[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/ - gentoo-commits

From:	Jason Zaman <perfinion@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/roles/
Date:	Tue, 26 Mar 2019 10:17:42
Message-Id:	`1553508325.a7ec244c351f1fcccd2547b2b94554b29b69c07a.perfinion@gentoo`

1

commit:     a7ec244c351f1fcccd2547b2b94554b29b69c07a

2

Author:     Sugar, David <dsugar <AT> tresys <DOT> com>

3

AuthorDate: Fri Mar 15 02:27:10 2019 +0000

4

Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>

5

CommitDate: Mon Mar 25 10:05:25 2019 +0000

6

URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a7ec244c

7

8

Separate out udevadm into a new domain

9

10

This is the update I have made based on suggestions for the previous

11

patches to add a udev_run interface.  This adds the new domain udevadm_t

12

which is entered from /usr/bin/udevadm.

13

14

It seems to meet the needs that I have, but there are some things to

15

note that are probably important.

16

1) There are a few systemd services that use udevadm during startup.

17

   I have granted the permisssions that I need based on denials I was

18

   seeing during startup (the machine would fail to start without the

19

   permisions).

20

2) In the udev.fc file there are other binaries that I don't have on a

21

   RHEL7 box that maybe should also be labeled udevadm_exec_t.

22

   e.g. /usr/bin/udevinfo and /usr/bin/udevsend

23

   But as I don't have those binaries to test, I have not updated the

24

   type of that binary.

25

3) There are some places that call udev_domtrans that maybe should now

26

   be using udevadm_domtrans - rpm.te, hal.te, hotplug.te.  Again,

27

   these are not things that I am using in my current situation and am

28

   unable to test the interactions to know if the change is correct.

29

30

Other than that, I think this was a good suggestion to split udevadm

31

into a different domain.

32

33

Only change for v4 is to use stream_connect_pattern as suggested.

34

35

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

36

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

37

38

 policy/modules/roles/sysadm.te |  4 +++

39

 policy/modules/system/udev.fc  |  4 +--

40

 policy/modules/system/udev.if  | 62 ++++++++++++++++++++++++++++++++++++++++++

41

 policy/modules/system/udev.te  | 40 ++++++++++++++++++++++++++-

42

 4 files changed, 107 insertions(+), 3 deletions(-)

43

44

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te

45

index b600e379..6827561f 100644

46

--- a/policy/modules/roles/sysadm.te

47

+++ b/policy/modules/roles/sysadm.te

48

@@ -1140,6 +1140,10 @@ optional_policy(`

49

 	tzdata_domtrans(sysadm_t)

50

')

51

52

+optional_policy(`

53

+	udevadm_run(sysadm_t, sysadm_r)

54

+')

55

+

56

 optional_policy(`

57

 	ulogd_admin(sysadm_t, sysadm_r)

58

')

59

60

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc

61

index 84705e32..7e27287e 100644

62

--- a/policy/modules/system/udev.fc

63

+++ b/policy/modules/system/udev.fc

64

@@ -10,7 +10,7 @@

65

 /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)

66

67

 /usr/bin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)

68

-/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)

69

+/usr/bin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)

70

 /usr/bin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)

71

 /usr/bin/udevinfo	--	gen_context(system_u:object_r:udev_exec_t,s0)

72

 /usr/bin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)

73

@@ -22,7 +22,7 @@ ifdef(`distro_debian',`

74

')

75

76

 /usr/sbin/udev		--	gen_context(system_u:object_r:udev_exec_t,s0)

77

-/usr/sbin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)

78

+/usr/sbin/udevadm	--	gen_context(system_u:object_r:udevadm_exec_t,s0)

79

 /usr/sbin/udevd		--	gen_context(system_u:object_r:udev_exec_t,s0)

80

 /usr/sbin/udevsend	--	gen_context(system_u:object_r:udev_exec_t,s0)

81

 /usr/sbin/udevstart	--	gen_context(system_u:object_r:udev_exec_t,s0)

82

83

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if

84

index 2ecdf5f0..fc8577bd 100644

85

--- a/policy/modules/system/udev.if

86

+++ b/policy/modules/system/udev.if

87

@@ -518,6 +518,68 @@ interface(`udev_generic_pid_filetrans_run_dirs',`

88

 	refpolicywarn(`$0($*) has been deprecated.')

