[refpolicy] [PATCH] Drop udev_tbl_t and use udev_var_run

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [PATCH] Drop udev_tbl_t and use udev_var_run_t label instead
@ 2013-01-07 17:13 Laurent Bigonville
  2013-01-10 13:20 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Laurent Bigonville @ 2013-01-07 17:13 UTC (permalink / raw)
  To: refpolicy

From: Laurent Bigonville <bigon@bigon.be>

On most distribution /dev/.udev has been moved to /var/run/udev. We
should allow udev to R/W to the files stored in the new location.

At the sametime, and to not add yet another label we are renaming
udev_tbl_t label to the newly created udev_var_run_t label

This is inspired of the changes on Fedora policy

I would be happy if somebody could review this before I'm proposing this for
inclusion. This has only been tested on system where the directory is located
in (/var)/run/udev.

Thanks!

Laurent Bigonville
---
 policy/modules/system/udev.fc |    8 +++---
 policy/modules/system/udev.if |   58 +++++++++++++++++++++++++++++------------
 policy/modules/system/udev.te |    9 ++-----
 3 files changed, 48 insertions(+), 27 deletions(-)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 40928d8..68f7f48 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -1,6 +1,6 @@
-/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_tbl_t,s0)
-/dev/\.udevdb	--	gen_context(system_u:object_r:udev_tbl_t,s0)
-/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_tbl_t,s0)
+/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_var_run_t,s0)
+/dev/\.udevdb	--	gen_context(system_u:object_r:udev_var_run_t,s0)
+/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_var_run_t,s0)
 
 /etc/dev\.d/.+	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
@@ -31,7 +31,7 @@ ifdef(`distro_redhat',`
 /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
 
 /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-/var/run/udev(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
+/var/run/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
 
 ifdef(`distro_debian',`
 /var/run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 9a1650d..440a732 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',`
 #
 interface(`udev_dontaudit_search_db',`
 	gen_require(`
-		type udev_tbl_t;
+		type udev_var_run_t;
 	')
 
-	dontaudit $1 udev_tbl_t:dir search_dir_perms;
+	dontaudit $1 udev_var_run_t:dir search_dir_perms;
 ')
 
 ########################################
@@ -187,25 +187,50 @@ interface(`udev_dontaudit_search_db',`
 ## <infoflow type="read" weight="10"/>
 #
 interface(`udev_read_db',`
-	gen_require(`
-		type udev_tbl_t;
-	')
+	refpolicywarn(`$0 has been deprecated, use udev_read_pids() instead.')
+	udev_read_pids($1)
+')
 
-	allow $1 udev_tbl_t:dir list_dir_perms;
+########################################
+## <summary>
+##	Allow process to modify list of devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_rw_db',`
+	refpolicywarn(`$0 has been deprecated, use udev_rw_pids() instead.')
+	udev_rw_pids($1)
+')
 
-	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
-	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
+########################################
+## <summary>
+##	Read udev pid content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_read_pids',`
+	gen_require(`
+		type udev_var_run_t;
+	')
 
 	dev_list_all_dev_nodes($1)
-
-	files_search_etc($1)
-
-	udev_search_pids($1)
+	files_search_pids($1)
+	allow $1 udev_var_run_t:dir list_dir_perms;
+	allow $1 udev_var_run_t:file read_file_perms;
+	allow $1 udev_var_run_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Allow process to modify list of devices.
+##	Allow process to modify pid content.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -213,13 +238,14 @@ interface(`udev_read_db',`
 ##	</summary>
 ## </param>
 #
-interface(`udev_rw_db',`
+interface(`udev_rw_pids',`
 	gen_require(`
-		type udev_tbl_t;
+		type udev_var_run_t;
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 udev_tbl_t:file rw_file_perms;
+	allow $1 udev_var_run_t:file rw_file_perms;
+	files_search_pids($1)
 ')
 
 ########################################
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a5ec88b..3cfe483 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -17,15 +17,13 @@ init_daemon_domain(udev_t, udev_exec_t)
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
 
-type udev_tbl_t alias udev_tdb_t;
-files_type(udev_tbl_t)
-
 type udev_rules_t;
 files_type(udev_rules_t)
 
 type udev_var_run_t;
 files_pid_file(udev_var_run_t)
 init_daemon_run_dir(udev_var_run_t, "udev")
+typealias udev_var_run_t alias udev_tbl_t;
 
 ifdef(`enable_mcs',`
 	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
@@ -63,16 +61,13 @@ can_exec(udev_t, udev_helper_exec_t)
 # read udev config
 allow udev_t udev_etc_t:file read_file_perms;
 
-# create udev database in /dev/.udevdb
-allow udev_t udev_tbl_t:file manage_file_perms;
-dev_filetrans(udev_t, udev_tbl_t, file)
-
 list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
 read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
 
 manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
 
 kernel_read_system_state(udev_t)
-- 
1.7.10.4

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* [refpolicy] [PATCH] Drop udev_tbl_t and use udev_var_run_t label instead
  2013-01-07 17:13 [refpolicy] [PATCH] Drop udev_tbl_t and use udev_var_run_t label instead Laurent Bigonville
@ 2013-01-10 13:20 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2013-01-10 13:20 UTC (permalink / raw)
  To: refpolicy

On 01/07/13 12:13, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> On most distribution /dev/.udev has been moved to /var/run/udev. We
> should allow udev to R/W to the files stored in the new location.
> 
> At the sametime, and to not add yet another label we are renaming
> udev_tbl_t label to the newly created udev_var_run_t label
> 
> This is inspired of the changes on Fedora policy
> 
> I would be happy if somebody could review this before I'm proposing this for
> inclusion. This has only been tested on system where the directory is located
> in (/var)/run/udev.

