Return-Path: <SRS0=0v2g=PN=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0CD17C43387
	for <selinux-refpolicy@archiver.kernel.org>; Sat,  5 Jan 2019 15:18:30 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id CE7582070C
	for <selinux-refpolicy@archiver.kernel.org>; Sat,  5 Jan 2019 15:18:29 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726238AbfAEPS3 (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Sat, 5 Jan 2019 10:18:29 -0500
Received: from mx1.polytechnique.org ([129.104.30.34]:34608 "EHLO
        mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726200AbfAEPS3 (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sat, 5 Jan 2019 10:18:29 -0500
Received: from mail-ot1-f52.google.com (mail-ot1-f52.google.com [209.85.210.52])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by ssl.polytechnique.org (Postfix) with ESMTPSA id 4A1C45646B6
        for <selinux-refpolicy@vger.kernel.org>; Sat,  5 Jan 2019 16:18:25 +0100 (CET)
Received: by mail-ot1-f52.google.com with SMTP id i20so34493942otl.0
        for <selinux-refpolicy@vger.kernel.org>; Sat, 05 Jan 2019 07:18:25 -0800 (PST)
X-Gm-Message-State: AJcUukc/K0H7LyhyNLfa3kPozAiTBXRu2vFhSISvQL4S8JScZwiSIRHT
        Q/kSQD9nL68kuRx7CA0TFaZ0SbP9n4AiiZAwxHY=
X-Google-Smtp-Source: ALg8bN6wC6VUCpOt2tKRYMUvTrDg/IAmRH3qGVUoZUv+pKBgmDrXUDEH/8KGZDs16gx2dg77IIHVA7D9IPH8jHD0grA=
X-Received: by 2002:a9d:65c8:: with SMTP id z8mr5835477oth.338.1546701504317;
 Sat, 05 Jan 2019 07:18:24 -0800 (PST)
MIME-Version: 1.0
References: <20190102092027.GC31076@aaa.coker.com.au> <b0ab0455-cdfe-be36-2c28-1398cabb58ac@ieee.org>
 <2798399.SdR9s7MnL5@xev>
In-Reply-To: <2798399.SdR9s7MnL5@xev>
From:   Nicolas Iooss <nicolas.iooss@m4x.org>
Date:   Sat, 5 Jan 2019 16:18:13 +0100
X-Gmail-Original-Message-ID: <CAJfZ7=kRgTuVELRGMXpOFLsiKFuND3ughioEgVZD1LTRdDBVVw@mail.gmail.com>
Message-ID: <CAJfZ7=kRgTuVELRGMXpOFLsiKFuND3ughioEgVZD1LTRdDBVVw@mail.gmail.com>
Subject: Re: [PATCH misc 3/3] networkmanager apt bootloader dpkg raid modutils
 tor devicekit dicts irqbalance policykit and postfix
To:     Russell Coker <russell@coker.com.au>
Cc:     Chris PeBenito <pebenito@ieee.org>,
        selinux-refpolicy@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Sat Jan  5 16:18:25 2019 +0100 (CET))
X-Org-Mail: nicolas.iooss.2010@polytechnique.org
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Thu, Jan 3, 2019 at 2:19 AM Russell Coker <russell@coker.com.au> wrote:
>
> On Thursday, 3 January 2019 11:14:06 AM AEDT Chris PeBenito wrote:
> > On 1/2/19 4:20 AM, Russell Coker wrote:
> > > Trivial stuff.
> > >
> > >
> > > Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > > ===================================================================
> > > --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> > > +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > > @@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
> > >
> > >   allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom
> > >   relabelto }; allow NetworkManager_t self:packet_socket
> > >   create_socket_perms;
> > >   allow NetworkManager_t self:socket create_socket_perms;
> > >
> > > +allow NetworkManager_t self:rawip_socket { create setopt getattr write
> > > read };
> > This seems odd.  Can you provide any more details on this?
>
> From memory it appeared to be some sort of ping functionality built in.  Feel
> free to drop that section and apply the rest, I can do more testing on it if
> you like.

For information, I have a patch in my policy (that I never found the
time to send) which adds "allow NetworkManager_t self:rawip_socket
create_socket_perms;" with the following description:

    Allow NetworkManager to use raw IP sockets

    NetworkManager uses raw sockets to send and receive ICMPv6 paquets.

    "ss --raw -lpn" shows:

        State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
        UNCONN  0       0       :::ipv6-icmp        :::*
        users:(("NetworkManager",pid=31474,fd=22))

    and audit.log reports AVC denials from NetworkManager for create,
    setopt, getattr and write in rawip_socket class.  Here is an excerpt for
    a denied write ("lport=58" means "ipv6-icmp", cf. /etc/protocols):

      type=AVC msg=audit(1414245913.538:386): avc:  denied  { write } for
      pid=31474 comm="NetworkManager" lport=58
      scontext=system_u:system_r:NetworkManager_t
      tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket

I agree with adding the required permissions to NetworkManager (ICMPv6
is used for Router Solicitation/Router Advertisement packets).

Nicolas