From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 10 Jan 2013 08:20:42 -0500
Subject: [refpolicy] [PATCH] Drop udev_tbl_t and use udev_var_run_t
 label instead
In-Reply-To: <1357578807-17844-1-git-send-email-bigon@debian.org>
References: <1357578807-17844-1-git-send-email-bigon@debian.org>
Message-ID: <50EEC02A.6030402@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/07/13 12:13, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> On most distribution /dev/.udev has been moved to /var/run/udev. We
> should allow udev to R/W to the files stored in the new location.
> 
> At the sametime, and to not add yet another label we are renaming
> udev_tbl_t label to the newly created udev_var_run_t label
> 
> This is inspired of the changes on Fedora policy
> 
> I would be happy if somebody could review this before I'm proposing this for
> inclusion. This has only been tested on system where the directory is located
> in (/var)/run/udev.

Frankly, I think this is backwards.  *_var_run_t files are typically pid files.  The files in this dir are more than that.  If anything, it seems that udev_var_run_t should be eliminated.

Otherwise it seems that only the /run/udev/control socket might be the only thing to make sense for udev_var_run_t.


> ---
>  policy/modules/system/udev.fc |    8 +++---
>  policy/modules/system/udev.if |   58 +++++++++++++++++++++++++++++------------
>  policy/modules/system/udev.te |    9 ++-----
>  3 files changed, 48 insertions(+), 27 deletions(-)
> 
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index 40928d8..68f7f48 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -1,6 +1,6 @@
> -/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_tbl_t,s0)
> -/dev/\.udevdb	--	gen_context(system_u:object_r:udev_tbl_t,s0)
> -/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_tbl_t,s0)
> +/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_var_run_t,s0)
> +/dev/\.udevdb	--	gen_context(system_u:object_r:udev_var_run_t,s0)
> +/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_var_run_t,s0)
>  
>  /etc/dev\.d/.+	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
>  
> @@ -31,7 +31,7 @@ ifdef(`distro_redhat',`
>  /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
>  
>  /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
> -/var/run/udev(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
> +/var/run/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
>  
>  ifdef(`distro_debian',`
>  /var/run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index 9a1650d..440a732 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',`
>  #
>  interface(`udev_dontaudit_search_db',`
>  	gen_require(`
> -		type udev_tbl_t;
> +		type udev_var_run_t;
>  	')
>  
> -	dontaudit $1 udev_tbl_t:dir search_dir_perms;
> +	dontaudit $1 udev_var_run_t:dir search_dir_perms;
>  ')
>  
>  ########################################
> @@ -187,25 +187,50 @@ interface(`udev_dontaudit_search_db',`
>  ## <infoflow type="read" weight="10"/>
>  #
>  interface(`udev_read_db',`
> -	gen_require(`
> -		type udev_tbl_t;
> -	')
> +	refpolicywarn(`$0 has been deprecated, use udev_read_pids() instead.')
> +	udev_read_pids($1)
> +')
>  
> -	allow $1 udev_tbl_t:dir list_dir_perms;
> +########################################
> +## <summary>
> +##	Allow process to modify list of devices.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`udev_rw_db',`
> +	refpolicywarn(`$0 has been deprecated, use udev_rw_pids() instead.')
> +	udev_rw_pids($1)
> +')
>  
> -	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
> -	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
> +########################################
> +## <summary>
> +##	Read udev pid content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`udev_read_pids',`
> +	gen_require(`
> +		type udev_var_run_t;
> +	')
>  
>  	dev_list_all_dev_nodes($1)
> -
> -	files_search_etc($1)
> -
> -	udev_search_pids($1)
> +	files_search_pids($1)
> +	allow $1 udev_var_run_t:dir list_dir_perms;
> +	allow $1 udev_var_run_t:file read_file_perms;
> +	allow $1 udev_var_run_t:lnk_file read_lnk_file_perms;
>  ')
>  
>  ########################################
>  ## <summary>
> -##	Allow process to modify list of devices.
> +##	Allow process to modify pid content.
>  ## </summary>
>  ## <param name="domain">
>  ##	<summary>
> @@ -213,13 +238,14 @@ interface(`udev_read_db',`
>  ##	</summary>
>  ## </param>
>  #
> -interface(`udev_rw_db',`
> +interface(`udev_rw_pids',`
>  	gen_require(`
> -		type udev_tbl_t;
> +		type udev_var_run_t;
>  	')
>  
>  	dev_list_all_dev_nodes($1)
> -	allow $1 udev_tbl_t:file rw_file_perms;
> +	allow $1 udev_var_run_t:file rw_file_perms;
> +	files_search_pids($1)
>  ')
>  
>  ########################################
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index a5ec88b..3cfe483 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -17,15 +17,13 @@ init_daemon_domain(udev_t, udev_exec_t)
>  type udev_etc_t alias etc_udev_t;
>  files_config_file(udev_etc_t)
>  
> -type udev_tbl_t alias udev_tdb_t;
> -files_type(udev_tbl_t)
> -
>  type udev_rules_t;
>  files_type(udev_rules_t)
>  
>  type udev_var_run_t;
>  files_pid_file(udev_var_run_t)
>  init_daemon_run_dir(udev_var_run_t, "udev")
> +typealias udev_var_run_t alias udev_tbl_t;
>  
>  ifdef(`enable_mcs',`
>  	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
> @@ -63,16 +61,13 @@ can_exec(udev_t, udev_helper_exec_t)
>  # read udev config
>  allow udev_t udev_etc_t:file read_file_perms;
>  
> -# create udev database in /dev/.udevdb
> -allow udev_t udev_tbl_t:file manage_file_perms;
> -dev_filetrans(udev_t, udev_tbl_t, file)
> -
>  list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
>  read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
>  
>  manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
>  manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
>  manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> +manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
>  files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
>  
>  kernel_read_system_state(udev_t)
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com