[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/

Jason Zaman Tue, 26 Mar 2019 03:17:55 -0700

commit:     a7ec244c351f1fcccd2547b2b94554b29b69c07a
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Fri Mar 15 02:27:10 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a7ec244c


Separate out udevadm into a new domain

This is the update I have made based on suggestions for the previous
patches to add a udev_run interface.  This adds the new domain udevadm_t
which is entered from /usr/bin/udevadm.

It seems to meet the needs that I have, but there are some things to
note that are probably important.
1) There are a few systemd services that use udevadm during startup.
   I have granted the permisssions that I need based on denials I was
   seeing during startup (the machine would fail to start without the
   permisions).
2) In the udev.fc file there are other binaries that I don't have on a
   RHEL7 box that maybe should also be labeled udevadm_exec_t.
   e.g. /usr/bin/udevinfo and /usr/bin/udevsend
   But as I don't have those binaries to test, I have not updated the
   type of that binary.
3) There are some places that call udev_domtrans that maybe should now
   be using udevadm_domtrans - rpm.te, hal.te, hotplug.te.  Again,
   these are not things that I am using in my current situation and am
   unable to test the interactions to know if the change is correct.

Other than that, I think this was a good suggestion to split udevadm
into a different domain.

Only change for v4 is to use stream_connect_pattern as suggested.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/roles/sysadm.te |  4 +++
 policy/modules/system/udev.fc  |  4 +--
 policy/modules/system/udev.if  | 62 ++++++++++++++++++++++++++++++++++++++++++
 policy/modules/system/udev.te  | 40 ++++++++++++++++++++++++++-
 4 files changed, 107 insertions(+), 3 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index b600e379..6827561f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1140,6 +1140,10 @@ optional_policy(`
        tzdata_domtrans(sysadm_t)
 ')
 
+optional_policy(`
+       udevadm_run(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
        ulogd_admin(sysadm_t, sysadm_r)
 ')

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 84705e32..7e27287e 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -10,7 +10,7 @@
 /etc/udev/scripts/.+ --        
gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
 /usr/bin/udev          --      gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/bin/udevadm       --      gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevadm       --      gen_context(system_u:object_r:udevadm_exec_t,s0)
 /usr/bin/udevd         --      gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevinfo      --      gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevsend      --      gen_context(system_u:object_r:udev_exec_t,s0)
@@ -22,7 +22,7 @@ ifdef(`distro_debian',`
 ')
 
 /usr/sbin/udev         --      gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevadm      --      gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/sbin/udevadm      --      gen_context(system_u:object_r:udevadm_exec_t,s0)
 /usr/sbin/udevd                --      
gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevsend     --      gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevstart    --      gen_context(system_u:object_r:udev_exec_t,s0)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 2ecdf5f0..fc8577bd 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -518,6 +518,68 @@ interface(`udev_generic_pid_filetrans_run_dirs',`
        refpolicywarn(`$0($*) has been deprecated.')
 ')
 
+########################################
+## <summary>
+##     Execute udev admin in the udevadm domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+#
+interface(`udevadm_domtrans',`
+       gen_require(`
+               type udevadm_t, udevadm_exec_t;
+       ')
+
+       domtrans_pattern($1, udevadm_exec_t, udevadm_t)
+')
+
+########################################
+## <summary>
+##     Execute udevadm in the udevadm domain, and
+##     allow the specified role the udevadm domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to transition.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`udevadm_run',`
+       gen_require(`
+               attribute_role udevadm_roles;
+       ')
+
+       udevadm_domtrans($1)
+       roleattribute $2 udevadm_roles;
+')
+
+########################################
+## <summary>
+##     Execute udevadm in the caller domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`udevadm_exec',`
+       gen_require(`
+               type udevadm_exec_t;
+       ')
+
+       can_exec($1, udevadm_exec_t)
+')
+
 # Gentoo specific but cannot add it within an ifdef distro_gentoo
 
 #########################################

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 8149ea9a..77503764 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -4,6 +4,7 @@ policy_module(udev, 1.25.1)
 #
 # Declarations
 #
+attribute_role udevadm_roles;
 
 type udev_t;
 type udev_exec_t;
@@ -15,6 +16,12 @@ domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
 init_named_socket_activation(udev_t, udev_var_run_t)
 
+type udevadm_t;
+type udevadm_exec_t;
+init_system_domain(udevadm_t, udevadm_exec_t)
+application_domain(udevadm_t, udevadm_exec_t)
+role udevadm_roles types udevadm_t;
+
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
 
@@ -35,7 +42,7 @@ ifdef(`enable_mcs',`
 
 ########################################
 #
-# Local policy
+# udev Local policy
 #
 
 allow udev_t self:capability { chown dac_override dac_read_search fowner 
fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice 
sys_ptrace sys_rawio sys_resource };
@@ -404,3 +411,34 @@ ifdef(`distro_gentoo',`
 
        init_domtrans_script(udev_t)
 ')
+
+
+########################################
+#
+# udevadm Local policy
+#
+
+allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow udevadm_t self:unix_stream_socket create_socket_perms;
+
+delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t)
+
+dev_rw_sysfs(udevadm_t)
+dev_read_urand(udevadm_t)
+
+files_read_etc_files(udevadm_t)
+files_read_usr_files(udevadm_t)
+
+init_list_pids(udevadm_t)
+init_read_state(udevadm_t)
+
+kernel_read_system_state(udevadm_t)
+
+libs_use_ld_so(udevadm_t)
+
+seutil_read_file_contexts(udevadm_t)
+

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/

Reply via email to