* [refpolicy] [PATCH 09/20] udev-acl.ck lists /run/udev/tags/udev-acl udev blocks suspend, and compromises kernel
@ 2013-09-24 13:39 Dominick Grift
From: Dominick Grift @ 2013-09-24 13:39 UTC (permalink / raw)
To: refpolicy
udevadm wants to create files in /run/udev/data. It writes to udev_tbl_t
directories
udev_t runs udisks-lvm-pv-export with a domain transition to lvm_t
udev: remove compromise_kernel capability2 av perm as it's currently not
supported in reference policy
udev: udevadm managing udev_tbl_t symbolic links (/run/udev/watch/6)
udev: udevd manages control udev_tbl_t type socket
udev: udevd manages udev_tbl_t directories
named files pid filetrans for /run/udev directory
udev: lets just label /run/udev type udev_var_run_t and get it over with
udev: make the files_pid_filetrans more specific because it appears that
udev also creates directories in /run that we dont want to have created
with type udev_var_run_t (/run/avahi-daemon in Debian)
udev: udev-acl.ck uses dbus system bus fds
udev: sends dbus message to consolekit manager:
OpenSessionWithParameters
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/lvm.fc | 1 +
policy/modules/system/udev.fc | 2 +-
policy/modules/system/udev.te | 18 ++++++++++++++++--
3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 879bb1e..6b91740 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -28,6 +28,7 @@ ifdef(`distro_gentoo',`
#
/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
+/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
#
# /sbin
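Review bot: This entry is the only labeling that makes `lvm_domtrans(udev_t)` in the udev.te hunk at @@ -260 take effect, and it matches only `/lib/udev/udisks-lvm-pv-export`; on systems where udev helpers are installed under /usr/lib/udev the helper would keep running in udev_t unless an existing /usr/lib to /lib path equivalence covers it, which is worth verifying. The hunk's context marker names `ifdef(`distro_gentoo',``, so confirm the new line lands in the general /lib section rather than inside that Gentoo-only block. A short comment such as `# udev helper, confined to lvm_t` next to the entry would tell a reader why a udev helper carries the lvm executable type.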
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 40928d8..f41857e 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -31,7 +31,7 @@ ifdef(`distro_redhat',`
/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
+/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
ifdef(`distro_debian',`
/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
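Review bot: Relabeling everything under `/var/run/udev(/.*)?` from udev_tbl_t to udev_var_run_t changes what other domains can reach: any domain that was granted read access to the udev database via udev_tbl_t (the data, tags and watch entries named in the commit message) will now meet udev_var_run_t and needs matching access or it starts being denied, and conversely any domain already allowed udev_var_run_t now reaches the database as well. The udev.te hunks at @@ -63 and @@ -73 keep udev_tbl_t only for the /dev/.udevdb transition, so udev_tbl_t effectively becomes a legacy type after this change. A comment on this fc line, e.g. `# /run/udev (data, tags, watch, control socket) is udev_var_run_t`, would make the new split explicit.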
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 90e4ab3..d8b9856 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -39,6 +39,7 @@ ifdef(`enable_mcs',`
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
dontaudit udev_t self:capability sys_tty_config;
+allow udev_t self:capability2 block_suspend;
allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow udev_t self:process { execmem setfscreate };
allow udev_t self:fd use;
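Review bot: The new `allow udev_t self:capability2 block_suspend;` grants a kernel-level privilege that nothing in the file explains; the commit message says udev blocks suspend, so carrying that into a one-line comment, `# udev needs to block suspend`, lets the next maintainer judge whether to keep the rule. The patch title also mentions compromise_kernel, which this hunk correctly does not grant, consistent with the message. As an aside, the unchanged capability line above lists `sys_nice` twice; dropping the duplicate is a harmless cleanup.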
@@ -63,7 +64,6 @@ can_exec(udev_t, udev_helper_exec_t)
# read udev config
allow udev_t udev_etc_t:file read_file_perms;
-# create udev database in /dev/.udevdb
allow udev_t udev_tbl_t:file manage_file_perms;
dev_filetrans(udev_t, udev_tbl_t, file)
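Review bot: Dropping the `# create udev database in /dev/.udevdb` comment leaves `allow udev_t udev_tbl_t:file manage_file_perms;` and `dev_filetrans(udev_t, udev_tbl_t, file)` undocumented at the same moment the udev.fc hunk stops using udev_tbl_t for /run/udev, so udev_tbl_t now serves only this /dev transition. If the /dev/.udevdb location is considered obsolete the two rules could go with the comment; if they stay, a comment such as `# legacy udev database in /dev/.udevdb; /run/udev is udev_var_run_t` keeps the reason visible.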
@@ -73,7 +73,12 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
-files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
+manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")
+
+ifdef(`distro_debian',`
+ files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
+')
kernel_read_system_state(udev_t)
kernel_request_load_module(udev_t)
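Review bot: The replacement `files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")` narrows the old `{ dir file }` transition in two ways, and only the directory part is explained by the commit message: plain files that udev_t creates directly in /run (outside /run/udev) will no longer receive udev_var_run_t but the parent directory's default label. If that is intended, a comment like `# only /run/udev itself transitions; other /run entries keep the default label` documents it; if not, a named file transition for those files is needed. The added `manage_sock_files_pattern` matches the control-socket note in the commit message.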
@@ -230,6 +235,11 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(udev_t)
+ dbus_use_system_bus_fds(udev_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(udev_t)
+ ')
')
optional_policy(`
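Review bot: The new `dbus_use_system_bus_fds(udev_t)` and nested `consolekit_dbus_chat(udev_t)` are needed by the udev-acl.ck helper rather than udevd itself, per the commit message, but the policy does not say so; a comment above the nested block, `# udev-acl.ck opens a ConsoleKit session over the system bus`, records which program the access is for. consolekit_dbus_chat presumably covers both directions of dbus traffic with consolekit while the message only describes udev sending OpenSessionWithParameters; that is normal for a chat interface, but worth confirming it is the intended scope.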
@@ -260,6 +270,10 @@ optional_policy(`
')
optional_policy(`
+ lvm_domtrans(udev_t)
+')
+
+optional_policy(`
mount_domtrans(udev_t)
')
--
1.8.3.1
* [refpolicy] [PATCH 09/20] udev-acl.ck lists /run/udev/tags/udev-acl udev blocks suspend, and compromises kernel
@ 2013-09-27 20:37 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2013-09-27 20:37 UTC (permalink / raw)
To: refpolicy
On Tue 24 Sep 2013 09:39:40 AM EDT, Dominick Grift wrote:
> udevadm wants to create files in /run/udev/data. It writes to udev_tbl_t
> directories
>
> udev_t runs udisks-lvm-pv-export with a domain transition to lvm_t
>
> udev: remove compromise_kernel capability2 av perm as its currently not
> supported in reference policy
>
> udev: udevadm managing udev_tbl_t symbolic links (/run/udev/watch/6)
>
> udev: udevd manages control udev_tbl_t type socket
>
> udev: udevd manages udev_tbl_t directories
> named files pid filetrans for /run/udev directory
>
> udev: lets just label /run/udev type udev_var_run_t and get it over with
>
> udev: make the files_pid_filetrans more specific because it appears that
> udev also creates directories in /run that we dont want to have created
> with type udev_var_run_t (/run/avahi-daemon in Debian)
>
> udev: udev-acl.ck uses dbus system bus fds
>
> udev: sends dbus message to consolekit manager:
> OpenSessionWithParameters
Merged. I moved the one Debian addition to the latter Debian block.
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/lvm.fc | 1 +
> policy/modules/system/udev.fc | 2 +-
> policy/modules/system/udev.te | 18 ++++++++++++++++--
> 3 files changed, 18 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
> index 879bb1e..6b91740 100644
> --- a/policy/modules/system/lvm.fc
> +++ b/policy/modules/system/lvm.fc
> @@ -28,6 +28,7 @@ ifdef(`distro_gentoo',`
> #
> /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
> /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
> +/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
>
> #
> # /sbin
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index 40928d8..f41857e 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -31,7 +31,7 @@ ifdef(`distro_redhat',`
> /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
>
> /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
> -/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
> +/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
>
> ifdef(`distro_debian',`
> /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 90e4ab3..d8b9856 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -39,6 +39,7 @@ ifdef(`enable_mcs',`
>
> allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
> dontaudit udev_t self:capability sys_tty_config;
> +allow udev_t self:capability2 block_suspend;
> allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> allow udev_t self:process { execmem setfscreate };
> allow udev_t self:fd use;
> @@ -63,7 +64,6 @@ can_exec(udev_t, udev_helper_exec_t)
> # read udev config
> allow udev_t udev_etc_t:file read_file_perms;
>
> -# create udev database in /dev/.udevdb
> allow udev_t udev_tbl_t:file manage_file_perms;
> dev_filetrans(udev_t, udev_tbl_t, file)
>
> @@ -73,7 +73,12 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
> manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> -files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
> +manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> +files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")
> +
> +ifdef(`distro_debian',`
> + files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
> +')
>
> kernel_read_system_state(udev_t)
> kernel_request_load_module(udev_t)
> @@ -230,6 +235,11 @@ optional_policy(`
>
> optional_policy(`
> dbus_system_bus_client(udev_t)
> + dbus_use_system_bus_fds(udev_t)
> +
> + optional_policy(`
> + consolekit_dbus_chat(udev_t)
> + ')
> ')
>
> optional_policy(`
> @@ -260,6 +270,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + lvm_domtrans(udev_t)
> +')
> +
> +optional_policy(`
> mount_domtrans(udev_t)
> ')
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com