89

')

90

91

+########################################

92

+## <summary>

93

+##	Execute udev admin in the udevadm domain.

94

+## </summary>

95

+## <param name="domain">

96

+##	<summary>

97

+##	Domain allowed to transition.

98

+##	</summary>

99

+## </param>

100

+#

101

+interface(`udevadm_domtrans',`

102

+	gen_require(`

103

+		type udevadm_t, udevadm_exec_t;

104

+	')

105

+

106

+	domtrans_pattern($1, udevadm_exec_t, udevadm_t)

107

+')

108

+

109

+########################################

110

+## <summary>

111

+##	Execute udevadm in the udevadm domain, and

112

+##	allow the specified role the udevadm domain.

113

+## </summary>

114

+## <param name="domain">

115

+##	<summary>

116

+##	Domain allowed to transition.

117

+##	</summary>

118

+## </param>

119

+## <param name="role">

120

+##	<summary>

121

+##	Role allowed access.

122

+##	</summary>

123

+## </param>

124

+## <rolecap/>

125

+#

126

+interface(`udevadm_run',`

127

+	gen_require(`

128

+		attribute_role udevadm_roles;

129

+	')

130

+

131

+	udevadm_domtrans($1)

132

+	roleattribute $2 udevadm_roles;

133

+')

134

+

135

+########################################

136

+## <summary>

137

+##	Execute udevadm in the caller domain.

138

+## </summary>

139

+## <param name="domain">

140

+##	<summary>

141

+##	Domain allowed access.

142

+##	</summary>

143

+## </param>

144

+#

145

+interface(`udevadm_exec',`

146

+	gen_require(`

147

+		type udevadm_exec_t;

148

+	')

149

+

150

+	can_exec($1, udevadm_exec_t)

151

+')

152

+

153

 # Gentoo specific but cannot add it within an ifdef distro_gentoo

154

155

 #########################################

156

157

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te

158

index 8149ea9a..77503764 100644

159

--- a/policy/modules/system/udev.te

160

+++ b/policy/modules/system/udev.te

161

@@ -4,6 +4,7 @@ policy_module(udev, 1.25.1)

162

#

163

 # Declarations

164

#

165

+attribute_role udevadm_roles;

166

167

 type udev_t;

168

 type udev_exec_t;

169

@@ -15,6 +16,12 @@ domain_interactive_fd(udev_t)

170

 init_daemon_domain(udev_t, udev_exec_t)

171

 init_named_socket_activation(udev_t, udev_var_run_t)

172

173

+type udevadm_t;

174

+type udevadm_exec_t;

175

+init_system_domain(udevadm_t, udevadm_exec_t)

176

+application_domain(udevadm_t, udevadm_exec_t)

177

+role udevadm_roles types udevadm_t;

178

+

179

 type udev_etc_t alias etc_udev_t;

180

 files_config_file(udev_etc_t)

181

182

@@ -35,7 +42,7 @@ ifdef(`enable_mcs',`

183

184

 ########################################

185

#

186

-# Local policy

187

+# udev Local policy

188

#

189

190

 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };

191

@@ -404,3 +411,34 @@ ifdef(`distro_gentoo',`

192

193

 	init_domtrans_script(udev_t)

194

')

195

+

196

+

197

+########################################

198

+#

199

+# udevadm Local policy

200

+#

201

+

202

+allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;

203

+allow udevadm_t self:unix_stream_socket create_socket_perms;

204

+

205

+delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)

206

+delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)

207

+delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)

208

+list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)

209

+stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t)

210

+

211

+dev_rw_sysfs(udevadm_t)

212

+dev_read_urand(udevadm_t)

213

+

214

+files_read_etc_files(udevadm_t)

