From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH v1 5/5] Udev's tables (run data) is stored in directories
Date: Wed, 29 Aug 2012 21:55:28 +0200 [thread overview]
Message-ID: <20120829195527.GA22738@siphos.be> (raw)
In-Reply-To: <1346269075.15262.3.camel@d30.localdomain>
On Wed, Aug 29, 2012 at 09:37:55PM +0200, Dominick Grift wrote:
> > -# create udev database in /dev/.udevdb
> > -allow udev_t udev_tbl_t:file manage_file_perms;
> > +allow udev_t udev_tbl_t:dir relabelto;
> > +manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
> > +manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
> > +manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
> > +
> > dev_filetrans(udev_t, udev_tbl_t, file)
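Review bot: the new `allow udev_t udev_tbl_t:dir relabelto;` is hard to justify from what the hunk shows. Relabeling an existing directory checks relabelfrom on its current type as well as relabelto on the new one, and no relabelfrom is added here, so on its own the rule cannot be exercised; and if udev creates the directories under a setfscreatecon context (the mkdirat excerpt further down in this mail), what the kernel checks is the dir create permission that manage_dirs_pattern already grants, not relabelto. Either drop the relabelto line or pair it with the relabelfrom it needs and document which udev code path relabels an existing directory. The dropped comment `# create udev database in /dev/.udevdb` should be replaced by one naming the new location rather than removed, and `dev_filetrans(udev_t, udev_tbl_t, file)` still names only the file class, so a directory udev makes under /dev without an explicit creation context stays device_t.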
>
> This doesnt make sense to me.
>
> First we had:
>
> allow udev_t udev_tbl_t:file manage_file_perms;
> dev_filetrans(udev_t, udev_tbl_t, file)
>
> with these specs:
>
> /dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
> /dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
> /dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
>
> What does this tell me?
>
> Well there shouldnt be any dirs and symlinks with type udev_tbl_t.
>
> Only files. dirs and lnk_files should be device_t.
Well, the udev code (looking at udev-182 here) has the code for relabeling
in it. For instance, when copy_dev_dir is called, it has
#v+
/* set the creation context for the directory about to be created, then create it */
udev_selinux_setfscreateconat(udev, dirfd(dir_to), dent->d_name, S_IFDIR|0755);
mkdirat(dirfd(dir_to), dent->d_name, 0755);
/* clear the creation context again */
udev_selinux_resetfscreatecon(udev);
#v-
I believe this is the source, but I'm no master in this. I mainly based
myself on the denials and errors I got. If I put in an "auditallow" to show
this, this is the result:
#v+
testsys ~ # grep grant /var/log/avc.log
Aug 29 21:51:23 testsys kernel: [ 3.339771] type=1400 audit(1346269880.338:6): avc: granted { create } for pid=1162 comm="systemd-udevd" name="data" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
#v-
This, btw, is for the /var/run/udev/data location, and the file contexts for
udev do currently hold this as udev_tbl_t:
#v+
testsys ~ # grep udev_tbl_t udev.fc
/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
#v-
(last line)
Wkr,
Sven Vermeulen
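Sven works backwards from the AVC records (the granted line above and the denials he mentions), which is what audit2allow automates. The following Python is an added example, not code from the mail, from udev or from refpolicy: it parses AVC records of that shape into (source type, target type, class, permissions) tuples, merges denials into candidate allow rules, and reports which object classes have been seen with udev_tbl_t as target, which is the question Dominick raises (should dirs and lnk_files of that type exist at all). Only the granted record in the sample is from the mail; the two denied records are constructed for illustration. The rule strings it emits are candidates to be checked against the file contexts and the interface patterns, not lines to paste into policy.

```python
"""Turn SELinux AVC audit records into candidate refpolicy rules (simplified audit2allow)."""
import re
from dataclasses import dataclass

# Constructed sample: the "granted" record is the one from the mail, rejoined onto one
# line; the two "denied" records are invented for illustration and come from no real system.
SAMPLE_AVC_LOG = """\
Aug 29 21:51:23 testsys kernel: [    3.339771] type=1400 audit(1346269880.338:6): avc:  granted  { create } for  pid=1162 comm="systemd-udevd" name="data" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir
Aug 29 21:51:24 testsys kernel: [    3.412000] type=1400 audit(1346269881.410:7): avc:  denied  { write add_name } for  pid=1162 comm="systemd-udevd" name="data" dev="tmpfs" ino=4711 scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=dir permissive=0
Aug 29 21:51:24 testsys kernel: [    3.412100] type=1400 audit(1346269881.411:8): avc:  denied  { create } for  pid=1162 comm="systemd-udevd" name="b8:0" scontext=system_u:system_r:udev_t tcontext=system_u:object_r:udev_tbl_t tclass=lnk_file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class AvcRecord:
    verdict: str      # "granted" (produced by an auditallow rule) or "denied"
    perms: frozenset  # permissions named inside the braces
    stype: str        # type field of scontext, e.g. udev_t
    ttype: str        # type field of tcontext, e.g. udev_tbl_t
    tclass: str       # object class, e.g. dir / file / lnk_file


def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return fields[2]


def parse_avc(line):
    """Parse one AVC record; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return AvcRecord(
        verdict=m.group("verdict"),
        perms=frozenset(m.group("perms").split()),
        stype=type_of(m.group("scontext")),
        ttype=type_of(m.group("tcontext")),
        tclass=m.group("tclass"),
    )


def parse_log(text):
    """Parse every AVC record in a log excerpt, skipping unrelated lines."""
    return [rec for rec in map(parse_avc, text.splitlines()) if rec is not None]


def suggest_allow_rules(records):
    """Merge denials into one candidate allow rule per (source, target, class).

    Granted records are skipped on purpose: they come from auditallow rules on
    access the policy already permits, so they must not become new allow rules.
    """
    merged = {}
    for rec in records:
        if rec.verdict != "denied":
            continue
        key = (rec.stype, rec.ttype, rec.tclass)
        merged[key] = merged.get(key, frozenset()) | rec.perms
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, ttype, tclass), perms in sorted(merged.items())
    ]


def classes_seen_for_type(records, ttype):
    """Object classes (dir, file, lnk_file, ...) observed with ttype as the target type."""
    return {rec.tclass for rec in records if rec.ttype == ttype}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AVC_LOG)
    for rule in suggest_allow_rules(recs):
        print(rule)
    print("classes seen on udev_tbl_t:", sorted(classes_seen_for_type(recs, "udev_tbl_t")))
```

Run against the sample, `classes_seen_for_type` reports both dir and lnk_file for udev_tbl_t, which is exactly the evidence needed to decide between Dominick's "only files" reading of the file contexts and the manage_dirs/manage_lnk_files patterns in the patch; the merged rules are what you would then translate into the refpolicy interface calls rather than raw allow lines.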
Thread overview: 22+ messages
2012-08-29 19:28 [refpolicy] [PATCH v1 0/5] Small set of updates Sven Vermeulen
2012-08-29 19:28 ` [refpolicy] [PATCH v1 1/5] Puppet uses mount output for verification Sven Vermeulen
2012-08-29 19:28 ` [refpolicy] [PATCH v1 2/5] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist Sven Vermeulen
2012-08-29 19:41 ` Dominick Grift
2012-08-29 19:59 ` Sven Vermeulen
2012-08-29 20:10 ` Dominick Grift
2012-08-29 19:28 ` [refpolicy] [PATCH v1 3/5] Gentoo's openrc does not require initrc_exec_t for runscripts anymore Sven Vermeulen
2012-08-29 19:28 ` [refpolicy] [PATCH v1 4/5] Allow init scripts to read courier configuration Sven Vermeulen
2012-08-29 19:28 ` [refpolicy] [PATCH v1 5/5] Udev's tables (run data) is stored in directories Sven Vermeulen
2012-08-29 19:37 ` Dominick Grift
2012-08-29 19:55 ` Sven Vermeulen [this message]
2012-08-29 20:04 ` Dominick Grift
2012-08-29 20:20 ` Dominick Grift
2012-08-29 20:31 ` Dominick Grift
2012-09-02 12:06 ` Guido Trentalancia
2012-09-02 19:51 ` Dominick Grift
2012-09-02 19:59 ` Dominick Grift
2012-09-04 12:27 ` Guido Trentalancia
2012-09-04 14:51 ` Guido Trentalancia
2012-09-09 16:51 ` Guido Trentalancia
2012-09-03 9:26 ` Guido Trentalancia
2012-09-04 10:18 ` Miroslav Grepl