From 8f4f9a924a5a277643ac1d0703e64e37fa80945e Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bigon@bigon.be>
Date: Sun, 11 Aug 2019 14:41:37 +0200
Subject: [PATCH 1/2] Allow udevadm to read files in /run/udev/data

With this commit, my basic debian buster installation is booting

type=PROCTITLE msg=audit(09/09/19 08:23:24.011:69) : proctitle=/bin/udevadm trigger --type=devices --action=add
type=PATH msg=audit(09/09/19 08:23:24.011:69) : item=0 name=/run/udev/data/+platform:QEMU0002:00 inode=12584 dev=00:15 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:udev_var_run_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(09/09/19 08:23:24.011:69) : cwd=/
type=SYSCALL msg=audit(09/09/19 08:23:24.011:69) : arch=x86_64 syscall=openat success=yes exit=5 a0=0xffffff9c a1=0x7fff993f0cb0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=486 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udevadm exe=/usr/bin/udevadm subj=system_u:system_r:udevadm_t:s0 key=(null)
type=AVC msg=audit(09/09/19 08:23:24.011:69) : avc:  denied  { open } for  pid=486 comm=udevadm path=/run/udev/data/+platform:QEMU0002:00 dev="tmpfs" ino=12584 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/09/19 08:23:24.011:69) : avc:  denied  { read } for  pid=486 comm=udevadm name=+platform:QEMU0002:00 dev="tmpfs" ino=12584 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
 policy/modules/system/udev.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d02dff717..399e91571 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -394,6 +394,7 @@ delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
 delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
 delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
 list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
+read_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
 
 dev_rw_sysfs(udevadm_t)
 dev_read_urand(udevadm_t)

From 44957d318c85e2fc3ce1c667044712f239d95d03 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville <bigon@bigon.be>
Date: Fri, 6 Sep 2019 17:54:17 +0200
Subject: [PATCH 2/2] Allow udevadm_t to use dac_read_search capability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

udevadm trigger tries to read files under /sys/module/ that might not be
readable by root, for example:

--w------- 1 root root 4096 sep  5 17:06 /sys/module/snd_hda_codec_generic/uevent

We choose to allow it here because, according to Grift,
"the cap_dac_read_search could maybe be dontaudited, but then
cap_dac_override would have to be dontaudited as well.
cap_dac_read_search would also be triggered when you run `sudo udevadm
...` where pwd or/and oldpwd is ~"

type=PROCTITLE msg=audit(29/08/19 15:37:14.505:417) : proctitle=/bin/udevadm trigger --type=subsystems --action=add
type=PATH msg=audit(29/08/19 15:37:14.505:417) : item=0 name=/sys/module/snd_hda_codec_generic/uevent inode=17769 dev=00:13 mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(29/08/19 15:37:14.505:417) : cwd=/
type=SYSCALL msg=audit(29/08/19 15:37:14.505:417) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission non accordée) a0=0xffffff9c a1=0x7fff23710260 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=481 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udevadm exe=/usr/bin/udevadm subj=system_u:system_r:udevadm_t:s0 key=(null)
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc:  denied  { dac_override } for  pid=481 comm=udevadm capability=dac_override  scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc:  denied  { dac_read_search } for  pid=481 comm=udevadm capability=dac_read_search  scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
 policy/modules/system/udev.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 399e91571..ae56a7640 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -385,6 +385,7 @@ optional_policy(`
 # udevadm Local policy
 #
 
+allow udevadm_t self:capability dac_read_search;
 allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udevadm_t self:unix_stream_socket create_socket_perms;