From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 21 Apr 2014 10:17:32 -0400
Subject: [refpolicy] [PATCH] Label /usr/share/virtualbox/VBoxCreateUSBNode.sh as udev_helper_exec_t
In-Reply-To: <1397510880-7433-1-git-send-email-nicolas.iooss@m4x.org>
References: <1397510880-7433-1-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <5355287C.2010905@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/14/2014 05:28 PM, Nicolas Iooss wrote:
> VBoxCreateUSBNode.sh creates character special files in /dev/vboxusb each time
> a new USB device appears. This script is called by udev.
>
> audit.log on a system in permissive mode before this patch contains:
>
> type=AVC msg=audit(1396889711.890:175): avc: denied { execute } for pid=26284 comm="systemd-udevd" name="VBoxCreateUSBNode.sh" dev="sda5" ino=5899405 scontext=system_u:system_r:udev_t tcontext=unconfined_u:object_r:usr_t tclass=file
> type=AVC msg=audit(1396889711.890:175): avc: denied { execute_no_trans } for pid=26284 comm="systemd-udevd" path="/usr/share/virtualbox/VBoxCreateUSBNode.sh" dev="sda5" ino=5899405 scontext=system_u:system_r:udev_t tcontext=unconfined_u:object_r:usr_t tclass=file
> ---
> policy/modules/system/udev.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index 0b4df21..9c5ea54 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -31,6 +31,8 @@ ifdef(`distro_redhat',`
>
> /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
>
> +/usr/share/virtualbox/VBoxCreateUSBNode\.sh -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
> +
> /var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
>
> ifdef(`distro_debian',`

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
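Review bot: The hunk header names `ifdef(`distro_redhat',`` as the enclosing context for the new `/usr/share/virtualbox/VBoxCreateUSBNode\.sh` entry; please confirm the line sits outside that block, since the VirtualBox path is not Red Hat-specific and the surrounding context lines (`/usr/lib/systemd/systemd-udevd`, `/var/run/udev(/.*)?`) are themselves unconditional. The label itself matches the denials: both AVCs are `udev_t` against `usr_t` for `execute` and `execute_no_trans`, which is exactly what `udev_helper_exec_t` is meant to permit without a domain transition. It would help to say in the commit message that existing installs keep hitting these denials until the file is relabeled (a `restorecon` on that path after the policy update), because a file-context change alone does not touch files already on disk.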