From mboxrd@z Thu Jan 1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 27 Sep 2013 16:37:23 -0400
Subject: [refpolicy] [PATCH 09/20] udev-acl.ck lists /run/udev/tags/udev-acl udev blocks suspend, and compromises kernel
In-Reply-To: <1380029980-25198-1-git-send-email-dominick.grift@gmail.com>
References: <1380029980-25198-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <5245EC83.1090000@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Tue 24 Sep 2013 09:39:40 AM EDT, Dominick Grift wrote:
> udevadm wants to create files in /run/udev/data. It writes to udev_tbl_t
> directories
>
> udev_t runs udisks-lvm-pv-export with a domain transition to lvm_t
>
> udev: remove compromise_kernel capability2 av perm as its currently not
> supported in reference policy
>
> udev: udevadm managing udev_tbl_t symbolic links (/run/udev/watch/6)
>
> udev: udevd manages control udev_tbl_t type socket
>
> udev: udevd manages udev_tbl_t directories
> named files pid filetrans for /run/udev directory
>
> udev: lets just label /run/udev type udev_var_run_t and get it over with
>
> udev: make the files_pid_filetrans more specific because it appears that
> udev also creates directories in /run that we dont want to have created
> with type udev_var_run_t (/run/avahi-daemon in Debian)
>
> udev: udev-acl.ck uses dbus system bus fds
>
> udev: sends dbus message to consolekit manager:
> OpenSessionWithParameters
Merged. I moved the one Debian addition to the latter Debian block.
> Signed-off-by: Dominick Grift
> ---
> policy/modules/system/lvm.fc | 1 +
> policy/modules/system/udev.fc | 2 +-
> policy/modules/system/udev.te | 18 ++++++++++++++++--
> 3 files changed, 18 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
> index 879bb1e..6b91740 100644
> --- a/policy/modules/system/lvm.fc
> +++ b/policy/modules/system/lvm.fc
> @@ -28,6 +28,7 @@ ifdef(`distro_gentoo',`
> #
> /lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
> /lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
> +/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)
>
> #
> # /sbin
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index 40928d8..f41857e 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -31,7 +31,7 @@ ifdef(`distro_redhat',`
> /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
>
> /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
> -/var/run/udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
> +/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
>
> ifdef(`distro_debian',`
> /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 90e4ab3..d8b9856 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -39,6 +39,7 @@ ifdef(`enable_mcs',`
>
> allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin sys_nice sys_rawio sys_resource setuid setgid sys_nice sys_ptrace };
> dontaudit udev_t self:capability sys_tty_config;
> +allow udev_t self:capability2 block_suspend;
> allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> allow udev_t self:process { execmem setfscreate };
> allow udev_t self:fd use;
> @@ -63,7 +64,6 @@ can_exec(udev_t, udev_helper_exec_t)
> # read udev config
> allow udev_t udev_etc_t:file read_file_perms;
>
> -# create udev database in /dev/.udevdb
> allow udev_t udev_tbl_t:file manage_file_perms;
> dev_filetrans(udev_t, udev_tbl_t, file)
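Review bot: The new `/lib/udev/udisks-lvm-pv-export` entry covers only the `/lib` location; on a layout where udev helpers are installed under `/usr/lib/udev` (the udev.fc hunk in this same patch already labels `/usr/lib/systemd/systemd-udevd` for that reason) the helper would stay with the default type and the `lvm_domtrans(udev_t)` added in udev.te would never fire. If that layout is supported, add `/usr/lib/udev/udisks-lvm-pv-export -- gen_context(system_u:object_r:lvm_exec_t,s0)` next to it. Whether this `# /lib` section is still inside the `distro_gentoo` block named in the hunk header cannot be told from the hunk; if it is, the entry would be Gentoo-only, which the commit message does not suggest is intended.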
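Review bot: Relabeling `/var/run/udev(/.*)?` from udev_tbl_t to udev_var_run_t also moves the device database under /run/udev/data to the new type, but the series only adjusts udev_t's own rules in udev.te and does not touch udev.if, so a read interface that grants udev_tbl_t (udev_read_db, if it still names only that type) would stop covering the database for every caller. Check the interface and, if it only references udev_tbl_t, add `files_search_pids($1)` and `read_files_pattern($1, udev_var_run_t, udev_var_run_t)` there in the same series. Already-installed systems will also keep the old udev_tbl_t label on /run/udev until a relabel or reboot, which is worth a line in the commit message.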
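Review bot: `allow udev_t self:capability2 block_suspend;` grants the capability where a `dontaudit udev_t self:capability2 block_suspend;` would be the lower-privilege choice if the goal is only to stop the audit noise; as far as I know the kernel strips the wakeup flag when the caller lacks CAP_BLOCK_SUSPEND rather than failing the call, so udev keeps working either way. The commit message says udev does block suspend, so the allow may well be intended, but stating which behaviour is wanted would make the rule easier to audit later. Separately, the `self:capability` set in the context line just above lists `sys_nice` twice; since this block is already being edited, dropping the duplicate would be a cheap cleanup.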
>
> @@ -73,7 +73,12 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
> manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> -files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
> +manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
> +files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")
> +
> +ifdef(`distro_debian',`
> + files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
> +')
>
> kernel_read_system_state(udev_t)
> kernel_request_load_module(udev_t)
> @@ -230,6 +235,11 @@ optional_policy(`
>
> optional_policy(`
> dbus_system_bus_client(udev_t)
> + dbus_use_system_bus_fds(udev_t)
> +
> + optional_policy(`
> + consolekit_dbus_chat(udev_t)
> + ')
> ')
>
> optional_policy(`
> @@ -260,6 +270,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + lvm_domtrans(udev_t)
> +')
> +
> +optional_policy(`
> mount_domtrans(udev_t)
> ')
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
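Review bot: `files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")` narrows the previous `{ dir file }` transition to the dir class only, so any plain file udev creates directly in /run (rather than below /run/udev) now receives the generic pid default type instead of udev_var_run_t. The commit message justifies the change with the /run/avahi-daemon directory, which the named dir rule handles, but it does not say whether top-level files were ever created; if they are, the fix is a named transition for the file class as well, not dropping the class. The Debian `xen-hotplug` transition matches the `-d` file context in the udev.fc hunk, which is consistent.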