Frankly, I think this is backwards.  *_var_run_t files are typically pid files.  The files in this dir are more than that.  If anything, it seems that udev_var_run_t should be eliminated.

Otherwise it seems that only the /run/udev/control socket might be the only thing to make sense for udev_var_run_t.


> ---
>  policy/modules/system/udev.fc |    8 +++---
>  policy/modules/system/udev.if |   58 +++++++++++++++++++++++++++++------------
>  policy/modules/system/udev.te |    9 ++-----
>  3 files changed, 48 insertions(+), 27 deletions(-)
> 
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index 40928d8..68f7f48 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -1,6 +1,6 @@
> -/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_tbl_t,s0)
> -/dev/\.udevdb	--	gen_context(system_u:object_r:udev_tbl_t,s0)
> -/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_tbl_t,s0)
> +/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_var_run_t,s0)
> +/dev/\.udevdb	--	gen_context(system_u:object_r:udev_var_run_t,s0)
> +/dev/udev\.tbl	--	gen_context(system_u:object_r:udev_var_run_t,s0)
>  
>  /etc/dev\.d/.+	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
>  
> @@ -31,7 +31,7 @@ ifdef(`distro_redhat',`
>  /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
>  
>  /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
> -/var/run/udev(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
> +/var/run/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
>  
>  ifdef(`distro_debian',`
>  /var/run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
> diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
> index 9a1650d..440a732 100644
> --- a/policy/modules/system/udev.if
> +++ b/policy/modules/system/udev.if
> @@ -164,10 +164,10 @@ interface(`udev_manage_rules_files',`
>  #
>  interface(`udev_dontaudit_search_db',`
>  	gen_require(`
> -		type udev_tbl_t;
> +		type udev_var_run_t;
>  	')
>  
> -	dontaudit $1 udev_tbl_t:dir search_dir_perms;
> +	dontaudit $1 udev_var_run_t:dir search_dir_perms;
>  ')
>  
>  ########################################
> @@ -187,25 +187,50 @@ interface(`udev_dontaudit_search_db',`
>  ## <infoflow type="read" weight="10"/>
>  #
>  interface(`udev_read_db',`
> -	gen_require(`
> -		type udev_tbl_t;
> -	')
> +	refpolicywarn(`$0 has been deprecated, use udev_read_pids() instead.')
> +	udev_read_pids($1)
> +')
>  
> -	allow $1 udev_tbl_t:dir list_dir_perms;
> +########################################
> +## <summary>
> +##	Allow process to modify list of devices.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`udev_rw_db',`
> +	refpolicywarn(`$0 has been deprecated, use udev_rw_pids() instead.')
> +	udev_rw_pids($1)
> +')
>  
> -	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
> -	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
> +########################################
> +## <summary>
> +##	Read udev pid content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`udev_read_pids',`
> +	gen_require(`
> +		type udev_var_run_t;
> +	')
>  
>  	dev_list_all_dev_nodes($1)
> -
> -	files_search_etc($1)
> -
> -	udev_search_pids($1)
> +	files_search_pids($1)
> +	allow $1 udev_var_run_t:dir list_dir_perms;
> +	allow $1 udev_var_run_t:file read_file_perms;
> +	allow $1 udev_var_run_t:lnk_file read_lnk_file_perms;
>  ')
>  
>  ########################################
>  ## <summary>
> -##	Allow process to modify list of devices.
> +##	Allow process to modify pid content.
>  ## </summary>
>  ## <param name="domain">
>  ##	<summary>
> @@ -213,13 +238,14 @@ interface(`udev_read_db',`
>  ##	</summary>
>  ## </param>
>  #
> -interface(`udev_rw_db',`
> +interface(`udev_rw_pids',`
>  	gen_require(`
> -		type udev_tbl_t;
> +		type udev_var_run_t;
>  	')
>  
>  	dev_list_all_dev_nodes($1)
> -	allow $1 udev_tbl_t:file rw_file_perms;
> +	allow $1 udev_var_run_t:file rw_file_perms;
> +	files_search_pids($1)
>  ')
>  
>  ########################################
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index a5ec88b..3cfe483 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -17,15 +17,13 @@ init_daemon_domain(udev_t, udev_exec_t)
>  type udev_etc_t alias etc_udev_t;
>  files_config_file(udev_etc_t)
>  
> -type udev_tbl_t alias udev_tdb_t;
> -files_type(udev_tbl_t)
> -
>  type udev_rules_t;
>  files_type(udev_rules_t)
>  
>  type udev_var_run_t;
>  files_pid_file(udev_var_run_t)
>  init_daemon_run_dir(udev_var_run_t, "udev")
> +typealias udev_var_run_t alias udev_tbl_t;
>  
>  ifdef(`enable_mcs',`
>  	kernel_ranged_domtrans_to(udev_t, udev_exec_t, s0 - mcs_systemhigh)
> @@ -63,16 +61,13 @@ can_exec(udev_t, udev_helper_exec_t)
>  # read udev config
>  allow udev_t udev_etc_t:file read_file_perms;
>  
> -# create udev database in /dev/.udevdb
> -allow udev_t udev_tbl_t:file manage_file_perms;
> -dev_filetrans(udev_t, udev_tbl_t, file)
> -
>  list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
>  read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
>  
>  manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
>  manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
>  manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> +manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
>  files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
>  
>  kernel_read_system_state(udev_t)
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2013-01-10 13:20 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-01-07 17:13 [refpolicy] [PATCH] Drop udev_tbl_t and use udev_var_run_t label instead Laurent Bigonville
2013-01-10 13:20 ` Christopher J. PeBenito

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.