2013-01-07 17:13:27

by Laurent Bigonville

Subject: [refpolicy] [PATCH] Drop udev_tbl_t and use udev_var_run_t label instead

From: Laurent Bigonville <[email protected]>

On most distribution /dev/.udev has been moved to /var/run/udev. We
should allow udev to R/W to the files stored in the new location.

At the same time, and to avoid adding yet another label, we are renaming the
udev_tbl_t label to the newly created udev_var_run_t label.

This is inspired of the changes on Fedora policy

I would be happy if somebody could review this before I'm proposing this for
inclusion. This has only been tested on system where the directory is located
in (/var)/run/udev.

Thanks!

Laurent Bigonville
---
policy/modules/system/udev.fc | 8 +++---
policy/modules/system/udev.if | 58 +++++++++++++++++++++++++++++------------
policy/modules/system/udev.te | 9 ++-----
3 files changed, 48 insertions(+), 27 deletions(-)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 40928d8..68f7f48 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -1,6 +1,6 @@
-/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
-/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
-/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0)
+/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0)
+/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0)

/etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)

@@ -31,7 +31,7 @@ ifdef(`distro_redhat',`
/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)

/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
+/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)

ifdef(`distro_debian',`
/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 9a1650d..440a732 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',`
#
interface(`udev_dontaudit_search_db',`
gen_require(`
- type udev_tbl_t;
+ type udev_var_run_t;
')

- dontaudit $1 udev_tbl_t:dir search_dir_perms;
+ dontaudit $1 udev_var_run_t:dir search_dir_perms;
')

########################################
@@ -187,25 +187,50 @@ interface(`udev_dontaudit_search_db',`
## <infoflow type="read" weight="10"/>
#
interface(`udev_read_db',`
- gen_require(`
- type udev_tbl_t;
- ')
+ refpolicywarn(`$0 has been deprecated, use udev_read_pids() instead.')
+ udev_read_pids($1)
+')

- allow $1 udev_tbl_t:dir list_dir_perms;
+########################################
+## <summary>
+## Allow process to modify list of devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_rw_db',`
+ refpolicywarn(`$0 has been deprecated, use udev_rw_pids() instead.')
+ udev_rw_pids($1)
+')

- read_files_pattern($1, udev_tbl_t, udev_tbl_t)
- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
+########################################
+## <summary>
+## Read udev pid content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_read_pids',`
+ gen_require(`
+ type udev_var_run_t;
+ ')

dev_list_all_dev_nodes($1)
-
- files_search_etc($1)
-
- udev_search_pids($1)
+ files_search_pids($1)
+ allow $1 udev_var_run_t:dir list_dir_perms;
+ allow $1 udev_var_run_t:file read_file_perms;
+ allow $1 udev_var_run_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
-## Allow process to modify list of devices.
+## Allow process to modify pid content.
## </summary>
## <param name="domain">
## <summary>
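Review bot: The new udev_rw_db wrapper is a deprecation shim, but its interface header in this hunk still reads like a live interface; refpolicy marks these in the summary, so `## Allow process to modify list of devices. (Deprecated)` would let the XML documentation and policy authors see the status without reading the body. The same applies to udev_read_db, whose header sits above this hunk. Separately, udev_read_pids grants the file and lnk_file access with bare `allow` lines where the removed code used the pattern macros; `read_files_pattern($1, udev_var_run_t, udev_var_run_t)` and `read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)` would match the module's existing style and keep the dir search implied by those macros.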
@@ -213,13 +238,14 @@ interface(`udev_read_db',`
## </summary>
## </param>
#
-interface(`udev_rw_db',`
+interface(`udev_rw_pids',`
gen_require(`
- type udev_tbl_t;
+ type udev_var_run_t;
')

dev_list_all_dev_nodes($1)
- allow $1 udev_tbl_t:file rw_file_perms;
+ allow $1 udev_var_run_t:file rw_file_perms;
+ files_search_pids($1)
')
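Review bot: udev_rw_pids grants `rw_file_perms` on udev_var_run_t:file but nothing on udev_var_run_t:dir, and files_search_pids only covers the /run directory itself, so a caller holding just this interface cannot traverse /run/udev to reach the files it is allowed to write. The old udev_rw_db had the same shape, which was tolerable while the database was a file directly in /dev; with the content now under a udev_var_run_t directory the dir search is needed. Replacing the allow line with `rw_files_pattern($1, udev_var_run_t, udev_var_run_t)` adds the search permission and matches the pattern macros used elsewhere in the module. Moving `files_search_pids($1)` above the access rule would also follow the ordering used in udev_read_pids in the previous hunk.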

########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a5ec88b..3cfe483 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,15 +17,13 @@ init_daemon_domain(udev_t, udev_exec_t)
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)

-type udev_tbl_t alias udev_tdb_t;
-files_type(udev_tbl_t)
-
type udev_rules_t;
files_type(udev_rules_t)

type udev_var_run_t;
files_pid_file(udev_var_run_t)
init_daemon_run_dir(udev_var_run_t, "udev")
+typealias udev_var_run_t alias udev_tbl_t;

ifdef(`enable_mcs',`
kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
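Review bot: The removed `type udev_tbl_t alias udev_tdb_t;` carried a second alias, udev_tdb_t, which the added `typealias udev_var_run_t alias udev_tbl_t;` does not preserve, so any policy module or on-disk label still using udev_tdb_t stops resolving after this change. If that compatibility name is still wanted, `typealias udev_var_run_t alias { udev_tbl_t udev_tdb_t };` keeps both; if it is being dropped deliberately, the commit message should say so since it only describes the udev_tbl_t rename.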
@@ -63,16 +61,13 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;

-# create udev database in /dev/.udevdb
-allow udev_t udev_tbl_t:file manage_file_perms;
-dev_filetrans(udev_t, udev_tbl_t, file)
-
list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
read_files_pattern(udev_t, udev_rules_t, udev_rules_t)

manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
files_pid_filetrans(udev_t, udev_var_run_t, { dir file })

kernel_read_system_state(udev_t)
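Review bot: Removing `dev_filetrans(udev_t, udev_tbl_t, file)` here is not matched by a replacement, yet the udev.fc hunk at @@ -1,6 still labels /dev/\.udev, /dev/\.udevdb and /dev/udev\.tbl as udev_var_run_t, so on a system that still uses the /dev location udev_t would create those files with the parent directory's type rather than the one the file contexts claim. Either the legacy layout is still supported and `dev_filetrans(udev_t, udev_var_run_t, file)` belongs here, or those three .fc entries are obsolete and should be removed with the old type; the commit message notes only the /var/run/udev layout was tested, so this is the unexercised path. The added `manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)` is also a new grant that a rename commit does not explain, and the `files_pid_filetrans` class set below it remains `{ dir file }`, so a socket created directly in /run rather than under /run/udev would not receive this type. A comment above it such as `# socket in the udev run directory -- confirm which socket this serves` would make the grant reviewable, and if the socket can live directly in /run, sock_file should join the filetrans class set.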
--
1.7.10.4


2013-01-10 13:20:42

by cpebenito

Subject: [refpolicy] [PATCH] Drop udev_tbl_t and use udev_var_run_t label instead

On 01/07/13 12:13, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> On most distribution /dev/.udev has been moved to /var/run/udev. We
> should allow udev to R/W to the files stored in the new location.
>
> At the sametime, and to not add yet another label we are renaming
> udev_tbl_t label to the newly created udev_var_run_t label
>
> This is inspired of the changes on Fedora policy
>
> I would be happy if somebody could review this before I'm proposing this for
> inclusion. This has only been tested on system where the directory is located
> in (/var)/run/udev.

Frankly, I think this is backwards. *_var_run_t files are typically pid files. The files in this dir are more than that. If anything, it seems that udev_var_run_t should be eliminated.

Otherwise, it seems that the /run/udev/control socket might be the only thing that makes sense for udev_var_run_t.


> ---
> policy/modules/system/udev.fc | 8 +++---
> policy/modules/system/udev.if | 58 +++++++++++++++++++++++++++++------------
> policy/modules/system/udev.te | 9 ++-----
> 3 files changed, 48 insertions(+), 27 deletions(-)
>
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index 40928d8..68f7f48 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -1,6 +1,6 @@
> -/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
> -/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
> -/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
> +/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0)
> +/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0)
> +/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0)
>
> /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
>
> @@ -31,7 +31,7 @@ ifdef(`distro_redhat',`
> /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
>
> /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
> -/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
> +/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
>
> ifdef(`distro_debian',`
> /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index 9a1650d..440a732 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',`
> #
> interface(`udev_dontaudit_search_db',`
> gen_require(`
> - type udev_tbl_t;
> + type udev_var_run_t;
> ')
>
> - dontaudit $1 udev_tbl_t:dir search_dir_perms;
> + dontaudit $1 udev_var_run_t:dir search_dir_perms;
> ')
>
> ########################################
> @@ -187,25 +187,50 @@ interface(`udev_dontaudit_search_db',`
> ## <infoflow type="read" weight="10"/>
> #
> interface(`udev_read_db',`
> - gen_require(`
> - type udev_tbl_t;
> - ')
> + refpolicywarn(`$0 has been deprecated, use udev_read_pids() instead.')
> + udev_read_pids($1)
> +')
>
> - allow $1 udev_tbl_t:dir list_dir_perms;
> +########################################
> +## <summary>
> +## Allow process to modify list of devices.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`udev_rw_db',`
> + refpolicywarn(`$0 has been deprecated, use udev_rw_pids() instead.')
> + udev_rw_pids($1)
> +')
>
> - read_files_pattern($1, udev_tbl_t, udev_tbl_t)
> - read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
> +########################################
> +## <summary>
> +## Read udev pid content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`udev_read_pids',`
> + gen_require(`
> + type udev_var_run_t;
> + ')
>
> dev_list_all_dev_nodes($1)
> -
> - files_search_etc($1)
> -
> - udev_search_pids($1)
> + files_search_pids($1)
> + allow $1 udev_var_run_t:dir list_dir_perms;
> + allow $1 udev_var_run_t:file read_file_perms;
> + allow $1 udev_var_run_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> ## <summary>
> -## Allow process to modify list of devices.
> +## Allow process to modify pid content.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -213,13 +238,14 @@ interface(`udev_read_db',`
> ## </summary>
> ## </param>
> #
> -interface(`udev_rw_db',`
> +interface(`udev_rw_pids',`
> gen_require(`
> - type udev_tbl_t;
> + type udev_var_run_t;
> ')
>
> dev_list_all_dev_nodes($1)
> - allow $1 udev_tbl_t:file rw_file_perms;
> + allow $1 udev_var_run_t:file rw_file_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index a5ec88b..3cfe483 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -17,15 +17,13 @@ init_daemon_domain(udev_t, udev_exec_t)
> type udev_etc_t alias etc_udev_t;
> files_config_file(udev_etc_t)
>
> -type udev_tbl_t alias udev_tdb_t;
> -files_type(udev_tbl_t)
> -
> type udev_rules_t;
> files_type(udev_rules_t)
>
> type udev_var_run_t;
> files_pid_file(udev_var_run_t)
> init_daemon_run_dir(udev_var_run_t, "udev")
> +typealias udev_var_run_t alias udev_tbl_t;
>
> ifdef(`enable_mcs',`
> kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
> @@ -63,16 +61,13 @@ can_exec(udev_t, udev_helper_exec_t)
> # read udev config
> allow udev_t udev_etc_t:file read_file_perms;
>
> -# create udev database in /dev/.udevdb
> -allow udev_t udev_tbl_t:file manage_file_perms;
> -dev_filetrans(udev_t, udev_tbl_t, file)
> -
> list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
> read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
>
> manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> +manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
>
> kernel_read_system_state(udev_t)
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com