authorKenton Groombridge <concord@gentoo.org>2023-12-18 13:29:39 -0500
committerKenton Groombridge <concord@gentoo.org>2024-03-01 12:02:30 -0500
commit13a17848e44efe0d9f9691a7dbe1995b8756d907 (patch)
tree75176f74da1c000e3ffe864ecb7e92c9f5a30b41 /policy
parentsu: various fixes (diff)
kernel: allow delete and setattr on generic SCSI and USB devices
Seen with systemd 255. type=AVC msg=audit(1702835409.236:64): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/bsg/17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1702835409.236:65): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1702835409.236:66): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1702835409.496:69): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/bus/usb/001/002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1702835409.496:70): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1702835409.496:71): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1 Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Diffstat (limited to 'policy')
-rw-r--r--policy/modules/kernel/devices.if18
-rw-r--r--policy/modules/kernel/kernel.te6
-rw-r--r--policy/modules/kernel/storage.if20
3 files changed, 44 insertions, 0 deletions
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index d15365737..e8a4560d4 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4966,6 +4966,24 @@ interface(`dev_rw_generic_usb_dev',`
########################################
## <summary>
+## Delete the generic USB devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_delete_generic_usb_dev',`
+ gen_require(`
+ type device_t, usb_device_t;
+ ')
+
+ delete_chr_files_pattern($1, device_t, usb_device_t)
+')
+
+########################################
+## <summary>
## Relabel generic the USB devices.
## </summary>
## <param name="domain">
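Review bot: The summary of the new `dev_delete_generic_usb_dev' interface reads "Delete the generic USB devices." while the parallel interface added to storage.if in the same commit says "delete the generic SCSI interface device nodes"; the two should use the same wording, and "device nodes" is the accurate one since the rule removes devtmpfs entries, not devices: `## Delete the generic USB device nodes.`. The two interfaces also differ in how they cover the containing directory: this one uses `delete_chr_files_pattern($1, device_t, usb_device_t)`, which as far as I recall grants the del_entry directory permissions on device_t as part of the pattern, whereas the storage.if one relies on `dev_list_all_dev_nodes($1)`; it would help the reader to say in a one-line comment which directory permissions each form provides, so a caller can tell whether anything else is needed for the unlink to succeed. The `dev_relabel_generic_usb_dev' interface that follows continues outside the hunk.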
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index ba4233b7e..3c37030b6 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -390,10 +390,16 @@ ifdef(`init_systemd',`
')
optional_policy(`
+ dev_setattr_generic_usb_dev(kernel_t)
+ dev_delete_generic_usb_dev(kernel_t)
+
storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
storage_setattr_fixed_disk_dev(kernel_t)
storage_create_fixed_disk_dev(kernel_t)
storage_delete_fixed_disk_dev(kernel_t)
+
+ storage_setattr_scsi_generic_dev(kernel_t)
+ storage_delete_scsi_generic_dev(kernel_t)
')
')
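Review bot: The two `dev_*` calls added at the top of this hunk are placed inside an `optional_policy(` block whose other members are all `storage_*` interfaces, so they are only compiled when the storage module is present; the devices module is a required base module in refpolicy, and `dev_setattr_generic_usb_dev(kernel_t)` / `dev_delete_generic_usb_dev(kernel_t)` should sit directly in the enclosing `ifdef(`init_systemd'` block above the `optional_policy(` line rather than being tied to storage. The enclosing ifdef begins outside the hunk, so I cannot see whether an earlier unconditional dev_* group already exists there to add them to. Separately, the commit message's audit records show kdevtmpfs only removing nodes under devtmpfs; a short comment such as `# kdevtmpfs removes stale device nodes on device unplug` next to the new rules would explain why kernel_t needs delete on these types without readers having to dig up the AVC log.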
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 777caea69..6f62adead 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -541,6 +541,26 @@ interface(`storage_write_scsi_generic',`
########################################
## <summary>
+## Allow the caller to delete the generic
+## SCSI interface device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_delete_scsi_generic_dev',`
+ gen_require(`
+ type scsi_generic_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 scsi_generic_device_t:chr_file delete_chr_file_perms;
+')
+
+########################################
+## <summary>
## Set attributes of the device nodes
## for the SCSI generic interface.
## </summary>
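Review bot: The new `storage_delete_scsi_generic_dev' interface grants `delete_chr_file_perms` on the chr_file but only `dev_list_all_dev_nodes($1)` on the directory side; if that helper grants list permissions only, the unlink of `/dev/bsg/17:0:0:0` from the commit message still needs remove_name on the containing `device_t` directory, which this interface would then not provide (kernel_t may already have it from elsewhere, which would explain why it was not observed as a denial). The existing `storage_delete_fixed_disk_dev` called in kernel.te presumably follows the same shape, so if this is a known gap it is inherited; if not, the devices.if interface added in the same commit shows the alternative via `delete_chr_files_pattern`. Either way, a one-line comment stating the assumption, e.g. `# directory remove_name on device_t must come from the caller`, would make the contract explicit. The `storage_setattr_scsi_generic_dev' interface that follows continues outside the hunk.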