From 13a17848e44efe0d9f9691a7dbe1995b8756d907 Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Mon, 18 Dec 2023 13:29:39 -0500
Subject: kernel: allow delete and setattr on generic SCSI and USB devices

Seen with systemd 255.

type=AVC msg=audit(1702835409.236:64): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/bsg/17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.236:65): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.236:66): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:69): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/bus/usb/001/002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:70): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:71): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1

Signed-off-by: Kenton Groombridge
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/kernel/kernel.te | 6 ++++++
 policy/modules/kernel/storage.if | 20 ++++++++++++++++++++
 3 files changed, 44 insertions(+)

(limited to 'policy')
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index d1536573..e8a4560d 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4964,6 +4964,24 @@ interface(`dev_rw_generic_usb_dev',`
 rw_chr_files_pattern($1, device_t, usb_device_t)
 ')
 
+########################################
+##
+## Delete the generic USB devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_delete_generic_usb_dev',`
+ gen_require(`
+ type device_t, usb_device_t;
+ ')
+
+ delete_chr_files_pattern($1, device_t, usb_device_t)
+')
+
 ########################################
 ##
 ## Relabel generic the USB devices.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index ba4233b7..3c37030b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -390,10 +390,16 @@ ifdef(`init_systemd',`
 ')
 
 optional_policy(`
+ dev_setattr_generic_usb_dev(kernel_t)
+ dev_delete_generic_usb_dev(kernel_t)
+
 storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
 storage_setattr_fixed_disk_dev(kernel_t)
 storage_create_fixed_disk_dev(kernel_t)
 storage_delete_fixed_disk_dev(kernel_t)
+
+ storage_setattr_scsi_generic_dev(kernel_t)
+ storage_delete_scsi_generic_dev(kernel_t)
 ')
 ')
 
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 777caea6..6f62adea 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
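Review bot: The six calls added inside the `optional_policy(`` block in kernel.te carry no comment saying why the kernel domain itself needs to delete and set attributes on USB and SCSI generic nodes, and nothing in the file will tell the next reader; the description attributes every denial to `comm="kdevtmpfs"`, which is the only record of that. A one-line comment above the new `dev_setattr_generic_usb_dev(kernel_t)` call, such as `# kdevtmpfs updates and removes device nodes in devtmpfs (seen with systemd 255)`, would keep that context with the rules. The enclosing `ifdef(`init_systemd'` block starts outside the hunk.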
@@ -539,6 +539,26 @@ interface(`storage_write_scsi_generic',`
 typeattribute $1 scsi_generic_write;
 ')
 
+########################################
+##
+## Allow the caller to delete the generic
+## SCSI interface device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`storage_delete_scsi_generic_dev',`
+ gen_require(`
+ type scsi_generic_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 scsi_generic_device_t:chr_file delete_chr_file_perms;
+')
+
 ########################################
 ##
 ## Set attributes of the device nodes
-- 
cgit v1.2.3-65-gdbad
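Review bot: `storage_delete_scsi_generic_dev` grants `delete_chr_file_perms` on the node but nothing on the directory holding it, so the `unlink` of `/bsg/17:0:0:0` from the description still depends on the caller having `remove_name` on that directory from some other rule; `dev_list_all_dev_nodes($1)` covers listing, not entry removal. The sibling `dev_delete_generic_usb_dev` added in devices.if by this same commit uses `delete_chr_files_pattern`, which includes the directory side, so the two new interfaces are inconsistent. Unless the intent is that callers obtain the directory permission separately, replacing `dev_list_all_dev_nodes($1)` with `dev_del_entry_generic_dirs($1)` and keeping the `allow` line would make the interface self-contained and narrower than listing every device node. I am assuming the bsg directory is labeled with the generic device type; that is not visible here.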