From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] Drop udev_tbl_t and use udev_var_run_t label instead
Date: Thu, 10 Jan 2013 08:20:42 -0500	[thread overview]
Message-ID: <50EEC02A.6030402@tresys.com> (raw)
In-Reply-To: <1357578807-17844-1-git-send-email-bigon@debian.org>

On 01/07/13 12:13, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> On most distribution /dev/.udev has been moved to /var/run/udev. We
> should allow udev to R/W to the files stored in the new location.
> 
> At the same time, and to avoid adding yet another label, we are renaming the
> udev_tbl_t label to the newly created udev_var_run_t label.
> 
> This is inspired by the changes in the Fedora policy.
> 
> I would be happy if somebody could review this before I'm proposing this for
> inclusion. This has only been tested on system where the directory is located
> in (/var)/run/udev.

Frankly, I think this is backwards.  *_var_run_t files are typically pid files.  The files in this dir are more than that.  If anything, it seems that udev_var_run_t should be eliminated.

Otherwise, it seems that the /run/udev/control socket might be the only thing for which udev_var_run_t makes sense.


> ---
>  policy/modules/system/udev.fc |    8 +++---
>  policy/modules/system/udev.if |   58 +++++++++++++++++++++++++++++------------
>  policy/modules/system/udev.te |    9 ++-----
>  3 files changed, 48 insertions(+), 27 deletions(-)
> 
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index 40928d8..68f7f48 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -1,6 +1,6 @@
> -/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_tbl_t,s0)
> -/dev/\.udevdb	--	gen_context(system_u:object_r:udev_tbl_t,s0)
> -/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_tbl_t,s0)
> +/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_var_run_t,s0)
> +/dev/\.udevdb	--	gen_context(system_u:object_r:udev_var_run_t,s0)
> +/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_var_run_t,s0)
>  
>  /etc/dev\.d/.+	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
>  
> @@ -31,7 +31,7 @@ ifdef(`distro_redhat',`
>  /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
>  
>  /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
> -/var/run/udev(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
> +/var/run/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
>  
>  ifdef(`distro_debian',`
>  /var/run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index 9a1650d..440a732 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',`
>  #
>  interface(`udev_dontaudit_search_db',`
>  	gen_require(`
> -		type udev_tbl_t;
> +		type udev_var_run_t;
>  	')
>  
> -	dontaudit $1 udev_tbl_t:dir search_dir_perms;
> +	dontaudit $1 udev_var_run_t:dir search_dir_perms;
>  ')
>  
>  ########################################
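Review bot: udev_dontaudit_search_db is silently repointed at udev_var_run_t instead of being deprecated the way udev_read_db and udev_rw_db are in the next hunk, so its name (and presumably its summary, which lies outside this hunk) still describe the old database directory while the rule now suppresses search denials on every udev_var_run_t directory, including /var/run/PackageKit/udev and the Debian xen-hotplug directory labelled in udev.fc. A dontaudit that silences a wider set of denials makes policy gaps harder to spot in the audit log, so the widening deserves to be visible in the interface name. For consistency with the other two interfaces, add a `udev_dontaudit_search_pids` interface that carries the new rule and reduce this one to `refpolicywarn(`$0 has been deprecated, use udev_dontaudit_search_pids() instead.')` followed by `udev_dontaudit_search_pids($1)`.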
> @@ -187,25 +187,50 @@ interface(`udev_dontaudit_search_db',`
>  ## <infoflow type="read" weight="10"/>
>  #
>  interface(`udev_read_db',`
> -	gen_require(`
> -		type udev_tbl_t;
> -	')
> +	refpolicywarn(`$0 has been deprecated, use udev_read_pids() instead.')
> +	udev_read_pids($1)
> +')
>  
> -	allow $1 udev_tbl_t:dir list_dir_perms;
> +########################################
> +## <summary>
> +##	Allow process to modify list of devices.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`udev_rw_db',`
> +	refpolicywarn(`$0 has been deprecated, use udev_rw_pids() instead.')
> +	udev_rw_pids($1)
> +')
>  
> -	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
> -	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
> +########################################
> +## <summary>
> +##	Read udev pid content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`udev_read_pids',`
> +	gen_require(`
> +		type udev_var_run_t;
> +	')
>  
>  	dev_list_all_dev_nodes($1)
> -
> -	files_search_etc($1)
> -
> -	udev_search_pids($1)
> +	files_search_pids($1)
> +	allow $1 udev_var_run_t:dir list_dir_perms;
> +	allow $1 udev_var_run_t:file read_file_perms;
> +	allow $1 udev_var_run_t:lnk_file read_lnk_file_perms;
>  ')
>  
>  ########################################
>  ## <summary>
> -##	Allow process to modify list of devices.
> +##	Allow process to modify pid content.
>  ## </summary>
>  ## <param name="domain">
>  ##	<summary>
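Review bot: udev_read_pids keeps `dev_list_all_dev_nodes($1)`, which is unrelated to reading /var/run/udev content and widens what a caller of a "Read udev pid content" interface receives; it was inherited from udev_read_db, where listing /dev was presumably needed to reach /dev/.udev. In the same rewrite the old `files_search_etc($1)` disappears, so callers migrated through the deprecated udev_read_db wrapper lose that permission without the commit message mentioning it. Consider moving dev_list_all_dev_nodes into the deprecated wrapper only, noting the dropped files_search_etc in the commit message, and expressing the file and symlink access as `read_files_pattern($1, udev_var_run_t, udev_var_run_t)` and `read_lnk_files_pattern($1, udev_var_run_t, udev_var_run_t)`, which is the style the removed lines and udev.te already use.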
> @@ -213,13 +238,14 @@ interface(`udev_read_db',`
>  ##	</summary>
>  ## </param>
>  #
> -interface(`udev_rw_db',`
> +interface(`udev_rw_pids',`
>  	gen_require(`
> -		type udev_tbl_t;
> +		type udev_var_run_t;
>  	')
>  
>  	dev_list_all_dev_nodes($1)
> -	allow $1 udev_tbl_t:file rw_file_perms;
> +	allow $1 udev_var_run_t:file rw_file_perms;
> +	files_search_pids($1)
>  ')
>  
>  ########################################
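Review bot: udev_rw_pids grants `udev_var_run_t:file rw_file_perms` but no search permission on the udev_var_run_t directory itself; `files_search_pids($1)` only covers the parent /var/run directory, so a caller that does not also use udev_read_pids cannot traverse /var/run/udev to open the files it was just allowed to read and write. Replacing the allow line with `rw_files_pattern($1, udev_var_run_t, udev_var_run_t)` adds the directory search and matches the pattern macros used for udev_var_run_t in udev.te. The `files_search_pids($1)` call is placed after the allow rule here but before it in udev_read_pids; ordering the two interfaces the same way makes them easier to compare.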
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index a5ec88b..3cfe483 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -17,15 +17,13 @@ init_daemon_domain(udev_t, udev_exec_t)
>  type udev_etc_t alias etc_udev_t;
>  files_config_file(udev_etc_t)
>  
> -type udev_tbl_t alias udev_tdb_t;
> -files_type(udev_tbl_t)
> -
>  type udev_rules_t;
>  files_type(udev_rules_t)
>  
>  type udev_var_run_t;
>  files_pid_file(udev_var_run_t)
>  init_daemon_run_dir(udev_var_run_t, "udev")
> +typealias udev_var_run_t alias udev_tbl_t;
>  
>  ifdef(`enable_mcs',`
>  	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
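Review bot: the removed `type udev_tbl_t alias udev_tdb_t;` declared a second alias, udev_tdb_t, but the new `typealias udev_var_run_t alias udev_tbl_t;` preserves only udev_tbl_t, so any policy module or file context that still names udev_tdb_t will fail to build or relabel after this change. The commit message does not say the alias is being dropped deliberately. Unless it is, write `typealias udev_var_run_t alias { udev_tbl_t udev_tdb_t };`.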
> @@ -63,16 +61,13 @@ can_exec(udev_t, udev_helper_exec_t)
>  # read udev config
>  allow udev_t udev_etc_t:file read_file_perms;
>  
> -# create udev database in /dev/.udevdb
> -allow udev_t udev_tbl_t:file manage_file_perms;
> -dev_filetrans(udev_t, udev_tbl_t, file)
> -
>  list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
>  read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
>  
>  manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
>  manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
>  manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> +manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
>  files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
>  
>  kernel_read_system_state(udev_t)
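Review bot: `dev_filetrans(udev_t, udev_tbl_t, file)` is removed with no replacement, while the udev.fc hunk still labels /dev/.udev, /dev/.udevdb and /dev/udev.tbl as udev_var_run_t. On a system that still populates /dev/.udev (the commit message says only the /var/run/udev layout was tested), files udev creates directly under /dev will no longer be transitioned to the labelled type at runtime and will diverge from the file contexts until a relabel, so the udev_var_run_t rules on udev_t will not cover them. Either keep a `dev_filetrans(udev_t, udev_var_run_t, file)` for the legacy layout or drop the /dev entries from udev.fc so policy and file contexts agree; doing neither leaves the two hunks contradicting each other.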
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
