2014-10-18 13:30:20

by Nicolas Iooss

Subject: [refpolicy] [PATCH 1/3] Label /sbin/iw as ifconfig_exec_t

iw manpage says "iw - show / manipulate wireless devices and their
configuration". Label this command ifconfig_exec_t to allow it to
manage wireless communication devices.

Debian installs iw in /sbin/iw, Fedora in /usr/sbin/iw and Arch Linux in
/usr/bin/iw (with /usr/sbin being a symlink to /usr/bin).
---
policy/modules/system/sysnetwork.fc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index fa7a406acf80..fbb935c608fe 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -48,6 +48,7 @@ ifdef(`distro_redhat',`
/sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
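Review bot: the hunk header's function context is `ifdef(`distro_redhat',``, and the commit message names Debian as the distribution that installs /sbin/iw; confirm the new `/sbin/iw` line sits outside that conditional rather than inside it, otherwise Debian systems would still have no label for the binary. The placement between ipx_internal_net and iwconfig keeps the block in alphabetical order, which matches the surrounding entries.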
@@ -56,6 +57,7 @@ ifdef(`distro_redhat',`
#
# /usr
#
+/usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
/usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)

#
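Review bot: nothing in this hunk covers the Arch Linux location /usr/bin/iw that the commit message mentions; where /usr/sbin is a symlink to /usr/bin, the `/usr/sbin/iw` pattern only helps if a file-context substitution maps the two directories, so either say in the commit message that this is relied upon or add a `/usr/bin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)` line next to the /usr/sbin one.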
--
2.1.2


2014-10-18 13:30:21

by Nicolas Iooss

Subject: [refpolicy] [PATCH 2/3] Allow iw to create generic netlink sockets

iw uses a generic netlink socket to configure WiFi properties. For
example, "strace iw dev wlan0 set power_save on" outputs:

socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0

Some AVC denials are reported in audit.log:

type=AVC msg=audit(1408829044.820:486): avc: denied { create } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:489): avc: denied { getattr }
for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1
type=AVC msg=audit(1408829044.820:490): avc: denied { write } for
pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
permissive=1

Allowing ifconfig_t to create generic netlink sockets fixes this.

(On a side note, the AVC denials were caused by TLP, a tool which
applies "laptop configuration" when switching between AC and battery
with the help of a udev script)
---
policy/modules/system/sysnetwork.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 0a3ea3d979b9..bcba404cd38e 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -274,6 +274,7 @@ allow ifconfig_t self:msg { send receive };
allow ifconfig_t self:udp_socket create_socket_perms;
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
+allow ifconfig_t self:netlink_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
allow ifconfig_t self:tcp_socket { create ioctl };
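Review bot: the new rule lands directly under the `# for /sbin/ip` comment, so a reader will attribute it to ip rather than iw; add a `# for iw (generic netlink)` comment above it, following the convention already used on the line above. The commit message should also say that, because iw shares the ifconfig_t domain, this grants generic netlink socket creation to every program labelled ifconfig_exec_t and not only to iw. `create_socket_perms` is the right minimum here: the quoted denials ask for create, setopt, bind, getattr and write and no nlmsg_* permission, so `create_netlink_socket_perms` would be wider than the evidence supports.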
--
2.1.2

2014-10-18 13:30:22

by Nicolas Iooss

Subject: [refpolicy] [PATCH 3/3] Use create_netlink_socket_perms when allowing netlink socket creation

create_netlink_socket_perms is defined as:

{ create_socket_perms nlmsg_read nlmsg_write }

This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.

Clean up things without allowing anything new.
---
policy/modules/system/ipsec.te | 2 +-
policy/modules/system/sysnetwork.te | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 312cd0417c98..9e73de78e09e 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -79,7 +79,7 @@ allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms;
allow ipsec_t self:key_socket create_socket_perms;
allow ipsec_t self:fifo_file read_fifo_file_perms;
-allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
+allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;

allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index bcba404cd38e..162be5d44318 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -57,7 +57,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
allow dhcpc_t self:tcp_socket create_stream_socket_perms;
allow dhcpc_t self:udp_socket create_socket_perms;
allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;

allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
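Review bot: this hunk is a pure no-op only if the macro really expands to `{ create_socket_perms nlmsg_read nlmsg_write }` as the commit message states; mention in the commit message how that was verified (for example a `sesearch -A -s dhcpc_t -c netlink_route_socket` comparison of the built policy before and after the series), since a cleanup that silently widened a netlink permission would be hard to spot later.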
@@ -276,7 +276,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
allow ifconfig_t self:packet_socket create_socket_perms;
allow ifconfig_t self:netlink_socket create_socket_perms;
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
+allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
allow ifconfig_t self:tcp_socket { create ioctl };

kernel_use_fds(ifconfig_t)
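Review bot: the `allow ifconfig_t self:netlink_socket create_socket_perms;` context line is deliberately left alone, which is consistent with the series allowing nothing new (the [PATCH 2/3] denials asked for no nlmsg_read or nlmsg_write), but it now reads as an inconsistency next to the two neighbouring create_netlink_socket_perms rules; a short comment on that line saying the nlmsg permissions are intentionally withheld would stop a future cleanup from widening it.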
--
2.1.2
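As an added example, not code from this thread or from refpolicy: a small Python script that reads the AVC records quoted in [PATCH 2/3] and derives the minimal allow rule plus the smallest refpolicy macro covering it, and that expands permission specs to confirm the [PATCH 3/3] rewrites grant nothing new. create_netlink_socket_perms is taken from the commit message; rw_socket_perms and create_socket_perms are assumed to match refpolicy's obj_perm_sets.spt.

```python
import re

# AVC records copied from the "[PATCH 2/3]" mail above, wrapped lines re-joined.
AVC_LOG = """\
type=AVC msg=audit(1408829044.820:486): avc: denied { create } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:489): avc: denied { getattr } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1408829044.820:490): avc: denied { write } for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket permissive=1
"""

# refpolicy permission-set macros: create_netlink_socket_perms as quoted in
# "[PATCH 3/3]"; rw_/create_socket_perms are assumed to match obj_perm_sets.spt.
PERM_SETS = {"rw_socket_perms": {"ioctl", "read", "getattr", "write", "setattr",
             "append", "bind", "connect", "getopt", "setopt", "shutdown"}}
PERM_SETS["create_socket_perms"] = {"create"} | PERM_SETS["rw_socket_perms"]
PERM_SETS["create_netlink_socket_perms"] = (
    PERM_SETS["create_socket_perms"] | {"nlmsg_read", "nlmsg_write"})

def collect_denials(log):
    """Merge denied permissions per (source type, target type, class) triple."""
    wanted = {}
    for line in log.splitlines():
        m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
        if not m:
            continue
        f = dict(re.findall(r"(\w+)=(\S+)", line))
        # contexts are user:role:type[:level]; only the type matters for the rule
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
        wanted.setdefault(key, set()).update(m.group(1).split())
    return wanted

def allow_rule(key, perms):
    """Minimal allow rule granting exactly the observed denials, nothing more."""
    sdom, tdom, tclass = key
    target = "self" if sdom == tdom else tdom
    return f"allow {sdom} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"

def expand(spec):
    """Expand a permission spec such as '{ create_netlink_socket_perms nlmsg_write }'."""
    out = set()
    for tok in spec.strip("{} ").split():
        out |= PERM_SETS.get(tok, {tok})
    return out

def covering_sets(perms):
    """Named macros that contain every denied permission, smallest first."""
    names = [n for n, s in PERM_SETS.items() if perms <= s]
    return sorted(names, key=lambda n: len(PERM_SETS[n]))
```

Running collect_denials over the quoted log yields the single ifconfig_t/netlink_socket triple, whose smallest covering macro is create_socket_perms, the set the merged patch uses.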

2014-10-23 12:13:22

by cpebenito

Subject: [refpolicy] [PATCH 2/3] Allow iw to create generic netlink sockets

On 10/18/2014 9:30 AM, Nicolas Iooss wrote:
> iw uses a generic netlink socket to configure WiFi properties. For
> example, "strace iw dev wlan0 set power_save on" outputs:
>
> socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
> setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
> setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
> bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0
>
> Some AVC denials are reported in audit.log:
>
> type=AVC msg=audit(1408829044.820:486): avc: denied { create } for
> pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
> permissive=1
> type=AVC msg=audit(1408829044.820:487): avc: denied { setopt } for
> pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
> permissive=1
> type=AVC msg=audit(1408829044.820:488): avc: denied { bind } for
> pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
> permissive=1
> type=AVC msg=audit(1408829044.820:489): avc: denied { getattr }
> for pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
> permissive=1
> type=AVC msg=audit(1408829044.820:490): avc: denied { write } for
> pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
> tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
> permissive=1
>
> Allowing ifconfig_t to create generic netlink sockets fixes this.

Merged.


> (On a side note, the AVC denials were caused by TLP, a tool which
> applies "laptop configuration" when switching between AC and battery
> with the help of a udev script)
> ---
> policy/modules/system/sysnetwork.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index 0a3ea3d979b9..bcba404cd38e 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -274,6 +274,7 @@ allow ifconfig_t self:msg { send receive };
> allow ifconfig_t self:udp_socket create_socket_perms;
> # for /sbin/ip
> allow ifconfig_t self:packet_socket create_socket_perms;
> +allow ifconfig_t self:netlink_socket create_socket_perms;
> allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
> allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
> allow ifconfig_t self:tcp_socket { create ioctl };
>

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-10-23 12:13:19

by cpebenito

Subject: [refpolicy] [PATCH 1/3] Label /sbin/iw as ifconfig_exec_t

On 10/18/2014 9:30 AM, Nicolas Iooss wrote:
> iw manpage says "iw - show / manipulate wireless devices and their
> configuration". Label this command ifconfig_exec_t to allow it to
> manage wireless communication devices.
>
> Debian installs iw in /sbin/iw, Fedora in /usr/sbin/iw and Arch Linux in
> /usr/bin/iw (with /usr/sbin being a symlink to /usr/bin).

Merged.


> ---
> policy/modules/system/sysnetwork.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
> index fa7a406acf80..fbb935c608fe 100644
> --- a/policy/modules/system/sysnetwork.fc
> +++ b/policy/modules/system/sysnetwork.fc
> @@ -48,6 +48,7 @@ ifdef(`distro_redhat',`
> /sbin/ipx_configure -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
> /sbin/ipx_interface -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
> /sbin/ipx_internal_net -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
> +/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
> /sbin/iwconfig -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
> /sbin/mii-tool -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
> /sbin/pump -- gen_context(system_u:object_r:dhcpc_exec_t,s0)
> @@ -56,6 +57,7 @@ ifdef(`distro_redhat',`
> #
> # /usr
> #
> +/usr/sbin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
> /usr/sbin/tc -- gen_context(system_u:object_r:ifconfig_exec_t,s0)
>
> #
>

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-10-23 12:13:25

by cpebenito

Subject: [refpolicy] [PATCH 3/3] Use create_netlink_socket_perms when allowing netlink socket creation

On 10/18/2014 9:30 AM, Nicolas Iooss wrote:
> create_netlink_socket_perms is defined as:
>
> { create_socket_perms nlmsg_read nlmsg_write }
>
> This means that it is redundant to allow create_socket_perms and
> nlmsg_read/nlmsg_write.
>
> Clean up things without allowing anything new.

Merged.


> ---
> policy/modules/system/ipsec.te | 2 +-
> policy/modules/system/sysnetwork.te | 4 ++--
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index 312cd0417c98..9e73de78e09e 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -79,7 +79,7 @@ allow ipsec_t self:tcp_socket create_stream_socket_perms;
> allow ipsec_t self:udp_socket create_socket_perms;
> allow ipsec_t self:key_socket create_socket_perms;
> allow ipsec_t self:fifo_file read_fifo_file_perms;
> -allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
> +allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
>
> allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
>
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index bcba404cd38e..162be5d44318 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -57,7 +57,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
> allow dhcpc_t self:tcp_socket create_stream_socket_perms;
> allow dhcpc_t self:udp_socket create_socket_perms;
> allow dhcpc_t self:packet_socket create_socket_perms;
> -allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
> +allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
>
> allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
> read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
> @@ -276,7 +276,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
> allow ifconfig_t self:packet_socket create_socket_perms;
> allow ifconfig_t self:netlink_socket create_socket_perms;
> allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
> -allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
> +allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
> allow ifconfig_t self:tcp_socket { create ioctl };
>
> kernel_use_fds(ifconfig_t)
>

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com