215

+files_read_usr_files(udevadm_t)

216

+

217

+init_list_pids(udevadm_t)

218

+init_read_state(udevadm_t)

219

+

220

+kernel_read_system_state(udevadm_t)

221

+

222

+libs_use_ld_so(udevadm_t)

223

+

224

+seutil_read_file_contexts(udevadm_t)

225

+

1	commit: a7ec244c351f1fcccd2547b2b94554b29b69c07a
2	Author: Sugar, David <dsugar <AT> tresys <DOT> com>
3	AuthorDate: Fri Mar 15 02:27:10 2019 +0000
4	Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5	CommitDate: Mon Mar 25 10:05:25 2019 +0000
6	URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a7ec244c
7
8	Separate out udevadm into a new domain
9
10	This is the update I have made based on suggestions for the previous
11	patches to add a udev_run interface. This adds the new domain udevadm_t
12	which is entered from /usr/bin/udevadm.
13
14	It seems to meet the needs that I have, but there are some things to
15	note that are probably important.
16	1) There are a few systemd services that use udevadm during startup.
17	I have granted the permisssions that I need based on denials I was
18	seeing during startup (the machine would fail to start without the
19	permisions).
20	2) In the udev.fc file there are other binaries that I don't have on a
21	RHEL7 box that maybe should also be labeled udevadm_exec_t.
22	e.g. /usr/bin/udevinfo and /usr/bin/udevsend
23	But as I don't have those binaries to test, I have not updated the
24	type of that binary.
25	3) There are some places that call udev_domtrans that maybe should now
26	be using udevadm_domtrans - rpm.te, hal.te, hotplug.te. Again,
27	these are not things that I am using in my current situation and am
28	unable to test the interactions to know if the change is correct.
29
30	Other than that, I think this was a good suggestion to split udevadm
31	into a different domain.
32
33	Only change for v4 is to use stream_connect_pattern as suggested.
34
35	Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
36	Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
37
38	policy/modules/roles/sysadm.te \| 4 +++
39	policy/modules/system/udev.fc \| 4 +--
40	policy/modules/system/udev.if \| 62 ++++++++++++++++++++++++++++++++++++++++++
41	policy/modules/system/udev.te \| 40 ++++++++++++++++++++++++++-
42	4 files changed, 107 insertions(+), 3 deletions(-)
43
44	diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
45	index b600e379..6827561f 100644
46	--- a/policy/modules/roles/sysadm.te
47	+++ b/policy/modules/roles/sysadm.te
48	@@ -1140,6 +1140,10 @@ optional_policy(`
49	tzdata_domtrans(sysadm_t)
50	')
51
52	+optional_policy(`
53	+ udevadm_run(sysadm_t, sysadm_r)
54	+')
55	+
56	optional_policy(`
57	ulogd_admin(sysadm_t, sysadm_r)
58	')
59
60	diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
61	index 84705e32..7e27287e 100644
62	--- a/policy/modules/system/udev.fc
63	+++ b/policy/modules/system/udev.fc
64	@@ -10,7 +10,7 @@
65	/etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
66
67	/usr/bin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
68	-/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
69	+/usr/bin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
70	/usr/bin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
71	/usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
72	/usr/bin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
73	@@ -22,7 +22,7 @@ ifdef(`distro_debian',`
74	')
75
76	/usr/sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
77	-/usr/sbin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
78	+/usr/sbin/udevadm -- gen_context(system_u:object_r:udevadm_exec_t,s0)
79	/usr/sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
80	/usr/sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)
81	/usr/sbin/udevstart -- gen_context(system_u:object_r:udev_exec_t,s0)
82
83	diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
