From: gizmo@giz-works.com (Chris Richards)
Date: Tue, 27 Apr 2010 09:34:52 -0500
Subject: [refpolicy] [PATCH 1/1] Create new interface and type for managing /etc/udev/rules.d
In-Reply-To: <1272373805.32279.237.camel@gorn>
References: <1271399256-4177-1-git-send-email-gizmo@giz-works.com> <1272373805.32279.237.camel@gorn>
Message-ID: <4BD6F60C.1010401@giz-works.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Under udev_var_run_t, initrc_t didn't have the permissions to write to that directory (specifically to create a new directory). udev-postmount attempts to create a temporary directory ".temp.${pid}" to see if the directory is writable. If it is, then udev-postmount continues by copying the rules into /etc/udev/rules.d. If not, then it skips that step entirely.

I didn't want to give that kind of permission to udev_var_run_t, since it would also apply to pid files, run files, and a bunch of other stuff that initrc_t accesses using that label, which was why I created the udev_rules_t type.

The logic that Gentoo uses (creating the dir to check for write permissions) MIGHT be Gentoo specific, since Fedora (and, presumably, RHEL) doesn't do that (it just assumes it has write access). However, I don't know about Debian or SuSE and their derivatives.

Actually, for that part, it might be smarter to submit a patch to Gentoo to change how the udev-postmount script works, now that I think a bit more about it.

Later,
Chris

On 04/27/2010 08:10 AM, Christopher J. PeBenito wrote:
> On Fri, 2010-04-16 at 06:27 +0000, Chris Richards wrote:
>
>> udev_var_run_t is used for managing files in /etc/udev/rules.d as well as other files, including udev pid files. This patch creates a type specifically for rules.d files, and an interface for managing them. It also gives access to this type to initrc_t so that rules can be properly populated during startup. This also fixes a problem on Gentoo where udev rules are NOT properly populated on startup.
>> > Why does the new interface have more access than the old one (it > includes manage_dirs_pattern)? > > The interface in the .if should also be moved up after > udev_dontaudit_rw_dgram_sockets(). > > >> Signed-off-by: Chris Richards >> --- >> policy/modules/system/init.te | 1 + >> policy/modules/system/udev.fc | 2 +- >> policy/modules/system/udev.if | 19 +++++++++++++++++++ >> policy/modules/system/udev.te | 6 ++++++ >> 4 files changed, 27 insertions(+), 1 deletions(-) >> >> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te >> index 04d5792..11a369b 100644 >> --- a/policy/modules/system/init.te >> +++ b/policy/modules/system/init.te >> @@ -794,6 +794,7 @@ optional_policy(` >> optional_policy(` >> udev_rw_db(initrc_t) >> udev_manage_pid_files(initrc_t) >> + udev_manage_rules_files(initrc_t) >> ') >> >> optional_policy(` >> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc >> index 53c2e97..0291685 100644 >> --- a/policy/modules/system/udev.fc >> +++ b/policy/modules/system/udev.fc >> @@ -6,7 +6,7 @@ >> >> /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0) >> >> -/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) >> +/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0) >> /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) >> >> /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) >> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if >> index 7a47b45..12489cb 100644 >> --- a/policy/modules/system/udev.if >> +++ b/policy/modules/system/udev.if 
>> @@ -213,3 +213,22 @@ interface(`udev_manage_pid_files',` >> files_search_var_lib($1) >> manage_files_pattern($1, udev_var_run_t, udev_var_run_t) >> ') >> + >> +######################################## >> +## >> +## Manage udev rules files >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`udev_manage_rules_files',` >> + gen_require(` >> + type udev_rules_t; >> + ') >> + >> + manage_dirs_pattern($1, udev_rules_t, udev_rules_t) >> + manage_files_pattern($1, udev_rules_t, udev_rules_t) >> +') >> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te >> index 3f0a14e..af1f4e4 100644 >> --- a/policy/modules/system/udev.te >> +++ b/policy/modules/system/udev.te >> @@ -21,6 +21,9 @@ files_config_file(udev_etc_t) >> type udev_tbl_t alias udev_tdb_t; >> files_type(udev_tbl_t) >> >> +type udev_rules_t; >> +files_type(udev_rules_t) >> + >> type udev_var_run_t; >> files_pid_file(udev_var_run_t) >> >> @@ -64,6 +67,9 @@ allow udev_t udev_etc_t:file read_file_perms; >> allow udev_t udev_tbl_t:file manage_file_perms; >> dev_filetrans(udev_t, udev_tbl_t, file) >> >> +list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t) >> +read_files_pattern(udev_t, udev_rules_t, udev_rules_t) >> + >> manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) >> manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) >> manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) >> >
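Review bot: the udev_manage_rules_files(initrc_t) call in the init.te hunk widens what initrc_t may do to the rules tree compared with the udev_manage_pid_files(initrc_t) call beside it, because the new interface carries manage_dirs_pattern as well as manage_files_pattern; the use case given in the thread (udev-postmount creating and removing a probe directory, then copying rules in) should be stated in the commit message as the justification, or the directory access should be narrowed to what that probe actually needs.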
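Review bot: the udev.fc hunk changes the label of /etc/udev/rules.d(/.*)? from udev_var_run_t to udev_rules_t, so installed systems keep the old label until the path is relabelled; the commit message should say that a restorecon of /etc/udev/rules.d (or a full relabel) is required for the new initrc_t access to take effect, and that any domain which previously reached rules.d through the udev_var_run_t interfaces (such as udev_manage_pid_files) loses that access after the relabel.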
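Review bot: the new interface in the udev.if hunk gives $1 no search access to the directories above udev_rules_t, so a caller that does not already hold it cannot traverse to /etc/udev/rules.d; the neighbouring udev_manage_pid_files calls files_search_var_lib($1) before its manage pattern, and this interface should likewise call files_search_etc($1) and grant search on whichever type labels /etc/udev. As shown here the doc block also carries no summary/param markup around `+## Manage udev rules files` and `+## Domain allowed access.`; if that is not an artifact of the mail archive, add the tags used by the other interfaces in udev.if so the interface documentation builds.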
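Review bot: udev_rules_t in the first udev.te hunk is declared with files_type() although it labels content under /etc, while the udev_etc_t declaration in the hunk context uses files_config_file(); declaring udev_rules_t the same way would let the generic config-file interfaces cover the rules directory consistently with the rest of /etc/udev, so either switch to files_config_file(udev_rules_t) or note in the commit message why plain files_type() is intended.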
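Review bot: the second udev.te hunk gives udev_t only list_dirs_pattern and read_files_pattern on udev_rules_t, whereas before this patch rules.d was udev_var_run_t and the context lines just below show udev_t holding manage_dirs, manage_files and manage_lnk_files on that type; this is a net reduction of udev's own access to /etc/udev/rules.d. Confirm that udev itself never needs to create or update rules there, or grant the matching manage patterns, and add a read_lnk_files_pattern line if rules files may be symlinked, since the new pair covers only dirs and plain files.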