From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 29 Aug 2012 21:37:55 +0200
Subject: [refpolicy] [PATCH v1 5/5] Udev's tables (run data) is stored in directories
In-Reply-To: <1346268526-22260-6-git-send-email-sven.vermeulen@siphos.be>
References: <1346268526-22260-1-git-send-email-sven.vermeulen@siphos.be>
	<1346268526-22260-6-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1346269075.15262.3.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2012-08-29 at 21:28 +0200, Sven Vermeulen wrote:
> When udev creates a directory to store its runtime data in, it will attempt to
> relabel the directory too. So allow udev SELinux policy to do so, as well as
> manage the udev_tbl_t files and directories.
>
> Signed-off-by: Sven Vermeulen
> ---
>  policy/modules/system/udev.te |    7 +++++--
>  1 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 00fcf27..261055d 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -63,8 +63,11 @@ can_exec(udev_t, udev_helper_exec_t) > # read udev config > allow udev_t udev_etc_t:file read_file_perms; > > -# create udev database in /dev/.udevdb > -allow udev_t udev_tbl_t:file manage_file_perms; > +allow udev_t udev_tbl_t:dir relabelto; > +manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t) > +manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t) > +manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t) > + > dev_filetrans(udev_t, udev_tbl_t, file)

This doesn't make sense to me. First we had:

allow udev_t udev_tbl_t:file manage_file_perms;
dev_filetrans(udev_t, udev_tbl_t, file)

with these specs:

/dev/\.udev(/.*)?	--	gen_context(system_u:object_r:udev_tbl_t,s0)
/dev/\.udevdb		--	gen_context(system_u:object_r:udev_tbl_t,s0)
/dev/udev\.tbl		--	gen_context(system_u:object_r:udev_tbl_t,s0)

What does this tell me? Well, there shouldn't be any dirs and symlinks with type udev_tbl_t. Only files. dirs and lnk_files should be device_t.

> > list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
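Review bot: the added "allow udev_t udev_tbl_t:dir relabelto;" and the manage_dirs_pattern / manage_lnk_files_pattern lines on udev_tbl_t have nothing to apply to as long as the file contexts quoted in this thread label only regular files ("--") udev_tbl_t, and the hunk keeps "dev_filetrans(udev_t, udev_tbl_t, file)", so a directory udev creates under /dev still defaults to device_t rather than udev_tbl_t. If udev really creates and relabels a runtime directory, the change needs the matching pieces: an .fc entry that labels that directory udev_tbl_t, a dir transition next to the file one (dev_filetrans(udev_t, udev_tbl_t, dir)), and the relabelfrom side on the source type, since relabelto on its own is only half of a relabel. Otherwise keep only the manage_files_pattern line and drop the dir and lnk_file rules. Separately, the removed "# create udev database in /dev/.udevdb" comment should be replaced by one that says what runtime data these new rules cover.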
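To make the point about the "--" specs concrete, here is an added example (not code from refpolicy, the patch or either poster) that resolves which type a set of refpolicy file-context specs would give a path of a given object class. It is a simplified model of libselinux matching: specs are anchored regexes, an optional flag restricts the object class, and among matching specs the last one listed wins (assumption: refpolicy sorts its fc output so the most specific spec comes last). The generic "/dev(/.*)?" device_t entry is assumed from devices.fc, the sample paths under /dev/.udev are constructed, and the second spec set without the "--" restriction is a hypothetical variant that nobody in the thread proposed.

```python
"""Resolve the SELinux type refpolicy file-contexts specs would give a path.

Added example, not code from refpolicy or the patch. Simplified model of
libselinux matching: anchored regexes, optional object-class flag, and among
matching specs the last one listed wins (assumption: refpolicy's fc output is
sorted so the most specific spec comes last).
"""
import re

# file_contexts(5) object-class flags; a missing flag matches any class.
FTYPE_FLAGS = {
    "--": "file", "-d": "dir", "-l": "lnk_file", "-b": "blk_file",
    "-c": "chr_file", "-p": "fifo_file", "-s": "sock_file",
}


def parse_fc(text):
    """Parse refpolicy .fc lines into (compiled regex, class-or-None, type)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            path_re, flag, ctx = parts
            ftype = FTYPE_FLAGS[flag]
        elif len(parts) == 2:
            (path_re, ctx), ftype = parts, None
        else:
            raise ValueError(f"malformed spec: {line!r}")
        if ctx == "<<none>>":
            setype = None
        else:
            # gen_context(user:role:type,mls) -> user:role:type -> type
            if ctx.startswith("gen_context(") and ctx.endswith(")"):
                ctx = ctx[len("gen_context("):-1].split(",")[0]
            setype = ctx.split(":")[2]
        specs.append((re.compile(path_re), ftype, setype))
    return specs


def lookup(specs, path, cls):
    """Type an object `path` of class `cls` would get, or None if unlabelled."""
    for regex, ftype, setype in reversed(specs):  # last matching spec wins
        if regex.fullmatch(path) and (ftype is None or ftype == cls):
            return setype
    return None


# The three specs quoted in the thread, plus the generic /dev entry
# (assumption: refpolicy's devices.fc labels everything else under /dev device_t).
UDEV_FC = r"""
/dev(/.*)?               gen_context(system_u:object_r:device_t,s0)
/dev/\.udev(/.*)?    --  gen_context(system_u:object_r:udev_tbl_t,s0)
/dev/\.udevdb        --  gen_context(system_u:object_r:udev_tbl_t,s0)
/dev/udev\.tbl       --  gen_context(system_u:object_r:udev_tbl_t,s0)
"""

# Hypothetical variant (not proposed in the thread): same specs with the "--"
# dropped on /dev/.udev, which is what dir/lnk_file rules on udev_tbl_t need.
UDEV_FC_ALL_CLASSES = r"""
/dev(/.*)?               gen_context(system_u:object_r:device_t,s0)
/dev/\.udev(/.*)?        gen_context(system_u:object_r:udev_tbl_t,s0)
/dev/\.udevdb        --  gen_context(system_u:object_r:udev_tbl_t,s0)
/dev/udev\.tbl       --  gen_context(system_u:object_r:udev_tbl_t,s0)
"""

# Constructed sample objects udev might create under /dev (not from the page).
SAMPLE_OBJECTS = [
    ("/dev/.udev", "dir"),
    ("/dev/.udev/db", "dir"),
    ("/dev/.udev/db/b8:0", "file"),
    ("/dev/.udev/links/foo", "lnk_file"),
    ("/dev/.udevdb", "file"),
    ("/dev/udev.tbl", "file"),
]


def label_all(fc_text, objects=SAMPLE_OBJECTS):
    """Map each (path, class) to the type the given spec set assigns it."""
    specs = parse_fc(fc_text)
    return {(path, cls): lookup(specs, path, cls) for path, cls in objects}


if __name__ == "__main__":
    for name, fc in (("specs as quoted", UDEV_FC),
                     ("without -- on /dev/.udev", UDEV_FC_ALL_CLASSES)):
        print(name)
        for (path, cls), setype in label_all(fc).items():
            print(f"  {cls:9} {path:22} -> {setype}")
```

With the specs as quoted, every dir and lnk_file under /dev/.udev resolves to device_t and only the regular files get udev_tbl_t, which is the mismatch the reply points at; the variant shows what the spec would have to look like before dir or lnk_file rules on udev_tbl_t could ever be exercised.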