From: bigon@debian.org (Laurent Bigonville)
Date: Mon, 7 Jan 2013 18:13:27 +0100
Subject: [refpolicy] [PATCH] Drop udev_tbl_t and use udev_var_run_t label instead
Message-ID: <1357578807-17844-1-git-send-email-bigon@debian.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: Laurent Bigonville
On most distribution /dev/.udev has been moved to /var/run/udev. We should allow udev to R/W to the files stored in the new location. At the sametime, and to not add yet another label we are renaming udev_tbl_t label to the newly created udev_var_run_t label This is inspired of the changes on Fedora policy I would be happy if somebody could review this before I'm proposing this for inclusion. This has only been tested on system where the directory is located in (/var)/run/udev. Thanks! Laurent Bigonville
---
 policy/modules/system/udev.fc | 8 +++---
 policy/modules/system/udev.if | 58 +++++++++++++++++++++++++++++------------
 policy/modules/system/udev.te | 9 ++-----
 3 files changed, 48 insertions(+), 27 deletions(-)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 40928d8..68f7f48 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -1,6 +1,6 @@
-/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
-/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
-/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0)
+/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0)
+/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0)
 /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
@@ -31,7 +31,7 @@ ifdef(`distro_redhat',`
 /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
 /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
+/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 ifdef(`distro_debian',`
 /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 9a1650d..440a732 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',`
 #
 interface(`udev_dontaudit_search_db',`
 gen_require(`
- type udev_tbl_t;
+ type udev_var_run_t;
 ')
- dontaudit $1 udev_tbl_t:dir search_dir_perms;
+ dontaudit $1 udev_var_run_t:dir search_dir_perms;
 ')
 ########################################
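Review bot: `udev_dontaudit_search_db` now dontaudits `udev_var_run_t:dir` but keeps its `_db` name, while the `udev_read_db` and `udev_rw_db` interfaces in the following hunks become deprecated wrappers around new `_pids` interfaces, so this one is left as the odd one out. For consistency, add a `udev_dontaudit_search_pids` interface with the same doc header that carries the `dontaudit $1 udev_var_run_t:dir search_dir_perms;` rule, and reduce this interface to a `refpolicywarn(...)` call naming udev_dontaudit_search_pids followed by `udev_dontaudit_search_pids($1)`, exactly as the read_db/rw_db hunks do. The doc header of this interface starts above the hunk and would need the same deprecation wording.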
@@ -187,25 +187,50 @@ interface(`udev_dontaudit_search_db',`
 ##
 #
 interface(`udev_read_db',`
- gen_require(`
- type udev_tbl_t;
- ')
+ refpolicywarn(`$0 has been deprecated, use udev_read_pids() instead.')
+ udev_read_pids($1)
+')
- allow $1 udev_tbl_t:dir list_dir_perms;
+########################################
+##
+## Allow process to modify list of devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_rw_db',`
+ refpolicywarn(`$0 has been deprecated, use udev_rw_pids() instead.')
+ udev_rw_pids($1)
+')
- read_files_pattern($1, udev_tbl_t, udev_tbl_t)
- read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
+########################################
+##
+## Read udev pid content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`udev_read_pids',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
 dev_list_all_dev_nodes($1)
-
- files_search_etc($1)
-
- udev_search_pids($1)
+ files_search_pids($1)
+ allow $1 udev_var_run_t:dir list_dir_perms;
+ allow $1 udev_var_run_t:file read_file_perms;
+ allow $1 udev_var_run_t:lnk_file read_lnk_file_perms;
 ')
 ########################################
 ##
-## Allow process to modify list of devices.
+## Allow process to modify pid content.
 ##
 ##
 ##
@@ -213,13 +238,14 @@ interface(`udev_read_db',`
 ##
 ##
 #
-interface(`udev_rw_db',`
+interface(`udev_rw_pids',`
 gen_require(`
- type udev_tbl_t;
+ type udev_var_run_t;
 ')
 dev_list_all_dev_nodes($1)
- allow $1 udev_tbl_t:file rw_file_perms;
+ allow $1 udev_var_run_t:file rw_file_perms;
+ files_search_pids($1)
 ')
 ########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a5ec88b..3cfe483 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
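Review bot: The new `udev_read_pids` body spells out the file and lnk_file access as raw `allow` rules, whereas the removed `udev_read_db` body (and the rest of udev.if) uses the `*_pattern` macros; keeping the file's convention would be `allow $1 udev_var_run_t:dir list_dir_perms;` followed by `read_files_pattern($1, udev_var_run_t, udev_var_run_t)` and `read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)`. The `files_search_pids($1)` call is also placed before the local rules here but after them in the `udev_rw_pids` hunk below; ordering the two new interfaces the same way makes them easier to compare. The deprecated `udev_read_db` wrapper is left under the pre-existing doc header that starts above this hunk, which still describes it as reading the device list; that header should say the interface is deprecated and point at `udev_read_pids`.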
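Review bot: `udev_rw_pids` grants `udev_var_run_t:file rw_file_perms` but nothing on `udev_var_run_t:dir`, and the added `files_search_pids($1)` only covers the parent pid directory; with the data now living below `/var/run/udev`, which the udev.fc hunk labels `udev_var_run_t` as a directory, a caller cannot traverse into that directory to reach the files, so the interface is probably not usable on its own (the old `udev_tbl_t` files sat directly in `/dev`, where `dev_list_all_dev_nodes` supplied the traversal). Replace the allow rule with `rw_files_pattern($1, udev_var_run_t, udev_var_run_t)`, which grants the directory search callers need and matches the macro style used elsewhere in udev.if. This is inferred from the paths in udev.fc rather than from a test on a live system, so please confirm with a caller of the interface.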
@@ -17,15 +17,13 @@ init_daemon_domain(udev_t, udev_exec_t)
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
-type udev_tbl_t alias udev_tdb_t;
-files_type(udev_tbl_t)
-
 type udev_rules_t;
 files_type(udev_rules_t)
 type udev_var_run_t;
 files_pid_file(udev_var_run_t)
 init_daemon_run_dir(udev_var_run_t, "udev")
+typealias udev_var_run_t alias udev_tbl_t;
 ifdef(`enable_mcs',`
 kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
@@ -63,16 +61,13 @@ can_exec(udev_t, udev_helper_exec_t)
 # read udev config
 allow udev_t udev_etc_t:file read_file_perms;
-# create udev database in /dev/.udevdb
-allow udev_t udev_tbl_t:file manage_file_perms;
-dev_filetrans(udev_t, udev_tbl_t, file)
-
 list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
 read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
 manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
 kernel_read_system_state(udev_t)
--
1.7.10.4
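Review bot: The new `typealias udev_var_run_t alias udev_tbl_t;` carries over only one of the two names the removed `type udev_tbl_t alias udev_tdb_t;` declared, so any policy module or file context still referring to `udev_tdb_t` stops compiling or relabelling after this change. Unless `udev_tdb_t` has been confirmed unused everywhere, declare both: `typealias udev_var_run_t alias { udev_tbl_t udev_tdb_t };`. The commit message should also mention that the old names remain accepted as aliases.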
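Review bot: This hunk drops `dev_filetrans(udev_t, udev_tbl_t, file)` without a replacement, yet udev.fc still labels `/dev/\.udevdb` and `/dev/udev\.tbl` as `udev_var_run_t`; on a system where udev still writes its database under `/dev`, those files would now inherit the label of `/dev` instead of `udev_var_run_t`, and the commit message says the change was only tested with the directory under `(/var)/run/udev`. Either keep the transition as `dev_filetrans(udev_t, udev_var_run_t, file)` or remove the `/dev` entries from udev.fc so the two files agree. The added `manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)` is not mentioned in the commit message; a short sentence there (or a comment above the rule naming the socket it is for) would help reviewers, and since sock_file is not in the `files_pid_filetrans` class list it should be confirmed that udev only creates sockets inside an already-labelled `udev_var_run_t` directory.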