From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 18 May 2010 10:28:32 -0400 Subject: [refpolicy] [PATCH 1/1] Create new interface and type for managing /etc/udev/rules.d In-Reply-To: <1271399256-4177-1-git-send-email-gizmo@giz-works.com> References: <1271399256-4177-1-git-send-email-gizmo@giz-works.com> Message-ID: <1274192912.2093.112.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2010-04-16 at 06:27 +0000, Chris Richards wrote: > udev_var_run_t is used for managing files in /etc/udev/rules.d as well as other files, including udev pid files. This patch creates a type specifically for rules.d files, and an interface for managing them. It also gives access to this type to initrc_t so that rules can be properly populated during startup. This also fixes a problem on Gentoo where udev rules are NOT properly populated on startup. Merged. > Signed-off-by: Chris Richards > --- > policy/modules/system/init.te | 1 + > policy/modules/system/udev.fc | 2 +- > policy/modules/system/udev.if | 19 +++++++++++++++++++ > policy/modules/system/udev.te | 6 ++++++ > 4 files changed, 27 insertions(+), 1 deletions(-) > > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index 04d5792..11a369b 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -794,6 +794,7 @@ optional_policy(` > optional_policy(` > udev_rw_db(initrc_t) > udev_manage_pid_files(initrc_t) > + udev_manage_rules_files(initrc_t) > ') > > optional_policy(` > diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc > index 53c2e97..0291685 100644 > --- a/policy/modules/system/udev.fc > +++ b/policy/modules/system/udev.fc 
> @@ -6,7 +6,7 @@ > > /etc/hotplug\.d/default/udev.* -- gen_context(system_u:object_r:udev_helper_exec_t,s0) > > -/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0) > +/etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0) > /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0) > > /lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0) > diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if > index 7a47b45..12489cb 100644 > --- a/policy/modules/system/udev.if > +++ b/policy/modules/system/udev.if > @@ -213,3 +213,22 @@ interface(`udev_manage_pid_files',` > files_search_var_lib($1) > manage_files_pattern($1, udev_var_run_t, udev_var_run_t) > ') > + > +######################################## > +## > +## Manage udev rules files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`udev_manage_rules_files',` > + gen_require(` > + type udev_rules_t; > + ') > + > + manage_dirs_pattern($1, udev_rules_t, udev_rules_t) > + manage_files_pattern($1, udev_rules_t, udev_rules_t) > +') > diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te > index 3f0a14e..af1f4e4 100644 > --- a/policy/modules/system/udev.te > +++ b/policy/modules/system/udev.te > @@ -21,6 +21,9 @@ files_config_file(udev_etc_t) > type udev_tbl_t alias udev_tdb_t; > files_type(udev_tbl_t) > > +type udev_rules_t; > +files_type(udev_rules_t) > + > type udev_var_run_t; > files_pid_file(udev_var_run_t) 
> > @@ -64,6 +67,9 @@ allow udev_t udev_etc_t:file read_file_perms; > allow udev_t udev_tbl_t:file manage_file_perms; > dev_filetrans(udev_t, udev_tbl_t, file) > > +list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t) > +read_files_pattern(udev_t, udev_rules_t, udev_rules_t) > + > manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t) > manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) > manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
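Review bot: the udev.fc hunk relabels /etc/udev/rules.d(/.*)? from udev_var_run_t to udev_rules_t, but file contexts only apply to files created or relabeled after the policy is loaded; on an existing installation the rules keep their udev_var_run_t label until the directory is relabeled (for example with restorecon -R /etc/udev/rules.d), so the policy update should be accompanied by a relabel note, otherwise the new interface grants nothing useful on upgraded systems.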
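Review bot: udev_manage_rules_files in the udev.if hunk does not grant search on the parent directory and does not cover symlinks. The neighbouring udev_manage_pid_files, visible in the hunk context, calls files_search_var_lib($1) before its manage pattern; the new interface should likewise call files_search_etc($1) so a caller can reach /etc/udev/rules.d. The udev_var_run_t access it replaces in udev.te also includes manage_lnk_files_pattern, so consider adding manage_lnk_files_pattern($1, udev_rules_t, udev_rules_t) unless symlinks under rules.d are intentionally excluded.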
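Review bot: the first udev.te hunk declares udev_rules_t with files_type(udev_rules_t), while the context line just above it marks udev_etc_t with files_config_file(). Since /etc/udev/rules.d holds configuration rather than generic data, files_config_file(udev_rules_t) would be the more accurate choice and keeps the type covered by the config-file interfaces that other domains already use.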
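Review bot: the second udev.te hunk reduces udev_t from the manage access it had on this path through udev_var_run_t to list_dirs_pattern and read_files_pattern on udev_rules_t. That is the right direction for least privilege, but it should be confirmed that udev itself and its helpers never create or rewrite rule files at runtime, since any such write is now denied and will surface as an AVC denial against udev_rules_t.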