This is the update I have made based on suggestions for the previous
patch to add a udev_run interface. This adds the new domain udevadm_t
which is entered from /usr/bin/udevadm.
It seems to meet the needs that I have, but there are some things to
note that are probably important.
1) There are a few systemd services that use udevadm during startup.
I have granted the permisssions that I need based on denials I was
seeing during startup (the machine would fail to start without the
permisions).
2) In the udev.fc file there are other binaries that I don't have on a
RHEL7 box that maybe should also be labeled udevadm_exec_t.
e.g. /usr/bin/udevinfo
But as I don't have those binaries to test, I have not updated the
type of that binary.
3) There are some places that call udev_domtrans that maybe should now
be using udevadm_domtrans - rpm.te, hal.te, hotplug.te. Again,
these are not things that I am using in my current situation and am
unable to test the interactions to know if the change is correct.
Other than that, I think it is good to split out udevadm into a
different domain to make it separate.
Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
policy/modules/roles/sysadm.te | 4 +++
policy/modules/system/udev.fc | 4 +--
policy/modules/system/udev.if | 62 ++++++++++++++++++++++++++++++++++
policy/modules/system/udev.te | 42 ++++++++++++++++++++++-
4 files changed, 109 insertions(+), 3 deletions(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 043e54bf..2cc60643 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1140,6 +1140,10 @@ optional_policy(`
tzdata_domtrans(sysadm_t)
')
+optional_policy(`
+ udevadm_run(sysadm_t, sysadm_r)
+')
+
optional_policy(`
ulogd_admin(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 009d821a..606ad517 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -10,7 +10,7 @@
/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
/usr/bin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
/usr/bin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
/usr/bin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -22,7 +22,7 @@ ifdef(`distro_debian',`
')
/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/sbin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
/usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
/usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index fee55852..3028d6b8 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -447,3 +447,65 @@ interface(`udev_generic_pid_filetrans_run_dirs',`
files_pid_filetrans($1, udev_var_run_t, dir, $2)
')
+
+########################################
+## <summary>
+## Execute udev admin in the udevadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`udevadm_domtrans',`
+ gen_require(`
+ type udevadm_t, udevadm_exec_t;
+ ')
+
+ domtrans_pattern($1, udevadm_exec_t, udevadm_t)
+')
+
+########################################
+## <summary>
+## Execute udevadm in the udevadm domain, and
+## allow the specified role the udevadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`udevadm_run',`
+ gen_require(`
+ attribute_role udevadm_roles;
+ ')
+
+ udevadm_domtrans($1)
+ roleattribute $2 udevadm_roles;
+')
+
+########################################
+## <summary>
+## Execute udevadm in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udevadm_exec',`
+ gen_require(`
+ type udevadm_exec_t;
+ ')
+
+ can_exec($1, udevadm_exec_t)
+')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 9d5cf3b2..becb54d9 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -4,6 +4,7 @@ policy_module(udev, 1.25.1)
#
# Declarations
#
+attribute_role udevadm_roles;
type udev_t;
type udev_exec_t;
@@ -15,6 +16,12 @@ domain_interactive_fd(udev_t)
init_daemon_domain(udev_t, udev_exec_t)
init_named_socket_activation(udev_t, udev_var_run_t)
+type udevadm_t;
+type udevadm_exec_t;
+init_system_domain(udevadm_t, udevadm_exec_t)
+application_domain(udevadm_t, udevadm_exec_t)
+role udevadm_roles types udevadm_t;
+
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
@@ -35,7 +42,7 @@ ifdef(`enable_mcs',`
########################################
#
-# Local policy
+# udev Local policy
#
allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
@@ -374,3 +381,36 @@ optional_policy(`
optional_policy(`
xserver_read_xdm_pid(udev_t)
')
+
+
+########################################
+#
+# udevadm Local policy
+#
+
+allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow udevadm_t self:unix_stream_socket create_socket_perms;
+
+allow udevadm_t udev_t:unix_stream_socket connectto;
+
+delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+write_sock_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
