Drop init_system_domain() for udevadm to break type transition conflicts.
Also fix interface naming issues for udevadm interfaces.
Fixes#292
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
This usage under /dev/.udev has been unused for a very long time and
replaced by functionality in /run/udev. Since these have separate types,
take this opportunity to revoke these likely unnecessary rules.
Fixes#221
Derived from Laurent Bigonville's work in #230
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
modutils.te: 50: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 51: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 52: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 53: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.if: 15: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.if: 52: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.fc: 24: (S): Type modules_object_t is declared in module files, but used in file context here. (S-002)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Since systemd 242 (commit
6c8a2c6793),
systemd and its services read /proc/sys/kernel/osrelease in order to
detect whether they are running in Microsoft's WSL (Windows Subsystem
for Linux).
This leads to logs such as:
type=AVC msg=audit(1568445663.990:10): avc: denied { read } for
pid=401 comm="systemd-modules" name="osrelease" dev="proc" ino=13319
scontext=system_u:system_r:systemd_modules_load_t
tcontext=system_u:object_r:sysctl_kernel_t tclass=file permissive=1
type=AVC msg=audit(1568445663.990:10): avc: denied { open } for
pid=401 comm="systemd-modules" path="/proc/sys/kernel/osrelease"
dev="proc" ino=13319
scontext=system_u:system_r:systemd_modules_load_t
tcontext=system_u:object_r:sysctl_kernel_t tclass=file permissive=1
type=AVC msg=audit(1568445663.990:11): avc: denied { getattr } for
pid=401 comm="systemd-modules" path="/proc/sys/kernel/osrelease"
dev="proc" ino=13319
scontext=system_u:system_r:systemd_modules_load_t
tcontext=system_u:object_r:sysctl_kernel_t tclass=file permissive=1
Add kernel_read_kernel_sysctls() to services that read
/proc/sys/kernel/osrelease. These services have been identified by
running "grep osrelease < /var/log/audit/audit.log | audit2allow" on an
Arch Linux test system.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
udevadm trigger tries to read files under /sys/module/ that might not be
readable by root, for example:
--w------- 1 root root 4096 sep 5 17:06 /sys/module/snd_hda_codec_generic/uevent
We choose to allow it here because, according to Grift,
"the cap_dac_read_search could maybe be dontaudited, but then
cap_dac_override would have to be dontaudited as well.
cap_dac_read_search would also be triggered when you run `sudo udevadm
...` where pwd or/and oldpwd is ~"
type=PROCTITLE msg=audit(29/08/19 15:37:14.505:417) : proctitle=/bin/udevadm trigger --type=subsystems --action=add
type=PATH msg=audit(29/08/19 15:37:14.505:417) : item=0 name=/sys/module/snd_hda_codec_generic/uevent inode=17769 dev=00:13 mode=file,200 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(29/08/19 15:37:14.505:417) : cwd=/
type=SYSCALL msg=audit(29/08/19 15:37:14.505:417) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission non accordée) a0=0xffffff9c a1=0x7fff23710260 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=481 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=udevadm exe=/usr/bin/udevadm subj=system_u:system_r:udevadm_t:s0 key=(null)
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc: denied { dac_override } for pid=481 comm=udevadm capability=dac_override scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0
type=AVC msg=audit(29/08/19 15:37:14.505:417) : avc: denied { dac_read_search } for pid=481 comm=udevadm capability=dac_read_search scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:system_r:udevadm_t:s0 tclass=capability permissive=0
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
This patch is based on comments from previous a patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().
v2 - enclose in ifdef for redhat
v3 - rebase this patch on e41def136a
Signed-off-by: Dave Sugar <dsugar@tresys.com>
This is the update I have made based on suggestions for the previous
patches to add a udev_run interface. This adds the new domain udevadm_t
which is entered from /usr/bin/udevadm.
It seems to meet the needs that I have, but there are some things to
note that are probably important.
1) There are a few systemd services that use udevadm during startup.
I have granted the permisssions that I need based on denials I was
seeing during startup (the machine would fail to start without the
permisions).
2) In the udev.fc file there are other binaries that I don't have on a
RHEL7 box that maybe should also be labeled udevadm_exec_t.
e.g. /usr/bin/udevinfo and /usr/bin/udevsend
But as I don't have those binaries to test, I have not updated the
type of that binary.
3) There are some places that call udev_domtrans that maybe should now
be using udevadm_domtrans - rpm.te, hal.te, hotplug.te. Again,
these are not things that I am using in my current situation and am
unable to test the interactions to know if the change is correct.
Other than that, I think this was a good suggestion to split udevadm
into a different domain.
Only change for v4 is to use stream_connect_pattern as suggested.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
This creates and uses a new interface to allow the needed
permission for udev.
type=AVC msg=audit(1551886176.948:642): avc: denied { map } for pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
Updated from previous to create a new interface.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
systemd-hwdb rebuilds /etc/udev/hwdb.bin from files in /var/lib/udev/hwdb.d/*
making a temp file first in /etc/udev/ then moving the tmp file
over hwdb.bin when complete. It also relabels based in file_contexts
This provides private type for /etc/udev/hwdb.bin
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Chris PeBenito
Antoine Tenart
Christian Göttsche
Daniel Burgener
Jason Zaman
bauen1
Jason Zaman
Nicolas Iooss
Laurent Bigonville
Sugar, David
Chris PeBenito
Russell Coker