kernel: allow delete and setattr on generic SCSI and USB devices

Seen with systemd 255.

type=AVC msg=audit(1702835409.236:64): avc:  denied  { getattr } for  pid=178 comm="kdevtmpfs" path="/bsg/17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.236:65): avc:  denied  { setattr } for  pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.236:66): avc:  denied  { unlink } for  pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:69): avc:  denied  { getattr } for  pid=178 comm="kdevtmpfs" path="/bus/usb/001/002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:70): avc:  denied  { setattr } for  pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:71): avc:  denied  { unlink } for  pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1

Signed-off-by: Kenton Groombridge <[email protected]>

policy/modules/kernel/devices.if

@@ -4946,6 +4946,24 @@ interface(`dev_rw_generic_usb_dev',`
 	rw_chr_files_pattern($1, device_t, usb_device_t)
 ')
 
+########################################
+## <summary>
+##	Delete the generic USB devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_delete_generic_usb_dev',`
+	gen_require(`
+		type device_t, usb_device_t;
+	')
+
+	delete_chr_files_pattern($1, device_t, usb_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Relabel generic the USB devices.

policy/modules/kernel/kernel.te

@@ -337,6 +337,7 @@ mls_process_set_level(kernel_t)
 selinux_getattr_fs(kernel_t)
 selinux_load_policy(kernel_t)
 
+
 term_getattr_pty_fs(kernel_t)
 term_use_console(kernel_t)
 term_use_generic_ptys(kernel_t)
@@ -390,10 +391,16 @@ ifdef(`init_systemd',`
 	')
 
 	optional_policy(`
+		dev_setattr_generic_usb_dev(kernel_t)
+		dev_delete_generic_usb_dev(kernel_t)
+
 		storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
 		storage_setattr_fixed_disk_dev(kernel_t)
 		storage_create_fixed_disk_dev(kernel_t)
 		storage_delete_fixed_disk_dev(kernel_t)
+
+		storage_setattr_scsi_generic_dev(kernel_t)
+		storage_delete_scsi_generic_dev(kernel_t)
 	')
 ')
 

policy/modules/kernel/storage.if

@@ -539,6 +539,26 @@ interface(`storage_write_scsi_generic',`
 	typeattribute $1 scsi_generic_write;
 ')
 
+########################################
+## <summary>
+##	Allow the caller to delete the generic
+##	SCSI interface device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`storage_delete_scsi_generic_dev',`
+	gen_require(`
+		type scsi_generic_device_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	allow $1 scsi_generic_device_t:chr_file delete_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Set attributes of the device nodes