This is the update I have made based on suggestions for the previous patches to add a udev_run interface. This adds the new domain udevadm_t which is entered from /usr/bin/udevadm. It seems to meet the needs that I have, but there are some things to note that are probably important. 1) There are a few systemd services that use udevadm during startup. I have granted the permisssions that I need based on denials I was seeing during startup (the machine would fail to start without the permisions). 2) In the udev.fc file there are other binaries that I don't have on a RHEL7 box that maybe should also be labeled udevadm_exec_t. e.g. /usr/bin/udevinfo and /usr/bin/udevsend But as I don't have those binaries to test, I have not updated the type of that binary. 3) There are some places that call udev_domtrans that maybe should now be using udevadm_domtrans - rpm.te, hal.te, hotplug.te. Again, these are not things that I am using in my current situation and am unable to test the interactions to know if the change is correct. Other than that, I think this was a good suggestion to split udevadm into a different domain. Only change for v4 is to use stream_connect_pattern as suggested. Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
 policy/modules/roles/sysadm.te | 4 +++
 policy/modules/system/udev.fc | 4 +--
 policy/modules/system/udev.if | 62 ++++++++++++++++++++++++++++++++++
 policy/modules/system/udev.te | 40 +++++++++++++++++++++-
 4 files changed, 107 insertions(+), 3 deletions(-)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 043e54bf..2cc60643 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1140,6 +1140,10 @@ optional_policy(`
 tzdata_domtrans(sysadm_t)
 ')
+optional_policy(`
+ udevadm_run(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 ulogd_admin(sysadm_t, sysadm_r)
 ')
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 009d821a..606ad517 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -10,7 +10,7 @@
 /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
 /usr/bin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/bin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
 /usr/bin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -22,7 +22,7 @@ ifdef(`distro_debian',`
 ')
 /usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/sbin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
 /usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index fee55852..3028d6b8 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -447,3 +447,65 @@ interface(`udev_generic_pid_filetrans_run_dirs',`
 files_pid_filetrans($1, udev_var_run_t, dir, $2)
 ')
+
+########################################
+## <summary>
+## Execute udev admin in the udevadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`udevadm_domtrans',`
+ gen_require(`
+ type udevadm_t, udevadm_exec_t;
+ ')
+
+ domtrans_pattern($1, udevadm_exec_t, udevadm_t)
+')
+
+########################################
+## <summary>
+## Execute udevadm in the udevadm domain, and
+## allow the specified role the udevadm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`udevadm_run',`
+ gen_require(`
+ attribute_role udevadm_roles;
+ ')
+
+ udevadm_domtrans($1)
+ roleattribute $2 udevadm_roles;
+')
+
+########################################
+## <summary>
+## Execute udevadm in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udevadm_exec',`
+ gen_require(`
+ type udevadm_exec_t;
+ ')
+
+ can_exec($1, udevadm_exec_t)
+')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 9d5cf3b2..1e2c6cea 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -4,6 +4,7 @@ policy_module(udev, 1.25.1)
 #
 # Declarations
 #
+attribute_role udevadm_roles;
 type udev_t;
 type udev_exec_t;
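Review bot: The summary of udevadm_domtrans reads `## Execute udev admin in the udevadm domain.` while its two siblings in the same hunk say "udevadm"; the binary name should be used consistently, e.g. `## Execute udevadm in the udevadm domain.`, since these summaries are what the generated interface documentation shows. The two context lines at the top of the hunk are the tail of udev_generic_pid_filetrans_run_dirs, whose start is outside the hunk.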
@@ -15,6 +16,12 @@ domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
 init_named_socket_activation(udev_t, udev_var_run_t)
+type udevadm_t;
+type udevadm_exec_t;
+init_system_domain(udevadm_t, udevadm_exec_t)
+application_domain(udevadm_t, udevadm_exec_t)
+role udevadm_roles types udevadm_t;
+
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
@@ -35,7 +42,7 @@ ifdef(`enable_mcs',`
 ########################################
 #
-# Local policy
+# udev Local policy
 #
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
@@ -374,3 +381,34 @@ optional_policy(`
 optional_policy(`
 xserver_read_xdm_pid(udev_t)
 ')
+
+
+########################################
+#
+# udevadm Local policy
+#
+
+allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow udevadm_t self:unix_stream_socket create_socket_perms;
+
+delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t)
+
+dev_rw_sysfs(udevadm_t)
+dev_read_urand(udevadm_t)
+
+files_read_etc_files(udevadm_t)
+files_read_usr_files(udevadm_t)
+
+init_list_pids(udevadm_t)
+init_read_state(udevadm_t)
+
+kernel_read_system_state(udevadm_t)
+
+libs_use_ld_so(udevadm_t)
+
+seutil_read_file_contexts(udevadm_t)
+
--
2.20.1
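Review bot: The new udevadm local policy block grants no terminal access, yet the sysadm.te hunk lets sysadm_t enter udevadm_t from an interactive shell, where udevadm's stdout/stderr is the caller's pty; domtrans_pattern only allows fd use, not writing the chr_file itself, so as far as this hunk shows that output would be denied (the author's testing was from systemd units, so this may simply not have been hit). Adding `userdom_use_inherited_user_terminals(udevadm_t)` alongside the other udevadm_t rules is the usual refpolicy answer; confirm with an `udevadm info` run from a sysadm shell. The `stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t)` line is the privileged part of this domain, since the udevd control socket is how a client reloads rules and triggers events, so a why-comment such as `# connect to udevd's control socket under /run/udev` above it, and one naming the udevadm operation that the delete_*_pattern rules on udev_var_run_t serve, would help later audits of what this domain can do. `libs_use_ld_so(udevadm_t)` is a deprecated no-op in recent refpolicy trees and can be dropped if this tree already has that change.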