From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 10 Jan 2013 08:20:42 -0500
Subject: [refpolicy] [PATCH] Drop udev_tbl_t and use udev_var_run_t label instead
In-Reply-To: <1357578807-17844-1-git-send-email-bigon@debian.org>
References: <1357578807-17844-1-git-send-email-bigon@debian.org>
Message-ID: <50EEC02A.6030402@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/07/13 12:13, Laurent Bigonville wrote:
> From: Laurent Bigonville
>
> On most distribution /dev/.udev has been moved to /var/run/udev. We
> should allow udev to R/W to the files stored in the new location.
>
> At the sametime, and to not add yet another label we are renaming
> udev_tbl_t label to the newly created udev_var_run_t label
>
> This is inspired of the changes on Fedora policy
>
> I would be happy if somebody could review this before I'm proposing this for
> inclusion. This has only been tested on system where the directory is located
> in (/var)/run/udev.

Frankly, I think this is backwards. *_var_run_t files are typically pid files. The files in this dir are more than that. If anything, it seems that udev_var_run_t should be eliminated. Otherwise it seems that only the /run/udev/control socket might be the only thing to make sense for udev_var_run_t.

> ---
> policy/modules/system/udev.fc | 8 +++---
> policy/modules/system/udev.if | 58 +++++++++++++++++++++++++++++------------
> policy/modules/system/udev.te | 9 ++-----
> 3 files changed, 48 insertions(+), 27 deletions(-)
>
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index 40928d8..68f7f48 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -1,6 +1,6 @@
> -/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
> -/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
> -/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
> +/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0)
> +/dev/\.udevdb -- gen_context(system_u:object_r:udev_var_run_t,s0)
> +/dev/udev\.tbl -- gen_context(system_u:object_r:udev_var_run_t,s0)
>
> /etc/dev\.d/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
>
> @@ -31,7 +31,7 @@ ifdef(`distro_redhat',`
> /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
>
> /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
> -/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
> +/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
>
> ifdef(`distro_debian',`
> /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index 9a1650d..440a732 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',`
> #
> interface(`udev_dontaudit_search_db',`
> gen_require(`
> - type udev_tbl_t;
> + type udev_var_run_t;
> ')
>
> - dontaudit $1 udev_tbl_t:dir search_dir_perms;
> + dontaudit $1 udev_var_run_t:dir search_dir_perms;
> ')
>
> ########################################
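Review bot: The relabelled `/dev` entries in the first hunk keep the `--` qualifier, so `/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_var_run_t,s0)` matches only regular files and neither the `/dev/.udev` directory itself nor any symlink or socket beneath it receives `udev_var_run_t` from this entry. The udev.te hunk in the same series also removes `dev_filetrans(udev_t, udev_tbl_t, file)`, so on a system that still uses `/dev/.udev` the objects udev creates there would presumably inherit the parent directory's type rather than `udev_var_run_t`, and the description notes the change was tested only with the directory under `(/var)/run/udev`. If `/dev/.udev` is still a supported layout the qualifier should be dropped (`/dev/\.udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)`) so the directory and its contents are covered; if it is not, the three entries are better removed than relabelled.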
> @@ -187,25 +187,50 @@ interface(`udev_dontaudit_search_db',`
> ##
> #
> interface(`udev_read_db',`
> - gen_require(`
> - type udev_tbl_t;
> - ')
> + refpolicywarn(`$0 has been deprecated, use udev_read_pids() instead.')
> + udev_read_pids($1)
> +')
>
> - allow $1 udev_tbl_t:dir list_dir_perms;
> +########################################
> +##
> +## Allow process to modify list of devices.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`udev_rw_db',`
> + refpolicywarn(`$0 has been deprecated, use udev_rw_pids() instead.')
> + udev_rw_pids($1)
> +')
>
> - read_files_pattern($1, udev_tbl_t, udev_tbl_t)
> - read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
> +########################################
> +##
> +## Read udev pid content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`udev_read_pids',`
> + gen_require(`
> + type udev_var_run_t;
> + ')
>
> dev_list_all_dev_nodes($1)
> -
> - files_search_etc($1)
> -
> - udev_search_pids($1)
> + files_search_pids($1)
> + allow $1 udev_var_run_t:dir list_dir_perms;
> + allow $1 udev_var_run_t:file read_file_perms;
> + allow $1 udev_var_run_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> ##
> -## Allow process to modify list of devices.
> +## Allow process to modify pid content.
> ##
> ##
> ##
> @@ -213,13 +238,14 @@ interface(`udev_read_db',`
> ##
> ##
> #
> -interface(`udev_rw_db',`
> +interface(`udev_rw_pids',`
> gen_require(`
> - type udev_tbl_t;
> + type udev_var_run_t;
> ')
>
> dev_list_all_dev_nodes($1)
> - allow $1 udev_tbl_t:file rw_file_perms;
> + allow $1 udev_var_run_t:file rw_file_perms;
> + files_search_pids($1)
> ')
>
> ########################################
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index a5ec88b..3cfe483 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
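Review bot: `udev_rw_pids` in the `@@ -213` hunk adds `files_search_pids($1)` but grants no `search` on `udev_var_run_t:dir`, so a domain that calls only this interface still cannot reach the files under `/run/udev`; `udev_read_pids` in the `@@ -187` hunk does grant `list_dir_perms` on that directory. Adding `allow $1 udev_var_run_t:dir search_dir_perms;` beside the `rw_file_perms` rule would make the interface self-contained. Both new interfaces also carry over `dev_list_all_dev_nodes($1)` from the old `*_db` interfaces, which the new summaries `Read udev pid content.` and `Allow process to modify pid content.` do not mention, and every caller of the deprecated wrappers keeps receiving it; either document it in the summary comment or check whether any caller still needs it. The summary comment kept for the deprecated `udev_rw_db` wrapper still reads `Allow process to modify list of devices.` and could state the deprecation instead.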
> @@ -17,15 +17,13 @@ init_daemon_domain(udev_t, udev_exec_t)
> type udev_etc_t alias etc_udev_t;
> files_config_file(udev_etc_t)
>
> -type udev_tbl_t alias udev_tdb_t;
> -files_type(udev_tbl_t)
> -
> type udev_rules_t;
> files_type(udev_rules_t)
>
> type udev_var_run_t;
> files_pid_file(udev_var_run_t)
> init_daemon_run_dir(udev_var_run_t, "udev")
> +typealias udev_var_run_t alias udev_tbl_t;
>
> ifdef(`enable_mcs',`
> kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
> @@ -63,16 +61,13 @@ can_exec(udev_t, udev_helper_exec_t)
> # read udev config
> allow udev_t udev_etc_t:file read_file_perms;
>
> -# create udev database in /dev/.udevdb
> -allow udev_t udev_tbl_t:file manage_file_perms;
> -dev_filetrans(udev_t, udev_tbl_t, file)
> -
> list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
> read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
>
> manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> +manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
>
> kernel_read_system_state(udev_t)
> -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
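Review bot: The removed line `type udev_tbl_t alias udev_tdb_t;` declared two names, but the replacement `typealias udev_var_run_t alias udev_tbl_t;` in the first hunk preserves only `udev_tbl_t`, so any module or file context still referring to `udev_tdb_t` would no longer resolve. Keeping both, `typealias udev_var_run_t alias { udev_tbl_t udev_tdb_t };`, retains the compatibility the alias exists to provide. In the second hunk `manage_sock_files_pattern` is added for `udev_var_run_t` while `files_pid_filetrans(udev_t, udev_var_run_t, { dir file })` is left without `sock_file`; a socket created inside `/run/udev` presumably inherits the directory's type, but one created directly under `/run` would not get `udev_var_run_t`, so it is worth confirming where the socket is created and adding `sock_file` to the class list if needed.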