From 8cec6fabc2f9010963c67aba1c4a78b3c4240d7a Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Mon, 18 Dec 2023 13:29:39 -0500 Subject: [PATCH] kernel: allow delete and setattr on generic SCSI and USB devices Seen with systemd 255. type=AVC msg=audit(1702835409.236:64): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/bsg/17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1702835409.236:65): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1702835409.236:66): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1702835409.496:69): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/bus/usb/001/002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1702835409.496:70): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1702835409.496:71): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1 Signed-off-by: Kenton Groombridge --- policy/modules/kernel/devices.if | 18 ++++++++++++++++++ policy/modules/kernel/kernel.te | 7 +++++++ policy/modules/kernel/storage.if | 20 ++++++++++++++++++++ 3 files changed, 45 insertions(+) 
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index f81f2ad232..42215766f4 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4946,6 +4946,24 @@ interface(`dev_rw_generic_usb_dev',`
 rw_chr_files_pattern($1, device_t, usb_device_t)
 ')
 
+########################################
+##
+## Delete the generic USB devices.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_delete_generic_usb_dev',`
+ gen_require(`
+ type device_t, usb_device_t;
+ ')
+
+ delete_chr_files_pattern($1, device_t, usb_device_t)
+')
+
 ########################################
 ##
 ## Relabel generic the USB devices.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index e449160d87..95ac0ae4af 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -337,6 +337,7 @@ mls_process_set_level(kernel_t)
 selinux_getattr_fs(kernel_t)
 selinux_load_policy(kernel_t)
 
+term_getattr_pty_fs(kernel_t)
 term_use_console(kernel_t)
 term_use_generic_ptys(kernel_t)
 
@@ -390,10 +391,16 @@ ifdef(`init_systemd',`
 ')
 
 optional_policy(`
+ dev_setattr_generic_usb_dev(kernel_t)
+ dev_delete_generic_usb_dev(kernel_t)
+
 storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
 storage_setattr_fixed_disk_dev(kernel_t)
 storage_create_fixed_disk_dev(kernel_t)
 storage_delete_fixed_disk_dev(kernel_t)
+
+ storage_setattr_scsi_generic_dev(kernel_t)
+ storage_delete_scsi_generic_dev(kernel_t)
 ')
 ')
 
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 777caea69f..6f62adead3 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
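Review bot: `term_getattr_pty_fs(kernel_t)` in the first kernel.te hunk is not backed by any of the six denials quoted in the commit message, which only involve `scsi_generic_device_t` and `usb_device_t` chr_file objects, so the reason for this extra grant is undocumented. Either add the AVC that motivated it to the commit message, or move it to its own commit so the subject line ("allow delete and setattr on generic SCSI and USB devices") stays accurate. If it was observed during the same systemd 255 boot, a short comment above the line, e.g. `# systemd 255: kernel_t also needs getattr on the pty filesystem`, would let the next reader tie it to the rest of the change. The surrounding `ifdef(`init_systemd'` block of the second hunk starts outside the hunk.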
@@ -539,6 +539,26 @@ interface(`storage_write_scsi_generic',`
 typeattribute $1 scsi_generic_write;
 ')
 
+########################################
+##
+## Allow the caller to delete the generic
+## SCSI interface device nodes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`storage_delete_scsi_generic_dev',`
+ gen_require(`
+ type scsi_generic_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 scsi_generic_device_t:chr_file delete_chr_file_perms;
+')
+
 ########################################
 ##
 ## Set attributes of the device nodes
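Review bot: `dev_list_all_dev_nodes($1)` in the new `storage_delete_scsi_generic_dev` grants the caller list/read access to every device directory, while unlinking a node under /dev only needs `search` on the parent directory; that is more than the quoted kdevtmpfs denials ask for. The sibling interface added in devices.if, `dev_delete_generic_usb_dev`, gets the directory permission implicitly from `delete_chr_files_pattern($1, device_t, usb_device_t)`, so the two new interfaces grant different amounts for the same operation. The explicit-allow form presumably follows the existing storage.if convention; if you keep it, a comment such as `# dir search comes from dev_list_all_dev_nodes; nothing else in /dev is touched` would make the scope clear, otherwise `delete_chr_files_pattern($1, device_t, scsi_generic_device_t)` with `type device_t, scsi_generic_device_t;` in the gen_require would match the devices.if interface and be the tighter grant.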