2019-03-06 19:07:03

by Sugar, David

[permalink] [raw]
Subject: [PATCH v2] Add interface udev_run

Altered to use roleattribute based on suggestion

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/udev.if | 26 ++++++++++++++++++++++++++
policy/modules/system/udev.te | 2 ++
2 files changed, 28 insertions(+)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index fee55852..90dfb17d 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -36,6 +36,32 @@ interface(`udev_domtrans',`
domtrans_pattern($1, udev_exec_t, udev_t)
')

+########################################
+## <summary>
+## Execute udev in the udev domain, and
+## allow the specified role the udev domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`udev_run',`
+ gen_require(`
+ attribute_role udev_roles;
+ ')
+
+ udev_domtrans($1)
+ roleattribute $2 udev_roles;
+')
+
########################################
## <summary>
## Allow udev to execute the specified program in
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 3cbf7eff..88bff272 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -4,6 +4,7 @@ policy_module(udev, 1.25.0)
#
# Declarations
#
+attribute_role udev_roles;

type udev_t;
type udev_exec_t;
@@ -14,6 +15,7 @@ domain_entry_file(udev_t, udev_helper_exec_t)
domain_interactive_fd(udev_t)
init_daemon_domain(udev_t, udev_exec_t)
init_named_socket_activation(udev_t, udev_var_run_t)
+role udev_roles types udev_t;

type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
--
2.20.1



2019-03-06 19:07:05

by Sugar, David

[permalink] [raw]
Subject: [PATCH] Allow map permission when reading hwdb

I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
This updates the existing interface to include allowing
to map the file.

type=AVC msg=audit(1551886176.948:642): avc: denied { map } for pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/systemd.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8d2bb8da..03d83dc7 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -34,7 +34,7 @@ interface(`systemd_read_hwdb',`
type systemd_hwdb_t;
')

- read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
+ mmap_read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
')

######################################
--
2.20.1


2019-03-08 00:03:27

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH v2] Add interface udev_run

On 3/6/19 2:07 PM, Sugar, David wrote:
> Altered to use roleattribute based on suggestion
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/udev.if | 26 ++++++++++++++++++++++++++
> policy/modules/system/udev.te | 2 ++
> 2 files changed, 28 insertions(+)
>
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index fee55852..90dfb17d 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -36,6 +36,32 @@ interface(`udev_domtrans',`
> domtrans_pattern($1, udev_exec_t, udev_t)
> ')
>
> +########################################
> +## <summary>
> +## Execute udev in the udev domain, and
> +## allow the specified role the udev domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`udev_run',`
> + gen_require(`
> + attribute_role udev_roles;
> + ')
> +
> + udev_domtrans($1)
> + roleattribute $2 udev_roles;
> +')

Why is a user be starting this?


--
Chris PeBenito

2019-03-08 00:03:28

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH] Allow map permission when reading hwdb

On 3/6/19 2:07 PM, Sugar, David wrote:
> I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
> This updates the existing interface to include allowing
> to map the file.
>
> type=AVC msg=audit(1551886176.948:642): avc: denied { map } for pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/systemd.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 8d2bb8da..03d83dc7 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -34,7 +34,7 @@ interface(`systemd_read_hwdb',`
> type systemd_hwdb_t;
> ')
>
> - read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
> + mmap_read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
> ')
>
> ######################################

This should be a new interface.

--
Chris PeBenito

2019-03-08 03:02:05

by Sugar, David

[permalink] [raw]
Subject: Re: [PATCH v2] Add interface udev_run



On 3/7/19 6:55 PM, Chris PeBenito wrote:
> On 3/6/19 2:07 PM, Sugar, David wrote:
>> Altered to use roleattribute based on suggestion
>>
>> Signed-off-by: Dave Sugar <[email protected]>
>> ---
>>   policy/modules/system/udev.if | 26 ++++++++++++++++++++++++++
>>   policy/modules/system/udev.te |  2 ++
>>   2 files changed, 28 insertions(+)
>>
>> diff --git a/policy/modules/system/udev.if
>> b/policy/modules/system/udev.if
>> index fee55852..90dfb17d 100644
>> --- a/policy/modules/system/udev.if
>> +++ b/policy/modules/system/udev.if
>> @@ -36,6 +36,32 @@ interface(`udev_domtrans',`
>>       domtrans_pattern($1, udev_exec_t, udev_t)
>>   ')
>> +########################################
>> +## <summary>
>> +##    Execute udev in the udev domain, and
>> +##    allow the specified role the udev domain.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed to transition.
>> +##    </summary>
>> +## </param>
>> +## <param name="role">
>> +##    <summary>
>> +##    Role allowed access.
>> +##    </summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`udev_run',`
>> +    gen_require(`
>> +        attribute_role udev_roles;
>> +    ')
>> +
>> +    udev_domtrans($1)
>> +    roleattribute $2 udev_roles;
>> +')
>
> Why is a user be starting this?
>
In this case it isn't a user starting udev, rather calling
"/usr/bin/udevadm info" to gather all the specific information about a
USB device. udevadm is labeled udev_exec_t.

2019-03-12 00:51:53

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH v2] Add interface udev_run

On 3/7/19 10:01 PM, Sugar, David wrote:
>
>
> On 3/7/19 6:55 PM, Chris PeBenito wrote:
>> On 3/6/19 2:07 PM, Sugar, David wrote:
>>> Altered to use roleattribute based on suggestion
>>>
>>> Signed-off-by: Dave Sugar <[email protected]>
>>> ---
>>>   policy/modules/system/udev.if | 26 ++++++++++++++++++++++++++
>>>   policy/modules/system/udev.te |  2 ++
>>>   2 files changed, 28 insertions(+)
>>>
>>> diff --git a/policy/modules/system/udev.if
>>> b/policy/modules/system/udev.if
>>> index fee55852..90dfb17d 100644
>>> --- a/policy/modules/system/udev.if
>>> +++ b/policy/modules/system/udev.if
>>> @@ -36,6 +36,32 @@ interface(`udev_domtrans',`
>>>       domtrans_pattern($1, udev_exec_t, udev_t)
>>>   ')
>>> +########################################
>>> +## <summary>
>>> +##    Execute udev in the udev domain, and
>>> +##    allow the specified role the udev domain.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##    <summary>
>>> +##    Domain allowed to transition.
>>> +##    </summary>
>>> +## </param>
>>> +## <param name="role">
>>> +##    <summary>
>>> +##    Role allowed access.
>>> +##    </summary>
>>> +## </param>
>>> +## <rolecap/>
>>> +#
>>> +interface(`udev_run',`
>>> +    gen_require(`
>>> +        attribute_role udev_roles;
>>> +    ')
>>> +
>>> +    udev_domtrans($1)
>>> +    roleattribute $2 udev_roles;
>>> +')
>>
>> Why is a user be starting this?
>>
> In this case it isn't a user starting udev, rather calling
> "/usr/bin/udevadm info" to gather all the specific information about a
> USB device. udevadm is labeled udev_exec_t.

In that case I'd be more interested in seeing what it would take for a
separate udevadm domain. If that proves to be too much like udev_t,
then I'd accept the above patch.

--
Chris PeBenito