References: <20190102092027.GC31076@aaa.coker.com.au> <2798399.SdR9s7MnL5@xev>
In-Reply-To: <2798399.SdR9s7MnL5@xev>
From: Nicolas Iooss
Date: Sat, 5 Jan 2019 16:18:13 +0100
Subject: Re: [PATCH misc 3/3] networkmanager apt bootloader dpkg raid modutils tor devicekit dicts irqbalance policykit and postfix
To: Russell Coker
Cc: Chris PeBenito, selinux-refpolicy@vger.kernel.org
List-ID: selinux-refpolicy@vger.kernel.org

On Thu, Jan 3, 2019 at 2:19 AM Russell Coker wrote:
>
> On Thursday, 3 January 2019 11:14:06 AM AEDT Chris PeBenito wrote:
> > On 1/2/19 4:20 AM, Russell Coker wrote:
> > > Trivial stuff.
> > >
> > >
> > > Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > > ===================================================================
> > > --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> > > +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > > @@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
> > >
> > > allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom
> > > relabelto }; allow NetworkManager_t self:packet_socket
> > > create_socket_perms;
> > > allow NetworkManager_t self:socket create_socket_perms;
> > >
> > > +allow NetworkManager_t self:rawip_socket { create setopt getattr write
> > > read };
> >
> > This seems odd. Can you provide any more details on this?
>
> From memory it appeared to be some sort of ping functionality built in. Feel
> free to drop that section and apply the rest, I can do more testing on it if
> you like.

For information, I have a patch in my policy (that I never found the time to
send) which adds "allow NetworkManager_t self:rawip_socket create_socket_perms;"
with the following description:

    Allow NetworkManager to use raw IP sockets

    NetworkManager uses raw sockets to send and receive ICMPv6 packets.
    "ss --raw -lpn" shows:

        State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
        UNCONN 0      0      :::ipv6-icmp        :::*   users:(("NetworkManager",pid=31474,fd=22))

    and audit.log reports AVC denials from NetworkManager for create, setopt,
    getattr and write in rawip_socket class. Here is an excerpt for a denied
    write ("lport=58" means "ipv6-icmp", cf. /etc/protocols):

        type=AVC msg=audit(1414245913.538:386): avc: denied { write } for pid=31474 comm="NetworkManager" lport=58 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket

I agree with adding the required permissions to NetworkManager (ICMPv6 is used
for Router Solicitation/Router Advertisement packets).

Nicolas
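Review bot: the permission list { create setopt getattr write read } on the added rawip_socket line is spelled out by hand, while the three unchanged rules in the same hunk (tun_socket, packet_socket and socket) all use the create_socket_perms macro; since the thread confirms the socket is used both to send and to receive ICMPv6 Router Solicitation/Advertisement traffic, `allow NetworkManager_t self:rawip_socket create_socket_perms;` (the form Nicolas reports carrying in his own policy) is the consistent choice. The commit message should also carry that rationale and the lport=58 AVC excerpt instead of "Trivial stuff": a raw-IP-socket grant to a network daemon is exactly the line a later policy auditor will want justified in the history.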
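As an added example (not part of this thread, of refpolicy, or of NetworkManager), the script below does by hand what a policy author does with audit.log excerpts like the one quoted above: it parses AVC records, groups the denied permissions by source type, target and object class, renders each group as a refpolicy allow statement, and resolves the lport= value of rawip_socket denials to a protocol name. The 'denied { write }' record is the one quoted in the message; the create/setopt/getattr records and the SYSCALL line are constructed to match the denials the message describes, and PROTOCOLS is a small constructed stand-in for /etc/protocols.

```python
"""Aggregate SELinux AVC denials into candidate allow rules (added example)."""
import re
from collections import defaultdict

# An AVC record: the denied permission set, then key=value fields.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed stand-in for /etc/protocols (58 is ipv6-icmp, as the thread notes).
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp", 58: "ipv6-icmp"}

# Constructed sample log: the 'write' record is the one quoted in the thread;
# the other AVC records are made up to match the create/setopt/getattr denials
# it mentions, and the SYSCALL record shows that non-AVC lines are skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1414245913.101:380): avc: denied { create } for pid=31474 comm="NetworkManager" scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=AVC msg=audit(1414245913.102:381): avc: denied { setopt } for pid=31474 comm="NetworkManager" lport=58 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=AVC msg=audit(1414245913.103:382): avc: denied { getattr } for pid=31474 comm="NetworkManager" lport=58 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=AVC msg=audit(1414245913.538:386): avc: denied { write } for pid=31474 comm="NetworkManager" lport=58 scontext=system_u:system_r:NetworkManager_t tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
type=SYSCALL msg=audit(1414245913.538:386): arch=c000003e syscall=44 success=no exit=-13
"""


def parse_avc(line):
    """Return (perms, fields) for an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return perms, fields


def _type_of(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(":")[2]


def aggregate(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        key = (_type_of(f["scontext"]), _type_of(f["tcontext"]), f["tclass"])
        rules[key].update(perms)
    return rules


def to_allow_rules(rules):
    """Render each group as a refpolicy allow statement ('self' when src == tgt)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out


def protocol_names(log_text):
    """Resolve lport= values of rawip_socket denials to protocol names."""
    seen = set()
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        _, f = parsed
        if f.get("tclass") == "rawip_socket" and "lport" in f:
            num = int(f["lport"])
            seen.add(PROTOCOLS.get(num, f"proto-{num}"))
    return sorted(seen)


if __name__ == "__main__":
    for rule in to_allow_rules(aggregate(SAMPLE_LOG)):
        print(rule)
    print("raw-socket protocols seen:", ", ".join(protocol_names(SAMPLE_LOG)))
```

The emitted rule is the literal union of the denied permissions, which is the same shape as the hand-written line in the patch; whether to collapse it into create_socket_perms is a judgment the policy author makes after confirming, as the ss output above does, what the daemon actually does with the socket. Seeing only ipv6-icmp on the raw socket is the evidence that the grant covers Router Solicitation/Advertisement traffic and not arbitrary raw IP.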