Re: [PATCH] first udevadm patch

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12/10/20 9:27 PM, Russell Coker wrote:
As Chris noted in a previous message the udevadm_t domain could be used from
other places.  This patch allows for that possibility in the near future but
for the moment just makes a system bootable in enforcing mode right now.

Also I didn't remove the context entries for udevadm even though on systems
with a recent systemd they won't exist.  At this time leaving them there
may provide the best compatability options.

Finally I added a udev_runtime_t watch because the need for that appeared
when I was working on this.


Signed off by Russell Coker

The patch seems ok, please resubmit with a standard DCO signoff (e.g. git commit -s)



Index: refpolicy-2.20201210/policy/modules/system/udev.fc
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/system/udev.fc
+++ refpolicy-2.20201210/policy/modules/system/udev.fc
@@ -10,7 +10,7 @@
  /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
/usr/bin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/bin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
+/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
  /usr/bin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
  /usr/bin/udevinfo	--	gen_context(system_u:object_r:udev_exec_t,s0)
  /usr/bin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
@@ -22,7 +22,7 @@ ifdef(`distro_debian',`
  ')
/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/sbin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)
+/usr/sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
  /usr/sbin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)
  /usr/sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)
  /usr/sbin/udevstart	--	gen_context(system_u:object_r:udev_exec_t,s0)
@@ -32,7 +32,6 @@ ifdef(`distro_redhat',`
  /usr/sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
  ')
-/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
  /usr/lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
/usr/share/virtualbox/VBoxCreateUSBNode\.sh -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
Index: refpolicy-2.20201210/policy/modules/system/udev.if
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/system/udev.if
+++ refpolicy-2.20201210/policy/modules/system/udev.if
@@ -548,10 +548,10 @@ interface(`udev_manage_runtime_files',`
  #
  interface(`udevadm_domtrans',`
  	gen_require(`
-		type udevadm_t, udevadm_exec_t;
+		type udevadm_t, udev_exec_t;
  	')
- domtrans_pattern($1, udevadm_exec_t, udevadm_t)
+	domtrans_pattern($1, udev_exec_t, udevadm_t)
  ')
########################################
@@ -579,21 +579,3 @@ interface(`udevadm_run',`
  	udevadm_domtrans($1)
  	roleattribute $2 udevadm_roles;
  ')
-
-########################################
-## <summary>
-##	Execute udevadm in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`udevadm_exec',`
-	gen_require(`
-		type udevadm_exec_t;
-	')
-
-	can_exec($1, udevadm_exec_t)
-')
Index: refpolicy-2.20201210/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20201210.orig/policy/modules/system/udev.te
+++ refpolicy-2.20201210/policy/modules/system/udev.te
@@ -8,6 +8,7 @@ attribute_role udevadm_roles;
type udev_t;
  type udev_exec_t;
+typealias udev_exec_t alias udevadm_exec_t;
  type udev_helper_exec_t;
  kernel_domtrans_to(udev_t, udev_exec_t)
  domain_obj_id_change_exemption(udev_t)
@@ -17,9 +18,7 @@ init_daemon_domain(udev_t, udev_exec_t)
  init_named_socket_activation(udev_t, udev_runtime_t)
type udevadm_t;
-type udevadm_exec_t;
-init_system_domain(udevadm_t, udevadm_exec_t)
-application_domain(udevadm_t, udevadm_exec_t)
+application_domain(udevadm_t, udev_exec_t)
  role udevadm_roles types udevadm_t;
type udev_etc_t alias etc_udev_t;
@@ -86,6 +85,7 @@ manage_files_pattern(udev_t, udev_runtim
  manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
  manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
  files_runtime_filetrans(udev_t, udev_runtime_t, dir, "udev")
+allow udev_t udev_runtime_t:dir watch;
kernel_load_module(udev_t)
  kernel_read_system_state(udev_t)



--
Chris PeBenito



[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux