author | Kenton Groombridge <concord@gentoo.org> | 2023-12-18 13:29:39 -0500 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2024-03-01 12:02:30 -0500 |
commit | 13a17848e44efe0d9f9691a7dbe1995b8756d907 (patch) | |
tree | 75176f74da1c000e3ffe864ecb7e92c9f5a30b41 /policy | |
parent | su: various fixes (diff) | |
download | hardened-refpolicy-13a17848e44efe0d9f9691a7dbe1995b8756d907.tar.gz hardened-refpolicy-13a17848e44efe0d9f9691a7dbe1995b8756d907.tar.bz2 hardened-refpolicy-13a17848e44efe0d9f9691a7dbe1995b8756d907.zip |
kernel: allow delete and setattr on generic SCSI and USB devices
Seen with systemd 255.
type=AVC msg=audit(1702835409.236:64): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/bsg/17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.236:65): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.236:66): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:69): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/bus/usb/001/002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:70): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:71): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Diffstat (limited to 'policy')
-rw-r--r-- | policy/modules/kernel/devices.if | 18 | ||||
-rw-r--r-- | policy/modules/kernel/kernel.te | 6 | ||||
-rw-r--r-- | policy/modules/kernel/storage.if | 20 |
3 files changed, 44 insertions, 0 deletions
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index d15365737..e8a4560d4 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4966,6 +4966,24 @@ interface(`dev_rw_generic_usb_dev',`
 
 ########################################
 ## <summary>
+## Delete the generic USB devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_delete_generic_usb_dev',`
+	gen_require(`
+		type device_t, usb_device_t;
+	')
+
+	delete_chr_files_pattern($1, device_t, usb_device_t)
+')
+
+########################################
+## <summary>
 ## Relabel generic the USB devices.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index ba4233b7e..3c37030b6 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -390,10 +390,16 @@ ifdef(`init_systemd',`
 	')
 
 	optional_policy(`
+		dev_setattr_generic_usb_dev(kernel_t)
+		dev_delete_generic_usb_dev(kernel_t)
+
 		storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
 		storage_setattr_fixed_disk_dev(kernel_t)
 		storage_create_fixed_disk_dev(kernel_t)
 		storage_delete_fixed_disk_dev(kernel_t)
+
+		storage_setattr_scsi_generic_dev(kernel_t)
+		storage_delete_scsi_generic_dev(kernel_t)
 	')
 ')
 
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 777caea69..6f62adead 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
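Review bot: The summary of the new `dev_delete_generic_usb_dev` interface only mentions deleting USB device nodes, but `delete_chr_files_pattern($1, device_t, usb_device_t)` also grants the caller `rw_dir_perms` on every `device_t` directory (write, add_name, remove_name), which is a wider grant than the single unlink the AVCs in the commit message show. That is fine for `kernel_t`, but other consumers of this interface will not expect directory write on `/dev` from an interface named "delete". I would say so in the docblock, e.g. `## Delete the generic USB device nodes (also grants rw_dir_perms on device_t directories).`, or mirror the storage.if interface in this commit, which grants only the chr_file permissions and leaves the directory permissions to the caller. The hunk's context lines belong to the neighbouring interfaces, whose bodies are outside the hunk.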
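Review bot: Nothing at the call site in kernel.te records why `kernel_t` needs setattr and unlink on USB and SCSI generic device nodes, or why the calls sit under `ifdef(`init_systemd',`; the AVCs in the commit message show it is kdevtmpfs cleaning up devtmpfs entries, and that is the kind of context a later reviewer trimming kernel_t will want. I would add a one-line why-comment above the first new call, `# kdevtmpfs removes stale device nodes from devtmpfs (seen with systemd 255)`. The getattr denials in the message appear to be covered by the delete interfaces if `delete_chr_file_perms` is the usual `{ getattr unlink }` set — worth confirming rather than relying on the "delete" name. The enclosing `ifdef(`init_systemd',` block starts outside the hunk; the hunk closes it.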
@@ -541,6 +541,26 @@ interface(`storage_write_scsi_generic',`
 
 ########################################
 ## <summary>
+## Allow the caller to delete the generic
+## SCSI interface device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`storage_delete_scsi_generic_dev',`
+	gen_require(`
+		type scsi_generic_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 scsi_generic_device_t:chr_file delete_chr_file_perms;
+')
+
+########################################
+## <summary>
 ## Set attributes of the device nodes
 ## for the SCSI generic interface.
 ## </summary> |
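Review bot: `storage_delete_scsi_generic_dev` is not self-contained for the operation its name promises: `dev_list_all_dev_nodes($1)` grants only directory listing on `device_t`, while unlinking a node additionally needs `remove_name` (and `write`) on the parent `device_t` directory, so a caller that does not already hold those permissions will still be denied on the dir. The companion `dev_delete_generic_usb_dev` in this same commit gets them from `delete_chr_files_pattern`, so the two new delete interfaces behave differently. The commit message's permissive-mode AVCs show no dir denial, which suggests `kernel_t` already has the directory permissions, but other callers may not; either grant them in the interface — I believe devices.if has `dev_del_entry_generic_dirs($1)` for exactly this — or document the precondition in the summary, e.g. `## The caller must separately hold remove_name on device_t directories.` The hunk's context lines belong to the neighbouring interfaces, whose bodies are outside the hunk.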