm_domtrans',` > gen_require(` > - type udevadm_t, udevadm_exec_t; > + type udevadm_t, udev_exec_t; > ') > > - domtrans_pattern($1, udevadm_exec_t, udevadm_t) > + domtrans_pattern($1, udev_exec_t, udevadm_t) > ') > > ######################################## > @@ -579,21 +579,3 @@ interface(`udevadm_run',` > udevadm_domtrans($1) > roleattribute $2 udevadm_roles; > ') > - > -######################################## > -## > -## Execute udevadm in the caller domain. > -## > -## > -## > -## Domain allowed access. > -## > -## > -# > -interface(`udevadm_exec',` > - gen_require(` > - type udevadm_exec_t; > - ') > - > - can_exec($1, udevadm_exec_t) > -') > Index: refpolicy-2.20201210/policy/modules/system/udev.te > =================================================================== > --- refpolicy-2.20201210.orig/policy/modules/system/udev.te > +++ refpolicy-2.20201210/policy/modules/system/udev.te > @@ -8,6 +8,7 @@ attribute_role udevadm_roles; > > type udev_t; > type udev_exec_t; > +typealias udev_exec_t alias udevadm_exec_t; > type udev_helper_exec_t; > kernel_domtrans_to(udev_t, udev_exec_t) > domain_obj_id_change_exemption(udev_t) 
> @@ -17,9 +18,7 @@ init_daemon_domain(udev_t, udev_exec_t) > init_named_socket_activation(udev_t, udev_runtime_t) > > type udevadm_t; > -type udevadm_exec_t; > -init_system_domain(udevadm_t, udevadm_exec_t) > -application_domain(udevadm_t, udevadm_exec_t) > +application_domain(udevadm_t, udev_exec_t) > role udevadm_roles types udevadm_t; > > type udev_etc_t alias etc_udev_t; > @@ -86,6 +85,7 @@ manage_files_pattern(udev_t, udev_runtim > manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t) > manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t) > files_runtime_filetrans(udev_t, udev_runtime_t, dir, "udev") > +allow udev_t udev_runtime_t:dir watch; > > kernel_load_module(udev_t) > kernel_read_system_state(udev_t) > -- Chris PeBenito
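Review bot: the removal of the "/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)" entry in the third udev.fc hunk is not explained by the commit message, which says the udevadm context entries were deliberately kept for compatibility; on a system where that path is still a regular file it loses its udev_exec_t label and init no longer transitions into udev_t when starting the daemon. Suggest either keeping the entry for the same compatibility reason or stating in the commit message why it is safe to drop.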
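Review bot: in the udevadm_domtrans hunk, "domtrans_pattern($1, udev_exec_t, udevadm_t)" makes udev_exec_t the entrypoint of udevadm_t while the udev.te context lines ("kernel_domtrans_to(udev_t, udev_exec_t)" and "init_daemon_domain(udev_t, udev_exec_t)") keep it as the entrypoint of udev_t. Any source domain that is granted a transition to both domains ends up with two type_transition rules for the same source type and udev_exec_t with different target domains, which the policy compiler rejects as a conflict. Suggest checking existing callers for that overlap and noting in the interface description that udevadm_domtrans and a transition to udev_t cannot be granted to the same domain.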
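Review bot: the last udev.if hunk deletes the public udevadm_exec interface outright, so any module that calls udevadm_exec() stops building. Since the udev.te hunk keeps udevadm_exec_t as an alias of udev_exec_t, "can_exec($1, udevadm_exec_t)" still resolves, so the interface could be left in place or turned into a deprecated wrapper; either way the commit message should call out the removed interface.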
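Review bot: the udev.te hunk that replaces "init_system_domain(udevadm_t, udevadm_exec_t)" with "application_domain(udevadm_t, udev_exec_t)" changes what init gets when it executes udevadm: with udev_exec_t as the only entrypoint and "init_daemon_domain(udev_t, udev_exec_t)" in the surrounding context, an execution of udevadm from a unit now lands in udev_t rather than udevadm_t. If that is the intent (the message reserves udevadm_t for use from other places), it should be stated, since udevadm started by init becomes indistinguishable from the daemon from the policy's point of view.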