2011-09-04 11:25:06

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/6] Wireshark application updates

This is a set of simple updates on the wireshark application.

- Support the use of user terminals
- Access /dev/random
- Remove duplicate corecmd_search_bin
- Allow wireshark to execute bin_t
- Let dumpcap dump its packets
- Grant access to sysfs

Wkr,
Sven Vermeulen


2011-09-04 11:25:45

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/6] Allow using user terminals

In order to debug wireshark startup issues, it is important that
wireshark, when started from a command line, is allowed to output its
error messages.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/apps/wireshark.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 8bfe97d..0106846 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -93,6 +93,7 @@ seutil_use_newrole_fds(wireshark_t)
sysnet_read_config(wireshark_t)

userdom_manage_user_home_content_files(wireshark_t)
+userdom_use_user_terminals(wireshark_t)

tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(wireshark_t)
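Review bot: userdom_use_user_terminals(wireshark_t) grants read/write on user ttys as well as user ptys, which is broader than the stated need (error output when started from a command line, i.e. from a terminal emulator under X). userdom_use_user_ptys(wireshark_t) would cover that case with less access; if a real tty is also needed, the commit message should say which denial showed it.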
--
1.7.3.4

2011-09-04 11:26:10

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/6] Allow wireshark to use the random device

It already has the rights to use the urandom device, but access to the
random device is also needed.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/apps/wireshark.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 0106846..9f9d24a 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -75,6 +75,7 @@ corecmd_search_bin(wireshark_t)
corenet_tcp_connect_generic_port(wireshark_t)
corenet_tcp_sendrecv_generic_if(wireshark_t)

+dev_read_rand(wireshark_t)
dev_read_urand(wireshark_t)

files_read_etc_files(wireshark_t)
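Review bot: The commit message gives no reason why the blocking random device is read, only that urandom was already allowed, and nothing in the hunk explains it either. State which code path or AVC denial motivated dev_read_rand(wireshark_t); from this hunk a reviewer cannot tell whether the existing dev_read_urand(wireshark_t) should have sufficed.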
--
1.7.3.4

2011-09-04 11:26:43

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/6] Remove duplicate corecmd_search_bin

Title says it all: the module used "corecmd_search_bin" twice.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/apps/wireshark.te | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 9f9d24a..32b5ca8 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -46,7 +46,6 @@ allow wireshark_t self:udp_socket create_socket_perms;

# Re-execute itself (why?)
can_exec(wireshark_t, wireshark_exec_t)
-corecmd_search_bin(wireshark_t)

# /home/.wireshark
manage_dirs_pattern(wireshark_t, wireshark_home_t, wireshark_home_t)
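Review bot: Dropping this corecmd_search_bin(wireshark_t) is safe only because the other call survives; the previous patch's hunk header (`@@ -75,6 +75,7 @@ corecmd_search_bin(wireshark_t)`) shows where it lives, and the commit message could say so instead of just "twice". The `# Re-execute itself (why?)` comment above can_exec is left with its question open; if the reason is known it would be worth replacing the comment, otherwise leave it as is rather than having it look like it documents the removed line.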
--
1.7.3.4

2011-09-04 11:27:09

by sven.vermeulen

Subject: [refpolicy] [PATCH 4/6] Allow wireshark to execute bin_t

Wireshark needs to be able to execute applications, definitely for its
plugin support, but also to call the dumpcap utility (part of the
wireshark distribution) to be able to dump the network traffic.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/apps/wireshark.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 32b5ca8..5ee2530 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -69,6 +69,7 @@ kernel_read_kernel_sysctls(wireshark_t)
kernel_read_system_state(wireshark_t)
kernel_read_sysctl(wireshark_t)

+corecmd_exec_bin(wireshark_t)
corecmd_search_bin(wireshark_t)

corenet_tcp_connect_generic_port(wireshark_t)
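Review bot: corecmd_exec_bin(wireshark_t) lets wireshark_t execute any bin_t file in its own domain, which is far broader than the two needs named in the commit message (plugins and dumpcap). The existing can_exec(wireshark_t, wireshark_exec_t) rule shown in the previous patch already covers binaries labelled wireshark_exec_t, so labelling dumpcap that way in the module's file contexts would handle the dumpcap case without exec_bin; if exec_bin is still required, the message should name the denial that needs it.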
--
1.7.3.4

2011-09-04 11:27:34

by sven.vermeulen

Subject: [refpolicy] [PATCH 5/6] Dumpcap dumps the packets as packet_socket

The dumpcap utility (running in the wireshark_t domain) needs to be able
to write to packet_sockets.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/apps/wireshark.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 5ee2530..78afc39 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -40,7 +40,7 @@ allow wireshark_t self:fifo_file { getattr read write };
allow wireshark_t self:shm destroy;
allow wireshark_t self:shm create_shm_perms;
allow wireshark_t self:netlink_route_socket { nlmsg_read create_socket_perms };
-allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read };
+allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read write };
allow wireshark_t self:tcp_socket create_socket_perms;
allow wireshark_t self:udp_socket create_socket_perms;
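Review bot: Adding write to self:packet_socket grants wireshark_t the ability to transmit raw frames, not only to read captured ones, which is a larger step than "needs to be able to write packet_sockets" suggests. Record the actual denial (which operation on the packet socket was refused, and by dumpcap or by wireshark itself) in the commit message so a reviewer can confirm that capture rather than injection is what requires the permission.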

--
1.7.3.4
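Two of the patches above (removing the duplicate corecmd_search_bin call, and widening the self:packet_socket permission set) are the kind of thing a reviewer wants to check mechanically rather than by eye. The following is an added example, not code from refpolicy or from this thread: a small parser for the subset of .te syntax visible in the hunks (interface calls and `allow` rules) that reports duplicate interface calls and extracts the permission set a domain holds on a given object class. The SAMPLE_TE text is constructed from lines shown in the patches; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: fragments of policy/modules/apps/wireshark.te as they
# appear in the patch hunks, with the duplicate corecmd_search_bin present
# and the post-patch packet_socket rule (write already added).
SAMPLE_TE = """\
allow wireshark_t self:packet_socket { setopt bind ioctl getopt create read write };
allow wireshark_t self:tcp_socket create_socket_perms;

# Re-execute itself (why?)
can_exec(wireshark_t, wireshark_exec_t)
corecmd_search_bin(wireshark_t)

kernel_read_system_state(wireshark_t)

corecmd_exec_bin(wireshark_t)
corecmd_search_bin(wireshark_t)

dev_read_rand(wireshark_t)
dev_read_urand(wireshark_t)
"""

# interface_name(arg, arg, ...) on a line of its own
CALL_RE = re.compile(r'^\s*([a-z_]+)\(([^)]*)\)\s*$')
# allow <source> <target>:<class> { perm perm ... };  or  allow ... <class> perm;
ALLOW_RE = re.compile(
    r'^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;')


def interface_calls(te_text):
    """Return [(interface, (args...)), ...] for every call-style line,
    ignoring '#' comments. Macros such as can_exec() are reported too."""
    calls = []
    for line in te_text.splitlines():
        line = line.split('#', 1)[0]
        m = CALL_RE.match(line)
        if m:
            args = tuple(a.strip() for a in m.group(2).split(','))
            calls.append((m.group(1), args))
    return calls


def duplicate_calls(te_text):
    """Interface calls that occur more than once with identical arguments,
    as sorted (interface, args, count) tuples; the patch 3 case."""
    counts = Counter(interface_calls(te_text))
    return sorted((name, args, n)
                  for (name, args), n in counts.items() if n > 1)


def allow_perms(te_text, cls):
    """Map (source, target) -> set of permissions granted on class `cls`
    by plain allow rules. Permission macros such as create_socket_perms
    are kept as opaque names, not expanded."""
    perms = {}
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if m and m.group(3) == cls:
            p = m.group(4).split() if m.group(4) else [m.group(5)]
            perms.setdefault((m.group(1), m.group(2)), set()).update(p)
    return perms


def packet_socket_can_transmit(te_text, domain='wireshark_t'):
    """True if `domain` holds write (i.e. send) on its own packet sockets,
    which is what lets it inject raw frames rather than only capture."""
    return 'write' in allow_perms(te_text, 'packet_socket').get((domain, 'self'), set())


if __name__ == '__main__':
    for name, args, n in duplicate_calls(SAMPLE_TE):
        print(f'duplicate: {name}({", ".join(args)}) x{n}')
    print('packet_socket perms:', allow_perms(SAMPLE_TE, 'packet_socket'))
    print('can transmit:', packet_socket_can_transmit(SAMPLE_TE))
```

Run against a real module the script only covers the flat call and allow syntax shown here; calls inside tunable_policy/optional_policy blocks are still single lines and are picked up, but the block structure itself is not tracked, so a call that is legitimately repeated in two different conditional blocks will also be reported.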

2011-09-04 11:28:02

by sven.vermeulen

Subject: [refpolicy] [PATCH 6/6] Grant wireshark read access on sysfs

The wireshark utility reads information from the network devices listed
in the sysfs hierarchy.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/apps/wireshark.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
index 78afc39..a19c7ff 100644
--- a/policy/modules/apps/wireshark.te
+++ b/policy/modules/apps/wireshark.te
@@ -76,6 +76,7 @@ corenet_tcp_connect_generic_port(wireshark_t)
corenet_tcp_sendrecv_generic_if(wireshark_t)

dev_read_rand(wireshark_t)
+dev_read_sysfs(wireshark_t)
dev_read_urand(wireshark_t)

files_read_etc_files(wireshark_t)
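Review bot: dev_read_sysfs(wireshark_t) grants read access to the whole sysfs tree, while the commit message only cites the network-device entries; if that interface is the finest granularity refpolicy offers, say so in the message so the broader grant reads as deliberate rather than accidental. Placing it between dev_read_rand and dev_read_urand keeps the dev_ block alphabetical, which is fine.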
--
1.7.3.4

2011-09-06 18:30:47

by cpebenito

Subject: [refpolicy] [PATCH 1/6] Allow using user terminals

On 09/04/11 07:25, Sven Vermeulen wrote:
> In order to debug wireshark startup issues, it is important that
> wireshark, when started from a command line, is allowed to output its
> error messages.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/apps/wireshark.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/apps/wireshark.te b/policy/modules/apps/wireshark.te
> index 8bfe97d..0106846 100644
> --- a/policy/modules/apps/wireshark.te
> +++ b/policy/modules/apps/wireshark.te
> @@ -93,6 +93,7 @@ seutil_use_newrole_fds(wireshark_t)
> sysnet_read_config(wireshark_t)
>
> userdom_manage_user_home_content_files(wireshark_t)
> +userdom_use_user_terminals(wireshark_t)
>
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_dirs(wireshark_t)

Isn't wireshark an X app? Wouldn't it only need pty access?


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-09-07 19:38:53

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/6] Allow using user terminals

On Tue, Sep 06, 2011 at 02:30:47PM -0400, Christopher J. PeBenito wrote:
> On 09/04/11 07:25, Sven Vermeulen wrote:
> > In order to debug wireshark startup issues, it is important that
> > wireshark, when started from a command line, is allowed to output its
> > error messages.
[...]
> > +userdom_use_user_terminals(wireshark_t)
>
> Isn't wireshark an X app? Wouldn't it only need pty access?
>

Ah yes, my bad. That was a remnant from an earlier attempt where dumpcap
too was labeled wireshark_exec_t (in the hope that I didn't need to allow
execute rights on bin_t), which is a command-line application (and useful in
batch jobs or scripts without the need for wireshark).

I'll resubmit with userdom_use_user_ptys().

Wkr,
Sven Vermeulen