84	index 2ecdf5f0..fc8577bd 100644
85	--- a/policy/modules/system/udev.if
86	+++ b/policy/modules/system/udev.if
87	@@ -518,6 +518,68 @@ interface(`udev_generic_pid_filetrans_run_dirs',`
88	refpolicywarn(`$0($*) has been deprecated.')
89	')
90
91	+########################################
92	+## <summary>
93	+## Execute udev admin in the udevadm domain.
94	+## </summary>
95	+## <param name="domain">
96	+## <summary>
97	+## Domain allowed to transition.
98	+## </summary>
99	+## </param>
100	+#
101	+interface(`udevadm_domtrans',`
102	+ gen_require(`
103	+ type udevadm_t, udevadm_exec_t;
104	+ ')
105	+
106	+ domtrans_pattern($1, udevadm_exec_t, udevadm_t)
107	+')
108	+
109	+########################################
110	+## <summary>
111	+## Execute udevadm in the udevadm domain, and
112	+## allow the specified role the udevadm domain.
113	+## </summary>
114	+## <param name="domain">
115	+## <summary>
116	+## Domain allowed to transition.
117	+## </summary>
118	+## </param>
119	+## <param name="role">
120	+## <summary>
121	+## Role allowed access.
122	+## </summary>
123	+## </param>
124	+## <rolecap/>
125	+#
126	+interface(`udevadm_run',`
127	+ gen_require(`
128	+ attribute_role udevadm_roles;
129	+ ')
130	+
131	+ udevadm_domtrans($1)
132	+ roleattribute $2 udevadm_roles;
133	+')
134	+
135	+########################################
136	+## <summary>
137	+## Execute udevadm in the caller domain.
138	+## </summary>
139	+## <param name="domain">
140	+## <summary>
141	+## Domain allowed access.
142	+## </summary>
143	+## </param>
144	+#
145	+interface(`udevadm_exec',`
146	+ gen_require(`
147	+ type udevadm_exec_t;
148	+ ')
149	+
150	+ can_exec($1, udevadm_exec_t)
151	+')
152	+
153	# Gentoo specific but cannot add it within an ifdef distro_gentoo
154
155	#########################################
156
157	diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
158	index 8149ea9a..77503764 100644
159	--- a/policy/modules/system/udev.te
160	+++ b/policy/modules/system/udev.te
161	@@ -4,6 +4,7 @@ policy_module(udev, 1.25.1)
162	#
163	# Declarations
164	#
165	+attribute_role udevadm_roles;
166
167	type udev_t;
168	type udev_exec_t;
169	@@ -15,6 +16,12 @@ domain_interactive_fd(udev_t)
170	init_daemon_domain(udev_t, udev_exec_t)
171	init_named_socket_activation(udev_t, udev_var_run_t)
172
173	+type udevadm_t;
174	+type udevadm_exec_t;
175	+init_system_domain(udevadm_t, udevadm_exec_t)
176	+application_domain(udevadm_t, udevadm_exec_t)
177	+role udevadm_roles types udevadm_t;
178	+
179	type udev_etc_t alias etc_udev_t;
180	files_config_file(udev_etc_t)
181
182	@@ -35,7 +42,7 @@ ifdef(`enable_mcs',`
183
184	########################################
185	#
186	-# Local policy
187	+# udev Local policy
188	#
189
190	allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource };
191	@@ -404,3 +411,34 @@ ifdef(`distro_gentoo',`
192
193	init_domtrans_script(udev_t)
194	')
195	+
196	+
197	+########################################
198	+#
199	+# udevadm Local policy
200	+#
201	+
202	+allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
203	+allow udevadm_t self:unix_stream_socket create_socket_perms;
204	+
205	+delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
206	+delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
207	+delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
208	+list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
209	+stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t)
210	+
211	+dev_rw_sysfs(udevadm_t)
212	+dev_read_urand(udevadm_t)
213	+
214	+files_read_etc_files(udevadm_t)
215	+files_read_usr_files(udevadm_t)
216	+
217	+init_list_pids(udevadm_t)
218	+init_read_state(udevadm_t)
219	+
220	+kernel_read_system_state(udevadm_t)
221	+
222	+libs_use_ld_so(udevadm_t)
223	+
224	+seutil_read_file_contexts(udevadm_t)
225	+

Gentoo Archives: gentoo-commits