From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Allow systemd-networkd to get IP address from dhcp server
Date: Thu, 7 Feb 2019 21:15:32 +0000
Message-ID: <20190207211422.10855-1-dsugar@tresys.com>

I'm seeing the following denials when attempting to get a DHCP address.

type=AVC msg=audit(1549471325.440:199): avc: denied { name_bind } for pid=6964 comm="systemd-network" src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:dhcpc_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1549471325.440:199): avc: denied { node_bind } for pid=6964 comm="systemd-network" saddr=10.1.12.61 src=68 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1549471325.440:199): avc: denied { net_bind_service } for pid=6964 comm="systemd-network" capability=10 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1549471325.440:199): arch=c000003e syscall=49 success=yes exit=0 a0=b a1=7fff09388780 a2=10 a3=7fff09388778 items=0 ppid=1 pid=6964 auid=4294967295 uid=192 gid=192 euid=192 suid=192 fsuid=192 egid=192 sgid=192 fsgid=192 tty=(none) ses=4294967295 comm="systemd-network" exe="/usr/lib/systemd/systemd-networkd" subj=system_u:system_r:systemd_networkd_t:s0 key=(null)

Signed-off-by: Dave Sugar
--- policy/modules/system/systemd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/syste= md.te index 64e36c66..cd88e621 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te 
@@ -651,6 +651,8 @@ corecmd_bin_entry_type(systemd_networkd_t) corecmd_exec_bin(systemd_networkd_t) =20 corenet_rw_tun_tap_dev(systemd_networkd_t) +corenet_udp_bind_dhcpc_port(systemd_networkd_t) +corenet_udp_bind_generic_node(systemd_networkd_t) =20 dev_read_urand(systemd_networkd_t) dev_read_sysfs(systemd_networkd_t) --=20 2.20.1
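
Review bot: the commit message quotes three denials, but the two lines added after corenet_rw_tun_tap_dev(systemd_networkd_t) only name the port bind and the node bind; nothing in the hunk or the message says how the net_bind_service denial (tclass=capability, with scontext and tcontext both systemd_networkd_t) is resolved. If corenet_udp_bind_dhcpc_port() already grants that capability to the calling domain, say so in the commit message; if it does not, add net_bind_service to the domain's self:capability rule in this patch. The denials were also recorded with permissive=1, so a line confirming that the DHCP lease is obtained in enforcing mode with the patch applied would help.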